some questions about iOS bootchain (iOS 4.x (iPhone OS 4.x) forum, Hackint0sh.org)
  #1 snakeninny (Rookie, joined Dec 2010, 22 posts)

    Hi guys:
    I searched a lot and drew the following conclusions from these slides and this paper. Correct me if I'm wrong:
    1. The normal bootchain is like this: bootrom->llb->iboot->kernel->filesystem, and /etc/fstab is under "/", i.e. the root of iOS's filesystem. So /etc/fstab is actually a file in the filesystem; it's not in the kernel.
    2. There are 2 kinds of kernels. One is in NAND and is uploaded when normal booting happens; the other one is in the ipsw and is uploaded when restoring happens in DFU/recovery mode.
    However, I'm still a little confused.
    1. Two "ramdisk"s are mentioned in figure 4 and figure 5 of the paper above, so I wonder what the relationship is between these 2 "ramdisk"s and the 2 "kernel"s. What does a ramdisk do in iOS jailbreaking or iOS booting?
    2. In which part of iOS jailbreaking or the iOS bootchain is /etc/fstab modified?
    3. I googled a lot and found the 2 words "iBSS" and "iBEC" were only mentioned in the iPhone 3GS jailbreak, so I wonder: is the bootchain in DFU mode still bootrom->iBSS->iBEC->kernel on the iPhone 4?
    Any clues are welcome! Thanks for viewing and have a good day.
    Cheers, Lloyd



  #2 Olethros (Super Moderator, Norway, joined Sep 2007, 8,360 posts)

    Okay, you really need to get a proper jailbreak developer to weigh in on this. Here's my best attempt at answering your questions.

    Quote Originally Posted by snakeninny:
        I searched a lot and drew the following conclusions from these slides and this paper. Correct me if I'm wrong:
        1. The normal bootchain is like this: bootrom->llb->iboot->kernel->filesystem, and /etc/fstab is under "/", i.e. the root of iOS's filesystem. So /etc/fstab is actually a file in the filesystem; it's not in the kernel.
    Yes, /etc/fstab is a file in the root filesystem.


    Quote Originally Posted by snakeninny:
        2. There are 2 kinds of kernels. One is in NAND and is uploaded when normal booting happens; the other one is in the ipsw and is uploaded when restoring happens in DFU/recovery mode.
        However, I'm still a little confused.
    The ramdisk boot might be booting a different iOS version than corresponds to the kernel saved in NOR (for legacy reasons it's still called NOR even in modern iOS devices where there is no physical NOR chip). This is why the ramdisk boot needs to supply its own independent boot chain (kernel etc.) rather than use the existing boot images saved in NOR. Also, the update process often has a step which updates the boot images in NOR with ones supplied by the IPSW. So by booting from a separate boot chain, you avoid the chicken-and-egg problem of "how do I update something I'm using to boot with?"

    Quote Originally Posted by snakeninny:
        1. Two "ramdisk"s are mentioned in figure 4 and figure 5 of the paper above, so I wonder what the relationship is between these 2 "ramdisk"s and the 2 "kernel"s. What does a ramdisk do in iOS jailbreaking or iOS booting?
    One ramdisk is for restores (wipe all data and then install a new OS), the other is for updates (wipe only the system partition, leaving the user partition intact, then install a new OS). This corresponds to the two buttons "Check for Update" and "Restore" in iTunes.

    Quote Originally Posted by snakeninny:
        2. In which part of iOS jailbreaking or the iOS bootchain is /etc/fstab modified?
    I can't really answer this - it depends on which jailbreak tool is used.

    For redsn0w for example, this would be done by the unsigned ramdisk that the jailbreak loads after initially pwning the phone to accept unsigned ramdisks.

    For pwnagetool, the root file system ASR image bundled in the IPSW is modified with the required changes to /etc/fstab. Then iTunes is used to restore the custom (pre-jailbroken) IPSW.

    For jailbreakme.com - I don't really know - but it's all done without a ramdisk, this is a userland originating jailbreak, so once it's broken out of the sandbox and got root privileges, it would be a natural step to modify fstab pretty soon afterwards.

    Finally jailbreakme.com v3 will use unionfs (which will change things dramatically regarding the way the /etc/fstab relates to jailbreak)

    Quote Originally Posted by snakeninny:
        3. I googled a lot and found the 2 words "iBSS" and "iBEC" were only mentioned in the iPhone 3GS jailbreak, so I wonder: is the bootchain in DFU mode still bootrom->iBSS->iBEC->kernel on the iPhone 4?
    DFU is in hardware/bootrom.

    iBSS & iBEC are still used in booting/jailbreaking iPhone 4 and newer.
    Please read the stickies & search forum before posting!
    How to report an iTunes restore/update fail in a useful manner
    -

    iPad 3G 64GB (4.3.3, Redsn0w) oldest SHSH 3.2.2
    iPhone 4 32GB (4.2.1, Redsn0w JB-monte) oldest SHSH 4.1
    iPhone 3GS 32GB (4.3.3; Pwnagetool) factory unlocked oldest SHSH 3.1
    iPhone 8GB (3.1.3; Pwnagetool) AT&T Locked - Unlocked with bootneuter

    -
    Did we solve your problem? Got a dollar or two spare ? Donate!

  #3 snakeninny (Rookie)

    Thanks for your detailed explanation! It's gonna take a little while for me to understand all of them...

  #4 snakeninny (Rookie)

    “For jailbreakme.com - I don't really know - but it's all done without a ramdisk, this is a userland originating jailbreak, so once it's broken out of the sandbox and got root privileges, it would be a natural step to modify fstab pretty soon afterwards.”

    What's the relationship between "root privileges" and "/etc/fstab modification"? I thought they were the same thing...

  #5 Olethros (Super Moderator)

    Quote Originally Posted by snakeninny:
        “For jailbreakme.com - I don't really know - but it's all done without a ramdisk, this is a userland originating jailbreak, so once it's broken out of the sandbox and got root privileges, it would be a natural step to modify fstab pretty soon afterwards.”

        What's the relationship between "root privileges" and "/etc/fstab modification"? I thought they were the same thing...
    They are not the same thing. The modification of /etc/fstab allows the "root filesystem" to be mounted read-write (which is required to install Cydia/jailbroken apps)

    From a simple perspective, "root user" is the user with the highest privileges in a Unix system. The iPhone runs all apps as another user, "mobile", which has far fewer privileges. I won't get into the sandboxing that further limits privileges for specific applications, but bypassing that also plays a huge part in recent jailbreaks.

    "root filesystem" and "root user" are two separate things. Don't get blinded by the fact that they both start with the word root.
    Last edited by Olethros; 06-23-2011 at 08:19 PM.
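The fstab change Olethros describes in the two posts above (the "/" entry flipped from read-only to read-write so jailbroken apps can be installed), as an added example in Python. This is not code from redsn0w, PwnageTool, jailbreakme.com or this thread; the sample fstab is constructed to resemble an iOS 4 layout, and its device nodes and mount options are assumptions, not copied from a device.

```python
"""Parse an /etc/fstab and flip the root filesystem entry from read-only to
read-write. Added example, not code from redsn0w, PwnageTool or the thread.
SAMPLE_FSTAB is constructed to resemble an iOS 4 layout; its device nodes and
mount options are assumptions, not copied from a device."""
from typing import List, Tuple

SAMPLE_FSTAB = """\
/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2s1 /private/var hfs rw,nosuid,nodev 0 2
"""

# (spec, mountpoint, fstype, options, freq, passno) as in a BSD-style fstab
Entry = Tuple[str, str, str, List[str], int, int]


def parse_fstab(text: str) -> List[Entry]:
    """Return one Entry per line; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed fstab line: {line!r}")
        spec, mnt, fstype, opts, freq, passno = fields
        entries.append((spec, mnt, fstype, opts.split(","), int(freq), int(passno)))
    return entries


def root_is_readonly(text: str) -> bool:
    """True when '/' is listed with 'ro', which is how a stock device ships."""
    for _, mnt, _, opts, _, _ in parse_fstab(text):
        if mnt == "/":
            return "ro" in opts and "rw" not in opts
    raise ValueError("no entry for /")


def make_root_writable(text: str) -> str:
    """Rewrite only the '/' entry's options (ro -> rw); every other field and line is kept as-is."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[1] == "/":
            opts = ["rw" if o == "ro" else o for o in fields[3].split(",")]
            if "rw" not in opts:
                opts.append("rw")
            fields[3] = ",".join(opts)
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"
```

`root_is_readonly(SAMPLE_FSTAB)` is True; after `make_root_writable` the first line reads `/dev/disk0s1 / hfs rw 0 1` and the /private/var line is untouched. On a real device this edit needs the two things the thread keeps separate: uid 0 (the "mobile" user cannot write the file) and a root filesystem that is already writable, because /etc/fstab sits on the very partition it describes. That is why ramdisk-based tools patch the file from outside the booted system, and why a userland jailbreak has to remount "/" read-write before it can make the change persistent.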


  #6 snakeninny (Rookie)

    Excellent explanation! Thanks and have a nice day!

  #7 snakeninny (Rookie)

    Hi again:
    Sorry to bother you guys again, but when I read this wiki I saw the bootrom was read-only. But in most jailbreaks there is one bootrom exploit. I wonder, if the bootrom is read-only, how can the bootrom exploit work? I know iOS is bootstrapped successfully if the signature check is correct in the bootchain, but what happens if the check turns out to fail? I mean, what state will iOS/the iDevice be in?
    Cheers, Lloyd

  #8 Olethros (Super Moderator)

    Quote Originally Posted by snakeninny:
        Hi again:
        Sorry to bother you guys again, but when I read this wiki I saw the bootrom was read-only. But in most jailbreaks there is one bootrom exploit. I wonder, if the bootrom is read-only, how can the bootrom exploit work? I know iOS is bootstrapped successfully if the signature check is correct in the bootchain, but what happens if the check turns out to fail? I mean, what state will iOS/the iDevice be in?
        Cheers, Lloyd
    Yes, the bootrom is read-only. This means you need to look for a specific place where the bootrom code makes use of a routine or data that is located outside of the bootrom (in a location that can be written to).

    If the signature check fails the device falls back to either DFU mode or recovery mode (depending on the type of failure and where in the boot chain it occurred)

  #9 snakeninny (Rookie)

    After reading your words over and over, I'm still confused about the bootchain. Correct me if I'm wrong:

    When we were jailbreaking an iPhone, first we entered DFU/recovery mode, whose bootchain was bootrom->iBSS->iBEC->kernel / bootrom->LLB->iBoot->kernel. Most of the time the hackers could find a bootrom exploit in the USB connection. Thanks to this exploit, the signature check in the bootrom was modified so a custom LLB/iBSS/iBEC/iBoot/kernel could be bootstrapped; the signature check in the bootchain could even be removed completely, so actually the WHOLE bootchain was modified. After that the iPhone quit DFU/recovery and entered normal mode, whose bootchain was bootrom->LLB->iBoot->kernel->file system.

    According to this, a tethered jailbreak is quite easy to understand: we connect the iPhone to a PC via USB every time the iPhone boots. The jailbreak code exploits the bootrom vulnerability via USB and modifies the sig check process so unsigned code can be loaded and run, which leads to the jailbreak. HOWEVER, I don't know how an untethered jailbreak can exist. In my opinion, most untethered jailbreaks (like greenpois0n, redsn0w) use 2 or more exploits, one of which is in the bootrom. DHowett once told me that in this situation an untethered jailbreak was achieved by doing this: they used the tethered bootrom exploit to ENABLE another untethered exploit (I guess the bootrom exploit here only disables the sig check), say a kernel exploit. The kernel exploit did all the jailbreak things and made the jailbreak code stay permanently in the iPhone, where it runs at every boot, so you don't have to connect the iPhone via USB anymore. And here come my questions:

    1. What does the sig check in the bootchain do generally? I believe all the certificates and hashes are stored in NAND, which can be modified, right?
    2. What is the meaning of "disabling sig check"? Does the JB modify the certificates or something else? What does the jailbreak do to the sig check process exactly?
    3. In an untethered jailbreak: "they used the tethered bootrom exploit to ENABLE another untethered exploit; the untethered kernel exploit did all the jailbreak things and made the jailbreak code stay permanently in the iPhone." Even if the jailbreak code can stay in the iPhone, how can it run since it's not signed? I mean, without the bootrom exploit, any part that fails the sig check can't be loaded and run. So how can an untethered jailbreak do all these things without connecting via USB, i.e. not using the bootrom exploit after the FIRST jailbreak?

    I googled a lot, I thought a lot, but can't find the answer. Hope you can lend me a hand.
    Cheers, Lloyd

  #10 Olethros (Super Moderator)

    Quote Originally Posted by snakeninny:
        1. What does the sig check in the bootchain do generally? I believe all the certificates and hashes are stored in NAND, which can be modified, right?
    It's actually considered to be stored in NOR, not NAND (on newer iOS devices there is no NOR, but a special section of NAND is reserved for use as a virtual NOR).

    Yes, these NOR images can be modified (normally via loading a new IPSW in iTunes, but this is not the only way to modify the NOR).
    Apple has patented the secure boot process, so if you want to read in great detail how it works, the patent might be useful reading.
    Single Security Model In Booting A ... - Google Patents

    Prior to iOS 2.0 the NOR images were first stripped of their encryption/signature wrapper and then written to NOR. This meant that once you managed to find an exploit that allowed you to write your own unsigned binary image to NOR, the phone would happily boot from this modified image without any further checks.

    Since iOS 2.0 each binary image that is written to NOR is written with its encryption/signature wrapper intact. Additionally, the bootrom was modified in the iPod touch 2G (and all newer devices) to signature check the LLB before loading it. This will default back to DFU mode if the signature check fails.

    The "untethered boot" has been achieved in many different ways.

    Read up on Pwnage/Pwnage2 and 24kpwn; these are all exploits which rely on tricking the bootrom into booting an invalid LLB (and subsequent NOR images in the bootchain). These techniques worked as DHowett described: use a tethered exploit (either in the bootrom or in iBoot) to write the modified NOR images that implement the untethered exploit.

    Since 24kpwn was closed - there hasn't been another bootrom exploit found that allows booting normally with an invalid LLB.

    So the focus has changed to finding ways to exploit the kernel during boot (usually this will require multiple exploits) to patch the kernel in the required ways to allow jailbroken apps to run. In this situation, the boot chain (up to and including the kernel) is signed/valid SHSH as per an un-jailbroken iPhone.

    On the iPad 2, there are no public bootrom USB exploits.

    Quote Originally Posted by snakeninny:
        2. What is the meaning of "disabling sig check"? Does the JB modify the certificates or something else? What does the jailbreak do to the sig check process exactly?
        3. In an untethered jailbreak: "they used the tethered bootrom exploit to ENABLE another untethered exploit; the untethered kernel exploit did all the jailbreak things and made the jailbreak code stay permanently in the iPhone." Even if the jailbreak code can stay in the iPhone, how can it run since it's not signed? I mean, without the bootrom exploit, any part that fails the sig check can't be loaded and run. So how can an untethered jailbreak do all these things without connecting via USB, i.e. not using the bootrom exploit after the FIRST jailbreak?

        I googled a lot, I thought a lot, but can't find the answer. Hope you can lend me a hand.
    Don't confuse the kernel level "disable signature checking" with the bootrom/bootchain level "disable signature/SHSH checking"

    To use the iphone jailbroken, the kernel/sandbox restrictions imposed by Apple need to be removed/relaxed so that programs not signed by Apple can be run. This is done at the kernel level.

    To boot the iPhone jailbroken, each component in the bootchain (including the kernel) has to pass a signature check by the previous step in the bootchain. As I said before, the kernel exploits find a way to load (often by exploiting a flaw in loading a resource that the kernel needs during boot).
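A toy model of the policy Olethros lays out in posts #8 and #10 (the wrapper stripped from NOR images before iOS 2.0 versus kept intact since; the bootrom checking LLB from the iPod touch 2G on; a tethered exploit that only lasts one boot because the bootrom is read-only), as an added example in Python. It is not code from this thread, from Apple or from any jailbreak tool. The HMAC "signature", the ROM_KEY constant, the image payload bytes and the DFU-versus-recovery mapping on a failed check are assumptions of the model, not Apple's real image format or behaviour.

```python
"""Toy model of the boot-chain signature policy described in this thread.
Added example, not Apple's code and not any jailbreak tool's code. The HMAC
'signature', ROM_KEY and the DFU-vs-recovery mapping on failure are
assumptions of the model, not Apple's real image format or behaviour."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROM_KEY = b"toy-bootrom-verification-key"   # assumption: stands in for Apple's key
STAGES = ("LLB", "iBoot", "kernel")          # chain after the bootrom, as in post #1

@dataclass
class Image:
    stage: str
    payload: bytes
    wrapper_sig: Optional[bytes]   # None: wrapper stripped before writing to NOR (pre-iOS 2.0)

@dataclass(frozen=True)            # frozen: the bootrom is read-only, no jailbreak can rewrite it
class Policy:
    bootrom_checks_llb: bool       # False on iPhone 2G/3G, True from the iPod touch 2G on
    nor_keeps_wrapper: bool        # True from iOS 2.0 on

PRE_2_0 = Policy(bootrom_checks_llb=False, nor_keeps_wrapper=False)
MODERN = Policy(bootrom_checks_llb=True, nor_keeps_wrapper=True)

def apple_sign(stage: str, payload: bytes) -> bytes:
    """Only the holder of the signing key can produce a valid wrapper for an image."""
    return hmac.new(ROM_KEY, stage.encode() + payload, hashlib.sha256).digest()

def signature_ok(img: Image) -> bool:
    if img.wrapper_sig is None:      # stripped wrapper: nothing to verify, treated as unsigned
        return False
    return hmac.compare_digest(img.wrapper_sig, apple_sign(img.stage, img.payload))

def write_nor(policy: Policy, images: Dict[str, Image]) -> Dict[str, Image]:
    """Model a restore writing boot images to NOR; pre-2.0 strips the wrapper first."""
    if policy.nor_keeps_wrapper:
        return dict(images)
    return {s: Image(s, img.payload, None) for s, img in images.items()}

def boot(policy: Policy, nor: Dict[str, Image], tethered_patch: bool = False) -> Tuple[str, List[str]]:
    """Walk bootrom -> LLB -> iBoot -> kernel, each stage checking the next image.
    tethered_patch models a USB/DFU-time bootrom exploit that disables the checks
    for this boot only: nothing is written, so it is gone at the next power cycle.
    Returns (outcome, stages_run) with outcome in {'booted', 'DFU', 'recovery'}."""
    ran: List[str] = []
    for stage in STAGES:
        if stage == "LLB":
            must_check = policy.bootrom_checks_llb
        else:
            must_check = policy.nor_keeps_wrapper   # pre-2.0 stages had no wrapper to check
        if must_check and not tethered_patch and not signature_ok(nor[stage]):
            return ("DFU" if stage == "LLB" else "recovery"), ran
        ran.append(stage)
    return "booted", ran

def factory_images() -> Dict[str, Image]:
    """Constructed stand-ins for Apple-signed images; the payload bytes are made up."""
    out = {}
    for s in STAGES:
        payload = f"apple {s} build 4.x".encode()
        out[s] = Image(s, payload, apple_sign(s, payload))
    return out

def patch_stage(images: Dict[str, Image], stage: str) -> Dict[str, Image]:
    """A jailbreak patch to one stage (e.g. removing its check of the next stage)
    changes the bytes, so the Apple signature no longer matches."""
    out = dict(images)
    old = out[stage]
    out[stage] = Image(stage, old.payload + b" [sigcheck removed]", old.wrapper_sig)
    return out

def scenarios() -> Dict[str, str]:
    stock = factory_images()
    patched_llb = patch_stage(stock, "LLB")
    return {
        # unmodified device: every stage verifies the next, the kernel runs
        "stock": boot(MODERN, write_nor(MODERN, stock))[0],
        # pre-iOS 2.0 bootrom and NOR: a modified LLB boots with no further checks (Pwnage-style)
        "pre_2_0_patched_llb": boot(PRE_2_0, write_nor(PRE_2_0, patched_llb))[0],
        # iPod touch 2G and later: the bootrom rejects the modified LLB and drops to DFU
        "modern_patched_llb": boot(MODERN, write_nor(MODERN, patched_llb))[0],
        # same NOR, but a host on USB exploits the bootrom at each boot: a tethered jailbreak
        "modern_patched_llb_tethered": boot(MODERN, write_nor(MODERN, patched_llb), tethered_patch=True)[0],
        # a modified kernel image is rejected by iBoot, which is why untethered kernel
        # jailbreaks leave the signed chain intact and exploit the kernel after it loads
        "modern_patched_kernel": boot(MODERN, write_nor(MODERN, patch_stage(stock, "kernel")))[0],
    }
```

`scenarios()` returns booted, booted, DFU, booted and recovery for the five cases. The tethered case answers the question in post #9: `tethered_patch` writes nothing to NOR, so the same device rebooted without the USB host is the `modern_patched_llb` case and lands in DFU. Without a 24kpwn-class bootrom bug that lets an invalid LLB boot, an untethered jailbreak therefore has to keep the whole chain up to the kernel validly signed and do its patching from a kernel exploit after that, which is the situation Olethros describes for current devices.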
