Talk:Usb control msg(0xA1, 1) Exploit

From The iPhone Wiki
Jump to: navigation, search

Is this even suppose to be here? :S

iH8sn0w 00:31, 21 September 2010 (UTC)

Pod2g posted it himself so I don't see much of a problem for it as it doesn't sound like it will work on new devices. --OMEGA_RAZER

So would this exploit lead to a tethered jailbreak or would it be untethered? --JacobVengeance 01:50, 21 September 2010 (UTC)

Tethered. This just allows unsigned code execution to be performed regardless of SHSH or model revision at the DFU/bootrom level. This is useful for redsn0w or blackra1n type hacks as they provide a quick and unclosable exploit to perform the actual jailbreak. Functionally, this replaces the need for sending 2.1.1 iBSS + iBEC to use Arm7Go or the 3.1.2 iBSS/iBEC (if that can even be done?) for that other USB control msg exploit in 3.1.2 iBoot. Iemit737 02:37, 21 September 2010 (UTC)

the new bootrom ipod touch 2g where ipod touch 3g so will this exploit work on ipod3g and iphone 3gs --liamchat 14:51, 21 September 2010 (UTC)

I don't completely understand your question, but no, this exploit will work on nothing other than the 2nd generation iPod touch (and is not particularly big news, since we can already run unsigned code on the second gen touch). AriX 18:01, 21 September 2010 (UTC)

Pod2g : I released this one because it's old devices only (Apple engineers already found and fixed it). The good thing about it, is that it's a way to execute unsigned assembly code easily in the context of the bootrom. Researchers can use it to explore the bootrom, try things, etc. Also, maybe it could be useful for iDroid ?

palz2015 : So could it be untethered using the exploit to run code that patches the kernel, and preform a userland-only jailbreak, just from DFU?

no because the exploit will replace the rdisk with a pwnd one ( that will fail the check ) and cydia will need to know how to use the exploit but you can re inject apple's rdisk --liamchat 18:55, 27 September 2010 (UTC)

What are you talking about? Filesystem modification causes no problems, dropping in a dylib, adding a daemon for a userland jailbreak and changing FStab is a fully functional jailbreak. Also cydia does not have knowledge of how to use any exploit... Iemit737 21:19, 30 September 2010 (UTC)

What is classified as a 'New Device'. Would an iPod Touch 2G with the 2nd revision of the S5L8720 bootrom be classified as a new device? --ac3xx 17:44, 30 September 2010 (UTC)

The second revision of the touch 2G does have this exploit, but no devices after that. Iemit737 21:19, 30 September 2010 (UTC)

But really, you could execute an unsigned ramdisk, have it patch the kernel at boot (so no recovery mode), and userland jailbreak. Untethered? --Palz 21:41, 30 September 2010 (UTC)

Where would this ramdisk come from that patches the kernel at boot?? Ramdisks only come from Recovery/DFU mode which is what SHAtter is all about. But if this ramdisk's purpose is just to drop in a dynamic library / binary you can convince iOS to execute that uses another userland exploit in some framework, then you would have an untethered jailbreak. Iemit737 21:46, 30 September 2010 (UTC)
You could do that. So long as you have an exploit (like this) and a payload, you can exploit, upload payload and then upload a pwned iBSS. Then, once in a pwned environment you can easily boot a pwned ramdisk with a userland jailbreak on it - no problem :) blackthund3r 06:14, 18 October 2010 (UTC)
Yeah, I mean use this, run the ramdisk, patch the kernel, it adds a daemon for jailbreame star or spirit to make it untethered. Like limera1n. --Palz 16:51, 18 October 2010 (UTC)
Oh yes you can do that - no problem xD - wonder if you could install an AFC2 service with it? blackthund3r 17:47, 3 November 2010 (UTC)

you don't need to Bootrom 240.4 and Bootrom 240.5.1 don't check SHSH so you can inject any copy of IBoot into the memory then run an old exploit to modify the kernel --liamchat 21:25, 18 October 2010 (UTC)

Might sound like a n00by question but how do u actually use it?? Can I use iRecovery? Or compile something with GNU ARM? I want to work on AES decryption stuff but I can't seem to work it out :S can anybody make it a little less technical? Thanks for any help possible :P blackthund3r 17:39, 3 November 2010 (UTC)

well the AES calling is different from using the exploit but I do remember the source codes of Iran and if you add this exploit data it Should work ( I think the padding that is sent for pwnage 2 Should be able to trigger the overflow ) then make a copy of IBSS that calles the AES --liamchat 23:28, 3 November 2010 (UTC)


Is this the Steaks4U exploit pod2g mentioned on twitter? --Rekoil 14:43, 18 October 2010 (UTC)

Yes. Look at article's history, last two edits by him. -- http 16:44, 18 October 2010 (UTC)