From 865f1e54a6266bdcf083d055e117640b6a807757 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Thu, 2 Feb 2012 23:36:25 +0100
Subject: add --pwn option to put a limera1n device into pwned dfu mode

---
 src/common.h | 1 +
 src/idevicerestore.c | 35 +++++++++++++++++++++++++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)
 (limited to 'src')

diff --git a/src/common.h b/src/common.h
index 988245c..d710e69 100644
--- a/src/common.h
+++ b/src/common.h
@@ -91,6 +91,7 @@ extern "C" {
 #define FLAG_ERASE 4
 #define FLAG_CUSTOM 8
 #define FLAG_EXCLUDE 16
+#define FLAG_PWN 32
 
 extern int use_apple_server;
 
diff --git a/src/idevicerestore.c b/src/idevicerestore.c
index ca3c94c..912f25e 100644
--- a/src/idevicerestore.c
+++ b/src/idevicerestore.c
@@ -50,6 +50,7 @@ static struct option longopts[] = {
 	{ "cydia", no_argument, NULL, 's' },
 	{ "exclude", no_argument, NULL, 'x' },
 	{ "shsh", no_argument, NULL, 't' },
+	{ "pwn", no_argument, NULL, 'p' },
 	{ NULL, 0, NULL, 0 }
 };
 
@@ -65,6 +66,7 @@ void usage(int argc, char* argv[]) {
 	printf(" -s, --cydia\t\tuse Cydia's signature service instead of Apple's\n");
 	printf(" -x, --exclude\t\texclude nor/baseband upgrade\n");
 	printf(" -t, --shsh\t\tfetch TSS record and save to .shsh file, then exit\n");
+	printf(" -p, --pwn\t\tPut device in pwned DFU state and exit (limera1n devices only)\n");
 	printf("\n");
 }
 
@@ -86,7 +88,7 @@ int main(int argc, char* argv[]) {
 	}
 	memset(client, '\0', sizeof(struct idevicerestore_client_t));
 
-	while ((opt = getopt_long(argc, argv, "dhcesxtu:", longopts, &optindex)) > 0) {
+	while ((opt = getopt_long(argc, argv, "dhcesxtpu:", longopts, &optindex)) > 0) {
 		switch (opt) {
 		case 'h':
 			usage(argc, argv);
@@ -120,13 +122,17 @@ int main(int argc, char* argv[]) {
 			shsh_only = 1;
 			break;
 
+		case 'p':
+			client->flags |= FLAG_PWN;
+			break;
+
 		default:
 			usage(argc, argv);
 			return -1;
 		}
 	}
 
-	if ((argc-optind) == 1) {
+	if (((argc-optind) == 1) || (client->flags & FLAG_PWN)) {
 		argc -= optind;
 		argv += optind;
 
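Review bot: The new help text in usage() starts with a capital `Put` while every neighbouring option description starts lowercase (`use`, `exclude`, `fetch`), so the option list no longer reads uniformly. Keep the casing consistent: `printf(" -p, --pwn\t\tput device into pwned DFU state and exit (limera1n devices only)\n");`. usage() begins before this hunk.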
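Review bot: Folding `--pwn` into the one-argument check lets that branch run with `argc-optind == 0`, so after `argc -= optind; argv += optind;` any read of `argv[0]` on the following lines is a read of `argv[argc]`, which is NULL rather than an IPSW path; the statements after `argv += optind` and the rest of main() are outside this hunk, so I cannot see whether the path is consumed unconditionally there, but that is how this branch looked before the change. Since the pwn path never needs an IPSW, give it its own case instead of widening the existing one: `if (client->flags & FLAG_PWN) { argc -= optind; argv += optind; } else if ((argc-optind) == 1) { /* existing ipsw handling */ }` and keep any `argv[0]` use inside the second branch. The widened condition also accepts `--pwn` together with one or more stray positional arguments, which presumably fell through to the usage() path before.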
@@ -158,6 +164,31 @@ int main(int argc, char* argv[]) {
 	}
 	info("Identified device as %s\n", client->device->product);
 
+	if ((client->flags & FLAG_PWN) && (client->mode->index != MODE_DFU)) {
+		error("ERROR: you need to put your device into DFU mode to pwn it.\n");
+		return -1;
+	}
+
+	if (client->flags & FLAG_PWN) {
+		recovery_client_free(client);
+
+		info("connecting to DFU\n");
+		if (dfu_client_new(client) < 0) {
+			return -1;
+		}
+		info("exploiting with limera1n...\n");
+		// TODO: check for non-limera1n device and fail
+		if (limera1n_exploit(client->device, client->dfu->client) != 0) {
+			error("ERROR: limera1n exploit failed\n");
+			dfu_client_free(client);
+			return -1;
+		}
+		dfu_client_free(client);
+		info("Device should be in pwned DFU state now.\n");
+
+		return 0;
+	}
+
 	if (client->mode->index == MODE_RESTORE) {
 		if (restore_reboot(client) < 0) {
 			error("ERROR: Unable to exit restore mode\n");
-- 
cgit v1.1-32-gdbae
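Review bot: The `// TODO: check for non-limera1n device and fail` line marks the real gap: the only gate before `limera1n_exploit()` is that the attached device enumerates in DFU mode, so any non-vulnerable or simply wrong DFU device that happens to be plugged in gets the exploit payload sent at it, with whatever effect that has on that hardware. Resolve the check before shipping the option: the device has already been identified (`info("Identified device as %s\n", client->device->product)` above), so test that entry against the known limera1n-vulnerable set and bail out with an explicit message such as `error("ERROR: %s is not a limera1n device\n", client->device->product); return -1;` — whether `client->device` carries a chip id or only the product string is not visible in this hunk. Two smaller points: the two `FLAG_PWN` tests could be one block with the DFU-mode check inside it, and `info("Device should be in pwned DFU state now.\n")` is printed without any confirmation — if the DFU client can re-enumerate the device after the exploit, report the observed state instead of "should". main() begins and ends outside this hunk.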