This seems to be an ancient bug; it looks like it is there on firmwares that can be jailbroken by other means.
So in theory it's possible to send the lipc directly, but in practice the semicolon is a problem.
There seem to be two ways to get to the vulnerable area:
1. The language tag would be "zh-Hans-CN;"
Code:
module_langpicker_utilChangeLocale(param_3,pcVar9);
pcVar9 = (char *)module_langpicker_utilGetLocaleLangTag(param_3,pcVar9);
if ((*(int *)(param_3 + 8) != 0) &&
    (pcVar10 = strstr("zh-Hans-CN;",pcVar9), pcVar10 != (char *)0x0)) {
    module_langpicker_utilDeleteExtraDictionaries(param_3,pcVar9);
}
It's possible to set "zh-Hans-CN", but without the semicolon.
Does anyone know where the locale tag comes from?
In the code, param_3 is "UserData", which seems to be set when registering the Lipc handler - but that doesn't happen in this module?
2. After a factory reset?
Code:
pcVar10 = strstr(__haystack,"-x-");
pcVar4 = strstr(__haystack,"-tut_inst-");
if (pcVar10 == (char *)0x0) {
    if (pcVar4 == (char *)0x0) {
        strcpy(pcVar9,__haystack);
        iVar6 = 0;
    }
...
iVar5 = module_langpicker_utilDoesFileExist("/var/local/system/locale");
if (iVar5 == 0) {
    if (iVar6 == 0) {
        iVar6 = module_langpicker_utilDoesFileExist("/var/local/system/factory_fresh");
        if (iVar6 == 0) {
            if ((g_blanket_llog_mask & 0x800000) != 0) {
                __syslog_chk(5,1,
                    "I langpicker:LANGPICKER:Skipping dictionary and font deletion:First Boot file found"
                    );
            }
        }
        else {
            strncpy(acStack_64,pcVar9,0x31);
            local_33 = 0;
            module_langpicker_utilDeleteExtraDictionaries(param_3,pcVar9);
            module_langpicker_utilDeleteExtraContentPacks(param_3,acStack_64);
        }
    }
The only way for "/var/local/system/locale" and "/var/local/system/factory_fresh" to not exist seems to be running the OOBE code.
However, the factory reset is a problem, because that would wipe the user-store partition!
Maybe there's a way to enable usb-storage before selecting the language?