You may have known that I took some time reversing iBooter, trying to find out the magics behind it. After reading Geohot’s iPhone USB Linux Driver and client sample code, compared with what I have found by reversing iBooter, I have to say I feel a little disappointed about iBooter. It’s just a wrap to Geohot’s code, and there’s no secret behind it.
I’ll try to explain here what iBooter has done to Geohot’s code. The best way to explain is an example, let me start from the very beginning of the program: the main, be prepared, this is a long post :)
Snippet 1: main entry
In Geohot’s client code:
FILE *ipk; drvcmd *send=malloc(sizeof(drvcmd)); drvcmd *rcv=malloc(sizeof(drvcmd)); send->constant=0x1234; send->size=0; send->unknown=0; char line[8192]; int rcvd,rcvdmax; send->cmdcode=0x0; hexdump((unsigned char *)send, sizeof(drvcmd)); sendctrl(send, rcv); hexdump((unsigned char *)rcv, sizeof(drvcmd)); usleep(200000); readusb();
In iBooter, the disassembly listing:
What have you found here? Yes, there’s almost no difference :) They are the same.
Snippet 2: command loop
Now the main loop, in Geohot’s client code:
void qreadline(char *line) { int c=0; char temp=0; do { scanf("%c",&temp); //printf("%2.2x\n",temp); line[c]=temp; c++; } while(temp!='\n'); line[c]=0; } void readwrapper() { int retval; do { usleep(200000); retval=readusb(); //printf("READING %d\n",retval); }while(retval!=0); } int main() { while (1) { ...omitted... qreadline(line); if(line[0]==0x06) //send file { printf("File to send: "); qreadline(line); sendfiletoiphone(line); } else if(line[0]==0x02) //buffer overflow { ...omitted... printf("Buffer overflow\n%s\n",line); sendcmdtoiphone(line); readwrapper(); } else { sendcmdtoiphone(line); readwrapper(); } ...omitted } }
The disassembly of iBooter:
If you compare the above code snippet and the disassembly diagram, you’ll find they are actually the same, the only difference is a check for value 5 which is added by iBooter.
Snippet 3: SendCtrl
Now let’s check a routine that handles real USB call: SendCtrl. In Geohot’s original code:
void sendctrl(drvcmd *send, drvcmd *rcv) { FILE *ipk=fopen("/proc/iphone/ctrl", "w"); //open the device fwrite((void *)send, 1, sizeof(drvcmd),ipk); fclose(ipk); //to ack the write? ipk=fopen("/proc/iphone/ctrl", "r"); //open the device fread((void *)rcv,1,sizeof(drvcmd),ipk); fclose(ipk); }
The above code contains two parts: write to USB and read from USB. The code is using the driver, we need to find out how it’s done with USB library API calls, so we check the driver source, and have the following code snippet:
static int readctrl(char *buffer, char **start, off_t offset, int length) { int len; int retval; retval=usb_interrupt_msg(dev->udev, usb_rcvintpipe(dev->udev, 0x3), //0x83 or 0x3? buffer, length, &len, HZ*10); printk("Read returned: %d\n", retval); return len; } static int writectrl(struct file *file, const char *buffer, unsigned long count, void *data) { char buf[100]; //100 bytes max write int retval; int len; printk("Attempting to write\n"); retval=copy_from_user(buf, buffer, count); retval=usb_interrupt_msg(dev->udev, usb_sndintpipe(dev->udev, 0x4), buf, count, &len, HZ*10); printk("Write returned: %d\n", retval); return count; //should i return len? }
The above code is written for Linux so the calls are slightly different, if we convert the API call to LibUSB, it’ll be like this (endpoint for read is 0×83, not 0×3):
//Send the control command retval = usb_interrupt_write(DeviceHandle, // handle 0x4, // endpoint (char *)send, // buffer sizeof(drvcmd), // length timeout); // timeout //Receive the control command retval = usb_interrupt_read(DeviceHandle, // handle 0x83, // endpoint (char *)recv, // buffer 0xC, // length timeout); // timeout
Now check how iBooter does this:
Yay, it’s doing the same thing in the same manner.
Conclusion
Well, such similarities can be found everywhere in iBooter, so what can we learn from this? For me, it indicates one thing:
iBooter is mainly a copy of Geohot’s code, but changes the API calls to use LibUSB, and has slight changes, there isn’t any innovative secret in there.
My decision to reverse it was totally wrong, I thought I could learn some unusual thing from it, but seems like the easies and the correct way is simply to read Geohot’s linux driver code and USB documentation, everything’s there.
18 Comments
LOL George! This makes me laugh :D
Nice post
That explains it all.
George, which disassembly is this that you are using?
@Dick, it’s IDA Pro 5.2.
That’s why in the main header it says BASED ON GEOHOT’S kernel code. I never claimed that i rewrote it. I just added libusb support and fixed a bunch of bugs. The first version was a POC and since no one else had bothered to do anything with it… including YOU i figured i would. So how about a thank you?
@cmw, you felt a little pissed off by this article, did you? Check back another article you’ll find that “thank you” has already been said days ago. But in this article I mainly expressed my disappointment about what I have found and my stupid action to reverse it, this will tell other people not to do the same stupid thing to reverse a no-need-to-reverse proggie, not because of the author promised to release the source (where is it? I heard it’s scheduled to be released last week), but because there’s just nothing worth reversing other than reading the original code from Geohot. As I said in the article: “The EASIES and CORRECT way is to read Geohot’s code”.
CMW, I believed a lot of people not only say “thank you” but also donate money to you … so where is the winpwn?
@George.. i guess you didn’t check my site today :) i posted the source code. I have just been tied up working on winpwn and didn’t get time to really beta test 1.0. Check out iphonelinux dot org for the source.
I look forward to you reversing my next gpl app… maybe winpwn?
@avh i hopefully you will see a winpwn release today.. stay tuned
@cmw, I have no interest to reverse ANY of your code after I checked the gBooter (shall I call it iBooter?). Winpwn? Never heard of it, I only know pwnagetool which is released by devteam.
@George, you failed to notice (http://wikee.iphwn.org/news:pwnage_announcement) the rather clear announcement from the Dev Team that thanks to cmw there will be a Windows version that wasn’t originally planned for? It’s a shame your opinion is so easily changed by one miconception.
@Nick, yeah I didn’t notice the announcement, so what ? It’s a shame? Maybe but who cares, I’m just telling the truth that I *never heard of winpwn*.
I did a Google search of iLiberty+ and got 51,600 hits. iLibertyX gets 15,800 hits. winpwn only gets about 6k hits. Perhaps this is why George never heard of it. That, and the fact no one has seen it.
I used to work in academia. They have a saying there… publish or perish.
OK, a few of these are for something else, but “iLiberty” gets about 133,000 hits on Google.
Way to go George!
@sunnD, hahaha, I just tried Google it, “iLiberty” gave me 157000 items, on the other hand, I tried Baidu it (a very famous Chinese search engine), “iLiberty” gave me only 2310 items.
Wow Sunny that’s great. Maybe if you actually LOOKED at the site instead of googling it, You would actually see that i *DID* release. Remind me what you have done lately? Seem’s you forgot how much time i spent reversing the wireless driver for you. I seem to remember you begging me to help. Amazing how quickly people turn?
@cmw
How much more donation do you need? Look at what you have delivered? winpwn: just a tool for you (or maybe the Dev Team) to milk money from windows users …
I enjoyed reading this :p