FAQ

Page history last edited by Caleb Mingle 15 years, 8 months ago

Introduction

This FAQ highlights information and questions answered by members of the Dev-Team, so that they are not constantly bombarded with the same ones.

 

The grammar and spelling used in this FAQ were copied and pasted directly from the comments on the Dev-Team blog. If I get time, I will attempt to correct those mistakes, but until then, I hope you get the idea.

 

This FAQ is not run by the Dev-Team. Although it is supported by the Dev-Team, and the answers to these questions are official answers from the Dev-Team, we are not the Dev-Team.

Anyone who continues to e-mail asking when redsn0w will be out will be added to the idiots page. Thanks :)

 

Thanks

I just want to say a big thank you for reading this FAQ. I put it together simply to spare the Dev-Team from having to answer the same questions over and over, so that the time they would have spent answering them can go into developing redsn0w further, or into simply relaxing.

 

I didn't really expect this FAQ to take off like it did and be posted around in so many places. I simply posted the link to one person on IRC, and it seems to have spread like wildfire.

 

I hope you enjoy this FAQ and find some answers to your questions. If you have found a question and answer (not just a question) to submit, please e-mail it to me at: caleb@calebmingle.com

 

Table Of Contents

  1. Introduction
  2. Thanks
  3. Table Of Contents
  4. Questions
    1. General
      1. What other cool things can you do with a jailbroken 2nd gen?
      2. Could you demonstrate in a video how you look for a hole/exploit?
      3. Is there any app to pull the RSS feeds on my iPod rather than stalking the blog comments?
      4. You should see my face every couple of hours when I check the blog. It's like, is there going to be an update 6?! Then I get sad.
      5. MuscleNerd, someone is claiming to be your classmate on Qik! They said you found an exploit in the third stage bootloader! And it's going to be released soon!
      6. What will happen to the files on my device after I jailbreak? Can I still use the apps?
      7. What exactly is a 'tethered' jailbreak?
    2. Release
      1. Why can't you release it now, what's the problem?
      2. Why don't you release that buggy jailbreak, so that the spammers will shut up?
      3. Are you currently looking for another exploit?
      4. Will making a petition, and getting countless users to agree, get the patch released earlier?
      5. Why won't you just release a manual method? Is there still hope for one?
      6. So the way to circumvent redistributing that software is a QuickPwn or PwnageTool style program?
      7. Why will you not release a tutorial?
      8. I know you are not giving an ETA, but I'm just asking how long it will be until it's out? How long are you estimating?
      9. Will you release the patch now?
      10. Will you release the tethered patch now?
      11. Will you give us an ETA for release?
      12. You said the jailbreak would be out today!
      13. Someone told me you did!
      14. I'm not asking for an ETA, but just some updates?
      15. I don't care about when it will be released, but today on ipodtouchfans, King Chronic said that you guys will have to find another exploit. Is this true?
      16. If you edit iBoot then the LLB (Low Level Bootloader) will NOT allow iBoot to start because it would fail the sigcheck. And if the LLB is edited then the bootrom won't accept the LLB. That's why a bootrom exploit is needed.
      17. How long will you spend looking for a new exploit until you conclude you are "stuck"?
      18. What makes you think you will lose anything? Without redsn0w your device won't boot - with it, it will. Simple. Nothing to do with the files or the jailbreak, just the boot problem.
      19. What operating systems are going to be supported by this release?
    3. Patch
      1. Let's say they release the jailbreak for 2.2 and a software update is released. Do they have to do that hacking stuff all over again from the beginning?
      2. Hey MuscleNerd, what exactly do you have to find to make the jailbreak untethered?
      3. What if you put out a customized firmware like you did with the other iPod(s) and iPhone(s), firmware that gives you the jailbreak when you use it in a restore? It would be a good idea if you can't get a QuickPwn.
        1. So technically you're saying that if you don't happen to find a way to untether the jailbreak...is there a possibility that you will release a version of Pwnage or QuickPwn that will work with the ipt2g? That way we get around the problem with the Apple script that you can't release....we'd just have to use Pwnage every time we reboot, correct?
      4. But is it possible to find the source of the sig checks in the LLB and just null them out?
      5. So this other patch, will it use the Arm_7 go command?
      6. So you need to find a way to get it into the startup every time?
      7. What is this: 32957a35889c4dd2f8dfe483dd9023eafb6b4a22? Has anyone decoded it?
      8. I read that Apple built in a kind of volume locker on the iPod Touch. So you can't get in on full volume. If that is true will the JB fix that?
      9. The second thing loaded into memory doesn't signature check the previous one... is this what you could be looking at?
      10. Do you think you will get an untethered version working?
      11. What is so different about the iPod Touch 2G from the 1G that makes it so much more time-consuming to jailbreak? Surely they use the same commands and hacking lines from the 1G to jailbreak? Or is the hardware so much more different that it makes it a lot harder?
      12. I heard that this mod involves modifying hardware... am I right?
      13. Is this jailbreak more difficult than the other jailbreaks?
      14. Will the jailbreak/patch work on an iPod with firmware 2.2?
      15. Does the ipt have to be tethered to the computer the entire time after injecting the patch? Can I disconnect it after?
      16. Does the patch need to be applied every time you reboot your iPod, or only once?
      17. Does sleep mode count as rebooting?
      18. When you press the sleep button, what happens?
    4. Bootrom
      1. You said that "the bootrom makes sure the LLB hasn't been patched", then is there any way to bypass the bootrom checking if the LLB has been patched?
      2. Do you think the "Christmas tree" effect shows any signs of something exploitable in the bootrom? Or just a simple bug?
      3. Have you thought about dumping the bootrom to find another exploit?
      4. Have you successfully dumped the bootrom?
      5. Are you looking for a hole in the bootrom?
      6. You got a dump of the bootrom? I thought that was nearly impossible.
    5. Springboard
      1. MuscleNerd, is there a way to delete Stocks when this comes out?
      2. Well, the person who mentioned holding down an app then hitting the home button was right about it basically working like a reboot. I did the trick to get the dock to vanish, then I did the hold app then press home trick and sure enough it came back as if I had rebooted it.
    6. Applications
      1. Will 'Backgrounder' work on a jailbroken IPT2G?
    7. Cydia
      1. Do you think all Cydia apps will work properly on the 2G?
      2. Will Cydia come with the initial JB like yellowsn0w, or will we have to manually install it?
    8. Technical
      1. I used IDA Pro and disassembled the 2.2 iBSS. The diagnostic tool (or whatever this is) ranges from the addresses ROM:22012864 to ROM:22015C80, can you explain what this is?
      2. So... you can change the background color?
    9. Misc
      1. Is there an official chatroom? The QIK chat has loads of spamming, and the comments just suck...
      2. If I jailbreak my iPod, will the App Store and iTunes still work on my iPod? And if I change my wallpaper, is it possible to change it back to the plain black background without restoring it?
      3. My iPod touch 2g syncs fine in iTunes, but it is recognized as a camera! Will this affect me being able to jailbreak it?
      4. MuscleNerd, what gym do you go to?
      5. MuscleNerd, are you MuscleNerd of www.musclenerdfitness.com?
      6. What app was used to show the iPhone screen live on a computer display?

