https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=MuscleNerdThe iPhone Wiki - User contributions [en]2026-06-09T15:30:38ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18251User talk:5urd2011-05-26T23:40:50Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]] <br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
== Flooding ==<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)<br />
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
:::: I understand that, but mostly every time i look in the recent changes pages its filled up with garbage about idecryptit or whatever, rendering "recent changes" 99.99% useless imo. --[[User:Nito|Nito]] 20:42, 26 May 2011 (UTC)<br />
::::: The more active the wiki, the better. It means (1) people are contributing (2) info is being refined and corrected. Even if it's the tiniest details, over time that makes a big difference. [[User:MuscleNerd|MuscleNerd]] 20:44, 26 May 2011 (UTC)<br />
::::::Yes, because people learn a lot from a GUI. He uses the wiki as an advertisement for it. --[[User:Cj|cj]] 20:50, 26 May 2011 (UTC)<br />
:::::::If it's a valid wiki topic, then it "deserves" to be updated as much as any other topic. If it's not a valid topic, ask to have it removed. He's actually marking all of his minor edits properly (that bold "m"). Perhaps whoever owns that twitter account shouldn't rebroadcast edits marked as minor like that. [[User:MuscleNerd|MuscleNerd]] 20:54, 26 May 2011 (UTC)<br />
:::::::: I think it straddles the line of "valid" i definitely remember reading somewhere that geo didn't want the wiki to be used as an advertisement for apps --[[User:Nito|Nito]] 20:56, 26 May 2011 (UTC)<br />
::::::::: The rule is actually "don't create a page just to advertise your new website please". More details on the Ground Rules page. [[User:MuscleNerd|MuscleNerd]] 21:02, 26 May 2011 (UTC)<br />
::::::::: I am not advertising. I am just posting relevant info on an iPhone related app. Also, now that is it published, I am done. Whenever a new firmware comes out, the recent changes is flooded with about 30 edits! --[[User:Balloonhead66|Balloonhead66]] 23:16, 26 May 2011 (UTC)<br />
:::::::::: Don't worry about it...feel free to make any changes whenever they're needed. You're actually doing a good job marking minor changes as "m", and those can be filtered from the Recent Changes page via a single click in the user preference panel. (Whoever's running that twitter bot should filter away "m" changes.) [[User:MuscleNerd|MuscleNerd]] 23:29, 26 May 2011 (UTC)<br />
::::::::::: Thanks! I only try to contribute. I never advertise (except with AdWords) and I always try to do my best to make sure this wiki has the latest info. --[[User:Balloonhead66|Balloonhead66]] 23:35, 26 May 2011 (UTC)<br />
:::::::::::: Yep, there can never be "too much" latest info :) The more contributors the better! [[User:MuscleNerd|MuscleNerd]] 23:40, 26 May 2011 (UTC)</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18249User talk:5urd2011-05-26T23:29:32Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]] <br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)<br />
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
:::: I understand that, but mostly every time i look in the recent changes pages its filled up with garbage about idecryptit or whatever, rendering "recent changes" 99.99% useless imo. --[[User:Nito|Nito]] 20:42, 26 May 2011 (UTC)<br />
::::: The more active the wiki, the better. It means (1) people are contributing (2) info is being refined and corrected. Even if it's the tiniest details, over time that makes a big difference. [[User:MuscleNerd|MuscleNerd]] 20:44, 26 May 2011 (UTC)<br />
::::::Yes, because people learn a lot from a GUI. He uses the wiki as an advertisement for it. --[[User:Cj|cj]] 20:50, 26 May 2011 (UTC)<br />
:::::::If it's a valid wiki topic, then it "deserves" to be updated as much as any other topic. If it's not a valid topic, ask to have it removed. He's actually marking all of his minor edits properly (that bold "m"). Perhaps whoever owns that twitter account shouldn't rebroadcast edits marked as minor like that. [[User:MuscleNerd|MuscleNerd]] 20:54, 26 May 2011 (UTC)<br />
:::::::: I think it straddles the line of "valid" i definitely remember reading somewhere that geo didn't want the wiki to be used as an advertisement for apps --[[User:Nito|Nito]] 20:56, 26 May 2011 (UTC)<br />
::::::::: The rule is actually "don't create a page just to advertise your new website please". More details on the Ground Rules page. [[User:MuscleNerd|MuscleNerd]] 21:02, 26 May 2011 (UTC)<br />
::::::::: I am not advertising. I am just posting relevant info on an iPhone related app. Also, now that is it published, I am done. Whenever a new firmware comes out, the recent changes is flooded with about 30 edits! --[[User:Balloonhead66|Balloonhead66]] 23:16, 26 May 2011 (UTC)<br />
:::::::::: Don't worry about it...feel free to make any changes whenever they're needed. You're actually doing a good job marking minor changes as "m", and those can be filtered from the Recent Changes page via a single click in the user preference panel. (Whoever's running that twitter bot should filter away "m" changes.) [[User:MuscleNerd|MuscleNerd]] 23:29, 26 May 2011 (UTC)</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18248User talk:5urd2011-05-26T23:28:46Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]] <br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)<br />
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
:::: I understand that, but mostly every time i look in the recent changes pages its filled up with garbage about idecryptit or whatever, rendering "recent changes" 99.99% useless imo. --[[User:Nito|Nito]] 20:42, 26 May 2011 (UTC)<br />
::::: The more active the wiki, the better. It means (1) people are contributing (2) info is being refined and corrected. Even if it's the tiniest details, over time that makes a big difference. [[User:MuscleNerd|MuscleNerd]] 20:44, 26 May 2011 (UTC)<br />
::::::Yes, because people learn a lot from a GUI. He uses the wiki as an advertisement for it. --[[User:Cj|cj]] 20:50, 26 May 2011 (UTC)<br />
:::::::If it's a valid wiki topic, then it "deserves" to be updated as much as any other topic. If it's not a valid topic, ask to have it removed. He's actually marking all of his minor edits properly (that bold "m"). Perhaps whoever owns that twitter account shouldn't rebroadcast edits marked as minor like that. [[User:MuscleNerd|MuscleNerd]] 20:54, 26 May 2011 (UTC)<br />
:::::::: I think it straddles the line of "valid" i definitely remember reading somewhere that geo didn't want the wiki to be used as an advertisement for apps --[[User:Nito|Nito]] 20:56, 26 May 2011 (UTC)<br />
::::::::: The rule is actually "don't create a page just to advertise your new website please". More details on the Ground Rules page. [[User:MuscleNerd|MuscleNerd]] 21:02, 26 May 2011 (UTC)<br />
::::::::: I am not advertising. I am just posting relevant info on an iPhone related app. Also, now that is it published, I am done. Whenever a new firmware comes out, the recent changes is flooded with about 30 edits! --[[User:Balloonhead66|Balloonhead66]] 23:16, 26 May 2011 (UTC)<br />
:::::::::: Don't worry about it...feel free to make any changes whenever they're needed. You're actually doing a good job marking minor changes as "m", and those can be filtered from the Recent Changes page via a single click in the user preference panel.</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18242User talk:5urd2011-05-26T21:02:34Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]] <br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)<br />
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
:::: I understand that, but mostly every time i look in the recent changes pages its filled up with garbage about idecryptit or whatever, rendering "recent changes" 99.99% useless imo. --[[User:Nito|Nito]] 20:42, 26 May 2011 (UTC)<br />
::::: The more active the wiki, the better. It means (1) people are contributing (2) info is being refined and corrected. Even if it's the tiniest details, over time that makes a big difference. [[User:MuscleNerd|MuscleNerd]] 20:44, 26 May 2011 (UTC)<br />
::::::Yes, because people learn a lot from a GUI. He uses the wiki as an advertisement for it. --[[User:Cj|cj]] 20:50, 26 May 2011 (UTC)<br />
:::::::If it's a valid wiki topic, then it "deserves" to be updated as much as any other topic. If it's not a valid topic, ask to have it removed. He's actually marking all of his minor edits properly (that bold "m"). Perhaps whoever owns that twitter account shouldn't rebroadcast edits marked as minor like that. [[User:MuscleNerd|MuscleNerd]] 20:54, 26 May 2011 (UTC)<br />
:::::::: I think it straddles the line of "valid" i definitely remember reading somewhere that geo didn't want the wiki to be used as an advertisement for apps --[[User:Nito|Nito]] 20:56, 26 May 2011 (UTC)<br />
::::::::: The rule is actually "don't create a page just to advertise your new website please". More details on the Ground Rules page. [[User:MuscleNerd|MuscleNerd]] 21:02, 26 May 2011 (UTC)</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18240User talk:5urd2011-05-26T20:54:35Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]] <br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)<br />
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
:::: I understand that, but mostly every time i look in the recent changes pages its filled up with garbage about idecryptit or whatever, rendering "recent changes" 99.99% useless imo. --[[User:Nito|Nito]] 20:42, 26 May 2011 (UTC)<br />
::::: The more active the wiki, the better. It means (1) people are contributing (2) info is being refined and corrected. Even if it's the tiniest details, over time that makes a big difference. [[User:MuscleNerd|MuscleNerd]] 20:44, 26 May 2011 (UTC)<br />
::::::Yes, because people learn a lot from a GUI. He uses the wiki as an advertisement for it. --[[User:Cj|cj]] 20:50, 26 May 2011 (UTC)<br />
:::::::If it's a valid wiki topic, then it "deserves" to be updated as much as any other topic. If it's not a valid topic, ask to have it removed. He's actually marking all of his minor edits properly (that bold "m"). Perhaps whoever owns that twitter account shouldn't rebroadcast edits marked as minor like that. [[User:MuscleNerd|MuscleNerd]] 20:54, 26 May 2011 (UTC)</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18239User talk:5urd2011-05-26T20:53:57Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]] <br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)<br />
