This repository was archived by the owner on Oct 3, 2023. It is now read-only.

Add image loading support for t8010#1

Closed
MLGRadish wants to merge 3 commits into LinusHenze:master from MLGRadish:master

Conversation

@MLGRadish

Tested and working on t8010

@paranoidnela
how did you find:
t8010_overwrite_offset = 0x5c0
?

@razmashat
Are you sure that it works?
Talked with some devs that tried, but none of them succeeded in uploading an image after that.

@MLGRadish
Author

I still don't have the sign patches, but after that it should work

@ghost

ghost commented Oct 3, 2019

I think I found the offset for sign patching. I tried with your change, but it crashes my device as soon as I upload any image.

Here are the offsets for sign patching in case you need them:

0x100006ca0 => NOP
0x100006c80 => NOP and args set to 1 to bypass the conditional check (&0x01) done next.

I created the following patch:
https://github.com/kellermanrivero/ipwndfu/commit/9bf1919c90a082c776f845e1d87837ada69629a7

But I could not test it because, as I said, my device restarts itself after I start uploading an img file.

@MLGRadish
Author

With these changes it does not reboot, but after applying the patches it just hangs. I will play around with it for a while, but if anyone has any ideas feel free to write a comment.

@ghost

ghost commented Oct 3, 2019

Thanks, I'll also check in 7 or 8 hours after arriving at home. Keep in touch.

@ghost

ghost commented Oct 4, 2019

Any updates? I updated the offset signature for t8010 in my repo, but I could not pwn the device with your code, which prevents me from testing my new payload. With the original code from Axiomx I could pwn the device, but as soon as I try to write into the memory the device crashes.

Here are the new offsets:

https://github.com/kellermanrivero/ipwndfu/commit/1355473e961e836e117f953f5ac67bcbc137c918

@MLGRadish
Author

Well that is interesting... it works on my iPhone 7 without a problem as far as the pwning and writing to memory. You could try to copy the files from ipwndfu_public/bin to my fork to see if it works.

@ghost

ghost commented Oct 4, 2019

Maybe there’s a subtle difference between the iPhone 7 and iPhone 7+. Could you try my new patches to see if they work on your device?

@MLGRadish
Author

Ok, I will try them out as soon as I get home from school.

@MLGRadish
Author

OK, so I found some weird behavior: for some unexplained reason I can't leave pwned DFU mode. I'm looking into it now.

@ghost

ghost commented Oct 4, 2019

Caused by the patch I sent you?

@MLGRadish
Author

MLGRadish commented Oct 4, 2019

I can't leave pwned DFU mode with or without the patches, so I'm working on a fix.

@ghost
ghost commented Oct 4, 2019

That's weird. Any change should not be persisted, since patching and the exploit work only in memory.

@nk2IsHere
Is it working properly now?
Are you able to leave pwned DFU?

@MLGRadish
Author

Full disclosure: the exploit works, SecureROM patches get applied, I can upload iBSS and iBEC, and it just does nothing; I can see just a blank screen.

@ghost
ghost commented Oct 6, 2019

Were you able to upload unsigned images after the patch?

After uploading the iBSS stage, did you try to run commands through iRecovery?

@nk2IsHere
nk2IsHere commented Oct 6, 2019

Using python rmsigchks.py on cloned kellermanrivero@1355473 just reboots my iPhone 7:

➜  ipwndfu-master ./ipwndfu -p
*** checkm8 exploit by axi0mX ***
*** modified version by Linus Henze ***
Found: CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:*** IBFL:3C SRTG:[iBoot-2696.0.0.1.33]
Device is now in pwned DFU Mode.
(17.29 seconds)
➜  ipwndfu-master python rmsigchks.py 
Traceback (most recent call last):
  File "rmsigchks.py", line 98, in <module>
    main()
  File "rmsigchks.py", line 85, in main
    pdev.write_memory(k, config.patches[k])
  File "/Users/nk2/Desktop/ipwndfu-master/usbexec.py", line 44, in write_memory
    def write_memory(self, address, data):         self.command(self.cmd_memcpy(address, self.cmd_data_address(3), len(data)) + data, 0)
  File "/Users/nk2/Desktop/ipwndfu-master/usbexec.py", line 102, in command
    dfu.send_data(device, request_data)
  File "/Users/nk2/Desktop/ipwndfu-master/dfu.py", line 48, in send_data
    assert device.ctrl_transfer(0x21, 1, 0, 0, data[index:index + amount], 5000) == amount
  File "/Users/nk2/Desktop/ipwndfu-master/usb/core.py", line 1043, in ctrl_transfer
    self.__get_timeout(timeout))
  File "/Users/nk2/Desktop/ipwndfu-master/usb/backend/libusb1.py", line 883, in ctrl_transfer
    timeout))
  File "/Users/nk2/Desktop/ipwndfu-master/usb/backend/libusb1.py", line 595, in _check
    raise USBError(_strerror(ret), ret, _libusb_errno[ret])
usb.core.USBError: [Errno 5] Input/Output Error

@MLGRadish
Author

The Input/Output Error can be solved by trying it multiple times; for some reason it does not work 100% of the time, and the commands do not work.

@nk2IsHere
I've already tried it several times; the thing is, the iPhone reboots. Maybe using an older OS X (e.g. 10.13) will fix the issue.

@MLGRadish
Author

Right now I have no idea what could be wrong with this and don't have much time to find out why, but I have a python3 implementation here https://github.com/MLGRadish/checkm8 that should work; maybe give it a try.

@ghost
ghost commented Oct 6, 2019

@nk2IsHere did you try with the version of @MLGRadish? I think he included my offsets in his code.

I have the same issue with my iPhone 7 Plus: as soon as I start writing into the device's memory it reboots and I need to do the whole process again.

I found the offsets by doing reverse engineering, but I'm unable to test them on my device because of the reboot issue.

@MLGRadish seems to be the only one able to run it.

@nk2IsHere
It's all about the device's uncontrollable reboot:
MLGRadish/checkm8#2

@Cryptiiiic
@MLGRadish close this pull; my pull #3 is tested as working and doesn't conflict. Your patches and offsets were wrong. (I didn't realize you made a pull until after I got it working, so I was working independently without using this as reference.)

@MLGRadish
Author

@Cryptiiiic I'm happy to close my pull, congrats on doing it.

MLGRadish closed this Oct 7, 2019