Difference between revisions of "Talk:N72AP"

From The iPhone Wiki

Revision as of 11:30, 12 September 2008

"-It has a new GID key. -iBoot seems to map itself at 0xFF00000. -LLB is encrypted, which is new. -The s5l8900 WTF is still in the firmware strangely enough, but there is no n72ap WTF. -It uses the same KBAG method, but as previously stated, it has a new GID key so nothing can be decrypted at the time without allowing unsigned code."

A few questions...the S5L8900 WTF is an 8900 file. Is it encrypted with the old 0x837 key derived from the old GID key or the new keys? Also, my theory is if the DFU exploit still exists in the new touch, we can send an exploited WTF and from there send a patched iBoot, we could possibly get iBooter or openiBoot working, we could decrypt the KBAGs. Are there any problems with this theory?

Anyone got one? ~geohot

Cool, didn't realize I could download the new Touch fw.

You have a decrypted copy of iBSS in \iPod2,1_2.1.1_5F138_Restore\Firmware\dfu\iBSS.n72ap.RELEASE.dfu

I'm almost sure the DFU exploit is still there, because the DFU file is still there. Use my iBoot patch to patch that iBSS and run the AES engine straight from iBoot.

okay now

Is the DFU exploit there? Test it using "iran", not iTunes. If not, then we are up against something. Otherwise, why the long talk page?

assuming the DFU exploit is still there...

1. Do the old iBSSes and iBECs run (with exploit)? If so, you are done, just use my iBoot patches to run the AES engine right from iBoot. No chainloading required.

2. The DFUs all weren't encrypted on the iPhone firmware, including the iBSS and iBEC ones. Still true? Then there's iBoot.

assuming the DFU exploit is gone...

1. If the old iBoots run (without exploit, from normal DFU), run 1.1.4 and use the diags exploit to strap into a patched iBoot.

problems

1. We can't send a patched iBoot without first being able to run code to decrypt the new KBAGs. If the bootrom exploit still indeed exists, then this will definitely be doable.

2. I doubt the bootrom exploit is still there. highly.

3. The s5l WTF file is not encrypted, just compressed. If you decide to use 8900decryptor then it will recognize this and do the work for you.

4. If you can get an iBooter or implementation of it for 2.*, let me know. The iBEC is not encrypted and that would surely suffice for the purpose that you speak of. But I have some reason to believe that for some reason the iPod Touch 2 can be downgraded to an iPod Touch firmware. The reasoning behind this is that it has a totally new application processor, yet for reasons unknown, there is still support for 8900 files in it. As many know from clues hidden in firmwares dating back to 1.2 (The first build of 2.0, made available in March), 8900 encryption was used. I would have thought by now Apple would have re-written it to not have legacy 8900 support. But who knows...I may try to snag one and play around with it if that freeiphonetrade site or whatever it is called actually is legit.
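An added example, not from this talk page and not code from 8900decryptor, iBooter or any other tool named here: a small Python header check for the two container formats under discussion. It reads the format byte of an 8900 header (0x03 means the payload is encrypted with the fixed 0x837 key, 0x04 means it is stored in the clear, which is Chronic's point about the WTF file) and walks an Img3 file for its KBAG tag, whose IV and key are wrapped by the GID key and so can only be unwrapped on the device's own AES engine (the point made in the quoted summary). Field layouts follow the documented 8900 and Img3 headers; the sample bytes are constructed for the demo and are not real firmware, and the helper names are my own.

```python
import struct

# Field layouts follow the publicly documented 8900 and Img3 containers.
# Constants and sample bytes below are constructed for this demo.
HDR_8900_LEN = 0x800
FMT_8900_ENCRYPTED = 0x03   # payload AES-encrypted with the fixed "0x837" key
FMT_8900_PLAIN = 0x04       # payload stored in the clear
IMG3_MAGIC = b"3gmI"        # 'Img3', little-endian on disk


def parse_8900_header(blob):
    """Return the 0x800-byte 8900 header as a dict; raise on a bad magic."""
    if len(blob) < HDR_8900_LEN or blob[:4] != b"8900":
        raise ValueError("not an 8900 container")
    fmt = blob[7]
    unknown1, data_size, sig_off, cert_off, cert_len = struct.unpack_from("<5I", blob, 8)
    unknown2, epoch = struct.unpack_from("<HH", blob, 60)
    return {"version": blob[4:7].decode("ascii"), "format": fmt,
            "data_size": data_size, "sig_off": sig_off, "cert_off": cert_off,
            "cert_len": cert_len, "salt": blob[28:60], "epoch": epoch,
            "header_sig": blob[64:80]}


def img3_tags(blob):
    """Walk an Img3 file; return (ident, [(tag_magic, tag_data), ...])."""
    magic, full_size, size_no_pack, sig_area, ident = struct.unpack_from("<4s3I4s", blob, 0)
    if magic != IMG3_MAGIC or full_size > len(blob) or size_no_pack != full_size - 20:
        raise ValueError("not a well-formed Img3 container")
    tags, off = [], 20
    while off + 12 <= full_size:
        tmagic, total_len, data_len = struct.unpack_from("<4s2I", blob, off)
        if total_len < 12 + data_len or off + total_len > full_size:
            raise ValueError("bad tag length at offset %#x" % off)
        tags.append((tmagic[::-1].decode("ascii"), blob[off + 12:off + 12 + data_len]))
        off += total_len
    return ident[::-1].decode("ascii"), tags


def parse_kbag(data):
    """KBAG = cryptState, aesType, encIV[16], encKey[aesType/8]; IV and key are GID-wrapped."""
    crypt_state, aes_type = struct.unpack_from("<2I", data, 0)
    key_len = aes_type // 8
    if aes_type not in (128, 192, 256) or len(data) < 24 + key_len:
        raise ValueError("malformed KBAG")
    return {"crypt_state": crypt_state, "aes_type": aes_type,
            "enc_iv": data[8:24], "enc_key": data[24:24 + key_len]}


def find_kbag(blob):
    for magic, data in img3_tags(blob)[1]:
        if magic == "KBAG":
            return parse_kbag(data)
    return None


def classify(blob):
    """Say which container this is and what is needed to reach its plaintext."""
    if blob[:4] == b"8900":
        fmt = parse_8900_header(blob)["format"]
        if fmt == FMT_8900_PLAIN:
            return "8900 format 0x04: payload not encrypted"
        if fmt == FMT_8900_ENCRYPTED:
            return "8900 format 0x03: payload encrypted with the fixed 0x837 key"
        return "8900 unknown format byte %#x" % fmt
    if blob[:4] == IMG3_MAGIC:
        ident, _ = img3_tags(blob)
        kbag = find_kbag(blob)
        if kbag is None:
            return "Img3 %s: no KBAG, DATA is plaintext" % ident
        state = "production" if kbag["crypt_state"] == 1 else "development"
        return ("Img3 %s: DATA is AES-%d; IV/key are wrapped by the %s GID key, "
                "so the device AES engine is needed to unwrap them"
                % (ident, kbag["aes_type"], state))
    return "unknown container"


# --- constructed sample inputs (not real firmware bytes) ---
def _tag(magic, data):
    pad = (-len(data)) % 4
    return (struct.pack("<4s2I", magic[::-1].encode("ascii"), 12 + len(data) + pad, len(data))
            + data + b"\0" * pad)


def build_img3(ident, tags):
    body = b"".join(_tag(m, d) for m, d in tags)
    return struct.pack("<4s3I4s", IMG3_MAGIC, 20 + len(body), len(body), 0,
                       ident[::-1].encode("ascii")) + body


def build_8900(fmt, payload):
    hdr = bytearray(HDR_8900_LEN)
    hdr[0:4], hdr[4:7], hdr[7] = b"8900", b"1.0", fmt
    struct.pack_into("<5I", hdr, 8, 0x80000000, len(payload), 0, 0, 0)
    return bytes(hdr) + payload


SAMPLE_KBAG = struct.pack("<2I", 1, 128) + bytes(range(16)) + bytes(range(16, 32))
SAMPLE_IMG3 = build_img3("ibss", [("TYPE", b"ssbi"), ("DATA", b"\0" * 32), ("KBAG", SAMPLE_KBAG)])
SAMPLE_8900_PLAIN = build_8900(FMT_8900_PLAIN, b"compressed-payload")

if __name__ == "__main__":
    for name, blob in (("sample-8900", SAMPLE_8900_PLAIN), ("sample-img3", SAMPLE_IMG3)):
        print(name, "->", classify(blob))
```

To run it against a file from an unpacked IPSW, call classify(open(path, "rb").read()); an Img3 that reports a KBAG is exactly the case where no host-side tool can help and the IV/key have to come from the device's AES engine, which is what the iBoot patch discussed above is for.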

interesting...

Ok, Chronic, cool. So if we can get iBooter working (on the touch second gen), then we can send a patched iBEC and from there decrypt the KBAGs on the actual touch2 hardware with iBooter. Then we could decrypt the ramdisk, rootfs, and get on our way with a jailbreak. Also, with your point about downgrading, if you are correct then we should be able to (possibly) downgrade the touch2 to 1.1.4 and use iBooter/openiBoot with no problem? I have a feeling the only problem with that would be iTunes 8 will forbid even a DFU downgrade to 1.1.4, so we would either have to downgrade to iTunes 7.5 with the touch2 drivers still intact and then restore from there. That being said, I bet the only way a downgrade to 1.1.4 would work would be with a patched WTF and the DFU exploit not fixed by Apple in the touch2. Should be an interesting few months for the devteam, assuming they even try to work on the touch2. Maybe we should talk to planetbeing regarding iBooter/openiBoot in 2.1...

Can a patched IBEC be accepted by an unexploited stock ipod touch2? I doubt it. - CPICH

Yeah that's what Chronic ended up telling me in IRC. He thinks now we need another exploit for iBoot in order to run unsigned code. We'll see what DevTeam has for us...that's assuming they even try to work on iPod touch second gen.. - Cool name

Also though think about the big picture....if an iPod Touch 2G exploit is found (that isn't the same DFU exploit as in iPhone 1G/2G and iPod Touch 1G), is that better used on that iPod Touch 2G....or sat upon until next iPhone hardware revision? - MuscleNerd

use it on the ipod

If an exploit is found/has already been found on the iPhone 1G/2G/iPod touch 1G, it should be released for the new ipod touch. It will make many people very happy with you instead of using it on the next iphone, which may not be released for another year or two. However, if the DFU exploit still works on iPod touch 2G, then don't bother burning another exploit-just my thoughts....-Cool Name

I don't agree on this, think about it, the purpose for jailbreaking an iPhone (unlocking it or using SIM proxy) is greater than that for an iPod touch, especially now that the AppStore is open. I second waiting for the next iPhone if a good hardware exploit is found. -Rekoil 17:26, 11 September 2008 (UTC)

but

Who knows when a new iPhone rev will be out? nobody but Apple. A new one may never come out. Plus, I strongly doubt that there is only one exploit left. There is always more. Not only that, but there is a chance of even more when new features are added.

In theory, if the DFU exploit still works, that is only half the battle. We can't just go off Pwning and QuickPwning willy nilly. Someone will need to create a special ramdisk that can chainload OpeniBoot and decrypt the keys and IVs. From there, we can pwn, and we can patch the kernel for hardware AES access. Then it will be nothing but smooth sailing. -Chronic

I agree that there must be more than one exploit that devteam has in their SVN or whatever. As Chronic said, you never know when a new iPhone revision will come out: months, years, or possibly never. Also devteam will piss off a lot of faithful touch users if they decide not to work on touch2 or say they are waiting for a third gen iphone before they use the exploit. Would be interesting to hear from some devteam members on this (**cough** MuscleNerd **cough**)... --Cool name 20:32, 11 September 2008 (UTC)

hold on there

We don't 'know' 100% there is a new exploit, it is just very likely. Even with that, there is still the fact of actually discovering it. My point was that there are probably a lot more undiscovered exploits, so please don't go bothering the devteam about this :P

Another new processor

I'm guessing that the iPhone 3G will be refreshed soon with a 32GB option and a new processor. It looks like Apple has another processor that they plan on using, so the Dev Team might as well use an exploit after a device with this processor is released.. Found this in the iPod 2.1 main file system: http://i34.tinypic.com/241muxt.png --James 22:43, 11 September 2008 (UTC)

OMG! It's my buddy!

OMG! It's my best buddy s5l8920x! It survived to GM! :D

Anyway, this was also in a 2.1 beta (minus the current iTouch 2 kernel) so I am assuming that it is just a prototype for the new iTouch that got changed to something else for the GM hardware rev