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
:::: I understand that, but mostly every time i look in the recent changes pages its filled up with garbage about idecryptit or whatever, rendering "recent changes" 99.99% useless imo. --[[User:Nito|Nito]] 20:42, 26 May 2011 (UTC)<br />
::::: The more active the wiki, the better. It means (1) people are contributing (2) info is being refined and corrected. Even if it's the tiniest details, over time that makes a big difference. [[User:MuscleNerd|MuscleNerd]] 20:44, 26 May 2011 (UTC)<br />
::::::Yes, because people learn a lot from a GUI. He uses the wiki as an advertisement for it. --[[User:Cj|cj]] 20:50, 26 May 2011 (UTC)<br />
:::::::If it's a valid wiki topic, then it "deserves" to be updated as much as any other topic. If it's not a valid topic, ask to have it removed. He's actually marking all of his minor edits properly (that bold "m").</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18237User talk:5urd2011-05-26T20:44:07Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]] <br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)<br />
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
:::: I understand that, but mostly every time i look in the recent changes pages its filled up with garbage about idecryptit or whatever, rendering "recent changes" 99.99% useless imo. --[[User:Nito|Nito]] 20:42, 26 May 2011 (UTC)<br />
::::: The more active the wiki, the better. It means (1) people are contributing (2) info is being refined and corrected. Even if it's the tiniest details, over time that makes a big difference. [[User:MuscleNerd|MuscleNerd]] 20:44, 26 May 2011 (UTC)</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18235User talk:5urd2011-05-26T20:40:14Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]]<br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)<br />
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)<br />
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=User_talk:5urd&diff=18233User talk:5urd2011-05-26T20:34:35Z<p>MuscleNerd: </p>
<hr />
<div>==Stub==<br />
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
<br />
==Pictures==<br />
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)<br />
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)<br />
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)<br />
:::Images:<br />
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]<br />
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]<br />
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]<br />
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]]<br />
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]<br />
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced<br />
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]<br />
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]<br />
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)<br />
<br />
Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)<br />
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better.</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Talk:AT%2BXNONCE&diff=15866Talk:AT+XNONCE2011-02-06T07:24:15Z<p>MuscleNerd: </p>
<hr />
<div>Actually it's at+xnonce?, not at+nonce :)</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Talk:AT%2BXNONCE&diff=15865Talk:AT+XNONCE2011-02-06T07:23:37Z<p>MuscleNerd: New page: Actually it's at+xnonce, not at+nonce :)</p>
<hr />
<div>Actually it's at+xnonce, not at+nonce :)</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=NAND&diff=14201NAND2010-12-18T11:14:44Z<p>MuscleNerd: </p>
<hr />
<div>[[Image:8GBflash.jpg|thumb|left|Example of a NAND chip.]]<br />
This refers to the NAND flash chip used in the [[Apple TV]], [[iPad]], [[iPhone]], and [[iPod touch]]. This is where all the storage capacity comes from. The capacity can range from as little as 4GB to as many as 64GB. in iOS, it is partitioned into two: the system partition and the user partition. The system partition contains the [[iOS]] operating system and the native Apple applications, and is mounted as read-only. The user partition contains all user data, including installed applications, music, and movies, and is mounted as read/write.<br />
A bare-bones jailbreak modifies the file "[[/etc/fstab]]" and enables read and write on all 2 partitions.<br />
<br />
NAND partition layout in modern devices, courtesy [[CPICH]], published in [http://twitter.com/cpich3g/status/15966288660660224 Twitter] ([http://freepdfhosting.com/29256fdff9.pdf NAND partition layout])...<br />
<br />
[[Image:N1.png]]<br />
[[Image:N2.png]]<br />
[[Image:N3.png]]<br />
[[Image:N4.png]]<br />
[[Image:N5.png]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=File:N5.png&diff=14200File:N5.png2010-12-18T11:12:45Z<p>MuscleNerd: </p>
<hr />
<div></div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=File:N4.png&diff=14199File:N4.png2010-12-18T11:12:24Z<p>MuscleNerd: </p>
<hr />
<div></div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=File:N3.png&diff=14198File:N3.png2010-12-18T11:12:07Z<p>MuscleNerd: </p>
<hr />
<div></div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=File:N2.png&diff=14197File:N2.png2010-12-18T11:11:47Z<p>MuscleNerd: </p>
<hr />
<div></div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=File:N1.png&diff=14196File:N1.png2010-12-18T11:11:19Z<p>MuscleNerd: </p>
<hr />
<div></div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=S5L8930&diff=9117S5L89302010-09-09T19:57:54Z<p>MuscleNerd: </p>
<hr />
<div>An SoC developed by Apple in-house chip design department. It is currently used in [[k48ap|iPad]], [[N90ap|iPhone 4]], and [[N81ap|iPod Touch 4G]]. Publicly, Apple refers to this chip as the '''A4'''.<br />
<br />
== Exploits ==<br />
<br />
=== [[iBoot]] ===<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 3.2.1<br />
<br />
=== [[Userland]] ===<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2<br />
* [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 3.2.1<br />
<br />
== Boot Chain ==<br />
[[S5L8930 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
== Specifications ==<br />
* '''CPU''': ARM Cortex-A8<br />
* '''GPU''': PowerVR SGX 535<br />
* '''A/V Playback''': PowerVR VXD<br />
<br />
These are the same specifications as the [[S5L8920]] and [[S5L8922]], except this processor has a higher clock speed.<br />
<br />
== See also ==<br />
* [[S5L8930 (Bootrom)]]<br />
<br />
== Links ==<br />
* http://www.apple.com/ipad/specs/<br />
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=AT%2BXAPP_Vulnerability&diff=6788AT+XAPP Vulnerability2010-06-29T19:04:10Z<p>MuscleNerd: Undo revision 6786 by Leobruh (Talk)</p>
<hr />
<div>Used as an injection vector for the current iPhone 3G and iPhone 3GS unlock payloads - ultrasn0w 0.93. Currently available in all baseband versions until 05.13.04.<br />
<br />
== Credit ==<br />
<br />
* '''vulnerability''': [http://twitter.com/sherif_hashim sherif_hashim], also discovered by [http://twitter.com/westbaer westbaer], [[geohot]] and [http://twitter.com/oranav Oranav] (each one independently)<br />
* '''exploitation''': [[iPhone Dev Team]]<br />
<br />
<br />
== Exploit ==<br />
<br />
<br />
There is a stack overflow in the AT+XAPP="..." command, which allows unsigned code execution on the [[X-Gold 608]]<br />
<br />
at+xapp="0000111122223333444455556666777788889999000011112222"<br />
<br />
applying a string of more than 52 characters will trigger the overflow<br />
<br />
<br />
== Implementation ==<br />
<br />
<br />
The exploit was used by [[iPhone Dev Team]] in [[Ultrasn0w]] 0.93 which is able to unlock 4.26.08, 5.11.07, 5.12.01 and 5.13.04 BB firmwares<br />
<br />
----<br />
<br />
[[Category:Baseband Exploits]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Talk:Spirit&diff=6322Talk:Spirit2010-05-05T20:17:35Z<p>MuscleNerd: </p>
<hr />
<div>There exists also a tool called [[Spirit Fixer|Spirit Fixer v1.01]], written by [[Kirma]]. Anybody knows what that is? Here's a link: http://twitter.com/elior231/status/13296125900<br />
<br />
--[[User:Http|http]] 21:42, 4 May 2010 (UTC)<br />
<br />
<br />
I'd love to see a technical writeup of everything, although I don't blame you if you don't. I'm lazy about those things too. As far as trying to keep it secret from Apple, I don't feel theres a point, they'll find it no matter what we do.<br />
<br />
--[[User:Geohot|geohot]] 14:02, 5 May 2010 (UTC)<br />
<br />
<br />
I have started reverse engineering Spirit and making some UML(like) data flow and function diagrams. The problem is that I am guessing at too many things since I did not wana post anything and have someone get pissed it was out there. I am up for putting a formal brief together if others want to collaborate. I would imagine as Geohot said, that apple had this disassembled before the .tar was dry. Not to mention that they are not just looking for the exploit that was used (since they most likely had a whiteboard full of potentials during design) , they are looking for copyright violations and their stollen code in every bit of its bits. <br />
<br />
--KodeSlinger 16:31, 5 May 2010 (UTC)<br />
<br />
Meh, as mentioned on spiritjb.com, once Apple has shown that they've fixed it, the source will be released anyway. - MuscleNerd<br />
<br />
<br />
@MuscleNerd - I started working on it BS (Before Spirit :) ), to create a centralized location that dynamically maps (HW/FW/SW) physical and logical drawings together. My thought was something like this wiki on crack. Ideally to generate functional diagrams of the idevice that act as a starting point to link to more detailed sections pertaining to that functions exploits, related functions, and source code samples(or any other data). Since I am new to this community I have been trying to organize this data for my own brain, and thought others might use it. I will post some screen shots later. The more organized we are the easier it will be to exploit the next vulnerability. <br />
--[[User:Viper911h|KodeSlinger]] 20:11, 5 May 2010 (UTC)<br />
<br />
