All times are UTC - 5 hours
Post subject: Slightly more technical redsn0w FAQ
PostPosted: Thu Jan 29, 2009 10:04 am
Super Moderator
Joined: Mon Jun 02, 2008 2:55 pm
Posts: 795

Some of you might be confused about the current state of the so-called 'redsn0w' jailbreak. I've assimilated some info from a bunch of sources explaining how it works, why certain things aren't there and why they will be difficult to overcome.

1) What is redsn0w?

Unless you've been living under a rock for the past week, redsn0w is the code-name for a potential method of Jailbreaking (NOT pwning, more on that later) the iPod Touch 2G. The iPhone Dev-Team started making noise about it last week on their twitter account.

2) So how does it work then?

As you might have guessed from the name, it works very similarly to the yellowsn0w iPhone SIM unlock. It uses an exploit in the Firmware 2.1.1 iBoot interactive recovery bootloader to inject code that overwrites iBoot in RAM, allowing it to boot a modified kernel. This is similar to yellowsn0w in that yellowsn0w also patches the 3G baseband on the fly in RAM in order to remove the unlocking code.

For those who are interested, the exploit lies in the fact that the iPod Touch 2G has an ARM7 processor (in addition to the ARM11 processor), and Apple left some diagnostic stuff in the 2.1.1 iBoot to run custom code on that processor (which also has access to the main system memory, so you can patch already-running sl7xxx code in RAM). They removed it in 2.2; I guess noticing the change let the two teams know that something funny was going on.

This definition is probably a bit simplistic. I'm fairly sure that I read somewhere that signature checks are also performed in RAM on iBoot as well; however, those signature checks may only happen when iBoot is loaded into RAM.

3) iBoot? What on earth is that?

If you don't know what this is, I should probably explain (in simple terms) the boot process from power-on to kernel.

The bootrom is kind of like a read-only BIOS for the iPod Touch. If buttons are held down in the correct order, it will start up in DFU mode, which allows it to accept recovery bootloaders; these are checked to see if they are authentic, and then it runs them. If you are just turning on the iPod Touch, it goes to the very first bit of the NOR (a secondary 8 megabit flash for storing bootloaders, NOT the main filesystem) and authenticity-checks and loads a program called the 'LLB'. Also worth noting here: you can't just overwrite the bootrom because it is read-only. Not even Apple could overwrite your bootrom.

The Low Level Bootloader (LLB) is pretty much the same as the bootrom: all it does is authenticity-check iBoot and load it, or, if it can't do that (because iBoot is invalid or corrupt), it just enters a DFU-like mode with a few more commands (and possibly a bit more secure too). Two important things to note here (which made chronic's task difficult):
- It overwrites the bootrom in RAM, which makes reverse-engineering the actual bootrom very difficult.
  [**] EDIT: Never mind that, pod2g found a way of dumping it directly without having to get the image in RAM.
- If you do the button combination for DFU mode and this is available, you'll get this DFU mode and not the actual bootrom DFU mode (as far as I know).

iBoot is the last and most complicated bootloader on the device. It is what provides recovery mode and a basic charging interface, can decrypt firmware using the iPod hardware, and boots the actual iPhone OS. For this reason it also needs to be the most secure. This is where the actual exploit was found: in the Firmware 2.1.1 iBoot. Also note that it authenticity-checks whatever is sent to it in recovery mode, and the kernel when it is just booting.

4) Wait, so I need Firmware 2.1.1 to do this?

Yes and no. If you have firmware 2.1.1, all you have to do is enter recovery mode and apply the exploit. If you have firmware 2.2, you'll need to have the 2.1.1 firmware files, enter DFU mode, and I would assume any devteam tool would extract the interactive bootloader from 2.1.1 and load that for you, then exploit it.

5) What's all this about a 'tethered jailbreak'?

This comes back to what I said earlier about the bootrom. It's perfectly possible to flash the NOR with your own custom LLB and iBoot (images etc.); however, when the bootrom sees the modified LLB it will just say 'nowai' and kick you into DFU mode. You can have a fully jailbroken system on the iPod, but this interactive iBoot hole is the only way to actually start it.

The current patch doesn't apply fully because it's an in-RAM patch. RAM == volatile, which means that as soon as you turn the device off, you also lose the patch (thanks 'xxx (0)' for pointing that out).

6) So the iPod Touch 2G is jailbroken (sort of), but does that mean it is pwned?

It can be pwned (signature checks taken out of the LLB and iBoot) but it won't actually start up, so it will be fairly useless.

On a side note, the original iPod touch and iPhone (and 3G) bootrom did not signature check the LLB, so you only had to modify that and it would happily start it.

7) So we've seen a video, how long can we expect a jailbreak?

I really don't think it's worth providing any ETAs on a usable jailbreak until the devteam states that they have a way (if they can find a way) to make the bootrom pass a modified LLB as authentic.

8) So how would they do that?

Two ways:

First would be to craft a modified LLB sans the sigcheck that has the same SHA1 hash as the Apple LLB (very, very hard).

Second would be to completely erase the NOR flash so all we have is the real bootrom, reverse it and have a look for any kind of signature checking vulnerable to a stack overflow. Then, craft the signature of the bootrom in a way that exploits that stack overflow and use it to load our modified LLB anyway, even though it is unsigned. It's a bit risky considering you have to hack the device (even though it is done for you by the bootrom itself (how ironic)) on every boot.

EDIT: They've got the bootrom without dumping it from the RAM \o/

9) I saw this video on YouTube claiming to have a specially modified QuickPwn that works on the 2G. They said it was from the devteam as a gift! And there's a link to it! And it looks like QuickPwn too! Is this for real?

NO

The devteam has not released any sort of tool to perform the jailbreak and anyone claiming to have that tool is probably just some script-kiddie trying to get you to download their adware / spyware / virus.

And even if they showed you their 2G and it had some jailbreak apps / themes on it, it is probably just a series of screenshots.

And even if they wiggled those icons around, it is probably just some specially crafted video.

And even if they were wiggling those icons around, they are probably just using webclips to get a picture of the icon.

10) I don't care if this jailbreak is tethered, can I have the tool anyways?

We'll see if the devteam chooses to release the tool or not (they might if they can't find a way to pass a modded LLB any time soon). Even then, the tool will be quite difficult to use because you have to write to the filesystem yourself (cydia, installer, terminal, nes) and you'll need it every time you want to boot your iPod. Is that really worth it?

11) Chronic and his folk came up with something called '0wnboot', is this the untethered jailbreak we're looking for?

Nope. The devteam haven't released the code for redsn0w to anybody yet; it was coincidental that both Chronic and the devteam found the arm7_go exploit in the same period of time. Chronic and his folk have just figured out how to use it (as did the devteam) and have some unsigned code running based on an in-RAM patch.

_________________
www.youtube.com/computerhacker54
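Sections 3, 5 and 6 of the post above describe a chain of trust in which each boot stage verifies the next one and the chain is anchored in a bootrom that cannot be rewritten. The following toy model, an added example that is not part of the post and not Dev-Team or Apple code, plays that chain through: a stock boot, a modified kernel rejected by iBoot, a volatile patch to the in-RAM copy of iBoot that lets a custom kernel boot once, the same patch gone after the next power-on (the "tethered" situation), and a modified LLB in NOR rejected by the bootrom. Every image name and byte string is constructed, and Apple's RSA signature check is replaced by a SHA-256 digest pinned in the previous stage (a simplification, not how the real devices verify).

```python
"""Toy model of the boot chain discussed in the post:
bootrom (ROM) -> LLB (NOR) -> iBoot (NOR) -> kernel.

Constructed example. Signature verification is modelled as a SHA-256 digest
pinned in the previous stage; real devices use RSA signatures over a
certificate chain. Image contents are made-up byte strings."""

import hashlib
from dataclasses import dataclass, replace
from typing import Callable, Optional


def digest(data: bytes) -> str:
    """Stand-in for the signature check: a pinned SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Image:
    name: str
    code: bytes
    pinned_next: Optional[str] = None   # digest this stage accepts for the next one


# Constructed "Apple-signed" images (not real firmware).
KERNEL = Image("kernel", b"apple-kernel-2.1.1")
IBOOT = Image("iBoot", b"apple-iboot-2.1.1", pinned_next=digest(KERNEL.code))
LLB = Image("LLB", b"apple-llb-2.1.1", pinned_next=digest(IBOOT.code))
BOOTROM_PIN = digest(LLB.code)          # burned into the read-only bootrom


def stock_nor() -> dict:
    """Persistent NOR contents as shipped: LLB, iBoot and the kernel image."""
    return {"LLB": LLB, "iBoot": IBOOT, "kernel": KERNEL}


def boot(nor: dict, ram_patch: Optional[Callable[[Image], None]] = None) -> str:
    """One power-on. Each stage is verified by the one before it, and the chain
    is anchored in the bootrom, which nothing can change. `ram_patch`, if given,
    models code that alters the in-RAM copy of iBoot *after* the LLB verified it
    (the post's in-RAM patch). boot() never writes to NOR."""
    ram: dict = {}                      # volatile: empty at every power-on

    # bootrom: load the LLB from NOR and check it against the ROM-pinned digest
    llb = nor["LLB"]
    if digest(llb.code) != BOOTROM_PIN:
        return "DFU"                    # bootrom refuses a modified LLB
    ram["LLB"] = replace(llb)

    # LLB: verify iBoot and copy it into RAM; the copy is not re-checked later
    iboot = nor["iBoot"]
    if digest(iboot.code) != ram["LLB"].pinned_next:
        return "LLB-DFU"                # the LLB's own DFU-like mode
    ram["iBoot"] = replace(iboot)

    if ram_patch is not None:
        ram_patch(ram["iBoot"])         # only the volatile copy changes

    # iBoot: verify the kernel before jumping to it
    kernel = nor["kernel"]
    if digest(kernel.code) != ram["iBoot"].pinned_next:
        return "recovery"               # iBoot rejects an unsigned kernel
    return f"kernel:{kernel.code.decode()}"


def accept_custom_kernel(iboot_in_ram: Image) -> None:
    """Constructed stand-in for the in-RAM patch: the loaded iBoot copy now
    accepts the custom kernel. No NOR content is touched."""
    iboot_in_ram.pinned_next = digest(b"custom-kernel")


def demo() -> dict:
    """Run the scenarios from the post and return each outcome by name."""
    results = {}
    results["stock"] = boot(stock_nor())

    jailbroken = stock_nor()
    jailbroken["kernel"] = Image("kernel", b"custom-kernel")
    results["custom kernel, cold boot"] = boot(jailbroken)
    results["custom kernel, RAM patch"] = boot(jailbroken, ram_patch=accept_custom_kernel)
    results["custom kernel, next power-on"] = boot(jailbroken)   # RAM is empty again

    pwned = stock_nor()                 # section 6: sigcheck removed from the LLB
    pwned["LLB"] = Image("LLB", b"llb-without-sigcheck", pinned_next=digest(b"anything"))
    results["patched LLB in NOR"] = boot(pwned)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:32} -> {outcome}")
```

The model makes the post's two points visible: the RAM patch works exactly once per power-on because `boot()` starts with an empty `ram` and reloads iBoot from NOR, and no change to NOR survives the bootrom's check because `BOOTROM_PIN` lives in ROM rather than in anything the device can write.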
PostPosted: Mon Feb 02, 2009 9:41 pm
ELITE
Joined: Thu Jun 12, 2008 8:22 am
Posts: 131
Location: Louisville Ky

Thanks for clearing some stuff up for me. So do you have any idea how long until the dev team releases redsn0w with a GUI and an untethered version? I thought you might know because I found all this stuff out.
PostPosted: Mon Feb 02, 2009 11:24 pm
iPhone/iPod touch Master
Joined: Sat Jan 10, 2009 1:38 pm
Posts: 83

Wow, this is long, but thanks for the explanations; it was good.
PostPosted: Sat Mar 07, 2009 12:42 pm
iPhone/iPod touch Expert
Joined: Wed Nov 05, 2008 10:30 pm
Posts: 72

It's worth reading if someone is unsure; I read it and it made some good sense. Is it true that the untethered jailbreak will be available after the new iPhones are released?

_________________
touch touch touch touch touch
Post subject: Re: Slightly more technical redsn0w FAQ
PostPosted: Mon Jan 25, 2010 10:49 pm
iPhone/iPod touch User
Joined: Mon Jan 25, 2010 8:05 pm
Posts: 3

Wow