De Rebus Antiquis

Here is a detailed writeup about exploiting the recursive stack overflow bug in iBoot-1940.x.15~2 and prior. This is most likely a core dump of my brain: all the knowledge I have gathered about that specific vulnerability since Xerub published it in 2018. The following writeup is intended as a companion to his original work (also known in the community as De Rebus Antiquis). It is not going to repeat the analysis that is already written there, but instead gives some technical background around it and covers post-exploitation in more depth.


Warning: Some parts of this writeup involve low-level components that hold information critical for the device to work properly. A simple mistake can permanently brick the device, making it completely useless. Do not try to exploit this bug on a fixed firmware version; it will not work and will result in a bootloop.


No warranties given. Follow this guide at your own risk; you are on your own.


List of contents

Introduction


Credits/Thanks to

@xerub for the discovery and his original writeup of the exploit, as well as the awesome name for it!

@dora2ios, who explained a lot to me about iloader and the exploit itself.

@nyan_satan for helpful advice on some ARM assembly details.