Oh hah, cool :) If you do that though, obviously you shouldn't go overboard and start publicly discussing variations of this that would help Apple close other holes yet to be exploited (it sounds like your well-versed enough to do that!) - MuscleNerd</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Talk:Spirit&diff=6320Talk:Spirit2010-05-05T18:51:14Z<p>MuscleNerd: source is coming anyway</p>
<hr />
<div>There exists also a tool called [[Spirit Fixer|Spirit Fixer v1.01]], written by [[Kirma]]. Anybody knows what that is? Here's a link: http://twitter.com/elior231/status/13296125900<br />
<br />
--[[User:Http|http]] 21:42, 4 May 2010 (UTC)<br />
<br />
<br />
I'd love to see a technical writeup of everything, although I don't blame you if you don't. I'm lazy about those things too. As far as trying to keep it secret from Apple, I don't feel theres a point, they'll find it no matter what we do.<br />
<br />
--[[User:Geohot|geohot]] 14:02, 5 May 2010 (UTC)<br />
<br />
<br />
I have started reverse engineering Spirit and making some UML(like) data flow and function diagrams. The problem is that I am guessing at too many things since I did not wana post anything and have someone get pissed it was out there. I am up for putting a formal brief together if others want to collaborate. I would imagine as Geohot said, that apple had this disassembled before the .tar was dry. Not to mention that they are not just looking for the exploit that was used (since they most likely had a whiteboard full of potentials during design) , they are looking for copyright violations and their stollen code in every bit of its bits. <br />
<br />
--KodeSlinger 16:31, 5 May 2010 (UTC)<br />
<br />
Meh, as mentioned on spiritjb.com, once Apple has shown that they've fixed it, the source will be released anyway. - MuscleNerd</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Ramdisk_Hack&diff=6238Ramdisk Hack2010-04-24T01:13:15Z<p>MuscleNerd: LOL while we're off in fantasy land</p>
<hr />
<div>This allows unsigned ramdisks to be booted. It was first publicized by [[ZiPhone]] <br />
<br />
==Credit==<br />
[[Zibri]]<br />
<br />
==Exploit==<br />
Passing pmd*= boot-args specifying a ramdisk in ram > 0x9C000000 allows any ramdisk to be booted.<br />
<br />
==Implementation==<br />
* [[PwnageTool]]<br />
* [[ZiPhone]]<br />
* iPlus<br />
* iLibertyX / [[iLiberty+]]<br />
* iFree <br />
* iPhone Forensics Toolkit<br />
* iNdependence<br />
* Any Jailbreak program so far<br />
* iTunes<br />
* Android<br />
* Zune<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Exploits]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Sn0wbreeze&diff=5830Sn0wbreeze2010-02-15T21:42:21Z<p>MuscleNerd: dmg.exe needs source</p>
<hr />
<div>sn0wbreeze is a [[PwnageTool]] port to windows, developed by [[iH8sn0w]]. It currently jailbreaks the 3.1.2, and 3.1.3 firmware.<br />
<br />
== Models Supported ==<br />
{| class="wikitable"<br />
|-<br />
! Model<br />
|-<br />
| [[M68ap|iPhone 2G]]<br />
|-<br />
| [[N45ap|iPod touch 1G]]<br />
|-<br />
| [[N82ap|iPhone 3G]]<br />
|-<br />
| [[N72ap|iPod touch 2G]] '''NON-MC'''<br />
|-<br />
| [[N88ap|iPhone 3GS]] '''Old Bootrom'''<br />
|}<br />
Note that the iPod touch 3G is not supported. With the iPod touch 2G and iPhone 3GS you need to be already jailbroken. The [[S5L8900]] devices you can go into [[DFU]] mode and restore with [[iTunes]] without being jailbroken.<br />
<br />
==Versions==<br />
<br />
sn0wbreeze was first released January 13, 2010 as a beta version.<br />
The following versions that are shown here are official. <br />
<br />
=== 3.1.X ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Changes<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== Public Beta ====<br />
| style="white-space: nowrap;" | January 13, 2010<br />
| |<br />
* Initial release<br />
* Jailbreaks 3.1.2 firmware<br />
* Only allows you to be able to select simple mode<br />
* Taken down due to copyright issues with [[xPWN]]<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.0 ====<br />
| style="white-space: nowrap;" | January 16, 2010<br />
| |<br />
* Official release of sn0wbreeze<br />
* Jailbreaks 3.1.2 Firmware<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.1 ====<br />
| style="white-space: nowrap;" | January 19, 2010<br />
| |<br />
* Fixes [[Cydia]] problems<br />
* Fixes problems with NOR on [[S5L8900]] device's<br />
* Fixes custom packages not being installed<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.2 ====<br />
| style="white-space: nowrap;" |January 21, 2010<br />
| |<br />
* GUI fixes<br />
* Fixed even more [[Cydia]] problems<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.3 ====<br />
| style="white-space: nowrap;" | January 23, 2010<br />
| |<br />
* fixes bug where some [[Cydia]] repositories could not be added and downloaded from<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.4 ====<br />
| style="white-space: nowrap;" | January 26, 2010<br />
| |<br />
* Fixed vital bug where deb files may not be added to the right place<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.5 ====<br />
| style="white-space: nowrap;" | February 5, 2010<br />
| |<br />
* '''Jailbreaks 3.1.3'''<br />
* removed verbose mode support<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
<br />
==== 1.5.1 ====<br />
| style="white-space: nowrap;" | February 7, 2010<br />
| |<br />
* Removed blacksn0w due to com center issues (Fix being worked on)<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
==Problems==<br />
There are some problems with blacksn0w because it relies on the 3.1.2 CommCenter, and needs to be updated the the 3.1.3 version. If installed it will cause your iPhone to go into a boot loop.<br />
<br />
== Use of xpwn ==<br />
The backend of sn0wbreeze is [http://github.com/planetbeing/xpwn xpwn], an open-source custom IPSW generator created by planetbeing in parallel with [[iPhone Dev Team]] developments of techniques and tools. xpwn runs on Windows, Mac OS X, and Linux. Given a "bundle" of patches from either [[PwnageTool]] or sn0wbreeze, xpwn driven from the command line is able to create the same custom IPSW as either tool. One of the fixes to xpwn made by iH8sn0w has been made available. [http://github.com/iH8sn0w/xpwn]. Others have yet to posted (dmg.exe).<br />
<br />
== License ==<br />
sn0wbreeze is freeware.<br />
<br />
== Download ==<br />
[http://ih8sn0w.com/index.php/download/file/sn0wbreeze/pc Download sn0wbreeze 3.1.3]<br />
<br />
[[Category:Hacking Software]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Sn0wbreeze&diff=5809Sn0wbreeze2010-02-12T19:12:46Z<p>MuscleNerd: use of xpwn</p>
<hr />
<div>sn0wbreeze is a [[PwnageTool]] port to windows, developed by [[iH8sn0w]]. It currently jailbreaks the 3.1.2, and 3.1.3 firmware.<br />
<br />
== Models Supported ==<br />
{| class="wikitable"<br />
|-<br />
! Model<br />
|-<br />
| [[M68ap|iPhone 2G]]<br />
|-<br />
| [[N45ap|iPod touch 1G]]<br />
|-<br />
| [[N82ap|iPhone 3G]]<br />
|-<br />
| [[N72ap|iPod touch 2G]] '''NON-MC'''<br />
|-<br />
| [[N88ap|iPhone 3GS]] '''Old Bootrom'''<br />
|}<br />
Note that the iPod touch 3G is not supported. With the iPod touch 2G and iPhone 3GS you need to be already jailbroken. The [[S5L8900]] devices you can go into [[DFU]] mode and restore with [[iTunes]] without being jailbroken.<br />
<br />
==Versions==<br />
<br />
sn0wbreeze was first released January 13, 2010 as a beta version.<br />
The following versions that are shown here are official. <br />
<br />
=== 3.1.X ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Changes<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== Public Beta ====<br />
| style="white-space: nowrap;" | January 13, 2010<br />
| |<br />
* Initial release<br />
* Jailbreaks 3.1.2 firmware<br />
* Only allows you to be able to select simple mode<br />
* Token down due to copyright issues with [[xPWN]]<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.0 ====<br />
| style="white-space: nowrap;" | January 16, 2010<br />
| |<br />
* Official release of sn0wbreeze<br />
* Jailbreaks 3.1.2 Firmware<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.1 ====<br />
| style="white-space: nowrap;" | January 19, 2010<br />
| |<br />
* Fixes [[Cydia]] problems<br />
* Fixes problems with NOR on [[S5L8900]] device's<br />
* Fixes custom packages not being installed<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.2 ====<br />
| style="white-space: nowrap;" |January 21, 2010<br />
| |<br />
* GUI fixes<br />
* Fixed even more [[Cydia]] problems<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.3 ====<br />
| style="white-space: nowrap;" | January 23, 2010<br />
| |<br />
* fixes bug where some [[Cydia]] repositories could not be added and downloaded from<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.4 ====<br />
| style="white-space: nowrap;" | January 26, 2010<br />
| |<br />
* Fixed vital bug where deb files may not be added to the right place<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.5 ====<br />
| style="white-space: nowrap;" | February 5, 2010<br />
| |<br />
* '''Jailbreaks 3.1.3'''<br />
* removed verbose mode support<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
<br />
==== 1.5.1 ====<br />
| style="white-space: nowrap;" | February 7, 2010<br />
| |<br />
* Removed blacksn0w due to com center issues (Fix being worked on)<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
==Problems==<br />
There are some problems with blacksn0w because it realies on the 3.1.2 com center, and needs to be updated the the 3.1.3 version. If installed it will cause you iPhone to go into a boot loop.<br />
<br />
== Use of xpwn ==<br />
The backend of sn0wbreeze is [http://github.com/planetbeing/xpwn xpwn], an open-source custom IPSW generator created by planetbeing in parallel with Devteam developments of techniques and tools. xpwn runs on Windows, OS X, and Linux. GIven a "bundle" of patches from either PwnageTool or sn0wbreeze, xpwn driven from the command line is able to create the same custom IPSW as either tool. There are some outstanding fixes to xpwn that the developers of sn0wbreeze made, which they said they would put back into the open-source version in compliance with the license (this has not yet been done though).<br />
<br />
== License ==<br />
sn0wbreeze is freeware.<br />
<br />
== Download ==<br />
[http://ih8sn0w.com/index.php/download/file/sn0wbreeze/pc Download sn0wbreeze 3.1.3]<br />
