March 31, 2013

Compiling the JailbreakMe.com 3.0 star_ exploit – episode 1

domi007 Brainstorming, Ethical Hacking comex, compile, exploit, how to compile, ios, ios 4.3, jailbreakme, jailbreakme 3.0, star_ 1 Comment

Previous episode – episode 0

So, last time I was just about to do some compiling, getting down to real work, right? Well, let’s have a look at the README file of star_:

How to use:
- git submodule init -u
- ln -s /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk /var/sdk
- add binaries to bs, e.g.
    mkdir iPhone2,1_4.3.3_8J2
    cp decrypted_kernel iPhone2,1_4.3.3_8J2/kern
    cp dyld_shared_cache_armv7 iPhone2,1_4.3.3_8J2/cache
    OR import an ipsw:
    grab https://github.com/posixninja/xpwn.git
    install "xpwntool", "hfsplus", and "dmg" to ~/xpwnbin/
    in here: cd config; python ipsw.py whatever.ipsw

- get t1utils and apply this patch: http://pastie.org/2251647
- get http://github.com/comex/xnu-env and point fs/xnu to it
- ./make.py pdf

As you can see it isn’t very long, but also not very detailed. Fortunately I was able to figure out that step 0 would be having a Mac OS X box up and running. Thanks to some guides I was able to do this pretty easily using VMware Player, and I have a Mac OS X 10.7.5 Lion machine up and running. I installed MacPorts, which is an essential component if you are planning on doing anything from the Terminal.

So, step 0 completed, let’s go on with step 1:

Cloning the GIT-repo and running the submodule init was pretty straightforward, except that the command in the README doesn’t work anymore, instead I did:

git submodule init
git submodule update

After that I had all the sources needed, let’s get to step 2 which is linking the SDK to /var/sdk. Well, it was kind of natural to me that I need to get the SDK from somewhere, which means going to the Mac AppStore, signing in with an Apple ID and install Xcode. If Xcode is installed you still need to find the SDK, here is what I have done:

find / -name iPhoneOS.platform
ln -s /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.1.sdk/ /var/sdk

You probably noticed, that I have a slightly different path and also iPhoneOS6.1.sdk, not 4.3. As far as I know this SDK still has support for iOS 4.3 in it (you can even select iOS 4.3 as your Build Target in Xcode), so this should not cause any problems.

All right, so far it hasn’t been very hard, let’s go to step 3, which is getting some required files from the IPSW file we need.

First of all I downloaded the IPSW file using idownloadblog.com. After that I tried to compile xpwn but I failed because somehow I wasn’t able to install CMake, so I searched the web and found some binaries of xpwntool which work great.

After that I thought I have everything to run the command, so why not give it a go?

mkdir bs          #this is the output dir and it needs to be there
cd config
python ipsw.py iPod3,1_4.3.3_8J2_Restore.ipsw

And BANG! an error:

Couldn't get keys for iPod3,1_4.3.3

Okay, let’s have a look at the Python script. After some minutes it was obvious that the script uses a file – keyz.txt to get decryption keys for the files inside of the IPSW. So I only needed to go to iphonewiki and get the keys for my iPod Touch. After I inserted the values to keyz.txt the script seemed to continue, but only after some seconds, it failed again:

lzssfile.c:createAbstractFileFromComp:112: mismatch: 4073636 7933935 7933952 ba 8a
error: cannot open infile

Well, that’s awkward, I mean what can I do with this? Fortunately there is one Google hit for this error message, which is from iphonewiki, this talk. According to the talk the solution is to give xpwntool the switch -decrypt and then later go on with manually processing the file (which is now decrypted but not decompressed).

So I did exactly that:

unzip iPod3,1_4.3.3_8J2_Restore.ipsw #Yeah, IPSW = ZIP :-)
~/xpwnbin/xpwntool kernelcache.n18 kernel_decrypted -k KEY -i IV -decrypt

Great, this finished without any errors, let’s get to the decompressing part. According to the book ‘iOS Internals’ (this part of it could als be read at Google Books for free) you need to open the file with ‘od’ find a specific pattern, then using the offset run the decompressor program which is called ‘lzssdec’. Well, od was easy to use since it is built into OS X as far as I know, so I only needed to get lzssdec. I found its source code easily with Google, so here is what I did:

g++ -o lzssdec lzssdec.cpp
od -A d -t x1 kern_decrypted | more
#Looking for a specific pattern: ce fa ed fe
lzssdec -o OFFSET < kern_decrypted > kern_final

If we were lucky in kern_final we have a decrypted and decompressed binary, let’s check it:

file kern_final
kern_final: Mach-O executable arm

Success, let’s move on!

Well, we have the kernel file, so now we need to get the other two files: cache and dyld. To do that the easiest way is to comment out the kernelcache stuff from ipsw.py and then just run it. This will create the missing two files in the directory SOURCE/bs. We need to copy kern to this folder too.

Awesome, we are almost there, right? What is next on the list?

get t1utils and apply this patch: http://pastie.org/2251647

Well, this isn’t hard, is it? First open the patch link, and look at the header:

t1utils-1.27/t1asm.c

So we need to get the source of t1utils-1.27, naturally Google is your friend. After you got the source unpacked proceed with standard patching-procedure:

cd t1utils-1.27
patch -p1 < PATCH_FILE_FROM_PASTIE

It should work without any errors, so all what is left is to compile and install:

./configure && make
sudo make install

Great, this was easy, let’s continue!

get http://github.com/comex/xnu-env and point fs/xnu to it

OK, this shouldn’t be a problem after what we came through, right? Git clone, ln -s done.

So, here is the big moment, let’s try the last command:

./make.py pdf

BANG, errors right in the face as my friend would say, what’s wrong? We shall see that in the next episode.