tihmstar/libpatchfinder

iOS 13.3 is not supported by iBoot64Patch

sitay1 opened this issue · 2 comments

std::vector ibootpatchfinder64::get_sigcheck_patch() seems to have 2 issues on iOS 13.3
(I haven't checked earlier versions, so it might be the case in more versions.)

  1. The first issue I encountered is that it doesn't find the register for the "always production" patch.
    I think the register address for iPhone 7+ (iOS 13.3) is not one of those that appear in the list.

  2. The second issue I encountered is that the layout of the image4_validate_property_callback function has changed in the binary.

If I compare it to the SecureROM binary, you can see that the function ends with
RET
BL VALIDATE_STACK_COOKIE

so the patch that replaces these 2 opcodes with
MOV X0, 0
RET

is harmless (to the logic of the function).
Whereas in the iBSS code for 13.3 the function layout is like this:

iBoot:00000001800C223C RET
iBoot:00000001800C2240 ; ---------------------------------------------------------------------------
iBoot:00000001800C2240
iBoot:00000001800C2240 loc_1800C2240 ; CODE XREF: callback+5E8↑j
iBoot:00000001800C2240 LDR X8, [SP,#0x90+var_78]
iBoot:00000001800C2244 CMP X8, #8
iBoot:00000001800C2248 B.NE loc_1800C2260
iBoot:00000001800C224C LDR X8, [SP,#0x90+var_80]
iBoot:00000001800C2250 LDR X8, [X8]
iBoot:00000001800C2254 STR X8, [SP,#0x90+var_70]
iBoot:00000001800C2258 MOV X0, X8
iBoot:00000001800C225C B loc_1800C1FC0
iBoot:00000001800C2260 ; ---------------------------------------------------------------------------
iBoot:00000001800C2260
iBoot:00000001800C2260 loc_1800C2260 ; CODE XREF: callback+650↑j
iBoot:00000001800C2260 MOV W8, #0x40040011
iBoot:00000001800C2268 ADD W0, W8, #7
iBoot:00000001800C226C B loc_1800C2204
iBoot:00000001800C2270 ; ---------------------------------------------------------------------------
iBoot:00000001800C2270
iBoot:00000001800C2270 loc_1800C2270 ; CODE XREF: callback+628↑j
iBoot:00000001800C2270 BL check_stack_cookie

As you can see, after the RET there is another part of code (that is invoked earlier, in a good context of the function), causing execution to arrive at the RET while skipping the mov x0,0 and also the register restoration from the stack (the function trailer).

It seems like this is the reason this doesn't work.

Interestingly enough, it seems the function layout for the T8010 SecureROM is the same as in iOS 13.3 (weird, but probably compiler optimization stuff).

Patch suggestion:
```
loc_t ret = iter;
debug("ret=%p\n",ret);
"+" loc_t bne = iter - 7;
"+" debug("bne=%p\n",bne);

"-" const char p[] ="\x00\x00\x80\xD2" /mov x0,0/ "\xC0\x03\x5F\xD6" /ret/;
"-" patches.push_back({ret,p,sizeof(p)-1});
"+" const char p[] ="\x00\x00\x80\xD2" /mov x0,0/ "\x1F\x20\x03\xD5" /NOP/;
"+" patches.push_back({bne,p,sizeof(p)-1});
```
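Review bot: `loc_t bne = iter - 7;` relies on the B.NE sitting exactly seven instructions before the RET, which is the same kind of layout assumption that made the ret/bl patch skip the epilogue on 13.3, and the listing above does not show those seven instructions, so the target is unverified. Suggest walking back from `iter` until the word decodes as a b.ne (and bailing out if none is found within a few instructions) instead of a fixed distance, and asserting that decode before pushing the 8-byte patch, since `"\x1F\x20\x03\xD5"` also overwrites whatever instruction follows the b.ne on the fall-through path. Minor: `ret` is now only used by the debug line, and the `/mov x0,0/` comments have lost their `*` delimiters (rendered as italics), so the snippet will not compile as pasted.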

I don't know how to fix the "always production" patch. Is that important?
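As an added example (my own code written for this issue, not libpatchfinder's and not sitay1's), here is how the b.ne can be located by decoding the instruction rather than by a fixed `iter - 7` distance, with the patch writer refusing to fire unless the word it is about to overwrite really decodes as a b.ne. The buffers are constructed to mimic only the shape of the listing above (a b.ne some instructions before `ret ; bl`), not real iBoot bytes; the AArch64 encodings are from the architecture manual, and the three 4-byte patterns match the byte strings in the suggestion. `build_sample`, `find_bne_before`, `patch_bne_site` and the `demo_*` helpers are names I chose:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AArch64 encodings, little-endian in memory; these are the words behind the
 * three byte strings in the issue. */
#define A64_MOV_X0_0 0xD2800000u /* 00 00 80 D2  mov x0, #0 */
#define A64_RET      0xD65F03C0u /* C0 03 5F D6  ret        */
#define A64_NOP      0xD503201Fu /* 1F 20 03 D5  nop        */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* B.cond is 0101 0100 imm19 0 cond with cond NE = 0b0001; BL is 100101 imm26. */
static bool is_b_ne(uint32_t insn) { return (insn & 0xFF00001Fu) == 0x54000001u; }
static bool is_bl(uint32_t insn)   { return (insn & 0xFC000000u) == 0x94000000u; }
static bool is_ret(uint32_t insn)  { return insn == A64_RET; }

/* Offset of the first "ret" immediately followed by "bl" (the ret ; bl
 * check_stack_cookie pair the original patch keys on), or -1. */
long find_ret_before_bl(const uint8_t *code, size_t len) {
    for (size_t off = 0; off + 8 <= len; off += 4)
        if (is_ret(rd32(code + off)) && is_bl(rd32(code + off + 4)))
            return (long)off;
    return -1;
}

/* Walk backwards from ret_off at most max_back instructions and return the
 * nearest b.ne, or -1. This is the decode-based replacement for "iter - 7". */
long find_bne_before(const uint8_t *code, long ret_off, int max_back) {
    for (int n = 1; n <= max_back && ret_off - 4L * n >= 0; n++)
        if (is_b_ne(rd32(code + ret_off - 4L * n)))
            return ret_off - 4L * n;
    return -1;
}

/* Original patch: "mov x0,#0 ; ret" over "ret ; bl". Refuses unless a ret is there. */
bool patch_ret_site(uint8_t *code, size_t len, long off) {
    if (off < 0 || (size_t)off + 8 > len || !is_ret(rd32(code + off))) return false;
    wr32(code + off, A64_MOV_X0_0);
    wr32(code + off + 4, A64_RET);
    return true;
}

/* Suggested patch: "mov x0,#0 ; nop" over "b.ne <fail> ; <next insn>". Refuses
 * unless the word really is a b.ne, so a wrong offset cannot clobber two
 * unrelated instructions silently. */
bool patch_bne_site(uint8_t *code, size_t len, long off) {
    if (off < 0 || (size_t)off + 8 > len || !is_b_ne(rd32(code + off))) return false;
    wr32(code + off, A64_MOV_X0_0);
    wr32(code + off + 4, A64_NOP);
    return true;
}

/* Constructed sample: <lead> nops, a b.ne, <gap-1> filler nops, then ret ; bl.
 * The branch target is meaningless here; only the shape matters. Returns the
 * length in bytes, or 0 if it does not fit in cap. */
size_t build_sample(uint8_t *out, size_t cap, int lead, int gap) {
    if (lead < 0 || gap < 1 || (size_t)(lead + gap + 2) * 4 > cap) return 0;
    size_t off = 0;
    for (int i = 0; i < lead; i++, off += 4) wr32(out + off, A64_NOP);
    wr32(out + off, 0x54000001u | ((uint32_t)gap << 5)); off += 4; /* b.ne +gap */
    for (int i = 1; i < gap; i++, off += 4) wr32(out + off, A64_NOP);
    wr32(out + off, A64_RET); off += 4;
    wr32(out + off, 0x94000000u); off += 4;                          /* bl +0 */
    return off;
}

/* End to end: find ret;bl, decode back to the b.ne, apply the suggested patch.
 * Returns the b.ne-to-ret distance in instructions, or -1 on any failure. */
int demo_suggested_patch(int lead, int gap) {
    uint8_t buf[256];
    size_t len = build_sample(buf, sizeof buf, lead, gap);
    long ret = find_ret_before_bl(buf, len);
    long bne = ret < 0 ? -1 : find_bne_before(buf, ret, 32);
    if (bne < 0 || !patch_bne_site(buf, len, bne)) return -1;
    if (rd32(buf + bne) != A64_MOV_X0_0 || rd32(buf + bne + 4) != A64_NOP) return -1;
    return (int)((ret - bne) / 4);
}

/* What the hard-coded "iter - 7" does on the same sample: 1 if the word seven
 * instructions before the ret really is a b.ne and got patched, else 0. */
int demo_fixed_offset(int lead, int gap) {
    uint8_t buf[256];
    size_t len = build_sample(buf, sizeof buf, lead, gap);
    long ret = find_ret_before_bl(buf, len);
    return ret >= 0 && patch_bne_site(buf, len, ret - 7 * 4) ? 1 : 0;
}

/* The original ret-site patch for comparison: 1 if "mov x0,#0 ; ret" now sits
 * where "ret ; bl" was, else 0. */
int demo_ret_patch(int lead, int gap) {
    uint8_t buf[256];
    size_t len = build_sample(buf, sizeof buf, lead, gap);
    long ret = find_ret_before_bl(buf, len);
    if (ret < 0 || !patch_ret_site(buf, len, ret)) return 0;
    return rd32(buf + ret) == A64_MOV_X0_0 && rd32(buf + ret + 4) == A64_RET;
}

int main(void) {
    printf("gap 7: decoded distance %d, fixed -7 hits %d\n", demo_suggested_patch(4, 7), demo_fixed_offset(4, 7));
    printf("gap 5: decoded distance %d, fixed -7 hits %d\n", demo_suggested_patch(4, 5), demo_fixed_offset(4, 5));
    return 0;
}
```

With the b.ne seven instructions before the ret both approaches agree; move it to five and the fixed offset lands on a filler word and `patch_bne_site` refuses, while the decode-based search still finds it. The same refuse-unless-decoded check is what the real patch should do before writing eight bytes into the iBSS.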