This exploit is present in the 2.1.1 firmware of iPod Touch 2G devices, as well as in the 2.1.1 iBEC / iBSS if you choose to upload one via DFU. It allows unsigned code to run on the iPod Touch 2G's ARM7 processor (not the ARM11, mind you).
This exploit cannot be used on an iPhone, iPhone 3G, or iPod Touch 1G, nor is there any reason for it to be, as they have already been jailbroken.
The Exploit
There is an ARM7 in the iPod Touch 2G in addition to the main processor, the ARM11. It sits on the same address bus, so it has access to everything the ARM11 has access to, such as the AES engine, the PKE accelerator, and so on. The actual exploit is that, in the iPod Touch 2G 2.1.1 firmware, Apple left behind two commands: arm7_stop and arm7_go. They were promptly removed in 2.2. The arm7_go command had no signature checking, permissions checking, or anything like that. The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and the ARM7 is supposed to execute it. Unfortunately, it will not jump directly to something like a patched iBoot / iBEC. You must first make a payload that patches whatever is currently running (iBoot / iBEC / iBSS / etc.) in memory, and then use "go" to jump to any unsigned code (wrapped in img3 format).
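The unsigned code mentioned above still has to be wrapped in Apple's img3 container, and the normal iBoot load path rejects an img3 that lacks signature tags. As an added example (not code from this page or from the Dev Team), here is a small img3 tag walker that checks container and tag lengths and reports whether an image carries the SHSH / CERT tags a signature-enforcing loader would look for; the sample blobs are constructed in the script, and the layout follows the publicly documented img3 format.

```python
import struct

# img3 layout (public documentation, not taken from this page):
#   header: magic 'Img3', fullSize, sizeNoPack, sigCheckArea, ident
#   tag:    magic, totalLength (12-byte tag header + data + padding), dataLength, data
# All fields are little-endian, which is why a hex dump shows "3gmI", "GABK", "HSHS".

def fcc(name):
    """ASCII four-char code as the integer stored in the file."""
    return struct.unpack(">I", name.encode())[0]

def fcc_name(value):
    return struct.pack(">I", value).decode("ascii", "replace")

def parse_img3(buf):
    """Return (ident, [(tag, data), ...]); raise ValueError on a malformed container."""
    if len(buf) < 20:
        raise ValueError("truncated img3 header")
    magic, full_size, size_no_pack, _sig_area, ident = struct.unpack_from("<5I", buf, 0)
    if magic != fcc("Img3") or full_size != len(buf) or 20 + size_no_pack > len(buf):
        raise ValueError("not a well-formed img3 container")
    tags, off, end = [], 20, 20 + size_no_pack
    while off < end:
        if end - off < 12:
            raise ValueError("truncated tag header at offset %d" % off)
        tmagic, total, dlen = struct.unpack_from("<3I", buf, off)
        if total < 12 or dlen > total - 12 or off + total > end:  # length-consistency checks
            raise ValueError("malformed tag at offset %d" % off)
        tags.append((fcc_name(tmagic), bytes(buf[off + 12:off + 12 + dlen])))
        off += total
    return fcc_name(ident), tags

def is_signed(tags):
    """A loadable image carries both a SHSH (signature) tag and a CERT tag."""
    names = {t for t, _ in tags}
    return "SHSH" in names and "CERT" in names

def parse_kbag(data):
    """KBAG: cryptState, aesType (0x80/0xC0/0x100 = key bits), IV[16], wrapped key[32]."""
    crypt_state, aes_type = struct.unpack_from("<2I", data, 0)
    return {"crypt_state": crypt_state, "key_bits": aes_type, "iv": data[8:24], "key": data[24:56]}

# --- constructed sample blobs (not real firmware); sigCheckArea is set to the whole body ---
def img3_tag(name, data):
    padded = data + b"\0" * (-len(data) % 4)  # tags are 4-byte aligned
    return struct.pack("<3I", fcc(name), 12 + len(padded), len(data)) + padded

def build_img3(ident, tags):
    body = b"".join(tags)
    return struct.pack("<5I", fcc("Img3"), 20 + len(body), len(body), len(body), fcc(ident)) + body

SAMPLE_KBAG = struct.pack("<2I", 1, 0x100) + b"\x11" * 16 + b"\x22" * 32
UNSIGNED = build_img3("ibot", [img3_tag("TYPE", b"ibot"), img3_tag("DATA", b"\xee" * 13), img3_tag("KBAG", SAMPLE_KBAG)])
SIGNED = build_img3("ibot", [img3_tag("TYPE", b"ibot"), img3_tag("DATA", b"\xee" * 13),
                             img3_tag("SHSH", b"\x00" * 128), img3_tag("CERT", b"\x00" * 64)])
```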
Thanks for the update :) I thought this jailbreak would never happen.
it was kinda annoying that there were some people going "omg devteam if the jb is real release it now!" so this pretty much proves to them the exploit exists, but it needs a bit of work to get a stable payload + GUI
I wasn't skeptical because I knew it was coming from the dev team and well netkas and bushing I've kinda grown to trust in the osx86/wii scene.
Does being limited to the ARM7 mean less processing power or did you mean the ARM7 commands would be used for the jailbreak, but then we could access all hardware afterward?
no no, the exploit itself is running the payload on the ARM7. after the exploit is complete and 0wnz your iTouch, then it's all good :)
I know you probably are asked this quite a bit, but I was just wondering if I can believe the rumours about a release for an iPod touch 2G jailbreak planned for this weekend-MLK day? Not trying to be a nag so if I am... Sorry :)
Bloody sunday - i looked it up and bloody sunday is on the 30th this month.. hmm.. is it really this weekend? or the 30th?
This is what we get for telling little kids the jailbreak is done, now they want it RIGHT NOW not realizing the additional GUI programming needed for a stable jailbreak. Btw chronic nice work on the jailbreak so far.
it's almost like Apple does its best to put a little exploit in most of their devices, like they want their devices to be jailbroken :P
nah, they quickly removed it in 2.2, it seems more like a major communication fail between their software engineering team and whoever puts together the firmwares :P
hi is it possible for apple to make it so you cannot upload a 2.1.1 iBSS via DFU i.e. in the next update 2.3 ? also as I don't know how to do it is it easy to upload the 2.1.1 iBSS ?
don't worry about it. apple cannot fix this.
and when redsn0w comes out, it will probably do the uploading for u, so don't worry :)
chronic, what about you try to build an exploit of your own? :D Just getting it to run an ssh server would be enough ;)
now we know how redsn0w works and its limitations will the iPhone dev team release the ibss patch to anyone ? as that would speed up the process of finding a more permanent work around ? i dont know much about ipod hacking but there are many others that do and would help and speed up the matter.
plz chronic, work on finding the executable format as the iphone dev team are working on finding the second exploit to make it permanent and that may take a long time so if you can get this working you can release a patch and you could go down as the first to jailbreak the ipod 2g
YEH guys plz try your best to get the JB done before the end of the month coz we are all tired of waiting. but good job on the JB so far you have made huge progress since the iPod touch 2G came out so keep it up and tell us as soon as you have checked that it works 110% so good luck
I looked at the disassembled iBoot and what does GABKD mean?
ROM:0002905C aGabkd DCB "GABKD",0
ROM:00029062 DCW 0
ROM:00029064 DCD loc_38
That's very interesting chronic. You've got a lot of really good information on this wiki. I was wondering though why some people are saying that the tool used to communicate with the iBoot is copyrighted and therefore cannot be released. Is there an Apple tool with greater functional ability than that of iRecovery? Thanks.
@sloppy711: AFAIK GABK is the start of the kbags
...figures...
it means you forgot to set the load address to 0x22000000 :)
not to mention you did not decrypt it :P
Almost done, good job
You appear to have patched iBoot to allow those restricted commands to work, and from what I can tell you're not using the same tool as the devteam to upload it. Have you considered releasing your exploit for tech-heads to play around with? :)
I don't believe it's time to do that yet.
smacks head on desk
@alaricx
instead of trying to discover a non tethered version why not keep the tether but make it simple with a gui that will run all the iboot/running patch malarkey so its not so manual for all the little kiddies and their not so computer wise friends ;P just a suggestion
Can you release software to do a tethered jailbreak?
Why not do a tethered jailbreak, then use that to add more code to the 2g to automatically inject code to the device that will then get rid of sign checks?
I know that is a lot harder than it seems
Thanks, sloppy711. You appear to have missed the obvious subtext. One "releases an exploit" by either releasing the code that uses that exploit or releasing information on that exploit; in this case, what code was loaded, how that code was loaded, what utilities were used, et cetera. I'm terribly sorry you lack the ability to comprehend abbreviated sentence structure.
Commenting again guys, keep owning it, you're doing great work <(!!)> :) peace out
Thanks For Posting This! Another Step Closer!