Difference between revisions of "Redsn0w Lite"

From The iPhone Wiki
Jump to: navigation, search
m
m (Fix dialexio's typo)
Line 1: Line 1:
This is the [[dev team|iPhone Dev Team's]] tethered jailbreak ("redsn0w-lite") for the [[n72ap|iPod rouch 2G]]. It is their payload for the [[ARM7 Go]] backdoor. It's analagous to how [[yellowsn0w]] is the actual unlocking payload injected by the [[at+stkprof]] exploit in baseband 02.28.00.
+
This is the [[dev team|iPhone Dev Team's]] tethered jailbreak ("redsn0w-lite") for the [[n72ap|iPod touch 2G]]. It is their payload for the [[ARM7 Go]] backdoor. It's analagous to how [[yellowsn0w]] is the actual unlocking payload injected by the [[at+stkprof]] exploit in baseband 02.28.00.
   
 
==What it does==
 
==What it does==

Revision as of 18:46, 3 February 2011

This is the iPhone Dev Team's tethered jailbreak ("redsn0w-lite") for the iPod touch 2G. It is their payload for the ARM7 Go backdoor. It's analagous to how yellowsn0w is the actual unlocking payload injected by the at+stkprof exploit in baseband 02.28.00.

What it does

For the most part, it is a nicely optimized payload that does the same essential patches as 0wnboot, those patches being the signature check patch and the range check patch. Its compactness lends itself nicely to the "run" command and the eight-byte serial payload issued by the example iPod touch 2G dongle

Disassm

ROM:00000000                LDR     R3, =0xA1F10F   ; flipped:
ROM:00000000                                        ; 0x0FF1A100
ROM:00000004                MOV     R2, #0x2000
ROM:00000008                STRH    R2, [R3,#0x34]  ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134
ROM:00000008                                        ; this is usually the part of the sigcheck routine that
ROM:00000008                                        ; would be jumped to if there was an error, so this
ROM:00000008                                        ; just pretty much makes it return 0, saying everything
ROM:00000008                                        ; went OK, versus -1, saying there was an error
ROM:0000000C                LDR     R3, =0xFFAFF20F ; flipped:
ROM:0000000C                                        ; 0x0FF2AFFF
ROM:00000010                MOVL    R2, 0xFFFFFFFF
ROM:00000014                STR     R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0
ROM:00000014                                         ; this patches the iboot flags to allow no range check,
ROM:00000014                                         ; no permission check for restricted commands, aes gid
ROM:00000014                                         ; and uid key are not restricted by devtree at boot so
ROM:00000014                                         ; you can decrypt kbags with xpwn crypto bundle with
ROM:00000014                                         ; no devtree patch needed, and more. basically tricks
ROM:00000014                                         ; your device into thinking it is an engineering device
ROM:00000018
ROM:00000018     spin                                ; CODE XREF: ROM:spin�j
ROM:00000018                B       spin
ROM:00000018     ; ---------------------------------------------------------------------------
ROM:0000001C     dword_1C        DCD 0xA1F10F        ; DATA XREF: ROM:00000000�r
ROM:0000001C                                         ; flipped:
ROM:0000001C                                         ; 0x0FF1A100
ROM:00000020     dword_20        DCD 0xFFAFF20F      ; DATA XREF: ROM:0000000C�r
ROM:00000020     ; ROM           ends                ; flipped:
ROM:00000020                                         ; 0x0FF2AFFF

Source

typedef volatile unsigned int vu32;
typedef volatile unsigned short vu16;
typedef volatile unsigned char vu8;

#define A_CHECK_SIGN 0x0FF1A134        // sigcheck loc
#define A_CHECK_PERM 0x0FF2ADC0        // ib flags loc

void redsn0w(void) {
  *(vu16 *)A_CHECK_SIGN = 0x2000;      // pwnage
  *(vu32 *)A_CHECK_PERM = 0xffffffff;  // permissions
  while(1);
}

Links

redsn0w Website