  1. #1 (Senior Professional)

    Nature of security exploit

    Sorry that I'm not knowledgeable about that.

    What exactly is the kind of vulnerability that allows unlock? Is it possible that other people/some unhappy wireless provider will propagate viruses exploiting the same bug forcing us to install the new Apple firmware (which will close unlock)?



  2. #2 (iPhone DevTeam)

    The basic exploit is this: a low-level OS of sorts in the iPhone lets you read/write to almost any part of non-volatile memory, except for one key protected section. You're not supposed to be able to write to that section without authentication. But it turns out that if you "seek" to a location just before the protected area and start writing from that point forward, you can keep writing on through the protected area as well. (As opposed to seeking to the protected area directly and trying to write, which will fail.)

    In theory, a trojan horse sort of app that you download through Installer.app (for example) could go off and relock your phone again using the above trick. But nobody except for Apple or AT&T or Infineon is going to be able to remove the underlying flaw (if it really is a flaw... some say it's a feature). Until that flaw is removed, you'll always be able to unlock again.

    There are at least 2 other vulnerabilities. The one described above is the one used by the free unlockers.
    Last edited by MuscleNerd; 09-18-2007 at 08:27 AM.

  3. #3 (Professional)

    Quote, originally posted by MuscleNerd:
    But it turns out that if you "seek" to a location just before the protected area and start writing from that point forward, you can keep writing on through the protected area as well. (As opposed to seeking to the protected area directly and trying to write, which will fail.)
    I've been curious about the "seek" part ever since looking at the NorDumper source. Why do you need to seek at all? Couldn't you just read the byte directly before the start of the protected section, prepend whatever you want to write with the value of that byte, and just start writing from there? The reason I ask is that it's the seek part of NorDumper that takes 20 minutes, isn't it?

    I've never been much interested in hacking but have programmed in C for the last 15 years and the iPhone got me interested in just how hackers figure out this stuff.

  4. #4 (iPhone DevTeam)

    The BBREAD (0x803) and BBWRITE (0x804) command packets don't specify the address. BBREAD just specifies amount of data to read, and BBWRITE always writes 0x800 bytes. But both commands rely on a prior BBSEEK (0x802) command to get to the starting position.

    It's not the seek that takes 20 minutes in NORDumper... it's the fact that he's doing all those read operations at 115Kbps. It's only relatively recently that people started using the higher baud rates in their baseband apps.
    Last edited by MuscleNerd; 09-18-2007 at 08:58 AM.
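    The flaw MuscleNerd describes in posts #2 and #4 is a classic one: the protected-area check runs on the address given to BBSEEK, but the writes that follow never re-validate the range they actually cover. The C model below is an added illustration, not code from this thread or from the dev team. It simulates a NOR image with one protected region and a BBSEEK/BBWRITE-style cursor, then runs the same sequence twice: once with the flawed policy (check only the seek address) and once with a hardened policy (check the full half-open range of every write, treating overflow and out-of-bounds as forbidden). The flash size, the protected-region bounds, the 0x100 pre-boundary offset and the 0xAA payload pattern are constructed for the model and are not the iPhone's real layout; only the command codes and the 0x800-byte write size come from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flash geometry for this model; these are NOT the real iPhone values. */
#define NOR_SIZE    0x10000u   /* 64 KiB of simulated NOR */
#define PROT_START  0x8000u    /* first protected byte (constructed) */
#define PROT_END    0x9000u    /* one past the last protected byte (constructed) */
#define BBWRITE_LEN 0x800u     /* BBWRITE always writes 0x800 bytes, as stated in the thread */

/* Command codes named in the thread; kept for reference, the model calls the handlers directly. */
enum bb_cmd { BBSEEK = 0x802, BBREAD = 0x803, BBWRITE = 0x804 };

typedef struct {
    uint8_t  nor[NOR_SIZE];
    uint32_t pos;            /* cursor left behind by the last BBSEEK or BBWRITE */
    bool     authenticated;  /* true once the caller has proven it may touch the protected area */
} flash_dev;

static bool in_protected(uint32_t addr)
{
    return addr >= PROT_START && addr < PROT_END;
}

/* Hardened policy: is the whole range [pos, pos+len) forbidden for an unauthenticated writer?
 * Out-of-bounds and arithmetic-overflow cases are reported as forbidden, never as "allowed". */
static bool write_range_forbidden(uint32_t pos, uint32_t len)
{
    if (len == 0 || len > NOR_SIZE || pos > NOR_SIZE - len)
        return true;                                /* runs off the end of flash or overflows */
    uint32_t end = pos + len;                       /* exclusive; cannot overflow after the check above */
    return pos < PROT_END && end > PROT_START;      /* half-open interval overlap test */
}

/* BBSEEK: in the flawed firmware model this is the ONLY place the protected area is checked,
 * so seeking straight into it fails, exactly as the thread describes. */
static int bbseek(flash_dev *d, uint32_t addr)
{
    if (addr >= NOR_SIZE)
        return -1;
    if (!d->authenticated && in_protected(addr))
        return -1;
    d->pos = addr;
    return 0;
}

/* BBWRITE: writes BBWRITE_LEN bytes at the cursor and advances it.
 * hardened == false: trust the earlier seek check and write unconditionally (the flaw).
 * hardened == true : re-check the full range of this write before touching flash (the fix). */
static int bbwrite(flash_dev *d, const uint8_t *data, bool hardened)
{
    if (d->pos > NOR_SIZE - BBWRITE_LEN)
        return -1;                                  /* would run past the end of flash */
    if (hardened && !d->authenticated && write_range_forbidden(d->pos, BBWRITE_LEN))
        return -1;                                  /* write would enter the protected area */
    memcpy(&d->nor[d->pos], data, BBWRITE_LEN);
    d->pos += BBWRITE_LEN;
    return 0;
}

/* Scenario from the thread: park the cursor just before the protected area, then issue
 * consecutive 0x800-byte writes. Returns how many protected bytes ended up modified. */
static uint32_t protected_bytes_changed(bool hardened)
{
    static flash_dev d;                 /* static: 64 KiB is too large for a comfortable stack frame */
    memset(&d, 0, sizeof d);            /* simulated flash starts out all zeros, unauthenticated */
    uint8_t block[BBWRITE_LEN];
    memset(block, 0xAA, sizeof block);  /* constructed payload pattern */

    if (bbseek(&d, PROT_START - 0x100u) != 0)   /* 0x100 before the boundary: constructed offset */
        return 0;
    for (int i = 0; i < 4; i++)                 /* 4 * 0x800 = 0x2000 bytes, spanning the whole region */
        if (bbwrite(&d, block, hardened) != 0)
            break;                              /* hardened policy stops at the first offending write */

    uint32_t changed = 0;
    for (uint32_t a = PROT_START; a < PROT_END; a++)
        if (d.nor[a] != 0)
            changed++;
    return changed;
}

int main(void)
{
    printf("flawed policy:   %u protected bytes overwritten\n", (unsigned)protected_bytes_changed(false));
    printf("hardened policy: %u protected bytes overwritten\n", (unsigned)protected_bytes_changed(true));
    return 0;
}
```

    The defender's lesson is in `write_range_forbidden`: a permission check on a cursor-based write interface has to cover the span that will actually be modified, and the bounds arithmetic has to fail closed when `pos + len` would wrap. Under the flawed policy the model reports every one of the 0x1000 protected bytes overwritten; under the hardened policy the first write is refused and none are.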

  5. #5 (Professional)

    Quote, originally posted by MuscleNerd:
    It's not the seek that takes 20 minutes in NORDumper... it's the fact that he's doing all those read operations at 115Kbps. It's only relatively recently that people started using the higher baud rates in their baseband apps.
    Was the initial 115Kbps baud rate a choice? Or was it believed to be a hard limit based on something they found out while hacking? Since they are using higher baud rates now, what changed? Why not use the higher rates from the beginning?


  6. #6 (Senior Professional)

    Amazing - I thought all modern OSes do memory protection processor-wise.

    Well, I am actually trying to point out the following attack by an unnamed unhappy wireless service provider: put money into making viruses - all sorts of viruses - using the exploit; the patch is hard to make without sources, so you and I sigh and go update the firmware, losing the unlock. And it's hard to prove the unnamed unhappy wireless provider is behind it.

    Of course this doesn't work without a trojan inside the iPhone... oh wait, aren't we installing 10 new talkative "version alpha 0.0.0.1" applications written by amateurs onto a computer without a firewall (which is the iPhone, if I'm not wrong)?..

  7. #7 (iPhone DevTeam)

    To request the baseband to switch to higher speed, you need to send that baudrate packet (0x82). I don't think they had all the kinks worked out of that process until recently.

    The very first publicly released SW unlock tried to use 921600 bps, but for whatever reason it wasn't using the higher rate. (This was the unlock that "zappaz" worked on with "guest184" in the undernet #iphone.unlock IRC channel last Tuesday. It was shortly (literally minutes) after this software was released that the dev team released their software.)

  8. #8 (iPhone DevTeam)

    Quote, originally posted by squirrelfon:
    Well, I am actually trying to point out the following attack by an unnamed unhappy wireless service provider: put money into making viruses - all sorts of viruses - using the exploit; the patch is hard to make without sources, so you and I sigh and go update the firmware, losing the unlock. And it's hard to prove the unnamed unhappy wireless provider is behind it.
    Those who have SW unlocked their iPhones should definitely stay away from Apple iPhone updates until after they've been analyzed by the community.

    As far as applications downloaded via Installer.app or pxl... well, it would be pretty bold for anyone to sneak a SW relock into one of those. It would provide lots of drama, that's for sure.

  9. #9 (iPhone DevTeam)

    A bigger question in my mind is why do the free unlockers bother to rewrite all of the firmware NOR sectors. The software unlock patch is all contained within just a fraction of the total firmware space, and yet the current unlockers rewrite the entire space. Why not save some time and rewrite only the necessary sectors?

  10. #10 (Senior Professional)

    So, once something runs on the phone nothing prevents it from re-writing the low-level OS? Cool.

    I'm still shocked that the processor doesn't have access management as part of the paging mechanism. Or wait, do the processes have privilege levels at all?

    Too bad my only virus was written in high school...