<br />
[[Category:Hacking Software]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Redsn0w&diff=3770Redsn0w2009-06-07T05:45:39Z<p>MuscleNerd: </p>
<hr />
<div>The redsn0w program is a specific implementation of the [[0x24000 Segment Overflow]] for the iPod Touch 2G. It's a command-line utility for Windows, OS X and Linux that jailbreaks the device and installs basic jailbroken software on it, in a manner similar to QuickPwn. It's currently closed-sourced but the executable is being worked into several third-party GUIs as the underlying engine.<br />
<br />
== Credit ==<br />
[[IPhone_Dev_Team|The iPhone Dev Team]]<br />
<br />
== Exploit ==<br />
See the [[0x24000 Segment Overflow]] page for a full description of the vulnerability and exploit. Credit for that work goes to a mixture of the Chronic Dev and [[IPhone_Dev_Team|The iPhone Dev Team]].<br />
<br />
== Download ==<br />
* http://redsn0w.com/</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Redsn0w&diff=3769Redsn0w2009-06-07T05:43:54Z<p>MuscleNerd: oops forgot about linux</p>
<hr />
<div>The redsn0w program is a specific implementation of the [[0x24000 Segment Overflow]] for the iPod Touch 2G. It's a command-line utility for Windows, OS X and Linux that jailbreaks the device and installs basic jailbroken software on it, in a manner similar to QuickPwn. It's currently closed-sourced but the executable is being worked into several third-party GUIs as the underlying engine.<br />
<br />
== Credit ==<br />
[[dev team|The iPhone Dev Team]]<br />
<br />
== Exploit ==<br />
See the [[0x24000 Segment Overflow]] page for a full description of the vulnerability and exploit. Credit for that work goes to a mixture of the Chronic Dev and [[dev team|The iPhone Dev Team]].<br />
<br />
== Download ==<br />
* http://redsn0w.com/</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Redsn0w&diff=3768Redsn0w2009-06-07T05:42:26Z<p>MuscleNerd: redsn0w is a dev team implementation</p>
<hr />
<div>The redsn0w program is a specific implementation of the [[0x24000 Segment Overflow]] for the iPod Touch 2G. It's a command-line utility for both Windows and Mac that jailbreaks the device and installs basic jailbroken software on it, in a manner similar to QuickPwn. It's currently closed-sourced but the executable is being worked into several third-party GUIs as the underlying engine.<br />
<br />
== Credit ==<br />
[[dev team|The iPhone Dev Team]]<br />
<br />
== Exploit ==<br />
See the [[0x24000 Segment Overflow]] page for a full description of the vulnerability and exploit. Credit for that work goes to a mixture of the Chronic Dev and [[dev team|The iPhone Dev Team]].<br />
<br />
== Download ==<br />
* http://redsn0w.com/</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Dual_Boot_Exploit&diff=3692Dual Boot Exploit2009-05-09T21:15:44Z<p>MuscleNerd: </p>
<hr />
<div>== Credit ==<br />
[[the dev team]]<br />
<br />
== Exploit ==<br />
The user would create a copy of the currently installed jailbroken OS to /dev/disk0s3, then in iTunes update to the latest unjailbroken firmware. They would then boot to the jailbroken OS, SSH in, and mount /dev/disk0s1, where the unjailbroken OS was. Finally, they would copy over Installer / OpenSSH / Terminal to the unjailbroken OS.<br />
<br />
=== Defeating Countermeasures ===<br />
In 1.1.1, a routine called "check_for_suspicious_partitions()" came about, in which for any partition other than the System partition (/dev/disk0s1), it would stat(); "/sbin/launchd" to check the existance of the file. [[the dev team]] got around this by simply making /sbin/launchd a symlink to the actual launchd in /mysbin/launchd. Since stat(); does not follow symlinks, this workaround worked great.<br />
<br />
== Why it no longer works ==<br />
There are two reasons that it no longer works<br />
<br />
=== Booting ===<br />
In firmware 2.0b4 and beyond, [[iBoot]] no longer allows you to pass boot-args to the kernel, so you cannot boot to the new partition.<br />
<br />
=== lstat(); ===<br />
The "check_for_suspicious_partitions" routine now uses lstat(); instead of stat(); meaning that the method for defeating the 1.1.1+ countermeasure no longer works. I am not sure when Apple started using lstat(); instead of stat();<br />
<br />
==External links==<br />
* [http://wikee.iphwn.org/s5l8900:dualboot Full writeup on the dev team wiki]<br />
* [http://wikee.iphwn.org/s5l8900:dualboot_logfile Logfile of session creating dual boot system]<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Exploits]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=IPhone_Dev_Team&diff=3222IPhone Dev Team2009-03-14T06:31:36Z<p>MuscleNerd: </p>
<hr />
<div>==Blog==<br />
[http://blog.iphone-dev.org Dev Team blog]<br />
<br />
==Current members== <br />
asap18, bgm, Bugout, bushing, c1de0x, chris, dinopio, drudge, Fred_, ghost_000, gray, iZsh, jim–, MuscleNerd, netkas, np101137, penisbird, planetbeing, pr3d4t0r, pumpkin, pytey, roxfan, saurik, Turbo, w___, wizdaz, Zf<br />
<br />
==Previous Members==<br />
[[geohot]], gj, kroo, Nate True, NerveGas, sam, Whiterat, [[Zibri]]<br />
<br />
==See also==<br />
* [[PwnageTool]]<br />
* [[pwnage]]<br />
* [[pwnage 2.0]]<br />
* [[yellowsn0w]]<br />
* [[redsn0w]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=IPhone_Dev_Team&diff=3221IPhone Dev Team2009-03-14T06:31:17Z<p>MuscleNerd: /* Homepage */</p>
<hr />
<div>==Homepage==<br />
[http://blog.iphone-dev.org Dev Team blog]<br />
<br />
==Current members== <br />
asap18, bgm, Bugout, bushing, c1de0x, chris, dinopio, drudge, Fred_, ghost_000, gray, iZsh, jim–, MuscleNerd, netkas, np101137, penisbird, planetbeing, pr3d4t0r, pumpkin, pytey, roxfan, saurik, Turbo, w___, wizdaz, Zf<br />
<br />
==Previous Members==<br />
[[geohot]], gj, kroo, Nate True, NerveGas, sam, Whiterat, [[Zibri]]<br />
<br />
==See also==<br />
* [[PwnageTool]]<br />
* [[pwnage]]<br />
* [[pwnage 2.0]]<br />
* [[yellowsn0w]]<br />
* [[redsn0w]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=32200x24000 Segment Overflow2009-03-14T06:23:10Z<p>MuscleNerd: </p>
<hr />
<div>Also known by its codename, "24kPwn", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
==Note==<br />
It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it.<br />
<br />
==Credit==<br />
A "hybrid" team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] SoC has a MIU configuration which maps the "Secure ROM" to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000. Statically allocated variables, heap, and stack must use the SRAM, as "Secure ROM" is unwritable. A region of memory starting from 0x22024000 is used for this purpose. The region of memory from 0x22000000 to 0x22024000 is used as a buffer for loading the next stage bootloader code (the LLB). The LLB code is stored in NOR, along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at 0x22024000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from Secure ROM.<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] img3 from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of its img3 header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] img3, so that the payload code can be placed within the [[LLB]] img3.<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the bootrom had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the img3 DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] img3 would replace sub_5E54's LR. This is because this is the first dword of the img3 that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the bootrom would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the img3, and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a size-able portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit img3 was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular Img3 with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
==Timing Impact==<br />
This exploit would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even if it is too late to fix the bootrom now, it is not too late for Apple to fix the restore process in the initial shipping ipsw so that we have no way to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they now can prioritize a fix for this oversight.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party, this eventuality is a near-certainty and erased the possibility of the next generation iPhone from being jailbroken right off the bat. May they burn in hell.<br />
<br />
[[Category:Exploits]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=32190x24000 Segment Overflow2009-03-14T06:21:37Z<p>MuscleNerd: /* Deployment */</p>
<hr />
<div>Also known by it's codename, "24kPwn", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
==Note==<br />
It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it.<br />
<br />
==Credit==<br />
A "hybrid" team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] SoC has a MIU configuration which maps the "Secure ROM" to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000. Statically allocated variables, heap, and stack must use the SRAM, as "Secure ROM" is unwritable. A region of memory starting from 0x22024000 is used for this purpose. The region of memory from 0x22000000 to 0x22024000 is used as a buffer for loading the next stage bootloader code (the LLB). The LLB code is stored in NOR, along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at 0x22024000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from Secure ROM.<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] img3 from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of its img3 header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] img3, so that the payload code can be placed within the [[LLB]] img3.<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the bootrom had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the img3 DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] img3 would replace sub_5E54's LR. This is because this is the first dword of the img3 that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the bootrom would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the img3, and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a size-able portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit img3 was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular Img3 with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
==Timing Impact==<br />
