Difference between revisions of "Redsn0w Lite"

From The iPhone Wiki

Revision as of 17:42, 31 January 2009

This is the iPhone Dev Team's tethered jailbreak ("redsn0w-lite") for the iPod Touch 2G. It is their payload for the ARM7 Go backdoor. It's analogous to how yellowsn0w is the actual unlocking payload injected by the at+stkprof exploit in baseband 02.28.00.

What it does

For the most part, it is a nicely optimized payload that applies the same patches as 0wnboot, namely the signature check patch and the range check patch.

Disassembly

ROM:00000000                LDR     R3, =0xA1F10F   ; flipped:
ROM:00000000                                        ; 0x0FF1A100
ROM:00000004                MOV     R2, #0x2000
ROM:00000008                STRH    R2, [R3,#0x34]  ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134
ROM:00000008                                        ; this is usually the part of the sigcheck routine that
ROM:00000008                                        ; would be jumped to if there was an error, so this
ROM:00000008                                        ; just pretty much makes it return 0, saying everything
ROM:00000008                                        ; went OK, versus -1, saying there was an error
ROM:0000000C                LDR     R3, =0xFFAFF20F ; flipped:
ROM:0000000C                                        ; 0x0FF2AFFF
ROM:00000010                MOVL    R2, 0xFFFFFFFF
ROM:00000014                STR     R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0
ROM:00000014                                         ; this patches the iboot flags to allow no range check,
ROM:00000014                                         ; no permission check for restricted commands, aes gid
ROM:00000014                                         ; and uid key are not restricted by devtree at boot so
ROM:00000014                                         ; you can decrypt kbags with xpwn crypto bundle with
ROM:00000014                                         ; no devtree patch needed, and more. basically tricks
ROM:00000014                                         ; your device into thinking it is an engineering device
ROM:00000018
ROM:00000018     spin                                ; CODE XREF: ROM:spin↑j
ROM:00000018                B       spin
ROM:00000018     ; ---------------------------------------------------------------------------
ROM:0000001C     dword_1C        DCD 0xA1F10F        ; DATA XREF: ROM:00000000↑r
ROM:0000001C                                         ; flipped:
ROM:0000001C                                         ; 0x0FF1A100
ROM:00000020     dword_20        DCD 0xFFAFF20F      ; DATA XREF: ROM:0000000C↑r
ROM:00000020     ; ROM           ends                ; flipped:
ROM:00000020                                         ; 0x0FF2AFFF
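
The listing's comments can be checked by hand: the literal-pool words are byte-reversed ("flipped"), the STRH/STR offsets give the two patch addresses from the source below, and the halfword 0x2000 is the Thumb encoding of MOVS R0, #0. The following Python is an added verification of those annotations, not code from the wiki page or the Dev Team; the addresses and constants come from the listing, the instruction encodings are the standard 16-bit Thumb formats.

```python
import struct

# Literal-pool words and offsets exactly as they appear in the disassembly above.
LDR_SIGN_LITERAL = 0xA1F10F      # LDR R3, =0xA1F10F
LDR_PERM_LITERAL = 0xFFAFF20F    # LDR R3, =0xFFAFF20F
STRH_OFFSET = 0x34               # STRH R2, [R3,#0x34]
STR_OFFSET = -0x23F              # STR  R2, [R3,#-0x23F]
PATCH_HALFWORD = 0x2000          # MOV R2, #0x2000 -> value stored by STRH


def flip(word: int) -> int:
    """Byte-reverse a 32-bit word, as the listing's 'flipped:' notes do."""
    return struct.unpack("<I", struct.pack(">I", word))[0]


def decode_thumb16(hw: int) -> str:
    """Decode the two 16-bit Thumb instructions the patch swaps.

    MOVS Rd, #imm8 : 00100 ddd iiiiiiii
    NEGS Rd, Rm    : 010000 1001 mmm ddd   (RSBS Rd, Rm, #0)
    """
    if hw >> 11 == 0b00100:
        return f"MOVS R{(hw >> 8) & 7}, #{hw & 0xFF}"
    if hw >> 6 == 0b0100001001:
        return f"NEGS R{hw & 7}, R{(hw >> 3) & 7}"
    return f"<undecoded {hw:#06x}>"


def patch_targets() -> dict:
    """Effective addresses written by the two store instructions."""
    return {
        "sigcheck": flip(LDR_SIGN_LITERAL) + STRH_OFFSET,
        "ibflags": flip(LDR_PERM_LITERAL) + STR_OFFSET,
    }


if __name__ == "__main__":
    for name, addr in patch_targets().items():
        print(f"{name}: {addr:#010x}")
    # 0x4240 is the original NEGS R0, R0 the comment refers to.
    print(decode_thumb16(0x4240), "->", decode_thumb16(PATCH_HALFWORD))
```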

Source

/* volatile MMIO-style access types assumed by the payload */
typedef volatile unsigned short vu16;
typedef volatile unsigned int   vu32;

#define A_CHECK_SIGN 0x0FF1A134 // sigcheck loc (the NEGS R0, R0 in the sigcheck routine)
#define A_CHECK_PERM 0xFF2ADC0  // ib flags loc (iBoot flags word)

void redsn0w(void) {
  *(vu16 *)A_CHECK_SIGN = 0x2000;      // pwnage: NEGS R0, R0 -> MOVS R0, #0, sigcheck returns 0 (OK)
  *(vu32 *)A_CHECK_PERM = 0xffffffff;  // permissions: set every iBoot flag (no range/permission check)
  while(1);                            // spin forever, as in the disassembly
}

Links

Red Sn0w Website