{"id":331,"date":"2013-03-31T20:58:27","date_gmt":"2013-03-31T20:58:27","guid":{"rendered":"http:\/\/domonkos.tomcsanyi.net\/?p=331"},"modified":"2013-03-31T21:05:17","modified_gmt":"2013-03-31T21:05:17","slug":"compiling-the-jailbreakme-com-3-0-star_-exploit-episode-1","status":"publish","type":"post","link":"https:\/\/domonkos.tomcsanyi.net\/?p=331","title":{"rendered":"Compiling the JailbreakMe.com 3.0 star_ exploit \u2013 episode 1"},"content":{"rendered":"<p><a href=\"https:\/\/domonkos.tomcsanyi.net\/?p=329\">Previous episode &#8211; episode 0<\/a><\/p>\n<p>So, last time I was just about to do some compiling, getting down to real work, right? Well, let&#8217;s have a look at the README file of star_:<\/p>\n<pre>How to use:\r\n- git submodule init -u\r\n- ln -s \/Developer\/Platforms\/iPhoneOS.platform\/Developer\/SDKs\/iPhoneOS4.3.sdk \/var\/sdk\r\n- add binaries to bs, e.g.\r\n    mkdir iPhone2,1_4.3.3_8J2\r\n    cp decrypted_kernel iPhone2,1_4.3.3_8J2\/kern\r\n    cp dyld_shared_cache_armv7 iPhone2,1_4.3.3_8J2\/cache\r\n    OR import an ipsw:\r\n    grab <a href=\"https:\/\/github.com\/posixninja\/xpwn.git\">https:\/\/github.com\/posixninja\/xpwn.git<\/a>\r\n    install \"xpwntool\", \"hfsplus\", and \"dmg\" to ~\/xpwnbin\/\r\n    in here: cd config; python ipsw.py whatever.ipsw\r\n\r\n- get t1utils and apply this patch: <a href=\"http:\/\/pastie.org\/2251647\">http:\/\/pastie.org\/2251647<\/a>\r\n- get <a href=\"http:\/\/github.com\/comex\/xnu-env\">http:\/\/github.com\/comex\/xnu-env<\/a> and point fs\/xnu to it\r\n- .\/make.py pdf<\/pre>\n<p>As you can see it isn&#8217;t very long, but also not very detailed. Fortunately I was able to figure out that step 0 would be having a Mac OS X box up and running. Thanks to some guides I was able to do this pretty easily using VMware Player, and I now have a Mac OS X 10.7.5 Lion machine up and running. 
I installed MacPorts, which is an essential component if you are planning on doing anything from the Terminal.<\/p>\n<p>So, step 0 completed, let&#8217;s go on with step 1:<\/p>\n<p>Cloning the Git repo and running the submodule init was pretty straightforward, except that the command in the README doesn&#8217;t work anymore; instead I did:<\/p>\n<pre>git submodule init\r\ngit submodule update<\/pre>\n<p>After that I had all the sources needed; let&#8217;s get to step 2, which is linking the SDK to \/var\/sdk. Well, it was kind of natural to me that I needed to get the SDK from somewhere, which means going to the Mac AppStore, signing in with an Apple ID and installing Xcode. If Xcode is installed you still need to find the SDK; here is what I did:<\/p>\n<pre>find \/ -name iPhoneOS.platform\r\nln -s \/Applications\/Xcode.app\/Contents\/Developer\/Platforms\/iPhoneOS.platform\/Developer\/SDKs\/iPhoneOS6.1.sdk\/ \/var\/sdk<\/pre>\n<p>You probably noticed that I have a slightly different path and also iPhoneOS6.1.sdk, not 4.3. As far as I know this SDK still has support for iOS 4.3 in it (you can even select iOS 4.3 as your Build Target in Xcode), so this should not cause any problems.<\/p>\n<p>All right, so far it hasn&#8217;t been very hard, let&#8217;s go to step 3, which is getting some required files from the IPSW file we need.<\/p>\n<p>First of all I downloaded the IPSW file using <a href=\"http:\/\/idownloadblog.com\">idownloadblog.com<\/a>. After that I tried to compile xpwn but I failed because somehow I wasn&#8217;t able to install CMake, so I searched the web and found some binaries of xpwntool which work great.<\/p>\n<p>After that I thought I had everything to run the command, so why not give it a go?<\/p>\n<pre>mkdir bs          # this is the output dir and it needs to be there\r\ncd config\r\npython ipsw.py iPod3,1_4.3.3_8J2_Restore.ipsw<\/pre>\n<p>And BANG! 
