From 25fb4231a0cf31f9e0ff6128851c75179338897d Mon Sep 17 00:00:00 2001
From: ninjaprawn <4337909+ninjaprawn@users.noreply.github.com>
Date: Tue, 8 Jul 2025 23:13:38 +1000
Subject: [PATCH 1/4] Add img1 format updating for signature bypassing on n7g
---
 src/img1.rs | 4 ++++
 src/main.rs | 11 ++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/img1.rs b/src/img1.rs
index f090c7a..64551f2 100644
--- a/src/img1.rs
+++ b/src/img1.rs
@@ -16,6 +16,10 @@ impl Img1 {
 out.extend_from_slice(&self.body);
 out.extend_from_slice(&self.cert);
 }
+
+ pub fn update_format(&mut self, format: u8) {
+ self.head[0x08] = format;
+ }
 }
 pub fn img1_parse(orig_data: &[u8], device: &Device) -> Img1 {
diff --git a/src/main.rs b/src/main.rs
index 0b4d9b3..e1639e0 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -105,6 +105,13 @@ fn main() -> anyhow::Result<()> {
 std::fs::remove_file("./in-otf.bin")?;
 img1.body = rsrc_data;
 }
+
+ if let Device::Nano7Refresh = args.device { // On n7g, changing the format from 'Signed' to 'Encrypted+Signed' will result in the signature of rsrc not being checked
+ img1.update_format(0x03);
+ info!("Updated rsrc format to Encrypted+Signed to allow free modifications of rsrc");
+ }
+
 info!("Repacking RSRC Img1");
 rsrc.body.clear();
 img1.write(&mut rsrc.body);
@@ -120,7 +127,9 @@ fn main() -> anyhow::Result<()> {
 if let Device::Nano6 = args.device {
 mse_out[0x5004..][..4].copy_from_slice(b"soso");
 mse_out[0x5144..][..4].copy_from_slice(b"ksid");
- } else {
+ } else if let Device::Nano7Refresh = args.device {
+ info!("Swap is no longer required for n7g!");
+ } else {
 mse_out[0x5004..][..4].copy_from_slice(b"soso");
 mse_out[0x5194..][..4].copy_from_slice(b"ksid");
 }
From 3ea12df93c059ca8f4a387262c07754ca708cdb5 Mon Sep 17 00:00:00 2001
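Review bot: `update_format` is a new `pub fn` with neither a doc comment nor a name for the `0x08` it writes, so a reader of `img1.rs` cannot tell which header field it overwrites without this commit's message. Suggest `/// Overwrite the Img1 format byte at header offset 0x08.` above the signature and `const FORMAT_OFFSET: usize = 0x08;` (name constructed) in place of the bare index. If `head` is a `Vec<u8>` rather than a fixed-size array (its declaration is outside the hunk), `self.head[0x08]` panics on a truncated header, so a `debug_assert!(self.head.len() > 0x08)` here or a length check in `img1_parse` would make that failure explicit.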
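Review bot: `img1.update_format(0x03)` passes a bare literal whose meaning lives only in the comment above it; suggest `pub const IMG1_FORMAT_ENCRYPTED_SIGNED: u8 = 0x03;` (name constructed, value from the hunk) beside `update_format` in `img1.rs` and `img1.update_format(IMG1_FORMAT_ENCRYPTED_SIGNED);` here. The explanatory comment about the signature check being skipped for this format on n7g belongs on that constant or on `update_format`, where the next reader of the Img1 code will find it, rather than inside one branch of `main`. `main` begins and ends outside the hunk.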
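Review bot: The new `else if let Device::Nano7Refresh = args.device` arm grows an `if let` chain over unit variants whose final `else` silently absorbs any future `Device` variant; a `match args.device` with one arm per device reads more directly and, once the remaining variants are named instead of `_`, makes the compiler flag additions. The two `mse_out[0x5004..][..4].copy_from_slice(b"soso");` lines stay duplicated in the Nano6 and fallback arms because the n7g arm deliberately writes nothing, so they should not be hoisted above the match. `main` continues outside the hunk, and the `_` arm below keeps today's fallback behaviour because the other `Device` variants are not visible here.

```rust
match args.device {
    Device::Nano6 => {
        mse_out[0x5004..][..4].copy_from_slice(b"soso");
        mse_out[0x5144..][..4].copy_from_slice(b"ksid");
    }
    Device::Nano7Refresh => info!("Swap is no longer required for n7g!"),
    _ => {
        mse_out[0x5004..][..4].copy_from_slice(b"soso");
        mse_out[0x5194..][..4].copy_from_slice(b"ksid");
    }
}
```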
From: ninjaprawn <4337909+ninjaprawn@users.noreply.github.com>
Date: Thu, 10 Jul 2025 19:27:32 +1000
Subject: [PATCH 2/4] Change overwrite address on n7g to prevent iTunes crashing
---
 src/payload/exploit_config.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/payload/exploit_config.rs b/src/payload/exploit_config.rs
index 62ee8fd..0d87832 100644
--- a/src/payload/exploit_config.rs
+++ b/src/payload/exploit_config.rs
@@ -50,8 +50,8 @@ impl ExploitConfig for ExploitConfigN7G {
 const SWAP_COUNT: usize = 128;
 const DROP_COUNT: usize = Self::SWAP_COUNT + 17;
 const PATCH_MFG_STR: bool = false;
- const BUILDCHAR_OVERWRITE_ADDR: u32 = 0x0819_c458_u32;
- const BUILDCHAR_WRITE_OFFSET: u16 = 0;
+ const BUILDCHAR_OVERWRITE_ADDR: u32 = 0x0819_0000_u32;
+ const BUILDCHAR_WRITE_OFFSET: u16 = 0xc1d6_u16;
 }
 pub struct ExploitConfigN5GEmu;
From ef79e7a0bcee7b7f9eab9527ab95d60190e385db Mon Sep 17 00:00:00 2001
From: ninjaprawn <4337909+ninjaprawn@users.noreply.github.com>
Date: Thu, 10 Jul 2025 19:28:35 +1000
Subject: [PATCH 3/4] Update some subcommand references as result of overwrite address change
---
 tools/scsi_decrypter/src/main.rs | 8 ++++----
 tools/scsi_dumper/src/main.rs | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/scsi_decrypter/src/main.rs b/tools/scsi_decrypter/src/main.rs
index b6e5dd9..3bddd42 100644
--- a/tools/scsi_decrypter/src/main.rs
+++ b/tools/scsi_decrypter/src/main.rs
@@ -29,7 +29,7 @@ fn main() -> Result<(), Box> {
 .arg("44")
 .arg("/dev/sdc")
 .arg("c6")
- .arg("96")
+ .arg("98")
 .arg("01")
 .arg(CODE_ADDR[0])
 .arg(CODE_ADDR[1])
@@ -69,7 +69,7 @@ fn main() -> Result<(), Box> {
 .arg(&format!("{}", CHUNK_SIZE))
 .arg("/dev/sdc")
 .arg("c6")
- .arg("96")
+ .arg("98")
 .arg("01")
 .arg(INPUT_ADDR[0])
 .arg(INPUT_ADDR[1])
@@ -86,7 +86,7 @@ fn main() -> Result<(), Box> {
 .stderr(Stdio::null())
 .arg("/dev/sdc")
 .arg("c6")
- .arg("96")
+ .arg("98")
 .arg("03")
 .arg(CALL_ADDR[0])
 .arg(CALL_ADDR[1])
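Review bot: The N7G impl now pairs a base `BUILDCHAR_OVERWRITE_ADDR` (`0x0819_0000`) with a non-zero `BUILDCHAR_WRITE_OFFSET` (`0xc1d6`) where the old values were a direct address and offset `0`, but nothing in the hunk says how the two combine or why splitting them avoids the crash named in the commit subject. Suggest a doc comment on `BUILDCHAR_OVERWRITE_ADDR` in this impl recording that relationship and the reason for the change, since the next reader will otherwise compare these two constants against the other `ExploitConfig` impls with no context. The trait definition and its other impls are outside the hunk.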
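Review bot: The `"96"` → `"98"` edit is a string literal repeated in four hunks of `tools/scsi_decrypter/src/main.rs` (at 29, 69, 86 and 107) and once more in `tools/scsi_dumper/src/main.rs` (at 35), which is exactly the drift the subject line describes; one constant per tool (or a shared module), e.g. `const SUBCMD: &str = "98";` (name constructed) used as `.arg(SUBCMD)`, would keep every invocation in step the next time the value moves. The decrypter already does this for the address bytes through `CODE_ADDR`, `INPUT_ADDR` and `CALL_ADDR`, so the pattern is established in the file. Each `main` starts and ends outside its hunk.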
@@ -107,7 +107,7 @@ fn main() -> Result<(), Box> {
 .arg(&format!("{}", CHUNK_SIZE))
 .arg("/dev/sdc")
 .arg("c6")
- .arg("96")
+ .arg("98")
 .arg("02")
 .arg(INPUT_ADDR[0])
 .arg(INPUT_ADDR[1])
diff --git a/tools/scsi_dumper/src/main.rs b/tools/scsi_dumper/src/main.rs
index 0819e6d..1b099f7 100644
--- a/tools/scsi_dumper/src/main.rs
+++ b/tools/scsi_dumper/src/main.rs
@@ -35,7 +35,7 @@ fn main() -> Result<(), Box> {
 .arg("-v")
 .arg("/dev/sdc")
 .arg("c6")
- .arg("96")
+ .arg("98")
 .arg("02")
 .arg(&format!("{:02x}", b[0]))
 .arg(&format!("{:02x}", b[1]))
From d364c0eb60edd3cd4900b37d283820982d2d6834 Mon Sep 17 00:00:00 2001
From: ninjaprawn <4337909+ninjaprawn@users.noreply.github.com>
Date: Thu, 10 Jul 2025 19:43:45 +1000
Subject: [PATCH 4/4] Update comments for aes function structure
---
 decrypt_shellcode/src/main.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/decrypt_shellcode/src/main.rs b/decrypt_shellcode/src/main.rs
index 1402001..c70d4b7 100644
--- a/decrypt_shellcode/src/main.rs
+++ b/decrypt_shellcode/src/main.rs
@@ -18,17 +18,17 @@ pub extern "C" fn custom_handler() {
 let input = 0x08492a50 as *mut u8; // n6g
- let aes_func = unsafe { core::mem::transmute::(0x0822215c | 1) };
+ let aes_func = unsafe { core::mem::transmute::(0x0822215c | 1) }; // n7g
- let aes_func = unsafe { core::mem::transmute::(0x0841140c | 1) };
+ let aes_func = unsafe { core::mem::transmute::(0x0841140c | 1) };
 aes_func(
 0, /* Decrypt*/
 1, /* global key */
- core::ptr::null_mut(), /* no IV */
+ core::ptr::null_mut(), /* no user-specified key */
 input, /* In-place decrypt */
 input,
 512, /* Size*/
- 0 /* flags? */
+ core::ptr::null_mut() /* IV buffer */
 );
 }
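Review bot: The two `let aes_func = unsafe { core::mem::transmute::…(…) }` bindings (the n6g one followed by the n7g one) are both live in this hunk, so the first is shadowed immediately and never called unless something outside the hunk selects between them; if that is intended, a `#[cfg(...)]` on each or a single binding chosen by device would make it explicit and silence the resulting `unused_variables` warning. Neither `unsafe` block carries a `// SAFETY:` comment; since this commit re-documents the callee's arguments, state the contract there too, e.g. `// SAFETY: <address> is the device's AES routine with the signature given in the turbofish; argument meanings are documented on the call below.` with the real address substituted. The turbofish type parameter is not visible in this rendering, so the actual signature change cannot be reviewed here, and `/* Decrypt*/` and `/* Size*/` still lack the space before `*/`. `custom_handler` starts outside the hunk.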