Difference between revisions of "Redsn0w Lite"
m (remove dead link)
(21 intermediate revisions by 8 users not shown)
Line 1:
+ | {{lowercase}} |
− | This is the [[dev team|iPhone Dev Team's]] jailbreak for the [[n72ap|iPod Touch 2G]]. It is their payload for the [[ARM7 Go]] exploit, like how [[yellowsn0w]] is the payload for the [[at+stkprof]] exploit. |
+ | This is the [[iPhone Dev Team]]'s tethered jailbreak ("redsn0w-lite") for the [[N72AP|iPod touch (2nd generation)]] on iPhone OS 2.1.1. It is their payload for the [[ARM7 Go]] backdoor. It's analagous to how [[yellowsn0w]] is the actual unlocking payload injected by the [[at+stkprof]] exploit in baseband [[02.28.00]]. |
− | == |
+ | ==What it does== |
+ | For the most part, it is a nicely optimized payload that does the same essential patches as [[0wnboot]], those patches being the signature check patch and the range check patch. Its compactness lends itself nicely to the "run" command and the eight-byte serial payload issued by the example iPod touch (2nd generation) dongle. |
− | [http://redsn0w.com/ Red Sn0w Website] |
+ | |||
+ | ===Disassm=== |
+ | <pre> |
+ | ROM:00000000 LDR R3, =0xA1F10F ; flipped: |
+ | ROM:00000000 ; 0x0FF1A100 |
+ | ROM:00000004 MOV R2, #0x2000 |
+ | ROM:00000008 STRH R2, [R3,#0x34] ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134 |
+ | ROM:00000008 ; this is usually the part of the sigcheck routine that |
+ | ROM:00000008 ; would be jumped to if there was an error, so this |
+ | ROM:00000008 ; just pretty much makes it return 0, saying everything |
+ | ROM:00000008 ; went OK, versus -1, saying there was an error |
+ | ROM:0000000C LDR R3, =0xFFAFF20F ; flipped: |
+ | ROM:0000000C ; 0x0FF2AFFF |
+ | ROM:00000010 MOVL R2, 0xFFFFFFFF |
+ | ROM:00000014 STR R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0 |
+ | ROM:00000014 ; this patches the iboot flags to allow no range check, |
+ | ROM:00000014 ; no permission check for restricted commands, aes gid |
+ | ROM:00000014 ; and uid key are not restricted by devtree at boot so |
+ | ROM:00000014 ; you can decrypt kbags with xpwn crypto bundle with |
+ | ROM:00000014 ; no devtree patch needed, and more. basically tricks |
+ | ROM:00000014 ; your device into thinking it is an engineering device |
+ | ROM:00000018 |
+ | ROM:00000018 spin ; CODE XREF: ROM:spin�j |
+ | ROM:00000018 B spin |
+ | ROM:00000018 ; --------------------------------------------------------------------------- |
+ | ROM:0000001C dword_1C DCD 0xA1F10F ; DATA XREF: ROM:00000000�r |
+ | ROM:0000001C ; flipped: |
+ | ROM:0000001C ; 0x0FF1A100 |
+ | ROM:00000020 dword_20 DCD 0xFFAFF20F ; DATA XREF: ROM:0000000C�r |
+ | ROM:00000020 ; ROM ends ; flipped: |
+ | ROM:00000020 ; 0x0FF2AFFF |
+ | </pre> |
+ | |||
+ | ==Source== |
+ | <pre> |
+ | typedef volatile unsigned int vu32; |
+ | typedef volatile unsigned short vu16; |
+ | typedef volatile unsigned char vu8; |
+ | |||
+ | #define A_CHECK_SIGN 0x0FF1A134 // sigcheck loc |
+ | #define A_CHECK_PERM 0x0FF2ADC0 // ib flags loc |
+ | |||
+ | void redsn0w(void) { |
+ | *(vu16 *)A_CHECK_SIGN = 0x2000; // pwnage |
+ | *(vu32 *)A_CHECK_PERM = 0xffffffff; // permissions |
+ | while(1); |
+ | } |
+ | </pre> |
+ | |||
+ | [[Category:Jailbreaks]] |
+ | [[Category:Jailbreaking]] |
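Review bot: "analagous" in the lead paragraph should read "analogous", and the STR comment in the Disassm block gives the flags address as "0xFF2ADC0" while the literal arithmetic (0x0FF2AFFF - 0x23F) and the Source block's A_CHECK_PERM both give 0x0FF2ADC0; restoring the leading zero keeps the two blocks consistent. The vu8 typedef in the Source block is unused and could be dropped.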
Latest revision as of 04:31, 17 March 2018
This is the iPhone Dev Team's tethered jailbreak ("redsn0w-lite") for the iPod touch (2nd generation) on iPhone OS 2.1.1. It is their payload for the ARM7 Go backdoor. It's analogous to how yellowsn0w is the actual unlocking payload injected by the at+stkprof exploit in baseband 02.28.00.
What it does
For the most part, it is a nicely optimized payload that does the same essential patches as 0wnboot, those patches being the signature check patch and the range check patch. Its compactness lends itself nicely to the "run" command and the eight-byte serial payload issued by the example iPod touch (2nd generation) dongle.
Disassm
<pre>
ROM:00000000 LDR R3, =0xA1F10F ; flipped:
ROM:00000000 ; 0x0FF1A100
ROM:00000004 MOV R2, #0x2000
ROM:00000008 STRH R2, [R3,#0x34] ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134
ROM:00000008 ; this is usually the part of the sigcheck routine that
ROM:00000008 ; would be jumped to if there was an error, so this
ROM:00000008 ; just pretty much makes it return 0, saying everything
ROM:00000008 ; went OK, versus -1, saying there was an error
ROM:0000000C LDR R3, =0xFFAFF20F ; flipped:
ROM:0000000C ; 0x0FF2AFFF
ROM:00000010 MOVL R2, 0xFFFFFFFF
ROM:00000014 STR R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0x0FF2ADC0
ROM:00000014 ; this patches the iboot flags to allow no range check,
ROM:00000014 ; no permission check for restricted commands, aes gid
ROM:00000014 ; and uid key are not restricted by devtree at boot so
ROM:00000014 ; you can decrypt kbags with xpwn crypto bundle with
ROM:00000014 ; no devtree patch needed, and more. basically tricks
ROM:00000014 ; your device into thinking it is an engineering device
ROM:00000018
ROM:00000018 spin ; CODE XREF: ROM:spin↑j
ROM:00000018 B spin
ROM:00000018 ; ---------------------------------------------------------------------------
ROM:0000001C dword_1C DCD 0xA1F10F ; DATA XREF: ROM:00000000↑r
ROM:0000001C ; flipped:
ROM:0000001C ; 0x0FF1A100
ROM:00000020 dword_20 DCD 0xFFAFF20F ; DATA XREF: ROM:0000000C↑r
ROM:00000020 ; ROM ends ; flipped:
ROM:00000020 ; 0x0FF2AFFF
</pre>
Source
<pre>
typedef volatile unsigned int vu32;
typedef volatile unsigned short vu16;
typedef volatile unsigned char vu8;

#define A_CHECK_SIGN 0x0FF1A134 // sigcheck loc: the NEGS R0, R0 halfword in iBoot's signature check
#define A_CHECK_PERM 0x0FF2ADC0 // ib flags loc: the iBoot flags word

void redsn0w(void) {
    *(vu16 *)A_CHECK_SIGN = 0x2000;     // pwnage: Thumb MOVS R0, #0, so the error path returns 0
    *(vu32 *)A_CHECK_PERM = 0xffffffff; // permissions: set every flag, disabling the range and permission checks
    while(1);                           // spin forever; the payload never returns
}
</pre>
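As an added check that reconciles the disassembly with the C source (this is not the wiki's or the Dev Team's code), the following byte-swaps the two "flipped" literal-pool words, applies the two store offsets, and decodes the 16-bit patch value as a Thumb instruction. The NEGS R0, R0 encoding 0x4240 used to exercise the decoder comes from the Thumb instruction set, not from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the page: literal-pool words as the listing shows them ("flipped"),
 * the two store offsets, and the C source's target addresses. */
#define LIT_SIGN     0x00A1F10Fu   /* dword_1C, shown as 0xA1F10F */
#define LIT_PERM     0xFFAFF20Fu   /* dword_20 */
#define OFF_SIGN     0x34          /* STRH R2, [R3,#0x34] */
#define OFF_PERM     (-0x23F)      /* STR  R2, [R3,#-0x23F] */
#define A_CHECK_SIGN 0x0FF1A134u
#define A_CHECK_PERM 0x0FF2ADC0u

/* Reverse byte order: the image is byte-swapped relative to how the ARM7
 * core reads it, which is what the listing's "flipped" means. */
uint32_t unflip(uint32_t w) {
    return (w >> 24) | ((w >> 8) & 0xFF00u) | ((w << 8) & 0xFF0000u) | (w << 24);
}

/* Effective address of a pre-indexed [Rn,#imm] store. */
uint32_t store_target(uint32_t base, int32_t off) { return base + (uint32_t)off; }

/* Decode the two Thumb-1 forms the patch touches: MOVS Rd,#imm8 (00100 ddd iiiiiiii)
 * and NEGS Rd,Rm (0100001001 mmm ddd). Returns 1 if recognised. */
int decode_thumb(uint16_t hw, char *out, size_t n) {
    if ((hw >> 11) == 0x04) {
        snprintf(out, n, "MOVS R%u, #%u", (unsigned)((hw >> 8) & 7), (unsigned)(hw & 0xFF));
        return 1;
    }
    if ((hw >> 6) == 0x109) {
        snprintf(out, n, "NEGS R%u, R%u", (unsigned)(hw & 7), (unsigned)((hw >> 3) & 7));
        return 1;
    }
    snprintf(out, n, "unknown");
    return 0;
}

/* 1 if halfword hw decodes to the given mnemonic. */
int thumb_is(uint16_t hw, const char *mnemonic) {
    char s[32];
    return decode_thumb(hw, s, sizeof s) && strcmp(s, mnemonic) == 0;
}

/* 1 if both stores land where the C source says and the halfword written is
 * MOVS R0, #0, so the sigcheck error path returns 0 instead of -1. */
int verify_redsn0w_lite(void) {
    return store_target(unflip(LIT_SIGN), OFF_SIGN) == A_CHECK_SIGN
        && store_target(unflip(LIT_PERM), OFF_PERM) == A_CHECK_PERM
        && thumb_is(0x2000, "MOVS R0, #0");
}
```

`verify_redsn0w_lite()` returns 1 for the values on the page; `thumb_is(0x4240, "NEGS R0, R0")` shows what the patched halfword replaces.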