1.1.2 otb boot block break details at the iPhone "2G" (Rev. 1) - Hackint0sh.org
  1. #1 ianw (Rookie)

    1.1.2 otb boot block break details

    http://www.***********.com/blog/arch...-exploits.html

    Hardware exploit:
    The version check reads from 0xA0021000 and 0xA0021004 to get the version
    of the main firmware. It then compares the values [0xA0021000]==~[0xA0021004].
    If that check fails it ignores the version check. It is also the only bootloader access
    into high flash. So when A16 goes high, pull any data line high or low.
    That will cause the check to fail, and hence the version check to be skipped.
    And there shouldn't be any memory accesses in the bootloader, so it'll be fine.

    Software exploit:
    This exploit is in the way the secpack signature is padded.
    They did a lot to remove the really bad signature checking of the old bootloader
    that IPSF exploited. Although the secpack still has 0x28 bytes of data at the end
    that isn't checked for normal secpack sigs. The secpack sig is (0x30 header/padding,
    0x14 main fw sha, 0x14 secpack sha, 0x28 unchecked padding).
    So by spoofing the first 0x58 of the RSA, you can set any secpack and main fw sha hash
    you want. It is very easy in exponent 3 RSA cryptosystems to spoof the first 1/3 of the
    message bytes. With some clever math and brute force, the whole 0x58 can be spoofed.


    for those interested.
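An added illustration of the padding flaw from the verifier's side (example code written for this page, not geohot's or the bootloader's own): the offsets are the ones from the post, which add up to a 0x80-byte block; the fixed header bytes and the all-zero tail that a correct signer would produce are assumptions. The weak check compares only the first 0x58 bytes, so a block with the right digests but an arbitrary tail passes; the hardened check rebuilds the whole expected block and compares every byte.

```python
import hashlib
import hmac

# Secpack signature block layout as described in the post (byte offsets).
HDR_LEN = 0x30       # header/padding
SHA_LEN = 0x14       # SHA-1 digest
TAIL_LEN = 0x28      # trailing bytes the original check never looked at
CHECKED_LEN = HDR_LEN + 2 * SHA_LEN               # 0x58, the only part compared
BLOCK_LEN = CHECKED_LEN + TAIL_LEN                # 0x80, one 1024-bit RSA block

# Assumed, not from the page: what a legitimate signer puts in header and tail.
EXPECTED_HDR = b"\x00\x01" + b"\xff" * (HDR_LEN - 3) + b"\x00"
EXPECTED_TAIL = b"\x00" * TAIL_LEN


def expected_block(main_fw: bytes, secpack: bytes) -> bytes:
    """The full 0x80-byte value the decoded signature must equal."""
    return (EXPECTED_HDR + hashlib.sha1(main_fw).digest()
            + hashlib.sha1(secpack).digest() + EXPECTED_TAIL)


def weak_check(block: bytes, main_fw: bytes, secpack: bytes) -> bool:
    """Models the flawed verifier: only the first 0x58 bytes (header and the
    two digests) are compared; the 0x28-byte tail is ignored entirely."""
    if len(block) != BLOCK_LEN:
        return False
    return block[:CHECKED_LEN] == expected_block(main_fw, secpack)[:CHECKED_LEN]


def strict_check(block: bytes, main_fw: bytes, secpack: bytes) -> bool:
    """Hardened verifier: compare the entire decoded block, in constant time,
    so controlling only a prefix of the decoded value is not enough."""
    if len(block) != BLOCK_LEN:
        return False
    return hmac.compare_digest(block, expected_block(main_fw, secpack))


def demo() -> dict:
    # Constructed sample inputs; real images and secpacks are much larger.
    main_fw = b"constructed main firmware image"
    secpack = b"constructed secpack bytes"
    good = expected_block(main_fw, secpack)
    # Correct first 0x58 bytes, arbitrary tail: the shape the flaw lets through.
    bad_tail = good[:CHECKED_LEN] + bytes(range(TAIL_LEN))
    return {
        "weak_accepts_good": weak_check(good, main_fw, secpack),
        "weak_accepts_bad_tail": weak_check(bad_tail, main_fw, secpack),
        "strict_accepts_good": strict_check(good, main_fw, secpack),
        "strict_accepts_bad_tail": strict_check(bad_tail, main_fw, secpack),
    }
```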



  2. #2 (Rookie)

    Quote Originally Posted by ianw (post #1, quoted in full above)

    same old stuff... check geohot blog...

  3. #3 Horstbert (Professional)

    That's a quote from geohot's blog and nothing new here.

  4. #4 (Advanced)

    That's just what geohot posted a few days ago.. No?
    http://iphonejtag.blogspot.com/

  5. #5 ianw (Rookie)

    Sorry guys I searched for the url, and saw nothing, but yes old news..


  6. #6 (Rookie)

    Quote Originally Posted by ianw
    Sorry guys I searched for the url, and saw nothing, but yes old news..

    it's ok..