an error:<\/p>\n<pre>Couldn't get keys for iPod3,1_4.3.3<\/pre>\n<p>Okay, let&#8217;s have a look at the Python script. After some minutes it was obvious that the script uses a file, keyz.txt, to get decryption keys for the files inside the IPSW. So I only needed to go to <a href=\"http:\/\/theiphonewiki.com\/wiki\/VFDecrypt_Keys\">iphonewiki<\/a> and get the keys for my iPod Touch. After I inserted the values into keyz.txt the script seemed to continue, but after a few seconds it failed again:<\/p>\n<pre>lzssfile.c:createAbstractFileFromComp:112: mismatch: 4073636 7933935 7933952 ba 8a\r\nerror: cannot open infile<\/pre>\n<p>Well, that&#8217;s awkward, I mean what can I do with this? Fortunately there is one Google hit for this error message, from iphonewiki: <a href=\"http:\/\/theiphonewiki.com\/wiki\/Talk:Northstar_7D11_%28iPhone%29\">this talk<\/a>. According to the talk the solution is to give xpwntool the switch -decrypt and then go on with manually processing the file (which is now decrypted but not decompressed).<\/p>\n<p>So I did exactly that:<\/p>\n<pre>unzip iPod3,1_4.3.3_8J2_Restore.ipsw # Yeah, IPSW = ZIP :-)\r\n~\/xpwnbin\/xpwntool kernelcache.n18 kernel_decrypted -k KEY -i IV -decrypt<\/pre>\n<p>Great, this finished without any errors, let&#8217;s get to the decompressing part. According to the book &#8216;iOS Internals&#8217; (this part of it can also be read at <a href=\"http:\/\/books.google.hu\/books?id=bzZO64m3iS0C&amp;pg=PA223&amp;lpg=PA223&amp;dq=%22od+-A+d+-t+x1%22+ios&amp;source=bl&amp;ots=JB99ZLJaB0&amp;sig=u3V8AB1EYW3eLVkKtwQRu9dYwzQ&amp;hl=en&amp;sa=X&amp;ei=SZ5YUZSwM8jAtAbLloDACA&amp;ved=0CCkQ6AEwAA#v=onepage&amp;q=%22od%20-A%20d%20-t%20x1%22%20ios&amp;f=false\">Google Books for free<\/a>) you need to open the file with &#8216;od&#8217;, find a specific pattern, then use the offset to run the decompressor program, which is called &#8216;lzssdec&#8217;. 
Well, od was easy to use since it is built into OS X as far as I know, so I only needed to get lzssdec. I found its source code easily with Google, so here is what I did:<\/p>\n<pre>g++ -o lzssdec lzssdec.cpp\r\nod -A d -t x1 kernel_decrypted | more\r\n# Looking for a specific pattern: ce fa ed fe\r\nlzssdec -o OFFSET &lt; kernel_decrypted &gt; kern_final<\/pre>\n<p>If we were lucky, kern_final now contains a decrypted and decompressed binary; let&#8217;s check it:<\/p>\n<pre>file kern_final\r\nkern_final: Mach-O executable arm<\/pre>\n<p>Success, let&#8217;s move on!<\/p>\n<p>Well, we have the kernel file, so now we need to get the other two files: cache and dyld. The easiest way to do that is to comment out the kernelcache stuff from ipsw.py and then just run it. This will create the missing two files in the directory SOURCE\/bs. We need to copy kern to this folder too.<\/p>\n<p>Awesome, we are almost there, right? What is next on the list?<\/p>\n<pre>get t1utils and apply this patch: <a href=\"http:\/\/pastie.org\/2251647\">http:\/\/pastie.org\/2251647<\/a><\/pre>\n<p>Well, this isn&#8217;t hard, is it? First open the patch link, and look at the header:<\/p>\n<pre>t1utils-1.27\/t1asm.c<\/pre>\n<p>So we need to get the source of t1utils-1.27; naturally, Google is your friend. After you have unpacked the source, proceed with the standard patching procedure:<\/p>\n<pre>cd t1utils-1.27\r\npatch -p1 &lt; PATCH_FILE_FROM_PASTIE<\/pre>\n<p>It should work without any errors, so all that is left is to compile and install:<\/p>\n<pre>.\/configure &amp;&amp; make\r\nsudo make install<\/pre>\n<p>Great, this was easy, let&#8217;s continue!<\/p>\n<pre>get <a href=\"http:\/\/github.com\/comex\/xnu-env\">http:\/\/github.com\/comex\/xnu-env<\/a> and point fs\/xnu to it<\/pre>\n<p>OK, this shouldn&#8217;t be a problem after what we have been through, right? 
Git clone, ln -s done.<\/p>\n<p>So, here is the big moment, let&#8217;s try the last command:<\/p>\n<pre>.\/make.py pdf<\/pre>\n<p>BANG, errors right in the face as my friend would say, what&#8217;s wrong? We shall see that in the next episode.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Previous episode &#8211; episode 0 So, last time I was just about to do some compiling, getting down to real work, right? Well, let&#8217;s have a look at the README file of star_: How to use: &#8211; git submodule init -u &#8211; ln -s \/Developer\/Platforms\/iPhoneOS.platform\/Developer\/SDKs\/iPhoneOS4.3.sdk \/var\/sdk &#8211; add binaries to bs, e.g. mkdir iPhone2,1_4.3.3_8J2 cp [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false},"categories":[5,3],"tags":[91,90,93,96,88,94,89,95,92],"_links":{"self":[{"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/posts\/331"}],"collection":[{"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=331"}],"version-history":[{"count":4,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/posts\/331\/revisions"}],"predecessor-version":[{"id":335,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=\/wp\/v2\/posts\/331\/revisions\/335"}],"wp:attachment":[{"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=
331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/domonkos.tomcsanyi.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}