Pwnage

This exploit is in the VROM

Credit
The dev team

Exploit
The VROM doesn't sig check the stuff it jumps to in the NOR. So to use the exploit, one finds a way of writing to the NOR unsigned, either with iBoot hacks or kernel patches.

This exploit has been fixed on the iPod Touch 2G. The bootrom sigchecks LLB before jumping to it now, and if the LLB is patched, it will default to DFU mode.

Implementation

 * PwnageTool
 * iPhoneLinux