The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Talk:ARM7 Go

From The iPhone Wiki
Revision as of 22:03, 19 January 2009 by Pod2g (talk | contribs) (Chronic, I may have found the way to use arm7_go)
Jump to: navigation, search

My Payload

(Since RedSn0w will be out any day, this is just for the hell of it :)

If anyone has any ideas and would like to mess around with this hack, here is some code that (should) patch a 2.1.1 iBSS that you loaded, in memory. Again, just for fun, as the dev team probably has redsn0w, it's payload, and program almost completed. 

@ ipod touch 2G ibss 2.1.1 patcher
@ by chronic with some gas help from ius
@
@ assemble this with gas

.section .text
   .global _start
   _start:
      stmdb sp!, {r0-r6}
      ldr r0, =rangePatch
      ldr r1, =permsPatch
      ldr r2, =sigchPatch
      ldr r3, =sigchecLoc
      ldr r4, =permschLoc
      ldr r6, =rangechLoc
      strh r1, [r4]
      strh r0, [r6]
      strh r2, [r3]
      ldmia sp!, {r0-r6}
      mov pc, lr

.section .data
   sigchecLoc: .word 0x2200F2FE
   permschLoc: .word 0x2200C330
   rangechLoc: .word 0x2200C3A6
   rangePatch: .hword 0x0120
   permsPatch: .hword 0x0124
   sigchPatch: .hword 0x0020

ChronicDev 19:45, 16 January 2009 (UTC)

Chronic, I may have found the way to use arm7_go

Try to add the size of your payload just before it as an 32bit integer.

1. without size : 

 I assembled your payload with gas then tried to upload it at 0x09000000 and start arm7_go.
 It did nothing.

2. with size before : 0x00000048 then your payload uploaded at 0x09000000. 

 arm7_go => it crashed my ipod 2G.

I hope it can help. I am continuing my reasearches.

~pod2g

How do you pass the bootrom RSA checks?

I've noticed that the exploit is at the iBoot level. So how do you (or the Dev-Team) pass the bootrom RSA checks?

~Oranav

RE: How do you pass the bootrom RSA checks?

I do not know how it is done, but taking the screenshot on the latest devteam blog post, they have found a way to do so.

RE: RE: How do you pass the bootrom RSA checks?

Okay, as to MuscleNerd's redsn0w demo, it's pretty yellowsn0w like - you have to let the bootrom sigchecks pass, and then use the exploit every time the device boots. Pretty annoying, but that's the only option without a way to pass bootrom sigchecks.

~Oranav

Wel...

They noted they are looking for a way around that.

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=Talk:ARM7_Go&oldid=2850"