initial support for 2.0

CMakeLists.txt

@@ -21,6 +21,7 @@ add_subdirectory (dmg)
 add_subdirectory (hdutil)
 add_subdirectory (hfs)
 add_subdirectory (ipsw-patch)
+add_subdirectory (dfu-util)
 add_subdirectory (xpwn)
 
 install(FILES README.markdown DESTINATION . RENAME README.txt)

README.markdown

@@ -37,6 +37,17 @@ Credits
 This utility is merely an implementation of Pwnage, which is the work of
 roxfan, Turbo, wizdaz, bgm, and pumpkin. Those guys are the real heroes.
 
+Also, the new super-awesome bootrom exploit is courtesy of wizdaz.
+
+MuscleNerd has put a lot of work into the 3G effort. The BootNeuter unlock
+for first-generation iPhones packaged within is primarily his effort.
+
+Thanks also go to gray and c1de0x for their RCE efforts. saurik is the author
+of Cydia, included within. bugout was the lucky guy who did our first 3G tests.
+
+Thanks to chris for his hardware wisdom, Zf for his French humor, and pytey
+for the support on the serial stuff.
+
 XPwn attempts to use all the same data files and patches as PwnageTool to
 avoid duplication of present and future labor. I believe that wizdaz probably
 put the most sweat into PwnageTool, and the pwnage ramdisk is the work of
@@ -52,49 +63,14 @@ the initial exploratory work with the undocumented DMG format.
 Usage
 -----
 
-There are two utilities in this package, as well as the InternalPackages and
+There are two utilities in this package, as well as the bundles and
 FirmwareBundles folders from PwnageTool, and Turbo's autopwn ramdisk.
 
-## xpwn
-
-xpwn will use libibooter to bootstrap the autopwn ramdisk. This will patch
-NOR so that unsigned IPSWs can subsequently be used. The vulnerability used
-is only available in firmware version 1.1.4, so this step has to be done with
-that version.
-
-	./xpwn <input.ipsw> [-b <bootlogo.png>] [-r <recoverylogo.png>]
-
-Specifying a boot logo and a recovery logo is optional. You can specify both,
-or just one. If you do not specify a particular boot logo, the logo will
-remain the same as the one you currently have.
-
-The input IPSW should correspond with CURRENT version on the device you are
-trying to jailbreak. NOT the one you want to upgrade to. The reason it is
-necessary is to provide a kernel for the ramdisk to boot and to provide
-template boot logos to replace.
-
-Note that the input IPSW must have the same name as the one on Apple's
-download site! That is, it will not be recognized if you have renamed it after
-downloading it.
-
-*Note that xpwn is not currently known to work for firmware other than 1.1.4.*
-
-The boot and recovery logos need to be PNG formatted files that less than or
-equal to 320x480 in dimension. Although automatic conversion will be attempted
-for you, the preferred format is an ARGB PNG with 8 bits per channel. *NOT* a
-paletted RGB, and an alpha channel must be present *NOT* binary transparency.
-
-If you save in PNG-24 and have at least one semi-transparent (not fully
-transparent) pixel in your file, you ought to be in good shape.
-
-It is safe to use xpwn multiple times consecutively, and that method can be
-used to swap boot logos without restoring.
-
-A restore with a non-customized IPSW will undo what xpwn did (the NOR will be
-reflashed with Apple's image that does have signature checking)
-
 ## ipsw
 
+*NOTE: Important change for 2.0: (uncompressed) tarballs rather than paths are
+now used for bundles*
+
 ipsw is a more complex tool to generate custom IPSWs that you can restore
 after using xpwn (or any other pwnage-based utility). This is important, since
 that's how the jailbreak actually occurs.
@@ -103,7 +79,7 @@ that's how the jailbreak actually occurs.
 		[-r <recoveryimage.png>] [-e "<action to exclude>"] \
 		[[-unlock] [-use39] [-use46] [-cleanup] \
 		-3 <bootloader 3.9 file> -4 <bootloader 4.6 file>] \
-		<path/to/merge1> <path/to/merge2>...
+		<package1.tar> <package2.tar>...
 
