Talk:Jailbreak (S5L8720x)

Worth nothing
There is a kernelcache in 2.1 betas, and possibly other firmwares too, with the extension ".s5l8920x". This implies that (1) Apple is making yet ANOTHER revision, for some reason, and (2) this is pure speculation, so take it as it is, but it _might_ mean that there is an exploit in the s5l8720x rev that Apple found and is quitely trying to fixed. Again, that is pure speculation, because for all we know that could have been the first new processor rev, then Apple might have found a bug in THAT, and replaced it with the s5l8720x. Who knows :P

For what it is worth though, the s5l8920x kernel cache uses aes-256 instead of the currently used aes-128. It also has a second KBAG with a "2" in the space that would normally have "1" (meaning IV / Key pair is encrypted by the GID key) or "0" (meaning the IV / Key pair is not encrypted, but I do not believe they ever used this publicly, I am just saying this based on the code in iBoot). Now, provided, it is probably known that this wouldn't really count as "new encryption", as we know form the support iBoot already has for it that the first 16 bytes are the IV and then the proceeding 32 are the key, and we know it is encrypted with the gid key because of the "1" identifier (at least on the first KBAG), but I am just throwing it out there.

ChronicDev 20:45, 4 January 2009 (UTC)

Do like Pusher does?
Have you considered using the method RiP Dev used for their Pusher app? They claim that unlike Pwnage their app uses Apple-approved means for initial software installation (they say that it is called in-house deploying from enterprise SDK) and do not change system partition contents. To bypass signature checking Pusher uses in-memory patching, they say, so the warranty remains valid.

RE: Do like Pusher does?
I'll look into it for the hell of it, but as far as I know, they use the Pwnage exploit. but hmmm...it would not be below RiP Dev to get an enterprise membership just so that they could codesign Installer, now that you mention it...

the ramdisk in Pusher.app is somehow encrypted, btw. anyone good with x86 wanna take a stab at reversing it?

ChronicDev 02:14, 5 January 2009 (UTC)

Pusher Ramdisk
Thanks to some 1337sauce from np101137 who helped me figure this out via gdb hax, this is how to scope out the Pusher ramdisk.

1. Plug in an iPhone / iPhone 3G

2. Use gdb to start Pusher gdb Pusher

3. Insert the following breakpoint (gdb) tb *0x0002e9c6

4. Go! (gdb) run

5. Go along with it, put your device in DFU mode, etc etc. (It's OK, trust me)

6. At the breakpoint, you will see the RiP Dev Logo on the screen of your device. But nothing has been uploaded yet, so all is OK :)

7. In terminal: cd /tmp/ipsw/018-4378-1.dmg ~/Desktop/pushpacked.dmg

8. Get xpwntool, and do: xpnwtool ~/Desktop/pushpacked.dmg ~/Desktop/PusherRamdisk.dmg

And there you go! PusherRamdisk.dmg is the decrypted Pusher ramdisk!

Hardware
Maybe your going about this the wrong way, what if there was a way to do it by means of the hardware, maybe if you cross circut two leads on the processor or chip board and send a patched bootloader while its being shorted, similar to the PSP pandora battery one wire mod...just a brainstorm thought i thought i should share

RE: Hardware
Pandora battery actually relied on a few exploits. This is different. Plus, if you read the page, you will see that the bootrom signature checks LLB, so even if you got an unsigned one in NOR, which seems to be what you are proposing, then it will still fail the sigcheck every boot