Difference between revisions of "Talk:N72AP"

From The iPhone Wiki
Jump to: navigation, search
(hold on there: new section)
m (Dialexio moved page Talk:N72ap to Talk:N72AP: Capitalization.)
 
(18 intermediate revisions by 9 users not shown)
Line 1: Line 1:
  +
== Anyone got one? ~geohot ==
"-It has a new GID key. -iBoot seems to map itself at 0xFF00000. -LLB is encrypted, which is new. -The s5l8900 WTF is still in the firmware strangely enough, but there is no n72ap WTF. -It uses the same KBAG method, but as previously stated, it has a new GID key so nothing can be decrypted at the time without allowing unsigned code."
 
   
  +
Cool, didn't realize I could download the new Touch fw.
Few questions...the S5L8900 WTF is an 8900 file. Is it encrypted with the old 0x837 key derived from the old GID key or the new keys? Also, my theory is if the DFU exploit still exists in the new touch, we can send an exploited WTF and from there send a patched iBoot, we could possiby get iBooter or openIboot working, we could decrypt the KBAG's. Are there any problems with this theory?
 
   
  +
You have a decrypted copy of iBSS in \iPod2,1_2.1.1_5F138_Restore\Firmware\dfu\iBSS.n72ap.RELEASE.dfu
== problems ==
 
   
  +
I'm almost sure the DFU exploit is still there, because the DFU file is still 89001. Use [[Obtaining_IMG3_Keys|my iBoot patch]] to patch that iBSS and run the AES engine straight from iBoot. Use [http://iphonejtag.blogspot.com/2008/07/yiphone-and-otherwise.html iran] to upload the patched version.
1. We can't send a patched iBoot without first being able to run code to decrypt th enew kbags. if the bootrom exploit still indeed exists, the nthis will definitely be doable.
 
   
  +
== okay now ==
2. I doubt the bootrom exploit is still there. highly.
 
   
  +
Is the DFU exploit there? Test it using "iran", not iTunes. If not, then we are up against something. Otherwise, why the long talk page?
3. The s5l WTF file is not encrypted, just compressed. If you decide to use 8900decryptor then it will recognize this and do the work for you.
 
   
  +
assuming the DFU exploit is still there...
4. If you can get an iBooter or implementation of it for 2.*, let me know. The iBEC is not encrypted and that would surely suffice for the purpose that you speak of. But I have some reason to believe that for some reason the iPod Touch 2 can be downgraded to an iPod Touch firmware. The reasoning behind this is that it has a totally new application processor, yet for reasons unknown, there is still support for 8900 files in it. As many know from clues hidden in firmwares dating back to 1.2 (The first build of 2.0, made available in March), 8900 encryption was used. I would have thought by now Apple would have re-written it to not have legacy 8900 support. But who knows...I may try to snag one and play around with it if that freeiphonetrade site or whatever it is called actually is legit.
 
   
  +
1. Do the old iBSSes and iBECs run(with exploit)? If so, you are done, just use my iBoot patches to run the AES engine right from iBoot. No chainloading required.
== interesting... ==
 
   
  +
2. The DFUs all weren't encrypted on the iPhone firmware, including the iBSS and iBEC ones. Still true? Then theres iBoot.
Ok Chronic cool. So if we can get iBooter working (on the touch second gen), then we can send a patched iBec and from there decrypt the KBAGs on the actual touch2 hardware with iBooter. Then we could decrypt the ramdisk, rootfs, and get on our way with a jailbreak. Also, with your point about downgrading, if you are correct then we should be able to (possibly) downgrade the touch2 to 1.1.4 and use ibooter/openiboot with no problem? I have a feeling the only problem with that would be iTunes 8 will forbid even a DFU downgrade to 1.1.4, so we would either have to downgrade to iTunes 7.5 with the touch2 drivers still intact and then restore from there. That being said, I bet the only way a downgrade to 1.1.4 would work would be with a patched WTF and the DFU exploit not fixed by apple in the touch2. Should be an interesting few months for the devteam, assuming they even try to work on the touch2. Maybe we should talk to planetbeing regarding iBooter/openiboot in 2.1...
 
   
  +
assuming the DFU exploit is gone...
Can a patched IBEC be accepted by an unexploited stock ipod touch2? I doubt it. - CPICH
 
   
  +
1. If the old iBoots run(without exploit, from normal DFU), run 1.1.4 and use the diags exploit to strap into a patched iBoot.
Yeah that's what Chronic ended up telling me in IRC. He thinks now we need another exploit for iBoot in order to run unsigned code. We'll see what DevTeam has for us...that's assuming they even try to work on iPod touch second gen.. - Cool name
 
   
  +
== questions ==
Also though think about the big picture....if an iPod Touch 2G exploit is found (that isn't the same DFU exploit as in iPhone 1G/2G and iPod Touch 1G), is that better used on that iPod Touch 2G....or sat upon until next iPhone hardware revision? - MuscleNerd
 
  +
that actually would make a lot of sense. the only thing is, would new code be needed to decrypt the kbags, or business as usual since it is just a gid key change? i would think it is the later but im no crypto genius so i cant be too sure.
   
  +
I know the jist of how the diags exploit works, but how exactly would i strap on another iBoot. basically, do you have code handy for that? preferably in the form of already laid out 'mw's so that i can just copy and paste :P but thats asking too much. in all seriousness, please let me know if you do as i paln on picking one up soon.
== use it on the ipod ==
 
   
  +
== wait! ==
If an exploit is found/has already been found on the iPhone 1G/2G/iPod touch 1G, it should be released for the new ipod touch. It will make many people very happy with you instead of using it on the ''next'' iphone, which may not be released for another year or two. However, if the DFU exploit still works on iPod touch 2G, then don't bother burning another exploit-just my thoughts....-Cool Name
 
   
  +
Although it for some strange reason parses 8900 files, I just realized...they could have just fixed the bootrom stack overflow, and kept parsing intact for whatever reason...
I don't agree on this, think about it, the purpose for jailbreaking an iPhone (unlocking it or using SIM proxy) is greater than that for an iPod touch, especially now that the AppStore is open. I second waiting for the next iPhone if a good hardware exploit is found. -[[User:Rekoil|Rekoil]] 17:26, 11 September 2008 (UTC)
 
   
== but ==
+
== i have one ==
   
  +
i have the 2g touch if anyone wants me to do any testing. I use a mac, if you need to contact me email me at fiftyfour123@gmail.com cuz i won't be checking this page.
Who knows when a new iPhone rev will be out? nobody but Apple. A new one may never come out. Plus, I strongly doubt that there is only one exploit left. There is always more. Not only that, but there is a chance of even more when new features are added.
 
   
  +
I got one too. I'll have to stop using it before November since I'll give it as a birthday present, but not I can test that it is working well :p. My email address is julienf.collin@gmail.com Geohot, if you want to contact me, mail me, use google talk (either via gmail or via iChat for mac) or this address as a Windows Live Messenger. BTW, I sent you a 10 US$ donation for the bootloader 4.6 software unlock(s) and all your work.
In theory, if the DFU exploit still works, that is only half the battle. We can't just go of Pwning and QuickPwning willy nilly. Someone will need to create a special ramdisk that can chainload OpeniBoot and decrypt the keys and IVs. From there, we can pwn, and we can patch the kernel for hardware AES access. Then it will be nothing but smooth sailing. -Chronic
 
   
  +
i have a 2g touch. I tried to upload an old iBSS but I get 'Memory image not valid' when I try to run it. Any ideas?
I agree that there must be more than one exploit that devteam has in their SVN or whatever. As Chronic said, you never know when a new iPhone revision will come out: months, years, or possibly never. Also devteam will piss off a lot of faithful touch users if they decide not to work on touch2 or say they are waiting for a third gen iphone before they use the exploit. Would be interesting to hear from some devteam members on this (**cough** MuscleNerd **cough**)...
 
--[[User:Cool name|Cool name]] 20:32, 11 September 2008 (UTC)
 
 
== hold on there ==
 
 
we dont 'know' 100% there is a new exploit, it is just very likely. even with that, there is still the fact of actually discovering it. My point was that there are probably a lot more undiscovered exploits, so plz dont go bothering the devteam about this :P
 

Latest revision as of 21:07, 6 October 2015

Anyone got one? ~geohot

Cool, didn't realize I could download the new Touch fw.

You have a decrypted copy of iBSS in \iPod2,1_2.1.1_5F138_Restore\Firmware\dfu\iBSS.n72ap.RELEASE.dfu

I'm almost sure the DFU exploit is still there, because the DFU file is still 89001. Use my iBoot patch to patch that iBSS and run the AES engine straight from iBoot. Use iran to upload the patched version.

okay now

Is the DFU exploit there? Test it using "iran", not iTunes. If not, then we are up against something. Otherwise, why the long talk page?

assuming the DFU exploit is still there...

1. Do the old iBSSes and iBECs run(with exploit)? If so, you are done, just use my iBoot patches to run the AES engine right from iBoot. No chainloading required.

2. The DFUs all weren't encrypted on the iPhone firmware, including the iBSS and iBEC ones. Still true? Then theres iBoot.

assuming the DFU exploit is gone...

1. If the old iBoots run(without exploit, from normal DFU), run 1.1.4 and use the diags exploit to strap into a patched iBoot.

questions

that actually would make a lot of sense. the only thing is, would new code be needed to decrypt the kbags, or business as usual since it is just a gid key change? i would think it is the later but im no crypto genius so i cant be too sure.

I know the jist of how the diags exploit works, but how exactly would i strap on another iBoot. basically, do you have code handy for that? preferably in the form of already laid out 'mw's so that i can just copy and paste :P but thats asking too much. in all seriousness, please let me know if you do as i paln on picking one up soon.

wait!

Although it for some strange reason parses 8900 files, I just realized...they could have just fixed the bootrom stack overflow, and kept parsing intact for whatever reason...

i have one

i have the 2g touch if anyone wants me to do any testing. I use a mac, if you need to contact me email me at fiftyfour123@gmail.com cuz i won't be checking this page.

I got one too. I'll have to stop using it before November since I'll give it as a birthday present, but not I can test that it is working well :p. My email address is julienf.collin@gmail.com Geohot, if you want to contact me, mail me, use google talk (either via gmail or via iChat for mac) or this address as a Windows Live Messenger. BTW, I sent you a 10 US$ donation for the bootloader 4.6 software unlock(s) and all your work.

i have a 2g touch. I tried to upload an old iBSS but I get 'Memory image not valid' when I try to run it. Any ideas?