Talk:N72AP

From The iPhone Wiki
Revision as of 02:19, 11 September 2008 by Cool name (talk | contribs)

"- It has a new GID key.
- iBoot seems to map itself at 0xFF00000.
- LLB is encrypted, which is new.
- The s5l8900 WTF is still in the firmware strangely enough, but there is no n72ap WTF.
- It uses the same KBAG method, but as previously stated, it has a new GID key so nothing can be decrypted at the time without allowing unsigned code."

Few questions... the S5L8900 WTF is an 8900 file. Is it encrypted with the old 0x837 key derived from the old GID key, or with the new keys? Also, my theory is that if the DFU exploit still exists in the new touch, we can send an exploited WTF and from there send a patched iBoot; we could possibly get iBooter or openiBoot working, and we could decrypt the KBAGs. Are there any problems with this theory?

problems

1. We can't send a patched iBoot without first being able to run code to decrypt the new KBAGs. If the bootrom exploit still indeed exists, then this will definitely be doable.

2. I doubt the bootrom exploit is still there. Highly.

3. The s5l WTF file is not encrypted, just compressed. If you decide to use 8900decryptor, then it will recognize this and do the work for you.

4. If you can get an iBooter or an implementation of it for 2.*, let me know. The iBEC is not encrypted, and that would surely suffice for the purpose that you speak of. But I have some reason to believe that, for some reason, the iPod Touch 2 can be downgraded to an iPod Touch firmware. The reasoning behind this is that it has a totally new application processor, yet for reasons unknown, there is still support for 8900 files in it. As many know from clues hidden in firmwares dating back to 1.2 (the first build of 2.0, made available in March), 8900 encryption was used. I would have thought by now Apple would have re-written it to not have legacy 8900 support. But who knows... I may try to snag one and play around with it if that freeiphonetrade site, or whatever it is called, actually is legit.

interesting...

Ok Chronic, cool. So if we can get iBooter working (on the touch second gen), then we can send a patched iBEC and from there decrypt the KBAGs on the actual touch2 hardware with iBooter. Then we could decrypt the ramdisk and rootfs and get on our way with a jailbreak. Also, with your point about downgrading, if you are correct then we should be able to (possibly) downgrade the touch2 to 1.1.4 and use iBooter/openiBoot with no problem? I have a feeling the only problem with that would be that iTunes 8 will forbid even a DFU downgrade to 1.1.4, so we would either have to downgrade to iTunes 7.5 with the touch2 drivers still intact and then restore from there. That being said, I bet the only way a downgrade to 1.1.4 would work would be with a patched WTF and the DFU exploit not fixed by Apple in the touch2. Should be an interesting few months for the devteam, assuming they even try to work on the touch2. Maybe we should talk to planetbeing regarding iBooter/openiBoot in 2.1...

Can a patched iBEC be accepted by an unexploited stock iPod touch2? I doubt it. - CPICH

Yeah, that's what Chronic ended up telling me in IRC. He thinks now we need another exploit for iBoot in order to run unsigned code. We'll see what DevTeam has for us... that's assuming they even try to work on the iPod touch second gen.