Automated device and OS configuration

.gitignore

@@ -0,0 +1,6 @@
+bdu
+bdu.dSYM
+payload.bin
+payload.o
+device_def.S
+bootrom.bin

Makefile

@@ -1,22 +1,41 @@
-CC = gcc
-CFLAGS_OSX = -lusb-1.0 -framework CoreFoundation -framework IOKit -I./include
-CFLAGS_LNX =  -lusb-1.0
-
-all:
-		@echo 'ERROR: no platform defined.'
-		@echo 'LINUX USERS: make linux'
-		@echo 'MAC OS X USERS: make macosx'
-
-macosx:
-		$(CC) bdu.c -o bdu $(CFLAGS_OSX)
-
-		arm-elf-as -mthumb --fatal-warnings -o payload.o payload.S
-		arm-elf-objcopy -O binary  payload.o payload.bin
-		rm payload.o
-
-linux:
-		$(CC) bdu.c -o bdu $(CFLAGS_LNX)
-
-		arm-elf-as -mthumb --fatal-warnings -o payload.o payload.S
-		arm-elf-objcopy -O binary  payload.o payload.bin
-		rm payload.o
+CFLAGS = -lusb-1.0 -g
+
+ifeq ($(ARCH),mac)
+CFLAGS += -framework CoreFoundation -framework IOKit -I include
+endif
+
+ifeq ($(DEVICE),a4)
+$(shell echo ".set RET_ADDR, 0x7ef" > device_def.S)
+DEVICE_DEF = -DDEVICE_A4
+endif
+
+ifeq ($(DEVICE),3g)
+$(shell echo ".set RET_ADDR, 0x8b7" > device_def.S)
+DEVICE_DEF = -DDEVICE_3G
+endif
+
+ifeq ($(DEVICE),3gs_new_bootrom)
+$(shell echo ".set RET_ADDR, 0x8b7" > device_def.S)
+DEVICE_DEF = -DDEVICE_3GS_NEW_BOOTROM
+endif
+
+ifndef DEVICE_DEF
+$(error You must define the device type by specifying DEVICE=< a4 | 3g | 3gs_new_bootrom > in your make invocation)
+endif
+
+
+all: bdu payload.bin
+
+.PHONY: clean
+
+clean:
+	rm -f payload.o payload.bin device_def.S bdu
+
+payload.o: payload.S device_def.S
+	ecc -target thumbv7-none-engeabihf -Werror -c -o $@ $<
+
+payload.bin: payload.o
+	ecc-objcopy -O binary $^ $@
+
+bdu: bdu.c
+	$(CC) -o $@ $(CFLAGS) $(DEVICE_DEF) $^

README

@@ -1,13 +1,12 @@
 What to know about the Bootrom Dumper Utility (BDU) :
 - you need a mac or linux box to use it / build it
 - libusb > 1.0.8 required
+- compatible with A4 devices (iPhone 4, iPod 4G, iPad, AppleTV 2) and older devices (iPhone 3Gs, iPod 3G)
+- build it by running make with these arguments:
+    DEVICE=< a4 | 3g | 3gs_new_bootrom >
+    ARCH=mac if you're not using linux
 - execute it with root privileges (sudo ./bdu)
-- by default compatible only with A4 devices : (iPhone 4, iPod 4G, iPad, AppleTV 2)
-     it's possible to extend the compatibility to older devices as well (iPhone 3Gs, iPod 3G) by changing:
-        * the offset to the call of usb_wait_for_image in payload.S
-        * exploit offsets in bdu.c
-     was too lazy to automate this stuff...
 
-Happy Reverse Code Engeneering !
+Happy Reverse Code Engineering !
 
 ~ pod2g

bdu.c

@@ -15,14 +15,20 @@
 
 #define LOADADDR	0x84000000
 // A4:
+#if defined(DEVICE_A4)
 #define EXPLOIT_LR	0x8403BF9C
 #define LOADADDR_SIZE	0x2C000
 // iPod 3G:
-//#define EXPLOIT_LR	0x84033F98
-//#define LOADADDR_SIZE	0x24000
+#elif defined(DEVICE_3G)
+#define EXPLOIT_LR	0x84033F98
+#define LOADADDR_SIZE	0x24000
 // iPhone 3Gs:
-//#define EXPLOIT_LR	0x84033FA4
-//#define LOADADDR_SIZE	0x24000
+#elif defined(DEVICE_3GS_NEW_BOOTROM)
+#define EXPLOIT_LR	0x84033FA4
+#define LOADADDR_SIZE	0x24000
+#else
+#error No device type specified!
+#endif
 
 #define VENDOR_ID    0x05AC
 #define WTF_MODE     0x1227
@@ -83,6 +89,7 @@ struct libusb_device_handle* usb_wait_device_connection(struct libusb_context* c
         sleep(2);
         usb_close(handle);
         handle = usb_init(context, WTF_MODE);
+        return handle;
 }
 
