Difference between revisions of "Talk:ARM7 Go"
Older revision: (→Chronic, I may have found the way to use arm7_go)
Newer revision: ChronicDev (talk | contribs) (→We may have something!: new section)
Revision as of 22:55, 19 January 2009
My Payload
(Since RedSn0w will be out any day, this is just for the hell of it :)
If anyone has any ideas and would like to mess around with this hack, here is some code that (should) patch a 2.1.1 iBSS that you loaded, in memory. Again, just for fun, as the dev team probably has redsn0w, its payload, and program almost completed.
    @ ipod touch 2G ibss 2.1.1 patcher
    @ by chronic with some gas help from ius
    @
    @ assemble this with gas
    .section .text
    .global _start
_start:
    stmdb sp!, {r0-r6}          @ save the registers this routine clobbers
    ldr r0, rangePatch          @ PC-relative loads of the patch VALUES
    ldr r1, permsPatch          @ ("ldr rX, =label" would load the label's
    ldr r2, sigchPatch          @  address instead, so nothing in iBSS changes)
    ldr r3, sigchecLoc          @ PC-relative loads of the iBSS addresses to patch
    ldr r4, permschLoc
    ldr r6, rangechLoc
    strh r1, [r4]               @ store the low halfword (one Thumb instruction)
    strh r0, [r6]               @ of each patch value over the check in iBSS
    strh r2, [r3]
    ldmia sp!, {r0-r6}          @ restore registers and return to the caller
    mov pc, lr

    @ data kept in .text so the PC-relative loads above stay in range and the
    @ assembled payload is one contiguous blob (12 instructions + 6 words = 0x48 bytes)
sigchecLoc: .word 0x2200F2FE
permschLoc: .word 0x2200C330
rangechLoc: .word 0x2200C3A6
rangePatch: .word 0x0120        @ only the low 16 bits are written by strh
permsPatch: .word 0x0124
sigchPatch: .word 0x0020
ChronicDev 19:45, 16 January 2009 (UTC)
Chronic, I may have found the way to use arm7_go
Try to add the size of your payload just before it as a 32-bit integer.
1. Without size: I assembled your payload with gas, then tried to upload it at 0x09000000 and start arm7_go. It did nothing.
2. With size before: 0x00000048, then your payload, uploaded at 0x09000000. arm7_go => it crashed my iPod 2G.
I hope it can help. I am continuing my research.
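The size-prefixed upload image described in the post above, as an added example that is not code from the original page or from its authors. It assumes the 32-bit size is stored little-endian (the native byte order of the device's ARM cores; the page does not state it) and uses a constructed 72-byte (0x48) stand-in for the assembled payload:

```python
import struct

# Assumption, not stated on the page: the size word is little-endian.
SIZE_FMT = "<I"
HEADER_LEN = struct.calcsize(SIZE_FMT)


def frame_payload(payload: bytes) -> bytes:
    """Return the upload image: 32-bit payload size followed by the payload."""
    if not payload:
        raise ValueError("empty payload")
    if len(payload) % 4:
        # ARM code is word-aligned; an odd-sized blob usually means a bad dump.
        raise ValueError("payload length %d is not a multiple of 4" % len(payload))
    return struct.pack(SIZE_FMT, len(payload)) + payload


def parse_image(image: bytes) -> bytes:
    """Inverse of frame_payload: check the header against the body, return the body."""
    if len(image) < HEADER_LEN:
        raise ValueError("image too short to carry a size header")
    (size,) = struct.unpack_from(SIZE_FMT, image, 0)
    payload = image[HEADER_LEN:]
    if size != len(payload):
        raise ValueError("header says %d bytes, image carries %d" % (size, len(payload)))
    return payload


# Constructed stand-in for the assembled patcher: 72 bytes, the 0x48 the post
# reports. With a real build, read it from the assembled flat binary instead.
SAMPLE_PAYLOAD = bytes(range(72))

if __name__ == "__main__":
    image = frame_payload(SAMPLE_PAYLOAD)
    print("header %s, image %d bytes" % (image[:HEADER_LEN].hex(), len(image)))
```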
How do you pass the bootrom RSA checks?
I've noticed that the exploit is at the iBoot level. So how do you (or the Dev-Team) pass the bootrom RSA checks?
RE: How do you pass the bootrom RSA checks?
I do not know how it is done, but taking the screenshot on the latest devteam blog post, they have found a way to do so.
RE: RE: How do you pass the bootrom RSA checks?
Okay, as to MuscleNerd's redsn0w demo, it's pretty yellowsn0w-like - you have to let the bootrom sigchecks pass, and then use the exploit every time the device boots. Pretty annoying, but that's the only option without a way to pass bootrom sigchecks.
Well...
They noted they are looking for a way around that.
We may have something!
I tried what iPod2G said.
Now, after running my payload...well...things are acting really WEIRD. The first time I tried, it crashed, and now...
http://pastie.org/private/gpsvfcve6yqnm3uk4qzouq
mdb is messed up. Oh, and my screen turned blue for some reason.
Just tried again, and it turned green :O