This exploit would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even if it is too late to fix the bootrom now, it is not too late for Apple to fix the restore process in the initial shipping ipsw so that we have no way to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they now can prioritize a fix for this oversight.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party, this eventuality is a near-certainty and erased the possibility of the next generation iPhone from being jailbroken right off the bat. May they burn in hell.<br />
<br />
[[Category:Exploits]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=32180x24000 Segment Overflow2009-03-14T06:19:48Z<p>MuscleNerd: /* Vulnerability */</p>
<hr />
<div>Also known by it's codename, "24kPwn", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
==Note==<br />
It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it.<br />
<br />
==Credit==<br />
A "hybrid" team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] SoC has a MIU configuration which maps the "Secure ROM" to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000. Statically allocated variables, heap, and stack must use the SRAM, as "Secure ROM" is unwritable. A region of memory starting from 0x22024000 is used for this purpose. The region of memory from 0x22000000 to 0x22024000 is used as a buffer for loading the next stage bootloader code (the LLB). The LLB code is stored in NOR, along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at 0x22024000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from Secure ROM.<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] img3 from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of its img3 header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] img3, so that the payload code can be placed within the [[LLB]] img3.<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the bootrom had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the img3 DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] img3 would replace sub_5E54's LR. This is because this is the first dword of the img3 that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the bootrom would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the img3, and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a size-able portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit img3 was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular Img3 with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
This would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even if it is too late to fix the bootrom now, it is not too late for Apple to fix the restore process in the initial shipping ipsw so that we have no way to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they now can prioritize a fix for this oversight.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party, this eventuality is a near-certainty and erased the possibility of the next generation iPhone from being jailbroken right off the bat. May they burn in hell.<br />
<br />
[[Category:Exploits]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=32170x24000 Segment Overflow2009-03-14T06:17:03Z<p>MuscleNerd: /* Credit */</p>
<hr />
<div>Also known by it's codename, "24kPwn", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
==Note==<br />
It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it.<br />
<br />
==Credit==<br />
A "hybrid" team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] SoC has a MIU configuration which maps the "Secure ROM" to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000. Statically allocated variables, heap, and stack must use the SRAM, as "Secure ROM" is unwritable. A region of memory starting from 0x22024000 is used for this purpose. The region of memory from 0x22000000 to 0x22024000 is used as a buffer for loading the next stage bootloader code (the LLB). The LLB code is stored in NOR, along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at 0x22024000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from Secure ROM.<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] img3 from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of its img3 header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] img3, so that the payload code can be placed within the [[LLB]] img3.<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the bootrom had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the img3 DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] img3 would replace sub_5E54's LR. This is because this is the first dword of the img3 that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the bootrom would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the img3, and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a size-able portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit img3 was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular Img3 with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
This would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even if it is too late to fix the bootrom now, it is not too late for Apple to fix the restore process in the initial shipping ipsw so that we have no way to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they now can prioritize a fix for this oversight.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party, this eventuality is a near-certainty and erased the possibility of the next generation iPhone from being jailbroken right off the bat. May they burn in hell.<br />
<br />
[[Category:Exploits]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=32160x24000 Segment Overflow2009-03-14T06:16:37Z<p>MuscleNerd: </p>
<hr />
<div>Also known by it's codename, "24kPwn", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
==Note==<br />
It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it.<br />
<br />
==Credit==<br />
A "hybrid" team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', ""MuscleNerd"" '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] SoC has a MIU configuration which maps the "Secure ROM" to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000. Statically allocated variables, heap, and stack must use the SRAM, as "Secure ROM" is unwritable. A region of memory starting from 0x22024000 is used for this purpose. The region of memory from 0x22000000 to 0x22024000 is used as a buffer for loading the next stage bootloader code (the LLB). The LLB code is stored in NOR, along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at 0x22024000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from Secure ROM.<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] img3 from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of its img3 header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] img3, so that the payload code can be placed within the [[LLB]] img3.<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the bootrom had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the img3 DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] img3 would replace sub_5E54's LR. This is because this is the first dword of the img3 that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the bootrom would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the img3, and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a size-able portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit img3 was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular Img3 with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
This would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even if it is too late to fix the bootrom now, it is not too late for Apple to fix the restore process in the initial shipping ipsw so that we have no way to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they now can prioritize a fix for this oversight.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party, this eventuality is a near-certainty and erased the possibility of the next generation iPhone from being jailbroken right off the bat. May they burn in hell.<br />
<br />
[[Category:Exploits]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Redsn0w_Lite&diff=3073Redsn0w Lite2009-02-19T13:31:06Z<p>MuscleNerd: /* What it does */</p>
<hr />
<div>This is the [[dev team|iPhone Dev Team's]] tethered jailbreak ("redsn0w-lite") for the [[n72ap|iPod Touch 2G]]. It is their payload for the [[ARM7 Go]] backdoor. It's analagous to how [[yellowsn0w]] is the actual unlocking payload injected by the [[at+stkprof]] exploit in baseband 02.28.00.<br />
<br />
==What it does==<br />
For the most part, it is a nicely optimized payload that does the same essential patches as [[0wnboot]], those patches being the signature check patch and the range check patch. Its compactness lends itself nicely to the "run" command and the eight-byte serial payload issued by the [http://qik.com/video/1055647 example iPod Touch 2G dongle]<br />
[<br />
===Disassm===<br />
<pre><br />
ROM:00000000 LDR R3, =0xA1F10F ; flipped:<br />
ROM:00000000 ; 0x0FF1A100<br />
ROM:00000004 MOV R2, #0x2000<br />
ROM:00000008 STRH R2, [R3,#0x34] ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134<br />
ROM:00000008 ; this is usually the part of the sigcheck routine that<br />
ROM:00000008 ; would be jumped to if there was an error, so this<br />
ROM:00000008 ; just pretty much makes it return 0, saying everything<br />
ROM:00000008 ; went OK, versus -1, saying there was an error<br />
ROM:0000000C LDR R3, =0xFFAFF20F ; flipped:<br />
ROM:0000000C ; 0x0FF2AFFF<br />
ROM:00000010 MOVL R2, 0xFFFFFFFF<br />
ROM:00000014 STR R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0<br />
ROM:00000014 ; this patches the iboot flags to allow no range check,<br />
ROM:00000014 ; no permission check for restricted commands, aes gid<br />
ROM:00000014 ; and uid key are not restricted by devtree at boot so<br />
ROM:00000014 ; you can decrypt kbags with xpwn crypto bundle with<br />
ROM:00000014 ; no devtree patch needed, and more. basically tricks<br />
ROM:00000014 ; your device into thinking it is an engineering device<br />
ROM:00000018<br />
ROM:00000018 spin ; CODE XREF: ROM:spin�j<br />
ROM:00000018 B spin<br />
ROM:00000018 ; ---------------------------------------------------------------------------<br />
ROM:0000001C dword_1C DCD 0xA1F10F ; DATA XREF: ROM:00000000�r<br />
ROM:0000001C ; flipped:<br />
