Difference between revisions of "Talk:TinyUmbrella"
− Didn't he used to support Linux? --[[User:JacobVengeance|JakeAnthraX]] 19:59, 7 May 2011 (UTC)
− :Not that I know of. --[[User:Balloonhead66|Balloonhead66]] 21:56, 15 July 2011 (UTC)
− :The JAR file is in the Mac .app file (right-click>show package contents), wouldn't that work (sort of) with Linux? --[[User:Rdqronos|rdqronos]] 20:02, 18 July 2011 (MDT)

== Restore / downgrade iPad 2 GSM without baseband ==

− Does anybody know details on how semaphore does a TSS downgrade of an [[
+ Does anybody know details on how semaphore does a TSS downgrade of an [[K94AP|iPad 2 (GSM)]] firmware, without modifying the baseband and without running into a recovery loop? (see [http://cl.ly/2i151c3x1C3z3W2i0l0q this screenshot]) The latest TinyUmbrella release supports such downgrades and there is no bootrom exploit that would allow a kick out of recovery. I thought such a downgrade was possible by getting the [[SHSH]] from the local backup and the baseband SHSH from Apple (because of the nonce problem). As long as Apple signs the same baseband, even a baseband downgrade from an iOS 5 beta baseband would be possible. Or, in the more common case, a complete restore from iOS 4.3.4 to 4.3.3 (including baseband). But TinyUmbrella doesn't even try to change the baseband, so his method must be totally different. He also tweeted me "it is WAY more complicated". Does anybody know more? --[[User:Http|http]] 06:13, 20 July 2011 (MDT)

== Source ==

Where is the source of TinyUmbrella? --[[User:XiiiX|XiiiX]] 16:46, 14 August 2011 (MDT)

− :Take the Mac (.PKG) file and look at the contents. I am on Windows, so I extracted it to a sub-dir and navigated to a file called <tt>Payload</tt> and extracted that to get <tt>Payload~</tt>. Extracted that to get the app, and then the .class files are just Java files that can be decompiled with any free Java decompiler. PS, I used 7-Zip for extraction... --[[User:
+ :Take the Mac (.PKG) file and look at the contents. I am on Windows, so I extracted it to a sub-dir and navigated to a file called <tt>Payload</tt> and extracted that to get <tt>Payload~</tt>. Extracted that to get the app, and then the .class files are just Java files that can be decompiled with any free Java decompiler. PS, I used 7-Zip for extraction... --[[User:5urd|5urd]] 20:10, 14 August 2011 (MDT)

== Recovery ==

:::::So, no execution with the DLL through CMD? --[[User:Dylan Laws|Dylan Laws]] 14:41, 22 January 2012 (MST)

::::::You can't execute DLLs; you have to get the MobileDevice header, include it in your application and then link against the DLL. --[[User:Rud0lf77|rud0lf77]] 15:55, 22 January 2012 (MST)

− ::::::Make a C# app, and add

− using System;
− using System.Runtime.InteropServices;

− [StructLayout(LayoutKind.Sequential)]
− unsafe struct am_device
− {
−     public fixed byte unknown0[16];   /* 0 - zero */
−     public uint device_id;            /* 16 */
−     public uint product_id;           /* 20 - set to AMD_IPHONE_PRODUCT_ID */
−     public IntPtr serial;             /* 24 - set to UDID, Unique Device Identifier (char * in the C header) */
−     public uint unknown1;             /* 28 */
−     public uint unknown2;             /* 32 - reference counter, increased by AMDeviceRetain, decreased by AMDeviceRelease */
−     public uint lockdown_conn;        /* 36 */
−     public fixed byte unknown3[8];    /* 40 */
−     public uint unknown4;             /* 48 - used to store CriticalSection Handle */
−     public fixed byte unknown5[24];   /* 52 */
− }

− static unsafe class Program
− {
−     /* mach_error_t is a plain int; the DLL path placeholder is left as posted */
−     [DllImport("{ABSOLUTEPATHTODLL}")]
−     public static extern int AMDeviceEnterRecovery(am_device* device);

−     public static void Main(string[] args)
−     {
−         am_device am = new am_device();
−         am.device_id = ...
−         AMDeviceEnterRecovery(&am);
−     }
− }
− ::::::--[[User:5urd|5urd]] 17:22, 22 January 2012 (MST)
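An added layout check, not code from the thread, from TinyUmbrella or from iTunes: the struct posted above with the poster's commented offsets, compared against where a C compiler actually places each field. A mismatch between the two is the first thing to rule out before handing such a struct across a DLL boundary, and the posted offsets only add up on a 32-bit build (4-byte pointer at offset 24). The library itself is not needed to run it.

```c
#include <stddef.h>
#include <stdio.h>

/* struct am_device as posted in the thread above. The offsets in the comments
 * are the poster's and only hold for a 32-bit build (4-byte char *serial).
 * This is an added layout check, not TinyUmbrella or iTunes code. */
struct am_device {
    unsigned char unknown0[16];  /* posted offset 0  */
    unsigned int  device_id;     /* posted offset 16 */
    unsigned int  product_id;    /* posted offset 20 */
    char         *serial;        /* posted offset 24 */
    unsigned int  unknown1;      /* posted offset 28 */
    unsigned int  unknown2;      /* posted offset 32 */
    unsigned int  lockdown_conn; /* posted offset 36 */
    unsigned char unknown3[8];   /* posted offset 40 */
    unsigned int  unknown4;      /* posted offset 48 */
    unsigned char unknown5[24];  /* posted offset 52 */
};

#define OFF(f) offsetof(struct am_device, f)
static const char  *names[10]  = { "unknown0", "device_id", "product_id", "serial",
    "unknown1", "unknown2", "lockdown_conn", "unknown3", "unknown4", "unknown5" };
static const size_t posted[10] = { 0, 16, 20, 24, 28, 32, 36, 40, 48, 52 };
static const size_t actual[10] = { OFF(unknown0), OFF(device_id), OFF(product_id),
    OFF(serial), OFF(unknown1), OFF(unknown2), OFF(lockdown_conn), OFF(unknown3),
    OFF(unknown4), OFF(unknown5) };

/* Number of fields the compiler places somewhere other than the posted offset
 * (0 on a 32-bit target; every field after serial shifts by 4 on 64-bit). */
int am_device_layout_mismatches(void) {
    int bad = 0;
    for (int i = 0; i < 10; i++)
        if (actual[i] != posted[i]) {
            printf("%-13s posted %2zu, actual %2zu\n", names[i], posted[i], actual[i]);
            bad++;
        }
    return bad;
}

/* Size the struct has under this compiler, for comparison with the 76 bytes
 * the posted layout adds up to. */
size_t am_device_size(void) { return sizeof(struct am_device); }

int main(void) {
    int bad = am_device_layout_mismatches();
    printf("%d mismatching field(s), sizeof = %zu (posted layout: 76)\n",
           bad, am_device_size());
    return bad != 0;   /* non-zero exit: do not hand this struct to the DLL */
}
```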
Latest revision as of 09:46, 29 March 2017
== Restore / downgrade iPad 2 GSM without baseband ==

Does anybody know details on how semaphore does a TSS downgrade of an iPad 2 (GSM) firmware, without modifying the baseband and without running into a recovery loop? (see this screenshot) The latest TinyUmbrella release supports such downgrades and there is no bootrom exploit that would allow a kick out of recovery. I thought such a downgrade was possible by getting the SHSH from the local backup and the baseband SHSH from Apple (because of the nonce problem). As long as Apple signs the same baseband, even a baseband downgrade from an iOS 5 beta baseband would be possible. Or, in the more common case, a complete restore from iOS 4.3.4 to 4.3.3 (including baseband). But TinyUmbrella doesn't even try to change the baseband, so his method must be totally different. He also tweeted me "it is WAY more complicated". Does anybody know more? --http 06:13, 20 July 2011 (MDT)
== Source ==

Where is the source of TinyUmbrella? --XiiiX 16:46, 14 August 2011 (MDT)

:Take the Mac (.PKG) file and look at the contents. I am on Windows, so I extracted it to a sub-dir and navigated to a file called Payload and extracted that to get Payload~. Extracted that to get the app, and then the .class files are just Java files that can be decompiled with any free Java decompiler. PS, I used 7-Zip for extraction... --5urd 20:10, 14 August 2011 (MDT)
== Recovery ==

Does anybody know how TU puts the device into recovery mode? And how to go from recovery to DFU? --Dylan Laws 01:18, 22 January 2012 (MST)

:The iTunes MobileDevice Library has a function to put the device into Recovery Mode. --rud0lf77 08:36, 22 January 2012 (MST)

::Do you know the command? --Dylan Laws 12:32, 22 January 2012 (MST)

:::Learn Java, decompile the Java scripts, examine. done :) --5urd 13:47, 22 January 2012 (MST)

::::In the Headers of MobileDevice Library you can find: AMDeviceEnterRecovery, have fun with it. --rud0lf77 14:12, 22 January 2012 (MST)

:::::So, no execution with the DLL through CMD? --Dylan Laws 14:41, 22 January 2012 (MST)

::::::You can't execute DLLs; you have to get the MobileDevice header, include it in your application and then link against the DLL. --rud0lf77 15:55, 22 January 2012 (MST)