[Idea] Approach for Jailbreaking 2G iPod Touch? (This is NOT a Jailbreak or a request)

Discussion in 'iPod touch' started by ZhiZhi778, Oct 8, 2008.

  1. ZhiZhi778

    ZhiZhi778 Member

    Joined:
    Jan 20, 2008
    Messages:
    936
    Likes Received:
    2
    Device:
    iPhone 3G (Black)
    Hi guys,
    Today I got an idea for how you could also try to get two-way communication with the iPod Touch 2nd Generation. It's just an idea, and I need a person who has both the 1G and the 2G for testing:

    I have found that if you sync a jailbroken iPod Touch (1G), iTunes will do a backup of some files. I don't know exactly which files are being backed up, but I think first of all the whole /var/mobile/ directory and also the settings!

    I also heard about some functions (Settings.app, for example the option to deactivate autocorrection) being transferred over to a freshly restored iPod from iTunes!

    So just put some prepared code/files on your jailbroken 2.x iPod Touch 1G and let it back up. After that, restore the 2G with iTunes and also restore the backup from the 1G...

    Now the dev teams would have to continue from this point (if this way works... I'm not sure) and perhaps find an exploit to get some special files/code transferred (remember the settings taken over by iTunes) to get the 2G Touch to accept two-way communication.

    -------------------------
    Do you think this can work? Perhaps someone can test it out?

    Feedback and questions are welcome.

  2. King Chronic

    King Chronic New Member

    Joined:
    Mar 17, 2008
    Messages:
    687
    Likes Received:
    0
    Device:
    iPhone 3GS (Black)
    1. We HAVE two-way communication with iRecovery. That has been established numerous times, so sorry if I come off as harsh.

    2. With backups, it is not custom stuff; it is stuff built into SpringBoard, and that stuff is on the media partition, which we can access anyway. The point is, you cannot touch the Preferences.app file.

    3. Even if you could, the kernel will immediately kill any unsigned code. Things are different in 2.*, you know.
  3. Jikoo

    Jikoo New Member

    Joined:
    Apr 5, 2008
    Messages:
    1,014
    Likes Received:
    0
    Good idea, but it's a bit un-dev-team-ish.
  4. ZhiZhi778

    ZhiZhi778 Member

    Joined:
    Jan 20, 2008
    Messages:
    936
    Likes Received:
    2
    Device:
    iPhone 3G (Black)
    Yes,
    1. We've only got two-way communication with the bootloader. That's easy 'cuz it didn't change a lot in the 2G, but we need the usual two-way connection to put a custom firmware on it.

    2. I dunno if that's a bug in iTunes or not, 'cuz I experienced, as mentioned above, that some custom stuff was also taken over to the freshly restored iPod Touch.

    3. Yes, I know that the kernel will. I thought that you could try to use this small bug (and perhaps unleash its real power??? I don't really believe it, but who knows), because the only thing the dev teams want is to find an exploit for the processor, and why not this way?
  5. Ryan

    Ryan Well-Known Member

    Joined:
    Jan 19, 2008
    Messages:
    4,129
    Likes Received:
    28
    Device:
    Nexus 4
    Because the processor allows the device to run unsigned firmware and not just unlock the filesystem.
  6. glitchbit

    glitchbit New Member

    Joined:
    Sep 11, 2008
    Messages:
    45
    Likes Received:
    0
    Basically it goes like this: in OS X you can change the Genie effect of the Dock via Terminal commands so that it will change the effect to undocumented ones. That was already built into the system.

    So likewise when you have changed these hidden but already built in settings you are basically only transferring stuff over that was already a capability built into the system.

    The only way you could possibly do any good using this method would be to know the Apple programs intimately enough to change some hidden setting in one of their built-in applications (ones that have not been discovered), but even at that it would not change the fact that you are running at such a low permission level that you will not be in a very useful position.

    Basically, it is probably highly doubtful that any combination of hidden settings changes would result in something that is exploitable. If it would, then Apple is very stupid; there is no reason to leave in dormant things that could leave it open to an exploit.

