

<link rel="stylesheet" href="/load.php?debug=false&amp;lang=en&amp;modules=mediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.sectionAnchor%7Cmediawiki.skinning.interface%7Cskins.vector.styles&amp;only=styles&amp;skin=vector"/> <script async="" src="/load.php?debug=false&amp;lang=en&amp;modules=startup&amp;only=scripts&amp;skin=vector"></script> <meta name="ResourceLoaderDynamicStyles" content=""/> <link rel="stylesheet" href="/load.php?debug=false&amp;lang=en&amp;modules=site.styles&amp;only=styles&amp;skin=vector"/> <meta name="generator" content="MediaWiki 1.31.0"/> <link rel="shortcut icon" href="/favicon.ico"/> <link rel="search" type="application/opensearchdescription+xml" href="/opensearch_desc.php" title="freemyipod.org (en)"/> <link rel="EditURI" type="application/rsd+xml" href="https://freemyipod.org/api.php?action=rsd"/> <link rel="alternate" type="application/atom+xml" title="freemyipod.org Atom feed" href="/index.php?title=Special:RecentChanges&amp;feed=atom"/> <!--[if lt IE 9]><script src="/load.php?debug=false&amp;lang=en&amp;modules=html5shiv&amp;only=scripts&amp;skin=vector&amp;sync=1"></script><![endif]--> </head> <body class="mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject page-WInd3x rootpage-WInd3x skin-vector action-view"> <div id="mw-page-base" class="noprint"></div> <div id="mw-head-base" class="noprint"></div> <div id="content" class="mw-body" role="main"> <a id="top"></a> <div class="mw-indicators mw-body-content"> </div> <h1 id="firstHeading" class="firstHeading" lang="en">wInd3x</h1> <div id="bodyContent" class="mw-body-content"> <div id="siteSub" class="noprint">From freemyipod.org</div> <div id="contentSub"></div> <div id="jump-to-nav" class="mw-jump"> Jump to: <a href="#mw-head">navigation</a>, <a href="#p-search">search</a> </div> <div id="mw-content-text" lang="en" dir="ltr" class="mw-content-ltr"><div class="mw-parser-output"><div id="toc" class="toc"><div class="toctitle" lang="en" dir="ltr"><h2>Contents</h2></div> <ul> 
<li class="toclevel-1 tocsection-1"><a href="#wInd3x_Vulnerability"><span class="tocnumber">1</span> <span class="toctext">wInd3x Vulnerability</span></a> <ul> <li class="toclevel-2 tocsection-2"><a href="#Affected_Devices"><span class="tocnumber">1.1</span> <span class="toctext">Affected Devices</span></a></li> <li class="toclevel-2 tocsection-3"><a href="#Running_.2F_Usage"><span class="tocnumber">1.2</span> <span class="toctext">Running / Usage</span></a></li> <li class="toclevel-2 tocsection-4"><a href="#Vulnerability"><span class="tocnumber">1.3</span> <span class="toctext">Vulnerability</span></a> <ul> <li class="toclevel-3 tocsection-5"><a href="#Nano_4G_and_5G_Exploit_Chain"><span class="tocnumber">1.3.1</span> <span class="toctext">Nano 4G and 5G Exploit Chain</span></a></li> <li class="toclevel-3 tocsection-6"><a href="#Nano_3G_and_Classic_.28.E2.80.9D6G.E2.80.9D.29"><span class="tocnumber">1.3.2</span> <span class="toctext">Nano 3G and Classic (”6G”)</span></a></li> </ul> </li> </ul> </li> </ul> </div> <h2><span class="mw-headline" id="wInd3x_Vulnerability">wInd3x Vulnerability</span></h2> <p>A <a href="/wiki/S5L8720_Bootrom" class="mw-redirect" title="S5L8720 Bootrom">Bootrom</a> vulnerability discovered and exploited by <a href="/wiki/User:Q3k" title="User:Q3k">q3k</a> in December 2021. It allows code execution in the bootrom over USB. </p> <h3><span class="mw-headline" id="Affected_Devices">Affected Devices</span></h3> <table class="wikitable"> <tbody><tr> <th>Device/SoC</th> <th>Vulnerable?</th> <th>Exploited? 
