
iOS 13.3 is not supported by iBoot64Patch #18

Open
sitay1 opened this issue Jan 9, 2020 · 2 comments
Comments


sitay1 commented Jan 9, 2020

`std::vector ibootpatchfinder64::get_sigcheck_patch()` seems to have 2 issues in iOS 13.3
(I haven't checked on earlier versions, so it might be the case in more versions):

1. The first issue I have encountered is that it doesn't find the register for the "always production" patch.
   I think that the register address for iPhone 7+ (iOS 13.3) is not one of those that appear in the list.

2. The second issue I have encountered is that the layout of the `image4_validate_property_callback` function has changed in the binary.

If I compare it to the SecureROM binary, you can see that the function ends with

```
RET
BL VALIDATE_STACK_COOKIE
```

so the patch that replaces these 2 opcodes with

```
MOV X0, 0
RET
```

is harmless (to the logic of the function). Whereas in the iBSS code for 13.3 the function layout is like this:

```
iBoot:00000001800C223C RET
iBoot:00000001800C2240 ; ---------------------------------------------------------------------------
iBoot:00000001800C2240
iBoot:00000001800C2240 loc_1800C2240 ; CODE XREF: callback+5E8↑j
iBoot:00000001800C2240 LDR X8, [SP,#0x90+var_78]
iBoot:00000001800C2244 CMP X8, #8
iBoot:00000001800C2248 B.NE loc_1800C2260
iBoot:00000001800C224C LDR X8, [SP,#0x90+var_80]
iBoot:00000001800C2250 LDR X8, [X8]
iBoot:00000001800C2254 STR X8, [SP,#0x90+var_70]
iBoot:00000001800C2258 MOV X0, X8
iBoot:00000001800C225C B loc_1800C1FC0
iBoot:00000001800C2260 ; ---------------------------------------------------------------------------
iBoot:00000001800C2260
iBoot:00000001800C2260 loc_1800C2260 ; CODE XREF: callback+650↑j
iBoot:00000001800C2260 MOV W8, #0x40040011
iBoot:00000001800C2268 ADD W0, W8, #7
iBoot:00000001800C226C B loc_1800C2204
iBoot:00000001800C2270 ; ---------------------------------------------------------------------------
iBoot:00000001800C2270
iBoot:00000001800C2270 loc_1800C2270 ; CODE XREF: callback+628↑j
iBoot:00000001800C2270 BL check_stack_cookie
```

As you can see, after the RET there is another part of the code (which is invoked earlier, in a good context of the function...),
causing the RET to be reached while skipping the `mov x0,0` and also the register restoration from the stack (the function trailer).

Seems like this is the reason that this doesn't work.

Interestingly enough, it seems the function layout for the SecureROM of T8010 is the same as in iOS 13.3 (weird, but probably compiler optimization stuff).
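
To make the layout argument above concrete, here is an added Python example (not part of the issue or of iBoot64Patch) that decodes the instruction bytes quoted in the thread and counts how many instructions sit between a function's RET and the following BL. The two code blobs are constructed for this example to mirror the two layouts; their branch and load immediates are made up, and the only values taken from the thread are the two patch byte strings.

```python
"""ARM64 epilogue-layout check for the two layouts discussed in the issue.

Decodes the few instruction classes that matter (RET, BL, B, B.cond, NOP,
MOV Xd,#0) and reports how many instructions sit between a function's RET
and the next BL (the stack-cookie check in the listing).  The patch byte
strings are the ones quoted in the issue; the two code blobs are
constructed here to mirror the two layouts and are not firmware dumps.
"""
import struct


def decode(word):
    """Return a coarse mnemonic for one 32-bit ARM64 instruction word."""
    if word == 0xD503201F:
        return "nop"
    if word == 0xD65F03C0:
        return "ret"                                  # RET (X30)
    if (word >> 26) == 0b100101:
        return "bl"                                   # BL imm26
    if (word >> 26) == 0b000101:
        return "b"                                    # B imm26
    if (word & 0xFF000010) == 0x54000000:             # B.cond imm19
        return "b.ne" if (word & 0xF) == 0b0001 else "b.cond"
    if (word & 0xFF800000) == 0xD2800000:             # MOVZ Xd, #imm16 (hw=0)
        imm16, rd = (word >> 5) & 0xFFFF, word & 0x1F
        return "mov x0, #0" if (imm16, rd) == (0, 0) else "movz"
    return "other"


def decode_bytes(blob):
    """Decode a little-endian code blob word by word (ARM64 code is 4-byte aligned)."""
    if len(blob) % 4:
        raise ValueError("code length is not a multiple of 4 bytes")
    return [decode(w) for (w,) in struct.iter_unpack("<I", blob)]


def instructions_between_ret_and_bl(blob, ret_index):
    """Count the instructions between the RET at word index ret_index and the
    next BL.  0 means the 'RET; BL' layout the original patch assumed; a
    positive count means extra code (as in the 13.3 listing) sits in between;
    None means no BL follows at all."""
    mnems = decode_bytes(blob)
    if mnems[ret_index] != "ret":
        raise ValueError("ret_index does not point at a RET")
    for i in range(ret_index + 1, len(mnems)):
        if mnems[i] == "bl":
            return i - ret_index - 1
    return None


def words(*vals):
    """Pack instruction words little-endian, as they sit in the binary."""
    return struct.pack("<%dI" % len(vals), *vals)


# Patch byte strings exactly as quoted in the issue (C string literals).
PATCH_ORIGINAL = b"\x00\x00\x80\xD2" + b"\xC0\x03\x5F\xD6"   # claimed: mov x0,0 ; ret
PATCH_SUGGESTED = b"\x00\x00\x80\xD2" + b"\x1F\x20\x03\xD5"  # claimed: mov x0,0 ; nop

# Constructed blob 1: SecureROM-style tail, RET immediately followed by the BL.
OLD_LAYOUT = words(0xD65F03C0,   # ret
                   0x94000010)   # bl  #+0x40 (stack-cookie check, constructed target)

# Constructed blob 2: the shape of the 13.3 listing, RET followed by more code
# before the BL check_stack_cookie.  Immediates are made up; only the
# instruction classes need to be right for the decoder.
NEW_LAYOUT = words(0xD65F03C0,   # ret
                   0xF9400FE8,   # ldr  x8, [sp, #0x18]
                   0xF100211F,   # cmp  x8, #8
                   0x540000C1,   # b.ne #+0x18
                   0xF9400BE8,   # ldr  x8, [sp, #0x10]
                   0xF9400108,   # ldr  x8, [x8]
                   0xF90013E8,   # str  x8, [sp, #0x20]
                   0xAA0803E0,   # mov  x0, x8
                   0x17FFFFF0,   # b    (backwards, into the function body)
                   0x52800228,   # movz w8, #0x11
                   0x72A80088,   # movk w8, #0x4004, lsl #16
                   0x11001D00,   # add  w0, w8, #7
                   0x17FFFFE6,   # b    (backwards)
                   0x94000020)   # bl   check_stack_cookie (constructed target)


if __name__ == "__main__":
    print("original patch decodes to:", decode_bytes(PATCH_ORIGINAL))
    print("suggested patch decodes to:", decode_bytes(PATCH_SUGGESTED))
    print("old layout, insns between RET and BL:",
          instructions_between_ret_and_bl(OLD_LAYOUT, 0))
    print("13.3 layout, insns between RET and BL:",
          instructions_between_ret_and_bl(NEW_LAYOUT, 0))
```

Running it shows the original patch bytes decode to `mov x0, #0; ret` and the suggested ones to `mov x0, #0; nop`, that the old layout has no instructions between RET and BL, and that the 13.3-shaped blob has twelve, which is exactly what breaks a patcher that assumes the BL sits right after the RET.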


sitay1 commented Jan 12, 2020

Patch suggestion:
```cpp
loc_t ret = iter;
debug("ret=%p\n",ret);
"+" loc_t bne = iter - 7;
"+" debug("bne=%p\n",bne);

"-" const char p[] ="\x00\x00\x80\xD2" /*mov x0,0*/ "\xC0\x03\x5F\xD6" /*ret*/;
"-" patches.push_back({ret,p,sizeof(p)-1});
"+" const char p[] ="\x00\x00\x80\xD2" /*mov x0,0*/ "\x1F\x20\x03\xD5" /*NOP*/;
"+" patches.push_back({bne,p,sizeof(p)-1});
```
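Review bot: `ret` is still computed and logged in the first two lines but is no longer used once the push_back is changed to `patches.push_back({bne,p,sizeof(p)-1});`, so either drop it or keep it only for the debug output. The `loc_t bne = iter - 7;` line also hard-codes a fixed distance from `iter`, which is the same kind of layout assumption the issue reports as broken between SecureROM and 13.3; a comment stating which instruction this offset is expected to land on (the variable name suggests the `B.NE`), or better a scan from the RET for the B.cond encoding with a check that the found word really is a B.NE before patching, would make this robust across firmware versions.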


sitay1 commented Jan 12, 2020

Don't know how to fix the "always production patch" - is that important?
