Milesneptune
03-18-2009, 05:48 PM
I tried updating without registering and my iPod was stuck, and I was wondering if jailbreaking 3.0 would fix it. How do you jailbreak 3.0? Will jailbreaking fix it?
Dude, 3.0 ISN'T jailbroken yet, but it is fully possible.
cookie5000
03-18-2009, 05:58 PM
It's possible, but we need some files for it.
nate123
03-18-2009, 06:27 PM
Would distributing the original 3.0 LLB and iBoot be against the rules here?
Just so people who have a slightly higher technical level can get the IVs or whatever. If this is not allowed, then I will not do so.
cookie5000
03-18-2009, 06:28 PM
It's not those kinds of files we need; it's the firmware bundles that we need for PwnageTool. It's like redsn0w all over again.
Milesneptune
03-18-2009, 06:29 PM
I thought the deb-team jailbroke it already.
cookie5000
03-18-2009, 06:33 PM
No one knows for sure; we're still waiting for them to respond.
Milesneptune
03-18-2009, 06:49 PM
Cool.
Is it illegal to ask for the files we need to jailbreak 3.0? I mean, against the rules?
.xLr8™
03-18-2009, 07:01 PM
No.. ^
dim3000
03-18-2009, 07:03 PM
Dudes, read the Dev Team blog: the jailbreak for 3.0 is the same as it would be for 4.0, 5.0, etc. (as long as it's the same iPod version); just the patch files are different.
jfb392
03-18-2009, 07:10 PM
Would distributing the original 3.0 LLB and iBoot be against the rules here?
Just so people who have a slightly higher technical level can get the IVs or whatever. If this is not allowed, then I will not do so.
There are no keys; the files are all unencrypted.
I've made all the necessary patches to the images, but it's useless without being able to modify the file system, which is still impossible because Apple got all hax and is hiding the FileVault key from us. :(
.xLr8™
03-18-2009, 07:16 PM
There are no keys; the files are all unencrypted.
I've made all the necessary patches to the images, but it's useless without being able to modify the file system, which is still impossible because Apple got all hax and is hiding the FileVault key from us. :(
OK, noob question here... does that mean it will take MuscleNerd some time (I mean 3 months)?
jfb392
03-18-2009, 07:20 PM
OK, noob question here... does that mean it will take MuscleNerd some time (I mean 3 months)?
Take him time to what?
Find the FileVault key?
First of all, he is not the only one on the iPhone Dev Team, and is far from being the only one.
Second, no, I assume not, since the key has to be there somewhere.
It doesn't look like it's a plain-text string anymore, but I'm guessing it's derived from something (reversing will tell us that, most likely reversing the asr binary).
I mean, it could be as simple as something like the SHA-1 hash of the IPSW encrypted with the GID-key (just guessing here, but hey, it could be something like this).
I cannot reverse anything very well though, so I'm limited to looking at symbols and strings for clues.
RainbowKT
03-18-2009, 07:21 PM
I thought the deb-team jailbroke it already.
deb-team? lol dev-team
bigcj55
03-18-2009, 07:24 PM
Miles, just disconnect from the internet, then restore. BTW, read my post on the JB status. Geez. :P
1adam1
03-18-2009, 07:44 PM
deb-team? lol dev-team
Stupid iPhone autocorrect always changes "dev" to "deb".
cookie5000
03-18-2009, 07:47 PM
King Chronic didn't come on tonight; if he did, we might have got a clue to jailbreaking this ourselves.
Milesneptune
03-18-2009, 07:59 PM
What files do I need to jailbreak 3.0?
madcowz
03-18-2009, 08:12 PM
There are no keys; the files are all unencrypted.
I've made all the necessary patches to the images, but it's useless without being able to modify the file system, which is still impossible because Apple got all hax and is hiding the FileVault key from us. :(
Care to upload the patches??? :) For us who want to explore/help/mess up our devices.
nate123
03-19-2009, 03:38 AM
That would be nice (the patches).
Wrathchild
03-19-2009, 08:27 AM
I seriously doubt that the dev-team will release a jailbroken version of the beta. It's a beta. Why would they bother with jailbreaking it now when there are still bugs in it and the fact that Apple might make more changes to it? At least we know that they will be ready for the official release when it comes out so we won't have to wait long.
iPoTH4CK3R
03-19-2009, 08:43 AM
I seriously doubt that the dev-team will release a jailbroken version of the beta. It's a beta. Why would they bother with jailbreaking it now when there are still bugs in it and the fact that Apple might make more changes to it? At least we know that they will be ready for the official release when it comes out so we won't have to wait long.
Good point, and also, if they jailbreak it now and release it, Apple will be able to see how they jailbroke it and add a small patch to the non-beta release when they release it, and make it more difficult.
Not that many people have it to worry enough about it right now. Patience young padawans.
cookie5000
03-19-2009, 09:06 AM
It doesn't really matter how they change it; right now we have a hardware hack.
I seriously doubt that the dev-team will release a jailbroken version of the beta. It's a beta. Why would they bother with jailbreaking it now when there are still bugs in it and the fact that Apple might make more changes to it? At least we know that they will be ready for the official release when it comes out so we won't have to wait long.
They released it for the 2.0 betas, as I remember.
ZunePod
03-19-2009, 09:28 AM
They released it for the 2.0 betas, as I remember.
True, and the keys are tricky to find
Augusta
03-19-2009, 09:31 AM
Care to upload the patches??? :) For us who want to explore/help/mess up our devices.
You don't even know what the hell he's talking about besides "I have the patched files". You'd start looking for the FileVault key on Google if you got them.
cookie5000
03-19-2009, 09:47 AM
I don't see the point of us doing this when the Dev Team's gonna be the one who's gonna help us out in the end.
Invius
03-19-2009, 09:51 AM
Sigh, finally got a 2g jailbreak and now stomping on heels for a 3.0 break, chill people.
dweng85
03-19-2009, 02:12 PM
How do we make the firmware bundle for it?
Sigh, finally got a 2g jailbreak and now stomping on heels for a 3.0 break, chill people.
What he said!
dweng85
03-19-2009, 02:24 PM
Is that what I asked??
jfb392
03-19-2009, 02:49 PM
True, and the keys are tricky to find
They aren't usually.
It's just this time that Apple decided to be annoying.
How do we make the firmware bundle for it?
You don't, since we don't have enough information for either PwnageTool or QuickPwn.
We need the RootFS key for PwnageTool, and we technically do have enough for QuickPwn, but it doesn't like that the images aren't encrypted.
It always expects a key/IV.
Care to upload the patches??? :) For us who want to explore/help/mess up our devices.
See above.
Edit: I forgot to mention, I'm actually trying to make a franken-ramdisk filled with the QuickPwn base and the newly patched 3.0 images.
Kernel patching isn't fun though, so I'm double checking.
dweng85
03-19-2009, 02:55 PM
OK, that answered a lot of my questions.
Is there a way to, like, put a key onto it? I thought it usually comes with a key?
jfb392
03-19-2009, 03:07 PM
OK, that answered a lot of my questions.
Is there a way to, like, put a key onto it? I thought it usually comes with a key?
The images in 3.0 are unsigned and are just wrapped in an Img3 container.
To get rid of it, strip off the first 0x30 (48) bytes.
You can do this with xpwntool (included in the XPwn suite of tools) or, if you feel UNIX-y, with dd.
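The post above gives the fixed offset (0x30) and points at xpwntool or dd. As an added example, not code from the thread or from XPwn, here is a small Img3 walker that finds the DATA payload by parsing the tag list instead of hard-coding an offset, and that refuses to "strip" an image that carries a KBAG (the wrapped key/IV tag), since stripping the container does nothing useful for an encrypted image. The header and tag layout (20-byte header of five little-endian uint32s; 12-byte tag headers; four-character codes stored byte-reversed; tags padded to 4 bytes) is the documented Img3 format; the sample container built at the bottom is constructed for the example and is not a real Apple image, and the VERS/KBAG contents in it are dummy values.

```python
import struct

IMG3_MAGIC = b"Img3"   # four-character codes are stored byte-reversed, so a hex dump shows "3gmI"
HEADER_LEN = 20        # magic, fullSize, sizeNoPack, sigCheckArea, ident: five little-endian uint32
TAG_HEADER_LEN = 12    # magic, totalLength (header+data+padding), dataLength: three little-endian uint32


def _fourcc(code):
    """Convert between the readable code (b'DATA') and its on-disk byte order (b'ATAD')."""
    return code[::-1]


def img3_tags(blob):
    """Walk the tag list of an Img3 container.

    Returns a list of (name, payload_offset, payload) in file order. Every tag
    is bounds-checked against fullSize, so a truncated or corrupt file raises
    instead of being silently misparsed.
    """
    if len(blob) < HEADER_LEN or blob[:4] != _fourcc(IMG3_MAGIC):
        raise ValueError("not an Img3 container")
    full_size, _size_no_pack, _sig_check_area, _ident = struct.unpack_from("<4I", blob, 4)
    if full_size > len(blob):
        raise ValueError("container truncated: fullSize exceeds input")
    tags = []
    off = HEADER_LEN
    while off + TAG_HEADER_LEN <= full_size:
        magic, total_len, data_len = struct.unpack_from("<4sII", blob, off)
        payload_off = off + TAG_HEADER_LEN
        if (total_len < TAG_HEADER_LEN or data_len > total_len - TAG_HEADER_LEN
                or off + total_len > full_size):
            raise ValueError("corrupt tag at offset 0x%x" % off)
        tags.append((_fourcc(magic), payload_off, blob[payload_off:payload_off + data_len]))
        off += total_len
    return tags


def data_payload_offset(blob):
    """Offset of the raw image bytes: the count a `dd ... bs=1 skip=N` would have to skip."""
    for name, payload_off, _ in img3_tags(blob):
        if name == b"DATA":
            return payload_off
    raise ValueError("no DATA tag")


def is_encrypted(blob):
    """An Img3 whose DATA is AES-wrapped carries a KBAG tag holding the wrapped key/IV."""
    return any(name == b"KBAG" for name, _, _ in img3_tags(blob))


def strip_img3(blob):
    """Return the DATA payload of an unencrypted image (what stripping the container yields)."""
    if is_encrypted(blob):
        raise ValueError("image has a KBAG: it is encrypted, stripping the header is not enough")
    for name, _, payload in img3_tags(blob):
        if name == b"DATA":
            return payload
    raise ValueError("no DATA tag")


def build_tag(name, data):
    """Pack one tag; tags are padded to a 4-byte boundary and totalLength includes the padding."""
    pad = (-(TAG_HEADER_LEN + len(data))) % 4
    return (struct.pack("<4sII", _fourcc(name), TAG_HEADER_LEN + len(data) + pad, len(data))
            + data + b"\0" * pad)


def build_img3(ident, tags):
    """Pack a container. sigCheckArea is left 0: this is a constructed, unsigned test image."""
    body = b"".join(tags)
    return struct.pack("<4sIII4s", _fourcc(IMG3_MAGIC), HEADER_LEN + len(body),
                       len(body), 0, _fourcc(ident)) + body


# Constructed sample, not a real Apple image: TYPE, then DATA, then VERS, the layout of
# an unencrypted image. The payload length is deliberately not a multiple of 4 so the
# padding logic is exercised.
SAMPLE_PAYLOAD = bytes(range(1, 31))
SAMPLE = build_img3(b"logo", [
    build_tag(b"TYPE", _fourcc(b"logo")),
    build_tag(b"DATA", SAMPLE_PAYLOAD),
    build_tag(b"VERS", struct.pack("<I", 19) + b"EmbeddedImages-test"),
])
# The same image with a dummy 56-byte KBAG appended, as an encrypted image would carry.
SAMPLE_WITH_KBAG = build_img3(b"logo", [
    build_tag(b"TYPE", _fourcc(b"logo")),
    build_tag(b"DATA", SAMPLE_PAYLOAD),
    build_tag(b"KBAG", b"\0" * 56),
])

if __name__ == "__main__":
    print([name for name, _, _ in img3_tags(SAMPLE)])
    print(hex(data_payload_offset(SAMPLE)), is_encrypted(SAMPLE), is_encrypted(SAMPLE_WITH_KBAG))
```

With TYPE ahead of DATA, the payload starts at 20 + 16 + 12 = 48 bytes, which is where the 0x30 in the post comes from; walking the tags gives the same answer for that layout and the right one when the tag order differs.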
dweng85
03-19-2009, 03:24 PM
I am not an expert, but why haven't people done this yet?
madcowz
03-19-2009, 03:31 PM
I am not an expert, but why haven't people done this yet?
Just shut up and do it yourself if you want it so bad. Wait patiently, moron! :mad:
jfb392
03-19-2009, 03:33 PM
I am not an expert, but why haven't people done this yet?
Why haven't people done what yet?
Edit: Since I'm lazy, I'll post details on what I'm attempting to do.
Note that this will only work for the 1G and both iPhones, not the 2G (because of the way QuickPwn is built).
I created a QuickPwn ramdisk before restoring to 3.0 (wait for it to get to the DFU screen, then enter %TEMP% into a Windows Explorer address bar and copy out the restore folder).
Next, extract your Img3 files and patch them (which is straightforward, they should be standard Pwnage patches).
I don't believe that there's really a need to strip the Img3 header.
After you've patched all of the images (including the kernel), decrypt your ramdisk (using its original key and IV pair in xpwntool) and clear out your ramdisk's nor/ folder (I use XPwn's hfsplus utility; rmall nor/).
Then, create a fresh nor directory (mkdir nor/) and populate it with your images (addall ./yourimages nor/) and replace the kernel (add ./kernelcache.release.s5l8900x ./kernelcache.release.s5l8900x).
After this, there should be no need to resign your ramdisk.
Finally, strap the ramdisk using the Pwnage2 exploit (idevice in XPwn is useful for this, and I send the ramdisk and kernel with iRecovery).
You may have to send the DeviceTree also, I'm not sure, but QuickPwn does this.
Your order would be send ramdisk > execute "ramdisk" > reset USB connection > send DeviceTree > execute "devicetree" > reset USB > send kernel > execute "bootx".
Of course, this is all theoretical, since I'm too tired (and lazy) to try it right now. :)
I boot ramdisks this way all the time, so there's no question about the procedure (minus the DeviceTree, it may be needed since the DeviceTree in the NOR would be stock).
It really depends on how QuickPwn works (it may hate the fact that the images aren't encrypted) or if it even runs on 3.0 (I tried running a ramdisk filled with 2.2.1 images, just for fun, and it didn't like it much).
Milesneptune
03-19-2009, 05:44 PM
Does anyone have the files to jailbreak 3.0?
Wait, I think I just figured out how to jailbreak the firmware. I will try it and tell you if it works, and I will post the files to jailbreak it if it works.
thehacker123
03-19-2009, 05:51 PM
Well, let us know!
jfb392
03-19-2009, 06:03 PM
Just for kicks, someone should execute 0wnboot, then boot the 3.0 ramdisk.
I want to see what the ramdisk says about flashing the RootFS. :)
Milesneptune
03-19-2009, 06:28 PM
I am trying it right now; it is making the 3.0 jailbroken firmware.
Oh, it didn't work, but I will try again.
jfb392
03-19-2009, 06:42 PM
If it was as simple as replacing a few files, there would be tutorials already.
Edit:
It'll probably double-post me, but I might as well bump the thread. (It didn't bump it, so ignore this.)
I plan on trying more stuff tomorrow; I'll actually check my patches, clean out the original ramdisk, dump the QuickPwn ramdisk .tar onto it, throw the new NOR images into it (and the kernel), then throw a small payload into there (not Cydia, just OpenSSH for now so it cuts down on the size, plus some debugging stuff probably), and finally pack it into an Img3 container.
Since manually booting a ramdisk seems to act up on me, I'll then probably pack everything into an IPSW (consisting of the ramdisk and patched images only), then restore to it.
I really wish I had a 2G, since there are much more useful exploits.
I mean, I could patch the iBoot family to allow for no permission checks, but it'd be much easier to patch it live using a payload for 0wnboot.
Also, having verbose ramdisks (and not to mention, verbose booting) would be useful.
Hopefully one Monday I'll get one..
Prodigal Son
03-20-2009, 03:27 PM
Why haven't people done what yet?
Edit: Since I'm lazy, I'll post details on what I'm attempting to do.
Note that this will only work for the 1G and both iPhones, not the 2G (because of the way QuickPwn is built).
I created a QuickPwn ramdisk before restoring to 3.0 (wait for it to get to the DFU screen, then enter %TEMP% into a Windows Explorer address bar and copy out the restore folder).
Next, extract your Img3 files and patch them (which is straightforward, they should be standard Pwnage patches).
I don't believe that there's really a need to strip the Img3 header.
After you've patched all of the images (including the kernel), decrypt your ramdisk (using its original key and IV pair in xpwntool) and clear out your ramdisk's nor/ folder (I use XPwn's hfsplus utility; rmall nor/).
Then, create a fresh nor directory (mkdir nor/) and populate it with your images (addall ./yourimages nor/) and replace the kernel (add ./kernelcache.release.s5l8900x ./kernelcache.release.s5l8900x).
After this, there should be no need to resign your ramdisk.
Finally, strap the ramdisk using the Pwnage2 exploit (idevice in XPwn is useful for this, and I send the ramdisk and kernel with iRecovery).
You may have to send the DeviceTree also, I'm not sure, but QuickPwn does this.
Your order would be send ramdisk > execute "ramdisk" > reset USB connection > send DeviceTree > execute "devicetree" > reset USB > send kernel > execute "bootx".
Of course, this is all theoretical, since I'm too tired (and lazy) to try it right now. :)
I boot ramdisks this way all the time, so there's no question about the procedure (minus the DeviceTree, it may be needed since the DeviceTree in the NOR would be stock).
It really depends on how QuickPwn works (it may hate the fact that the images aren't encrypted) or if it even runs on 3.0 (I tried running a ramdisk filled with 2.2.1 images, just for fun, and it didn't like it much).
I started getting lost at the "before restoring to 3.0" part, and by the time you got to the "After you've patched all of the images" part my head exploded. Thanks for reminding me just how stupid I really am. The last time I messed with any kind of programming was back in my Commodore 64 days when I used to play with B.A.S.I.C. I used to buy these magazines called Compute Gazette and would copy the programs from the magazine by typing each code in one by one. It would take days and days of typing just to make a simple little game. God, now I feel old too. Thanks a lot. :(
Milesneptune
03-20-2009, 04:28 PM
Where are the files please
andydam123
03-20-2009, 04:32 PM
I tried updating without registering and my iPod was stuck and I was wondering if jailbreaking 3.0 would fix it. How do you jailbreak 3.0? Will jailbreaking fix it.
You get 3.0 legally.
Milesneptune
03-20-2009, 05:37 PM
I am really close.
What do you mean by "really close"?
klex269
03-20-2009, 08:00 PM
I already know people who have fully jailbroken 3.0; apparently they donated or paid the Dev Team for it and they got it.
bigmcq77
03-20-2009, 08:07 PM
I already know people who have fully jailbroken 3.0; apparently they donated or paid the Dev Team for it and they got it.
The Dev Team doesn't accept donations, so that's fake.
blubill
03-20-2009, 08:15 PM
I already know people who have fully jailbroken 3.0; apparently they donated or paid the Dev Team for it and they got it.
Don't believe this....
Prodigal Son
03-20-2009, 09:27 PM
Yeah you were going good until you made that statement. Now I don't believe a word you're saying.
gimmigummy
03-21-2009, 07:08 AM
Is it possible to downgrade iPod touch 2G 3.0 firmware back to 2.2.1?
kiwi0912
03-21-2009, 07:30 AM
Is it possible to downgrade iPod touch 2G 3.0 firmware back to 2.2.1?
Yes, but with the jailbroken firmware,
and then you install the normal FW.
Legendairy
03-21-2009, 08:15 AM
Yes, but with the jailbroken firmware,
and then you install the normal FW.
No, this is incorrect. You can downgrade directly to normal firmware. I did it myself.
cookie5000
03-21-2009, 08:22 AM
Yeah, DFU mode works perfectly, luckily.
snotboy33
03-21-2009, 08:49 AM
How did you downgrade...? I have no luck. (Note: I have an iPod touch 1G.)
What do these keys look like?
There are a lot of keys in the BuildSubmission.plist; they look something like this:
<key>IsFirmwarePayload</key>
<true/>
<key>Path</key>
<string>Firmware/all_flash/all_flash.n72ap.production/applelogo.s5l8720x.img3</string>
</dict>
<key>PartialDigest</key>
<data>
QAAAALgcAACeykLi9rJsSRk/zJbxE70+jlDu+Q==
</data>
<key>Trusted</key>
<true/>
Is it something like that, or what?
Milesneptune
03-21-2009, 09:54 AM
I created the Custom ipsw but I remember that in 2.2.1 you have to go through some steps to make the iPod recognize the custom ipsw. Help please
Gitykins
03-21-2009, 10:09 AM
What do these keys look like?
There are a lot of keys in the BuildSubmission.plist; they look something like this:
<key>IsFirmwarePayload</key>
<true/>
<key>Path</key>
<string>Firmware/all_flash/all_flash.n72ap.production/applelogo.s5l8720x.img3</string>
</dict>
<key>PartialDigest</key>
<data>
QAAAALgcAACeykLi9rJsSRk/zJbxE70+jlDu+Q==
</data>
<key>Trusted</key>
<true/>
Is it something like that, or what?
Not them, but BuildSubmissions.plist is very..... interesting.... to say the least.
jfb392
03-21-2009, 10:44 AM
What do these keys look like?
There are a lot of keys in the BuildSubmission.plist; they look something like this:
<key>IsFirmwarePayload</key>
<true/>
<key>Path</key>
<string>Firmware/all_flash/all_flash.n72ap.production/applelogo.s5l8720x.img3</string>
</dict>
<key>PartialDigest</key>
<data>
QAAAALgcAACeykLi9rJsSRk/zJbxE70+jlDu+Q==
</data>
<key>Trusted</key>
<true/>
Is it something like that, or what?
There is only one key we need (and I believe it is 72 characters, I've never counted though).
These are just hashes though for the images, and BuildSubmission only exists in the 2G IPSW (as far as I know), so it may be nothing.
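To make concrete what the poster above means by "just hashes": decoding the PartialDigest quoted in the thread gives 28 bytes, two 32-bit words (0x40 and 0x1cb8) followed by 20 bytes that are not the SHA-1 initial state. That fits a saved SHA-1 chaining state: whoever holds it can finish the hash of the image without the first bytes, and no key is involved. The code below is an added example, not from the thread or from any Apple or XPwn tool. The field reading (first word = bytes already folded into the state, one 64-byte block; second word = total image size; 20 bytes of state, read as big-endian words) is my assumption and is marked as such in the code; the "resume" function is plain SHA-1 and is checked against hashlib on a constructed image, so that part is verified even though the meaning of the two words is not.

```python
import base64
import hashlib
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK32 = 0xFFFFFFFF

# The PartialDigest quoted from BuildSubmission.plist in the thread above.
PARTIAL_DIGEST_B64 = "QAAAALgcAACeykLi9rJsSRk/zJbxE70+jlDu+Q=="


def parse_partial_digest(b64):
    """Split the 28-byte blob into its fields.

    ASSUMED layout (my reading, not documented on the page): two little-endian
    uint32 words, then 20 bytes of SHA-1 chaining state. word0 (0x40) looks like
    the byte count already folded into the state (exactly one SHA-1 block) and
    word1 (0x1cb8) like the size of the image being hashed. The state is returned
    raw and also split into five big-endian words; that word order is also assumed.
    """
    raw = base64.b64decode(b64)
    if len(raw) != 28:
        raise ValueError("expected 28 bytes, got %d" % len(raw))
    word0, word1 = struct.unpack_from("<II", raw, 0)
    state = struct.unpack_from(">5I", raw, 8)
    return {"word0": word0, "word1": word1, "state_raw": raw[8:], "state": state,
            "is_fresh_iv": state == SHA1_IV}


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block into a 5-word chaining state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + (f & MASK32) + e + k + w[i]) & MASK32
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1_state_after(prefix):
    """Chaining state after absorbing a prefix that is a whole number of 64-byte blocks."""
    if len(prefix) % 64:
        raise ValueError("prefix must be a multiple of 64 bytes")
    state = SHA1_IV
    for off in range(0, len(prefix), 64):
        state = _sha1_compress(state, prefix[off:off + 64])
    return state


def sha1_resume(state, bytes_done, tail):
    """Finish SHA-1 from a saved state without ever seeing the first bytes_done bytes.

    This is what a partial digest buys: the holder of the state plus the rest of
    the file arrives at the full SHA-1 of prefix+tail, so only the tail is needed.
    """
    if bytes_done % 64:
        raise ValueError("saved state must sit on a block boundary")
    total_bits = (bytes_done + len(tail)) * 8
    msg = tail + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack(">Q", total_bits)
    for off in range(0, len(msg), 64):
        state = _sha1_compress(state, msg[off:off + 64])
    return struct.pack(">5I", *state)


def demo_round_trip(image, prefix_len=64):
    """Save the state after prefix_len bytes, resume over the rest, compare with hashlib."""
    state = sha1_state_after(image[:prefix_len])
    return sha1_resume(state, prefix_len, image[prefix_len:]) == hashlib.sha1(image).digest()


if __name__ == "__main__":
    fields = parse_partial_digest(PARTIAL_DIGEST_B64)
    print(hex(fields["word0"]), hex(fields["word1"]), fields["state_raw"].hex(), fields["is_fresh_iv"])
    # Constructed stand-in for an image of the size named in word1; not a real applelogo.
    image = bytes((i * 7) % 256 for i in range(fields["word1"]))
    print(demo_round_trip(image))
```

The practical point for the thread: a PartialDigest lets a verifier check an image's hash, it does not decrypt anything, so finding more of them in the plist brings nobody closer to the RootFS key.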
veeloc
03-21-2009, 11:29 AM
Why haven't people done what yet?
Edit: Since I'm lazy, I'll post details on what I'm attempting to do.
Note that this will only work for the 1G and both iPhones, not the 2G (because of the way QuickPwn is built).
I created a QuickPwn ramdisk before restoring to 3.0 (wait for it to get to the DFU screen, then enter %TEMP% into a Windows Explorer address bar and copy out the restore folder).
Next, extract your Img3 files and patch them (which is straightforward, they should be standard Pwnage patches).
I don't believe that there's really a need to strip the Img3 header.
After you've patched all of the images (including the kernel), decrypt your ramdisk (using it's original key and IV pair in xpwntool) and clear out your ramdisk's nor/ folder (I use XPwn's hfsplus utility; rmall nor/).
Then, create a fresh nor directory (mkdir nor/) and populate it with your images (addall ./yourimages nor/) and replace the kernel (add ./kernelcache.release.s5l8900x ./kernelcache.release.s5l8900x).
After this, there should be no need to resign your ramdisk.
Finally, strap the ramdisk using the Pwnage2 exploit (idevice in XPwn is useful for this, and I send the ramdisk and kernel with iRecovery).
You may have to send the DeviceTree also, I'm not sure, but QuickPwn does this.
Your order would be send ramdisk > execute "ramdisk" > reset USB connection > send DeviceTree > execute "devicetree" > reset USB > send kernel > execute "bootx".
Of course, this is all theoretical, since I'm too tired (and lazy) to try it right now. :)
I boot ramdisks this way all the time, so there's no question about the procedure (minus the DeviceTree, it may be needed since the DeviceTree in the NOR would be stock).
It really depends on how QuickPwn works (it may hate the fact that the images aren't encrypted) or if it even runs on 3.0 (I tried running a ramdisk filled with 2.2.1 images, just for fun, and it didn't like it much).
Holy macaroni.
How do you even figure that out...
Granted, I don't have a 2G, and have never looked at XPwn... but anyway.
shade021794
03-21-2009, 04:23 PM
Hell yeah, yes you guys, 3.0 firmware jailbreak is coming soon =]
jfb392
03-21-2009, 05:32 PM
Hell yeah, yes you guys, 3.0 firmware jailbreak is coming soon =]
Why would it come soon?
If you're wondering how I'm coming along with my efforts:
I'm patching the 3.0 images (finally, after trying a bunch of other stuff first) and I'm having lots of trouble with the kernel.
They add a lot (there's almost a megabyte difference in the 2.2.1 and 3.0 kernels, which is to be expected), so it's pretty difficult.
Instead of byte searching, it looks like I'm going to find the actual functions that are patched (this is where IDA will really help).
jfb392
03-21-2009, 08:33 PM
Sadly enough, it looks like the functions have even changed in the kernel (instead of having a bunch of crappy, unnamed functions, Apple decided to give them names) and everything has been moved around (or so it seems), so there's really no hope for me ever patching the kernel.
I'll leave it up to the people who actually know how to reverse.
Legendairy
03-22-2009, 08:01 AM
Thanks for your efforts, jfb392, much appreciated.
martinindalecio
03-22-2009, 03:19 PM
So? How far are we from the jailbreak?
Gitykins
03-22-2009, 04:08 PM
So? How far are we from the jailbreak?
Nowhere near, unless we can magically find the key.
Why don't you just restore to 2.2 and JB, if you're so impatient?
jfb392
03-22-2009, 04:30 PM
Nowhere near, unless we can magically find the key.
Why don't you just restore to 2.2 and JB, if you're so impatient?
Even with the key, the kernel patches are still sucky.
I may have come closer to making the correct patches (found the block that seems to be MobileIntegrity), but I'll have to guess and check.
steve19137
03-23-2009, 03:10 AM
If it was as simple as replacing a few files, there would be tutorials already.
Edit:
It'll probably double-post me, but I might as well bump the thread. (It didn't bump it, so ignore this.)
I plan on trying more stuff tomorrow; I'll actually check my patches, clean out the original ramdisk, dump the QuickPwn ramdisk .tar onto it, throw the new NOR images into it (and the kernel), then throw a small payload into there (not Cydia, just OpenSSH for now so it cuts down on the size, plus some debugging stuff probably), and finally pack it into an Img3 container.
Since manually booting a ramdisk seems to act up on me, I'll then probably pack everything into an IPSW (consisting of the ramdisk and patched images only), then restore to it.
I really wish I had a 2G, since there are much more useful exploits.
I mean, I could patch the iBoot family to allow for no permission checks, but it'd be much easier to patch it live using a payload for 0wnboot.
Also, having verbose ramdisks (and not to mention, verbose booting) would be useful.
Hopefully one Monday I'll get one..
Does it have to be a Monday? Friday is better.
Anyway, why is everyone soooooooooo anxious to get 3.0 jailbroken? IT'S A BETA!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Why????? I don't even want the 3.0 firmware right now. I'm waiting until it comes out in June or July, whichever one that is. So let's all be patient and wait for daddy to fix the problem, OK??
thund3r
03-23-2009, 03:24 AM
I actually got through the point where they ask you to sign up as a dev to use the beta version. But I don't know if it's allowed to explain how to do it here..
hasan19701970
03-23-2009, 08:09 PM
Thanks a lot for everything.
madcowz
03-23-2009, 08:11 PM
I already know people who have fully jailbroken 3.0; apparently they donated or paid the Dev Team for it and they got it.
BULLS*IT! Why the hell do people even do this? Please, lay off the heroin, it's not helping anyone.
roninx
03-23-2009, 10:22 PM
I thought the deb-team jailbroke it already.
They did, and decided to show off that they did, and decided not to release it.
cookie5000
03-26-2009, 03:00 PM
First off, the Dev Team is most likely holding back the jailbreak for a good reason, if they did. (I think it's because they don't want the key's location to be changed.) Second, why is this thread still open? If someone finds a way to jailbreak, then they'll tell us.
dustybunny1
03-28-2009, 02:59 AM
If somebody would find a way to unlock the Bluetooth for the iPod touch 2G using their knowledge of the new OS, maybe a lot of us would hold off on the whole "I want to jailbreak the 3.0 now!"
(You know I am throwing hints left and right :D)
Milesneptune
04-04-2009, 07:58 AM
I saw that the iPod touch 1G and the iPhones' 3.0 can be jailbroken, but does anyone know anything about the iPod touch 2G?
jpga13
04-04-2009, 08:03 AM
Spend a little time seeing how useless it is to jailbreak 3.0 and save yourself a lot of time trying to figure out how to do it.
dmtsite
06-19-2009, 04:32 PM
Tutorial: How to Jailbreak iPhone 3G 3.0 firmware using PwnageTool for mac http://tinyurl.com/hwtojailbreak30