 Yes, I know, confusing syntax. The first two options are the IPSW you want to
 modify, and where you want to save the modified IPSW respectively. -b and -r
@@ -130,41 +106,117 @@ or downgrade your bootloader (if it is not already on the version you choose).
 complete. If you do not specify -cleanup, BootNeuter will be accessible via
 SpringBoard.
 
-The last options are for directories to merge into the root filesystem of your
-device. The included bundles can be merged by specifying something like
-"bundles/Installer.bundle/files". Notice the "files" part must be specified.
-It is also perfectly possible to set up your own files to merge.
-
-/Applications/Installer.app/Installer will be given special setuid
-permissions. All files that have the format /Applications/XXX.app/XXX will be
-given execute permissions. All files in /sbin, /bin, /usr/bin, /usr/sbin,
-/usr/libexec, /usr/local/bin, /usr/local/sbin, /usr/local/libexec will also be
-given execute permissions. Special permissions are also given to BootNeuter.
-Everything else will be non-executable, so a special LaunchDaemon task may need
-to be constructed to properly set up your custom apps. Generally, however,
-those permissions are already sufficient.
+The last options are for tar-files to merge. All permissions and ownership
+will be preserved except for already directories that already exist. This is
+to prevent accidental clobbering (we're guessing you don't really want to
+alter permissions on existing directories). This behavior may change in the
+future.
 
 Told you it was a mess.
 
+## dfu-util
+
+dfu-util is an utility adapted from OpenMoko that satisfies the "pwning" stage
+of the process, that is, allowing the execution of our unsigned code. It
+relies upon an exploit in the DFU mode of the iPhone/iPod touch bootrom. This
+cannot be fixed by Apple on the current hardware revisions. If we can mess
+with the device before iTunes sees it, we can have it load a WTF with
+signature checking disabled with the exploit, and load an iBSS with signature
+checking disabled over that WTF. iTunes will see the device as a regular
+iPhone/iPod in recovery mode, and will happily send our custom firmware to it,
+which will now be accepted.
+
+YOU MUST COMPLETELY DISABLE iTUNES WITH TASK MANAGER OR EQUIVALENT BEFORE
+PROCEEDING.
+
+Only AFTERWARDS do you put your device into DFU mode. If you switch the order
+of these steps, iTunes will be able to load software onto your device without
+this vulnerability, rendering dfu-util useless.
+
+AFTER you have disabled iTunes, iTunesHelper, etc., plug your device into the
+computer. Shut down the device in the normal way if necessary (Slide to
+shutdown). Hold down the Power and Home buttons simultaneously and count
+slowly to ten. (You may need to push down on power an instant before you
+push down on home). The iPhone will start. At around the time you count to 6,
+the iPhone will shut down again. KEEP HOLDING BOTH BUTTONS. Hold down both
+buttons until you reach 10. At this point, release the power button ONLY.
+Keep holding the stand-by button forever (this may take up to two minutes).
+You will know when you can stop holding the button when Windows notifies you
+via an audible cue that a USB device has connected. This is your device in
+DFU mode. The screen of the device will remain completely powered off.
+
+THEN, run dfu-util with the following syntax:
+
+	sudo ./dfu-util <custom.ipsw> <n82ap|m68ap|n45ap>
+
+Where n82ap = 3G iPhone, m68ap = First-generation iPhone, n45ap = iPod touch.
+Note that you're using your CUSTOM IPSW for this stage, since we will need the
+patched firmware, not the stock firmware. dfu-util will pick out the right
+files from the ipsw and send them in the right order. If your screen powers on
+and then turns white, then you know it worked. You can now restore with iTunes.
+
+## xpwn *(DEPRECATED)*
+
+If DFU mode is too complicated for you, and you have a first-generation phone,
+you can still use the legacy xpwn ramdisk method on 1.1.4 to pwn your phone.
+Then you can restore the custom IPSW without messing with DFU mode.
+
+xpwn will use libibooter to bootstrap the autopwn ramdisk. This will patch
+NOR so that unsigned IPSWs can subsequently be used. The vulnerability used
+is only available in firmware version 1.1.4, so this step has to be done with
+that version.
+
+	./xpwn <input.ipsw> [-b <bootlogo.png>] [-r <recoverylogo.png>]
+
+Specifying a boot logo and a recovery logo is optional. You can specify both,
+or just one. If you do not specify a particular boot logo, the logo will
+remain the same as the one you currently have.
+
+The input IPSW should correspond with CURRENT version on the device you are
+trying to jailbreak. NOT the one you want to upgrade to. The reason it is
+necessary is to provide a kernel for the ramdisk to boot and to provide
+template boot logos to replace.
+
+Note that the input IPSW must have the same name as the one on Apple's
+download site! That is, it will not be recognized if you have renamed it after
+downloading it.
+
+*Note that xpwn is not currently known to work for firmware other than 1.1.4.*
+
+The boot and recovery logos need to be PNG formatted files that less than or
+equal to 320x480 in dimension. Although automatic conversion will be attempted
+for you, the preferred format is an ARGB PNG with 8 bits per channel. *NOT* a
+paletted RGB, and an alpha channel must be present *NOT* binary transparency.
+
+If you save in PNG-24 and have at least one semi-transparent (not fully
+transparent) pixel in your file, you ought to be in good shape.
+
+It is safe to use xpwn multiple times consecutively, and that method can be
+used to swap boot logos without restoring.
+
+A restore with a non-customized IPSW will undo what xpwn did (the NOR will be
+reflashed with Apple's image that does have signature checking)
+
+
 ### Examples
 
