The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Redsn0w Lite"
m |
m |
||
Line 1: | Line 1: | ||
{{lowercase}} |
{{lowercase}} |
||
− | This is the [[iPhone Dev Team]]'s tethered jailbreak ("redsn0w-lite") for the [[N72AP|iPod touch 2G]] on iPhone OS 2. |
+ | This is the [[iPhone Dev Team]]'s tethered jailbreak ("redsn0w-lite") for the [[N72AP|iPod touch 2G]] on iPhone OS 2.1.1. It is their payload for the [[ARM7 Go]] backdoor. It's analagous to how [[yellowsn0w]] is the actual unlocking payload injected by the [[at+stkprof]] exploit in baseband [[02.28.00]]. |
==What it does== |
==What it does== |
Revision as of 20:24, 12 March 2017
This is the iPhone Dev Team's tethered jailbreak ("redsn0w-lite") for the iPod touch 2G on iPhone OS 2.1.1. It is their payload for the ARM7 Go backdoor. It's analagous to how yellowsn0w is the actual unlocking payload injected by the at+stkprof exploit in baseband 02.28.00.
Contents
What it does
For the most part, it is a nicely optimized payload that does the same essential patches as 0wnboot, those patches being the signature check patch and the range check patch. Its compactness lends itself nicely to the "run" command and the eight-byte serial payload issued by the example iPod touch 2G dongle.
Disassm
ROM:00000000 LDR R3, =0xA1F10F ; flipped: ROM:00000000 ; 0x0FF1A100 ROM:00000004 MOV R2, #0x2000 ROM:00000008 STRH R2, [R3,#0x34] ; patch the NEGS R0, R0 to MOVS R0, #0 at 0x0FF1A134 ROM:00000008 ; this is usually the part of the sigcheck routine that ROM:00000008 ; would be jumped to if there was an error, so this ROM:00000008 ; just pretty much makes it return 0, saying everything ROM:00000008 ; went OK, versus -1, saying there was an error ROM:0000000C LDR R3, =0xFFAFF20F ; flipped: ROM:0000000C ; 0x0FF2AFFF ROM:00000010 MOVL R2, 0xFFFFFFFF ROM:00000014 STR R2, [R3,#-0x23F] ; patch flags to 0xffffffff at addr 0xFF2ADC0 ROM:00000014 ; this patches the iboot flags to allow no range check, ROM:00000014 ; no permission check for restricted commands, aes gid ROM:00000014 ; and uid key are not restricted by devtree at boot so ROM:00000014 ; you can decrypt kbags with xpwn crypto bundle with ROM:00000014 ; no devtree patch needed, and more. basically tricks ROM:00000014 ; your device into thinking it is an engineering device ROM:00000018 ROM:00000018 spin ; CODE XREF: ROM:spin�j ROM:00000018 B spin ROM:00000018 ; --------------------------------------------------------------------------- ROM:0000001C dword_1C DCD 0xA1F10F ; DATA XREF: ROM:00000000�r ROM:0000001C ; flipped: ROM:0000001C ; 0x0FF1A100 ROM:00000020 dword_20 DCD 0xFFAFF20F ; DATA XREF: ROM:0000000C�r ROM:00000020 ; ROM ends ; flipped: ROM:00000020 ; 0x0FF2AFFF
Source
typedef volatile unsigned int vu32; typedef volatile unsigned short vu16; typedef volatile unsigned char vu8; #define A_CHECK_SIGN 0x0FF1A134 // sigcheck loc #define A_CHECK_PERM 0x0FF2ADC0 // ib flags loc void redsn0w(void) { *(vu16 *)A_CHECK_SIGN = 0x2000; // pwnage *(vu32 *)A_CHECK_PERM = 0xffffffff; // permissions while(1); }