The Story Behind SHAtter Exploit Explained by p0sixninja [iOS 4.1 jailbreak]

SHAtter exploit is not a new thing for those who are interested in iPhone 4 and iPod Touch 4G jailbreak on iOS 4.1. It is the same exploit which is being used to develop the upcoming jailbreak.

Initially pod2g discovered this exploit to jailbreak the iPad but after the launch of JailbreakMe, which can jailbreak up to iOS 4.0, this project was closed. Now Apple has patched the hole in iOS 4.1 and again SHAtter exploit is being tested to develop next generation jailbreak.

p0sixninja just posted the whole story behind SHAtter exploit on iPhone WiKi which is now down due to heavy load. Fortunately we managed to save the document before the site went down and here is what p0sixninja says:

Credits

vulnerability: posixninja (07/05/2010)
research: posixninja, pod2g, also MuscleNerd
exploit: pod2g (09/09/2010)
Vulnerability

In April 2010 pod2g wrote a USB fuzzer and tested every single USB control message possible on his iPod2,1. The fuzzer found 2 vulnerabilities: – a heap overflow caused by the A1,1 control message – a way to dump the bootrom using USB descriptors request
The team tested both PoC on new generation devices (iPhone2,1, iPod3,1, iPad) and both were already fixed by Apple.
posixninja continued the fuzzing on new gens and found that with a particular sequence of USB messages it was possible to dump the BSS+Heap+Stack (on new gens only). Having a memory dump is really helpful to make exploits and it was also the first time we had this kind of dump, previous bootrom exploits (ex: 24kpwn) were done blind!
Also, his first attempts to dump the memory resulted in rebooting the device. Interesting! We’ll see after that this reboot is the base of the SHAtter exploit.
(details on the vulnerability itself soon to come)

Research

The research started and the main actor of this story is posixninja. He found why the device reboots and proposed different ideas to exploit this. posixninja also reversed tons of assembly code of the bootrom in this period, giving a support discussion to the team. We’re not talking about days, but months of work. So, major props to posixninja: SHAtter would not have been possible without the clever vulnerability he found and the research he did on the bootrom.
In the meanwhile, pod2g helped on the USB reversing side and found a way to have more control over the size of the USB packets sent. The finer-grained control of the packet sizes is the key of SHAtter.
posixninja and pod2g worked on exploiting the vulnerability for days. Every attempt was a failure because the idea to attack the stack and bypass the img3 control routines was just impossible. It took them weeks to understand why they failed and why they couldn’t exploit it this way.
They both gave up in July and focused on other subjects.

SHAtter exploit

(details on the SHAtter exploit soon to come)

Stay tuned to this site for more details about iOS 4.1 jailbreak. You can also follow us on twitter for latest updates or sign up to get the latest updates right into your inbox.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *