Redsn0w Lite
Revision as of 17:22, 31 January 2009
This is the iPhone Dev Team's tethered jailbreak ("redsn0w-lite") for the iPod touch 2G. It is their payload for the ARM7 Go backdoor. It is analogous to how yellowsn0w is the actual unlocking payload injected by the at+stkprof exploit in baseband 02.28.00.
What it does
For the most part, it is a nicely optimized payload that applies the same two patches as 0wnboot: the signature-check patch and the range-check patch.
Disassembly
<pre>
ROM:00000000                 LDR     R3, =0xA1F10F    ; flipped:
ROM:00000000                                          ; 0x0FF1A100
ROM:00000004                 MOV     R2, #0x2000
ROM:00000008                 STRH    R2, [R3,#0x34]   ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134
ROM:00000008                                          ; this is usually the part of the sigcheck routine that
ROM:00000008                                          ; would be jumped to if there was an error, so this
ROM:00000008                                          ; just pretty much makes it return 0, saying everything
ROM:00000008                                          ; went OK, versus -1, saying there was an error
ROM:0000000C                 LDR     R3, =0xFFAFF20F  ; flipped:
ROM:0000000C                                          ; 0x0FF2AFFF
ROM:00000010                 MOVL    R2, 0xFFFFFFFF
ROM:00000014                 STR     R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0
ROM:00000014                                          ; this patches the iboot flags to allow no range check,
ROM:00000014                                          ; no permission check for restricted commands, aes gid
ROM:00000014                                          ; and uid key are not restricted by devtree at boot so
ROM:00000014                                          ; you can decrypt kbags with xpwn crypto bundle with
ROM:00000014                                          ; no devtree patch needed, and more. basically tricks
ROM:00000014                                          ; your device into thinking it is an engineering device
ROM:00000018
ROM:00000018 spin                                     ; CODE XREF: ROM:spin↓j
ROM:00000018                 B       spin
ROM:00000018 ; ---------------------------------------------------------------------------
ROM:0000001C dword_1C        DCD 0xA1F10F             ; DATA XREF: ROM:00000000↑r
ROM:0000001C                                          ; flipped:
ROM:0000001C                                          ; 0x0FF1A100
ROM:00000020 dword_20        DCD 0xFFAFF20F           ; DATA XREF: ROM:0000000C↑r
ROM:00000020 ; ROM           ends                     ; flipped:
ROM:00000020                                          ; 0x0FF2AFFF
</pre>
Source
<pre>
#include <stdint.h>
typedef volatile uint16_t vu16;   /* assumed: volatile halfword, matches the STRH above */
typedef volatile uint32_t vu32;   /* assumed: volatile word, matches the STR above */
#define A_CHECK_SIGN 0x0FF1A134   /* NEGS R0, R0 in the sigcheck error path (see disassembly) */
#define A_CHECK_PERM 0x0FF2ADC0   /* iBoot flags word (see disassembly) */
void redsn0w(void) {
  *(vu16 *)A_CHECK_SIGN = 0x2000;      // pwnage: Thumb MOVS R0, #0, so sigcheck returns 0 (OK)
  *(vu32 *)A_CHECK_PERM = 0xffffffff;  // permissions: set every iBoot flag ("engineering device")
  while(1);                            // spin forever; control never returns to iBoot
}
</pre>
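To check that the disassembly and the C source above really describe the same two stores, here is an added analysis script (not part of the wiki page or the Dev Team's code). It byte-swaps the two literal-pool words the way the "flipped:" comments do, applies the offsets from the STRH/STR operands, and decodes the halfword at the sigcheck patch site before and after the write; the sparse memory dict and its initial 0x4240 (Thumb NEGS R0, R0) are constructed for the demo.

```python
import struct

# Literal-pool values exactly as IDA shows them in the disassembly above.
# The payload bytes were read in the wrong byte order, so each word is
# byte-swapped ("flipped") to recover the real iBoot address.
LITERAL_SIGN = 0x00A1F10F   # dword_1C, flipped -> 0x0FF1A100
LITERAL_PERM = 0xFFAFF20F   # dword_20, flipped -> 0x0FF2AFFF


def flip(word):
    """Byte-swap a 32-bit word (0x0FF1A100 is stored as 0x00A1F10F)."""
    return struct.unpack("<I", struct.pack(">I", word))[0]


def thumb_decode(halfword):
    """Decode only the two Thumb-1 encodings this page involves."""
    if halfword >> 11 == 0b00100:                # MOVS Rd, #imm8
        return "MOVS R%d, #%d" % ((halfword >> 8) & 7, halfword & 0xFF)
    if halfword >> 6 == 0b0100001001:            # NEGS Rd, Rm
        return "NEGS R%d, R%d" % (halfword & 7, (halfword >> 3) & 7)
    return "<unknown 0x%04x>" % halfword


def apply_payload(mem):
    """Replay the two stores of redsn0w() on a sparse memory dict.

    Returns (A_CHECK_SIGN, A_CHECK_PERM) as derived from the listing.
    """
    a_check_sign = flip(LITERAL_SIGN) + 0x34     # STRH R2, [R3,#0x34]
    a_check_perm = flip(LITERAL_PERM) - 0x23F    # STR  R2, [R3,#-0x23F]
    mem[a_check_sign] = 0x2000                   # halfword store
    mem[a_check_perm] = 0xFFFFFFFF               # word store
    return a_check_sign, a_check_perm


if __name__ == "__main__":
    # Constructed memory: only the sigcheck error-path instruction is populated.
    mem = {0x0FF1A134: 0x4240}
    print("before:", thumb_decode(mem[0x0FF1A134]))
    sign, perm = apply_payload(mem)
    print("after: ", thumb_decode(mem[sign]), "at 0x%08X" % sign)
    print("flags: 0x%08X at 0x%08X" % (mem[perm], perm))
```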
