Verbose boot patch

Discussion in 'iOS Jailbreak & Cydia' started by MuscleNerd, Mar 28, 2009.

  1. MuscleNerd

    MuscleNerd Member

    Joined:
    May 11, 2008
    Messages:
    350
    Likes Received:
    0
    Device:
    iPhone 4 (Black)
    Here's an iBoot patch that will give you a verbose boot on iPod Touch first gen devices running 2.2.1 firmware. Drop this patch file into the appropriate directory of xpwn or PwnageTool for verbose boots.

    http://iphwn.org/verbose_ipt1g_221.zip

    Some people were asking for this after seeing all the people having verbose boot fun with the iPod Touch 2G. I suspect that more iPod Touch 1G/2G users like verbose mode than iPhone users because for iPhone, the boot process is painfully long and so they avoid it as much as possible.


  2. ithug

    ithug New Member

    Joined:
    Aug 28, 2008
    Messages:
    3
    Likes Received:
    0
    Device:
    2G iPod touch
    Here's one for the iPod touch 2G

    [REMOVED]

    And here's a video tutorial also:
    video tutorial
  3. jfb392

    jfb392 New Member

    Joined:
    Oct 20, 2007
    Messages:
    2,512
    Likes Received:
    21
    Device:
    iPod touch
    Thanks for distributing a copyrighted image.
    Since patching is much better, here's the patch.
  4. micaheljcaboose

    micaheljcaboose Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,855
    Likes Received:
    82
    Thank you MuscleNerd




    And is there a way to apply it with QuickPwn (or something that requires no restore)? Or must I go into xPWN? I'm Windows only.
  5. MuscleNerd

    MuscleNerd Member

    Joined:
    May 11, 2008
    Messages:
    350
    Likes Received:
    0
    Device:
    iPhone 4 (Black)
    Here's one for the iPhone 3G running 2.2.1 (another twitter request ... )

    http://iphwn.org/verbose_iphone3g_221.zip
    ------------------double post merged------------------
    I'm not up to date on how QuickPwn for windows is structured. If it doesn't contain directories with individual patches in them, then yeah you've gotta use xpwn instead, if you want to avoid a full filesystem restore. Or QuickPwn on Mac. Or work it into one of the "nor-only" solutions in the ipt2g section.
  6. micaheljcaboose

    micaheljcaboose Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,855
    Likes Received:
    82
    I sense the start of a long and boring journey of mess ups for me. Then finally getting it done a few hours later.
  7. jfb392

    jfb392 New Member

    Joined:
    Oct 20, 2007
    Messages:
    2,512
    Likes Received:
    21
    Device:
    iPod touch
    It's actually quite easy.
    There are two routes you can take: build a custom firmware with the verbose boot patch, or decrypt iBoot and patch it manually using bspatch.
    Since I was lazy, I chose the first, however the second may actually be easier.
    If you want to use the first option, just rename the old iBoot patch and copy in the verbose boot one, then build your firmware.
    After it is built, extract the iBoot image.

    If you were to choose the second option, simply decrypt the stock iBoot with xpwntool (included in XPwn).
    To do this, extract the stock image from your IPSW into your XPwn directory, then use xpwntool as follows:
    Code:
    xpwntool iBoot.n45ap.RELEASE.img3 iBoot.decrypted -k *key* -iv *iv*
    
    Since I don't know how the staff here feels about posting key/IV pairs, I won't.
    However, you can obtain them easily from the Info.plist in the 2.2.1 firmware bundle.
    After decrypting the image, you can patch it using bspatch (which can be found here).
    Your syntax would be as follows:
    Code:
    bspatch iBoot.decrypted iBoot.verbose iBoot.n45ap.RELEASE.patch
    
    Be sure that you have bzip2.exe in your XPwn directory (it's a dependency, which is actually really annoying) and the verbose boot patch MuscleNerd posted.

    After patching, you can inject your patched iBoot back into its Img3 container, which can be done with xpwntool:
    Code:
    xpwntool iBoot.verbose iBoot.n45ap.verbose.img3 -t iBoot.n45ap.RELEASE.img3 -k *key* -iv *iv*
    
    Again, you'll need the iBoot key pair.
    After you've injected your image into its container, simply get rid of the original and rename your new one:
    Code:
    del iBoot.n45ap.RELEASE.img3
    rename iBoot.n45ap.verbose.img3 iBoot.n45ap.RELEASE.img3
    
    Now, this part is a bit rough, but it's actually easy once you get used to it.
    Since Windows has no DMG manipulation built in, we have to rely on things like XPwn's dmg and hfsplus utilities, which are command line tools like the rest of the suite.
    Because of this, we can't easily create our own ramdisks.
    However, we can use other programs that have a GUI to quickly create a template.
    Open up the newest QuickPwn and follow the steps as usual, but do not check either Cydia or Installer (kind of useless if you already have them, plus they'll mess up your package lists).
    When you get to the screen before the DFU mode tutorial, open up a Windows Explorer window.
    In the address bar, type %TEMP%; there should be a folder named "restore". Copy it to your Desktop for now.
    After you've copied the folder, continue on with the DFU mode tutorial.
    When QuickPwn sends the exploit bootloader and executes it (your screen turns white), close QuickPwn.

    In the restore folder, we now have a ramdisk we can use and all of the other files we can use for a nice, small IPSW.
    Now, to add your new iBoot.
    Copy the ramdisk to your XPwn directory (it should be the only .dmg in your restore folder).
    We must decrypt the ramdisk using its key pair and strip off some certificate junk to be able to open it (on Windows, that is).
    To decrypt it, use xpwntool again:
    Code:
    xpwntool 018-4437-16.dmg 018-4437-16-out.dmg -k *key* -iv *iv*
    
    Again, you can get your key pair from the Info.plist in your firmware bundle.
    Look for the "Update Ramdisk" key.

    Now that we have a decrypted ramdisk, the rest is simple.
    We're going to use the hfsplus utility to add your new iBoot to the ramdisk:
    Code:
    hfsplus 018-4437-16-out.dmg add iBoot.n45ap.RELEASE.img3 /nor/iBoot.n45ap.RELEASE.img3
    
    Now that we've added the file, it's time to resign the ramdisk:
    Code:
    xpwntool 018-4437-16-out.dmg 018-4437-16-pwn.dmg -t 018-4437-16.dmg -k *key* -iv *iv*
    
    Finally, it's time to rename the ramdisk:
    Code:
    del 018-4437-16.dmg
    rename 018-4437-16-pwn.dmg 018-4437-16.dmg
    
    Now, you can create your own IPSW that you can restore to in iTunes.
    Copy 018-4437-16.dmg from your XPwn folder and paste it back into your restore folder; replace it when asked.
    Then, zip up the files and rename it to .ipsw.
    To do this, I use WinRAR; I highlight the Firmware folder, the kernel, the disk image, and Restore.plist, then hit "Add to archive".
    When you get the popup, choose ZIP as your type, then for the filename, just name it something like "pwn.ipsw".
    Hit OK, then wait for it to compress.
    Now, you can restore to this IPSW in iTunes using shift-restore.
    It will stick on "Preparing iPod for restore...", but when you see the QuickPwn program on your iPod, kill iTunes using Task Manager.

    Easy, huh?


  8. micaheljcaboose

    micaheljcaboose Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,855
    Likes Received:
    82
    So now I have my touch in restore mode. I restored with the patch in DFU; that didn't work. Booted up fine. Applied it normally (no modes, homescreen). Now it gets kicked into restore mode (plug into iTunes). QuickPwn won't use it. I'm at a loss here. I would rather not restore. I did everything in there except follow through with QuickPwn. I just exited it.
    It had the regular QuickPwn stuff when I did the restore, but it just booted into recovery. Any thoughts?

    Edit: I get: iPod could not be restored. Error 1604
  9. jfb392

    jfb392 New Member

    Joined:
    Oct 20, 2007
    Messages:
    2,512
    Likes Received:
    21
    Device:
    iPod touch
    Honestly, I don't know what to tell you.
    The only thing I can say is make sure you followed all of the instructions correctly.
    I tried to make it as clear-cut as I could, and I know for sure that it works; I use it to load all of my self-made ramdisks, like ones I use to test my patched images when a new firmware comes out.
    I'm not sure if the SHA1s will help (or if timestamps affect the hashes, probably do), but mine are as follows:

    04cdeba565103bf7b13ba1df15c465cb01cf2cfc pwn.ipsw
    905786f6ef2915c562b1d48ff5647bd8ca08357a 018-4437-16.dmg
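The SHA1s above are of the whole pwn.ipsw zip, so a re-zip with WinRAR on another day gets different timestamps in the archive headers and a different hash even when every file inside is identical. This added example (Python, not code from the thread or from XPwn) builds two constructed IPSW-style zips with the same made-up members and different timestamps, shows their outer SHA-1s differ, and compares the per-member content digests instead, which is what you would actually want to check against someone else's build.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the files zipped into pwn.ipsw in the walkthrough:
# Restore.plist, a kernelcache and the re-signed ramdisk. The bytes are made up;
# only the archive structure matters for this demonstration.
SAMPLE_MEMBERS = {
    "Restore.plist": b"<plist><dict></dict></plist>",
    "kernelcache.release.n45": b"\x00constructed-kernel-bytes\x00",
    "018-4437-16.dmg": b"constructed-ramdisk-bytes",
}


def build_ipsw(members, mtime):
    """Zip the members into an IPSW-style archive, stamping every entry with mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=mtime)  # DOS timestamp lands in the headers
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def member_digests(ipsw_bytes):
    """SHA-1 of each member's contents, independent of zip metadata (timestamps, order)."""
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as zf:
        return {info.filename: sha1_hex(zf.read(info)) for info in zf.infolist()}


def same_payload(ipsw_a, ipsw_b):
    """True when both archives carry identical file contents, whatever their outer hash."""
    return member_digests(ipsw_a) == member_digests(ipsw_b)


if __name__ == "__main__":
    a = build_ipsw(SAMPLE_MEMBERS, (2009, 3, 28, 12, 0, 0))
    b = build_ipsw(SAMPLE_MEMBERS, (2009, 3, 29, 9, 30, 0))
    print("archive sha1 equal:", sha1_hex(a) == sha1_hex(b))  # False: timestamps change the zip
    print("payload equal:     ", same_payload(a, b))           # True: every member matches
    for name, digest in member_digests(a).items():
        print(digest, name)  # these are the values worth comparing between builds
```

To check a real build, read pwn.ipsw from disk and compare `member_digests()` of the 018-4437-16.dmg entry rather than the hash of the whole archive.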
  10. micaheljcaboose

    micaheljcaboose Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,855
    Likes Received:
    82
    I even tried applying the new dmg file with QuickPwn, inserting it right before the jailbreak. That kicked me into restore mode again. I've restored my iPod. This is a pain in the ass.
