A pretty in-depth look at the progress of the 2G Jailbreak

Discussion in 'iPod touch' started by Joe Rossignol, Dec 5, 2008.

  1. Joe Rossignol

    Joe Rossignol Community Manager Staff Member

    Joined:
    Jan 9, 2008
    Messages:
    11,500
    Likes Received:
    1,268
    Device:
    iPhone 5 (Black)
    I posted a pretty in-depth post about the progress of the 2nd-gen (2G) iPod touch jailbreak, which is on Hack the iPod touch: here.

    Please comment on the actual post over there, but here too!

  2. jfb392

    jfb392 New Member

    Joined:
    Oct 20, 2007
    Messages:
    2,512
    Likes Received:
    21
    Device:
    iPod touch
    After reading the article, I'd like to point out a mistake, if you don't mind.
    The Dev Team is able to communicate with the 2G, as is anyone else.
    It uses the DFU mode with a different product identifier, but that's about it.
    The problem that they have is that the exploit used for Pwnage (the DFU bootrom certificate checking bug that allowed unsigned images to be flashed) is now completely gone, as is 8900 file parsing (the container used by the S5L8900x to provide encryption for critical files included in software updates; it wraps an Img2 or Img3 most of the time, but 8900 files are also found alone).
    This means that old files cannot be sent to the device and exploited (such as through the diags command that is used to execute unsigned code at any address in the NOR, so you could send an unsigned file that is modified and use diags to strap it).
  3. GrooveMachine

    GrooveMachine Active Member

    Joined:
    Dec 27, 2007
    Messages:
    1,741
    Likes Received:
    11
    Device:
    iPod touch
    "The updates that they have posted make me more confident that they’re not a hoax, and they’re actually going to pull through on this one."

    Chronic Dev is not a hoax. Chronic's on the #xpwn IRC all the time, as well as several private-access rooms. He's definitely working on this.
  4. dyeung

    dyeung New Member

    Joined:
    Sep 9, 2008
    Messages:
    75
    Likes Received:
    0
    When/if Chronic does JB the 2G, how much of the progress of the 1G JB and apps will be seen on the 2G? Basically what I am asking is: is the 2G a clean slate, starting from scratch for everything?

    I've been reading about the 2G JB since getting it, and I don't think this has been asked yet, or at least not as regularly as "Is there a 2G JB yet?!?!?"

    So any answer is appreciated. Thanks
  5. iblackwind

    iblackwind New Member

    Joined:
    Sep 3, 2008
    Messages:
    142
    Likes Received:
    0
    Device:
    2G iPod touch

    The answer to your question is yes! Nothing is perfect, so there ought to be an exploit soon, and then tada, JB. Just have to sit it out.
  6. King Chronic

    King Chronic New Member

    Joined:
    Mar 17, 2008
    Messages:
    687
    Likes Received:
    0
    Device:
    iPhone 3GS (Black)
    Hey, that icon at the beginning of the article looks oddly familiar...from some kind of tool...some kind of tool that...did something to iPSWs...oh well

    Anyway, here are a few things:
    - It is a clean slate, in a sense. Dev never released a client to communicate with dfu.20, since that was obviously new, or the recovery mode protocol of 2.*, but I guess that is different because they were saying that was 'cmw's thing'. So once it was realized that we needed to be able to do this if we even wanted to think about jailbreaking the device, tom3q and wEsTbAeR-- went at it. Over the course of something like three days, huge progress was made, and eventually we had a client that could have a two-way interactive session with iBoot, the iPod / iPhone bootloader, or if that sounds confusing, think of it like the BIOS on your computer.

    - Above, jfb is almost right. You see, in older iBoot revisions, the diags command would jump straight to any parameter you gave it and start executing code there, with no checks or anything. So you could just use mw to write a small amount of code to 0x9000000, or if it was a patched iBoot you wanted to strap, you would just send it to 0x9000000, and from there you would just type "diags 0x9000000" and it would execute the code there. Now, in 2.*, there is a permission + range check in place, so if you do not have a provisioned engineering / debug device that they have locked up at Apple HQ, then you cannot use diags.

    - The exploit used for the iPhone / iPhone 3G / iPod touch 1G was a stack overflow when parsing the 8900 certificates. The exploit was not something that just let them go unsigned for no reason; they had to actually exploit it with the right amount of padding, and it seems LR was rewritten to a return address that is somewhere within the secure bootloader. The only reason it worked was because the bootrom cannot be reflashed, as it is in hardware, so when the iPhone came out, 8900 was the first format it knew, and Apple didn't have time to adapt the new iPhone 3G bootrom to IMG3 yet I guess, so that is why it could not be fixed and why it is firmware-upgrade resistant.
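
    The 8900 container jfb392 describes in post 2 and the certificate-parsing stack overflow King Chronic describes above, as an added illustration that is not code from this thread, the Dev Team or Chronic Dev: a bounds-checked 8900 header parser beside a simulated unchecked certificate copy, so the failure mode (a header-supplied certificate length running past a fixed buffer into the saved return address) can be seen on constructed input. The field offsets follow the layout of xpwn's Apple8900Header struct and footer offsets are taken relative to the payload start (both assumptions of this example, not verified against the bootrom); the 64-byte buffer, the simulated frame layout and all sample images are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 8900 header layout, following the field order of xpwn's Apple8900Header
 * (an assumption of this illustration). The header is 0x800 bytes, integers
 * are little-endian, and footer offsets are relative to the payload start. */
#define HDR_LEN      0x800
#define OFF_FORMAT   0x07   /* 0x03 = encrypted payload, 0x04 = plain boot image */
#define OFF_DATA_LEN 0x0C
#define OFF_SIG_OFF  0x10
#define OFF_CERT_OFF 0x14
#define OFF_CERT_LEN 0x18
#define OFF_EPOCH    0x3E
#define SIG_LEN      0x80
#define CERT_BUF     64     /* assumed size of the fixed on-stack certificate buffer */

enum { OK = 0, E_SHORT = -1, E_MAGIC = -2, E_FORMAT = -3, E_BOUNDS = -4, E_CERTLEN = -5 };

struct img8900 {
    uint8_t format; uint16_t epoch;
    uint32_t data_len, sig_off, cert_off, cert_len;
    const uint8_t *payload;
};

static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Hardened parse: every footer offset/length is checked against the real file
 * size in 64-bit arithmetic, so a 32-bit wrap cannot place a pointer past the end,
 * and the certificate must fit the fixed buffer before anything is copied. */
int parse_8900(const uint8_t *buf, size_t len, struct img8900 *out)
{
    if (len < HDR_LEN) return E_SHORT;
    if (memcmp(buf, "8900", 4) != 0 || memcmp(buf + 4, "1.0", 3) != 0) return E_MAGIC;
    out->format = buf[OFF_FORMAT];
    if (out->format != 0x03 && out->format != 0x04) return E_FORMAT;
    out->data_len = le32(buf + OFF_DATA_LEN);
    out->sig_off  = le32(buf + OFF_SIG_OFF);
    out->cert_off = le32(buf + OFF_CERT_OFF);
    out->cert_len = le32(buf + OFF_CERT_LEN);
    out->epoch    = (uint16_t)(buf[OFF_EPOCH] | buf[OFF_EPOCH + 1] << 8);
    uint64_t avail = (uint64_t)len - HDR_LEN;               /* bytes after the header */
    if ((uint64_t)out->data_len > avail) return E_BOUNDS;
    if ((uint64_t)out->sig_off + SIG_LEN > avail) return E_BOUNDS;
    if ((uint64_t)out->cert_off + out->cert_len > avail) return E_BOUNDS;
    if (out->cert_len > CERT_BUF) return E_CERTLEN;         /* the check the copy below lacks */
    out->payload = buf + HDR_LEN;
    return OK;
}

/* Simulated stack frame of an unchecked certificate copy: the fixed buffer is
 * directly followed by the saved return address. Constructed for the
 * illustration; not the bootrom's real frame layout. */
struct sim_frame { uint8_t cert[CERT_BUF]; uint32_t saved_lr; };

/* Copies cert_len header-supplied bytes with no length check and returns what
 * saved_lr holds afterwards. The copy is clamped to the frame only so the
 * simulation itself stays in bounds; the real bug has no such clamp. */
uint32_t unchecked_cert_copy(const uint8_t *cert, uint32_t cert_len)
{
    struct sim_frame f;
    uint8_t *raw = (uint8_t *)&f;
    f.saved_lr = 0x20000000u;                               /* constructed "legitimate" LR */
    size_t n = cert_len > sizeof f ? sizeof f : cert_len;
    for (size_t i = 0; i < n; i++) raw[i] = cert[i];       /* runs past cert[] into saved_lr */
    return f.saved_lr;
}

/* Builds a constructed 8900 file: header, data_len bytes of payload, a signature
 * slot, then cert_real bytes of 'A'. The cert_off/cert_len header fields are
 * written exactly as given, so a caller can make the header lie. */
size_t build_8900(uint8_t *out, size_t cap, uint32_t data_len,
                  uint32_t cert_off, uint32_t cert_len, uint32_t cert_real)
{
    size_t total = (size_t)HDR_LEN + data_len + SIG_LEN + cert_real;
    if (total > cap) return 0;
    memset(out, 0, total);
    memcpy(out, "8900", 4); memcpy(out + 4, "1.0", 3);
    out[OFF_FORMAT] = 0x04;
    put32(out + 8, 1);
    put32(out + OFF_DATA_LEN, data_len);
    put32(out + OFF_SIG_OFF, data_len);                      /* signature follows the payload */
    put32(out + OFF_CERT_OFF, cert_off);
    put32(out + OFF_CERT_LEN, cert_len);
    out[OFF_EPOCH] = 0x02;                                  /* constructed epoch value */
    memset(out + HDR_LEN, 0xAA, data_len);
    memset(out + HDR_LEN + data_len + SIG_LEN, 'A', cert_real);
    return total;
}

static uint8_t g_img[0x1000];   /* scratch for the constructed images */

/* Builds an image with a 0x100-byte payload and parses it; the caller picks what
 * the header claims about the certificate versus what is really in the file. */
static int build_and_parse(uint32_t cert_off, uint32_t cert_len, uint32_t cert_real)
{
    struct img8900 h;
    size_t n = build_8900(g_img, sizeof g_img, 0x100, cert_off, cert_len, cert_real);
    return n ? parse_8900(g_img, n, &h) : E_SHORT;
}
int scenario_honest(void)    { return build_and_parse(0x100 + SIG_LEN, 0x40, 0x40); }      /* OK */
int scenario_overlong(void)  { return build_and_parse(0x100 + SIG_LEN, 0x1000, 0x40); }    /* E_BOUNDS: claims more cert than the file holds */
int scenario_wrap(void)      { return build_and_parse(0xFFFFFFF0u, 0x20, 0x40); }          /* E_BOUNDS: off+len wraps to 0x10 in 32 bits */
int scenario_oversized(void) { return build_and_parse(0x100 + SIG_LEN, CERT_BUF + 4, CERT_BUF + 4); } /* E_CERTLEN */
/* Same oversized certificate fed to the unchecked copy: the 4 bytes past the buffer land in saved_lr. */
uint32_t scenario_unchecked_lr(void)
{
    size_t n = build_8900(g_img, sizeof g_img, 0x100, 0x100 + SIG_LEN, CERT_BUF + 4, CERT_BUF + 4);
    return n ? unchecked_cert_copy(g_img + HDR_LEN + 0x100 + SIG_LEN, CERT_BUF + 4) : 0;  /* 0x41414141 */
}

int main(void)
{
    printf("honest=%d overlong=%d wrap=%d oversized=%d unchecked_lr=0x%08x\n", scenario_honest(),
           scenario_overlong(), scenario_wrap(), scenario_oversized(), scenario_unchecked_lr());
    return 0;
}
```

    The two length checks in parse_8900 are the point: the bounds check keeps the parser from reading outside the file, and the CERT_BUF check is the one that turns the overflow King Chronic describes into a clean rejection. The wrap scenario shows why the arithmetic is done in 64 bits; in 32-bit arithmetic 0xFFFFFFF0 + 0x20 is 0x10 and would pass a naive "offset + length <= size" test.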
  7. Joe Rossignol

    Joe Rossignol Community Manager Staff Member

    Joined:
    Jan 9, 2008
    Messages:
    11,500
    Likes Received:
    1,268
    Device:
    iPhone 5 (Black)
    Thanks King Chronic! I've added some of those comments you made as quotes into the article, and tried to fix it up so it makes better sense. I'm not on the technical side of the jailbreak, so you providing info like this really helps.

    EDIT: If you had a better icon I could use, I definitely would.
  8. murphmanny

    murphmanny Banned

    Joined:
    Sep 19, 2007
    Messages:
    5,250
    Likes Received:
    3
    Thank you,
    you clarified many things,
    and thanks to King Chronic too,
    for working hard on this.
  9. joshpowell

    joshpowell New Member

    Joined:
    May 17, 2008
    Messages:
    27
    Likes Received:
    0
    Device:
    2G iPod touch
    *fingers crossed*

    Kudos to everybody for their hard work on this

  10. King Chronic

    King Chronic New Member

    Joined:
    Mar 17, 2008
    Messages:
    687
    Likes Received:
    0
    Device:
    iPhone 3GS (Black)
    the old devices use s5l8900x

    the reason the new iPod Touch cannot get those is because it is on the s5l8720x processor with a new bootrom