ROM:0000001C ; 0x0FF1A100<br />
ROM:00000020 dword_20 DCD 0xFFAFF20F ; DATA XREF: ROM:0000000C�r<br />
ROM:00000020 ; ROM ends ; flipped:<br />
ROM:00000020 ; 0x0FF2AFFF<br />
</pre><br />
<br />
==Source==<br />
<pre><br />
#define A_CHECK_SIGN 0x0FF1A134 // sigcheck loc<br />
#define A_CHECK_PERM 0xFF2ADC0 // ib flags loc<br />
<br />
void redsn0w(void) {<br />
*(vu16 *)A_CHECK_SIGN = 0x2000; // pwnage<br />
*(vu32 *)A_CHECK_PERM = 0xffffffff; // permissions<br />
while(1);<br />
}<br />
</pre><br />
<br />
==Links==<br />
[http://redsn0w.com/ Red Sn0w Website]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Timeline&diff=3002Timeline2009-02-08T10:30:35Z<p>MuscleNerd: /* January */</p>
<hr />
<div>==2009==<br />
<br />
===January===<br />
* January 31 -- [[The dev team]] released a "lite" version of [[redsn0w]], a tethered jailbreak for the [[iPod touch 2G]]. It combines the [[ARM7 Go]] exploit with the well-established pwnage flow for other Apple mobile devices. It is bundled in a way that will allow usage on the 2.2.1 firmware.<br />
<br />
* January 25 -- [[0wnboot]] is released to chronicdev google code page, thanks to AriX, chronic, CPICH, westbaer, ius, pod2g, the rest of the iPod devel crew on IRC, and to the #iphone-hax lab rats. In effect, within days AriX as well as other independent devs got a ramdisk booting and / or a pwnage bundle created and working.<br />
<br />
* January 17 -- [[The dev team]] [http://twitter.com/MuscleNerd/status/1127346766 shows a video demo] of the first jailbroken iPod Touch 2G. This tethered jailbreak is released 2 weeks later.<br />
<br />
* January 16 -- [[ARM7 Go]] hole disclosed where else but here on The iPhone Wiki, for developers to poke and prod at<br />
<br />
* January 15 -- [[The dev team]] [http://twitter.com/iphone_dev/status/1120595069 tweets the vfdecrypt key] for the [[iPod touch 2G]] 2.2 firmware, demonstrating for the first time that unsigned code can now be run on that device.<br />
<br />
* January 1 -- [[The dev team]] released [[yellowsn0w]] 0.9 beta for baseband 02.28.00.<br />
<br />
==2008==<br />
<br />
===December===<br />
* December 21 -- [[MuscleNerd]], of [[the dev team]] does a live demo of the 3G unlock, dubbed as 'yellowsn0w': http://qik.com/video/729275<br />
<br />
===August===<br />
* August 18 -- [[The dev team]] releases [http://wikee.iphwn.org/news:pwnage20announcement QuickPwn], a 2.x [[pwnage]]/ramdisk combination exploit that allows jailbreaking without needing to create custom IPSWs.<br />
<br />
===July===<br />
* July 22 -- [[TA_Mobile]] hardware dumps the 3G baseband (bootloader 5.8 & FW 1.45.00) by desoldering the [[NOR]].<br />
* July 19 -- [[The dev team]] releases [[PwnageTool]] 2.0, jailbreaking and unlocking the 2.0 software on the iPhone 2G and jailbreaking the 2.0 software on the iPhone 3G.<br />
* July 11 -- [[iPhone 3G]] is released.<br />
<br />
===June===<br />
* June 9 - [[iPhone 3G]] is announced at [[WWDC]] '08.<br />
<br />
===April===<br />
* April 3 -- Dev team releases [[PwnageTool]] 1.0, making use of the pmdx exploit (to patch RSA checks out of the [[kernel]], to write unsigned to [[NOR]])<br />
<br />
===March===<br />
* March 12 -- Dev team releases dual-boot jailbreak method, only to be silently fixed in 2.0.<br />
* March 4 -- [[User:N000b|George Zhu (n000b)]] releases [[ILiberty / ILiberty%2B]].<br />
<br />
===February===<br />
* February 11 -- [[Zibri]] releases [[ZiPhone]], the first all-in-one unlock, activate, jailbreak solution.<br />
* February 8 -- [[User:Geohot|geohot]] releases software unlock for 4.6, Apple states 25% of phones were never activated with AT&T.<br />
<br />
===January===<br />
* January 28 -- Dev team releases soft upgrade jailbreak for 1.1.3.<br />
* January 18 -- Geohot and his friends [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html unlocked 1.1.2 OTB 4.6 by test point], the unbeatable version at that time.<br />
* January 18 -- Dev team posts YouTube video of a jailbroken 1.1.3, which was made possible by the dual boot jailbreak from bgm.<br />
<br />
== 2007 ==<br />
===November===<br />
* November 15 -- New baseband [[Bootloader 4.6|bootloader (4.6)]] comes out, new iPhones can't be unlocked.<br />
* November 2 -- [[Jailbreakme]] is released, bringing jailbreaking to the mainstream iPhone user.<br />
<br />
===October===<br />
* October 23 -- iPhone-Elite Team releases the [[Virginizer]].<br />
<br />
===September===<br />
* September 11 -- [[The dev team]] releases [[iUnlock]], first free software unlock.<br />
* September 10 -- [[IPSF]] releases first paid software unlock.<br />
<br />
===August===<br />
* August 23 -- [[User:Geohot|geohot]] and team release [[hardware unlock]] method.<br />
* August 21 -- Installer.app is released, first GUI apps are distributed.<br />
<br />
===July===<br />
* July 23 -- First phones are used with other carriers by means of [[SIM hacks]].<br />
* July 20 -- nightwatch adapts a [[toolchain]] to the iPhone. The first apps are compiled.<br />
* July 9 -- [[The dev team]] releases a [[jailbreak]] method. The first use of this is ringtones.<br />
* July 3 -- DVD Jon first cracks [[activation]]. People can use the apps on the phone without a subscription.<br />
<br />
===June===<br />
* June 29 -- [[iPhone]] is released. World's most hyped consumer product.</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Timeline&diff=3001Timeline2009-02-08T10:19:57Z<p>MuscleNerd: /* January */</p>
<hr />
<div>==2009==<br />
<br />
===January===<br />
* January 31 -- [[The dev team]] released a "lite" version of [[redsn0w]], a tethered jailbreak for the [[iPod touch 2G]], hinging on the [[ARM7 Go]] exploit. It is bundled in a way that will allow usage on the 2.2.1 firmware.<br />
<br />
* January 25 -- [[0wnboot]] is released to chronicdev google code page, thanks to AriX, chronic, CPICH, westbaer, ius, pod2g, the rest of the iPod devel crew on IRC, and to the #iphone-hax lab rats. In effect, within days AriX as well as other independent devs got a ramdisk booting and / or a pwnage bundle created and working.<br />
<br />
* January 17 -- [[The dev team]] [http://twitter.com/MuscleNerd/status/1127346766 shows a video demo] of the first jailbroken iPod Touch 2G. This tethered jailbreak is released 2 weeks later.<br />
<br />
* January 16 -- [[ARM7 Go]] hole disclosed where else but here on The iPhone Wiki, for developers to poke and prod at<br />
<br />
* January 15 -- [[The dev team]] [http://twitter.com/iphone_dev/status/1120595069 tweets the vfdecrypt key] for the [[iPod touch 2G]] 2.2 firmware, demonstrating for the first time that unsigned code can now be run on that device.<br />
<br />
* January 1 -- [[The dev team]] released [[yellowsn0w]] 0.9 beta for baseband 02.28.00.<br />
<br />
==2008==<br />
<br />
===December===<br />
* December 21 -- [[MuscleNerd]], of [[the dev team]] does a live demo of the 3G unlock, dubbed as 'yellowsn0w': http://qik.com/video/729275<br />
<br />
===August===<br />
* August 18 -- [[The dev team]] releases [http://wikee.iphwn.org/news:pwnage20announcement QuickPwn], a 2.x [[pwnage]]/ramdisk combination exploit that allows jailbreaking without needing to create custom IPSWs.<br />
<br />
===July===<br />
* July 22 -- [[TA_Mobile]] hardware dumps the 3G baseband (bootloader 5.8 & FW 1.45.00) by desoldering the [[NOR]].<br />
* July 19 -- [[The dev team]] releases [[PwnageTool]] 2.0, jailbreaking and unlocking the 2.0 software on the iPhone 2G and jailbreaking the 2.0 software on the iPhone 3G.<br />
* July 11 -- [[iPhone 3G]] is released.<br />
<br />
===June===<br />
* June 9 - [[iPhone 3G]] is announced at [[WWDC]] '08.<br />
<br />
===April===<br />
* April 3 -- Dev team releases [[PwnageTool]] 1.0, making use of the pmdx exploit (to patch RSA checks out of the [[kernel]], to write unsigned to [[NOR]])<br />
<br />
===March===<br />
* March 12 -- Dev team releases dual-boot jailbreak method, only to be silently fixed in 2.0.<br />
* March 4 -- [[User:N000b|George Zhu (n000b)]] releases [[ILiberty / ILiberty%2B]].<br />
<br />
===February===<br />
* February 11 -- [[Zibri]] releases [[ZiPhone]], the first all-in-one unlock, activate, jailbreak solution.<br />
* February 8 -- [[User:Geohot|geohot]] releases software unlock for 4.6, Apple states 25% of phones were never activated with AT&T.<br />
<br />
===January===<br />
* January 28 -- Dev team releases soft upgrade jailbreak for 1.1.3.<br />
* January 18 -- Geohot and his friends [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html unlocked 1.1.2 OTB 4.6 by test point], the unbeatable version at that time.<br />
* January 18 -- Dev team posts YouTube video of a jailbroken 1.1.3, which was made possible by the dual boot jailbreak from bgm.<br />
<br />
== 2007 ==<br />
===November===<br />
* November 15 -- New baseband [[Bootloader 4.6|bootloader (4.6)]] comes out, new iPhones can't be unlocked.<br />
* November 2 -- [[Jailbreakme]] is released, bringing jailbreaking to the mainstream iPhone user.<br />
<br />
===October===<br />
* October 23 -- iPhone-Elite Team releases the [[Virginizer]].<br />
<br />
===September===<br />
* September 11 -- [[The dev team]] releases [[iUnlock]], first free software unlock.<br />
* September 10 -- [[IPSF]] releases first paid software unlock.<br />
<br />
===August===<br />
* August 23 -- [[User:Geohot|geohot]] and team release [[hardware unlock]] method.<br />
* August 21 -- Installer.app is released, first GUI apps are distributed.<br />
<br />
===July===<br />
* July 23 -- First phones are used with other carriers by means of [[SIM hacks]].<br />
* July 20 -- nightwatch adapts a [[toolchain]] to the iPhone. The first apps are compiled.<br />
* July 9 -- [[The dev team]] releases a [[jailbreak]] method. The first use of this is ringtones.<br />
* July 3 -- DVD Jon first cracks [[activation]]. People can use the apps on the phone without a subscription.<br />
<br />
===June===<br />
* June 29 -- [[iPhone]] is released. World's most hyped consumer product.</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Timeline&diff=3000Timeline2009-02-08T10:16:49Z<p>MuscleNerd: /* January */</p>
<hr />
<div>==2009==<br />
<br />
===January===<br />
* January 31 -- [[The dev team]] released a "lite" version of [[redsn0w]], a tethered jailbreak for the [[iPod touch 2G]], hinging on the [[ARM7 Go]] exploit. It is bundled in a way that will allow usage on the 2.2.1 firmware.<br />
