
imagine tool missing the "dt.h" header

Posted: Tue Jun 16, 2015 3:49 pm
by backendbilly
Hi Jonathan,

Could you provide the dt.h header to compile imagine?

Thanks

Re: imagine tool missing the "dt.h" header

Posted: Tue Jun 16, 2015 6:58 pm
by morpheus
I can. Sorry. That was an omission of mine, apparently (should be just obtainable from same directory, with "dt.h" as the file name).

While I'm at it, here's a slightly improved version of the tool, which also dumps the KBAGs (more useful that way).

Re: imagine tool missing the "dt.h" header

Posted: Tue Jun 16, 2015 7:45 pm
by backendbilly
Hi Jonathan,

I'm a little confused with the output from img3 and the original imagine output shown in the book. The book shows the following:

morpheus@Ergo (/tmp)$ imagine -d iOS/DeviceTree.n81ap.img3
Device Tree has 15 properties and 13 children
Properties:
device-tree
| +--compatible Length 23
| +--secure-root-prefix Length 3
| +--AAPL,phandle Length 4
| +--config-number Length 32
| +--model-number Length 32
| +--platform-name Length 32
| +--serial-number Length 32
| +--device_type Length 8
| +--#size-cells Length 4
| +--clock-frequency Length 4
| +--mlb-serial-number Length 32
| +--#address-cells Length 4
| +--region-info Length 32
| +--model Length 8
| +--name Length 12
+--chosen
| | +--firmware-version Length 256



The new img3 tool shows actual segments in the encrypted IMG3 file (which is what I expected):

img3 -d DeviceTree.n94ap.img3
Ident: dtre
Tag: TYPE (54595045) Length 0x20
Type: dtre
Tag: DATA (44415441) Length 0x1413c
Data of type 0x65727464 and length 82212 bytes
More than 20 properties? Did you hand me an encrypted file?
Tag: VERS (56455253) Length 0x3c
Version: EmbeddedDeviceTrees-1735.1.73
Tag: SEPO (5345504f) Length 0x1c
Security Epoch: 11 00 00 00
Tag: CHIP (43484950) Length 0x1c
Chip: 40 89 00 00
Tag: BORD (424f5244) Length 0x1c
Board: 08 00 00 00
Tag: KBAG (4b424147) Length 0x4c
01000000000100003314F219FEEFAA302CBA74FEBB82C5C5B538C045776BFEE9BBFC79C7890E9428440AAD1F764464F64F5392276531324C00000000000000004741424B8000000038000000
Tag: KBAG (4b424147) Length 0x80
020000000001000001F480B48D9711C713A73133F668EF7300728DD3B0A6F2BA6D25797B3A1E572C16A4935C3AA62FEFC1369FD9C7697F8E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000


Trying the img3 tool with the decrypted DeviceTree shows the following:

img3 -d DeviceTree.n94ap.img3.decrypted
DeviceTree.n94ap.img3.decrypted is not an IMG3 file!


Am I missing something?

Re: imagine tool missing the "dt.h" header

Posted: Wed Jun 17, 2015 2:41 am
by morpheus
Likely a bug, but possibly because it couldn't find the header post decryption. Upload your pre and post decryption files here, please? I'll have a look.

Re: imagine tool missing the "dt.h" header

Posted: Wed Jun 17, 2015 4:47 am
by backendbilly
The IMG3 header is stripped out post decryption, hence the reason why the tool exits if it does not find it. I'm not sure if the version of DeviceTree (appears to be from iOS 4.1 iPod) that you tested at the time you wrote the tool kept the IMG3 header even after it was decrypted. I can tell you that the decrypted DeviceTree from iOS 8.1 does not include the IMG3 header.

Re: imagine tool missing the "dt.h" header

Posted: Wed Jun 17, 2015 2:26 pm
by morpheus
Ah. That would explain it, yes. Normally when I decrypt with my version of xpwntool the header remains intact. If you cut/paste the header (64 bytes or so) the tool would work. FYI, the device tree hasn't really changed from the older iOS versions much, since it's primarily derived from the hardware.
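
Added example (not part of the thread, and not code from imagine, img3 or xpwntool): a minimal IMG3 tag walker showing why a file that starts at the bare DATA payload is rejected, and that with a 0x20-byte TYPE tag first, as in the output above, the payload begins at offset 64. The 20-byte file header and 12-byte tag header layout are assumptions taken from public IMG3 documentation, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMG3_MAGIC 0x496d6733u /* 'Img3' (assumed layout, little-endian on disk) */
#define TAG_TYPE   0x54595045u /* matches "Tag: TYPE (54595045)" in the output above */
#define TAG_DATA   0x44415441u /* matches "Tag: DATA (44415441)" */
#define IMG3_HDR   20u         /* magic, fullSize, sizeNoPack, sigCheckArea, ident */
#define TAG_HDR    12u         /* magic, totalLength, dataLength */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Offset of the payload of the first `want` tag; -1 if buf is not an IMG3
 * container (e.g. a bare decrypted payload), -2 if truncated or tag absent. */
long img3_find_tag(const uint8_t *buf, size_t len, uint32_t want, uint32_t *dlen) {
    if (len < IMG3_HDR || le32(buf) != IMG3_MAGIC) return -1;
    size_t off = IMG3_HDR;
    while (len - off >= TAG_HDR) {
        uint32_t total = le32(buf + off + 4), n = le32(buf + off + 8);
        /* Reject lengths that would walk past the buffer or loop forever. */
        if (total < TAG_HDR || total > len - off || n > total - TAG_HDR) return -2;
        if (le32(buf + off) == want) { *dlen = n; return (long)(off + TAG_HDR); }
        off += total;
    }
    return -2;
}

/* Constructed 84-byte sample: header, TYPE tag (0x20 bytes), DATA tag with 8 payload bytes. */
size_t build_sample(uint8_t *out) {
    memset(out, 0, 84);
    put32(out, IMG3_MAGIC); put32(out + 4, 84); put32(out + 16, 0x64747265u); /* 'dtre' */
    put32(out + 20, TAG_TYPE); put32(out + 24, 0x20); put32(out + 28, 4); put32(out + 32, 0x64747265u);
    put32(out + 52, TAG_DATA); put32(out + 56, 32); put32(out + 60, 8);
    memcpy(out + 64, "PAYLOAD!", 8);
    return 84;
}

int main(void) {
    uint8_t b[84]; uint32_t n = 0;
    size_t len = build_sample(b);
    printf("DATA payload at offset %ld\n", img3_find_tag(b, len, TAG_DATA, &n));
    printf("bare payload -> %ld\n", img3_find_tag(b + 64, len - 64, TAG_DATA, &n));
    return 0;
}
```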

Re: imagine tool missing the "dt.h" header

Posted: Mon Aug 17, 2015 8:36 am
by danzatt
You should use xpwntool's -decrypt option, otherwise it just decrypts and dumps the DATA tag. Or you may consider switching to https://github.com/danzatt/reimagine which has more features.

Re: imagine tool missing the "dt.h" header

Posted: Thu Aug 20, 2015 3:20 pm
by backendbilly
Hey danzatt,

There seems to be a problem in cloning your git code specifically at opensn0w.

Cloning into 'reimagine'...
remote: Counting objects: 65, done.
remote: Total 65 (delta 0), reused 0 (delta 0), pack-reused 65
Unpacking objects: 100% (65/65), done.
Submodule 'opensn0w-X' (git@github.com:danzatt/opensn0w-X.git) registered for path 'opensn0w-X'
Cloning into 'opensn0w-X'...
Warning: Permanently added the RSA host key for IP address '192.30.252.129' to the list of known hosts.
Permission denied (publickey).
fatal: The remote end hung up unexpectedly
Clone of 'git@github.com:danzatt/opensn0w-X.git' into submodule path 'opensn0w-X' failed

Re: imagine tool missing the "dt.h" header

Posted: Thu Aug 20, 2015 8:05 pm
by danzatt
Yeah, I blindly copied the link shown to me (while logged in); should be fixed now.

Re: imagine tool missing the "dt.h" header

Posted: Thu Aug 20, 2015 8:25 pm
by backendbilly
Still getting the same error.