iPhone 3G iPhone 3G S Jailbreak and Unlock -- "Soon" according to MuscleNerd

Discussion in 'iPhone' started by MacPwn, Jun 25, 2009.

  1. MacPwn

    MacPwn Banned

    Joined:
    Jun 9, 2009
    Messages:
    138
    Likes Received:
    0
    It seems as though there have been some new developments in the jailbreak scene. Apparently the 24kpwn exploit is still present in the iPhone 3G S bootrom, meaning the iPhone Dev Team and the Chronic Dev Team will be able to jailbreak/unlock the device soon.

    Here are the notes from the iPhone Dev Blog explaining where the exploit in the 3G S is:

    Code:
    # iPhone Dev Team notes
    # iPhone 3GS bootrom
    # 24Kpwn lives on!
    
    
    _start+112  44 49                       LDR     R1, =0x84024000
    _start+114  F8 22 D2 05                 MOVS    R2, 0x7C000000
    _start+118              max_llb_size = 0x24000
    _start+118  52 18                       ADDS    R2, R2, R1
    _start+118
    _start+11A
    _start+11A              loc_808                                 ; DATA XREF: sub_4AB0+DEo
    _start+11A                                                      ; ROM:off_4BCCo
    _start+11A              max_llb_size = R10
    _start+11A  92 46                       MOV     max_llb_size, R2
         . . . . .
         . . . . .
         . . . . .
         . . . . .
    _start+146
    _start+14A  48 E0                       B       handle_illb
    _start+14A
    _start+1DE
    _start+1DE              handle_illb                             ; CODE XREF: _start+14Aj
    _start+1DE              memz = R5
    _start+1DE  05 1C                       ADDS    memz, R0, #0
    _start+1DE
    _start+1E0
    _start+1E0              start_module_if_valid_memz              ; CODE XREF: _start+1BAj
    _start+1E0  00 2D                       CMP     memz, #0
    _start+1E2  09 D0                       BEQ     FAIL
    _start+1E2
    _start+1E4  84 21                       MOVS    R1, #0x84 ; ''
    _start+1E6  28 1C                       MOVS    R0, memz
    _start+1E8  09 06                       LSLS    R1, R1, #24     ; R1 = 0x84000000
    _start+1EA  52 46                       MOV     R2, max_llb_size
    _start+1EC  01 9B                       LDR     R3, [SP,#0x38+setting1]
    _start+1EE  FF F7 EC FE                 BL      start_module    ; (memz, entry, max_size, setting1)
    
         . . . . .
         . . . . .
         . . . . .
         . . . . .
    
    
    start_module                  ; =============== S U B R O U T I N E =======================================
    start_module
    start_module                  ; (memz, entry, max_size, setting1)
    start_module                  ; Attributes: bp-based frame
    start_module
    start_module                  start_module                            ; CODE XREF: _start+196p
    start_module                                                          ; _start+1EEp
    start_module
    start_module                  max_size        = -0x14
    start_module                  entry           = -0x10
    start_module                  oldR4           = -0xC
    start_module                  oldR7           = -8
    start_module                  oldLR           = -4
    start_module
    start_module      90 B5                       PUSH    {R4,R7,LR}
    start_module+2    01 AF                       ADD     R7, SP, #4
    start_module+4    82 B0                       SUB     SP, SP, #8
    start_module+6    01 91                       STR     R1, [SP,#0x14+entry]
    start_module+8                max_size is saved but never used!
    start_module+8    00 92                       STR     R2, [SP,#0x14+max_size]
    start_module+A    04 69                       LDR     R4, [R0,#0x10]
    start_module+C    01 21                       MOVS    R1, #1
    start_module+E    22 1C                       MOVS    R2, R4
    start_module+10   0A 43                       ORRS    R2, R1
    start_module+12   02 61                       STR     R2, [R0,#0x10]
    start_module+14   0B 42                       TST     R3, R1
    start_module+16   02 D1                       BNE     loc_6D6
    start_module+16
    start_module+18   03 23                       MOVS    R3, #3
    start_module+1A   23 43                       ORRS    R3, R4
    start_module+1C   03 61                       STR     R3, [R0,#0x10]
    start_module+1C
    start_module+1E
    start_module+1E               loc_6D6                                 ; CODE XREF: start_module+16j
    start_module+1E   01 A9                       ADD     R1, SP, #0x14+entry
    start_module+20   6A 46                       MOV     R2, SP
    start_module+22   01 F0 11 FC                 BL      load_module     ; (memz_or_img3, &outbuf_addr, &outbuf_len)
    start_module+22                                                       ; Returns 0 on success
    start_module+22
    start_module+26   00 28                       CMP     R0, #0
    start_module+28   03 D1                       BNE     loc_6EA
    start_module+28
    start_module+2A   01 99                       LDR     R1, [SP,#0x14+entry]
    start_module+2C   00 22                       MOVS    R2, #0
    start_module+2E   03 F0 3F F9                 BL      run_code
    start_module+2E
    start_module+32
    start_module+32               loc_6EA                                 ; CODE XREF: start_module+28j
    start_module+32   02 B0                       ADD     SP, SP, #8
    start_module+34   90 BD                       POP     {R4,R7,PC}
    start_module+34
    start_module+34               ; End of function start_module
    start_module+34
    Info on USB dumps by geohot
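As an added illustration, not part of the Dev Team notes or the post above: a C model of the start_module flow from the listing, in which max_size is stored to the stack and never consulted, beside a variant that applies the missing comparison before control is transferred. The memz_t layout, the load_module stand-in and the sample lengths are constructed for this example and are not the bootrom's real structures.

```c
#include <stdint.h>

#define MAX_LLB_SIZE 0x24000u   /* max_llb_size from the listing */

/* Constructed stand-in for the memz record the bootrom passes in R0. */
typedef struct {
    uint32_t flags;      /* the word at [memz+0x10] that start_module ORs bits into */
    uint32_t img_len;    /* length the loader would report via &outbuf_len */
    uint32_t entry;      /* address the loader would report via &outbuf_addr */
} memz_t;

/* Stand-in for load_module: returns 0 on success, as the listing notes,
 * and reports the image's address and length through the out-pointers. */
static int load_module(const memz_t *m, uint32_t *out_addr, uint32_t *out_len) {
    if (m->img_len == 0) return -1;
    *out_addr = m->entry;
    *out_len = m->img_len;
    return 0;
}

/* Mirrors the listing: max_size is stored to the stack and never read, so
 * the loaded length is never compared against it. Returns 1 when control
 * would be passed to run_code, 0 when the module is rejected. */
int start_module_unchecked(memz_t *m, uint32_t entry, uint32_t max_size, uint32_t setting1) {
    volatile uint32_t saved_max = max_size;   /* STR R2,[SP,#max_size] ... */
    (void)saved_max;                          /* ... and nothing ever loads it back */
    uint32_t len = 0;
    m->flags |= 1;                            /* ORRS R2, #1; STR [R0,#0x10] */
    if (!(setting1 & 1)) m->flags |= 3;       /* TST R3,#1 / BNE: else OR in 3 */
    if (load_module(m, &entry, &len) != 0) return 0;
    return 1;                                 /* run_code(entry, 0) */
}

/* Hardened variant: the length the loader reports must fit the caller's
 * bound before any control transfer. Same call sequence otherwise. */
int start_module_checked(memz_t *m, uint32_t entry, uint32_t max_size, uint32_t setting1) {
    uint32_t len = 0;
    m->flags |= 1;
    if (!(setting1 & 1)) m->flags |= 3;
    if (load_module(m, &entry, &len) != 0) return 0;
    if (len > max_size) return 0;             /* the comparison the listing lacks */
    return 1;
}
```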
  2. studangerous

    studangerous Super Moderator Emeritus Staff Member

    Joined:
    Dec 2, 2007
    Messages:
    5,975
    Likes Received:
    30
    Device:
    iPhone 4 (Black)
