Question Payload loader for iOS?

Discussion in 'Switch - Exploits, Custom Firmwares & Soft Mods' started by ElijahZAwesome, May 21, 2018.

  1. Dread_Pirate_PJ

    Dread_Pirate_PJ Advanced Member

    Newcomer
    2
    Feb 24, 2018
    United States
    Once you send the payload, you ask the Switch for the status with a control request with USB_REQ_GET_STATUS, with a ridiculously large length (0x7000). That is what smashes the stack. Check the last 5 lines of code of

    https://github.com/DavidBuchanan314/fusee-nano/blob/master/src/exploit.c

    and last 30 or so lines of

    https://github.com/DavidBuchanan314/fusee-nano/blob/master/src/usb.c
     
    Last edited by Dread_Pirate_PJ, Jun 2, 2018
    snoofly likes this.
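As an added illustration of the post above (not code from the thread or from fusee-nano): a small C check that decodes an 8-byte USB setup packet and flags a standard GET_STATUS request whose wLength exceeds the 2 bytes the USB specification defines for that reply, which is what the over-long request described here looks like on the wire. The sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* USB setup packet: 8 bytes, little-endian 16-bit fields (USB 2.0 chapter 9) */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

#define USB_REQ_GET_STATUS      0x00
#define GET_STATUS_EXPECTED_LEN 2      /* GET_STATUS always returns exactly 2 bytes */

/* Decode the raw 8 bytes into a setup struct */
usb_setup_t parse_setup(const uint8_t raw[8]) {
    usb_setup_t s;
    s.bmRequestType = raw[0];
    s.bRequest      = raw[1];
    s.wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    s.wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    s.wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
    return s;
}

/* Returns 1 when the packet is a device-to-host, standard-type GET_STATUS
 * asking for more than the 2 bytes the standard allows; 0 otherwise. */
int is_oversized_get_status(const uint8_t raw[8]) {
    usb_setup_t s = parse_setup(raw);
    int dir_in   = (s.bmRequestType & 0x80) != 0;   /* bit 7: device-to-host */
    int standard = (s.bmRequestType & 0x60) == 0;   /* bits 6..5: standard request */
    return dir_in && standard && s.bRequest == USB_REQ_GET_STATUS
        && s.wLength > GET_STATUS_EXPECTED_LEN;
}

/* Constructed samples: a normal GET_STATUS (wLength = 2), a GET_STATUS with
 * wLength = 0x7000 as mentioned in the post, and a vendor-type IN request
 * with the same length, which is not a standard GET_STATUS and is not flagged. */
const uint8_t SAMPLE_NORMAL[8]    = {0x80, 0x00, 0, 0, 0, 0, 0x02, 0x00};
const uint8_t SAMPLE_OVERSIZED[8] = {0x80, 0x00, 0, 0, 0, 0, 0x00, 0x70};
const uint8_t SAMPLE_VENDOR_IN[8] = {0xC0, 0x00, 0, 0, 0, 0, 0x00, 0x70};

int main(void) {
    printf("normal:    %d\n", is_oversized_get_status(SAMPLE_NORMAL));
    printf("oversized: %d\n", is_oversized_get_status(SAMPLE_OVERSIZED));
    printf("vendor in: %d\n", is_oversized_get_status(SAMPLE_VENDOR_IN));
    return 0;
}
```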
  2. JustBrandonT

    JustBrandonT Advanced Member

    Newcomer
    3
    Mar 11, 2018
    Canada
    I figured it out by writing a driver for OSX but for iOS, it only worked HALF the time (maybe I missed something).. In any case, I compiled libusb for iOS by modifying the OSTypes.h file and switching the project to compile for iphone-os release.

    Then I wrote a wrapper around libusb that does the same stuff my OSX driver does to send control properly over the usb port.. There's no IOCTL for iOS and OSX usb port apparently..

    So in any case.. I got it working on both platforms:

    I'll upload what I have later and someone else can make it look pretty or add logs or w/e.. or I'll do it when I have time. For now, enjoy the video.. I gotta head out for a few :D

    P.S. Sorry for the vertical vid. I was holding my phone sideways but I guess I screwed that up ={
     
    Last edited by JustBrandonT, Jun 3, 2018
    SpiffyJUNIOR, GyTe, ccprodigy and 8 others like this.
  3. Lil_SpazJoekp

    Lil_SpazJoekp Advanced Member

    Newcomer
    3
    Apr 11, 2018
    United States
    Awesome work! Can't wait to see the app. When you commit the changes, I will see what I can do to make it pretty! :D
     
  4. metaljay

    metaljay GBAtemp Fan

    Member
    6
    Jan 10, 2012
    Excellent work bro!
     
  5. Lil_SpazJoekp

    Lil_SpazJoekp Advanced Member

    Newcomer
    3
    Apr 11, 2018
    United States
    Okay. I have the ui mostly made. I'm just waiting on the code from you to start linking things together. This is starting to come together awesome. @Dread_Pirate_PJ have you made any progress?
     
  6. Dread_Pirate_PJ

    Dread_Pirate_PJ Advanced Member

    Newcomer
    2
    Feb 24, 2018
    United States
    I haven't worked on the UI, I'm waiting on the exploit code.
     
  7. Riky_Xerez

    Riky_Xerez Member

    Newcomer
    2
    Nov 20, 2014
    Thank you for it! Can you release the app please? It's time to buy a Lightning - USB C cable!
     
  8. JustBrandonT

    JustBrandonT Advanced Member

    Newcomer
    3
    Mar 11, 2018
    Canada
    I uploaded the code already. I have to put the code to generate a payload on the fly and that's all that's left. I redid the UI too.
    Right now it loads the exploit from a .bin file and uploads it. I'd rather make it generate the exploit like all the others. Should take about 5 minutes or so to write.


    https://github.com/Brandon-T/iOUSB/blob/master/iOSNXLauncher/NXLauncher.mm#L20

    That's about it. I made it in such a way that you just have to provide an interface and it'd work with any 3rd party library. The code uses lib-usb OR Apple's IOKit. The IOKit is buggy so I disabled it for now and I just use lib-usb. All you have to do is compile it. I mean.. I can compile an ipa and release it I guess..

    Again, I never tested it on an un-jailbroken iPhone. So don't go buying cables yet until I or someone else does test it. It's very likely that you'd have to jailbreak.
     
    Last edited by JustBrandonT, Jun 7, 2018
  9. z10m

    z10m Advanced Member

    Newcomer
    3
    Oct 26, 2009
    I can test it on jailed iPhone X.
    Got some lightning to usb c cables around.
     
  10. Lil_SpazJoekp

    Lil_SpazJoekp Advanced Member

    Newcomer
    3
    Apr 11, 2018
    United States
    I’ll test it with my X on iOS 12 dev beta 1 tomorrow
     
  11. Riky_Xerez

    Riky_Xerez Member

    Newcomer
    2
    Nov 20, 2014
    I would be grateful if you can compile an ipa and upload it to your GitHub. Thanks for it!
     
    Garlik82 and rishard10212 like this.
  12. Lil_SpazJoekp

    Lil_SpazJoekp Advanced Member

    Newcomer
    3
    Apr 11, 2018
    United States
    Okay so I guess I'm either retarded or missing something. I keep getting an error saying that libusb/libusb.h is not found when running it. I found a libusb.h file here https://github.com/libusb/libusb, added it and it still didn't work. Also I saw that libusb-1.0.0.dylib was missing so I used this one here: https://github.com/qmk/qmk_flasher/blob/master/dfu/libusb-1.0.0.dylib, added it and it's still not running. Is there something I'm doing wrong or am I just retarded?
     
  13. Dread_Pirate_PJ

    Dread_Pirate_PJ Advanced Member

    Newcomer
    2
    Feb 24, 2018
    United States
    The libusb-1.0.0.dylib has to be compiled for iOS. dylibs are used in Mac OS also, but a Mac OS compiled dylib won't work on an iOS device. You can't just grab it from some random GitHub project.

    The easiest way is to git clone the libusb repo and change the Xcode project to build for iOS, then build it.

    To fix the libusb/libusb.h issue, add the path of the libusb repo clone to Header prefix path in project settings.
     
    Last edited by Dread_Pirate_PJ, Jun 9, 2018
  14. Lil_SpazJoekp

    Lil_SpazJoekp Advanced Member

    Newcomer
    3
    Apr 11, 2018
    United States
    That's what I was just figuring out. I just didn't know what to do for building the libusb.
     
  15. Dread_Pirate_PJ

    Dread_Pirate_PJ Advanced Member

    Newcomer
    2
    Feb 24, 2018
    United States
    To build libusb for iOS, find the Xcode project in libusb/Xcode, select the libusb target, and change the Build settings.

    Base SDK - Latest iOS
    Supported Platforms - iOS
    Valid architectures - arm64 armv7 armv7s
     
  16. Lil_SpazJoekp

    Lil_SpazJoekp Advanced Member

    Newcomer
    3
    Apr 11, 2018
    United States
    Okay here's what I have.
    It builds successfully but I don't know where the file is spit out at.

    Also, thank you for helping. :D
     

  17. Dread_Pirate_PJ

    Dread_Pirate_PJ Advanced Member

    Newcomer
    2
    Feb 24, 2018
    United States
    In the Xcode project, scroll all the way down to Products in the navigator (the file/group tree on the left). Listed under Products are the different things you can build. Right click on libusb-1.0.0.dylib and select "Show in Finder". Then you can copy and paste the file wherever you need.
     
  18. Dread_Pirate_PJ

    Dread_Pirate_PJ Advanced Member

    Newcomer
    2
    Feb 24, 2018
    United States
    I was able to successfully build the latest copy of the project, but it seems the app can't detect that the Switch is in APX mode. Tapping "Reload" does nothing.

    I have a breakpoint in NXLauncher.mm line 41 and the devices array is empty.

    Maybe I have a bad build. @JustBrandonT can you post your ipa?
     
  19. GraFfiX420

    GraFfiX420 GBAtemp Fan

    Member
    8
    Oct 14, 2009
    United States
    Never really worked with Xcode, wtf?? I'm simply trying to move some headers etc to be included in the project and am having issues, lots of stuff missing from IOKit that I find elsewhere on my mac.
     
  20. kornychaos

    kornychaos Organized.

    Member
    5
    Jul 7, 2007
    United States
    It's hilarious to me to see the posts at the beginning of the thread that basically say - no: impossible - then argue about stock vs jailbroken iOS while still claiming it will never happen.. to skipping to the last page, within seven pages, and seeing that there is a functional payload being run from iOS. This is why people who don't know what they're talking about should probably stop commenting in the first place. Fantastic work @JustBrandonT.
     