Difference between revisions of "N72AP"

From The iPhone Wiki
(42 intermediate revisions by 14 users not shown)
Old revision:

This is the 2nd Generation iPod Touch

Model: n72ap

Application Processor (OS Chip): s5l8720x

== Decryption of it's Ramdisks, iBoot, LLB, Kernel, and friends ==

The application processor has a new [[GID]] key in it, so you can't decrypt kbags from it on any other device than itself. So, you pretty much will not even be able to make a pwned IPSW, let alone decrypt the RootFS, unless a low level (like, bootrom/kernel/iBoot) exploit is found. From there, it can be used to run code to decrypt the kbags so that we can in turn decrypt the files, and then to run code to actually pwn the device.

== Bootrom exploit = No Go ==

DFU in the iPod Touch 2 is now [[0x1227]], so basically they took the patched up WTF and burned it into the bootrom, meaning the bootrom stack overflow is a no go...other methods are being tested though, no word on if they work yet...

== Notes ==

-It has a new [[GID]] key.

-[[iBoot]] seems to map itself at 0xFF00000.

-[[LLB]] is encrypted, which is new.

-The s5l8900 [[WTF]] is still in the firmware strangely enough, but there is no [[n72ap]] WTF.

-It uses the same [[KBAG]] method, but as previously stated, it has a new [[GID]] key so nothing can be decrypted at the time without allowing unsigned code.

==Internals==

<i>See: [[n72ap (Internals)]]</i> - Remarkably it has a Bluetooth Chip, shown by iFixit, but apparently it may only be used for Rf transmission to the Nike+ kit.

==Device IDs==

'''0x1227''' = DFU Mode (Basically WTF 2.0 burned into bootrom)<br>

'''0x1281''' = Recovery Mode (iBEC) as well as the iBSS used when communicating with DFU mode

==Communication with DFU==

# Put the device in DFU mode.
# Upload the iBSS found in the firmware ipsw to DFU.
# Unplug the device from the USB cable, wait a little bit, and the screen should turn white. At this point, plug it back in.
# Spawn a shell with it, to clarify, you can use anything that can talk to 0x1281 (Recovery Mode 2.0), as DFU mode itself can only let you upload files to it and does not allow commands to be sent to it.
# Do a test command to make sure everything is properly working. For example, type 'bgcolor 255 0 0' without the 's and the screen of the device should turn from white to red
# If the screen color changes, congrats, you can now communicate with the iPod Touch 2G at DFU level :)

===Implementation===

A tool called 'iRecovery' is in the works. When finished, it will most likely be released with source. All that we need to do is get two things working:

# We need to be able to have two way communication with 0x1281. This will allow us to talk to iBSS and receive a response, so if something isn't working we will know why
# Fix uploading files to 0x1281 feature, if it is broken (we don't know, because we can't yet get a response from 0x1281 to see what our problem is

The command list will be as follows:<br>

'''./iRecovery -f <file>''' - Send a file to 0x1227 (DFU 2.0)

'''./iRecovery -s''' - Spawn a shell with 0x1281 (If you are in DFU, remember to follow the above steps to be able to actually spawn the shell)

'''./iRecovery -b <file>''' - Send a file to 0x1281 (Could be broken)

New revision:

[[File:iPod touch (2nd generation).png|thumb|right|iPod touch (2nd generation)]]

This is the second generation [[List of iPod touches|iPod touch]]. It has two different [[bootrom]] revisions.

'''Model''': N72AP

'''Application Processor (OS Chip)''': [[S5L8720]]

The name used in firmware is iPod2,1.

==Hardware==

See the [[S5L8720 (Hardware)]] for hardware details

==Device IDs==

'''0x1227''' = [[DFU Mode]] 2.0 (Basically WTF 2.0 burned into bootrom)

'''0x1281''' = [[Recovery Mode]] 2.0 ([[iBEC]]/[[iBSS]]/[[iBoot (Bootloader)|iBoot]])

'''0x1293''' = Normal Mode (comm with [[iTunes]] / MobileDev framework)

==Exploits==

See the [[S5L8720]] page for all known exploits

==Links==

* [http://www.ifixit.com/Guide/First-Look/iPod/iPod-Touch-2G iFixit page for iPod touch 2nd Generation]

[[Category:Devices]]
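Review bot: the old revision's ==Communication with DFU== procedure and its ===Implementation=== section with the iRecovery command list (./iRecovery -f, -s, -b) are removed outright, and neither the new ==Exploits== nor ==Links== section says where that material went; if it was moved to the [[S5L8720]] page, link it from there explicitly, and if it was dropped as obsolete, say so in the edit summary. Style point on the new ==Hardware== line: 'See the [[S5L8720 (Hardware)]] for hardware details' is missing a noun after the link ('page') and a full stop.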

Latest revision as of 21:10, 21 March 2017

iPod touch (2nd generation)

This is the second generation iPod touch. It has two different bootrom revisions.

Model: N72AP

Application Processor (OS Chip): S5L8720

The name used in firmware is iPod2,1.

Hardware

See the S5L8720 (Hardware) page for hardware details.

Device IDs

0x1227 = DFU Mode 2.0 (Basically WTF 2.0 burned into bootrom)

0x1281 = Recovery Mode 2.0 (iBEC/iBSS/iBoot)

0x1293 = Normal Mode (comm with iTunes / MobileDev framework)
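As an added example, not code from the wiki page, the mode table above turned into a host-side check over `lsusb` output: it parses the standard `Bus … Device …: ID vvvv:pppp` line format of usbutils (an assumption about the input format), keeps only devices with Apple's USB vendor ID 0x05ac (a well-known constant that the page itself does not state), and maps the product ID to the mode listed above. That is a quick way to tell from the host whether an attached iPod is sitting in DFU, recovery or normal mode. The sample `lsusb` lines, including the Apple device with PID 0x1111, are constructed for the example.

```python
import re
from typing import List, Tuple

# Apple's USB vendor ID (well-known constant; assumption, not stated on the page).
APPLE_VID = 0x05AC

# Product IDs and the boot modes they correspond to, as listed on the page.
MODE_BY_PID = {
    0x1227: "DFU Mode 2.0",
    0x1281: "Recovery Mode 2.0 (iBEC/iBSS/iBoot)",
    0x1293: "Normal Mode (iTunes / MobileDevice framework)",
}

# Matches one line of `lsusb` output, e.g.
# "Bus 001 Device 004: ID 05ac:1227 Apple, Inc."
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})",
    re.IGNORECASE,
)


def classify_apple_devices(lsusb_output: str) -> List[Tuple[str, str, int, str]]:
    """Return (bus, device, pid, mode) for every Apple device in lsusb output.

    Non-Apple devices are skipped. Apple devices whose PID is not one of the
    three modes documented on the page are reported as 'unknown Apple PID'
    rather than guessed at.
    """
    found = []
    for line in lsusb_output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue  # not an lsusb device line
        vid = int(m.group("vid"), 16)
        if vid != APPLE_VID:
            continue  # some other vendor's device
        pid = int(m.group("pid"), 16)
        mode = MODE_BY_PID.get(pid, "unknown Apple PID")
        found.append((m.group("bus"), m.group("dev"), pid, mode))
    return found


# Constructed sample output: a root hub, three Apple devices in the three
# documented modes, and one Apple device with a PID the page does not list.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 05ac:1227 Apple, Inc.
Bus 001 Device 005: ID 05ac:1281 Apple, Inc.
Bus 002 Device 003: ID 05ac:1293 Apple, Inc.
Bus 002 Device 006: ID 05ac:1111 Apple, Inc.
"""

if __name__ == "__main__":
    for bus, dev, pid, mode in classify_apple_devices(SAMPLE_LSUSB):
        print(f"bus {bus} dev {dev}: PID 0x{pid:04x} -> {mode}")
```

On a live system, feed it `subprocess.check_output(["lsusb"], text=True)` instead of the constructed sample; a device reporting 0x1227 or 0x1281 when it should be in normal use is worth a closer look, since those modes only accept uploads from the host and never show up during ordinary syncing.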

Exploits

See the S5L8720 page for all known exploits.

Links