The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "N72AP"
ChronicDev (talk | contribs) (→KBAG Decryption) |
ChronicDev (talk | contribs) (→KBAG Decryption) |
||
Line 51: | Line 51: | ||
===[[KBAG]] Decryption=== |
===[[KBAG]] Decryption=== |
||
− | The following idea for decrypting the IPT2 [KBAG KBAG]s turns out to be broken...it doesn't work. Steps 2-4 are incorrect. But the idea was: |
+ | The following idea for decrypting the IPT2 [[KBAG KBAG]]s turns out to be broken...it doesn't work. Steps 2-4 are incorrect. But the idea was: |
:Since there is a new [[GID]] key in the new [[Application Processor]], KBAGs for the firmware files can only be decrypted on the iPod Touch 2G itself. Here is a theory that I propose:<br> |
:Since there is a new [[GID]] key in the new [[Application Processor]], KBAGs for the firmware files can only be decrypted on the iPod Touch 2G itself. Here is a theory that I propose:<br> |
Revision as of 01:36, 27 December 2008
This is the 2nd Generation iPod Touch
Model: n72ap
Application Processor (OS Chip): s5l8720x
Contents
Decryption of its Ramdisks, iBoot, LLB, Kernel, and friends
The application processor has a new GID key in it, so you can't decrypt kbags from it on any other device than itself. So, you pretty much will not even be able to make a pwned IPSW, let alone decrypt the RootFS, unless a low level (like, bootrom/kernel/iBoot) exploit is found. From there, it can be used to run code to decrypt the kbags so that we can in turn decrypt the files, and then to run code to actually pwn the device.
Hardware Hack
Place an FPGA between the NOR flash and the NOR flash socket. Allow the signature check to run as usual, then change the code to whatever you want. Since it probably uses a serial flash like the 3G, you'd only have to connect like 4 wires. This is probably what the devteam refers to as a hardware method.
I can at least confirm that the iPod Touch 2G bootrom will sigcheck the LLB once it is already in memory. the rest is probably the same (sigchecking in RAM, not in NOR) -chronic
Bootrom exploit = No Go
DFU in the iPod Touch 2 is now 0x1227, so basically they took the patched up WTF and burned it into the bootrom, meaning the bootrom stack overflow is a no go...other methods are being tested though, no word on if they work yet...
Notes
-It has a new GID key.
-LLB is encrypted, which is new.
-The s5l8900 WTF is still in the firmware strangely enough, but there is no n72ap WTF.
-It uses the same KBAG method, but as previously stated, it has a new GID key so nothing can be decrypted at the time without allowing unsigned code.
Internals
See: n72ap (Internals) - Remarkably it has a Bluetooth Chip, shown by iFixit, but apparently it may only be used for Rf transmission to the Nike+ kit.
Device IDs
0x1227 = DFU Mode 2.0 (Basically WTF 2.0 burned into bootrom)
0x1281 = Recovery Mode 2.0 (iBEC / iBSS / iBoot)
Communication with DFU
- Put the device in DFU mode.
- Upload the iBSS found in the firmware ipsw to DFU.
- Unplug the device from the USB cable, wait a little bit, and the screen should turn white. At this point, plug it back in.
- Spawn a shell with it, to clarify, you can use anything that can talk to 0x1281 (Recovery Mode 2.0), as DFU mode itself can only let you upload files to it and does not allow commands to be sent to it.
- Do a test command to make sure everything is properly working. For example, type 'bgcolor 255 0 0' without the 's and the screen of the device should turn from white to red
- If the screen color changes, congrats, you can now communicate with the iPod Touch 2G at DFU level :)
Implementation
iRecovery - Source+Mac binary included
Syntax
./iRecovery -f <file> - Upload a file to DFU 2.0 or Recovery 2.0 (Auto detects) <del>./iRecovery -b <file> - Upload a file to Recovery / DFU iBSS (0x1281) <-- _might_ be broken.</del> '''now deprecated, -f will autodetect.''' ./iRecovery -s - Spawn a shell with an iBoot using the 0x1281 protocol
KBAG Decryption
The following idea for decrypting the IPT2 KBAG KBAGs turns out to be broken...it doesn't work. Steps 2-4 are incorrect. But the idea was:
- Since there is a new GID key in the new Application Processor, KBAGs for the firmware files can only be decrypted on the iPod Touch 2G itself. Here is a theory that I propose:
- Send iBSS to DFU 2.0 so we can communicate
- Send an iPod Touch 1G 1.1.4-2.0b3 iBEC / iBSS
- Type 'go' to boot from it
- As a side note, this is possible because (a) There is legacy 8900.1 / IMG2 support on the iPT2, for one reason or another, and (b) IMG2 files didn't have BORD tags stating that they can only be used on certain devices. This is just like how you can send a 1.1.4 iPhone 2G iBoot to the iPhone 3G and it will work fine :)
- Once you are booted into IMG2 haven, fire up iBooter from http://iphonelinux.org/
- Use geohot's or planetbeing's AES caller code like normal, use mw to write it to 0x9000000, 0x9000004, 0x9000008, 0x900000C, 0x000010, etc. etc.
- Since we don't have the permissions patch and we must run a signed file as of now, instead of using 'go' as geohot demonstrated in his tutorial, we will use a different exploit that is not too widely known, called diags. We simply issue the command 'diags 0x9000000' to run our code that we just sent, and basically we can now send our kbags with 'mw' and read the decrypted output with 'mdb' :)
Pwnage
After doing the above and patching the files, there is still one thing that everyone wants. It may amaze you, but some people don't give a crap about decrypted KBAGs. Crazy, isn't it? Anyway, once the KBAGs are decrypted and you have patched the IMG3 integrity check out of iBoot, upload the patched iBoot (CTRL+F in iBooter), then use 'diags 0x9000000' to load the patched iBoot. From here, patch the kernel, ASR, restored_external, iBoots, applelogo, DeviceTree, etc. Create a jailbroken ipsw and restore to it in iTunes. Keep in mind that since we used diags to boot from the patched iBoot, you must not reboot your iPhone before you do the restore, or the stock iBoot will be loaded from NOR at boot and you have to do everything all over again x.x
dfu no longer accepts 8900 files at all. this does not work and has no possible way of working.
Disclaimer
This has not been tested yet, as the DFU 2.0 communication client is having some problems. I will try to nag the two head devs (I won't say their names as to not have others nagging them) to post iRecovery.c here on The iPhone Wiki, then everyone can contribute to it and get it up to the standards that we need it at.
There is now an article for iRecovery as well as a link to the source code for those interested.