Monday, October 7, 2013

It's Dumping Season!

Many of those who follow me attentively on Twitter noticed that I was asking for people jailbroken on 6.1.2 to email me to dump their kernels. Not many of you seemed to ask why, which is interesting :P

The 6.1.2 kernel dumps are crucial for locating specific functions within the kernel that are static between iOS 6.1.x kernel builds. This means functions such as "_START" within the kernel are located at the same location in 6.1.2 kernels and 6.1.3 kernels.

So, why do we need these? Simple. We need some static offsets for functions within the 6.1.2 kernel to utilize them in the 6.1.3 kernel, and dump the actual 6.1.3 kernel.

The 6.1.3 kernel is more essential, as some kexts, such as the sandbox kext, the signature check kexts [AMFI], etc., are not static and tend to shift their location on every recompile.
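To make the static-versus-shifted distinction concrete, here is an added Python example (not the author's dumping client) that takes two constructed kernel images, checks which named offsets still hold the same code bytes in the newer build, and relocates the ones that moved by searching for the old build's bytes. The function names, offsets and image contents are all constructed for the illustration.

```python
from typing import Dict, Optional, Tuple

def build_image(layout: Dict[int, bytes], size: int = 0x800) -> bytes:
    """Build a constructed stand-in for a kernel dump: filler bytes with
    small 'function bodies' placed at the given offsets."""
    img = bytearray(b"\xff" * size)
    for off, code in layout.items():
        img[off:off + len(code)] = code
    return bytes(img)

# Constructed code bytes standing in for three hypothetical kernel functions.
START_CODE = bytes(range(0x10, 0x20))
SANDBOX_CODE = bytes(range(0x40, 0x50))
AMFI_CODE = bytes(range(0x70, 0x80))

# "Old" build: every function at its original offset.
OLD = build_image({0x100: START_CODE, 0x300: SANDBOX_CODE, 0x500: AMFI_CODE})
# "New" build: _START is static, the sandbox routine shifted, the AMFI one is gone.
NEW = build_image({0x100: START_CODE, 0x340: SANDBOX_CODE})

# Offsets known from the old build (hypothetical names, constructed values).
FUNCS = {"_START": 0x100, "_sandbox_init": 0x300, "_amfi_check": 0x500}

def classify_offsets(old: bytes, new: bytes, funcs: Dict[str, int],
                     window: int = 16) -> Dict[str, Tuple[str, Optional[int]]]:
    """For each named offset, report whether it is 'static' (same bytes at the
    same offset in both builds), 'shifted' (bytes found elsewhere in the new
    build, with the new offset) or 'missing' (not found at all)."""
    result: Dict[str, Tuple[str, Optional[int]]] = {}
    for name, off in funcs.items():
        sig = old[off:off + window]          # signature taken from the old build
        if new[off:off + window] == sig:
            result[name] = ("static", off)
            continue
        idx = new.find(sig)                  # relocate by signature search
        result[name] = ("shifted", idx) if idx != -1 else ("missing", None)
    return result

if __name__ == "__main__":
    for name, (status, off) in classify_offsets(OLD, NEW, FUNCS).items():
        shown = f"0x{off:x}" if off is not None else "-"
        print(f"{name:15} {status:8} {shown}")
```

Only offsets reported as static can be reused blindly across builds; anything shifted or missing has to be re-located in a dump of the newer build, which is exactly why the 6.1.3 dumps are needed.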

So what's next? Time to start dumping the 6.1.3 kernels for devices we do not have (list below).

6.1.3/6.1.4 Kernels Dumped:

Dumped? Product ID Device Name Board Config
iPhone2,1 iPhone 3GS n88ap
iPhone3,1 iPhone 4 (GSM) n90ap
iPhone3,2 iPhone 4 (GSM-RevA) n90bap
iPhone3,3 iPhone 4 (CDMA) n92ap
iPhone4,1 iPhone 4S n94ap
iPhone5,1 iPhone 5 (GSM) n41ap
iPhone5,2 iPhone 5 (Global) n42ap
iPad2,1 iPad 2 (WiFi) k93ap
iPad2,2 iPad 2 (GSM) k94ap
iPad2,3 iPad 2 (CDMA) k95ap
iPad2,4 iPad 2 (WiFi-RevA) k93aap
iPad2,5 iPad mini (WiFi) p105ap
iPad2,6 iPad mini (GSM) p106ap
iPad2,7 iPad mini (Global) p107ap
iPad3,1 iPad 3 (WiFi) j1ap
iPad3,2 iPad 3 (CDMA) j2ap
iPad3,3 iPad 3 (GSM) j2aap
iPad3,4 iPad 4 (WiFi) p101ap
iPad3,5 iPad 4 (GSM) p102ap
iPad3,6 iPad 4 (Global) p103ap
iPod4,1 iPod touch 4 n81ap
iPod5,1 iPod touch 5 n78ap
* The iPhone 5 6.1.3 & 6.1.4 kernels have been dumped.

I have one of the devices listed above that is not dumped yet. How can I help?
  • Have an Intel-based Mac running 10.6 or above.
  • Email a screenshot of f0recast for Mac with the device connected to 
Why does it have to be a Mac?!
The client I wrote to dump the kernel over USB only runs on Intel-based Macs.

Does this mean a release after all the dumps are collected? :O
Not right after, but close. The kernel dumps will help us finish the untethers for these devices. Once that's done, we can finally begin writing the tool and finalizing everything.

I helped you dump a 6.1.2/6.1.3/6.1.4 kernel!
Thank you very very much!

Update #1 (Oct. 13): iPad2,1 - 6.1.3 kernel is dumped. More devices pending.
Update #2 (Oct. 14): iPod5,1 & iPad2,2 & iPad2,5 - 6.1.3 kernel is dumped. More devices pending.
Update #3 (Oct. 15): iPad2,4 & iPad2,7 - 6.1.3 kernel is dumped. More devices pending.
Update #4 (Oct. 16): iPad2,3 & iPad2,6 & iPad3,1 & iPad3,3 & iPad3,4 - 6.1.3 kernel is dumped. More devices pending.
Update #5 (Oct. 17): iPad3,6 - 6.1.3 kernel dumped. 2 more devices pending.
Update #6 (Oct. 18): iPad3,5 - 6.1.3 kernel dumped. iPad3,2 pending.
Update #7 (Oct. 21): iPad3,2 - 6.1.3 kernel is finally dumped. What follows next is finalization of the untether bootstrap. There is no knowing how long this will take, but we'll post an update when it's done. Then the tool creation will follow after that. Again, ETA is still before 2014.
Update #8 (Oct. 28): I've mentioned this on Twitter, but seeing as A5+ devices are going to take a while, we'll probably end up releasing the iPhone 3GS/A4 6.1.3 untether via a Cydia package after the bootstrap for it is completed. Still no ETA as to when it will be finished, but still aiming for before 2014.
Update #9 (Nov. 1): People are probably wondering why focus on A5+ devices is being lowered in priority. This is not because of difficulties, it is actually because it turns out a few of the vulns we were planning on using still work on iOS 7 (kind of exciting [yes and no]). We do not want to publish these vulns as they have the potential of being used in a future iOS 7.x A5+ jailbreak. With that being said, we are not removing our focus on an A5+ 6.1.3/6.1.4 jailbreak completely. We are looking for some vulns that exist in 6.1.3/6.1.4 but not iOS 7. The problem is... in terms of security iOS 7 looks like an iOS 6.2 :P. This wouldn't be a problem if Apple did not silently kill the lockdown socket bug. We were initially planning on using that vuln to recycle the shebang attack used in evasi0n to remount the rootfs, but when I found out it was patched, I initially said it wouldn't halt the progress of the jb. This was before we found out the other vuln we had to get root and remount the rootfs as r/w still works in iOS 7. So as I said above, we are currently working on getting the A4 untether bootstrap finished. After that, we will resume looking into the A5+ possibility. If worst comes to worst, we'll release it alongside evad3r's iOS 7 jb to prevent disclosing any more vulns.
Update #10 (Dec. 21):
Update #11 (Dec. 23): Packaging the 3GS+A4 untether for 6.1.3+6.1.5 as I'm typing this. Should be up on saurik's repo. Will update this when that happens.