Pwnage 2.0

Jump to: navigation, search

Planetbeing has adapted the Pwnage 2.0 exploit to work on the iPod Nano and Classic line. This exploit is at the bootrom level, so it cannot be patched by Apple. Apple built in the functionality to upload a WTF recovery stage to the iPod when it is in DFU mode. There is a bug in the certificate parsing code that permits an unauthorized jump to an arbitrary location. It is also convenient that a payload can be embedded in the main body of the WTF. It is know that the entire WTF is copied to 0x22000000. If you put your exploit payload at 0x800 in the WTF, you should jump to 0x22000800. The iPod Classic and Nano lines are vulnerable to Pwnage 2.0, but this vulnerability has been patched starting with the Nano 5G.


The WTF file is the first recovery stage. It is believed that this stage facilitates the loading of a second stage. The iPhoneWiki has some limited information about WTF binaries here. WTF files for your device can be downloaded from Phobos, which hosts binaries for many of Apple's devices. There is a nice directory of Phobos downloads here. Go to the "DFU/Recovery Files" section and find the WTF for your device and download the corresponding ipsw. Extract this and find the actual WTF binary. It normally has a name like WTF.x1225.release.dfu.

The WTF has a header that is of length 0x600 (on the S5L8720 at least). This header is mostly zeros but it also has the length of the certificate. In the middle is the large encrypted payload. The certificate is at the end of the WTF. On the S5L8720 the certificate is 0xBE3 bytes long.

Preparing WTF

In order to use the exploit, you must overwrite part of the WTF's main body with a payload. Offset 0x800 is a good place to start the payload.

To be continued...