    Maybe I am off the mark; after all, I am not an expert at any of this... atm
  7. ZhiZhi778

    ZhiZhi778 Member

    Joined:
    Jan 20, 2008
    Messages:
    936
    Likes Received:
    2
    Device:
    iPhone 3G (Black)
    Hm... but why shouldn't Apple do that? In the first weeks of firmware 2.x Apple also said nothing about the "kill-switch" function, until the users/magazines found it...

    The kill-switch is also a kind of exploit, isn't it? Perhaps Apple has integrated more, until now unknown, vulnerabilities, for example for their own issues?

    I'm also not an expert, but perhaps there is an expert @IPTF?
  8. King Chronic

    King Chronic New Member

    Joined:
    Mar 17, 2008
    Messages:
    687
    Likes Received:
    0
    Device:
    iPhone 3GS (Black)
    This man is absolutely right. They are just leftover preferences. Preferences.app is untouched. It is kind of like how if you restore from a backup it will restore your brightness / ringtone, only they are already built in yet undocumented features.

    This is at the dude saying we don't have two-way communication; I don't feel like looking up your name:
    No. You have no idea what you are talking about. Communicating with the bootloader of the new iPod Touch (iBoot) is NOT something where you can just change a few lines of code and BAM. No. NOT like that. The new proctool is way different from the old one. If you have USED iRecovery, you would know it gives you two-way communication. Some way, somehow, you have 'two-way communication' confused with 'exploit', which doesn't make sense whatsoever, but that is beside the point. Basically, look at it like this:
    [----exploit-loader-(iRecovery)----| exploit |----nor file decryption---|----patch-nor-files----|----pwnage----]
    Imagine it like a race track, but the 'exploit' place is a brick wall. You cannot get to Pwnage with a brick wall in your face, and you can't just climb over it, because that is a semi-bad analogy.

    Oh, and in case anyone was worried about my progress analogy above looking longer, that is only what WE have to do. You, the end user, do this:
    [---loader---|---exploit---|---pwned---]
    Which would be done with an automated program, such as a new homebrew version of QuickPwn (since QuickPwn is closed source, we would have to make our own implementation, but that is OK).
  9. ZhiZhi778

    ZhiZhi778 Member

    Joined:
    Jan 20, 2008
    Messages:
    936
    Likes Received:
    2
    Device:
    iPhone 3G (Black)
    @King Chronic:
    Thanks for your explanation of the whole process. No, I really had no idea before I read your post, and all my explanations were based on things which I read in the IPTF forums...
    But now I know the real structure of pwnage.

    Yes, with "exploit" I meant the brick wall or whatever you want to call it. I meant that the dev teams will have to find a way to transfer the pwned files to the 2G iPod Touch. I did not know about the need for decrypting NOR files...

    OK, then my whole idea is crap, hm...
    OK, but keep up your good work with the pwnage process.

    (btw, I already used iRecovery)
  10. glitchbit

    glitchbit New Member

    Joined:
    Sep 11, 2008
    Messages:
    45
    Likes Received:
    0
    There are a ton of functions the iPhone/Touch has that we do not even know about, and there are plenty of good reasons for this other than that Apple does not want programs running in the background or interacting with their applications, music and data.

    When you give developers an SDK you are basically saying, "here are the functions that we are going to allow you to use when coding your applications for our device." Any other functions are not allowed, not just because of paranoid control, but because some of it relates to ensuring the stability of the device and the fact that they may have plans to change or remove certain functions altogether at a later date, which would undoubtedly break programs.

    Regarding the kill-switch, that is not an exploit, because an exploit is not something purposely built into any device (unless you have some really crummy and untrustworthy programmer). Also, why would Apple publicize the kill-switch? It obviously would not sell more iPods, and Apple does not go around telling people about their secret functions and all they can do if they wanted to screw with you.

    While I don't consider myself an expert, I avidly try to keep up with the scene for whatever device I own... whether that is the PSone, PS2, Xbox, PSP, DS, Wii, Xbox 360, Apache PPC-6700... doesn't matter... if I own it then I pwn it =)
