Difference between revisions of "N72AP"

From The iPhone Wiki
Jump to: navigation, search
Line 19: Line 19:
 
-The s5l8900 [[WTF]] is still in the firmware strangely enough, but there is no [[n72ap]] WTF.
 
-The s5l8900 [[WTF]] is still in the firmware strangely enough, but there is no [[n72ap]] WTF.
   
  +
-It uses the same
-It uses the same [[KBAG]] method, but as previously stated, it has a new [[GID]] key so nothing can be decrypted at the time without allowing unsigned code.
 
  +
[[KBAG]] method, but as previously stated, it has a new [[GID]] key so nothing can be decrypted at the time without allowing unsigned code.
   
 
==Internals==
 
==Internals==
Line 45: Line 46:
 
'''./iRecovery -s''' - Spawn a shell with 0x1281 (If you are in DFU, remember to follow the above steps to be able to actually spawn the shell)
 
'''./iRecovery -s''' - Spawn a shell with 0x1281 (If you are in DFU, remember to follow the above steps to be able to actually spawn the shell)
 
'''./iRecovery -b <file>''' - Send a file to 0x1281 (Could be broken)
 
'''./iRecovery -b <file>''' - Send a file to 0x1281 (Could be broken)
  +
  +
===KBAG Decryption===
  +
Since there is a new [[GID]] key in the new [[Application Processor]], KBAGs for the firmware files can only be decrypted on the iPod Touch 2G itself. Here is a theory that I propose:<br>
  +
# Send iBSS to DFU 2.0 so we can communicate
  +
# Send an iPod Touch 1G 1.1.4-2.0b3 iBEC / iBSS
  +
# Type 'go' to boot from it
  +
# As a side note, this is possible because (a) There is legacy 8900.1 / IMG2 support on the iPT2, for one reason or another, and (b) IMG2 files didn't have BORD tags stating that they can only be used on certain devices. This is just like how you can send a 1.1.4 iPhone 2G iBoot to the iPhone 3G and it will work fine :)
  +
# Once you are booted into IMG2 haven, fire up iBooter from http://iphonelinux.org/
  +
# Use geohot's or planetbeing's AES caller code like normal, use mw to write it to 0x9000000, 0x9000004, 0x9000008, 0x900000C, 0x000010, etc. etc.
  +
# Since we don't have the permissions patch and we must run a signed file as of now, instead of using 'go' as geohot demonstrated in his tutorial, we will use a different exploit that is not too widely known, called [[diags]]. We simply issue the command 'diags 0x9000000' to run our code that we just sent, and basically we can now send our kbags with 'mw' and read the decrypted output with 'mdb' :)
  +
  +
===Pwnage===
  +
After doing the above and patching the files, there is still one thing that everyone wants. It may amaze you, but some people don't give a crap about decrypted KBAGs. Crazy, isn't it? Anyway, once the KBAGs are decrypted and you have patched the IMG3 integrity check out of iBoot, upload the patched iBoot (CTRL+F in iBooter), then use 'diags 0x9000000' to load the patched iBoot. From here, patch the kernel, ASR, restored_external, iBoots, applelogo, DeviceTree, etc. Create a jailbroken ipsw and restore to it in iTunes. Keep in mind that since we used diags to boot from the patched iBoot, you must not reboot your iPhone before you do the restore, or the stock iBoot will be loaded from NOR at boot and you have to do everything all over again x.x
  +
  +
===Disclaimer===
  +
This has not been tested yet, as the DFU 2.0 communication client is having some problems. I will try to nag the two head devs (I won't say their names as to not have others nagging them) to post iRecovery.c here on The iPhone Wiki, then everyone can contribute to it and get it up to the standards that we need it at.

Revision as of 02:44, 20 September 2008

This is the 2nd Generation iPod Touch

Model: n72ap Application Processor (OS Chip): s5l8720x

Decryption of it's Ramdisks, iBoot, LLB, Kernel, and friends

The application processor has a new GID key in it, so you can't decrypt kbags from it on any other device than itself. So, you pretty much will not even be able to make a pwned IPSW, let alone decrypt the RootFS, unless a low level (like, bootrom/kernel/iBoot) exploit is found. From there, it can be used to run code to decrypt the kbags so that we can in turn decrypt the files, and then to run code to actually pwn the device.

Bootrom exploit = No Go

DFU in the iPod Touch 2 is now 0x1227, so basically they took the patched up WTF and burned it into the bootrom, meaning the bootrom stack overflow is a no go...other methods are being tested though, no word on if they work yet...

