Let's get started and ha let's get it started in here!
Sorry for the cheesy title :P but we have more progress :)
OK, first off: we have patched iBoot, iBEC, iBSS and the device tree with the ECID, and now, to allow a jailbreak, I have applied the RSA signatures (used for getting signed :P) and also some permissions. The RSA sigs and permissions are in iBoot only, but the ECID is inside all of those.
shall we?
Let's get it jailbroken and ha... :D
116 Comments:
Keep up the good work! I'm getting excited.... lol
Ha, we're far from complete but we're making good progress :)
That does sound like you're making very fast progress (although a lot of work, as I can "read")... exciting!!! :)
Ha yeah
Hey guys, I love your work, you do a good job!
I read every comment on geohot's blog and I'm very interested to learn how to hack or how to do this work!
I wish you good luck for your progress on the iPhone jailbreak!
Sorry for my bad English!
Greetings from Germany!
I have a 3GS. I'll start working on the user application for us. Can you email me what you have so far and I'll load it with iRecovery. brad457@gmail.com
I don't have any knowledge about that, but if anyone needs some help that I can do, please tell me! My e-mail is: greekindahouse@gmx.de
Congrats for your work!
I have followed every post on geohot's blog since the beginning and I wish you good luck to go on further!
If I could help I'd do so, but I'm quite new in Apple's world.
I am a ROM cooker for the HTC HD, and I have been coming here for a few weeks!
I'll follow you all !
Alain > your skills could be used here, I would think. You should read over the iPhone Wiki that geohot has contributed to.
Thanks Brad,
You can see my work on this French web page:
http://htc-touch-hd.forumactif.biz/index.htm
I'm Alain18 on this blog, and I cooked for the HTC HD.
I'll read the wiki and try to help.
If you need beta testers I'll be in for sure, because I'm not afraid of flashing my device!
I get off work in 6 hrs, then I'm up all night with you all getting the rest of this figured out.
Amazing progress though guys.
@DBTheAbyss
Can you email me the files so I can catch back up to you all? Thanks.
Been following your progress and am very excited about it.
I'd be interested in Beta Testing as well when the time comes.
Alright guys, I am back. So I see you guys are making progress.
Because you already made the permission and RSA sigcheck patches, can you patch it with my ECID too and send it to me by e-mail...
Arthur,
did you open that private irc or chat?
Cheers,
Jens
Been following you guys on geohot's blog and now here. Keep up the good work guys. Snowy owl and purplera1n for the win!!
Yeah, I will get it up...
It is indeed interesting to follow all the blogs. One product, which is basically a smartphone, can move hundreds and thousands of people just for a jailbreak, which is kind of a feature. Interesting. I really love Apple (except network products.. guys..) :)
OK, IRC is up... uses yesterday's password..
http://cgiirc.blitzed.org/irc.cgi
channel #udev
Question: Won't your work be a waste once 3.1 comes out soon?
Arthur, would you give me the password? jvdheydt@gmx.de please
So if you are wondering, guys, I am working right now on creating a custom DMG file with Cydia included. So when Derek, DBDTheAbyss and DMacro91 are back we can test out what we have right now.
You da man, Arthur. I'm working on a clubhouse sandwich. ;]
Good job guys, keep it going.
Watching with interest.
Setting up a Twitter feed would be great. Like many people, I'm following geohot, chronicdev, devteam. Would love to follow your blog on Twitter.
Only 4 more hours, then work is over and then it's JAILBREAK JAILBREAK JAILBREAK for the next 10 hours!!!
@Arthur
What is the password to the IRC? I can get on it as soon as I get home.
Email is dmacpro91@yahoo.com
I followed over from geohot's blog, keep up the good work.
Gully
Thank you guys for taking a whack at this! Nice to have a little competition, and you guys definitely seem to be on the right path.
Also...
I would love to beta test. I was involved with some beta testing with 2.1, and I do have a pretty extensive background with technology. inzandity@gmail.com!!!
For the guys who are developing... we need to set up IRC so that it doesn't go down when somebody goes offline or switches OS.... any suggestions?
OK, small update: I implemented the whole customization of the 3G DMG file inside the 3GS DMG file.. now I am waiting for patches to actually upload this to the phone.
Go go UDev!
So what do we have in the custom DMG?
It's all the original files + the Cydia package (also some other files and patches from 3G).
Also the root partition should now be 700 MB, so you will have around 90 MB extra for themes and Cydia apps.
Did somebody try to patch iBSS with the ECID and load it with iRecovery into the phone? I wonder if it would still say invalid image...
First of all, even the original iBoot and iBSS give invalid image.
Reason: you have to be in DFU.
dmacpro, I sent you an email
Arthur, how would you send a file to the phone in DFU then? Seems like I'm missing something important :)
-f filename
using what tool?
@floyd25 I think you put the iPhone in DFU and then (via iRecovery) send the iBoot/iBSS. Nothing that is so difficult.
Simone,
iRecovery only works when the phone is in recovery mode (iTunes logo). DFU mode does not display anything on the phone, and when you start iRecovery it only prints out that no phone in recovery mode is found. Seems pretty obvious :)
Tried to use dfu-util from the xpwn package, but the util would stop working because the phone returned an error after sending.
I use rslite.... works fine... it's just that you need the file signed with the ECID and the Apple certificate...
IMPORTANT! I have checked iBoot from 3.1 and 3.0 (compared).
Looks like Apple did change it (don't know for sure yet if the exploit is gone).
I was reading about the "HSHS" point in the files where we should patch the ECID into. I could do that, but how would one patch the cert into the files? I don't really know at what position or after which hex I should insert it.
Hey guys... good job Arthur, I can see you're working hard.
iRecovery with the iPod touch 2G works both in Recovery and DFU (from iphonewiki: "It currently connects to [...] 0x1227: [...]iPod touch 2G: DFU Mode").
So with the iPod touch 2G it works, BUT I don't know for the 3GS. For the dfu-util error from xpwn, I don't know either. But I read a while ago that currently xpwn doesn't work very well with 3.x and the dev team is going to release a new version.
@DBDTheAbyss should I create a chat?
Or maybe a bit faster to use MSN?
Like it would be simpler to send files... you already know mine.. same as e-mail.
@Simone/floyd25, it worked for me. Try using the older version of redsn0w. I'll check the version when I'm home.
Here it's two o'clock in the night. Good night [to] everyone (i don't know if it's "to everyone" or "everyone").
@DBDtheAbyss
Also, were you successful in patching iBoot for the RSA sigchecks?
And permissions etc.? I have my new iBoot with my ECID.
I can send it to you so you can patch it for the exploit.
Simone, thanks for the info. I'll try again, though I still don't know how to patch the ECID and the cert into those files.
Hey, I made you guys a logo. I still have the PSD, so if you want any changes made just ask.
http://kttns.org/ewogq
You don't have to use it if you don't want, I just made it to show my support and boredom :P
Looks cool denio :)
@DBDTheAbyss
Can you send me the patched iBoot? I will add my ECID myself.
Also, did you get iBSS and iBoot signed with the Apple certificate?
By the way, change my account display name..
@DBDtheAbyss please change Team members (Arthur to InhexSTER)
So also I figured out that when you restore, the signed files are saved in /tmp on the Mac. Looks like no need for purplera1n :)
So basically it will be all the img3 signed with your ECID... no need for patching... NICE!
Back again.. sorry for popping around...
OK, I have the RSA sig tags and permissions written to iBoot :)
Did you read what I said... it looks like Apple saves the received files in tmp, which are already signed. So now all we need is to implement the exploit in iBoot.
Hey! Sorry to congest the comments here, but I just wanted to say that I don't really know you guys, but I wish you the best of luck and hope you can bring us a jailbreak shortly and make everyone happy. :] Thanks again!
@so I will check the files I got from that tmp folder (if they work I will send you my iBoot for exploit patching)
Yes, but you need the RSA stuff for the bootrom from doing anything... if you want help exploiting this I'll help :)
lol, chronic thinks I'm ipodtouchoverlord...
@DBDTheAbyss sent you iBoot to patch, with my ECID in it already
@DBDTheAbyss Also it doesn't have the Apple certificate thing, I dunno if you got it yet? Patch for it also.
That post was kind of unnecessary, he was going off, not even really knowing who you are.
Rock on guys! :)
Dev team new blog post guys! Check it out.
Knew it before their post.
The only file that I am not able to get from there is iBSS; it gets deleted too quickly.
@DBDTheAbyss I have created DMG files based on the custom 3G restore. So all the jailbreaking patches and Cydia are in there... Now I need that iBoot from you so I can try a restore :)
Gee, thanks :(
Good luck guys..... I hope you get to crack this cold case!
Can you tell us if we need to do the 2 restore processes to get the signed iBSS and iBEC files from /tmp even if we already have our ECID & the purplera1nyday file?
If we "should" have it (easier JBing?) then tell me (us) here what the correct names of these 2 files are, and I'll write a small bash script for Mac which does the job for you, just in time!
Greetz, Martin
PS: Wanna help you guys - I have a Unibody MacBook and a Windows PC and a lot of coding knowledge, so if you want my help I'll do so, just contact me -> codelab23@googlemail.com ;)
@WHiTY it would be very useful...
The idea is that there is a custom.preference.bundle.* folder
where * is some hex number
but we have to grab all files from there
but it would be nice if the script grabs it every second or even every 0.5 seconds
because the iBSS file is sent once (when the white screen flashes and the Apple logo appears) and it's gone in less than a second
pretty much we need 2 scripts: 1 for getting iBSS and probably iBEC... a 2nd for getting everything else (which stays there the whole restore time)
Yep, I just have a first prototype of the script... it's able to get all the files which it has to get. I only need to know which files (filenames would be useful). In case the names are the same on every restore process there is no need not to type them statically into my script.
So please tell me just the iBSS/iBEC filenames in /tmp and I can post a first version of the script - I planned it so you only have to start it once via Terminal before starting the restore process, and just kill it once the process has ended. And in the meantime it has saved all wanted files to an alternate filename or directory if wanted.
So, please tell me the filenames and I'll post the script v1.0 here ;)
Oh, only read your last post.... yeah, I can manage it to check every 0.1 sec (better it is ;)) and it'll "backup" all files in the "custom..." directory, right?
Yeah.. so basically that's the idea... so you start it and it copies whatever is in that directory... and if a file already exists it skips copying it. It just copies new files as they arrive.. also possible to just allow rewriting the previous ones.
The folder name is different every time... I will go into the Mac and check... but it ends on a different hex number every time, so you need to use the start... and just copy the whole folder, I guess.
So the directory name you posted above is written correctly? If yep, then I'll write the script just to use this directory (if it exists) and make a backup of every file in there until you kill the script (which means your restore has finished).
OK - I am using the dir name above now.... can you add me to your team here or so!? Maybe a mail, or do I have to post the script here in the comments?
The directory name is like this:
/tmp/PersonalizedRestoreBundle.*
* means there is a random hexadecimal number... but Mac can do autofill.
So what.... /tmp/PersonalizedRestoreBundle.* or custom.preference.bundle.*?? Or both?
No, the personalized one.
So the script only needs to check the /tmp/custom.... dir?
Need to copy only the Personalized one...
So only this -> /tmp/PersonalizedRestoreBundle.*
k?
OK... @coding now...
OK, the script is almost done in v1.0 ;) but I can't test it because I don't have a restore IPSW or anything else. But I can send it over - it's well documented and written with great care - so there should be NO risk!
Script done! Can't test it because I have no IPSW and need my phone, so I cannot play with it, but I took as much care as you can expect from a person who writes a bash script at just 4 am in the morning ;)
@InhexSTER tell me where I have to put it so you or anyone else can test it!? (Mail/IRC/?)
inhexster@hotmail.com
OK, forgot a little routine that tests if the directory exists and THEN copies all files over ;) will write a small tutorial for it too so everyone understands what this script does.
Yeah, it won't be nice if it creates duplicates of files... it has to replace them if they exist.
@InhexSTER: can I expect that iTunes deletes the Personalized... directory from the tmp dir after the restore? If yes, my script is now COMPLETELY finished and should work as expected now, really ;)
Yes.. iTunes gets rid of the tmp files as soon as it's done restoring.
Send it to me and I will test it right now..
@Ashley
Thanks. Got your email and am working on trying to catch back up to everybody. Thanks again.
@Dmacpro91.. Do you know anything about whether DBDTheDarkAbyss got the sig checks and permissions patched?
Use this script to catch all the files you need:
Open Terminal.
Type: mkdir Pwnage_save
Hit enter.
Type: while true; do cp -R /tmp/* /Users/your_username/Pwnage_save/; done
Let it run until one of the folders has the iBSS.
PS: To see the contents of these folders, open Terminal, type sudo su, then cd into each folder and use the "ls" command to view its contents.
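The watcher the thread describes above (copy everything under /tmp/PersonalizedRestoreBundle.* while the restore runs, re-check every fraction of a second because the iBSS is gone in under a second, skip files already saved and replace ones that changed), written out as an added example. It is not WHiTY's pastebin script and not the cp loop in the previous comment; only the directory name comes from the thread, and the file names inside the bundle that its demo creates are made up for the demo.

```python
"""Mirror iTunes' personalized restore bundle out of /tmp while a restore runs.

Added example, not the thread's own script. Polls for directories matching
/tmp/PersonalizedRestoreBundle.* (the name given in the thread; the hex suffix
differs per restore), copies every file into a save directory as it appears,
skips files whose saved copy is byte-identical, and replaces ones that changed.
"""
import filecmp
import glob
import os
import shutil
import sys
import tempfile
import time


def copy_new_files(src_glob, dest):
    """Copy files under every directory matching src_glob into dest/<dirname>/.

    Returns the list of destination paths written in this pass. Saved copies
    that are byte-identical are skipped; copies that differ are overwritten.
    """
    written = []
    for bundle in sorted(glob.glob(src_glob)):
        if not os.path.isdir(bundle):
            continue
        out_root = os.path.join(dest, os.path.basename(bundle))
        for root, _dirs, files in os.walk(bundle):
            out_dir = os.path.normpath(
                os.path.join(out_root, os.path.relpath(root, bundle)))
            os.makedirs(out_dir, exist_ok=True)
            for name in files:
                src = os.path.join(root, name)
                dst = os.path.join(out_dir, name)
                try:
                    if os.path.exists(dst) and filecmp.cmp(src, dst, shallow=False):
                        continue
                    shutil.copy2(src, dst)
                except OSError:
                    # iTunes may remove the file between listing and copying
                    # (the iBSS lives under a second); retry on the next pass.
                    continue
                written.append(dst)
    return written


def watch(src_glob, dest, interval=0.1):
    """Poll until interrupted (Ctrl-C once iTunes has finished the restore)."""
    print(f"watching {src_glob} -> {dest} (Ctrl-C to stop)")
    try:
        while True:
            for path in copy_new_files(src_glob, dest):
                print("saved", path)
            time.sleep(interval)
    except KeyboardInterrupt:
        pass


def demo():
    """Constructed bundle in a temp dir; the file names inside are made up."""
    tmp = tempfile.mkdtemp()
    bundle = os.path.join(tmp, "PersonalizedRestoreBundle.1A2B3C")
    os.makedirs(os.path.join(bundle, "Firmware", "dfu"))
    ibss = os.path.join(bundle, "Firmware", "dfu", "iBSS.img3")
    with open(ibss, "wb") as f:
        f.write(b"3gmI-constructed-ibss")
    with open(os.path.join(bundle, "Firmware", "dfu", "iBEC.img3"), "wb") as f:
        f.write(b"3gmI-constructed-ibec")
    pattern = os.path.join(tmp, "PersonalizedRestoreBundle.*")
    dest = os.path.join(tmp, "Pwnage_save")
    first = len(copy_new_files(pattern, dest))    # both files are new
    second = len(copy_new_files(pattern, dest))   # nothing changed
    with open(ibss, "wb") as f:
        f.write(b"3gmI-constructed-ibss-v2")
    third = len(copy_new_files(pattern, dest))    # only the changed iBSS
    shutil.rmtree(tmp)
    return first, second, third


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--watch":
        watch("/tmp/PersonalizedRestoreBundle.*", os.path.expanduser("~/Pwnage_save"))
    else:
        print("demo copies per pass:", demo())
```

Run it with --watch before starting the restore and stop it with Ctrl-C once iTunes is done; with no arguments it runs the constructed demo. The copy is per file rather than a cp -R of all of /tmp, so a large /tmp does not slow the loop, and a file iTunes deletes mid-copy is retried on the next pass instead of killing the loop.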
@InhexSTER
That's what I'm working on. I had to work late today and went to sleep last night, so now I'm stuck trying to play catch-up.
I posted it at pastebin with just a little description - enjoy, and post comments or errors by mail to codelab23...googlemail com.... Going to bed now... will read it later (in about 3h).
Script: pastebin.ca/1481447
Greets
@Dmacpro091: your small "script" or command row isn't very useful - if your tmp folder has gotten huge you're backing up a lot of crap, and this takes time. Use my script (last post above) instead - this should do the job better ;)
@WHiTY
True, but it does work at least. Once you get the files you need, just move them and delete the folder.
Yours is rather refined though, I must admit.
Yeah.... but it has 2 "bugs": it doesn't use the WAIT variable - just replace both "$SLEEP 1" with "$SLEEP $WAIT" - and of course I meant "can" instead of "can't" at howto point 3. ;)
@Dmacpro091:
Yeah, I refined mine a lot more ;) both of our scripts work - one more efficiently than the other - it's just a little problem (the /tmp/ readout).... so I think everyone can use the "script" of their choice ;)
Going to sleep now - it's just 5am here (Dresden, Germany) ;)
Looks like this way we have also got the signed ramdisk DMG.
Also I didn't get iBSS yet.. I think I have to do a DFU restore for that.
Yeah, I was right, so this guy's script is very good...
Helped a lot... so now I have all the files which are signed.. now I need to implement the exploit in iBoot.
Any progress Dmacpro91?
@InhexSTER
Not yet, I can't get any program to patch the iBoot and the other "i" files.
Any thoughts? Shouldn't I be able to apply the patches with a standard hex editor?
Yes, the problem is where to apply them. I tried searching for the hex addresses that geo provided; there is none like that 0x4FF1..... one, for example.
Alright, it's 11:30 PM and I didn't sleep well the last two nights.. I will go get some sleep. If you guys are able to patch it tonight or something, send me instructions, I will patch mine and run a test.. I have the complete custom DMG ready..
Alright. Later. @InhexSTER Get some good sleep.
Get some sleep.
I'm alive :D
I missed all the fun sorry :(
InhexSTER,
I don't think that the patch addresses geohot gave us are actually inside a file. I assume that those are memory addresses that we have to patch during the boot process. What do you think?
Also, the /tmp thing for iTunes is pretty interesting, though all we get from it are our own personalized, signed files. It doesn't help a thing to include custom software inside the pack.
But WHAT it is good for is to check our patches against the files. For example the ECID and other addresses. We can make a diff from the original files to check if we were right, and that's a good thing :) Will do so now.
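For the "HSHS" question earlier in the thread (where the ECID and the cert sit in the files) and the diff idea in the last comment, an added example that is not code from the thread or from any tool it mentions: it walks the tags of an IMG3 container and reports which tags differ between two files. The layout it assumes is the publicly documented IMG3 one, not something the thread spells out: a 20-byte header (magic, fullSize, sizeNoPack, sigCheckArea, ident) followed by tags of magic, totalLength, dataLength, payload and padding, with every magic stored as a little-endian u32, which is why SHSH reads as "HSHS" and ECID as "DICE" in a hex editor. The files in demo() are constructed with dummy payloads (no real firmware, signature or certificate), and sigCheckArea is taken as the tag bytes before SHSH, an assumption about what the signature covers.

```python
"""Walk and diff the tags of IMG3 containers (iBSS/iBEC/iBoot/devicetree).

Added example, not the thread's own code. The header and tag layout and the
meaning of sigCheckArea are assumptions from the public IMG3 description.
"""
import struct

HEADER = struct.Struct("<4sIII4s")  # magic, fullSize, sizeNoPack, sigCheckArea, ident
TAG = struct.Struct("<4sII")        # magic, totalLength, dataLength


def tag_name(magic):
    """Magics are little-endian u32s, so b'DICE' on disk is the ECID tag."""
    return magic[::-1].decode("ascii")


def tag_magic(name):
    return name.encode("ascii")[::-1]


def parse_img3(blob):
    """Return ident, sigCheckArea and the ordered tag list of an IMG3 blob."""
    magic, full_size, size_no_pack, sig_check_area, ident = HEADER.unpack_from(blob, 0)
    if magic != b"3gmI":
        raise ValueError("not an IMG3 container")
    if full_size != len(blob) or HEADER.size + size_no_pack > len(blob):
        raise ValueError("header sizes do not match the file length")
    tags, off, end = [], HEADER.size, HEADER.size + size_no_pack
    while off < end:
        tmagic, total_len, data_len = TAG.unpack_from(blob, off)
        if total_len < TAG.size + data_len or off + total_len > end:
            raise ValueError(f"corrupt tag at 0x{off:x}")
        tags.append({
            "name": tag_name(tmagic),
            "offset": off,                        # absolute file offset of the tag
            "data": blob[off + TAG.size:off + TAG.size + data_len],
        })
        off += total_len
    return {"ident": tag_name(ident), "sig_check_area": sig_check_area, "tags": tags}


def build_img3(ident, tags):
    """Serialize (name, payload) pairs, padding each tag to a 4-byte multiple.

    sigCheckArea is set to the tag bytes before SHSH (assumed signed region);
    a file without SHSH gets the whole tag area.
    """
    body, sig_area = b"", None
    for name, payload in tags:
        if name == "SHSH":
            sig_area = len(body)
        pad = (-len(payload)) % 4
        body += TAG.pack(tag_magic(name), TAG.size + len(payload) + pad, len(payload))
        body += payload + b"\0" * pad
    if sig_area is None:
        sig_area = len(body)
    return HEADER.pack(b"3gmI", HEADER.size + len(body), len(body),
                       sig_area, tag_magic(ident)) + body


def find_tag(img, name):
    return next((t for t in img["tags"] if t["name"] == name), None)


def ecid_of(img):
    """ECID payload is a little-endian u64."""
    tag = find_tag(img, "ECID")
    return struct.unpack("<Q", tag["data"][:8])[0] if tag else None


def in_signed_area(img, name):
    """True if the tag starts inside the first sigCheckArea bytes of tag data."""
    tag = find_tag(img, name)
    return tag is not None and tag["offset"] - HEADER.size < img["sig_check_area"]


def diff_tags(a, b):
    """Names of tags whose payload differs, or that exist in only one file."""
    names = [t["name"] for t in a["tags"]]
    names += [t["name"] for t in b["tags"] if find_tag(a, t["name"]) is None]
    return [n for n in names
            if (find_tag(a, n) or {}).get("data") != (find_tag(b, n) or {}).get("data")]


def demo():
    """Constructed stand-in files: dummy payloads, no real signature or cert."""
    ecid = struct.pack("<Q", 0x000001234ABCDEF0)          # made-up ECID
    tail = [("ECID", ecid), ("SHSH", b"S" * 128), ("CERT", b"C" * 64)]
    head = [("VERS", b"iBoot-0.0"), ("TYPE", b"ibss")]    # constructed values
    original = build_img3("ibss", head + [("DATA", b"\x00" * 32)] + tail)
    patched = build_img3("ibss", head + [("DATA", b"\xff" * 32)] + tail)
    orig, pat = parse_img3(original), parse_img3(patched)
    return {
        "ident": orig["ident"],
        "ecid": ecid_of(orig),
        "tags": [t["name"] for t in orig["tags"]],
        "ecid_signed": in_signed_area(orig, "ECID"),
        "cert_signed": in_signed_area(orig, "CERT"),
        "changed": diff_tags(orig, pat),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

in_signed_area() is the check to run on a personalized file from /tmp before editing it: a tag whose offset falls inside sigCheckArea is, under the assumption above, covered by the SHSH signature, so changing its payload without re-signing changes what the signature was computed over. diff_tags() lists exactly which tags a patch touched, which is the comparison the last comment proposes.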