Difference between revisions of "Redsn0w Lite"

From The iPhone Wiki
Jump to: navigation, search
m (remove dead link)
 
(22 intermediate revisions by 9 users not shown)
Line 1: Line 1:
  +
{{lowercase}}
This is the [[dev team||iPhone Dev Team's]] jailbreak for the [[n72ap|iPod Touch 2G]]. It is their payload for the [[ARM7 Go]] exploit, like how [[yellowsn0w]] is the payload for the [[at+stkprof]] exploit.
 
  +
This is the [[iPhone Dev Team]]'s tethered jailbreak ("redsn0w-lite") for the [[N72AP|iPod touch (2nd generation)]] on iPhone OS 2.1.1. It is their payload for the [[ARM7 Go]] backdoor. It's analagous to how [[yellowsn0w]] is the actual unlocking payload injected by the [[at+stkprof]] exploit in baseband [[02.28.00]].
   
==Links==
+
==What it does==
  +
For the most part, it is a nicely optimized payload that does the same essential patches as [[0wnboot]], those patches being the signature check patch and the range check patch. Its compactness lends itself nicely to the "run" command and the eight-byte serial payload issued by the example iPod touch (2nd generation) dongle.
[http://redsn0w.com/ Red Sn0w Website]
 
  +
  +
===Disassm===
  +
<pre>
  +
ROM:00000000 LDR R3, =0xA1F10F ; flipped:
  +
ROM:00000000 ; 0x0FF1A100
  +
ROM:00000004 MOV R2, #0x2000
  +
ROM:00000008 STRH R2, [R3,#0x34] ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134
  +
ROM:00000008 ; this is usually the part of the sigcheck routine that
  +
ROM:00000008 ; would be jumped to if there was an error, so this
  +
ROM:00000008 ; just pretty much makes it return 0, saying everything
  +
ROM:00000008 ; went OK, versus -1, saying there was an error
  +
ROM:0000000C LDR R3, =0xFFAFF20F ; flipped:
  +
ROM:0000000C ; 0x0FF2AFFF
  +
ROM:00000010 MOVL R2, 0xFFFFFFFF
  +
ROM:00000014 STR R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0
  +
ROM:00000014 ; this patches the iboot flags to allow no range check,
  +
ROM:00000014 ; no permission check for restricted commands, aes gid
  +
ROM:00000014 ; and uid key are not restricted by devtree at boot so
  +
ROM:00000014 ; you can decrypt kbags with xpwn crypto bundle with
  +
ROM:00000014 ; no devtree patch needed, and more. basically tricks
  +
ROM:00000014 ; your device into thinking it is an engineering device
  +
ROM:00000018
  +
ROM:00000018 spin ; CODE XREF: ROM:spin�j
  +
ROM:00000018 B spin
  +
ROM:00000018 ; ---------------------------------------------------------------------------
  +
ROM:0000001C dword_1C DCD 0xA1F10F ; DATA XREF: ROM:00000000�r
  +
ROM:0000001C ; flipped:
  +
ROM:0000001C ; 0x0FF1A100
  +
ROM:00000020 dword_20 DCD 0xFFAFF20F ; DATA XREF: ROM:0000000C�r
  +
ROM:00000020 ; ROM ends ; flipped:
  +
ROM:00000020 ; 0x0FF2AFFF
  +
</pre>
  +
  +
==Source==
  +
<pre>
  +
typedef volatile unsigned int vu32;
  +
typedef volatile unsigned short vu16;
  +
typedef volatile unsigned char vu8;
  +
  +
#define A_CHECK_SIGN 0x0FF1A134 // sigcheck loc
  +
#define A_CHECK_PERM 0x0FF2ADC0 // ib flags loc
  +
  +
void redsn0w(void) {
  +
*(vu16 *)A_CHECK_SIGN = 0x2000; // pwnage
  +
*(vu32 *)A_CHECK_PERM = 0xffffffff; // permissions
  +
while(1);
  +
}
  +
</pre>
  +
  +
[[Category:Jailbreaks]]
  +
[[Category:Jailbreaking]]

Latest revision as of 04:31, 17 March 2018

This is the iPhone Dev Team's tethered jailbreak ("redsn0w-lite") for the iPod touch (2nd generation) on iPhone OS 2.1.1. It is their payload for the ARM7 Go backdoor. It's analagous to how yellowsn0w is the actual unlocking payload injected by the at+stkprof exploit in baseband 02.28.00.

What it does

For the most part, it is a nicely optimized payload that does the same essential patches as 0wnboot, those patches being the signature check patch and the range check patch. Its compactness lends itself nicely to the "run" command and the eight-byte serial payload issued by the example iPod touch (2nd generation) dongle.

Disassm

ROM:00000000                LDR     R3, =0xA1F10F   ; flipped:
ROM:00000000                                        ; 0x0FF1A100
ROM:00000004                MOV     R2, #0x2000
ROM:00000008                STRH    R2, [R3,#0x34]  ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134
ROM:00000008                                        ; this is usually the part of the sigcheck routine that
ROM:00000008                                        ; would be jumped to if there was an error, so this
ROM:00000008                                        ; just pretty much makes it return 0, saying everything
ROM:00000008                                        ; went OK, versus -1, saying there was an error
ROM:0000000C                LDR     R3, =0xFFAFF20F ; flipped:
ROM:0000000C                                        ; 0x0FF2AFFF
ROM:00000010                MOVL    R2, 0xFFFFFFFF
ROM:00000014                STR     R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0
ROM:00000014                                         ; this patches the iboot flags to allow no range check,
ROM:00000014                                         ; no permission check for restricted commands, aes gid
ROM:00000014                                         ; and uid key are not restricted by devtree at boot so
ROM:00000014                                         ; you can decrypt kbags with xpwn crypto bundle with
ROM:00000014                                         ; no devtree patch needed, and more. basically tricks
ROM:00000014                                         ; your device into thinking it is an engineering device
ROM:00000018
ROM:00000018     spin                                ; CODE XREF: ROM:spin�j
ROM:00000018                B       spin
ROM:00000018     ; ---------------------------------------------------------------------------
ROM:0000001C     dword_1C        DCD 0xA1F10F        ; DATA XREF: ROM:00000000�r
ROM:0000001C                                         ; flipped:
ROM:0000001C                                         ; 0x0FF1A100
ROM:00000020     dword_20        DCD 0xFFAFF20F      ; DATA XREF: ROM:0000000C�r
ROM:00000020     ; ROM           ends                ; flipped:
ROM:00000020                                         ; 0x0FF2AFFF

Source

typedef volatile unsigned int vu32;
typedef volatile unsigned short vu16;
typedef volatile unsigned char vu8;

#define A_CHECK_SIGN 0x0FF1A134        // sigcheck loc
#define A_CHECK_PERM 0x0FF2ADC0        // ib flags loc

void redsn0w(void) {
  *(vu16 *)A_CHECK_SIGN = 0x2000;      // pwnage
  *(vu32 *)A_CHECK_PERM = 0xffffffff;  // permissions
  while(1);
}