Notes

-It has a new GID key.

-iBoot seems to map itself at 0xFF00000.

-LLB is encrypted, which is new.

-The s5l8900 WTF is still in the firmware strangely enough, but there is no n72ap WTF.

-It uses the same

KBAG method, but as previously stated, it has a new GID key so nothing can be decrypted at the time without allowing unsigned code.

Internals

See: n72ap (Internals) - Remarkably it has a Bluetooth Chip, shown by iFixit, but apparently it may only be used for Rf transmission to the Nike+ kit.

Device IDs

0x1227 = DFU Mode (Basically WTF 2.0 burned into bootrom)
0x1281 = Recovery Mode (iBEC) as well as the iBSS used when communicating with DFU mode

Communication with DFU

  1. Put the device in DFU mode.
  2. Upload the iBSS found in the firmware ipsw to DFU.
  3. Unplug the device from the USB cable, wait a little bit, and the screen should turn white. At this point, plug it back in.
  4. Spawn a shell with it, to clarify, you can use anything that can talk to 0x1281 (Recovery Mode 2.0), as DFU mode itself can only let you upload files to it and does not allow commands to be sent to it.
  5. Do a test command to make sure everything is properly working. For example, type 'bgcolor 255 0 0' without the 's and the screen of the device should turn from white to red
  6. If the screen color changes, congrats, you can now communicate with the iPod Touch 2G at DFU level :)

Implementation

A tool called 'iRecovery' is in the works. When finished, it will most likely be released with source. All that we need to do is get two things working:

  1. We need to be able to have two way communication with 0x1281. This will allow us to talk to iBSS and receive a response, so if something isn't working we will know why
  2. Fix uploading files to 0x1281 feature, if it is broken (we don't know, because we can't yet get a response from 0x1281 to see what our problem is

The command list will be as follows:
./iRecovery -f <file> - Send a file to 0x1227 (DFU 2.0) ./iRecovery -s - Spawn a shell with 0x1281 (If you are in DFU, remember to follow the above steps to be able to actually spawn the shell) ./iRecovery -b <file> - Send a file to 0x1281 (Could be broken)

KBAG Decryption

Since there is a new GID key in the new Application Processor, KBAGs for the firmware files can only be decrypted on the iPod Touch 2G itself. Here is a theory that I propose:

  1. Send iBSS to DFU 2.0 so we can communicate
  2. Send an iPod Touch 1G 1.1.4-2.0b3 iBEC / iBSS
  3. Type 'go' to boot from it
  4. As a side note, this is possible because (a) There is legacy 8900.1 / IMG2 support on the iPT2, for one reason or another, and (b) IMG2 files didn't have BORD tags stating that they can only be used on certain devices. This is just like how you can send a 1.1.4 iPhone 2G iBoot to the iPhone 3G and it will work fine :)
  5. Once you are booted into IMG2 haven, fire up iBooter from http://iphonelinux.org/
  6. Use geohot's or planetbeing's AES caller code like normal, use mw to write it to 0x9000000, 0x9000004, 0x9000008, 0x900000C, 0x000010, etc. etc.
  7. Since we don't have the permissions patch and we must run a signed file as of now, instead of using 'go' as geohot demonstrated in his tutorial, we will use a different exploit that is not too widely known, called diags. We simply issue the command 'diags 0x9000000' to run our code that we just sent, and basically we can now send our kbags with 'mw' and read the decrypted output with 'mdb' :)

Pwnage

After doing the above and patching the files, there is still one thing that everyone wants. It may amaze you, but some people don't give a crap about decrypted KBAGs. Crazy, isn't it? Anyway, once the KBAGs are decrypted and you have patched the IMG3 integrity check out of iBoot, upload the patched iBoot (CTRL+F in iBooter), then use 'diags 0x9000000' to load the patched iBoot. From here, patch the kernel, ASR, restored_external, iBoots, applelogo, DeviceTree, etc. Create a jailbroken ipsw and restore to it in iTunes. Keep in mind that since we used diags to boot from the patched iBoot, you must not reboot your iPhone before you do the restore, or the stock iBoot will be loaded from NOR at boot and you have to do everything all over again x.x

Disclaimer

This has not been tested yet, as the DFU 2.0 communication client is having some problems. I will try to nag the two head devs (I won't say their names as to not have others nagging them) to post iRecovery.c here on The iPhone Wiki, then everyone can contribute to it and get it up to the standards that we need it at.