</th></tr> <tr> <td><a href="/wiki/Nano_3G" title="Nano 3G">Nano 3G</a></td> <td>Yes</td> <td>Yes </td></tr> <tr> <td><a href="/wiki/Nano_4G" title="Nano 4G">Nano 4G</a></td> <td>Yes</td> <td>Yes </td></tr> <tr> <td><a href="/wiki/Nano_5G" title="Nano 5G">Nano 5G</a></td> <td>Yes</td> <td>Yes </td></tr> <tr> <td><a href="/wiki/Nano_6G" title="Nano 6G">Nano 6G</a></td> <td>No</td> <td> </td></tr> <tr> <td><a href="/wiki/Nano_7G" title="Nano 7G">Nano 7G</a></td> <td>No</td> <td> </td></tr> <tr> <td>Classic “6G”</td> <td>Yes</td> <td>Yes </td></tr> <tr> <td>iPhone</td> <td>?</td> <td> </td></tr> <tr> <td>iPhone 3G</td> <td>Yes</td> <td>No </td></tr></tbody></table> <h3><span id="Running_/_Usage"></span><span class="mw-headline" id="Running_.2F_Usage">Running / Usage</span></h3> <p>wInd3x currently allows you to: </p> <ol><li>Decrypt <a href="/wiki/IMG1" title="IMG1">IMG1</a> files, like <a href="/wiki/OSOS" class="mw-redirect" title="OSOS">OSOS</a> or the bootloader/<a href="/index.php?title=WTF&amp;action=edit&amp;redlink=1" class="new" title="WTF (page does not exist)">WTF</a>/...</li> <li>Access arbitrary memory and experiment with peripherals</li> <li>Run unsigned DFU payloads</li> <li>Run an unsigned <a href="/wiki/OSOS" class="mw-redirect" title="OSOS">OSOS</a> or <a href="/wiki/U-Boot" title="U-Boot">U-Boot</a> by first running an automatically patched <a href="/index.php?title=WTF&amp;action=edit&amp;redlink=1" class="new" title="WTF (page does not exist)">WTF</a>.</li></ol> <p>For guides, see <a rel="nofollow" class="external text" href="https://github.com/freemyipod/wInd3x">github.com/freemyipod/wInd3x</a>. </p> <h3><span class="mw-headline" id="Vulnerability">Vulnerability</span></h3> <p>wInd3x exploits a vulnerability in the standard SETUP packet parsing code of the bootrom, in which the wIndex parameter is not bounds-checked for bmRequestType == {0x20, 0x40}, but is still used to index an array of interface/class handlers (which in the bootrom has a length of 1). 
</p> <h4><span class="mw-headline" id="Nano_4G_and_5G_Exploit_Chain">Nano 4G and 5G Exploit Chain</span></h4> <p>The first requirement is to find a suitable 'blx r0' instruction in the bootrom code of the device. For Nano 4G the only such instruction is at offset 0x3b0, and for Nano 5G there is one at 0x37c. We'll refer to it as X below. </p><p>We abuse the fact that wIndex == 3 for bmRequestType 0x40 treats a 'bytes left to send over USB' counter as a function pointer and calls it with r0 == the address of the SETUP packet. We massage the DFU mode into attempting to send us X+0x40 bytes, and failing after 0x40 bytes, thereby leaving the counter at X bytes and executing code at address X. </p><p>Since the bootrom is mapped at offset 0x0 as well as 0x20000000 at boot, this means we execute bootrom code, and X happens to point to a 'blx r0' instruction. This in turn causes the CPU to interpret the received SETUP packet as ARM code, because the SETUP handler is called with the SETUP packet as its argument, i.e. r0. </p><p>We specially craft the SETUP packet to be a valid ARM branch instruction, pointing somewhere into a temporary DFU image buffer. By first sending a payload as a partial DFU image (aborting before causing a MANIFEST), we are finally able to execute up to 0x800 (Nano 4G) or 0x400 (Nano 5G) bytes of fully user-controlled code. </p><p>In that payload, we send a stub which performs some runtime changes to the DFU's data structures to a) return a different product string and b) overwrite an image verification vtable entry with a function that allows unsigned images. Some SRAM is carved out by this payload. </p> <h4><span id="Nano_3G_and_Classic_(”6G”)"></span><span class="mw-headline" id="Nano_3G_and_Classic_.28.E2.80.9D6G.E2.80.9D.29">Nano 3G and Classic (”6G”)</span></h4> <p>With bmRequestType == 0x20 and wIndex == 6 we directly jump to code execution at the SETUP packet. 
</p><p>This bootrom does not have a VTable which can be easily hooked to override functions to provide Haxed DFU functionality. However, an 'OnImage' function pointer is present in the State structure, which we override with our own code (copied to carved-out SRAM). This code reimplements the bare minimum of the hooked function, without calling any decryption/verification code on the header/body. </p> <!-- NewPP limit report Cached time: 20250407094507 Cache expiry: 86400 Dynamic content: false CPU time usage: 0.018 seconds Real time usage: 0.020 seconds Preprocessor visited node count: 25/1000000 Preprocessor generated node count: 36/1000000 Post‐expand include size: 0/2097152 bytes Template argument size: 0/2097152 bytes Highest expansion depth: 2/40 Expensive parser function count: 0/100 Unstrip recursion depth: 0/20 Unstrip post‐expand size: 0/5000000 bytes --> <!-- Transclusion expansion time report (%,ms,calls,template) 100.00% 0.000 1 -total --> </div> <!-- Saved in parser cache with key wiki:pcache:idhash:6431-0!canonical and timestamp 20250407094507 and revision id 22090 --> </div> <div class="printfooter"> Retrieved from "<a dir="ltr" href="https://freemyipod.org/index.php?title=WInd3x&amp;oldid=22090">https://freemyipod.org/index.php?title=WInd3x&amp;oldid=22090</a>" </div> <div id="catlinks" class="catlinks catlinks-allhidden" data-mw="interface"></div> <div class="visualClear"></div> </div> </div> <div id="mw-navigation"> <h2>Navigation menu</h2> <div id="mw-head"> <div id="p-personal" role="navigation" class="" aria-labelledby="p-personal-label"> <h3 id="p-personal-label">Personal tools</h3> <ul> <li id="pt-login"><a href="/index.php?title=Special:UserLogin&amp;returnto=WInd3x" title="You are encouraged to log in; however, it is not mandatory [o]" accesskey="o">Log in</a></li> </ul> </div> <div id="left-navigation"> <div id="p-namespaces" role="navigation" class="vectorTabs" aria-labelledby="p-namespaces-label"> <h3 