<br />
* January 25 -- [[0wnboot]] is released to chronicdev google code page, thanks to AriX, chronic, CPICH, westbaer, ius, pod2g, the rest of the iPod devel crew on IRC, and to the #iphone-hax lab rats. In effect, within days AriX as well as other independent devs got a ramdisk booting and / or a pwnage bundle created and working.<br />
<br />
* January 17 -- [[The dev team]] [http://twitter.com/MuscleNerd/status/1127346766 shows a video demo] of the first jailbroken iPod Touch 2G. This tethered jailbreak is released 2 weeks later.<br />
<br />
* January 16 -- [[ARM7 Go]] hole disclosed where else but here on The iPhone Wiki, for developers to poke and prod at<br />
<br />
* January 15 -- [[The dev team]] [http://twitter.com/iphone_dev/status/1120595069 tweets the vfdecrypt key] for the [[iPod touch 2G]], demonstrating for the first time that unsigned code can now be run on that device.<br />
<br />
* January 1 -- [[The dev team]] released [[yellowsn0w]] 0.9 beta for baseband 02.28.00.<br />
<br />
==2008==<br />
<br />
===December===<br />
* December 21 -- [[MuscleNerd]], of [[the dev team]] does a live demo of the 3G unlock, dubbed as 'yellowsn0w': http://qik.com/video/729275<br />
<br />
===August===<br />
* August 18 -- [[The dev team]] releases [http://wikee.iphwn.org/news:pwnage20announcement QuickPwn], a 2.x [[pwnage]]/ramdisk combination exploit that allows jailbreaking without needing to create custom IPSWs.<br />
<br />
===July===<br />
* July 22 -- [[TA_Mobile]] hardware dumps the 3G baseband (bootloader 5.8 & FW 1.45.00) by desoldering the [[NOR]].<br />
* July 19 -- [[The dev team]] releases [[PwnageTool]] 2.0, jailbreaking and unlocking the 2.0 software on the iPhone 2G and jailbreaking the 2.0 software on the iPhone 3G.<br />
* July 11 -- [[iPhone 3G]] is released.<br />
<br />
===June===<br />
* June 9 - [[iPhone 3G]] is announced at [[WWDC]] '08.<br />
<br />
===April===<br />
* April 3 -- Dev team releases [[PwnageTool]] 1.0, making use of the pmdx exploit (to patch RSA checks out of the [[kernel]], to write unsigned to [[NOR]])<br />
<br />
===March===<br />
* March 12 -- Dev team releases dual-boot jailbreak method, only to be silently fixed in 2.0.<br />
* March 4 -- [[User:N000b|George Zhu (n000b)]] releases [[ILiberty / ILiberty%2B]].<br />
<br />
===February===<br />
* February 11 -- [[Zibri]] releases [[ZiPhone]], the first all-in-one unlock, activate, jailbreak solution.<br />
* February 8 -- [[User:Geohot|geohot]] releases software unlock for 4.6, Apple states 25% of phones were never activated with AT&T.<br />
<br />
===January===<br />
* January 28 -- Dev team releases soft upgrade jailbreak for 1.1.3.<br />
* January 18 -- Geohot and his friends [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html unlocked 1.1.2 OTB 4.6 by test point], the unbeatable version at that time.<br />
* January 18 -- Dev team posts YouTube video of a jailbroken 1.1.3, which was made possible by the dual boot jailbreak from bgm.<br />
<br />
== 2007 ==<br />
===November===<br />
* November 15 -- New baseband [[Bootloader 4.6|bootloader (4.6)]] comes out, new iPhones can't be unlocked.<br />
* November 2 -- [[Jailbreakme]] is released, bringing jailbreaking to the mainstream iPhone user.<br />
<br />
===October===<br />
* October 23 -- iPhone-Elite Team releases the [[Virginizer]].<br />
<br />
===September===<br />
* September 11 -- [[The dev team]] releases [[iUnlock]], first free software unlock.<br />
* September 10 -- [[IPSF]] releases first paid software unlock.<br />
<br />
===August===<br />
* August 23 -- [[User:Geohot|geohot]] and team release [[hardware unlock]] method.<br />
* August 21 -- Installer.app is released, first GUI apps are distributed.<br />
<br />
===July===<br />
* July 23 -- First phones are used with other carriers by means of [[SIM hacks]].<br />
* July 20 -- nightwatch adapts a [[toolchain]] to the iPhone. The first apps are compiled.<br />
* July 9 -- [[The dev team]] releases a [[jailbreak]] method. The first use of this is ringtones.<br />
* July 3 -- DVD Jon first cracks [[activation]]. People can use the apps on the phone without a subscription.<br />
<br />
===June===<br />
* June 29 -- [[iPhone]] is released. World's most hyped consumer product.</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Redsn0w_Lite&diff=2915Redsn0w Lite2009-01-31T17:22:07Z<p>MuscleNerd: </p>
<hr />
<div>This is the [[dev team|iPhone Dev Team's]] tethered jailbreak ("redsn0w-lite") for the [[n72ap|iPod Touch 2G]]. It is their payload for the [[ARM7 Go]] backdoor. It's analagous to how [[yellowsn0w]] is the actual unlocking payload injected by the [[at+stkprof]] exploit in baseband 02.28.00.<br />
<br />
==What it does==<br />
For the most part, it is a nicely optimized payload that does the same patches as [[0wnboot]], being the signature check patch and the range check patch.<br />
<br />
===Disassm===<br />
<pre><br />
ROM:00000000 LDR R3, =0xA1F10F ; flipped:<br />
ROM:00000000 ; 0x0FF1A100<br />
ROM:00000004 MOV R2, #0x2000<br />
ROM:00000008 STRH R2, [R3,#0x34] ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134<br />
ROM:00000008 ; this is usually the part of the sigcheck routine that<br />
ROM:00000008 ; would be jumped to if there was an error, so this<br />
ROM:00000008 ; just pretty much makes it return 0, saying everything<br />
ROM:00000008 ; went OK, versus -1, saying there was an error<br />
ROM:0000000C LDR R3, =0xFFAFF20F ; flipped:<br />
ROM:0000000C ; 0x0FF2AFFF<br />
ROM:00000010 MOVL R2, 0xFFFFFFFF<br />
ROM:00000014 STR R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0<br />
ROM:00000014 ; this patches the iboot flags to allow no range check,<br />
ROM:00000014 ; no permission check for restricted commands, aes gid<br />
ROM:00000014 ; and uid key are not restricted by devtree at boot so<br />
ROM:00000014 ; you can decrypt kbags with xpwn crypto bundle with<br />
ROM:00000014 ; no devtree patch needed, and more. basically tricks<br />
ROM:00000014 ; your device into thinking it is an engineering device<br />
ROM:00000018<br />
ROM:00000018 spin ; CODE XREF: ROM:spin�j<br />
ROM:00000018 B spin<br />
ROM:00000018 ; ---------------------------------------------------------------------------<br />
ROM:0000001C dword_1C DCD 0xA1F10F ; DATA XREF: ROM:00000000�r<br />
ROM:0000001C ; flipped:<br />
ROM:0000001C ; 0x0FF1A100<br />
ROM:00000020 dword_20 DCD 0xFFAFF20F ; DATA XREF: ROM:0000000C�r<br />
ROM:00000020 ; ROM ends ; flipped:<br />
ROM:00000020 ; 0x0FF2AFFF<br />
</pre><br />
<br />
==Source==<br />
<pre><br />
void redsn0w(void) {<br />
*(vu16 *)A_CHECK_SIGN = 0x2000; // pwnage<br />
*(vu32 *)A_CHECK_PERM = 0xffffffff; // permissions<br />
while(1);<br />
}<br />
</pre><br />
<br />
==Links==<br />
[http://redsn0w.com/ Red Sn0w Website]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Redsn0w_Lite&diff=2914Redsn0w Lite2009-01-31T17:18:43Z<p>MuscleNerd: </p>
<hr />
<div>This is the [[dev team|iPhone Dev Team's]] tethered jailbreak ("redsn0w-lite") for the [[n72ap|iPod Touch 2G]]. It is their payload for the [[ARM7 Go]] backdoor. It's analagous to how [[yellowsn0w]] is the actual unlocking payload injected by the [[at+stkprof]] exploit in baseband 02.28.00.<br />
<br />
==What it does==<br />
For the most part, it is a nicely optimized payload that does the same patches as [[0wnboot]], being the signature check patch and the range check patch.<br />
<br />
===Disassm===<br />
<pre><br />
ROM:00000000 LDR R3, =0xA1F10F ; flipped:<br />
ROM:00000000 ; 0x0FF1A100<br />
ROM:00000004 MOV R2, #0x2000<br />
ROM:00000008 STRH R2, [R3,#0x34] ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134<br />
ROM:00000008 ; this is usually the part of the sigcheck routine that<br />
ROM:00000008 ; would be jumped to if there was an error, so this<br />
ROM:00000008 ; just pretty much makes it return 0, saying everything<br />
ROM:00000008 ; went OK, versus -1, saying there was an error<br />
ROM:0000000C LDR R3, =0xFFAFF20F ; flipped:<br />
ROM:0000000C ; 0x0FF2AFFF<br />
ROM:00000010 MOVL R2, 0xFFFFFFFF<br />
ROM:00000014 STR R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0<br />
ROM:00000014 ; this patches the iboot flags to allow no range check,<br />
ROM:00000014 ; no permission check for restricted commands, aes gid<br />
ROM:00000014 ; and uid key are not restricted by devtree at boot so<br />
ROM:00000014 ; you can decrypt kbags with xpwn crypto bundle with<br />
ROM:00000014 ; no devtree patch needed, and more. basically tricks<br />
ROM:00000014 ; your device into thinking it is an engineering device<br />
ROM:00000018<br />
ROM:00000018 spin ; CODE XREF: ROM:spin�j<br />
ROM:00000018 B spin<br />
ROM:00000018 ; ---------------------------------------------------------------------------<br />
ROM:0000001C dword_1C DCD 0xA1F10F ; DATA XREF: ROM:00000000�r<br />
ROM:0000001C ; flipped:<br />
ROM:0000001C ; 0x0FF1A100<br />
ROM:00000020 dword_20 DCD 0xFFAFF20F ; DATA XREF: ROM:0000000C�r<br />
ROM:00000020 ; ROM ends ; flipped:<br />
ROM:00000020 ; 0x0FF2AFFF<br />
</pre><br />
<br />
==Links==<br />
[http://redsn0w.com/ Red Sn0w Website]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Firmware_Keys&diff=2819Firmware Keys2009-01-15T18:41:00Z<p>MuscleNerd: </p>
<hr />
<div>== Introduction ==<br />
These keys are for use with the 'vfdecrypt' tool to decrypt the main filesystem DMG found in every iPhone/iPhone 3G/iPod touch .ipsw file. Every key will work on the main filesystem DMG for that build, regardless if it is for the iPhone or iPod touch unless specified. The DMG that you are after is the bigger one, in the case of current builds of 2.0, it can sometimes be 200+ MB!<br />
<br />
== VFDecrypt Usage ==<br />
./vfdecrypt -i <dmg> -o decrypted_fs.dmg -k <key><br />
<br />
== Gaps ==<br />
As you will notice, there may be a gap or two, or a key for a current build that is not there. Please feel free to add them, but please be sure that it is only the key for a User or Developer build, as if you gave the key for another type of build that might or may not be out there '''people could get in trouble, and we do not want that'''. Thanks for contributing!<br />
<br />
== Downloads ==<br />
<br />
* http://rgov.org/files/vfdecrypt.zip (Mac OS X Universal) (link is broken)<br />
* http://iphoneelite.googlecode.com/files/vfdecrypt.zip (Windows)<br />
