Slightly more technical redsn0w FAQ

Discussion in 'iPod touch 2G Jailbreak: redsn0w, 24kpwn, etc.' started by SmSpillaz, Jan 17, 2009.

  1. SmSpillaz

    SmSpillaz New Member

    Feb 16, 2008
    Some of you might be confused about the current state of the so-called 'redsn0w' jailbreak. I've assimilated some info from a bunch of sources explaining how it works, why certain things aren't there and why they will be difficult to overcome.

    1) What is redsn0w?

    Unless you've been living under a rock for the past week, redsn0w is the code-name for a potential method of Jailbreaking (NOT pwning, more on that later) the iPod Touch 2G. The iPhone Dev-Team started making noise about it last week on their twitter account.

    2) So how does it work then?

    As you might have guessed from the name, it works very similarly to the yellowsn0w iPhone sim-unlock. It uses an exploit in the Firmware 2.1.1 iBoot interactive recovery bootloader to inject code to overwrite iBoot in RAM to allow it to boot a modified kernel. This is similar to yellowsn0w in that yellowsn0w also patches the 3G baseband on-the-fly in RAM in order to remove the unlocking code.

    For those who are interested, the exploit is in the fact that the iPod Touch 2G has an ARM7 processor (in addition to the ARM11 processor), and Apple left some diagnostic stuff in the 2.1.1 iBoot to run custom code on that processor (which also has access to the main system memory, so you can patch already running sl7xxx code in RAM). They removed it in 2.2; I guess noticing the change let the two teams know that something funny was going on.

    This definition is probably a bit simplistic, I'm fairly sure that I read somewhere that signature checks are also performed in RAM on iBoot as well, however those signature checks may have only been when iBoot is loaded into RAM.

    3) iBoot? What on earth is that?

    If you don't know what this is, I should probably explain (in simple terms) the boot process from power->kernel.

    The bootrom is kind of like a read-only BIOS interface for the iPod Touch. If buttons are held down in the correct order, it will start up in DFU Mode, which will allow it to accept recovery bootloaders, at which point they are checked to see if they are authentic, then it runs them. If you are just turning on the iPod Touch, it goes to the very first bit of the NOR (secondary 8 megabit flash for storing bootloaders, NOT the main filesystem) and authenticity-checks and loads a program called the 'LLB'. Also worth noting here that you can't just overwrite the bootrom because it is read-only. Not even apple could overwrite your bootrom.

    The Low Level Bootloader (LLB) is pretty much the same as the bootrom; all it does is authenticity-check iBoot and load it, or if it can't do that (because iBoot is invalid or corrupt) it just enters a DFU-like mode with a few more commands (and possibly a bit more secure too). Two important things to note here (which made chronic's task difficult):
    • It overwrites the bootrom in RAM, which makes reverse-engineering the actual bootrom very difficult
      [**] EDIT: Never mind that, pod2g found a way of dumping it directly without having to get the image in RAM.
    • If you do the button-combination for DFU mode and this is available, you'll get this DFU mode and not the actual bootrom DFU mode (as far as I know)

    iBoot is the last and most complicated bootloader on the device. It is what provides recovery mode, a basic charging interface, can decrypt firmware using the iPod hardware and boots the actual iPhone OS. For this reason it also needs to be the most secure. This is where the actual exploit was found. In the Firmware 2.1.1 iBoot. Also note that it authenticity checks whatever is sent to it in recovery mode and the kernel when it is just booting.

    4) Wait, so I need Firmware 2.1.1 to do this?

    Yes and no. If you have firmware 2.1.1, all you have to do is enter recovery mode and apply the exploit. If you have firmware 2.2, you'll need to have the 2.1.1 firmware files and enter DFU mode, and I would assume any devteam tool would extract the interactive bootloader from 2.1.1 and load that for you, then exploit it.

    5) What's all this about a 'tethered jailbreak'

    This comes back to what I said earlier about the bootrom. It's perfectly possible to flash the NOR with your own custom LLB and iBoot (images etc); however, when the bootrom sees the modified LLB it will just say 'nowai' and kick you into DFU mode. You can have a fully jailbroken system on the iPod, but this interactive iBoot hole is the only way to actually start it.

    The current patch doesn't apply fully because it's an in-RAM patch, RAM == volatile, which means that as soon as you turn the device off, you also lose the patch (Thanks 'xxx (0)' for pointing that out).

    6) So the iPod Touch 2G is jailbroken (sort of), but does that mean it is pwned?

    It can be pwned (signature checks taken out of the LLB and iBoot) but it won't actually start up, so it will be fairly useless.

    On a side note, the original iPod touch and iPhone (and 3G) bootrom did not signature check the LLB, so you only had to modify that and it would happily start it.

    7) So we've seen a video, how long can we expect a jailbreak?

    I really don't think it's worth providing any ETAs on a usable jailbreak until the devteam states that they have a way (if they can find a way) to make the bootrom pass a modified LLB as authentic.

    8) So how would they do that?

    Two ways:

    First would be to craft a modified LLB sans the sigcheck that has the same SHA1 hash as the Apple LLB (very very hard)

    Second would be to completely erase the NOR flash so all we have is the real bootrom, reverse it and have a look for any kind of signature checking vulnerable to a stack overflow. Then, craft the signature of the bootrom in a way that exploits that stack overflow and use it to load our modified LLB anyways even though it is unsigned. It's a bit risky considering you have to hack the device (even though it is done for you by the bootrom itself (how ironic)) on every boot.

    EDIT: They've got the bootrom without dumping it from the RAM \o/

    9) I saw this video on YouTube claiming to have a specially modified QuickPwn that works on the 2G? They said it was from the devteam as a gift! And there's a link to it! And it looks like QuickPwn too! Is this for real?


    The devteam has not released any sort of tool to perform the jailbreak and anyone claiming to have that tool is probably just some script-kiddie trying to get you to download their adware / spyware / virus.

    And even if they showed you their 2G and it had some jailbreak apps / themes on it, it is probably just a series of screenshots.

    And even if they wiggled those icons around it is probably just some specially crafted video.

    And even if they were wiggling those icons around, they are probably just using webclips to get a picture of the icon.

    10) I don't care if this jailbreak is tethered, can I have the tool anyways?

    We'll see if the devteam chooses to release the tool or not (they might if they can't find a way to pass a modded LLB any time soon). Even then, the tool will be quite difficult to use because you have to write to the filesystem yourself (cydia, installer, terminal, nes) and you'll need it every time you want to boot your iPod. Is that really worth it?

    11) Chronic and his folk came up with something called '0wnboot', is this the untethered jailbreak we're looking for?

    Nope. The devteam haven't released the code for redsn0w to anybody yet; it was coincidental that both Chronic and the devteam found the arm7_go exploit in the same period of time. Chronic and his folk have just figured out how to use it (as did the devteam) and have some unsigned code running based on an in-RAM patch.

    12) OMG OMG OMG redsn0w is out!!! Does this mean we can all jailbreak our iPod Touch 2Gs?

    Yes, but with the conditions above of course. Every time you reboot your iPod you will have to be connected to a computer (usually a mac) with the redsn0w client in order to start up your iPod.

    Are you really sure you want that?

    13) Either I do want that, or I just ignored the last question. Anyway, I go to the redsn0w download and readme page and it all looks like gobbledygook to me. Is there a tool that can make this easier?

    If you don't understand it, you probably shouldn't be doing it. No seriously, there is some serious potential for annoying semi-bricks that are hard to get out of if you don't know what you are doing.

    If you don't care about that there is this or this but I haven't tried either of them yet. Use at your own risk of course.


    Chronic Dev Wiki, Bootrom Challenge:

    Chronic Dev Wiki, Boot Process:

    The iPhone Wiki, Pwnage 2.0:

    The iPhone Wiki, N72ap:

    The iPhone Wiki, ARM7_go | ARM7_stop

    DevTeam CCC Presentation:

    - Sm
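To make the chain-of-trust argument in sections 3, 5 and 6 concrete, here is a toy model of the boot chain the post describes (bootrom -> LLB -> iBoot -> kernel, each stage checking the next before running it). This is an added example, not code from the post, the Dev-Team or Chronic Dev. Assumptions: an HMAC-SHA1 over a constructed key stands in for Apple's real signature check (the trust property is the same: without the key you cannot produce a valid signature), the image names and strings are made up, and the in-RAM iBoot overwrite is modelled as a plain replacement of the running iBoot image; the actual exploit mechanics are not modelled.

```python
"""Toy model of the iPod touch 2G boot chain from the FAQ above (added example).

bootrom (immutable) -> LLB (NOR) -> iBoot (NOR, runs from RAM) -> kernel.
An HMAC-SHA1 with a constructed key stands in for Apple's RSA signature
(assumption); the in-RAM iBoot patch is modelled as replacing the running
iBoot image, the exploit that does that on real hardware is not modelled.
"""
import hashlib
import hmac
from dataclasses import dataclass

APPLE_KEY = b"constructed stand-in for Apple's private signing key"  # hypothetical


def apple_sign(image: bytes) -> bytes:
    """Stand-in for Apple signing an image; nobody else holds APPLE_KEY."""
    return hmac.new(APPLE_KEY, image, hashlib.sha1).digest()


def sig_ok(image: bytes, sig: bytes) -> bool:
    """Signature check performed by a stage on the next stage's image."""
    return hmac.compare_digest(apple_sign(image), sig)


@dataclass
class Image:
    name: str
    code: bytes
    sig: bytes                 # empty for an unsigned (modified) image
    checks_next: bool = True   # does this stage verify the stage after it?


def stock(name: str) -> Image:
    """Apple-signed image as shipped in firmware 2.1.1 (constructed contents)."""
    code = f"{name} v2.1.1".encode()
    return Image(name, code, apple_sign(code))


def pwned(name: str) -> Image:
    """Same stage with its signature check removed; we cannot re-sign it."""
    code = f"{name} v2.1.1, sigcheck removed".encode()
    return Image(name, code, b"", checks_next=False)


CUSTOM_KERNEL = Image("kernel", b"custom kernel", b"", checks_next=False)


class Device:
    def __init__(self, bootrom_checks_llb: bool = True) -> None:
        # The post says the original iPod touch/iPhone bootrom did not check the LLB.
        self.bootrom_checks_llb = bootrom_checks_llb
        self.nor = {"LLB": stock("LLB"), "iBoot": stock("iBoot")}  # persistent flash
        self.kernel = stock("kernel")                               # on the filesystem
        self.ram: dict = {}                                         # volatile

    def flash_nor(self, image: Image) -> None:
        self.nor[image.name] = image

    def inject_ram_iboot(self, image: Image) -> None:
        """Model of the recovery-mode in-RAM iBoot overwrite (mechanics not modelled)."""
        self.ram["iBoot"] = image

    def power_cycle(self) -> None:
        self.ram.clear()  # RAM == volatile: the patch is gone

    def boot(self) -> str:
        llb = self.nor["LLB"]                           # 1. bootrom loads LLB from NOR
        if self.bootrom_checks_llb and not sig_ok(llb.code, llb.sig):
            return "DFU (bootrom rejected LLB)"
        iboot = self.nor["iBoot"]                       # 2. LLB loads iBoot from NOR
        if llb.checks_next and not sig_ok(iboot.code, iboot.sig):
            return "DFU (LLB rejected iBoot)"
        running = self.ram.get("iBoot", iboot)          # 3. iBoot runs from RAM
        if running.checks_next and not sig_ok(self.kernel.code, self.kernel.sig):
            return "recovery (iBoot rejected kernel)"
        return f"booted {self.kernel.code.decode()}"    # 4. kernel


def scenario_pwned_nor() -> str:
    """Sections 5/6: sigchecks removed from LLB and iBoot in NOR on a 2G."""
    d = Device()
    d.flash_nor(pwned("LLB"))
    d.flash_nor(pwned("iBoot"))
    d.kernel = CUSTOM_KERNEL
    return d.boot()


def scenario_tethered() -> tuple:
    """Section 5: in-RAM iBoot patch boots the custom kernel, until power-off."""
    d = Device()
    d.kernel = CUSTOM_KERNEL
    d.inject_ram_iboot(pwned("iBoot"))
    first = d.boot()
    d.power_cycle()
    return first, d.boot()


def scenario_first_gen() -> str:
    """Section 6 side note: a bootrom that does not check the LLB."""
    d = Device(bootrom_checks_llb=False)
    d.flash_nor(pwned("LLB"))
    d.flash_nor(pwned("iBoot"))
    d.kernel = CUSTOM_KERNEL
    return d.boot()


if __name__ == "__main__":
    print(Device().boot(), scenario_pwned_nor(), scenario_tethered(), scenario_first_gen())
```

Running it shows the three outcomes the post walks through: a pwned NOR stops at the bootrom ("DFU"), the tethered device boots the custom kernel once and falls back to stock iBoot rejecting that kernel after a power cycle, and the first-generation chain (no LLB check in the bootrom) happily boots the modified images.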
  2. Fenderboy

    Fenderboy New Member

    Jan 7, 2009
    2G iPod touch
    Nice FAQ guide, good job.
  3. andrew!

    andrew! New Member

    Mar 6, 2008
    iPhone 4 (Black)
    Very good read. Nice work.
  4. Cop J

    Cop J New Member

    Aug 23, 2008
    I have one question...

    Does waking your iPod from sleep mean that you are 'booting' it?

    I'm asking because I have had my iPod for a couple months and I have only turned it off completely once.
  5. Joe Rossignol

    Joe Rossignol Community Manager Staff Member

    Jan 9, 2008
    iPhone 5 (Black)
    Great job! I was going to take a technical look at the jailbreak in my own FAQ but I didn't bother because many people wouldn't understand. Anyways, this is really good though!
  6. ipodtouch1234

    ipodtouch1234 Active Member

    Oct 21, 2007
    iPad 2 (Black)
    Great Info!
    @ Cop J
    No, sleep mode is not booting it. It's like sleep on your computer; it doesn't boot up again, it's just in a very low power state.
  7. nikj14

    nikj14 Active Member

    Sep 4, 2008
    iPhone 3GS (Black)
    This is the clearest explanation I've come across yet; maybe it'll help stop the thousands of questions being asked daily.
  8. higuys

    higuys Member

    Dec 30, 2008
    2G iPod touch
    this is interesting, thanks.
  9. -tcq42-

    -tcq42- Active Member

    Dec 12, 2008
    2G iPod touch
    Very nice FAQ.
  10. Ruamrudee

    Ruamrudee Member

    Feb 2, 2008
    iPhone 5S

    thank you SmSpillaz!!