Difference between revisions of "N72AP"

From The iPhone Wiki
Jump to: navigation, search
(Disclaimer)
m
 
(29 intermediate revisions by 10 users not shown)
Line 1: Line 1:
  +
[[File:iPod touch (2nd generation).png|thumb|right|iPod touch (2nd generation)]]
This is the 2nd Generation iPod Touch
 
   
  +
This is the second generation [[List of iPod touches|iPod touch]]. It has two different [[bootrom]] revisions.
Model: n72ap
 
Application Processor (OS Chip): s5l8720x
 
   
  +
'''Model''': N72AP
== Decryption of its Ramdisks, iBoot, LLB, Kernel, and friends ==
 
The application processor has a new [[GID]] key in it, so you can't decrypt kbags from it on any other device than itself. So, you pretty much will not even be able to make a pwned IPSW, let alone decrypt the RootFS, unless a low level (like, bootrom/kernel/iBoot) exploit is found. From there, it can be used to run code to decrypt the kbags so that we can in turn decrypt the files, and then to run code to actually pwn the device.
 
   
  +
'''Application Processor (OS Chip)''': [[S5L8720]]
== Hardware Hack ==
 
Place an FPGA between the NOR flash and the NOR flash socket. Allow the signature check to run as usual, then change the code to whatever you want. Since it probably uses a serial flash like the 3G, you'd only have to connect like 4 wires. This is probably what the devteam refers to as a hardware method.
 
   
  +
The name used in firmware is iPod2,1.
== Bootrom exploit = No Go ==
 
DFU in the iPod Touch 2 is now [[0x1227]], so basically they took the patched up WTF and burned it into the bootrom, meaning the bootrom stack overflow is a no go...other methods are being tested though, no word on if they work yet...
 
   
== Notes ==
+
==Hardware==
  +
See the [[S5L8720 (Hardware)]] for hardware details
-It has a new [[GID]] key.
 
 
-[[LLB]] is encrypted, which is new.
 
 
-The s5l8900 [[WTF]] is still in the firmware strangely enough, but there is no [[n72ap]] WTF.
 
 
-It uses the same [[KBAG]] method, but as previously stated, it has a new [[GID]] key so nothing can be decrypted at the time without allowing unsigned code.
 
 
==Internals==
 
<i>See: [[n72ap (Internals)]]</i> - Remarkably it has a Bluetooth Chip, shown by iFixit, but apparently it may only be used for Rf transmission to the Nike+ kit.
 
   
 
==Device IDs==
 
==Device IDs==
'''0x1227''' = DFU Mode (Basically WTF 2.0 burned into bootrom)<br>
+
'''0x1227''' = [[DFU Mode]] 2.0 (Basically WTF 2.0 burned into bootrom)
'''0x1281''' = Recovery Mode (iBEC) as well as the iBSS used when communicating with DFU mode
 
 
==Communication with DFU==
 
# Put the device in DFU mode.
 
# Upload the iBSS found in the firmware ipsw to DFU.
 
# Unplug the device from the USB cable, wait a little bit, and the screen should turn white. At this point, plug it back in.
 
# Spawn a shell with it, to clarify, you can use anything that can talk to 0x1281 (Recovery Mode 2.0), as DFU mode itself can only let you upload files to it and does not allow commands to be sent to it.
 
# Do a test command to make sure everything is properly working. For example, type 'bgcolor 255 0 0' without the 's and the screen of the device should turn from white to red
 
# If the screen color changes, congrats, you can now communicate with the iPod Touch 2G at DFU level :)
 
 
===Implementation===
 
[http://www.waitwat.org/iRecovery.zip iRecovery - Source+Mac binary included]
 
 
====Syntax====
 
./iRecovery -f <file> - Upload a file to DFU 2.0 or 0x1281 (Auto detects)
 
./iRecovery -b <file> - Upload a file to Recovery / DFU iBSS (0x1281) <-- _might_ be broken.
 
