Difference between revisions of "N72AP"

From The iPhone Wiki
Jump to: navigation, search
(Device IDs)
Line 25: Line 25:
   
 
==Device IDs==
 
==Device IDs==
0x1227 = DFU Mode (Basically WTF 2.0 burned into bootrom)
+
'''0x1227''' = DFU Mode (Basically WTF 2.0 burned into bootrom)<br>
0x1281 = Recovery Mode (iBEC) as well as the iBSS used when communicating with DFU mode
+
'''0x1281''' = Recovery Mode (iBEC) as well as the iBSS used when communicating with DFU mode

Revision as of 02:17, 20 September 2008

This is the 2nd Generation iPod Touch

Model: n72ap Application Processor (OS Chip): s5l8720x

Decryption of it's Ramdisks, iBoot, LLB, Kernel, and friends

The application processor has a new GID key in it, so you can't decrypt kbags from it on any other device than itself. So, you pretty much will not even be able to make a pwned IPSW, let alone decrypt the RootFS, unless a low level (like, bootrom/kernel/iBoot) exploit is found. From there, it can be used to run code to decrypt the kbags so that we can in turn decrypt the files, and then to run code to actually pwn the device.

Bootrom exploit = No Go

DFU in the iPod Touch 2 is now 0x1227, so basically they took the patched up WTF and burned it into the bootrom, meaning the bootrom stack overflow is a no go...other methods are being tested though, no word on if they work yet...

Notes

-It has a new GID key.

-iBoot seems to map itself at 0xFF00000.

-LLB is encrypted, which is new.

-The s5l8900 WTF is still in the firmware strangely enough, but there is no n72ap WTF.

-It uses the same KBAG method, but as previously stated, it has a new GID key so nothing can be decrypted at the time without allowing unsigned code.

Internals

See: n72ap (Internals) - Remarkably it has a Bluetooth Chip, shown by iFixit, but apparently it may only be used for Rf transmission to the Nike+ kit.

Device IDs

0x1227 = DFU Mode (Basically WTF 2.0 burned into bootrom)
0x1281 = Recovery Mode (iBEC) as well as the iBSS used when communicating with DFU mode