-Jailbreaking iPod 1.1.4:
+Jailbreaking iPod 2.0:
 
-	./ipsw iPod1,1_1.1.4_4A102_Restore.ipsw custom.ipsw \
-		bundles/Installer.bundle/files
+	./ipsw iPod1,1_2.0_5A347.bundle custom.ipsw \
+		bundles/Cydia.tar
 
-Jailbreaking iPhone 1.1.4:
+Jailbreaking iPhone 3G:
 
-	./ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw custom.ipsw \
-		-e "Phone Activation" bundles/Installer.bundle/files
+	./ipsw iPhone1,2_2.0_5A347.bundle custom.ipsw \
+		-e "Phone Activation" bundles/Cydia.tar
 
-Jailbreaking, activating, and unlocking iPhone 1.1.4:
+Jailbreaking, activating, and unlocking iPhone 2.0:
 
-	./ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw custom.ipsw \
+	./ipsw iPhone1,1_2.0_5A347.bundle custom.ipsw \
 		-unlock -cleanup -3 bl39.bin -4 bl46.bin \
-		bundles/Installer.bundle/files \
-		bundles/BootNeuter.bundle/files \
-		bundles/YoutubeActivation.bundle/files
+		bundles/Cydia.tar \
+		bundles/BootNeuter.tar \
+		bundles/YoutubeActivation.tar
 
 Technical notes
 ---------------

common/abstractfile.c

@@ -99,6 +99,9 @@ AbstractFile* createAbstractFileFromDummy() {
 
 size_t memRead(AbstractFile* file, void* data, size_t len) {
   MemWrapperInfo* info = (MemWrapperInfo*) (file->data); 
+  if(info->bufferSize < (info->offset + len)) {
+    len = info->bufferSize - info->offset;
+  }
   memcpy(data, (void*)((uint8_t*)(*(info->buffer)) + (uint32_t)info->offset), len);
   info->offset += (size_t)len;
   return len;

dfu-util/CMakeLists.txt

@@ -0,0 +1,17 @@
+INCLUDE(${PROJECT_SOURCE_DIR}/FindUSB.cmake)
+
+IF(NOT USB_FOUND)
+	message(FATAL_ERROR "libusb is required for dfu-util!")
+ENDIF(NOT USB_FOUND)
+
+include_directories(${USB_INCLUDE_DIR})
+link_directories(${USB_LIBRARIES})
+
+add_executable(dfu-util dfu.c sam7dfu.c main.c)
+
+link_directories(${PROJECT_BINARY_DIR}/common ${PROJECT_BINARY_DIR}/hfs ${PROJECT_BINARY_DIR}/ipsw-patch)
+
+target_link_libraries(dfu-util xpwn)
+target_link_libraries(dfu-util ${USB_LIBRARIES})
+
+install(TARGETS dfu-util DESTINATION .)