Tuesday, September 22, 2009
Haha, just thought about saying something of that sort, but on a more technical note, the iBoot crash Chronic uses for iPod Touch 3G is very similar to something that happened to me a few months ago. I remember my ipt2g was stuck in recovery mode and iBoot would not respond after messing up on an attempt to write a new FS. I actually tried numerous times to restore it, in recovery and DFU, which would only go into the WTF_2.0 white screen and then crash into recovery and have an interesting restore log. I even took it to Apple and the manager and the whole Genius Bar were stumped. Little did I know, this very same crash could be invoked and uninvoked for a jailbreak exploit. If only I were able to reverse engineer something like that. Good job Chronic! You reversed what I could not and you even have a payload made. I respect you very much =] thank you for making this work! I am proud to have found this but even more so that you exploited it!
    
    Greenpois0n pr0ps!
Scratch my last post!
Props to Chronic Dev for finding the iBoot crash that allows a custom payload on iPod Touch 3G! Good job!
Also Chronic, if you read this, I would love to help make a Windows version with your guidance. Of course I am just a low level guy, but I'm willing to learn more! If you're interested in doing a dual release, I'll surely help make a Windows version, just tell me the language(s), and give me the sauce (source) code and I'll help. I work with C++ and hexadecimal mostly and I know you're just a C guy but I know I can make it run.
Thanks!
Saturday, August 29, 2009
The Odds are against us but we must fight!
It is most likely that the iPod touch 3G will have a new s5l7920x bootrom with the ECID field, new iBoot, more parameters in the kernel to kill code, and all of this with 3.1. This is no good for those who want a jailbreak. Because pwnage and 24kpwn will no longer work, jailbreaking will be tough. I suggest once you get your iPod touch 3G you should really get your generated signed ECID.
The way I see it, two methods for a "hack" are plausible.
•1. Check the BootRom for lags, i.e. the bootrom timing out on code and passing it on as 0xnull. This would be unlikely and probably unexploitable, but it's still a thought.
•2. A custom s5l7920x bootrom dump routine, basically changing the nature of the routine for a bootrom dump. Thanks to WestBaer and GeoHot for discovering the dump itself. Now if you make it so that the chain of trust continues without the RSA signature check, then you could try patching everything else. And might get something nice.
Finally a method that I think is pointless: pay $99 for Apple certification or dev certification and sign jailbroken apps and run them under different directories.
Otherwise wait for either
-iPhone Dev Team
-Chronic Dev
-GeoHot
-other "leet" hackers.
We might try to tackle this feat but we will probably need help from higher people. We're good at patching on the software level but really this is hard stuff.
Friday, August 14, 2009
Dev's for Hire!
As you may have guessed from the title I am opening spots on unknown Dev. Since the team is *ALMOST* dead we need more people that are devoted to developing. But like most "jobs" there are requirements.
Requirements:
•you must be familiar with most iPhone/iPod Touch terms
•you must have knowledge on how a jailbreak works.
•you must have experience with the following code of your choice.
-Hexadecimal
-C
-C+
-C++
-C#
-(optional) ASCII
-(optional) ISCII
-(not impressive/optional) VB.Net
Wednesday, July 29, 2009
Hashish HSHS
Hi, this is DBD the Abyss! Just letting you know I'm still alive! :) also some news.
I have applied a fellow member's ECID to his phone's 3.1 LLB inside the HSHS string and then resized it to 0x24000 bytes and it successfully restored!
This could help if I decide to move forth with the jailbreak. Now I have not used any unsigned code so don't get too excited =P. But this seems promising :)
@geohot... Good job on your tools! Keep up the good work :D
Friday, July 17, 2009
Calling all unknown developers!
OK guys, our new project is to make a 3.1 jailbreak for 3GS, meaning get your ECIDs ready 'cause we're gonna get our jailbreak on >:)
    
Wednesday, July 1, 2009
The 0wls Egg
As you may have seen in the comments we are making very fast progress and just need a couple patches for a jailbreak.
Arthur made a custom ramdisk; here's what he said:
So what we have in custom dmg?
It's all original files + cydia package (also some other files and patches from 3G)
Also root partition now should be 700mb, so you will have around 90mb extra for themes and cydia apps-
I myself must patch iBoot, iBEC, and iBSS with the RSA signatures in order to put ANY nice jailbreaking stuff :P
Let's get started and ha let's get it started in here!
Sorry for the cheesy title :P but we have more progress :)
OK, first off, we have patched iBoot, iBEC, iBSS and the devicetree with ECID, and now (as to allow a jailbreak) I applied the RSA signatures (used for getting signed :P) and also some permissions. The RSA sigs and permissions are in iBoot only, but the ECID is inside all those.
Shall we?
Let's get it jailbroken and ha... :D
Team members
Dmacpro91, drew, DBDtheAbyss, Arthur, derekg612 and a few people pitching in on geohot's page.
    
project sn0wy 0wl
We're unknown developments. We're making a tethered homebrew jailbreak to relieve you people who want a 3GS jailbreak now. We're a DAY into the project and we have already
patched all sig-checked files with a unique ECID.
Team member Derek and I did this; Derek made the method we use.
Derek said:
"So I noticed that in the iBSS the "HSHS" string also exists. Here's the hex string found in the iBSS, iBoot, and the purplera1nyday file... "48 53 48 53 8C 00 00 00 80 00 00 00". I'm gonna take a look at the other img3s as well."
A few minutes later he ran a test restore
and said this:
"The iBoot I created using the method described above worked for me. The phone is currently restoring... been copying files and progressing for a while now. It's gonna fail because I used a decrypted 018-5302-002.dmg file and when you do this it fails verification with Apple at about 50% progress bar (iPhone). I guess this means we can "patch" all of the files containing that hex sequence."
Later I made a patched iBoot and sent it to team member Arthur. It was HIS unique ECID I encoded into iBoot.
For examples of my ECID patched system pieces go to http://www.megaupload.com/?d=EI25M3Y9 it has no jailbreaking data as of yet but we are still working on patching :)
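The 12 bytes Derek quotes are a tag header of the img3 container format that iBSS, iBEC, iBoot and the LLB are packaged in: a 4-byte tag magic stored byte-reversed (so `HSHS` on disk is the `SHSH` tag), then the tag's full size including its header, then its payload size. `8C 00 00 00` / `80 00 00 00` are therefore 140 and 128 bytes, i.e. a 128-byte signature field. The following example, added here and not code from the team or from any Apple tool, decodes that header, walks every tag of a small img3 image constructed inline (not a real firmware file), rejects size fields that would run past the buffer, and cross-checks the SHSH tag's position against the header's sigCheckArea field, which records how many bytes of the tag area precede the SHSH tag. The names `parse_img3_tags`, `check_signature_layout` and `build_sample_img3` are this example's own; the header and tag layout follow the publicly documented img3 structure.

```python
import struct

IMG3_MAGIC = b"3gmI"        # "Img3" stored byte-reversed (little-endian)
IMG3_HEADER_LEN = 20        # magic, fullSize, sizeNoPack, sigCheckArea, ident
TAG_HEADER_LEN = 12         # magic, fullSize, dataSize


def tag_name(raw4: bytes) -> str:
    """Tag magics are stored byte-reversed: on disk b'HSHS' is the SHSH tag."""
    return raw4[::-1].decode("ascii")


def decode_tag_header(hex_string: str):
    """Decode a 12-byte img3 tag header given as a spaced hex string.
    Returns (tag name, fullSize including header, dataSize)."""
    raw = bytes.fromhex(hex_string.replace(" ", ""))
    if len(raw) != TAG_HEADER_LEN:
        raise ValueError("tag header must be exactly 12 bytes")
    magic, full_size, data_size = struct.unpack("<4sII", raw)
    return tag_name(magic), full_size, data_size


def parse_img3_tags(blob: bytes):
    """Walk every tag of an img3 container.
    Returns a list of (name, fullSize, dataSize, offset of the tag header).
    Raises ValueError if any size field would walk past the buffer."""
    if len(blob) < IMG3_HEADER_LEN or blob[:4] != IMG3_MAGIC:
        raise ValueError("not an img3 container")
    full_size = struct.unpack_from("<I", blob, 4)[0]
    if full_size > len(blob):
        raise ValueError("header fullSize exceeds buffer")
    tags = []
    off = IMG3_HEADER_LEN
    while off < full_size:
        if full_size - off < TAG_HEADER_LEN:
            raise ValueError(f"truncated tag header at 0x{off:x}")
        magic, tag_full, tag_data = struct.unpack_from("<4sII", blob, off)
        # a tag must at least hold its own header, its payload must fit inside
        # the tag, and the whole tag must fit inside the container
        if (tag_full < TAG_HEADER_LEN or tag_data > tag_full - TAG_HEADER_LEN
                or off + tag_full > full_size):
            raise ValueError(f"bad size fields in tag at 0x{off:x}")
        tags.append((tag_name(magic), tag_full, tag_data, off))
        off += tag_full
    return tags


def check_signature_layout(blob: bytes):
    """Locate the SHSH tag and cross-check it against the header's sigCheckArea
    (the number of tag-area bytes that precede the SHSH tag).
    Returns (SHSH tag offset, signature length in bytes, layout consistent?)."""
    sig_check_area = struct.unpack_from("<I", blob, 12)[0]
    for name, _full, data_size, off in parse_img3_tags(blob):
        if name == "SHSH":
            return off, data_size, (IMG3_HEADER_LEN + sig_check_area == off)
    raise ValueError("no SHSH tag: image is unsigned or truncated")


# --- constructed sample image for this example; not a real Apple firmware file ---

def _tag(name: str, payload: bytes) -> bytes:
    """Serialize one tag: reversed magic, fullSize, dataSize, payload."""
    header = struct.pack("<II", TAG_HEADER_LEN + len(payload), len(payload))
    return name.encode("ascii")[::-1] + header + payload


def build_sample_img3() -> bytes:
    """Assemble a minimal, self-consistent img3 with TYPE, DATA, SHSH and CERT
    tags. The SHSH tag carries a 128-byte dummy signature, which yields exactly
    the 8C 00 00 00 / 80 00 00 00 header bytes quoted in the post."""
    tags = _tag("TYPE", b"tobi") + _tag("DATA", b"\xaa" * 32)
    sig_check_area = len(tags)                       # bytes before the SHSH tag
    tags += _tag("SHSH", b"\x00" * 128) + _tag("CERT", b"\xcc" * 16)
    header = IMG3_MAGIC + struct.pack(
        "<III4s", IMG3_HEADER_LEN + len(tags), len(tags), sig_check_area, b"tobi")
    return header + tags


if __name__ == "__main__":
    print(decode_tag_header("48 53 48 53 8C 00 00 00 80 00 00 00"))
    sample = build_sample_img3()
    for entry in parse_img3_tags(sample):
        print(entry)
    print(check_signature_layout(sample))
```

Running the block prints `('SHSH', 140, 128)` for the quoted bytes, then the four tags of the constructed image with their offsets, and finally the SHSH offset, signature length and whether sigCheckArea agrees with where the SHSH tag actually starts. Because every size field is bounds-checked before it is trusted, the same walker refuses an image whose tag headers have been damaged or truncated instead of reading past the end of the buffer.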
