Difference between revisions of "ARM7 Go"

From The iPhone Wiki
Jump to: navigation, search
(Payload)
Line 12: Line 12:
 
The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and it will jump to it. The limitation is, unlike the [[diags]] exploit you cannot just pass a patched iBoot or iBEC. You must write a payload for it to run, but one that patches iBEC or iBoot in memory would do fine.
 
The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and it will jump to it. The limitation is, unlike the [[diags]] exploit you cannot just pass a patched iBoot or iBEC. You must write a payload for it to run, but one that patches iBEC or iBoot in memory would do fine.
   
  +
==Implementations==
How to execute your payload: upload ibss 2.1.1, upload payload, run arm7_go command to patch ibss, then upload your patched iboot.
 
===Implementations===
 
 
Two released payloads are [[RedSn0w]] and [[0wnboot]]
 
Two released payloads are [[RedSn0w]] and [[0wnboot]]
  +
  +
==How to use==
  +
* Enter device in [[DFU]] mode.
  +
* Upload iBSS 2.1.1.
  +
* Unplug and then replug the device.
  +
* Upload payload you wish to execute.
  +
* Run arm7_go command to execute payload.
  +
* Run arm7_stop to stop arm7 processor.
   
 
[[Category:Exploits]]
 
[[Category:Exploits]]

Revision as of 17:27, 22 July 2009

This vulnerability is present in 2.1.1 iPod Touch 2G devices, as well as the iBEC / iBSS if you choose to upload it via DFU. It allows the running of unsigned code on the iPod Touch 2G device's ARM7 coprocessor.

This exploit cannot be used on an iPhone, iPhone 3G, or iPod touch 1G, nor is there any reason for it to be as they have already been jailbroken.

Credit

chronic and iPhone Dev Team (independently)

Exploit

There is an ARM7 coprocessor in the iPod Touch 2G in addition to the main processor, the ARM11. Like the ADM in the S5L8900 devices, it has access to everything the ARM11 has access to, such as the AES engine, the PKE accelorator, and such. The actual vulnerability is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands: arm7_stop and arm7_go. They were promptly removed in 2.2. The arm7_go command had no signature checking, permissions checking, or anything like that.

Payload

The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and it will jump to it. The limitation is, unlike the diags exploit you cannot just pass a patched iBoot or iBEC. You must write a payload for it to run, but one that patches iBEC or iBoot in memory would do fine.

Implementations

Two released payloads are RedSn0w and 0wnboot

How to use

  • Enter device in DFU mode.
  • Upload iBSS 2.1.1.
  • Unplug and then replug the device.
  • Upload payload you wish to execute.
  • Run arm7_go command to execute payload.
  • Run arm7_stop to stop arm7 processor.