iPhone firmware 1.0.2 released and analyzed, hopes for new features dashed


Alright, here's the skinny on what's changed in the new iPhone firmware (1.0.2):

- /private/var/db/localtime has been changed from a file to a symlink, looks like a fix related to time zones.

- The kernel caches in /System/Library/Caches/com.apple.kernelcaches/ have been changed. So a few changes in the kernel. The new kernels are actually smaller by about 6 kilobytes.

- The Info.plist for the Multitouch driver in /System/Library/Extensions/AppleMultitouchSPI.kext has been changed. This corresponds with what appears to be reprogrammed multitouch firmware, possibly fixing some multitouch issues for some.

- A few files have been rearranged, for the IOKit, MultitouchSupport, OfficeImport, and System frameworks (/System/Library/Frameworks). Looks like they've replaced some static folders with symlinks into the Versions folder of each framework. Possibly a backward compatibility move? I'm just thinking...
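The observations above are what a filesystem diff of two unpacked root images yields. The script below is an added example (not the Dev Team's own tooling): it snapshots two directory trees, records regular files by size and SHA-256, and records symlinks by target without following them, so a file or directory that turned into a symlink (localtime, the framework folders) is reported as a type change and a re-built kernel cache is reported with its size delta. To run stand-alone it builds two small constructed trees in temporary directories mirroring the paths discussed; the localtime link target and all file contents are assumptions, not real firmware data.

```python
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Describe every path under root, keyed by relative path:
    ('dir',), ('symlink', target) or ('file', size, sha256).
    Symlinks are recorded by target and never followed, so a directory that
    became a link shows as a type change instead of being walked through."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                entries[rel] = ("symlink", os.readlink(full))
                dirnames.remove(name)          # do not descend through the link
            else:
                entries[rel] = ("dir",)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                entries[rel] = ("symlink", os.readlink(full))
            else:
                entries[rel] = ("file", os.path.getsize(full), _sha256(full))
    return entries


def diff_trees(old_root, new_root):
    """Return (kind, relpath, detail) tuples, sorted by path, for everything
    that differs between the two unpacked images."""
    old, new = snapshot(old_root), snapshot(new_root)
    report = []
    for rel in sorted(set(old) | set(new)):
        a, b = old.get(rel), new.get(rel)
        if a is None:
            report.append(("added", rel, b[0]))
        elif b is None:
            report.append(("removed", rel, a[0]))
        elif a[0] != b[0]:
            report.append(("type", rel, f"{a[0]} -> {b[0]}"))
        elif a[0] == "symlink" and a[1] != b[1]:
            report.append(("retarget", rel, f"{a[1]} -> {b[1]}"))
        elif a[0] == "file" and a[2] != b[2]:
            report.append(("changed", rel, f"{b[1] - a[1]:+d} bytes"))
    return report


def build_sample_trees():
    """Two constructed stand-ins for unpacked old and new root filesystems
    (NOT real firmware contents; the localtime link target is an assumption)."""
    old = tempfile.mkdtemp(prefix="fw_old_")
    new = tempfile.mkdtemp(prefix="fw_new_")

    def put(root, rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    def link(root, rel, target):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.symlink(target, full)

    kc = "System/Library/Caches/com.apple.kernelcaches/kernelcache"
    fw = "System/Library/Frameworks/IOKit.framework"
    put(old, "private/var/db/localtime", b"TZif2" + bytes(64))         # regular file before
    link(new, "private/var/db/localtime", "/usr/share/zoneinfo/UTC")   # symlink after
    put(old, kc, b"\x00" * 0x10000)                 # kernel cache 6 KiB smaller in new
    put(new, kc, b"\x01" * (0x10000 - 6 * 1024))
    put(old, fw + "/Headers/IOKitLib.h", b"// header\n")   # real Headers directory before
    put(old, fw + "/Versions/A/Headers/IOKitLib.h", b"// header\n")
    put(new, fw + "/Versions/A/Headers/IOKitLib.h", b"// header\n")
    link(new, fw + "/Versions/Current", "A")                 # Headers now links into Versions/
    link(new, fw + "/Headers", "Versions/Current/Headers")
    put(old, "etc/passwd", b"root:*:0:0\n")                  # unchanged, must not be reported
    put(new, "etc/passwd", b"root:*:0:0\n")
    return old, new


def sample_report():
    """Run the diff over the constructed trees; returns {relpath: (kind, detail)}."""
    old, new = build_sample_trees()
    try:
        return {rel: (kind, detail) for kind, rel, detail in diff_trees(old, new)}
    finally:
        shutil.rmtree(old)
        shutil.rmtree(new)


if __name__ == "__main__":
    for rel, (kind, detail) in sample_report().items():
        print(f"{kind:8s} {rel}  {detail}")
```

Against real images, point `diff_trees` at the two mounted or extracted root filesystems; hashing rather than comparing sizes is what catches a re-built kernel cache that happens to stay the same length.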


Infineon, we have a problem

Posted by George Hotz

The 3G bootloader is sig checked by the bootrom. So even removing the NOR and patching the bootloader (to remove main fw sig checks) and main firmware doesn't work for an unlock. Big thanks to TA_Mobile for dumping the NOR and confirming this. You have some real skills.

The X-Gold 608 is the chip used. The lame "datasheet" Infineon gives us shows the hardware RSA and the secure bootrom. So we have a real problem. Even if we find an unsigned code exploit, which wasn't done for the previous two bootloaders in software (we found tricks to play with the NOR), we still can't unlock.
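To make the chain-of-trust argument above concrete, here is a small simulation added to this page; it is not geohot's, Infineon's or Apple's code. It models the bootrom, the bootloader and the main firmware as three stages, each verified by the one before it, and replays the NOR-patching attempt: stripping the firmware check out of the bootloader changes the bytes the bootrom verifies, so the bootrom halts before the patched check ever runs. The RSA keys are a toy built on fixed Mersenne primes (an assumption so the block needs no libraries; trivially factorable, and nothing like the real X-Gold keys or image format, which this page does not describe).

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Toy RSA on fixed Mersenne primes so the block needs no libraries. These keys
# are trivially factorable and stand in for the real ones, which are not on
# this page; only the chain-of-trust logic is the point.
E = 65537


@dataclass(frozen=True)
class Key:
    n: int
    e: int
    d: Optional[int] = None        # private exponent; None for a verify-only key


def make_key(p: int, q: int) -> Key:
    return Key(p * q, E, pow(E, -1, (p - 1) * (q - 1)))


def sign(key: Key, data: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")   # h < n for these key sizes
    return pow(h, key.d, key.n)


def verify(key: Key, data: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, key.e, key.n) == h


@dataclass
class Bootloader:
    code: bytes
    fw_key_n: int      # modulus it uses to check main firmware, part of its signed body
    checks_fw: bool    # the check a NOR patch would try to remove

    def image(self) -> bytes:
        """The bytes the bootrom signs and verifies: patch any field and this changes."""
        flag = b"1" if self.checks_fw else b"0"
        return self.code + b"|" + str(self.fw_key_n).encode() + b"|" + flag


def boot(bootrom_key, bl, bl_sig, fw, fw_sig, bootrom_checks=True) -> List[str]:
    """Walk the chain bootrom -> bootloader -> main firmware and return the boot log.
    bootrom_checks=False models a bootrom that jumps into NOR without verifying it."""
    log = []
    if bootrom_checks:
        if not verify(bootrom_key, bl.image(), bl_sig):
            log.append("bootrom: bootloader signature BAD, halt")
            return log
        log.append("bootrom: bootloader signature OK")
    else:
        log.append("bootrom: no check, jumping to NOR")
    if bl.checks_fw:
        if not verify(Key(bl.fw_key_n, E), fw, fw_sig):
            log.append("bootloader: firmware signature BAD, halt")
            return log
        log.append("bootloader: firmware signature OK")
    else:
        log.append("bootloader: firmware check patched out")
    log.append("main firmware running")
    return log


def scenarios():
    bootrom_key = make_key((1 << 521) - 1, (1 << 127) - 1)   # burned into the bootrom (toy)
    fw_key = make_key((1 << 607) - 1, (1 << 107) - 1)        # the key the bootloader carries (toy)
    bl = Bootloader(b"x-gold bootloader stub", fw_key.n, checks_fw=True)
    bl_sig = sign(bootrom_key, bl.image())
    fw = b"stock main firmware"
    fw_sig = sign(fw_key, fw)

    patched_fw = b"main firmware with unlock patch"                  # no valid signature exists
    patched_bl = Bootloader(bl.code, bl.fw_key_n, checks_fw=False)   # the NOR patch
    return {
        "stock": boot(bootrom_key, bl, bl_sig, fw, fw_sig),
        "patched fw only": boot(bootrom_key, bl, bl_sig, patched_fw, fw_sig),
        "patched bl + fw": boot(bootrom_key, patched_bl, bl_sig, patched_fw, fw_sig),
        "patched bl + fw, no bootrom check": boot(
            bootrom_key, patched_bl, bl_sig, patched_fw, fw_sig, bootrom_checks=False),
    }


if __name__ == "__main__":
    for name, log in scenarios().items():
        print(name + ":", " / ".join(log))
```

The last scenario is the pre-3G situation the post contrasts with: when nothing verifies the bootloader, a NOR patch that removes the firmware check lets unsigned firmware run, which is exactly what a bootrom-anchored check closes off.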

Even though the bootloader isn't available for download, there's really nothing there. This bootloader doesn't contain any of the interactive mode functions, just a stub which is very similar to the old bootrom (but with sig checking). The interactive loader is tacked on to the end of every fls and eep file, and is loaded at 0x86000. BBUpdaterExtreme contains several ramloaders as well, but I believe the one used is from the update file itself. You do not need the bootloader to work on the baseband, you just need the files off the ramdisk. Also interesting to note, the 2 RSA keys the bootloaders use haven't changed since 3.9 or 4.6, so you have these too.

Killing CommCenter on 2.0 kills the Wi-Fi, which will make working with the baseband a bit harder. Entering interactive mode is now done with a call to the kernel to raise an I/O pin before resetting.

The first step to tackling this is dumping the bootrom. We need some exploit, I don't care where, to dump arbitrary memory. Then we can dump 0x400000, which is the new "secure" bootrom.

Timber!!!


While we continue working on the two current remaining challenges from Apple (the iPhone 3G soft unlock and iPod Touch 2G jailbreak; see the end of this post), we're also watching the latest beta releases from Apple.

The first beta 2.2 from Apple reveals a few things:

  1. They're continuing with their ski-resort theme; Version 2.2 is nicknamed Timberline.
  2. They've gone back to using expiry dates. The first 2.2 beta is due to expire on November 30, 2008. They stopped using expiry dates about halfway through the 2.1 betas, but for some reason they've started using them again.
  3. Version 2.2 is still vulnerable to pwnage and quickpwn on everything but iPod Touch 2G.


To demonstrate point #3, here's the non-AppStore application Terminal.app running on 2.2, showing the kernel build information.

Hardware already vulnerable to pwnage remains vulnerable in version 2.2.

Terminal.app on 2.2

Regarding the two current challenges: the 3G iPhone soft unlock and iPod Touch 2G jailbreak are still relatively new challenges (compare them with the timeframe of the iPhone challenges last year). We're making slow advances on both fronts, but it's not the sort of thing that can be easily described in a blog like this.

But, to maybe show how interlinked these challenges are, this weekend we'll be trying some hardware based ideas on the iPod Touch 2G jailbreak :)



NAND FTL

Posted by planetbeing

So the big news yesterday (other than Obama winning the presidency!) is that we have enough of a low-level NAND driver now that we're able to read from NAND! It was epic win. There turns out to be not as much hardware voodoo as, say, Merlot, so that's pretty good news. It seems to work (albeit slowly) and I even wrote the ECC routines today (and those seem to work as well).
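For readers who have not met NAND ECC before, here is the kind of routine the post refers to, added as an example: a single-bit-correcting Hamming code over a 256-byte page with 3 ECC bytes, in the style of the classic SmartMedia / Linux nand_ecc layout. It is not planetbeing's routine and the iPhone's actual ECC scheme is not described on this page, so the layout and parity packing below are assumptions; the sample page contents are constructed.

```python
# Single-bit-correcting Hamming ECC over a 256-byte NAND page (3 ECC bytes per
# 256 data bytes). Added example; the iPhone's own ECC is not described on this page.

BLOCK = 256
ADDR_BITS = 11                  # 256 * 8 = 2048 data bits -> 11-bit bit address


def calc_ecc(block: bytes) -> bytes:
    """For each address bit i, keep one parity over the data bits whose address has
    bit i set (p1[i]) and one over those where it is clear (p0[i]). The 22 parity
    bits are packed little-endian into 3 bytes: p1[i] at bit 2i+1, p0[i] at bit 2i."""
    assert len(block) == BLOCK
    p0 = [0] * ADDR_BITS
    p1 = [0] * ADDR_BITS
    for byte_index, byte in enumerate(block):
        for bit in range(8):
            if byte >> bit & 1:
                addr = byte_index * 8 + bit
                for i in range(ADDR_BITS):
                    if addr >> i & 1:
                        p1[i] ^= 1
                    else:
                        p0[i] ^= 1
    code = 0
    for i in range(ADDR_BITS):
        code |= p1[i] << (2 * i + 1) | p0[i] << (2 * i)
    return code.to_bytes(3, "little")


def correct(block: bytes, stored_ecc: bytes):
    """Compare stored and recomputed ECC. Returns (status, data):
    'ok'            syndrome zero, data unchanged
    'corrected'     exactly one bit of every (p0, p1) pair differs: that pattern spells
                    out the address of a single flipped data bit, which is repaired
    'ecc-bit-flip'  one bit differs, in the ECC bytes themselves; data is fine
    'uncorrectable' anything else (two or more flipped data bits)"""
    syndrome = int.from_bytes(calc_ecc(block), "little") ^ int.from_bytes(stored_ecc, "little")
    if syndrome == 0:
        return "ok", bytes(block)
    addr = 0
    for i in range(ADDR_BITS):
        pair = syndrome >> (2 * i) & 3
        if pair in (0, 3):
            break                              # not the single-data-bit pattern
        if pair == 2:                          # p1[i] differs -> address bit i is 1
            addr |= 1 << i
    else:
        fixed = bytearray(block)
        fixed[addr >> 3] ^= 1 << (addr & 7)
        return "corrected", bytes(fixed)
    if bin(syndrome).count("1") == 1:
        return "ecc-bit-flip", bytes(block)
    return "uncorrectable", bytes(block)


def flip_bit(buf: bytes, addr: int) -> bytes:
    """Simulate a NAND bit flip at bit address addr."""
    out = bytearray(buf)
    out[addr >> 3] ^= 1 << (addr & 7)
    return bytes(out)


SAMPLE = bytes(range(256))           # constructed page contents
SAMPLE_ECC = calc_ecc(SAMPLE)

if __name__ == "__main__":
    print("clean:      ", correct(SAMPLE, SAMPLE_ECC)[0])
    print("1 flip:     ", correct(flip_bit(SAMPLE, 1234), SAMPLE_ECC)[0])
    print("2 flips:    ", correct(flip_bit(flip_bit(SAMPLE, 7), 900), SAMPLE_ECC)[0])
    print("ECC flipped:", correct(SAMPLE, flip_bit(SAMPLE_ECC, 5))[0])
```

The practical check when writing a driver against a real chip is the reverse direction: read a page the stock firmware wrote, recompute the ECC with your candidate algorithm, and compare against the spare-area bytes; a zero syndrome over many clean pages is the only convincing evidence the layout guess is right.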

Unfortunately, in the course of this, we discovered several unfortunate things. First, I can't seem to find anything that might write to NAND. It's probably not much more complicated and probably reuses a lot of the stuff we've been doing, but it means that we might have to look in the kernel for that code, which sort of bites (a lot of the kernel is in C++ and not as friendly to reverse).

The second thing is the realization that all of Samsung's proprietary FTL code is in this thing. Without being able to understand it, we can't actually map sectors to data and we can't make sense of the NAND data or write new data to it in a useful way. Unfortunately, this code is liable to be ridiculously complex, since it's basically their SDK they ship to everyone. Without it, we can still proceed, but the iPhone can't read Linux's data and Linux can't read iPhone's data. In the worst case, we can't even have both OSes on the NAND at once.
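To show what "mapping sectors to data" means in the FTL paragraph above, here is a minimal log-structured FTL, added as an example. It is not Samsung's code and nothing about its page size, spare-area tags or rebuild rule is the iPhone's layout; those are constructed assumptions. The point it makes is the one in the post: the logical-to-physical map lives only in RAM, overwritten sectors leave stale copies on flash, and a raw dump is just pages in write order until you know the FTL's tags and its rule for picking the live copy.

```python
# Minimal log-structured FTL (added example; Samsung's FTL is proprietary and not
# described on this page). Page size, spare layout and rebuild rule are assumptions.
from typing import Dict, List, Optional, Tuple


class Nand:
    """Raw flash: each page holds data plus a small spare area. None = erased.
    Pages are write-once until their block is erased, so an overwrite of a logical
    sector has to land on a fresh physical page."""

    def __init__(self, pages: int):
        self.data: List[Optional[bytes]] = [None] * pages
        self.spare: List[Optional[Tuple[int, int]]] = [None] * pages   # (logical sector, sequence)


class Ftl:
    """Logical sector -> physical page, kept only in RAM while running."""

    def __init__(self, nand: Nand):
        self.nand = nand
        self.seq = 0
        self.next_free = 0
        self.map: Dict[int, int] = {}

    def write(self, lsn: int, data: bytes) -> int:
        ppn = self.next_free
        if ppn >= len(self.nand.data):
            raise RuntimeError("out of free pages (a real FTL would garbage-collect here)")
        self.next_free += 1
        self.seq += 1
        self.nand.data[ppn] = data
        self.nand.spare[ppn] = (lsn, self.seq)     # tag that lets the map be rebuilt
        self.map[lsn] = ppn                        # the old copy stays on flash, now stale
        return ppn

    def read(self, lsn: int) -> Optional[bytes]:
        ppn = self.map.get(lsn)
        return None if ppn is None else self.nand.data[ppn]


def rebuild_map(nand: Nand) -> Dict[int, int]:
    """What a dump reader has to do: scan every spare and keep, per logical sector,
    the physical page with the highest sequence number."""
    best: Dict[int, Tuple[int, int]] = {}
    for ppn, spare in enumerate(nand.spare):
        if spare is None:
            continue
        lsn, seq = spare
        if lsn not in best or seq > best[lsn][1]:
            best[lsn] = (ppn, seq)
    return {lsn: ppn for lsn, (ppn, _) in best.items()}


def demo() -> dict:
    """Constructed write sequence: sector 0 is written twice, sector 5 once."""
    nand = Nand(pages=8)
    ftl = Ftl(nand)
    ftl.write(0, b"sector 0, first write")
    ftl.write(5, b"sector 5")
    ftl.write(0, b"sector 0, rewritten")     # lands on page 2; page 0 now holds stale data
    return {
        "live_sector_0": ftl.read(0),
        "raw_page_0": nand.data[0],          # what reading the dump in page order sees
        "rebuilt_map": rebuild_map(nand),
        "rebuilt_sector_0": nand.data[rebuild_map(nand)[0]],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:17s} {v!r}")
```

A real FTL adds wear levelling, garbage collection, bad-block remapping and its own metadata pages on top of this, which is why reimplementing one from a dump, rather than from its source or SDK, is the hard part the post describes.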

Still, being able to dump NAND through USB is a substantial accomplishment, and we're well on our way.