Talk:N72AP

From The iPhone Wiki
Revision as of 18:30, 11 September 2008 by ChronicDev (talk | contribs) (but: new section)

"-It has a new GID key. -iBoot seems to map itself at 0xFF00000. -LLB is encrypted, which is new. -The s5l8900 WTF is still in the firmware strangely enough, but there is no n72ap WTF. -It uses the same KBAG method, but as previously stated, it has a new GID key so nothing can be decrypted at the time without allowing unsigned code."

A few questions... the S5L8900 WTF is an 8900 file. Is it encrypted with the old 0x837 key derived from the old GID key, or with the new keys? Also, my theory is that if the DFU exploit still exists in the new touch, we can send an exploited WTF and from there send a patched iBoot; we could possibly get iBooter or openiBoot working, and we could decrypt the KBAGs. Are there any problems with this theory?

problems

1. We can't send a patched iBoot without first being able to run code to decrypt the new KBAGs. If the bootrom exploit does indeed still exist, then this will definitely be doable.

2. I doubt the bootrom exploit is still there. Highly.

3. The s5l WTF file is not encrypted, just compressed. If you decide to use 8900decryptor then it will recognize this and do the work for you.

4. If you can get an iBooter or implementation of it for 2.*, let me know. The iBEC is not encrypted and that would surely suffice for the purpose that you speak of. But I have some reason to believe that for some reason the iPod Touch 2 can be downgraded to an iPod Touch firmware. The reasoning behind this is that it has a totally new application processor, yet for reasons unknown, there is still support for 8900 files in it. As many know from clues hidden in firmwares dating back to 1.2 (The first build of 2.0, made available in March), 8900 encryption was used. I would have thought by now Apple would have re-written it to not have legacy 8900 support. But who knows...I may try to snag one and play around with it if that freeiphonetrade site or whatever it is called actually is legit.

interesting...

Ok Chronic, cool. So if we can get iBooter working (on the touch second gen), then we can send a patched iBEC and from there decrypt the KBAGs on the actual touch 2 hardware with iBooter. Then we could decrypt the ramdisk and rootfs and get on our way with a jailbreak. Also, regarding your point about downgrading, if you are correct then we should be able to (possibly) downgrade the touch 2 to 1.1.4 and use iBooter/openiBoot with no problem? I have a feeling the only problem with that would be that iTunes 8 will forbid even a DFU downgrade to 1.1.4, so we would have to downgrade to iTunes 7.5 with the touch 2 drivers still intact and then restore from there. That being said, I bet the only way a downgrade to 1.1.4 would work would be with a patched WTF and the DFU exploit not fixed by Apple in the touch 2. Should be an interesting few months for the devteam, assuming they even try to work on the touch 2. Maybe we should talk to planetbeing regarding iBooter/openiBoot in 2.1...

Can a patched iBEC be accepted by an unexploited stock iPod touch 2? I doubt it. - CPICH

Yeah, that's what Chronic ended up telling me in IRC. He thinks now we need another exploit for iBoot in order to run unsigned code. We'll see what DevTeam has for us... that's assuming they even try to work on the iPod touch second gen... - Cool name

Also, though, think about the big picture... if an iPod touch 2G exploit is found (that isn't the same DFU exploit as in iPhone 1G/2G and iPod touch 1G), is that better used on that iPod touch 2G... or sat upon until the next iPhone hardware revision? - MuscleNerd

use it on the ipod

If an exploit is found/has already been found on the iPhone 1G/2G/iPod touch 1G, it should be released for the new iPod touch. It will make many people very happy with you, instead of using it on the next iPhone, which may not be released for another year or two. However, if the DFU exploit still works on the iPod touch 2G, then don't bother burning another exploit. Just my thoughts... - Cool Name

I don't agree on this. Think about it: the purpose for jailbreaking an iPhone (unlocking it or using a SIM proxy) is greater than that for an iPod touch, especially now that the AppStore is open. I second waiting for the next iPhone if a good hardware exploit is found. -Rekoil 17:26, 11 September 2008 (UTC)

but

Who knows when a new iPhone rev will be out? Nobody but Apple. A new one may never come out. Plus, I strongly doubt that there is only one exploit left. There are always more. Not only that, but there is a chance of even more when new features are added.

In theory, if the DFU exploit still works, that is only half the battle. We can't just go off Pwning and QuickPwning willy-nilly. Someone will need to create a special ramdisk that can chainload OpeniBoot and decrypt the keys and IVs. From there, we can pwn, and we can patch the kernel for hardware AES access. Then it will be nothing but smooth sailing.