Research: Pwnage Patches
If you have IDA Pro and you are at least semi-handy with ARM please contribute :)
Thanks to CPICH for helping out!
There are three core patches in Pwnage.
The first, the rsaCheck patch, is simple. This is the default, unpatched code:
ROM:00002636 _fail                       ; CODE XREF: rsaCheck+3C↑j
ROM:00002636                             ; rsaCheck+84↑j
ROM:00002636                             ; rsaCheck+A0↑j
ROM:00002636                             ; rsaCheck+B4↑j
ROM:00002636                             ; rsaCheck+F0↑j
ROM:00002636                             ; rsaCheck+100↑j
ROM:00002636                             ; rsaCheck+10C↑j
ROM:00002636                             ; rsaCheck+110↑j
ROM:00002636                             ; rsaCheck+118↑j
ROM:00002636                             ; rsaCheck+11C↑j ...
ROM:00002636 454 01 20                   MOVS    R0, #1
ROM:00002638 454 40 42                   NEGS    R0, R0
Now, all that they do is change the "40 42" you see at 0x2638 to "00 20" (negs r0,r0 -> movs r0,#0), so the failure path of rsaCheck returns 0 instead of -1.
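To make the patch concrete, here is an added example (not from the original page) that decodes the two Thumb encodings in the _fail stub, simulates what the stub leaves in R0, and checks whether an image's rsaCheck failure path still returns -1; the offset and byte values come from the listing above, the image itself is constructed filler.

```python
# Added example: decode/simulate rsaCheck's _fail stub and verify it is unpatched.
# Offsets and bytes are from the listing above; the ROM image below is constructed.
import struct

FAIL_STUB_OFFSET = 0x2636  # address of _fail in the listing above


def decode_thumb16(word: int) -> str:
    """Decode the two 16-bit Thumb encodings that make up the _fail stub."""
    if word >> 11 == 0b00100:                 # MOVS Rd, #imm8  (001 00 ddd iiiiiiii)
        return f"MOVS R{(word >> 8) & 7}, #{word & 0xFF}"
    if word >> 6 == 0b0100001001:             # NEGS Rd, Rm     (0100001001 mmm ddd)
        return f"NEGS R{word & 7}, R{(word >> 3) & 7}"
    return f"UNKNOWN 0x{word:04X}"


def simulate_fail_stub(code: bytes) -> int:
    """Run the MOVS/NEGS sequence on R0..R7 and return R0 as a signed 32-bit value."""
    regs = [0] * 8
    for (word,) in struct.iter_unpack("<H", code):
        if word >> 11 == 0b00100:
            regs[(word >> 8) & 7] = word & 0xFF
        elif word >> 6 == 0b0100001001:
            regs[word & 7] = (-regs[(word >> 3) & 7]) & 0xFFFFFFFF
        else:
            raise ValueError(f"unsupported encoding 0x{word:04X}")
    r0 = regs[0]
    return r0 - (1 << 32) if r0 & 0x80000000 else r0


def fail_path_intact(image: bytes, offset: int = FAIL_STUB_OFFSET) -> bool:
    """True if rsaCheck's failure stub still returns -1, i.e. has not been patched."""
    return simulate_fail_stub(image[offset:offset + 4]) == -1


def build_image(patched: bool) -> bytes:
    """Constructed stand-in for a ROM image: 0xFF filler plus the 4-byte _fail stub."""
    stub = bytes.fromhex("0120" + ("0020" if patched else "4042"))
    return b"\xff" * FAIL_STUB_OFFSET + stub + b"\xff" * 16


if __name__ == "__main__":
    for patched in (False, True):
        img = build_image(patched)
        stub = img[FAIL_STUB_OFFSET:FAIL_STUB_OFFSET + 4]
        asm = "; ".join(decode_thumb16(w) for (w,) in struct.iter_unpack("<H", stub))
        print(f"patched={patched}: {asm} -> R0={simulate_fail_stub(stub)} "
              f"intact={fail_path_intact(img)}")
```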
The second patch, to iBoot, simply patches "secure-root-prefix" and "function-disable_keys". It seems that you could bypass this patch by simply patching the iBoot flags to 0xffffffff, but I have personally never verified that the decrypted KBAG was correct, so anyone who is feeling adventurous and wants to verify, please do.
Haven't really looked into this too far, but I know that the kernel is patched for codesign, as well as a write and execution patch to allow add-ons such as MobileSubstrate to execute on / at the kernel.