Redsn0w Lite

From The iPhone Wiki
Revision as of 16:59, 31 January 2009

This is the iPhone Dev Team's jailbreak for the iPod Touch 2G. It is their payload for the ARM7 Go exploit, just as yellowsn0w is the payload for the at+stkprof exploit.

What it does

For the most part, it is a compact, well-optimized payload that applies the same two patches as 0wnboot: the signature-check patch and the range-check patch. Both are done by plain stores into the already-loaded iBoot image, one halfword and one word, followed by an infinite loop.

Disassembly

ROM:00000000                LDR     R3, =0xA1F10F   ; literal pool is byte-flipped in this dump;
ROM:00000000                                        ; real value: 0x0FF1A100
ROM:00000004                MOV     R2, #0x2000     ; 0x2000 is the Thumb encoding of MOVS R0, #0
ROM:00000008                STRH    R2, [R3,#0x34]  ; overwrite the NEGS R0, R0 (0x4240) at 0x0FF1A134 with MOVS R0, #0
ROM:00000008                                        ; this is the part of the sigcheck routine that
ROM:00000008                                        ; is jumped to when the check fails, so the patch
ROM:00000008                                        ; makes that error path return 0 (everything OK)
ROM:00000008                                        ; instead of -1 (signature check failed)
ROM:0000000C                LDR     R3, =0xFFAFF20F ; byte-flipped;
ROM:0000000C                                        ; real value: 0x0FF2AFFF
ROM:00000010                MOVL    R2, 0xFFFFFFFF  ; IDA macro for MVN R2, #0
ROM:00000014                STR     R2, [R3,#-0x23F] ; set the iBoot flags word at 0x0FF2ADC0 (0x0FF2AFFF - 0x23F) to 0xFFFFFFFF
ROM:00000014                                         ; this patches the iBoot flags so that there is no range check,
ROM:00000014                                         ; no permission check for restricted commands, and the AES GID
ROM:00000014                                         ; and UID keys are not restricted by the devtree at boot, so
ROM:00000014                                         ; you can decrypt KBAGs with the xpwn crypto bundle with
ROM:00000014                                         ; no devtree patch needed, and more. Basically it tricks
ROM:00000014                                         ; the device into thinking it is an engineering device
ROM:00000018
ROM:00000018     spin                                ; CODE XREF: ROM:spin↑j
ROM:00000018                B       spin             ; hang here forever once both patches are in place
ROM:00000018     ; ---------------------------------------------------------------------------
ROM:0000001C     dword_1C        DCD 0xA1F10F        ; DATA XREF: ROM:00000000↑r
ROM:0000001C                                         ; byte-flipped:
ROM:0000001C                                         ; 0x0FF1A100
ROM:00000020     dword_20        DCD 0xFFAFF20F      ; DATA XREF: ROM:0000000C↑r
ROM:00000020     ; ROM           ends                ; byte-flipped:
ROM:00000020                                         ; 0x0FF2AFFF
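The following C program is an added worked example, not code from the Dev Team or from this page: it replays the payload's two stores against a constructed stand-in for the iBoot image and checks the result, shows why the literal pool reads as 0xA1F10F / 0xFFAFF20F in the dump (plain byte-order reversal of 0x0FF1A100 / 0x0FF2AFFF), and models what the sigcheck error path returns before and after the halfword patch. The iBoot load address 0x0FF00000, the image size, and the pre-patch contents of the flags word are assumptions; the NEGS R0, R0 (0x4240) at the patch site is taken from the listing's comment.

```c
/* Replay of the Redsn0w Lite patches against a fake iBoot image.
 * Added example; not the Dev Team's code. Values marked ASSUMED are not from the page. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IBOOT_BASE   0x0FF00000u  /* ASSUMED: iBoot load address implied by the patch addresses */
#define IMAGE_SIZE   0x30000u     /* ASSUMED: just large enough to cover both patch sites */

/* Addresses and encodings taken from the disassembly above */
#define SIGCHECK_PATCH_ADDR 0x0FF1A134u   /* 0x0FF1A100 + 0x34 */
#define FLAGS_PATCH_ADDR    0x0FF2ADC0u   /* 0x0FF2AFFF - 0x23F */
#define THUMB_NEGS_R0_R0    0x4240u       /* Thumb: NEGS R0, R0 (original instruction) */
#define THUMB_MOVS_R0_0     0x2000u       /* Thumb: MOVS R0, #0 (what the payload stores) */

static uint8_t image[IMAGE_SIZE];         /* constructed stand-in for iBoot in RAM */

static int in_image(uint32_t addr, uint32_t len) {
    return addr >= IBOOT_BASE && addr - IBOOT_BASE + len <= IMAGE_SIZE;
}

/* Little-endian accessors, as the ARM core sees memory */
uint16_t rd16(uint32_t addr) {
    if (!in_image(addr, 2)) return 0;
    uint32_t o = addr - IBOOT_BASE;
    return (uint16_t)(image[o] | (image[o + 1] << 8));
}
uint32_t rd32(uint32_t addr) {
    if (!in_image(addr, 4)) return 0;
    uint32_t o = addr - IBOOT_BASE;
    return (uint32_t)image[o] | ((uint32_t)image[o + 1] << 8) |
           ((uint32_t)image[o + 2] << 16) | ((uint32_t)image[o + 3] << 24);
}
static void wr16(uint32_t addr, uint16_t v) {
    if (!in_image(addr, 2)) return;
    uint32_t o = addr - IBOOT_BASE;
    image[o] = (uint8_t)v;
    image[o + 1] = (uint8_t)(v >> 8);
}
static void wr32(uint32_t addr, uint32_t v) {
    if (!in_image(addr, 4)) return;
    uint32_t o = addr - IBOOT_BASE;
    for (int i = 0; i < 4; i++) image[o + i] = (uint8_t)(v >> (8 * i));
}

/* Reverse byte order: turns 0x0FF1A100 into the 0xA1F10F seen in the literal pool */
uint32_t flip32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
}

/* Unpatched state: NEGS R0, R0 on the sigcheck error path, flags word cleared (ASSUMED) */
void seed_image(void) {
    memset(image, 0, sizeof image);
    wr16(SIGCHECK_PATCH_ADDR, THUMB_NEGS_R0_R0);
    wr32(FLAGS_PATCH_ADDR, 0);
}

/* The payload's instructions, one store at a time, with the real (un-flipped) literals */
void apply_redsn0w_lite_patches(void) {
    uint32_t r2, r3;
    r3 = 0x0FF1A100u;                 /* LDR  R3, =0x0FF1A100 */
    r2 = 0x2000u;                     /* MOV  R2, #0x2000 */
    wr16(r3 + 0x34u, (uint16_t)r2);   /* STRH R2, [R3,#0x34]   -> MOVS R0, #0 at 0x0FF1A134 */
    r3 = 0x0FF2AFFFu;                 /* LDR  R3, =0x0FF2AFFF */
    r2 = 0xFFFFFFFFu;                 /* MVN  R2, #0 (IDA shows MOVL R2, 0xFFFFFFFF) */
    wr32(r3 - 0x23Fu, r2);            /* STR  R2, [R3,#-0x23F] -> flags at 0x0FF2ADC0 */
}

int patches_applied(void) {
    return rd16(SIGCHECK_PATCH_ADDR) == THUMB_MOVS_R0_0 &&
           rd32(FLAGS_PATCH_ADDR) == 0xFFFFFFFFu;
}

/* R0 after executing the halfword at the error path; R0 = 1 is the failed-check input */
int32_t sigcheck_error_path_r0(uint16_t insn, int32_t r0) {
    if (insn == THUMB_NEGS_R0_R0) return -r0;             /* NEGS R0, R0: 1 -> -1 */
    if ((insn & 0xFF00u) == 0x2000u) return insn & 0xFFu;  /* MOVS R0, #imm8: -> 0 */
    return r0;                                            /* not one of the two we model */
}

/* Seed, confirm unpatched, run the payload, confirm patched; returns 1 on success */
int simulate_payload(void) {
    seed_image();
    if (patches_applied()) return 0;
    apply_redsn0w_lite_patches();
    return patches_applied();
}

int main(void) {
    printf("payload simulation: %s\n", simulate_payload() ? "ok" : "FAILED");
    printf("halfword at 0x%08X: 0x%04X, flags at 0x%08X: 0x%08X\n",
           SIGCHECK_PATCH_ADDR, rd16(SIGCHECK_PATCH_ADDR),
           FLAGS_PATCH_ADDR, rd32(FLAGS_PATCH_ADDR));
    printf("literal pool as dumped: 0x%08X 0x%08X\n", flip32(0x0FF1A100u), flip32(0x0FF2AFFFu));
    printf("error path R0: before %d, after %d\n",
           sigcheck_error_path_r0(THUMB_NEGS_R0_R0, 1),
           sigcheck_error_path_r0(THUMB_MOVS_R0_0, 1));
    return 0;
}
```

The point of replaying the stores with the real literals is to check the offset arithmetic the listing relies on: 0x0FF1A100 + 0x34 and 0x0FF2AFFF - 0x23F must land exactly on the two patch sites, and the halfword store must not disturb the neighbouring bytes of the sigcheck routine.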

Links

Red Sn0w Website