imagine tool missing the "dt.h" header

Used for discussing the various tools in the book as well as encouraging members to share tools

Postby backendbilly » Tue Jun 16, 2015 3:49 pm

Hi Jonathan,

Could you provide the dt.h header to compile imagine?

Thanks
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: imagine tool missing the "dt.h" header

Postby morpheus » Tue Jun 16, 2015 6:58 pm

I can. Sorry. That was an omission of mine, apparently (should be just obtainable from same directory, with "dt.h" as the file name).

While I'm at it, here's a slightly improved version of the tool, which also dumps the KBAGs (more useful that way).
Attachments
img3.tar
img3.c + dt.h
(10 KiB) Downloaded 276 times
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: imagine tool missing the "dt.h" header

Postby backendbilly » Tue Jun 16, 2015 7:45 pm

Hi Jonathan,

I'm a little confused with the output from img3 and the original imagine output shown in the book. The book shows the following:

morpheus@Ergo (/tmp)$ imagine -d iOS/DeviceTree.n81ap.img3
Device Tree has 15 properties and 13 children
Properties:
device-tree
| +--compatible Length 23
| +--secure-root-prefix Length 3
| +--AAPL,phandle Length 4
| +--config-number Length 32
| +--model-number Length 32
| +--platform-name Length 32
| +--serial-number Length 32
| +--device_type Length 8
| +--#size-cells Length 4
| +--clock-frequency Length 4
| +--mlb-serial-number Length 32
| +--#address-cells Length 4
| +--region-info Length 32
| +--model Length 8
| +--name Length 12
+--chosen
| | +--firmware-version Length 256



The new img3 tool shows actual segments in the encrypted IMG3 file (which is what I expected):

img3 -d DeviceTree.n94ap.img3
Ident: dtre
Tag: TYPE (54595045) Length 0x20
Type: dtre
Tag: DATA (44415441) Length 0x1413c
Data of type 0x65727464 and length 82212 bytes
More than 20 properties? Did you hand me an encrypted file?
Tag: VERS (56455253) Length 0x3c
Version: EmbeddedDeviceTrees-1735.1.73
Tag: SEPO (5345504f) Length 0x1c
Security Epoch: 11 00 00 00
Tag: CHIP (43484950) Length 0x1c
Chip: 40 89 00 00
Tag: BORD (424f5244) Length 0x1c
Board: 08 00 00 00
Tag: KBAG (4b424147) Length 0x4c
01000000000100003314F219FEEFAA302CBA74FEBB82C5C5B538C045776BFEE9BBFC79C7890E9428440AAD1F764464F64F5392276531324C00000000000000004741424B8000000038000000
Tag: KBAG (4b424147) Length 0x80
020000000001000001F480B48D9711C713A73133F668EF7300728DD3B0A6F2BA6D25797B3A1E572C16A4935C3AA62FEFC1369FD9C7697F8E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000


Trying the img3 tool with the decrypted DeviceTree shows the following:

img3 -d DeviceTree.n94ap.img3.decrypted
DeviceTree.n94ap.img3.decrypted is not an IMG3 file!


Am I missing something?
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: imagine tool missing the "dt.h" header

Postby morpheus » Wed Jun 17, 2015 2:41 am

Likely a bug, but possibly because it couldn't find the header post decryption. Upload your pre and post decryption files here, please? I'll have a look.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: imagine tool missing the "dt.h" header

Postby backendbilly » Wed Jun 17, 2015 4:47 am

The IMG3 header is stripped out post decryption, hence the reason why the tool exits if it does not find it. I'm not sure if the version of DeviceTree (appears to be from iOS 4.1 iPod) that you tested at the time you wrote the tool kept the IMG3 header even after it was decrypted. I can tell you that the decrypted DeviceTree from iOS 8.1 does not include the IMG3 header.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: imagine tool missing the "dt.h" header

Postby morpheus » Wed Jun 17, 2015 2:26 pm

Ah. That would explain it, yes. Normally when I decrypt with my version of xpwntool the header remains intact. If you cut/paste the header (64 bytes or so) the tool would work. FYI, the device tree hasn't really changed from the older iOS versions much, since it's primarily derived from the hardware.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
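
The header check discussed in the posts above, as an added example (not img3.c or any code posted in this thread): a minimal IMG3 tag walker that rejects a buffer whose IMG3 header has been stripped, as happens with a bare decrypted DATA payload. The 20-byte header and 12-byte tag header layout are assumptions taken from public IMG3 descriptions, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not stated in the thread): 20-byte header {magic, fullSize,
 * sizeNoPack, sigCheckArea, ident}, then tags {magic, totalLength, dataLength,
 * data, padding}; every field is a little-endian 32-bit value. */
#define IMG3_MAGIC   0x496d6733u   /* "Img3", stored as "3gmI" on disk */
#define IMG3_HDR_LEN 20u
#define TAG_HDR_LEN  12u

static uint32_t rd32le(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the tag count, -1 if the buffer has no IMG3 header (for example a
 * bare decrypted DATA payload), -2 if a tag length runs past the buffer. */
int img3_walk(const uint8_t *buf, size_t len, int verbose) {
    if (len < IMG3_HDR_LEN || rd32le(buf) != IMG3_MAGIC)
        return -1;
    size_t off = IMG3_HDR_LEN;
    int count = 0;
    while (off < len) {
        if (len - off < TAG_HDR_LEN)
            return -2;
        uint32_t magic = rd32le(buf + off);
        uint32_t total = rd32le(buf + off + 4);
        uint32_t dlen  = rd32le(buf + off + 8);
        /* Validate lengths before trusting them to advance the cursor. */
        if (total < TAG_HDR_LEN || total > len - off || dlen > total - TAG_HDR_LEN)
            return -2;
        if (verbose)
            printf("Tag: %c%c%c%c (%08x) Length 0x%x\n", (int)(magic >> 24),
                   (int)((magic >> 16) & 0xff), (int)((magic >> 8) & 0xff),
                   (int)(magic & 0xff), (unsigned)magic, (unsigned)total);
        off += total;
        count++;
    }
    return count;
}

/* Constructed 80-byte sample: header, TYPE tag (0x20), BORD tag (0x1c). */
static const uint8_t sample[80] = {
    '3','g','m','I', 0x50,0,0,0, 0x3c,0,0,0, 0,0,0,0, 'e','r','t','d',
    'E','P','Y','T', 0x20,0,0,0, 4,0,0,0, 'e','r','t','d',
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    'D','R','O','B', 0x1c,0,0,0, 4,0,0,0, 8,0,0,0 /* rest is zero padding */
};

int main(void) {
    printf("tags: %d\n", img3_walk(sample, sizeof sample, 1));
    return 0;
}
```

Passing `sample + 20` (the same bytes without the header) returns -1, which corresponds to the "is not an IMG3 file!" case reported earlier in the thread.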

Re: imagine tool missing the "dt.h" header

Postby danzatt » Mon Aug 17, 2015 8:36 am

You should use xpwntool's -decrypt option, otherwise it just decrypts and dumps the DATA tag. Or you may consider switching to https://github.com/danzatt/reimagine which has more features.
danzatt
 
Posts: 8
Joined: Sun Jun 28, 2015 12:32 pm

Re: imagine tool missing the "dt.h" header

Postby backendbilly » Thu Aug 20, 2015 3:20 pm

hey danzatt,

There seems to be a problem in cloning your git code specifically at opensn0w.

Cloning into 'reimagine'...
remote: Counting objects: 65, done.
remote: Total 65 (delta 0), reused 0 (delta 0), pack-reused 65
Unpacking objects: 100% (65/65), done.
Submodule 'opensn0w-X' (git@github.com:danzatt/opensn0w-X.git) registered for path 'opensn0w-X'
Cloning into 'opensn0w-X'...
Warning: Permanently added the RSA host key for IP address '192.30.252.129' to the list of known hosts.
Permission denied (publickey).
fatal: The remote end hung up unexpectedly
Clone of 'git@github.com:danzatt/opensn0w-X.git' into submodule path 'opensn0w-X' failed
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: imagine tool missing the "dt.h" header

Postby danzatt » Thu Aug 20, 2015 8:05 pm

Yeah I blindly copied the link shown to me (while logged in), should be fixed now.
danzatt
 
Posts: 8
Joined: Sun Jun 28, 2015 12:32 pm

Re: imagine tool missing the "dt.h" header

Postby backendbilly » Thu Aug 20, 2015 8:25 pm

Still getting the same error.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm
