N72AP

From The iPhone Wiki
Revision as of 05:09, 25 September 2008 by Zeros (talk | contribs) (iRecovery wikilink)
Jump to: navigation, search

This is the 2nd Generation iPod Touch

Model: n72ap Application Processor (OS Chip): s5l8720x

Decryption of it's Ramdisks, iBoot, LLB, Kernel, and friends

The application processor has a new GID key in it, so you can't decrypt kbags from it on any other device than itself. So, you pretty much will not even be able to make a pwned IPSW, let alone decrypt the RootFS, unless a low level (like, bootrom/kernel/iBoot) exploit is found. From there, it can be used to run code to decrypt the kbags so that we can in turn decrypt the files, and then to run code to actually pwn the device.

Bootrom exploit = No Go

DFU in the iPod Touch 2 is now 0x1227, so basically they took the patched up WTF and burned it into the bootrom, meaning the bootrom stack overflow is a no go...other methods are being tested though, no word on if they work yet...

Notes

-It has a new GID key.

-LLB is encrypted, which is new.

-The s5l8900 WTF is still in the firmware strangely enough, but there is no n72ap WTF.

-It uses the same KBAG method, but as previously stated, it has a new GID key so nothing can be decrypted at the time without allowing unsigned code.

Internals

See: n72ap (Internals) - Remarkably it has a Bluetooth Chip, shown by iFixit, but apparently it may only be used for Rf transmission to the Nike+ kit.

Device IDs

0x1227 = DFU Mode (Basically WTF 2.0 burned into bootrom)
0x1281 = Recovery Mode (iBEC) as well as the iBSS used when communicating with DFU mode

Communication with DFU

  1. Put the device in DFU mode.
  2. Upload the iBSS found in the firmware ipsw to DFU.
  3. Unplug the device from the USB cable, wait a little bit, and the screen should turn white. At this point, plug it back in.
  4. Spawn a shell with it, to clarify, you can use anything that can talk to 0x1281 (Recovery Mode 2.0), as DFU mode itself can only let you upload files to it and does not allow commands to be sent to it.
  5. Do a test command to make sure everything is properly working. For example, type 'bgcolor 255 0 0' without the 's and the screen of the device should turn from white to red
  6. If the screen color changes, congrats, you can now communicate with the iPod Touch 2G at DFU level :)

Implementation

iRecovery - Source+Mac binary included

Syntax

./iRecovery -f <file> - Upload a file to DFU 2.0 or 0x1281 (Auto detects)
./iRecovery -b <file> - Upload a file to Recovery / DFU iBSS (0x1281) <-- _might_ be broken.
./iRecovery -s - Spawn a shell with Recovery / DFU iBSS (0x1281)

KBAG Decryption

The following idea for decrypting the IPT2 KBAGs turns out to be broken...it doesn't work. Steps 2-4 are incorrect. But the idea was:

Since there is a new GID key in the new Application Processor, KBAGs for the firmware files can only be decrypted on the iPod Touch 2G itself. Here is a theory that I propose:
  1. Send iBSS to DFU 2.0 so we can communicate
  2. Send an iPod Touch 1G 1.1.4-2.0b3 iBEC / iBSS
  3. Type 'go' to boot from it
  4. As a side note, this is possible because (a) There is legacy 8900.1 / IMG2 support on the iPT2, for one reason or another, and (b) IMG2 files didn't have BORD tags stating that they can only be used on certain devices. This is just like how you can send a 1.1.4 iPhone 2G iBoot to the iPhone 3G and it will work fine :)
  5. Once you are booted into IMG2 haven, fire up iBooter from http://iphonelinux.org/
  6. Use geohot's or planetbeing's AES caller code like normal, use mw to write it to 0x9000000, 0x9000004, 0x9000008, 0x900000C, 0x000010, etc. etc.
  7. Since we don't have the permissions patch and we must run a signed file as of now, instead of using 'go' as geohot demonstrated in his tutorial, we will use a different exploit that is not too widely known, called diags. We simply issue the command 'diags 0x9000000' to run our code that we just sent, and basically we can now send our kbags with 'mw' and read the decrypted output with 'mdb' :)

Pwnage

After doing the above and patching the files, there is still one thing that everyone wants. It may amaze you, but some people don't give a crap about decrypted KBAGs. Crazy, isn't it? Anyway, once the KBAGs are decrypted and you have patched the IMG3 integrity check out of iBoot, upload the patched iBoot (CTRL+F in iBooter), then use 'diags 0x9000000' to load the patched iBoot. From here, patch the kernel, ASR, restored_external, iBoots, applelogo, DeviceTree, etc. Create a jailbroken ipsw and restore to it in iTunes. Keep in mind that since we used diags to boot from the patched iBoot, you must not reboot your iPhone before you do the restore, or the stock iBoot will be loaded from NOR at boot and you have to do everything all over again x.x

Disclaimer

This has not been tested yet, as the DFU 2.0 communication client is having some problems. I will try to nag the two head devs (I won't say their names as to not have others nagging them) to post iRecovery.c here on The iPhone Wiki, then everyone can contribute to it and get it up to the standards that we need it at.

There is now an article for iRecovery as well as a link to the source code for those interested.