Friday, November 30, 2007

New Bootloader Exploits

I found two exploits against the new bootloader, one hardware and one software. They are both untested and hard to implement, but I'm pretty sure they will both work. Keep in mind these are theoretical; don't consider trying them unless you really understand the inner workings.

Hardware:
The version check reads from 0xA0021000 and 0xA0021004 to get the version of the main firmware. It then compares the values: [0xA0021000]==~[0xA0021004]. If that comparison fails, the version check is skipped altogether. It is also the only bootloader access into high flash. So when A16 goes high, pull any data line high or low. That will cause the comparison to fail, and hence the version check to be skipped. And there shouldn't be any other bootloader accesses to high flash, so it'll be fine.

Software:
This exploit is in the way the secpack signature is padded. They did a lot to remove the really bad signature checking of the old bootloader that IPSF exploited. However, the secpack still has 0x28 bytes of data at the end that aren't checked for normal secpack sigs. The secpack sig is (0x30 header/padding, 0x14 main fw SHA, 0x14 secpack SHA, 0x28 unchecked padding). So by spoofing the first 0x58 bytes of the RSA-recovered block, you can set any secpack and main fw SHA hash you want. In exponent-3 RSA cryptosystems it is very easy to spoof the first 1/3 of the message bytes. I believe that with some clever math and brute force the whole 0x58 can be spoofed. Any cryptology experts out there?
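As an added example (not code from this post, from the bootloader, or from any project named here): a toy model of the check described above, using the post's 0x30/0x14/0x14/0x28 block layout. A verifier that compares only the first 0x58 recovered bytes is placed beside one that compares the whole block, and the e=3 cube-root construction that chooses the two hashes is run against both. The header bytes, the hash inputs, the demo key and the 3072-bit stand-in modulus are all constructed for the demo and are not the real values. The example also goes one step beyond the post: with the post's own ratio (0x28 unchecked bytes out of 0x80) the cube root alone does not reproduce all 0x58 bytes, and it does so only when the unchecked tail is about two thirds of the block, which is why the hardened verifier compares every byte instead of relying on that ratio.

```python
import hashlib
import hmac
import random

# Block layout as described in the post:
# 0x30 header/padding, 0x14 main fw SHA-1, 0x14 secpack SHA-1, 0x28 unchecked tail.
E = 3
HEADER_LEN, HASH_LEN = 0x30, 0x14
CHECKED_LEN = HEADER_LEN + 2 * HASH_LEN          # 0x58 bytes the weak verifier compares
# Constructed PKCS#1-style header; the real header bytes are not on the page.
HEADER = b"\x00\x01" + b"\xff" * (HEADER_LEN - 3) + b"\x00"


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test, adequate for a demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(bits, rng):
    """Demo RSA key with e = 3; primes chosen so that gcd(3, p-1) = 1."""
    def prime(b):
        while True:
            p = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if p % 3 != 1 and _is_probable_prime(p, rng):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def block_len(n):
    return (n.bit_length() + 7) // 8


def sign(block, d, n):
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(block_len(n), "big")


def recover(sig, n):
    """s^e mod n, i.e. the block the verifier gets to look at."""
    return pow(int.from_bytes(sig, "big"), E, n).to_bytes(block_len(n), "big")


def verify_prefix_only(sig, n, expected_prefix):
    """Weak verifier: compares only the first 0x58 bytes and ignores the tail."""
    return recover(sig, n)[:CHECKED_LEN] == expected_prefix


def verify_full(sig, n, expected_block):
    """Hardened verifier: every byte of the recovered block must match."""
    return hmac.compare_digest(recover(sig, n), expected_block)


def ceil_cbrt(x):
    """Smallest integer s with s**3 >= x (binary search)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge_prefix(prefix, blen):
    """Cube-root construction (uses no private key): s = ceil(cbrt(prefix || 00..00)).
    s**3 reproduces the prefix exactly only if the leftover (up to about 3*s**2) fits
    inside the tail, i.e. only when the unchecked tail is roughly 2/3 of the block."""
    target = int.from_bytes(prefix, "big") << (8 * (blen - len(prefix)))
    return ceil_cbrt(target).to_bytes(blen, "big")


def run_demo(seed=1):
    rng = random.Random(seed)
    n, d = gen_key(1024, rng)                      # 0x80-byte block, the post's layout
    # Constructed stand-ins for the real firmware and secpack images.
    good_prefix = (HEADER + hashlib.sha1(b"constructed main fw").digest()
                   + hashlib.sha1(b"constructed secpack").digest())
    good_block = good_prefix + b"\x00" * (block_len(n) - CHECKED_LEN)
    sig = sign(good_block, d, n)

    bad_prefix = (HEADER + hashlib.sha1(b"unsigned fw").digest()
                  + hashlib.sha1(b"unsigned secpack").digest())
    forged = forge_prefix(bad_prefix, block_len(n))

    # Same 0x58-byte checked prefix, but a 3072-bit modulus, so the tail is 0x128 bytes.
    # Only the public modulus matters and s**3 never wraps past n, so a constructed odd
    # 3072-bit number serves as the stand-in modulus here (it is not a real key).
    n3 = rng.getrandbits(3072) | (1 << 3071) | 1
    forged3 = forge_prefix(bad_prefix, block_len(n3))
    bad_block3 = bad_prefix + b"\x00" * (block_len(n3) - CHECKED_LEN)

    return {
        "genuine_full": verify_full(sig, n, good_block),                      # True
        "forged_1024_prefix_only": verify_prefix_only(forged, n, bad_prefix),  # False
        "forged_3072_prefix_only": verify_prefix_only(forged3, n3, bad_prefix),  # True
        "forged_3072_full": verify_full(forged3, n3, bad_block3),             # False
    }
```

`run_demo()` returns a dict: the genuine signature passes the full-block verifier, the cube-root value for the 1024-bit layout passes neither verifier (the leftover from the cube spills past the 0x28-byte tail into the checked region), and the cube-root value for the 3072-bit layout passes only the prefix-only verifier. The full-block compare rejects it in every layout, because the tail of a real signature is a fixed pattern that the construction cannot control.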

38 comments:

Christophe said...

So.. If I get this right; once hardware unlocked in this new way, the phone is unlocked for good? And I'll be able to run the latest firmware?

How exactly do I perform this hardware unlock? - please post a guide.. please :D

Good work man.. keep it up :D

An Elite Opinionare said...

Dear god I hope you can get that software spoof to work

Luis said...

Hey geohot! Thanks for this great achievement. In case you need a new iPhone to test or something, don't hesitate to contact me.
jlcsaenz@msn.com

ELEFTHERIOS said...

Man.. keep up the good work.. I'm still here waiting for an achievement. Then I'll buy one for myself and be happy as all the others..!

p.s. Greece is with you man!

le tier said...

Can't say if it is related as I'm not totally into the crypto stuff, but a quick search turned up the following on an Apple mailing list:

Quote "The Apple CDSA implementation of RSA signature verify is not vulnerable to this exploit."

http://lists.apple.com/archives/apple-cdsa/2006/Sep/msg00026.html

le tier said...

The RSA exp 3 is what I'm talking about :)

UnlockBR - Sergio de Lima said...

Really great news. Keep on the hard work. Congrats!

BR,

UnlockBR

MuscleNerd said...

For further information on the secpack authentication and potential exploit, you can visit

http://code.google.com/p/iphone-elite/wiki/SecpackAuthentication

(and thanks, geohot!)

dimitris said...

I have a first generation iPhone with
ismf in Greece.
I want to go from 1.0.2 to 1.1.1.
I tried all the methods from hacktheiphone.com and other sites,
one week now.
I did all of virginator.sh, update/downgrade firmware, modem.....
I don't have the IPSF application, but at 1.0.2 firmware my iPhone is SIM-unlocked with iDemocracy.
I can only restore, not update to 1.1.1.
When I put the 1.0.2 lockdown file
in /libexec my iPhone is SIM-unlocked
but I lose the USB connection;
when I put the 1.1.1 lockdown file
in /libexec my iPhone is SIM-locked.
Do you have any idea? Can you help me?
Thanks for your time
dim

Oscar said...

Thanks a lot for that news

good work

Yasser Sanchez said...

Thanks for the news geohot!!

ELEFTHERIOS said...

Message goes to the man with the name "dimitris" that commented earlier..

DIMITRI.. I'm looking for an iPhone.. can you do something, but without me getting ripped off??

Andrew Goldenberg said...

Hey George.

I wanted to thank you for all the hard work on your blog.

I would also like to offer to host your blog on my web hosting free of charge. I will set you up with a WordPress blog, and you can move your domain onto our server. I will supply you with unlimited space and bandwidth.

Just want to help you out, and maybe make you some money. Add your AdSense code to your new blog on our servers.

If you want to get in touch with me, e-mail me.

Andrew.Goldenberg@GMail.com and I'll get you set up right away.

dimitris said...

For Eleftherios

Send me your e-mail
at filmnavigate@gmail.com

miamimike said...

Guys, I am not a computer person. But being a native of NJ currently serving overseas and understanding that the guy who first cracked an iPhone probably is a certified expert who can answer a straight question, I have only one: I just bought an OTB iPhone, week 47, 1.1.2. One guy says there will be a crack in 1 week, another in ????. My question: when can I reasonably expect a soft unlock to be available? PS I don't understand techno speak.

Yusaku said...

Miamimike: at the moment, no bug in the bootloader has been found so far - these two exploits seem to be unusable, unfortunately (HW one: the required via is buried; SW one: it is actually 1/3rd of the bits, not 2/3rd as written here, so we are missing a HUGE number of bits to modify).

So at the moment it is simply unknown - you will be able to unlock roughly a week after a successful exploit is found, but that might take a month or just never happen.

matthieupesesse.com said...

It should be very nice to get the new bootloader free.. keep up the excellent work!

lrdx said...

Nice job! Hope you're right and someone develops something to unlock the 1.1.2 OTB using it fast...

Keep up the good work...

Sparker said...

So... I have 76330_112_bl46_full_dump0x40000, 76330_112_bl46_full_dump0x40011 and ICE03.14.08_G.fls. One idea is to compare them and see differences.

I gave it to IDA, started reversing, found SHA-1 functions, etc... Also found where the comparison you are referring to is ([0xA0021000]==~[0xA0021004]), in two places.

I also have some experience with hash functions (I coded my own MD5 collision finder, and published some results).

Now. I'd like to know a few things:

What's the difference between the two dumped files (0x40000 vs. 0x40011)?

If I got it right, these files contain both the bootloader and the baseband. How should I break them apart? (I think the first 0x20000 bytes of each is the bootloader, then the baseband, and then the secpack, but I need confirmation.)

What's the load base for the bootloader and baseband? What's the RAM range (if known)? I saw in the wiki ranges like 0x18000000 for iBoot, but it doesn't seem to match what I see in IDA.

If the baseband can be flashed, it means the pins for flashing the chip are connected? Why can't we flash the bootloader? Why do we need the bootloader to flash the baseband?

Assuming the only way to write into this flash chip is from the processor running the bootloader and baseband: will any code execution security bug (a buffer overflow, for example) let us run code on the right processor and hence let us flash this chip, bypassing the bootloader?

Oh well... I have experience and ideas, but I don't have an iPhone nor much time. Any info will speed up the process! share!

Now, if you think sharing will make Apple make it harder for us the next time, think again: it's trivial to RE whatever final solution we publish; they don't need anything other than the final product to know how we did it. So publishing info can only benefit us, the Hardware Liberators.

In any case, good luck and thanks for everything you are doing!

korkusuzlar said...

Thank you, very good work..


www.r10.net "no to global warming" SEO contest

kiril said...

NEW SITE FOR ONLINE TV AND MOST POPULAR TV SERIES:
http://stafex.net

Admins said...

wmwebtr prize SEO contest

watch videos

watch TV series

a.ö.f

ahmet can said...

mirc
mirç
mırc
mırç
mircturk
turkmirc
mirc indir
mirc yukle
mirch
mırch
mirc turk
turk mirc
mırcturk
turkmırc
mırc turk
turk mırc
turkiyemirc
türkiyemirc
turkiye mirc
türkiye mirc
mircturkiye
mirctürkiye
mirc turkiye
mircturk
turkmırc
muhabbet
forum
forum
turkforum
turkiyeforum
mirc
turkmirc
toplist
site ekle
pagerank
turkmirc
turkforum
sohbet
chat
sohbet odaları
bedava sohbet
bedava chat
türk
karar

Haci said...

The 3 comments above are from Turkish script kiddies.. I want to apologize for their behavior.. those are the scum of the community and in no way represent the whole..

I am confused in regards to one point and maybe someone here can clarify it for me;

We know of a way to manipulate the signatures.. we don't use it but instead skip checking altogether.. but now we can't afford to skip checking.. the thing I'm not seeing is, would an iTunes check after a successful unlock of 1.1.2 OTB brick the iPhone? (not really brick though.. you get it :)) Because I can't see a means for Apple to compare keys of the device if we know what they were and how to modify them.. if we play with the keys, can't we restore them back?


ashhar said...

Thank you for the wonderful effort

I remembered, and the memory keeps me awake, * an ancient glory that we lost with our own hands.
Wherever you turn to Islam in any land, * you find it like a bird whose wings have been clipped.
How often has a hand dismissed us that we once commanded, * and a people we once ruled now rules over us.
By God, ask beyond the Roman sea about Arabs * who were here yesterday and today are lost.
Go down to Damascus and ask the stone of its mosque * about the one who built it; perhaps the stone will mourn him.
These are mute monuments, every one of which * stands up as an orator with its mouth agape.
God knows I never turned over their history one day * without the tears of my eye straying from their course.
O you who see Omar clothed in his cloak, * oil his only food and a hut his shelter,
Chosroes trembles on his throne in dread * of him, and the kings of Rome fear him.
O Lord, send us a band of men like them, * who will raise for us a glory that we lost.
