The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Talk:ARM7 Go"
ChronicDev (talk | contribs) |
|||
Line 36: | Line 36: | ||
[[User:ChronicDev|ChronicDev]] 19:45, 16 January 2009 (UTC) |
[[User:ChronicDev|ChronicDev]] 19:45, 16 January 2009 (UTC) |
||
+ | |||
+ | I've noticed that the exploit is at the iBoot level. So how do you (or the Dev-Team) pass the bootrom RSA checks? |
||
+ | |||
+ | ~[[User:Oranav|Oranav]] |
Revision as of 01:07, 17 January 2009
My Payload
(Since RedSn0w will be out any day, this is just for the hell of it :)
If anyone has any ideas and would like to mess around with this hack, here is some code that (should) patch a 2.1.1 iBSS that you loaded, in memory. Again, just for fun, as the dev team probably has redsn0w, it's payload, and program almost completed.
@ ipod touch 2G ibss 2.1.1 patcher @ by chronic with some gas help from ius @ @ assemble this with gas .section .text .global _start _start: stmdb sp!, {r0-r6} ldr r0, =rangePatch ldr r1, =permsPatch ldr r2, =sigchPatch ldr r3, =sigchecLoc ldr r4, =permschLoc ldr r6, =rangechLoc strh r1, [r4] strh r0, [r6] strh r2, [r3] ldmia sp!, {r0-r6} mov pc, lr .section .data sigchecLoc: .word 0x2200F2FE permschLoc: .word 0x2200C330 rangechLoc: .word 0x2200C3A6 rangePatch: .hword 0x0120 permsPatch: .hword 0x0124 sigchPatch: .hword 0x0020
ChronicDev 19:45, 16 January 2009 (UTC)
I've noticed that the exploit is at the iBoot level. So how do you (or the Dev-Team) pass the bootrom RSA checks?