Hi there. I was thinking about apps which patch the System Menu in RAM and then load the patched version, and was wondering, would the same principle be applicable to IOS? For example, an app is run via bannerbomb (to have extra permissions over launching via HBC) which patches Trucha Bug, ES_DiVerify (ES_Identify) and NAND permissions into IOS36 in RAM then reloads to that IOS and allows you to do anything requiring those exploits (e.g. install Priiloader etc.) without ever installing a patched IOS to NAND? Or is only the System Menu binary accessible when identified as System Menu (i.e. launched via bannerbomb)? If the later is the case, is this idea possible at all, even if you would need a patched IOS installed (if you only want one one patched IOS, but need to load an app with another patched IOS)? Thanks if anyone can answer my questions.
when you launch an app from bannerbomb, it is running on the PPC. it has no access to the memory which IOS is running in except for the share stuff the ARM and PPC use to talk back and forth. it would have to somehow exploit the IOS using IPC calls across the shared memory to get the current running IOS to execute code that is not actually part of the IOS. once you have a way to access the memory which you are not supposed to be able to access, you can find what part of the IOS you want to change and directly patch the currently running IOS to let you do stuff that you are not supposed to be able to do. the STM release exploit explained on the hackmii blog is an example of this. i assume riivolution uses something like this as well.
I'm assuming the STM release exploit is fixed now? I did try to read that post a while back, but it confused me.
