<b>Mostly iPhone hacking</b> - Spending nights in IDA so that you don't have to.. (msft.guy)<br />
<br />
<b>Automatic SSH ramdisk creation and loading</b> (2012-01-11, updated 2016-08-10)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
A <a href="https://sites.google.com/site/msftguy/file/ssh_rd_rev04b.jar">runnable JAR archive</a> - works on OS X or Windows; needs a <a href="http://download.oracle.com/otn-pub/java/jdk/7/jre-7-windows-i586-iftw.exe">32-bit JRE on Windows</a>.<br />
Supported devices - hopefully everything Syringe supports (devices with <a href="http://theiphonewiki.com/wiki/index.php?title=S5L8930">A4 chips</a> and lower) plus iPhone 2G, iPhone 3G and iPod Touch 1G.<br />
The tool automatically downloads the required files from Apple using <a href="http://twitter.com/planetbeing">@planetbeing</a>'s <a href="https://github.com/planetbeing/partial-zip">Partial Zip</a>, patches them and sends them to the device.<br />
If everything works as it should, the only thing you need is an SSH client.<br />
Credits:<br />
<br />
Made possible thanks to Camilo Rodrigues (<a href="http://twitter.com/allpluscomputer">@Allpluscomputer</a>)<br />
<br />
Including xpwn source code by the <a href="http://blog.iphone-dev.org/">iPhone Dev Team</a> and <a href="http://twitter.com/planetbeing">@planetbeing</a><br />
Including syringe source code by <a href="http://chronic-dev.org/blog/">Chronic-Dev</a> and <a href="http://twitter.com/p0sixninja">@posixninja</a><br />
syringe exploits by <a href="http://twitter.com/pod2g">@pod2g</a>, <a href="http://geohot.com/">geohot </a>& <a href="http://twitter.com/p0sixninja">@posixninja</a><br />
pwnage2 exploit by <a href="http://blog.iphone-dev.org/">iPhone Dev Team</a><br />
Special thanks to <a href="http://twitter.com/ih8sn0w">@iH8sn0w</a><br />
<a href="http://code.google.com/p/iphone-dataprotection">code.google.com/p/iphone-dataprotection</a> - EMF tools and kernel patches<br />
<br />
To see more verbose output, run it from the command line: <i>java -jar ssh_rd_rev04b.jar</i><br />
<a href="https://github.com/msftguy/ssh-rd">Source on github</a>.<br />
<br />
Changelog:<br />
* [01/15/12] updated to rev02b: colorized log messages; more prominent success message; exception traces; usb_mux starts immediately on app launch, so you can restart the app and reconnect SSH without having to go through DFU again<br />
* [01/18/12] rev02c: iPhone 4 CDMA actually works now; iPhone 3G should as well - please leave a comment if it doesn't ..<br />
* [01/20/12] rev02d: Should work with iTunes >= 10.0 and Windows XP.<br />
* [01/25/12] rev03: Added 'ls' ;). Added an auto-mount script. Added bin paths from /mnt1 to PATH in .profile.<br />
* [01/26/12] Added a <a href="http://www.youtube.com/watch?v=1dh5loiX1dU">YouTube video demo</a><br />
* [02/05/12] rev03b: Fixed Snow Leopard compatibility<br />
* [03/07/12] rev03c: Using fw 4.2.1 with iPhone 3G (instead of 4.0.1 in earlier builds)<br />
* [07/09/12] rev04a: Added <b>device_infos</b> tool from <a href="http://code.google.com/p/iphone-dataprotection">code.google.com/p/iphone-dataprotection</a> - if the user volume is corrupted, you can image it and decrypt it with <b>emf_decrypter.py</b> (see <a href="http://code.google.com/p/iphone-dataprotection/wiki/README">Readme</a>). Also, local ipsw files are used if present (for offline use).<br />
* [06/29/13] rev04b: Fixed crash when connecting iOS7 devices on OS X and DLL load errors on Windows.<br />
<div>
<br /></div>
<b><span style="font-size: large;"><a href="https://github.com/msftguy/ssh-rd/wiki/Reporting-bugs">How to report bugs</a></span></b><br />
<br />
<a href="https://github.com/msftguy/ssh-rd/wiki/Windows-How-To" style="font-size: x-large;"><b>Windows How-To</b></a><br />
<br />
<b><span style="font-size: large;">Video demo:</span></b> <a href="https://www.youtube.com/watch?v=1dh5loiX1dU">YouTube</a><br />
</div>
<b>Lion, Time Machine and AFP feature bits.</b> (2011-07-27, updated 2013-06-29)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<span class="Apple-style-span" style="font-size: x-small;">Update2: SMB should be supported in the _r2 version. Probably not a very good idea unless your network connection is solid. Also remember that you can't restore the whole system from a TM image on an SMB share.. at least not from the OS X boot disk.</span><br />
<span class="Apple-style-span" style="font-size: x-small;">Update1: Please try updating your NAS firmware first; most manufacturers will be releasing updates that make their devices Lion-compatible in the near future.</span><br />
<span class="Apple-style-span" style="font-size: x-small;">These new flags, made mandatory in Lion, help with AFP session recovery after network connection loss, so you will be at a higher risk of data corruption when using this workaround over spotty WiFi.</span><br />
<br />
'The network backup disk does not support the required AFP features' message means that<br />
Lion's backupd now <i>requires</i> 'TM Lock Stealing' and 'Server Reply Cache' AFP features on all TM destinations.<br />
<br />
The <a href="http://www.engadget.com/2007/11/10/how-to-enable-time-machine-on-unsupported-volumes/">TMShowUnsupportedNetworkVolumes</a> workaround affects the UI but has no effect on actual daemon behaviour.<br />
So, seeing as how I'm not going to buy a Time Capsule any time soon, an idea was born:<br />
What if we could <i>make</i> backupd work with those unsupported volumes and unleash any potentially data-munching-monster-ish bugs this unsupportedness shall surely entail? Sounds like a plan!<br />
<br />
<span class="Apple-style-span" style="background-color: yellow;">tldr</span>: <a href="https://github.com/downloads/msftguy/backupd-afpbits/backupd_anyafp_r2.zip">Download</a>, unzip and run the script.<br />
<br />
^^ A dylib that fakes those new shiny AFP feature bits for your old musty half-dead early 20th century NAS-o-saurus.<br />
<br />
Disclaimer: Use at your own risk; data-corru¾*{5Ă‹# may occur!<br />
<br />
Boring tech details: just read the <a href="https://github.com/msftguy/backupd-afpbits/blob/master/main.c">source</a>.</div>
<b>Ultrasn0w (with preserved baseband) on 4.3..</b> (2011-01-17)<br />
NO NEW UNLOCKS HERE! FOR USERS WITH BB VERSIONS CURRENTLY SUPPORTED BY ultrasn0w ONLY! PLEASE RTFM!<br />
<br />
4.3 seems to have enabled slidable image address randomization (<a href="http://en.wikipedia.org/wiki/Address_space_layout_randomization">ASLR</a>). This broke ultrasn0w code that naively used 0x1000 as the main executable base address. On top of that, its FindReference function was using hardcoded offset/xref pairs for slidable images, which means every fw update will break it.<br />
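The slide computation that replaces a hardcoded 0x1000 base, as an added example (not the ultrasn0w-fixer code, which this post links to but does not show): a 32-bit Mach-O header is walked for its __TEXT segment, and the difference between where the header actually sits and the vmaddr __TEXT was linked for is the ASLR slide, which is then added to any address noted from the on-disk binary. The struct layouts, the constructed sample image and the addresses are assumptions; in a live process, dyld's _dyld_get_image_header(0) and _dyld_get_image_vmaddr_slide(0) return the same header pointer and slide directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal 32-bit Mach-O layouts, declared here so this builds without
 * <mach-o/loader.h>; field order and sizes match Apple's definitions. */
#define MH_MAGIC   0xfeedfaceu
#define LC_SEGMENT 0x1u
struct mach_header  { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags;
};

/* Walk the load commands and report the link-time vmaddr of __TEXT, i.e. the
 * base the image was laid out for (0x1000 for a classic iOS main executable).
 * Returns 0 if the header is not 32-bit Mach-O or the commands are malformed. */
static int text_vmaddr(const struct mach_header *mh, uint32_t *vmaddr)
{
    const uint8_t *p = (const uint8_t *)(mh + 1), *end = p + mh->sizeofcmds;
    if (mh->magic != MH_MAGIC)
        return 0;
    for (uint32_t i = 0; i < mh->ncmds; i++) {
        const struct load_command *lc = (const struct load_command *)p;
        if ((size_t)(end - p) < sizeof *lc || lc->cmdsize < sizeof *lc ||
            (size_t)(end - p) < lc->cmdsize)
            return 0;                           /* truncated, or a lying cmdsize */
        if (lc->cmd == LC_SEGMENT && lc->cmdsize >= sizeof(struct segment_command)) {
            const struct segment_command *sc = (const struct segment_command *)p;
            if (strncmp(sc->segname, "__TEXT", sizeof sc->segname) == 0) {
                *vmaddr = sc->vmaddr;
                return 1;
            }
        }
        p += lc->cmdsize;
    }
    return 0;
}

/* ASLR slide = where the header actually sits minus where __TEXT was linked.
 * Without ASLR this is 0, which is why assuming "base is 0x1000" used to work. */
static int image_slide(const struct mach_header *mh, intptr_t *slide)
{
    uint32_t vmaddr;
    if (!text_vmaddr(mh, &vmaddr))
        return 0;
    *slide = (intptr_t)((uintptr_t)mh - vmaddr);
    return 1;
}

/* Rebase an address taken from the on-disk binary (an xref noted in IDA)
 * into the running process. */
static uintptr_t rebase(uint32_t unslid_addr, intptr_t slide)
{
    return (uintptr_t)unslid_addr + (uintptr_t)slide;
}

/* Constructed sample image (an assumption, not a real binary): a header plus
 * __TEXT and __DATA segments linked for base 0x1000, with no code inside. */
struct sample_image { struct mach_header mh; struct segment_command text, data; };
static const struct sample_image sample = {
    .mh   = { MH_MAGIC, 12 /* CPU_TYPE_ARM */, 9 /* ARM_V7 */, 2 /* MH_EXECUTE */,
              2, 2 * sizeof(struct segment_command), 0 },
    .text = { LC_SEGMENT, sizeof(struct segment_command), "__TEXT",
              0x1000, 0x3000, 0,      0x3000, 5, 5, 0, 0 },
    .data = { LC_SEGMENT, sizeof(struct segment_command), "__DATA",
              0x4000, 0x1000, 0x3000, 0x1000, 3, 3, 0, 0 },
};

/* Wherever this process happened to place 'sample' plays the role of the
 * randomized load address; the slide is its distance from 0x1000. */
static intptr_t sample_slide(void)
{
    intptr_t slide = 0;
    image_slide(&sample.mh, &slide);
    return slide;
}

/* A header whose sizeofcmds cannot hold its own load commands must be rejected
 * rather than read past its end. */
static int truncated_header_is_rejected(void)
{
    struct sample_image bogus = sample;
    intptr_t slide;
    bogus.mh.sizeofcmds = 40;                   /* shorter than one LC_SEGMENT */
    return image_slide(&bogus.mh, &slide) == 0;
}

int main(void)
{
    intptr_t slide = sample_slide();
    printf("header at %p, slide 0x%lx, xref 0x2f40 now at 0x%lx\n",
           (const void *)&sample, (unsigned long)slide,
           (unsigned long)rebase(0x2f40, slide));
    return 0;
}
```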
So, I've written a small dylib that works around those issues.<br />
<a href="https://github.com/msftguy/ultrasn0w-fixer">https://github.com/msftguy/ultrasn0w-fixer</a><br />
<br />
Only tested on 3GS; will require changes for next betas.
<br />
<b>Booting SSH ramdisk on new devices</b> (2010-11-20, updated 2012-01-12)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="background-color: yellow;"><span style="font-size: large;">This information is deprecated; please use the <a href="http://msftguy.blogspot.com/2012/01/automatic-ssh-ramdisk-creation-and.html"><b>new automatic tool here</b></a>.</span></span><br />
<br />
Geohot has recently made his limera1n exploit publicly available: time to update the instructions for new devices.<br />
<ul>
<li>Build the ramdisk as described in <a href="http://msftguy.blogspot.com/2010/05/working-ramdisk-with-ssh.html">http://msftguy.blogspot.com/2010/05/working-ramdisk-with-ssh.html</a></li>
<li>Download the tetheredboot utility from <a href="https://github.com/msftguy/syringe/downloads">https://github.com/msftguy/syringe/downloads</a></li>
<li>Make 4.1 custom ipsw with PwnageTool or SnowBreeze</li>
<li>Extract ibss and kernelcache files from custom ipsw</li>
<li>Put the device in DFU mode</li>
<li>Use <a href="https://github.com/msftguy/syringe/downloads">tetheredboot utility</a> to load the ramdisk: <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">tetheredboot -i iBSS.<b>_CPU_</b>ap.RELEASE.dfu -k kernelcache.release.<b>_CPU_</b> -r 0<b>XX-XXX-XXX</b>.dmg.ssh</span></li>
<li>Use itunnel_mux to forward the SSH connection: <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">itunnel_mux --lport 22</span></li>
</ul>
<div>
<b><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;">Troubleshooting</span></b></div>
<div>
<ul>
<li>If tetheredboot fails to load the ramdisk (which tends to happen with large ramdisks), you can try using itunnel_mux to load kernel and ramdisk: </li>
<ul>
<li><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">tetheredboot -i iBSS.<b>_CPU_</b>ap.RELEASE.dfu</span></li>
<li><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">itnl --kernelcache kernelcache.release.<b>_CPU_</b> --devicetree DeviceTree.<b>_CPU_</b>ap.img3 --ramdisk 0<b>XX-XXX-XXX</b>.dmg.ssh </span></li>
</ul>
</ul>
</div>
<div>
<b>Copyrights</b></div>
<ul>
<li>tetheredboot utility is basically <a href="https://github.com/Chronic-Dev/syringe">Chronic-Dev's syringe</a> with some minor changes.</li>
<li>chronic dev team Twitter: <a href="http://twitter.com/#!/chronicdevteam">http://twitter.com/#!/chronicdevteam</a></li>
<li>posixninja's Twitter: <a href="http://twitter.com/#!/p0sixninja">http://twitter.com/#!/p0sixninja</a></li>
</ul>
</div>
<b>Booting 4.2 bundle - instructions</b> (2010-11-07, updated 2010-11-20)<br />
<b>Instructions</b><br />
<ul><li>Download the appropriate tetheredboot binary for Windows or OS X from <a href="https://github.com/msftguy/syringe/downloads">https://github.com/msftguy/syringe/downloads</a></li>
<ul><li><span class="Apple-style-span" style="font-size: x-small;">Update: OS X version does NOT need libUSB from MacPorts any more.</span></li>
</ul><li>Put the device in DFU mode</li>
<li>Use the command line <b>tetheredboot -i iBSS.<span class="Apple-style-span" style="color: red;">CPU</span>ap.RELEASE.dfu -k kernelcache.release.<span class="Apple-style-span" style="color: red;">CPU</span></b> to boot, where <b><span class="Apple-style-span" style="color: red;">CPU</span></b> is k48 for iPad and n90 for iPhone 4</li>
<ul><li>These files (iBSS and kernelcache) need to be extracted from custom ipsw you made using the bundle!</li>
</ul></ul><b>Bundles</b><br />
<div><ul><li>Look here for bundles: <a href="https://sites.google.com/site/msftguy/file/">https://sites.google.com/site/msftguy/file/</a></li>
</ul><b>Notes</b><br />
<ul><li>Cydia does not work. Use apt-get instead. Or use <a href="https://sites.google.com/site/msftguy/file/cy.zip">this Cydia patch</a>.</li>
<li>Boot does not have to be tethered, but unless you use tethered boot, unsigned apps (including SSH) won't work.</li>
<li><u>If you run the space.sh script, either by fixing Cydia and letting it 'reorganize' or by NOT running <b>atvBundlePatcher.sh</b> (see readme.rtf in the bundle zip), you will screw up Safari and some other apps when booting untethered.</u></li>
</ul><div><b>Copyrights</b></div><ul><li>tetheredboot utility is basically <a href="https://github.com/Chronic-Dev/syringe">Chronic-Dev's syringe</a> with some minor changes. </li>
<li>chronic dev team Twitter: <a href="http://twitter.com/#!/chronicdevteam">http://twitter.com/#!/chronicdevteam</a></li>
<li>posixninja's Twitter: <a href="http://twitter.com/#!/p0sixninja">http://twitter.com/#!/p0sixninja</a></li>
</ul></div><div><br />
<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small; white-space: pre-wrap;"><a href="https://wave.google.com/wave/waveref/googlewave.com/w+7VxO0zp4A">Discussion wave</a></span><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small; white-space: pre-wrap;"> </span><br />
</div>
<b>Data recovery: not just for iBoot-pwned devices</b> (2010-07-08, updated 2010-11-09)<br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><u><b>Deprecated</b>:</u> Now you can use greenpois0n to load an SSH ramdisk on any new device.<br />
<br />
<span class="Apple-style-span" style="background-color: yellow;">Update: wrote a tool to generate upgrade IPSWs automatically</span><br />
iPad data recovery!</div><div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">If your user data partition is not corrupted, it's possible to get your data back (say, after some Cydia app made your oversized iTouch hang on boot!)</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><br />
</div></div>Should also work for iOS 4.0 new bootrom 3GS iPhones and 3G iTouches.<br />
<br />
<b>Will it work if you were jailbroken with:</b><br />
PwnageTool: Not recommended/might work<br />
<div>SnowBreeze: Not recommended/might work<br />
<div>Spirit: <span class="Apple-style-span" style="background-color: lime;">YES</span><br />
<div>redsn0w: <span class="Apple-style-span" style="background-color: lime;">YES</span><br />
<div>blackra1n: <span class="Apple-style-span" style="background-color: lime;">YES</span><br />
<div>Not jailbroken: <span class="Apple-style-span" style="background-color: lime;">YES</span><br />
<br />
<b>Other necessary conditions:</b><br />
<div><div><div>Mountable user data volume - not always the case!<br />
<br />
<b>Other warnings:</b><br />
You'll obviously lose your jailbroken state and will have to re-Spirit if using iPad or just back up and restore if using a <b>PwnageTool/SnowBreeze</b> iOS4 jailbreak!<br />
<br />
<b>When should you use this method?</b><br />
<ul><li>You have an iDevice that does not boot (stuck in DFU/on Apple logo) with important data on it (kids pix, financial reports, names of Russian spies)</li>
<li>You are <b>not</b> jailbroken with PwnageTool/redsn0w/blackra1n/Sn0wbreeze</li>
<ul><li>If you are jailbroken using one of those jailbreak methods, check out the <a href="http://msftguy.blogspot.com/2010/05/working-ramdisk-with-ssh.html">SSH ramdisk method</a> first, as it <i>guarantees</i> non-destructive recovery.</li>
</ul><li>You don't need the device to remain jailbroken/unlocked or can jailbreak/unlock a device that has been restored to latest firmware version.</li>
</ul><b>Download:</b><br />
<a href="http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/detail?name=make_noerase_ipsw_r1.exe">Windows version</a>, <a href="http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/source/browse/trunk/make_noerase_ipsw/make_noerase_ipsw.py">Python source</a><br />
<br />
<b>Usage:</b><br />
Use <b>current </b>firmware version that is still being signed by Apple (4.1 ATM)!<br />
Drag and drop original unmodified IPSW file over the tool icon, wait for it to generate a <u>UPG_...ipsw</u> file, restore to that using iTunes.<br />
Make sure you've read the necessary conditions and warnings sections!<br />
<br />
Look at the source code if you want an insight into what exactly happens here.<br />
<br />
<a href="https://wave.google.com/wave/waveref/googlewave.com/w+6bUhe_5vA">Comment wave</a></div></div></div>
</div></div></div></div></div>
<b>iRecovery functionality on Windows without libUSB</b> (2010-07-07, updated 2010-07-11)<br />
<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small; white-space: pre-wrap;"><a href="http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/detail?name=itunnel_mux_r6.exe" style="font-family: monospace; font-weight: bold;">itunnel_mux_rev6.exe</a> <- this unfortunately named tool now supports loading stuff into iBoot, including USB exploit payloads.</span><br />
<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small; white-space: pre-wrap;">Usage example: </span><br />
<pre>itunnel_mux_rev6.exe --ibss iBSS.n88ap.RELEASE.dfu --exploit exploit --ibec
iBEC.n88ap.RELEASE.dfu --ramdisk 018-6461-399.dmg.ssh --devicetree
DeviceTree.n88ap.img3 --kernelcache kernelcache.release.n88</pre><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small; white-space: pre-wrap;">Due to some hardcoded structure offsets that are still left in, this will probably only work with iTunes 9.2.</span><br />
<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: small; white-space: pre-wrap;"><a href="http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/detail?name=rev6-debug.zip">Debug build</a> (with a PDB) - please send your crash reports (.mdmp files)!</span>
<br />
<b>OLD BOOTROM + Spirit => 4.0 JB</b> (2010-06-23, updated 2010-08-04)<br />
<a href="http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r3.zip&can=2&q="><span class="Apple-style-span" style="background-color: #fff2cc;">Updated for FW 4.0/4.0.1 + 'Star' jailbreak.</span></a><span class="Apple-style-span" style="background-color: #fff2cc;"> You'll need NOR files from a custom 4.0 ipsw made with PwnageTool 4.0.1.</span><br />
<span class="Apple-style-span" style="background-color: #fff2cc;">You still obviously need to have an old-bootrom 3GS; however, you don't </span><i><span class="Apple-style-span" style="background-color: #fff2cc;">currently </span></i><span class="Apple-style-span" style="background-color: #fff2cc;">need any SHSH while Apple still signs 4.0.1.</span><br />
<span class="Apple-style-span" style="background-color: #fff2cc;">The fact that Star jailbreak uses Safari, however, means it will be patched in weeks, so back up those hashes while you can..</span><br />
<span class="Apple-style-span" style="background-color: #fff2cc;">Now that 4.0 is jailbroken, potential uses of this method include installing 4.1 betas, rolling back to 3.x and similar fun activities.</span><br />
<br />
STOP if you have a new bootrom (week 40+, tethered only 3.1.2 JB etc). <a href="http://www.redmondpie.com/how-to-check-iphone-3gs-bootrom-iboot-version/">Here's how to check bootrom ver</a><br />
- your hardware is iPhone 3GS with OLD BOOTROM<br />
- you HAVE <b>3.1.3</b> SHSH<span class="Apple-style-span" style="font-size: small;"> <span class="Apple-style-span" style="color: red;">(**)</span></span><br />
- you DON'T have 3.1.2 SHSH <span class="Apple-style-span" style="font-size: x-small;">(otherwise, just use blackra1n/redsn0w).</span><br />
- you WANT iOS4/JB<br />
<br />
<span class="Apple-style-span" style="background-color: yellow;">Update:</span> thanks to <b><a href="http://www.blogger.com/goog_824373833">movie</a> </b>for <a href="http://msftguy.blogspot.com/2010/06/old-bootrom-spirit-40-jb.html?showComment=1277964976545#c322450084424909408">those awesome step by step instructions!</a><br />
<span class="Apple-style-span" style="background-color: orange;">Update2:</span> someone made a <a href="http://www.mob2all.com/2010/07/spirit2pwn-fix-spirit-jailbreak-to.html">Cydia package</a>. Looking at the type of questions people ask in the comments, that might be the only option for 80% of them. Apple's license terms, of course, don't allow redistributing their binaries, so I just link to it. Their description also says it works with <b>3.1.2</b>/Spirit - I very much doubt that.<br />
<br />
This tool can be used to flash pwned NOR files (containing the LLB exploit) on a phone running the Spirit JB (the script has <b>hardcoded</b> offsets for 3.1.3 on the 3GS).<br />
<br />
*Now the flasher checks that all files exist before flashing them.<br />
<a href="http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r2.zip">http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r2.zip</a><br />
<ol><li>Unpack the <b>pwned<span class="Apple-style-span" style="background-color: yellow;"><span class="Apple-style-span" style="color: red;">(!)</span></span></b> 3.1.3 firmware and copy all the files from the iPhone2,1_3.1.3_7E18_<b>Custom</b>_Restore\<b>Firmware\all_flash\all_flash.n88ap.production</b> folder to the <b>/tmp</b> directory on your phone. You can use CyberDuck or WinSCP to do that. Copy those files <b>directly</b> to <b>/tmp</b>, not to a subfolder: LLB should be at /tmp/LLB.n88ap.RELEASE.img3, etc.!</li>
<li>Extract the contents of the <a href="http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r2.zip">spirit2pwn_r2.zip</a> archive to <b>/tmp</b> directory on the phone.</li>
<li>Run the following commands <u>on the iPhone</u>: (Use ssh or PuTTY).</li>
</ol><pre>cd /tmp
chmod 755 pwn_old_boot_r2.sh
./pwn_old_boot_r2.sh</pre><ul><li>Now reboot, and your iBoot and LLB should be pwned; you can restore to a custom FW now.</li>
</ul>Thanks Gojohnnyboi for code, ZeRoLiMiT for testing ;)<br />
<br />
<span class="Apple-style-span" style="color: red; font-size: small;">(**) Technically, you can still do that if you don't have 3.1.3 SHSH, but then if you don't really have an old bootrom, or if you use the wrong ipsw files, your only option will be to upgrade to 4.0 and stay without jailbreak or unlock until a new exploit is made public.</span>
<br />
<b>Educational..</b> (2010-05-27)<br />
<a href="http://www.youtube.com/v/B6J2OQvaHjw&hl=en_US&fs=1&hd=1">http://www.youtube.com/v/B6J2OQvaHjw&hl=en_US&fs=1&hd=1</a>
<br />
<b>On bluetooth in 4.0</b> (2010-05-27, updated 2010-08-05)<br />
<ul><li style="text-align: left;">Bluetooth in 4.0 has a couple of new profiles: HID (meh) and.. Braille. Wait, what's exciting about Braille? Two things:</li>
<ul><li style="text-align: left;">It is one of the three services that call OpenSerialPort()</li>
<li style="text-align: left;">It is the only one of them that <s>isn't handled by OS</s> isn't <i>generally</i> handled by the OS, unless you enable some obscure accessibility feature, unlike the WiAP and Nike sensor profiles, meaning there are no side effects to connecting the service to arbitrary BT devices with a serial profile.</li>
</ul></ul><br />
<a href="http://www.youtube.com/v/_ofCOG3z7uM&hl=en_US&fs=1?hd=1">Video: http://www.youtube.com/v/_ofCOG3z7uM</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><img style="border:1px solid gray;margin-top:15px" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjue5fzTVH6HKSvPoKk3DmkHveh4_U41IhAF3gSzuA_psjTV4KFOxhzNxONYJtqjhEbRQR_prVGzuvh-IBy18bvL6LaEcBP4ycj9iEeuqRz0rln-OADlOZaZF0RiZK8so_wpR4dkOApgKt4/s400/bt_gps_iphone_stack_3.png" width="266" /></div><br />
<br />
This function:<br />
<b>extern "C" int BTDeviceGetComPortForService(BTDEVICE device, int svcIdOrSmth, char*buf, int cbBuf);</b><br />
gets the COM pipe (e.g. /dev/ttys003)<br />
Sample code: <a href="http://code.google.com/p/iphone-bluetooth/">http://code.google.com/p/iphone-bluetooth/</a><br />
Also (<i>still</i>?) works in current 4.1 beta ;)<br />
<br />
<a href="https://wave.google.com/wave/waveref/googlewave.com/w+5tC_cmcSA"><span class="Apple-style-span" style="font-size: x-large;">Discussion wave</span></a><br />
<div><br />
</div>
<b>Working iPhone recovery ramdisk with SSH ;-)</b> (2010-05-16, updated 2012-02-03)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<span style="background-color: yellow;"><span style="font-size: large;">This information is deprecated; please use the <a href="http://msftguy.blogspot.com/2012/01/automatic-ssh-ramdisk-creation-and.html"><b>new automatic tool here</b></a>.</span></span><br />
<br />
<span class="Apple-style-span" style="font-size: x-large;"><a href="https://wave.google.com/wave/waveref/googlewave.com/w+hssrvqxAH">>> Up to date instructions HERE << </a></span><br />
<br />
Requirements: iPod or iPhone with fw 3.1.2 and intact iBoot (not a DFU-only brick), OR with saved SHSH hashes for 3.1.2.<br />
<br />
<div>
If your iPhone does not boot and you are too lazy to reinstall everything, or have some data that needs to be recovered, this may just work for you. It allows you to copy full disk images, among other things.<br />
<br />
<br />
<a href="http://www.youtube.com/v/G_oyoXJAlto&hl=en_US&fs=1&rel=0&hd=1">Video: http://www.youtube.com/v/G_oyoXJAlto</a><br />
Update3: Experimental support for 3GS iPhones with 3.1.2 SHSH on file, even with new bootrom.<br />
<br />
<span class="Apple-style-span" style="background-color: yellow;">Ramdisk prep tool (currently Windows version only, needs .NET Framework 4):</span><br />
<a href="http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/detail?name=RecoveryRamdiskBuilder_rev_2.zip">http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/detail?name=RecoveryRamdiskBuilder_rev_2.zip</a><br />
*Note that you still need a <i>pwned </i>kernelcache (from a pwnageTool generated IPSW)!</div>
<div>
Now we can boot the ramdisk; you can either create an IPSW and do a very timely USB cable disconnect using iTunes, or use iRecovery:</div>
<div>
<ol>
<li>iRecovery -f 018-6051-014.ssh.dmg</li>
<li>iRecovery -c ramdisk <span class="Apple-style-span" style="background-color: yellow;">0x90000000</span></li>
<li>iRecovery -f kernelcache.release.s5l8920x</li>
<li>iRecovery -c bootx</li>
</ol>
<div>
Note: If you get errors uploading kernelcache, try disconnecting and reconnecting USB cable after issuing 'ramdisk' command. This seems to happen more often with larger ramdisks..</div>
<div>
<br /></div>
Now you need a custom build of iPhone_tunnel utility to connect to SSH:<br />
<a href="http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/">http://code.google.com/p/iphonetunnel-usbmuxconnectbyport/</a></div>
<div>
Changes made for this custom build:</div>
<div>
<ol>
<li>Launch iPhone_tunnel, forward remote port 22 as local port 2022 (or 22 on Windows):<br />
./iPhone_tunnel</li>
<li>Connect using SSH: ssh root@localhost -p 2022</li>
</ol>
</div>
<div>
Useful commands:<br />
<pre>mount / ;#to make ramdisk readwrite</pre>
<pre>mount_hfs /dev/disk0s1 /mnt1 ;#if the FS still mounts..
mount_hfs /dev/disk0s2s1 /mnt2 ;# user data part
export PATH=$PATH:/mnt1/bin:/mnt1/sbin:/mnt2/stash/bin: ;#more stuff to run
export DYLD_LIBRARY_PATH=/mnt1/usr/lib ;#to run stuff without having to copy/symlink the libs</pre>
<pre>kill 1 ;# since we nuked the /sbin/reboot..</pre>
<br />
<b>Tethered support:</b><br />
<u><i>Advanced skills</i> and OS X recommended.</u><br />
If you have iPhone 3GS with 3.1.2 SHSH on file and new bootrom:<br />
<br />
<ol>
<li>Replace gs.apple.com with Saurik's server or your local tinyTss.</li>
<li>Start the DFU mode restore.</li>
<li>!IMPORTANT! Unplug the USB right after the screen turns white. This happens after the iTunes message 'preparing iPhone for restore', which loads iBSS.</li>
<li>Use the payload <a href="http://forums.openpwn.org/viewtopic.php?f=8&t=41&p=229">here</a> to patch iBSS.</li>
<li>Now just load ramdisk and kernelcache as usual, then recover your data/fix the system over SSH.</li>
</ol>
<br />
If you don't have SHSH for 3.1.2 saved BUT still have a working iBoot 636.66, it is possible to use a similar payload to load an unsigned ramdisk. If this is your situation, please leave a comment; since I don't have a new bootrom device, I cannot test the required payload myself, but will gladly send it to you in exchange for testing ;-) <br />
<br />
Tech details:<br />
The <b>restored</b> daemon enables the USB MUX kernel module to accept connections, after which we can use the standard MobileDevice framework functions for port forwarding. Now we just need to start <b>sshd</b>.<br />
By replacing <i>/sbin/reboot</i> with <i>sshd</i> and issuing a reboot command to <i>restored</i>, we make <i>restored</i> launch <i>sshd</i> and hang waiting for the reboot. Now we just need to make sure the restore dmg has the required libraries and /bin/sh (the login shell for the root user specified in the passwd file). The password is <i>alpine</i>, as usual ;-)<br />
<br />
Please use this wave for comments:<br />
<a href="https://wave.google.com/wave/waveref/googlewave.com/w+8ZB8IWzVL">https://wave.google.com/wave/waveref/googlewave.com/w+8ZB8IWzVL</a></div>
</div>msft.guyhttp://www.blogger.com/profile/03729413240769832668noreply@blogger.comtag:blogger.com,1999:blog-713271725313104573.post-53516866612432979472010-03-23T20:16:00.000-07:002010-06-21T21:34:18.408-07:00Fixing Blacksn0w on 3.1.3<br />
<span style="font-weight: bold;"><div><span class="Apple-style-span" style="font-family: 'times new roman';">Update: Ultrasn0w now supports 05.11 thru 05.13 with a new exploit that should fix all possible WiFi issues and any OS 4.0 problems. </span><a href="http://ultrasn0w.com/">http://ultrasn0w.com/</a><br />
<br />
<br />
<a name='more'></a>------------------- Deprecated ------------------<br />
<span class="Apple-style-span" style="font-family: 'times new roman';"><b>miniFAQ: </b></span> <br />
<ul><li><span class="Apple-style-span" style="font-family: 'times new roman';">Can this be used with my 'accidentally restored' 3.1.3/non-jailbroken/running BB 5.12.xx iPhone?</span></li>
<ul><li><span class="Apple-style-span" style="font-family: 'times new roman';">NO</span></li>
</ul>
<li><span class="Apple-style-span" style="font-family: 'times new roman';">Does this also fix the WiFi problem (WiFi not connecting/requiring a reboot)?</span></li>
<ul><li><span class="Apple-style-span" style="font-family: 'times new roman';">NO, you should reset network settings to fix the WiFi problem. Preferably before you install the unlock and with original operator SIM card in (otherwise, there are reports of resetting network settings causing an unbootable phone). </span></li>
</ul></ul><span class="Apple-style-span"> <span class="Apple-style-span" style="font-family: 'times new roman';"> <b> <span class="Apple-style-span" style="color: red;"> <span class="Apple-style-span" style="font-size: large;">3.1.3 with 5.11.07 BB ONLY </span> </span> </b> </span> </span> <br />
</div><div><span class="Apple-style-span" style="font-weight: normal;"><span class="Apple-style-span" style="font-family: 'times new roman';"><b><span class="Apple-style-span" style="color: #3333ff;">Update3: </span></b></span></span><span class="Apple-style-span" style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-weight: normal; line-height: 22px;">Thanks to the nice people running PushFix.info, this fix is now available in their repository, <a href="http://cydia.pushfix.info/">cydia.pushfix.info</a>, and their package actually does compatibility checking before install.</span><br />
<span class="Apple-style-span" style="font-weight: normal;"><span class="Apple-style-span" style="font-family: 'times new roman';"><span class="Apple-style-span" style="color: #ff6666;">Update2: </span></span></span> <span class="Apple-style-span" style="font-weight: normal;"><span class="Apple-style-span" style="color: red;">You need to chmod +x the dylib, forgot to mention that earlier :-(</span></span></div><div><span class="Apple-style-span" style="font-weight: normal;"><span class="Apple-style-span" style="font-family: 'times new roman';"><b>Tools: </b></span></span></div><div><span class="Apple-style-span" style="font-weight: normal;"><span class="Apple-style-span" style="font-family: 'times new roman';">gdb, IDA 5.5, ldid, hex editor (XVI32)</span></span></div><div><span class="Apple-style-span" style="font-family: 'times new roman';">Test load: </span></div><div><span class="Apple-style-span" style="font-weight: normal;"><pre>launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist ; launchctl load /tmp/com.apple.CommCenter.plist ; launchctl start com.apple.CommCenter
</pre></span> </div><div><span class="Apple-style-span" style="font-family: 'times new roman';">Test load in gdb: </span></div><pre>gdb /System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenter
>set env DYLD_INSERT_LIBRARIES = /usr/lib/blacksn0w.dylib
>run
</pre><div><span class="Apple-style-span" style="font-family: 'times new roman';"><span class="Apple-style-span" style="font-size: medium;"><b>Cause of the bug: </b></span></span></div><div><span class="Apple-style-span" style="font-family: 'times new roman';"><span class="Apple-style-span" style="font-weight: normal;"><span class="Apple-style-span" style="font-size: small;">Blacksn0w locates the function to patch by searching the binary for a reference to the string "SIM is not supported". In 3.1.3 the same function instead uses the string "Verified" in the reverse condition branch. Since the exact location to patch is then determined by instruction search&replace, the patch itself still works in 3.1.3 after changing the string and its length in the Blacksn0w binary.</span></span></span></div><div><span class="Apple-style-span" style="font-family: 'times new roman';"><span class="Apple-style-span" style="font-weight: normal;"><span class="Apple-style-span" style="font-size: small;">I also changed the patch from mov r1, 1 to mov <span class="Apple-style-span" style="color: red;">r0</span>, 1 because I suspect that's what it was supposed to do, instead of returning whatever garbage CFRelease left in r0 :-)</span></span></span></div><div><span class="Apple-style-span" style="font-size: medium;"><span class="Apple-style-span" style="font-family: 'times new roman';">DISCLAIMER: please test-run before installing permanently; <span class="Apple-style-span" style="color: red;">failure to do so or installing original BlackSn0w on 3.1.3 will force you to restore!</span></span></span></div></span><span class="Apple-style-span" style="font-family: 'times new roman';">Instructions:</span> <br />
<div><ul><li> <span class="Apple-style-span" style="font-family: 'times new roman';">Download <a href="http://blackra1n.com/blacksn0w.deb">blackra1n.com/blacksn0w.deb </a>, unpack with 7Zip </span> </li>
<li> <span class="Apple-style-span" style="font-family: 'times new roman';">Copy System\Library\LaunchDaemons\com.apple.CommCenter.plist from .deb to /tmp/ on the phone </span> </li>
<li> <span class="Apple-style-span" style="font-family: 'times new roman';">Copy the patched blacksn0w.dylib to /usr/lib/ </span> </li>
<li> <span class="Apple-style-span" style="font-family: 'times new roman';"><span class="Apple-style-span" style="color: red;">Execute in SSH: chmod 755 /usr/lib/blacksn0w.dylib</span></span> </li>
<li> <span class="Apple-style-span" style="font-family: 'times new roman';">Try to execute a test load, and make sure you get signal with your T-Mobile SIM -) </span> </li>
<li> <span class="Apple-style-span" style="font-family: 'times new roman';">ONLY if the test load works OK, copy com.apple.CommCenter.plist from /tmp to /System/Library/LaunchDaemons/ </span> </li>
<li> <span class="Apple-style-span" style="font-family: 'times new roman';">If the test load does not work OK, the phone will freeze; wait 20 seconds and reboot (Power+Home), then upload the CommCenter crash logs from /private/var/logs/CrashReporter </span> </li>
</ul></div>msft.guyhttp://www.blogger.com/profile/03729413240769832668noreply@blogger.com72tag:blogger.com,1999:blog-713271725313104573.post-69807420737380498172009-10-04T01:10:00.000-07:002009-10-04T01:29:13.883-07:00Asking for it..Pseudo-code:
<pre class="csharpcode">
<span class="kwrd">int</span> VerifyLicense()
{
<span class="kwrd">char</span>
readbuf[16],   /* raw 16-byte license file contents */
plaintext[16], /* readbuf after raw_decrypt() */
uuid[32];      /* device UUID; only its first 16 bytes are compared */
<span class="kwrd">int</span> hLic = open(LICENSE_FILE);
get_uuid(uuid);
read(hLic, readbuf, 16);
raw_decrypt(readbuf, plaintext); /* AES decrypt with the key embedded in the binary */
<span class="kwrd">return</span> memcmp(plaintext, uuid, 16) == 0; /* valid when the decrypted block equals the UUID */
}</pre>
<div>Where raw_decrypt is an AES <b>symmetric </b>cipher function -)</div><div>Even more amazingly, the raw_encrypt function is ALSO present in the code!</div><div>
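The design flaw above, as an added Go example (not the reversed application's code and not code from this blog): the symmetric scheme, where the verifier must embed the AES key, so whoever has the binary can run the same raw_encrypt for any UUID, beside a signature-based check where the app embeds only a public key and therefore cannot mint licenses. The 16-byte device UUID and the embedded key are constructed placeholder values.<br />

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed sample values (not from the reversed binary): the 16-byte
// device UUID the license is bound to, and the AES-128 key such a binary
// has to carry so that raw_decrypt can run on the device at all.
var (
	deviceUUID  = []byte("0123456789abcdef") // 16 bytes, one AES block
	embeddedKey = []byte("hypothetical-key") // 16 bytes, lives in the app
)

// weakIssue is the vendor's raw_encrypt: one AES block of the UUID under
// the embedded key. Whoever has the key (i.e. anyone with the binary) can
// run this very computation for any UUID they like.
func weakIssue(key, uuid []byte) ([]byte, error) {
	if len(uuid) < aes.BlockSize {
		return nil, fmt.Errorf("uuid shorter than one AES block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	lic := make([]byte, aes.BlockSize)
	block.Encrypt(lic, uuid[:aes.BlockSize])
	return lic, nil
}

// weakVerify mirrors VerifyLicense(): raw_decrypt the 16-byte license file
// and compare the plaintext against the device UUID.
func weakVerify(key, uuid, lic []byte) (bool, error) {
	if len(lic) != aes.BlockSize || len(uuid) < aes.BlockSize {
		return false, nil
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	plain := make([]byte, aes.BlockSize)
	block.Decrypt(plain, lic)
	return bytes.Equal(plain, uuid[:aes.BlockSize]), nil
}

// The fix: sign the UUID with a private key that never leaves the vendor.
// The app embeds only the public key, which lets it verify but not issue.
func strongIssue(priv ed25519.PrivateKey, uuid []byte) []byte {
	return ed25519.Sign(priv, uuid)
}

func strongVerify(pub ed25519.PublicKey, uuid, lic []byte) bool {
	return ed25519.Verify(pub, uuid, lic)
}

func main() {
	lic, _ := weakIssue(embeddedKey, deviceUUID)
	ok, _ := weakVerify(embeddedKey, deviceUUID, lic)
	fmt.Println("symmetric: genuine license verifies:", ok)

	// Holder of the binary: same key, same routine, any UUID.
	other := []byte("fedcba9876543210")
	forged, _ := weakIssue(embeddedKey, other)
	ok, _ = weakVerify(embeddedKey, other, forged)
	fmt.Println("symmetric: license minted for another device verifies:", ok)

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := strongIssue(priv, deviceUUID)
	fmt.Println("signed: genuine license verifies:", strongVerify(pub, deviceUUID, sig))
	// Without priv, the best anyone can do is a signature under some other
	// key, which the embedded public key rejects.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("signed: license from the wrong key verifies:",
		strongVerify(pub, other, strongIssue(otherPriv, other)))
}
```

Run it with go run: the first two lines show that a license produced with the embedded key verifies for a UUID the vendor never licensed, the last two that a signature under any key other than the vendor's is rejected. The asymmetric variant still needs the public key to be protected against replacement in the binary, but it removes the issuing capability from the client entirely.<br />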
</div>msft.guyhttp://www.blogger.com/profile/03729413240769832668noreply@blogger.com0tag:blogger.com,1999:blog-713271725313104573.post-68833544345677906552008-11-02T13:10:00.000-08:002008-11-03T23:51:46.936-08:00Windows 7 registry keys<span style="font-face: Calibri"><span style="text-decoration: underline">Enable the new taskbar<span style="color:#ff0000;">*</span>:</span>
1. Run this command:
<a href="http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx">strings</a> explorer.exe | findstr /C:"ShellFolder"
2. Under the path <span style="color:#996633;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\</span></span>
<span style="font-face: Calibri"><span style="color:#996633;">CurrentVersion\Explorer</span>,
create the subkeys
<span style="color:#996633;">CLSID\<span style="color:#006600;">{SOME_GUID}</span>\ShellFolder</span>
(one for every GUID returned by <strong>findstr</strong>),</span>
<span style="font-face: Calibri">e.g.: <span style="color:#996633;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\</span></span>
<span style="font-face: Calibri"><span style="color:#996633;">CurrentVersion\Explorer\CLSID\<span style="color:#006600;">{A5181F28-5A04-4DBE-A8F6-EEBD7FE228F2}</span>\ShellFolder</span>
3. Under each of these ShellFolder keys, create a new value:</span>
<span style="font-face: Calibri"><strong><span style="color:#996633;">Attributes</span></strong> REG_DWORD <span style="font-family:courier new;color:#996633;"><strong>0xA0100004</strong></span></span>
<span style="font-size:78%;"><span style="color:#ff0000;">*)</span> Seems to work in 6801+. The new taskbar should be enabled by default in <em>newer</em> builds.</span>
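Steps 1 to 3 done mechanically, as an added Go example (not from this post): it pulls the distinct GUIDs out of the findstr output and renders a .reg file that creates the CLSID\{GUID}\ShellFolder subkey with Attributes = 0xA0100004 for each one. The sample findstr output is constructed; only the first GUID is the one quoted above, the other two are made-up placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of what `strings explorer.exe | findstr /C:"ShellFolder"`
// could print. The first GUID is the one quoted in the post; the other two
// are made-up placeholders, and the duplicated line shows that the same GUID
// may appear more than once in the output.
const sampleFindstrOutput = `CLSID\{A5181F28-5A04-4DBE-A8F6-EEBD7FE228F2}\ShellFolder
Software\Classes\CLSID\{A5181F28-5A04-4DBE-A8F6-EEBD7FE228F2}\ShellFolder
CLSID\{11111111-2222-3333-4444-555555555555}\ShellFolder
CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\ShellFolder
ShellFolder`

// The registry branch named in step 2 of the post.
const explorerCLSID = `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID`

// guidRe matches a braced registry-style GUID.
var guidRe = regexp.MustCompile(`\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}`)

// extractGUIDs returns the distinct GUIDs in the findstr output, upper-cased
// and in first-seen order, so each key is created exactly once.
func extractGUIDs(findstrOutput string) []string {
	seen := map[string]bool{}
	var guids []string
	for _, m := range guidRe.FindAllString(findstrOutput, -1) {
		g := strings.ToUpper(m)
		if !seen[g] {
			seen[g] = true
			guids = append(guids, g)
		}
	}
	return guids
}

// buildRegFile renders steps 2 and 3 as a .reg file: for every GUID, the
// CLSID\{GUID}\ShellFolder subkey with Attributes = REG_DWORD 0xA0100004.
func buildRegFile(guids []string) string {
	var b strings.Builder
	b.WriteString("Windows Registry Editor Version 5.00\r\n")
	for _, g := range guids {
		fmt.Fprintf(&b, "\r\n[%s\\%s\\ShellFolder]\r\n\"Attributes\"=dword:a0100004\r\n", explorerCLSID, g)
	}
	return b.String()
}

func main() {
	// Review the output before importing it with regedit; it writes under HKLM.
	fmt.Print(buildRegFile(extractGUIDs(sampleFindstrOutput)))
}
```

Pipe the real findstr output in place of the sample, save what the program prints as a .reg file, read it over, and import it with regedit; deduplicating the GUIDs first keeps the import from rewriting the same key several times.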
<span style="font-face: Calibri; text-decoration: underline">Disable 'Send Feedback' link:</span>
<span style="font-face: Calibri">HKEY_CURRENT_USER\Control Panel\Desktop
FeedbackToolEnabled REG_DWORD <span style="font-family:courier new;">0</span>
</span>msft.guyhttp://www.blogger.com/profile/03729413240769832668noreply@blogger.com0tag:blogger.com,1999:blog-713271725313104573.post-28933167365301225112008-07-20T06:45:00.000-07:002008-07-22T06:06:26.454-07:00Troubleshooting 802.1x on the iPhone<ul><li>Create /private/var/preferences/SystemConfiguration/com.apple.eapolclient.plist with the following contents:</li></ul><blockquote><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>LogFlags</key>
<integer>255</integer>
</dict>
</plist></blockquote><ul><li>The log is written to /var/log/eapolclient.en0.log</li></ul>Tools: IDA 5.2 (talk about overkill..), iPhoneListmsft.guyhttp://www.blogger.com/profile/03729413240769832668noreply@blogger.com0tag:blogger.com,1999:blog-713271725313104573.post-83161195435643661682008-07-04T01:10:00.000-07:002010-05-16T02:42:43.828-07:00Snipping Tool on Server 2008 - no love?<div>Short: </div>Problem: Snipping Tool from Vista SKUs does not start on Server 2008.<br />Solution: <br />
<ol><li>Create a new directory, SnipTool </li>
<li>Copy System32\SnippingTool.exe to SnipTool </li>
<li>Copy System32\en-US\SnippingTool.exe.mui to SnipTool\en-US </li>
<li>Create a file called <span style="font-weight: bold;">SnippingTool.exe.local</span> in SnipTool directory.</li>
<li>Download <a href="http://sites.google.com/site/msftguy/Home/slc.zip">this Zip file</a></li>
<li>Extract the contents of the Zip file, copy slc/<span style="font-style: italic; font-weight: bold;">x86</span>/slc.dll to SnipTool directory (replace <span style="font-weight: bold;">x86</span> with <span style="font-weight: bold;">x64 </span>on a 64-bit OS).</li>
</ol><br />
<a name='more'></a><br />
<br />
Long: Eh.. So, at work we are 'blessed' with using '08 Server as a workstation. Also, at work we sometimes like to file bugs. Also, some weird people prefer including screenshots for clarity. So here's the problem:<br />
<ol><li>Vista has a neat component called Snipping Tool (SnippingTool.exe).</li>
<li>This component does not run on Srv'08.</li>
</ol>
Task: Make it run on SRV'08.<br />
Bonus: Without patching the binary (cause that would be <span style="color: #999999;"><scary_voice></span><i>illegal</i><span style="color: #999999;"></scary_voice>) </span><br />
So, we fire up the debugger...<br />
<ol><li>We figure out that the program runs if <span style="font-weight: bold;">CTabLicense::GetBOOLPermission</span> (bless the symbol server) returns 1. Cool..now, we could patch this, but we'll see if there's a (more) legal way.</li>
<li>Fire up IDA (on the afterthought, IDA was overkill: the whole function listing fits into a single screen in ntsd). CTabLicense::GetBOOLPermission calls <span style="font-weight: bold;">slc!SLGetWindowsInformationDWORD</span> - a new <span style="color: #cc0000; font-weight: bold;">evil </span>API added to Vista as a part of SPP (Software Protection Platform) that is just an obfuscated (for no obvious reason) wrapper for the mysterious <span style="font-weight: bold;">ntdll!NtQueryLicenseValue</span> (19 Google results, 0 relevant..there are more results for ZwQueryLicenseValue, but still nothing relevant to SLP).</li>
<li>Look at the import section in IDA, and find out that SLGetWindowsInformationDWORD is the only API imported from SLC.</li>
<li>Write 10 lines of C code that implement DllMain and SLGetWindowsInformationDWORD always returning 1.</li>
<li>Compile that, place it in the same directory as SnippingTool, and create SnippingTool.exe.local to <a href="http://msdn.microsoft.com/en-us/library/ms682600%28VS.85%29.aspx">redirect DLL loading</a>.</li>
<li>Q.E.D.</li>
</ol>
Tools used: ntsd, Idag64, VS2008msft.guyhttp://www.blogger.com/profile/03729413240769832668noreply@blogger.com42tag:blogger.com,1999:blog-713271725313104573.post-39900821281377673302008-06-19T00:32:00.000-07:002010-05-16T02:43:13.845-07:00Befriending Live Mesh and Server 2008<div><span class="Apple-style-span" style="font-weight: bold;">Update: recent versions of Live Mesh do not perform this check any more</span><br />
<span class="Apple-style-span" style="font-weight: bold;"></span><br />
<span class="Apple-style-span" style="font-weight: bold;"><a name='more'></a></span></div>When you try to install Windows Live Mesh Tech Preview on your Server 2008 workstation, you will see the message: "This product can be installed on 32-bit Windows XP SP2 or later and 64-bit Windows Vista or later." Well, considering the WS2K8 <strike>slip</strike> ship date, it WAS <span style="font-style: italic;">later </span>than Vista; nonetheless, the installer does not go any further.<br />
Solution: run the installer with the '-Force' command line option:<br />
<pre>LiveMesh.exe -Force</pre>
[Useless tech details]<br />
The version check is performed by CBootstrap::CheckOS (<mesh>\client\servicing\setup\bootstrap\bootstrap.cpp), called from CBootstrap::Run (all names extracted from error strings). There is no single place where CheckOS fails on a server version, so it's easier to just bypass it altogether. CheckOS is not called when the byte at offset 30 in the configuration data array pointed to by 0x0000000`10003E108 is nonzero.<br />
In ntsd terms:<br />
<pre>db poi(000000010003E100+8)+30 L1</pre>
The function that initializes this config array calls CCommandLine::cflag::operator=, and if you set a breakpoint at StrCmpIW called from CCommandLine::Parse, you can look at all the option names: -Help -Quiet -Install -Uninstall -Repair -Force (you could also look at the array of option structures at 0x000000010003CE30; the first element of each structure is a pointer to the option name, structure size=0x20).<br />
Tools used: Ida64, NTSD </mesh>msft.guyhttp://www.blogger.com/profile/03729413240769832668noreply@blogger.com13tag:blogger.com,1999:blog-713271725313104573.post-74920226865894612242008-04-11T00:30:00.000-07:002008-06-19T01:58:00.182-07:00Tip of the day: Sony Rolly Motion Editor installation on English OSWell, it looks like Rolly isn't popular enough here in the States, so the only kind of forum posts I found recommended using a Japanese XP in VMware. Which is fine, except I've got no Japanese XP. After changing the system locale failed to affect the installer's behavior, the next idea was to install a MUI. (Un?)fortunately for me and my remaining disk space, the Japanese MUI for x64 Vista SP1 failed to install, and I had to resort to other ideas.
Such as:<br />
Tried to <a href="http://www.wasm.ru/baixado.php?mode=tool&id=268">decrypt</a> the setup.<span style="font-weight: bold;">inx</span> and decompile it with <a href="http://programmerstools.org/node/117">SID</a>, and figured out that the installer wants <span style="font-style: italic;">GetSystemDefaultUILanguage </span>to return 0x411 (the Japanese LCID).
Step-by step instructions:
1. Run installer under debugger
<a href="http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx">ntsd</a> setup.exe
in ntsd console, type:
<blockquote>
sxi av
a GetSystemDefaultUILanguage
mov eax,411
ret
g
</blockquote>2. Click next-next-..finish.
<span style="font-weight: bold;font-size:130%;" >Update</span>: <a href="http://www.uploading.com/files/J2AOEDO3/Motion_Editor_setup_on_non-Japanese_OSes.cmd.html">Batch file</a> for lazy ones. Copy Motion Editor directory to the local disk, place this file inside and run it.
Additional software:
Rolly needs SonicStage in addition to the Motion Editor. Fortunately for all non-Japanese speakers out there, there is an English version of it <a href="http://www.connect.com/SonicStageDownload">here</a>.
PS. You may also want to install 'support for East Asian languages' in Control Panel/Regional & Language Settings to prevent Japanese characters looking like boxes.msft.guyhttp://www.blogger.com/profile/03729413240769832668noreply@blogger.com19