./iRecovery -s - Spawn a shell with Recovery / DFU iBSS (0x1281)
 
 
===KBAG Decryption===
 
The following idea for decrypting the IPT2 KBAGs turns out to be broken...it doesn't work. Steps 2-4 are incorrect. But the idea was:
 
   
  +
'''0x1281''' = [[Recovery Mode]] 2.0 ([[iBEC]]/[[iBSS]]/[[iBoot (Bootloader)|iBoot]])
:Since there is a new [[GID]] key in the new [[Application Processor]], KBAGs for the firmware files can only be decrypted on the iPod Touch 2G itself. Here is a theory that I propose:<br>
 
:# Send iBSS to DFU 2.0 so we can communicate
 
:# Send an iPod Touch 1G 1.1.4-2.0b3 iBEC / iBSS
 
:# Type 'go' to boot from it
 
:# As a side note, this is possible because (a) There is legacy 8900.1 / IMG2 support on the iPT2, for one reason or another, and (b) IMG2 files didn't have BORD tags stating that they can only be used on certain devices. This is just like how you can send a 1.1.4 iPhone 2G iBoot to the iPhone 3G and it will work fine :)
 
:# Once you are booted into IMG2 haven, fire up iBooter from http://iphonelinux.org/
 
:# Use geohot's or planetbeing's AES caller code like normal, use mw to write it to 0x9000000, 0x9000004, 0x9000008, 0x900000C, 0x000010, etc. etc.
 
:# Since we don't have the permissions patch and we must run a signed file as of now, instead of using 'go' as geohot demonstrated in his tutorial, we will use a different exploit that is not too widely known, called [[diags]]. We simply issue the command 'diags 0x9000000' to run our code that we just sent, and basically we can now send our kbags with 'mw' and read the decrypted output with 'mdb' :)
 
   
  +
'''0x1293''' = Normal Mode (comm with [[iTunes]] / MobileDev framework)
===Pwnage===
 
<del>After doing the above and patching the files, there is still one thing that everyone wants. It may amaze you, but some people don't give a crap about decrypted KBAGs. Crazy, isn't it? Anyway, once the KBAGs are decrypted and you have patched the IMG3 integrity check out of iBoot, upload the patched iBoot (CTRL+F in iBooter), then use 'diags 0x9000000' to load the patched iBoot. From here, patch the kernel, ASR, restored_external, iBoots, applelogo, DeviceTree, etc. Create a jailbroken ipsw and restore to it in iTunes. Keep in mind that since we used diags to boot from the patched iBoot, you must not reboot your iPhone before you do the restore, or the stock iBoot will be loaded from NOR at boot and you have to do everything all over again x.x</del>
 
   
  +
==Exploits==
dfu no longer accepts 8900 files at all. this does not work and has no possible way of working.
 
  +
See the [[S5L8720]] page for all known exploits
   
===Disclaimer===
+
==Links==
  +
* [http://www.ifixit.com/Guide/First-Look/iPod/iPod-Touch-2G iFixit page for iPod touch 2nd Generation]
<del>This has not been tested yet, as the DFU 2.0 communication client is having some problems. I will try to nag the two head devs (I won't say their names as to not have others nagging them) to post [[iRecovery]].c here on The iPhone Wiki, then everyone can contribute to it and get it up to the standards that we need it at.
 
   
  +
[[Category:Devices]]
There is now an article for [[iRecovery]] as well as a link to the source code for those interested.</del>
 

Latest revision as of 21:10, 21 March 2017

iPod touch (2nd generation)

This is the second generation iPod touch. It has two different bootrom revisions.

Model: N72AP

Application Processor (OS Chip): S5L8720

The name used in firmware is iPod2,1.

Hardware

See the S5L8720 (Hardware) for hardware details

Device IDs

0x1227 = DFU Mode 2.0 (Basically WTF 2.0 burned into bootrom)

0x1281 = Recovery Mode 2.0 (iBEC/iBSS/iBoot)

0x1293 = Normal Mode (comm with iTunes / MobileDev framework)

Exploits

See the S5L8720 page for all known exploits

Links