hayageek / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

Support for A5+ devices (iPhone 4S, iPad 2, iPhone 5, ...) #49

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Until a bootROM/bootloader-level exploit is found for those devices, it is 
impossible to boot a custom ramdisk.
However, for devices jailbroken with Absinthe and ssh access, it should be 
possible to use the tools, provided that the "IOAESAccelerator enable UID" 
kernel patch is applied.

Original issue reported on code.google.com by jean.sig...@gmail.com on 4 Feb 2012 at 10:20

GoogleCodeExporter commented 9 years ago
This does seem to be the case - the tools execute, device_infos returns some 
information, useful at least for a partial decryption of a physical image.

Is it feasible to patch kernel memory once a jailbroken A5 device is already 
booted? Or would this require a modification to the Corona payload to apply the 
new kernel patch along with the others?

I am waiting on some hardware to be able to start looking into this myself. In 
the meantime, any perspective on how to go about this would be greatly 
appreciated.

Original comment by 0x56.0x6...@gmail.com on 29 Feb 2012 at 4:32

GoogleCodeExporter commented 9 years ago
Yes, turns out Corona applies the "task for pid 0" kernel patch that allows a 
root application to read/write kernel memory.
Attached is a small program that uses that to apply the "IOAESAccelerator 
enable UID" kernel patch. Should work on iPad 2 5.0.1.
Let me know if this works for you. Thanks.

Original comment by jean.sig...@gmail.com on 1 Mar 2012 at 12:17

GoogleCodeExporter commented 9 years ago
Great Success! (on iPhone 4S 5.0.1)

The ramdisk tools seem to be working fine now. This kernel patcher was exactly 
the sort of process I was envisioning; thank you for providing the method! 
(I'll remember task_for_pid() and vm_read()/vm_write())

Original comment by 0x56.0x6...@gmail.com on 1 Mar 2012 at 6:01
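
An added example of the task_for_pid(0) + vm_read()/vm_write() technique the comment above refers to. This is example code written for this page, not the project's kernel_patcher.c. The signature search and in-place patch (find_signature/patch_image) is plain C and runs on any host against a constructed in-memory image; the Mach calls that read and write the live kernel (patch_live_kernel) are compiled only on Apple platforms and need the tfp0 kernel patch plus a task_for_pid-allow entitlement on the binary to succeed. The Thumb signature and patch bytes, KERNEL_BASE and KERNEL_TEXT_SIZE are illustrative assumptions; the real "IOAESAccelerator enable UID" patch bytes are not given on this page and are not reproduced here.

```c
/* Added example (not the project's kernel_patcher.c): tfp0-based kernel patching.
 * patch_image() does the signature search and patch on a buffer and runs anywhere;
 * patch_live_kernel() (Apple only) fetches that buffer from the kernel task via
 * task_for_pid(0)/vm_read_overwrite and writes the patch back with vm_write. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <mach/mach.h>
#endif

/* Constructed Thumb fragment standing in for kernel text:
 * push {r4-r6,lr}; cmp r0,#0; beq +10; movs r0,#1; pop {r4-r6,pc}.
 * Signature = cmp r0,#0 followed by any beq (offset byte wildcarded);
 * the patch turns that beq into a nop. Illustrative only: these are NOT the
 * IOAESAccelerator "enable UID" bytes, which this page does not give. */
static const uint8_t SAMPLE_TEXT[] = {0x70,0xB5, 0x00,0x28, 0x05,0xD0, 0x01,0x20, 0x70,0xBD};
const uint8_t SIG_CMP_BEQ[]  = {0x00,0x28, 0x00,0xD0};
const uint8_t MASK_CMP_BEQ[] = {0xFF,0xFF, 0x00,0xFF};
const uint8_t PATCH_NOP[]    = {0x00,0xBF};   /* Thumb nop, little-endian */

/* Find sig in hay; mask==NULL means exact match, otherwise mask bytes of 0 are
 * wildcards. Returns the offset of the first match or -1. */
long find_signature(const uint8_t *hay, size_t hay_len,
                    const uint8_t *sig, const uint8_t *mask, size_t sig_len)
{
    if (sig_len == 0 || hay_len < sig_len) return -1;
    for (size_t i = 0; i + sig_len <= hay_len; i++) {
        size_t j;
        for (j = 0; j < sig_len; j++) {
            uint8_t m = mask ? mask[j] : 0xFF;
            if ((hay[i + j] & m) != (sig[j] & m)) break;
        }
        if (j == sig_len) return (long)i;
    }
    return -1;
}

/* Patch an in-memory copy of the kernel text. Returns 0 on success, -1 if the
 * signature is absent, -2 if the patch would fall outside the signature, and
 * -3 if the signature matches more than once: with the kernel task as target,
 * guessing between two candidates means a likely panic, so refuse. */
int patch_image(uint8_t *img, size_t img_len,
                const uint8_t *sig, const uint8_t *mask, size_t sig_len,
                const uint8_t *patch, size_t patch_len, size_t patch_off,
                long *out_off)
{
    long off = find_signature(img, img_len, sig, mask, sig_len);
    if (off < 0) return -1;
    if (patch_off + patch_len > sig_len) return -2;
    if (find_signature(img + off + 1, img_len - (size_t)off - 1, sig, mask, sig_len) >= 0)
        return -3;
    memcpy(img + off + patch_off, patch, patch_len);
    if (out_off) *out_off = off;
    return 0;
}

/* Run the patch on the constructed image; returns the match offset (2) or <0. */
long demo_patch(void)
{
    uint8_t img[sizeof SAMPLE_TEXT];
    long off = -1;
    memcpy(img, SAMPLE_TEXT, sizeof img);
    if (patch_image(img, sizeof img, SIG_CMP_BEQ, MASK_CMP_BEQ, sizeof SIG_CMP_BEQ,
                    PATCH_NOP, sizeof PATCH_NOP, 2, &off) != 0) return -1;
    if (img[off + 2] != 0x00 || img[off + 3] != 0xBF) return -2; /* beq must now be nop */
    return off;
}

#ifdef __APPLE__
/* Assumptions for illustration: ARM kernel base and a text window large enough
 * to contain the target; adjust for the actual kernel. */
#define KERNEL_BASE      0x80001000u
#define KERNEL_TEXT_SIZE 0x00800000u

int patch_live_kernel(const uint8_t *sig, const uint8_t *mask, size_t sig_len,
                      const uint8_t *patch, size_t patch_len, size_t patch_off)
{
    mach_port_t kernel_task;
    kern_return_t kr = task_for_pid(mach_task_self(), 0, &kernel_task);
    if (kr != KERN_SUCCESS) {   /* same failure the thread reports: no tfp0 patch or no entitlement */
        fprintf(stderr, "task_for_pid returned %d : missing tfp0 kernel patch or wrong entitlements\n", kr);
        return -1;
    }
    uint8_t *img = malloc(KERNEL_TEXT_SIZE);
    if (!img) return -1;
    vm_size_t got = 0;
    kr = vm_read_overwrite(kernel_task, KERNEL_BASE, KERNEL_TEXT_SIZE, (vm_address_t)img, &got);
    if (kr != KERN_SUCCESS) { fprintf(stderr, "vm_read_overwrite: %d\n", kr); free(img); return -1; }
    long off;
    int rc = patch_image(img, got, sig, mask, sig_len, patch, patch_len, patch_off, &off);
    if (rc == 0)   /* only the patched bytes go back, at the address they came from */
        kr = vm_write(kernel_task, KERNEL_BASE + (vm_address_t)off + patch_off,
                      (vm_offset_t)patch, (mach_msg_type_number_t)patch_len);
    free(img);
    if (rc != 0) { fprintf(stderr, "signature problem (%d), nothing written\n", rc); return rc; }
    return kr == KERN_SUCCESS ? 0 : -1;
}
#endif

int main(void)
{
    long off = demo_patch();
    printf("sample image: signature at +%ld, beq -> nop %s\n", off, off >= 0 ? "ok" : "FAILED");
    /* On a device, call patch_live_kernel() with the real signature and patch here. */
    return off >= 0 ? 0 : 1;
}
```

Two things a practitioner should keep from this: the patcher refuses to write when the signature is missing or matches twice, because a wrong write into kernel text is a panic rather than an error message, and task_for_pid(0) fails with a Mach error unless the binary is signed with an entitlements file that grants task_for_pid-allow, which is the same symptom the thread runs into when recompiling.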

GoogleCodeExporter commented 9 years ago
Great! Let me know if there are issues with the other tools on this device.
Also, known bug: the UDID computed by the tools is wrong on A5 devices because 
the formula changed (see http://iphonedevwiki.net/index.php/Lockdownd)

Original comment by jean.sig...@gmail.com on 1 Mar 2012 at 7:03

GoogleCodeExporter commented 9 years ago
I'm trying to save some pictures I have only on my ipad 2 (5.0.1), jailbroken 
with Absinthe. I used your tools before with other iphones (great success :), 
but never on an A5 device. How does this work? Do I need to create a custom 
ramdisk and boot from it; does this even work?

Original comment by grapple...@gmail.com on 8 Mar 2012 at 9:03

GoogleCodeExporter commented 9 years ago
The latest redsn0w's (0.9.10b6) Keys.plist does not contain the KBAG keys (IV 
and Key) for A5 devices' firmwares, but from the previous comments it seems 
they are available.
Would it be possible to post them to the appropriate theiphonewiki.com page, or 
here?
TIA

Original comment by simg...@gmail.com on 9 Mar 2012 at 5:43

GoogleCodeExporter commented 9 years ago
grapple: First, install OpenSSH on the A5 device through Cydia. Then, use scp 
or sftp to upload the ramdisk tools (specifically, bruteforce and device_infos; 
restored_external doesn't matter here) and kernel_patcher (attachment in this 
issue) to the device. Once the files are uploaded, connect with ssh. Run 
kernel_patcher to gain access to the crypto engine, then you can run 
device_infos followed by bruteforce to generate the keys. I haven't quite 
figured out pulling an image, as the filesystem is mounted and active while the 
device is running (I pulled a dd image, but there were some issues with trying 
to decrypt it, probably because I was still using the phone while the image was 
running...). That is the general idea of what to do, hope it helps get you 
started.

simg: Unfortunately, without access to the GID key, the encrypted KBAGs cannot 
be decrypted. By the time iBoot is finished and passes control to the kernel, 
the GID key is rendered inaccessible until a reboot of the device. The limera1n 
exploit allows running unsigned code at a stage in the boot process where the 
GID key is still accessible. Corona (which Absinthe is used to inject on A5 
devices) exploits the kernel, so by the time it takes place, the GID key is 
inaccessible.

tl;dr KBAG keys will not be available on A5 devices until a limera1n style 
exploit is discovered :)

Original comment by 0x56.0x6...@gmail.com on 9 Mar 2012 at 7:18

GoogleCodeExporter commented 9 years ago
Great Success! (on iPhone 4 5.0.1)
This dynamic patcher looks cool.

Original comment by ann...@gmail.com on 13 Mar 2012 at 3:09

GoogleCodeExporter commented 9 years ago
I'm trying to recompile kernel_patcher.c for another purpose, but I can't get 
it to run on my device. This is my compile command:

"/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv6 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.1.sdk -mthumb -o kernel_patcher kernel_patcher.c"

That seems to work (it compiles and runs anyway), and I then sign the 
application with codesign:

"codesign -f -s Han\ Solo ./kernel_patcher"

I then upload it to the device, but any time I run it I get the following error:

"task_for_pid returned 5 : missing tfp0 kernel patch or wrong entitlements"

I'm obviously doing something wrong here, but I can't figure out what.  If I 
just run the binary on the site, it works just fine.  I'm just trying to patch 
a different location, so I need to recompile.  Any suggestions on what I'm 
doing wrong?

Original comment by engineer...@gmail.com on 16 Mar 2012 at 4:14

GoogleCodeExporter commented 9 years ago
Try adding "--entitlements tfp0.plist" to the codesign command (and grab the 
tfp0.plist file from above post).

Original comment by jean.sig...@gmail.com on 16 Mar 2012 at 4:30

GoogleCodeExporter commented 9 years ago
That did it.  Thanks!

Original comment by engineer...@gmail.com on 16 Mar 2012 at 4:52