freemyipod r359 - Code Review

Repository:freemyipod
Revision:r358‎ | r359 | r360 >
Date:13:45, 20 December 2010
Author:theseven
Status:new
Tags:
Comment:
ipodcrypt: Add function for generating pwnage2.0 exploits for the s5l8702
Modified paths:
  • /embios/trunk/tools/ipodcrypt.py (modified) (history)
  • /embios/trunk/tools/libipodcrypto (added) (history)
  • /embios/trunk/tools/libipodcrypto.py (modified) (history)
  • /embios/trunk/tools/libipodcrypto/s5l8702pwnage.cer (added) (history)

Diff [purge]

Index: embios/trunk/tools/libipodcrypto/s5l8702pwnage.cer
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Index: embios/trunk/tools/libipodcrypto/s5l8702pwnage.cer
Property changes on: embios/trunk/tools/libipodcrypto/s5l8702pwnage.cer
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
 1+application/octet-stream
\ No newline at end of property
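--- a/embios/trunk/tools/ipodcrypt.py
+++ b/embios/trunk/tools/ipodcrypt.py
@@ -37,6 +37,7 @@
 print " s5l8701-decryptfirmware <infile> <outfile>"
 print " s5l8702-cryptnor <infile> <outfile>"
 print " s5l8702-decryptnor <infile> <outfile>"
+ print " s5l8702-genpwnage <infile> <outfile>"
 exit(2)
 
 
@@ -61,6 +62,9 @@
 elif argv[1] == "s5l8702-decryptnor":
 libipodcrypto.s5l8702decryptnorfile(argv[2], argv[3])
 
+ elif argv[1] == "s5l8702-genpwnage":
+ libipodcrypto.s5l8702genpwnagefile(argv[2], argv[3])
+
 else: usage()
 
 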
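--- a/embios/trunk/tools/libipodcrypto.py
+++ b/embios/trunk/tools/libipodcrypto.py
@@ -23,6 +23,7 @@
 
 
 import sys
+import os
 import struct
 import time
 import hashlib
@@ -92,6 +93,17 @@
 return embios.read(0x08000000, len(data) - 0x800)
 
 
+def s5l8702genpwnage(data):
+ cert = open(os.path.dirname(__file__) + "/libipodcrypto/s5l8702pwnage.cer", "rb").read()
+ data = data.ljust(max(0x840, (len(data) + 0xf) & ~0xf), "\0")
+ header = ("87021.0\x03\0\0\0\0" + struct.pack("<IIII", len(data) - 0x830, len(data) - 0x4f6, len(data) - 0x7b0, 0x2ba)).ljust(0x40, "\0")
+ embios = libembios.Embios()
+ embios.write(0x08000000, header + hashlib.sha1(header).digest()[:0x10])
+ embios.lib.dev.timeout = 5000
+ embios.aesencrypt(0x08000040, 0x10, 1)
+ return embios.read(0x08000000, 0x50) + data + cert.ljust((len(cert) + 0xf) & ~0xf, "\0")
+
+
 def s5l8701cryptdfufile(infile, outfile):
 infile = open(infile, "rb")
 outfile = open(outfile, "wb")
@@ -138,3 +150,11 @@
 outfile.write(s5l8702decryptnor(infile.read()))
 infile.close()
 outfile.close()
+
+
+def s5l8702genpwnagefile(infile, outfile):
+ infile = open(infile, "rb")
+ outfile = open(outfile, "wb")
+ outfile.write(s5l8702genpwnage(infile.read()))
+ infile.close()
+ outfile.close()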
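Review bot: In `s5l8702genpwnage` the certificate is read with a bare `open(...).read()` on a path built by string concatenation, so the handle is never closed explicitly and an altered or truncated `s5l8702pwnage.cer` is appended to the output without any check. I would read it as `with open(os.path.join(os.path.dirname(__file__), "libipodcrypto", "s5l8702pwnage.cer"), "rb") as f: cert = f.read()` and raise a clear error when the blob does not match a recorded digest (`<EXPECTED_CERT_SHA1>` here is a placeholder; the page gives no value). The header offsets `0x830`, `0x4f6`, `0x7b0` and `0x2ba` carry no comment or docstring; a short docstring naming what each field refers to would let a reviewer audit the layout. In `s5l8702genpwnagefile`, `outfile` is opened with `"wb"` before the device call, so a failure inside `s5l8702genpwnage` leaves a truncated output file and both handles open; building the result first and opening the output afterwards avoids that.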