Saturday, October 2, 2010

How SHAtter Exploit Was Made!

In April 2010,
pod2g wrote a USB fuzzer and tested every single USB control message that could possibly be on his iPod touch 2G. The fuzzer found 2 vulnerabilities:
a heap overflow caused by usb_control_msg(0xA1, 1)
a way to dump the bootrom using USB descriptors request.
The team tested these two vulnerabilities on newer devices (iPhone 3GS, iPod touch 3G, iPad) and both were already fixed by Apple right away...but posixninja continued the fuzzing on these devices and found that with a particular sequence of USB messages it was possible to dump the BSS+Heap+Stack (on new devices only). Having a memory dump is a very helpful way in making exploits and it was also the first time we had this kind of dump. (Previous bootrom exploits like the 0x24000 Segment Overflow were done blind!)
Also, his first attemps to dump the memory resulted in rebooting the device. Interesting! This reboot is the basically the base of the SHAtter exploit.
Research began to figure out why the device would reboot. posixninja found the reason and proposed different ideas to exploit this. He also reversed tons of assembly code of the bootrom in this period, giving a support discussion to the team. We're not talking about days, but months of work. So, major props to posixninja: SHAtter would not have been possible without the clever vulnerability he found and the research he did on the bootrom.
In the meanwhile, pod2g helped on the USB reversing side and found a way to have more control over the size of the USB packets sent. The finer-grained control of the packet sizes is the key of SHAtter exploit arriving.
posixninja and pod2g worked on exploiting the vulnerability for days. Every attempt was a failure because the idea to attack the stack and bypass the IMG3 control routines was just impossible. It took them weeks to understand why they failed and why they couldn't exploit it this way.
They both gave up in July and focused on other subjects.

SHAtter exploit is known to be a tethered jailbreak. It is also known that SHAtter exploit is not a software exploit in-fact its a "Hardware" exploit that could allow you to jailbreak your device for life but tethered...Maybe after still working on the exploit it could turn into an Untethered exploit..but thats a possibility.

This is so far what we know of how SHAtter exploit arrived :-)

Stay tuned for more updates here at www.TheStraightMusic.blogspot.com!

No comments:

Post a Comment