A pretty in-depth look at the progress of the 2G Jailbreak
#1
I posted a pretty in-depth post about the progress of the 2nd-gen (2G) iPod touch jailbreak, which is on Hack the iPod touch: here.
Please comment on the actual post over there, but here too!
#2
After reading the article, I'd like to point out a mistake, if you don't mind.
The Dev Team is able to communicate with the 2G, as is anyone else. It uses the DFU mode with a different product identifier, but that's about it. The problem that they have is that the exploit used for Pwnage (the DFU bootrom certificate-checking bug that allowed unsigned images to be flashed) is now completely gone, as is 8900 file parsing (the container used by the S5L8900x to provide encryption for critical files included in software updates; it wraps an Img2 or Img3 most of the time, but 8900 files are also found alone). This means that old files cannot be sent to the device and exploited (such as through the diags command that is used to execute unsigned code at any address in the NOR, so you could send an unsigned file that is modified and use diags to strap it).
Last edited by jfb392; 12-05-2008 at 10:39 PM.
#4
When/if chronic does jb the 2G, how much of the progress of the 1G jb and apps will be seen in the 2G? Basically what I am asking is: is the 2G a clean slate, starting from scratch for everything?
I've been reading about the 2G jb since getting it, and I don't think this has been asked yet, or at least not as regularly as "IS there a 2G jb yet?!?!?" So any answer is appreciated. Thanks
#5
The answer to your question is yes! Nothing is perfect... so there ought to be an exploit soon, and then tada... jb. Just have to sit it out...
#6
Hey, that icon at the beginning of the article looks oddly familiar... from some kind of tool... some kind of tool that... did something to IPSWs... oh well.

Anyway, here are a few things:

- It is a clean slate, in a sense. dev never released a client to communicate with dfu.20, since that was obviously new, or the recovery mode protocol of 2.*, but I guess that is different because they were saying that was 'cmw's thing'. So once it was realized that we needed to be able to do this if we even wanted to think about jailbreaking the device, tom3q and wEsTbAeR-- went at it. Over the course of something like three days, huge progress was made, and eventually we had a client that could have a 2-way interactive session with iBoot, the iPod / iPhone bootloader, or if that sounds confusing, think of it like the BIOS on your computer.

- Above, jfb is almost right. You see, in older iBoot revisions, the diags command would jump straight to any parameter you gave it and start executing code there, with no checks or anything. So you could just use mw to write a small amount of code to 0x9000000, or if it was a patched iBoot you wanted to strap, you would just send it to 0x9000000, and from there you would just type "diags 0x9000000" and it would execute the code there. Now, in 2.*, there is a permission + range check in place, so if you do not have a provisioned engineering / debug device that they have locked up at Apple HQ, then you cannot use diags.

- The exploit used for the iPhone / iPhone 3G / iPod touch 1G was a stack overflow when parsing the 8900 certificates. The exploit was not something that just let them go unsigned for no reason; they had to actually exploit it with the right amount of padding, and it seems LR rewritten to a return address that is somewhere within the secure bootloader. The only reason it worked was because the bootrom can not be reflashed, as it is in hardware, so when the iPhone came out, 8900 was the first format it knew, and Apple didn't have time to adapt the new iPhone 3G bootrom to IMG3 yet I guess, so that is why it could not be fixed and why it is firmware-upgrade resistant.
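As an added example (not code from the original post, from iBoot, the Dev Team or Apple), here is a toy C model of the two mechanisms jfb392 and chronic describe above: a length-field-driven stack overflow in 8900 certificate parsing that runs over the saved LR, beside a parser that checks the length against its buffer, and a diags-style jump gated by a permission + range check. The 8900 header offsets, the frame layout, the return addresses and the allowed diags window are all assumptions chosen for illustration, not Apple's real layout; the input image is constructed inline.

```c
/* Added example, not iBoot, Dev Team or Apple code: a toy C model of the two
 * bootloader behaviours discussed in this thread. The 8900 header offsets,
 * the frame layout, the addresses and the diags window are assumptions
 * chosen to illustrate the bug class, not Apple's real layout. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 8900-style header (little-endian fields); only what the demo uses. */
#define HDR_SIZE      0x40           /* assumed fixed header length            */
#define HDR_CERT_OFF  0x14           /* where the certificate blob starts      */
#define HDR_CERT_LEN  0x18           /* length of the certificate blob         */
#define CERT_BUF_SIZE 64             /* toy fixed-size cert buffer "on the stack" */
#define FRAME_SIZE    256            /* toy frame: cert buffer, then saved LR  */
#define ORIG_LR       0x00001234u    /* assumed legitimate return address      */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* frame[0..CERT_BUF_SIZE) is the cert buffer; the four bytes after it stand
 * in for the saved link register that the real overflow clobbers. */
void frame_init(uint8_t *frame) {
    memset(frame, 0, FRAME_SIZE);
    wr32(frame + CERT_BUF_SIZE, ORIG_LR);
}
uint32_t frame_saved_lr(const uint8_t *frame) { return rd32(frame + CERT_BUF_SIZE); }

/* Build a constructed 8900-like image: header, then the cert right behind it. */
size_t build_8900(uint8_t *out, size_t cap, const uint8_t *cert, uint32_t cert_len) {
    if (cap < HDR_SIZE + cert_len) return 0;
    memset(out, 0, HDR_SIZE);
    memcpy(out, "8900", 4);
    wr32(out + HDR_CERT_OFF, HDR_SIZE);
    wr32(out + HDR_CERT_LEN, cert_len);
    memcpy(out + HDR_SIZE, cert, cert_len);
    return HDR_SIZE + cert_len;
}

/* The bug class: the copy stays inside the image, but the header-supplied
 * length is never compared with the fixed buffer, so a cert longer than
 * CERT_BUF_SIZE runs over the saved LR. (The FRAME_SIZE clamp only keeps
 * this toy in bounds; the real parser had nothing of the sort.) */
int parse_8900_unchecked(const uint8_t *img, size_t img_len, uint8_t *frame) {
    if (img_len < HDR_SIZE || memcmp(img, "8900", 4) != 0) return -1;
    uint32_t off = rd32(img + HDR_CERT_OFF), len = rd32(img + HDR_CERT_LEN);
    if (off > img_len || len > img_len - off || len > FRAME_SIZE) return -1;
    memcpy(frame, img + off, len);                 /* overflow into saved LR */
    return 0;
}

/* Hardened form: the length is also checked against the destination. */
int parse_8900_checked(const uint8_t *img, size_t img_len, uint8_t *frame) {
    if (img_len < HDR_SIZE || memcmp(img, "8900", 4) != 0) return -1;
    uint32_t off = rd32(img + HDR_CERT_OFF), len = rd32(img + HDR_CERT_LEN);
    if (off > img_len || len > img_len - off) return -1;
    if (len > CERT_BUF_SIZE) return -2;           /* would not fit: reject */
    memcpy(frame, img + off, len);
    return 0;
}

/* diags as the thread describes it. Old iBoot: jump to whatever you typed.
 * 2.x-style: only on a provisioned debug device and only into an allowed
 * window (the window below is an assumption for the demo). */
#define DIAGS_LO 0x09000000u
#define DIAGS_HI 0x09100000u
bool diags_old_allows(uint32_t addr) { (void)addr; return true; }
bool diags_2x_allows(uint32_t addr, bool provisioned_debug_device) {
    return provisioned_debug_device && addr >= DIAGS_LO && addr < DIAGS_HI;
}

/* Walk-through: a 68-byte cert whose last four bytes land on the saved LR. */
static int run_demo(int (*parse)(const uint8_t *, size_t, uint8_t *), uint32_t *lr) {
    uint8_t cert[CERT_BUF_SIZE + 4], img[512], frame[FRAME_SIZE];
    memset(cert, 'A', CERT_BUF_SIZE);              /* padding up to the LR slot */
    wr32(cert + CERT_BUF_SIZE, 0xDEAD0BADu);       /* attacker-chosen return address */
    size_t n = build_8900(img, sizeof img, cert, sizeof cert);
    frame_init(frame);
    int rc = n ? parse(img, n, frame) : -1;
    *lr = frame_saved_lr(frame);
    return rc;
}
uint32_t demo_unchecked_lr(void) { uint32_t lr; run_demo(parse_8900_unchecked, &lr); return lr; }
int      demo_checked_rc(void)   { uint32_t lr; return run_demo(parse_8900_checked, &lr); }
uint32_t demo_checked_lr(void)   { uint32_t lr; run_demo(parse_8900_checked, &lr); return lr; }

int main(void) {
    printf("unchecked: LR=0x%08x; checked: rc=%d LR=0x%08x; diags 2.x provisioned=%d\n",
           demo_unchecked_lr(), demo_checked_rc(), demo_checked_lr(),
           diags_2x_allows(0x09000000u, true));
    return 0;
}
```

The unchecked parser accepts the image and leaves the "saved LR" holding the attacker's 0xDEAD0BAD, which is the effect chronic describes (padding up to the LR slot, then a chosen return address); the checked parser rejects the same image before copying, and the 2.x-style diags gate refuses the jump unless the device is provisioned and the address is inside the window.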
#7
Thanks King Chronic! I've added some of those comments you made as quotes into the article, and tried to fix it up so it makes better sense. I'm not on the technical side of the jailbreak, so you providing info like this really helps.
EDIT: If you had a better icon I could use, I definitely would.
Last edited by Kiks52; 12-06-2008 at 06:24 AM.
#8
Thank you.
You clarified many things, and thanks to chronic king too, for working hard on this.
#9
*fingers crossed*
Kudos to everybody for their hard work on this