<br />
* Source Credit: http://lorenzo.yellowspace.net/corrupt-sparseimage.html<br />
<br />
== 1.0 (Build 1A543a) ==<br />
28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d<br />
<br />
== 1.0.1 (Build 1C25) ==<br />
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5<br />
<br />
== 1.0.2 (Build 1C28) ==<br />
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5<br />
<br />
== 1.1.1 (Build 3A109a) ==<br />
f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3<br />
<br />
== 1.1.1 (Build 3A110a) ==<br />
d45b837ddd85bdae0ec82a033ba00ea03ceb8c827040034f7554c65d6376472844b8dc6a<br />
<br />
== 1.1.2 (Build 3B48b) ==<br />
70e11d7209602ada5b15fbecc1709ad4910d0ad010bb9a9125b78f9f50e25f3e05c595e2<br />
<br />
== 1.1.3 (Build 4A93) ==<br />
11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816<br />
<br />
== 1.1.4 (Build 4A102) ==<br />
d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe<br />
<br />
== 1.1.5 (Build 4B1) ==<br />
c7973558e8f6af22e38d4573737d1533f1d5eec202bf86a32d941975d76f8906c7f0afe4<br />
<br />
== 1.2 (Beta 1) (Build 5A147p) ==<br />
86bec353ddfbe3fb750e9d7905801f79791e69acf65d16930d288e697644c76f16c4f16d<br />
<br />
== 2.0 (Beta 2) (Build 5A225c) ==<br />
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7<br />
<br />
== 2.0 (Beta 3) (Build 5A240d) ==<br />
e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36<br />
<br />
== 2.0 (Beta 4) (Build 5A258f) ==<br />
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c<br />
<br />
== 2.0 (Beta 5) (Build 5a274d) ==<br />
589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7<br />
<br />
== 2.0 (Beta 6 Pre-Release) (Build 5a292g) ==<br />
890b1fbf22975e0d4be2ea3f9bc5c87f38fd8158394fd31cf80a43ad25547573bbd0ec4e<br />
<br />
== 2.0 (Beta 6 Final) (Build 5a308) ==<br />
3964ca8d8bf5d3715cdc172986f2d9606672c54d5e0aa3f3a892166b4e54e4cefef21279<br />
<br />
== 2.0 (Beta 7) (Build 5a331) ==<br />
3d9a9832a108fc5084fc9329d6e84e38edf06e380554c49376b70e951f8a8d1ed943f819<br />
<br />
== 2.0 (Build 5a347) ==<br />
Ramdisk Key: 85 0A FC 27 11 32 D1 5A E6 98 95 65 56 7E 65 BF<br />
Ramdisk IV: 29 68 1F 62 5D 1F 61 27 1E C3 11 66 01 B8 BC DE<br />
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755<br />
<br />
== 2.0.1 (Build 5B108) ==<br />
Ramdisk Key: 21 9E AC 3E 01 27 6C 7E C5 04 32 12 3F 50 97 1A<br />
Ramdisk IV: 02 4f DB BA 71 EB F3 4D F5 B5 25 CD 97 5A EF E8<br />
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755<br />
<br />
== 2.0.2 (Build 5C1) ==<br />
Ramdisk Key: CC 02 8F D2 9D C2 7F 89 5E 40 1D 98 65 E7 21 00<br />
Ramdisk IV: 53 7E B4 E7 12 9E A8 1F 57 2E C2 3D BE C4 2B 80<br />
31e3ff09ff046d5237187346ee893015354d2135e3f0f39480be63dd2a18444961c2da5d<br />
<br />
== 2.1 (Beta 1) (Build 5F90) ==<br />
Ramdisk Key: 78 29 32 89 1F 0D 76 DB 49 0F DD CA 02 7A 13 B2<br />
Ramdisk IV: 6B EA 32 6D 0F 41 10 51 59 F0 AE A8 F9 9F E7 77<br />
f61c14aa0d53386dd42c49163686e8ccdeb86d14aafdecfe99c2e12c41a7f9f2811daa3d<br />
<br />
== 2.1 (Build 5F136) ==<br />
Ramdisk Key: 42 B4 F3 99 76 AF A5 9F 9E C6 80 FC CD 2C 7D 04<br />
Ramdisk IV: FD 53 0C 4C F8 A8 78 F1 63 87 43 29 88 B1 99 B8<br />
562ca0f7963eafb462da74a9c1f01a45c30a7eb5f1f493feceecae03ee6521a334f4ff68<br />
<br />
== 2.1 (Build 5F137) ==<br />
Ramdisk Key: 7C 80 7F 65 65 01 5D AA 6D 18 2D FF 79 5E 10 91<br />
Ramdisk IV: 5C B7 FA 82 E8 FC 42 B9 DB 6C 02 7D 8F 4C 7C 39<br />
9714f2cb955afa550d6287a1c7dd7bd0efb3c26cf74b948de7c43cf934913df69fc5a05f<br />
<br />
== 2.2 (Build 5G77) ==<br />
Ramdisk Key: EE A6 E8 78 24 A3 C0 B0 BE 86 E8 E2 BB D8 CF E9<br />
Ramdisk IV: 18 2C DD A9 0A 38 87 0D E9 68 80 EE 7F F5 BB BC<br />
dc39d88afe4cbd8a3f36824b8fd68acf04ac72718c09100816c5cb89889b8079e96802f0<br />
<br />
== 2.2 (Build 5G77a) ==<br />
148025cde5c51d51d7733e74c6857dfca70d7240287d6eb039a1ed835413120b0af1e296<br />
<br />
== See also ==<br />
<br />
* [[System]] - a page with links to download the firmware images</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Talk:AT%2Bstkprof&diff=2784Talk:AT+stkprof2009-01-08T20:18:34Z<p>MuscleNerd: </p>
<hr />
<div>== damn ==<br />
<br />
props Darkmen, that is some epic shit right there :)<br />
<br />
== wrong topic ==<br />
<br />
it's on the wrong topic</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=2721Ultrasn0w2009-01-05T19:05:34Z<p>MuscleNerd: removed leech website</p>
<hr />
<div>The first [[iPhone 3G]] [[Unlock 2.0|unlock]] payload. Released on 01/01/09. [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]<br />
<br />
==Credit==<br />
MuscleNerd, and [[The dev team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Current Injection Vector==<br />
<br />
yellowsn0w refers to the reuseable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00 and the decision was made to release yellowsn0w with this injection vector to benefit the most people.<br />
<br />
The injection vector is discussed [[AT+stkprof Exploit|here]]<br />
<br />
==Source Code==<br />
The source code for yellowsn0w is now live [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==Compatibility==<br />
<br />
{| class="wikitable sortable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
! Country<br />
! Provider<br />
! yellowsn0w Version<br />
! SIM/USIM<br />
! Ingoing Calls?<br />
! Outgoing Calls?<br />
! SMS?<br />
! GPRS/EDGE?<br />
! UMTS/HSDPA?<br />
! Comments<br />
|-<br />
| Bermuda<br />
| Mobility<br />
| 0.9.5<br />
| SIM<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| Not Available<br />
| <br />
|-<br />
| Germany<br />
| O2<br />
| <=0.9.4<br />
| SIM<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| Icon shown but not tested<br />
| Icon shown but not tested<br />
| <br />
|-<br />
| Israel<br />
| IL Orange<br />
| 0.9.5<br />
| USIM<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| Requires turning airplane mode on and off to get signal. After that, works perfectly.<br />
|}<br />
<br />
Additional information:<br />
http://report.yellowsn0w.com/<br />
<br />
==See Also==<br />
* [[Unlock 2.0]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's Demo]<br />
<br />
[[Category:Unlocking Methods]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Diags_(iBoot_command)&diff=2420Diags (iBoot command)2008-12-12T04:07:13Z<p>MuscleNerd: </p>
<hr />
<div>This was an exploit that allowed the running of unsigned code at iBoot level present of pre-2.0 versions of iBoot.<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
This is a very easy-to-use exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the S5L using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen or serial or USB).<br />
<br />
In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a retail device, just an engineering one with a 'whitelisted' CHIPID, so this exploit doesn't work.<br />
<br />
[[Category:Jailbreaks]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=JerrySIM&diff=2407JerrySIM2008-12-08T05:14:21Z<p>MuscleNerd: I think the policy is not to copy and paste large chunks from other URLs</p>
<hr />
<div>This was the dev teams approach to unlocking [[Bootloader 4.6]]<br />
<br />
==Credit==<br />
The dev team/elite team.<br />
<br />
==Exploit==<br />
This relied on a buffer overflow in the STK.<br />
<br />
==Resources==<br />
[http://code.google.com/p/iphone-elite/wiki/JerrySim the elite wiki's page on the topic]<br />
<br />
==Leaked Source==<br />
===Note===<br />
Zibri removed it from the Google Code page, but the source is still easily available via google cache, or the fact that Google Code wiki pages are svn based and you can easily just look at an earlier rev :)<br />
<br />
On the page before the source got deleted, Zibri referred to it as C source, although by the looks of it he may have failed to realize that it is a payload meant to be run off of a TurboSIM<br />
<br />
===Code===<br />
[http://code.google.com/p/iphone-elite/source/browse/wiki/JerrySim.wiki?r=581 link to code]<br />
<br />
[[Category:Unlocking Methods]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Diags_(iBoot_command)&diff=2383Diags (iBoot command)2008-11-29T04:25:25Z<p>MuscleNerd: </p>
<hr />
<div>This was an exploit in pre 2.0 versions of iBoot<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
This is a very simple exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the s5l using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen or serial or USB).<br />
<br />
In 2.0 iBoots, they check the permission register for this command, so the exploit doesn't work.<br />
<br />
[[Category:Jailbreaks]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Diags_(iBoot_command)&diff=2382Diags (iBoot command)2008-11-29T04:23:04Z<p>MuscleNerd: </p>
<hr />
<div>This was an exploit in pre 2.0 versions of iBoot<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
This is a very simple exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the s5l using this, but the GPIOs need to be restored first.<br />
<br />
In 2.0 iBoots, they check the permission register for this command, so the exploit doesn't work.<br />
<br />
[[Category:Jailbreaks]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Diags_(iBoot_command)&diff=2381Diags (iBoot command)2008-11-29T01:22:06Z<p>MuscleNerd: </p>
<hr />
<div>This was an exploit in pre 2.0 versions of iBoot<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
This is a very simple exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the baseband using this, but the GPIOs need to be restored first.<br />
<br />
In 2.0 iBoots, they check the permission register for this command, so the exploit doesn't work.<br />
<br />
[[Category:Jailbreaks]]</div>MuscleNerdhttps://www.theiphonewiki.com/w/index.php?title=Pwnage_2.0&diff=2375Pwnage 2.02008-11-25T11:19:24Z<p>MuscleNerd: pwnagetool and family load the dfu exploit explicitly now</p>
<hr />
<div>This exploit in the [[VROM]] is really the ultimate exploit, since it allows unsigned code to be run at the lowest level. It can be patched out '''only''' by a new hardware revision.<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
There is a stack overflow in the certificate parsing code. By passing a malformed certificate, unsigned code can be run.<br />
<br />
==Implementations==<br />
*[[PwnageTool]]<br />
*[[QuickPwn]]<br />
*[[WinPwn]]<br />
*[http://lpahome.com/geohot/iran.rar iran]<br />
<br />
[[Category:Jailbreaks]]</div>MuscleNerd