 int readfile(char *filename, void* buffer, unsigned int skip) {
@@ -150,21 +157,22 @@ int main(int argc, char *argv[]) {
 	#ifndef __APPLE__
 	printf("sent fake data to timeout: %X\n", libusb_control_transfer(handle, 0x21, 1, 0, 0, buf, 0x800, 10));
 	#else
+	#define DARWIN_CACHED_DEVICE(a) ((struct darwin_cached_device *) (((struct darwin_device_priv *)((a)->os_priv))->dev))
 	// pod2g: dirty hack for limera1n support.
 	IOReturn kresult;
-	IOUSBDevRequest req;
+	IOUSBDevRequestTO req;
 	bzero(&req, sizeof(req));
 	//struct darwin_device_handle_priv *priv = (struct darwin_device_handle_priv *)client->handle->os_priv;
-	struct darwin_device_priv *dpriv = (struct darwin_device_priv *)handle->dev->os_priv;
+	struct darwin_cached_device *dpriv = DARWIN_CACHED_DEVICE(handle->dev);
 	req.bmRequestType     = 0x21;
 	req.bRequest          = 1;
 	req.wValue            = OSSwapLittleToHostInt16 (0);
 	req.wIndex            = OSSwapLittleToHostInt16 (0);
 	req.wLength           = OSSwapLittleToHostInt16 (0x800);
 	req.pData             = buf + LIBUSB_CONTROL_SETUP_SIZE;
-	kresult = (*(dpriv->device))->DeviceRequestAsync(dpriv->device, &req, (IOAsyncCallback1) dummy_callback, NULL);
+	kresult = (*(dpriv->device))->DeviceRequestAsyncTO(dpriv->device, &req, (IOAsyncCallback1) dummy_callback, NULL);
 	usleep(5 * 1000);
-	kresult = (*(dpriv->device))->USBDeviceAbortPipeZero (dpriv->device);
+	kresult = (*(dpriv->device))->USBDeviceAbortPipeZero(dpriv->device);
 	#endif
 
 	printf("sent exploit to heap overflow: %X\n", libusb_control_transfer(handle, 0x21, 2, 0, 0, buf, 0, 1000));

include/config.h

@@ -1,99 +1,28 @@
-/* config.h.  Generated from config.h.in by configure.  */
-/* config.h.in.  Generated from configure.ac by autoheader.  */
+/* config.h.  Manually generated for Xcode.  */
 
 /* Default visibility */
-//#define API_EXPORTED __attribute__((visibility("default")))
-
-/* Debug message logging */
-/* #undef ENABLE_DEBUG_LOGGING */
+#define DEFAULT_VISIBILITY /**/
 
 /* Message logging */
 #define ENABLE_LOGGING 1
 
-/* Define to 1 if you have the <dlfcn.h> header file. */
-#define HAVE_DLFCN_H 1
-
-/* Define to 1 if you have the <inttypes.h> header file. */
-#define HAVE_INTTYPES_H 1
-
-/* Define to 1 if you have the `rt' library (-lrt). */
-/* #undef HAVE_LIBRT */
-
-/* Define to 1 if you have the <memory.h> header file. */
-#define HAVE_MEMORY_H 1
-
-/* Define to 1 if you have the <stdint.h> header file. */
-#define HAVE_STDINT_H 1
-
-/* Define to 1 if you have the <stdlib.h> header file. */
-#define HAVE_STDLIB_H 1
-
-/* Define to 1 if you have the <strings.h> header file. */
-#define HAVE_STRINGS_H 1
-
-/* Define to 1 if you have the <string.h> header file. */
-#define HAVE_STRING_H 1
-
-/* Define to 1 if you have the <sys/stat.h> header file. */
-#define HAVE_SYS_STAT_H 1
-
-/* Define to 1 if you have the <sys/types.h> header file. */
-#define HAVE_SYS_TYPES_H 1
-
-/* Define to 1 if you have the <unistd.h> header file. */
-#define HAVE_UNISTD_H 1
+/* Define to 1 if you have the `gettimeofday' function. */
+#define HAVE_GETTIMEOFDAY 1
 
-/* Define to the sub-directory in which libtool stores uninstalled libraries.
-   */
-#define LT_OBJDIR ".libs/"
+/* Define to 1 if you have the <poll.h> header file. */
+#define HAVE_POLL_H 1
 
-/* Define to 1 if your C compiler doesn't accept -c and -o together. */
-/* #undef NO_MINUS_C_MINUS_O */
+/* Define to 1 if you have the <sys/time.h> header file. */
+#define HAVE_SYS_TIME_H 1
 
 /* Darwin backend */
-#define OS_DARWIN /**/
+#define OS_DARWIN 1
 
-/* Linux backend */
-/* #undef OS_LINUX */
+/* type of second poll() argument */
+#define POLL_NFDS_TYPE nfds_t
 
-/* Name of package */
-#define PACKAGE "libusb"
-
-/* Define to the address where bug reports for this package should be sent. */
-#define PACKAGE_BUGREPORT ""
-
-/* Define to the full name of this package. */
-#define PACKAGE_NAME "libusb"
-
-/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "libusb 1.0.8"
-
-/* Define to the one symbol short name of this package. */
-#define PACKAGE_TARNAME "libusb"
-
-/* Define to the home page for this package. */
-#define PACKAGE_URL ""
-
-/* Define to the version of this package. */
-#define PACKAGE_VERSION "1.0.8"
-
-/* Define to 1 if you have the ANSI C header files. */
-#define STDC_HEADERS 1
-
-/* Backend handles timeout */
-#define USBI_OS_HANDLES_TIMEOUT /**/
-
-/* timerfd headers available */
-/* #undef USBI_TIMERFD_AVAILABLE */
-
-/* Version number of package */
-#define VERSION "1.0.8"
+/* Use POSIX Threads */
+#define THREADS_POSIX 1
 
 /* Use GNU extensions */
-#define _GNU_SOURCE /**/
-
-/* Define to `__inline__' or `__inline' if that's what the C compiler
-   calls it, or to nothing if 'inline' is not supported under any name.  */
-#ifndef __cplusplus
-/* #undef inline */
-#endif
+#define _GNU_SOURCE 1