 

Questions

 

General

 

What other cool things can you do with a jailbroken 2nd gen?

 

The most exciting thing I've heard so far is all that bluetooth stuff.

 

Apparently people out there on the internet have noticed some files in the main decrypted filesystem that tie the bluetooth hardware to the Nike sneakers, and it's possible they may figure out how to expand upon that.

 

I know very little about bluetooth though, so I have no way of judging how likely that is. - MuscleNerd

 

Could you demonstrate in a video how you look for a hole/exploit?

 

That would be a very boring video :)  Basically lots of assembly code that looks like random characters to non-programmers. - MuscleNerd

 

Is there any app to pull the RSS feeds on my iPod rather than stalking the blog comments?

 

You should also be able to just enter the feed:// address directly as a URL into your iPod's Safari. Then bookmark (or save to your homescreen) the result. - MuscleNerd

 

You should see my face every couple of hours when I check the blog. It's like, is there going to be an update 6?! Then I get sad.

 

If you subscribe to the team twitter, you'll get any major updates a lot quicker and easier :)  

 

Or our individual twitters for less formal stuff. 

 

And all these things have RSS feeds too :) - MuscleNerd

 

MuscleNerd, someone is claiming to be your classmate on Qik! They said you found an exploit in the third stage bootloader! And it's going to be released soon!

 

(From Caleb: you have to be really, really stupid to believe anyone in the Qik chatroom, or anything anyone says from there.)

 

SlyFox: No.

 

Really, no. - MuscleNerd

 

What will happen to the files on my device after I jailbreak? Can I still use the apps?

 

Yep, that was shown in the second video last Saturday. - MuscleNerd

 

What exactly is a 'tethered' jailbreak?

 

A tethered jailbreak means that the patch (redsn0w) must be injected every time the iPod touch boots. Sleep mode does not affect this, and is not considered a reboot.

 

Every time the iPod boots, it must be connected to a computer so that the patch can be injected and the iPod can boot correctly with the unsigned code.

 

Release

 

Why can't you release it now, what's the problem?

 

This is what we've been looking for for the past couple of days...a way to compromise the system lower than the level we're at, to break the tethering requirement.

 

If it takes too long to find (if we conclude that we're "stuck"), then we'll just release the tethered version and let you guys jump through the hoops needed to get it to work (and without us redistributing Apple software of course).

 

But that would be a headache for everyone, so we're looking for something a lot easier to use than that. - MuscleNerd

 

Why don't you release that buggy jailbreak, so that the spammers will shut up?

 

The spamming would multiply x10 at least :) - MuscleNerd

 

Are you currently looking for another exploit?

 

We're looking for a lower-level exploit (probably piggy backing on the original one to get it installed) - MuscleNerd - Twitter

 

Will making a petition, and getting countless users to agree, get the patch released earlier?

 

No.  You will just make yourself look stupid, not speeding up the process.

 

Why won't you just release a manual method? Is there still hope for one?

 

The manual method would require us to also redistribute software we have no legal right to redistribute.  - MuscleNerd

 

----------------------------------------------------------------------

 

The hope is for a non-manual release :)   

 

The manual (tethered) release will come, if prospects for the non-tethered version vanish. 

 

But we've only had a fully jailbroken system since Saturday.  And we only started looking at this whole thing a week ago (except for that quick look-see back in September when we thought it would have more usefulness for the iPhone). - MuscleNerd

 

So the way to circumvent redistributing that software is a QuickPwn or PwnageTool style program?

 

Yeah the "patch, not pirate" method of QuickPwn / PwnageTool is the goal. - MuscleNerd

 

Why will you not release a tutorial?

 

The jailbreak method currently doesn't lend itself to a tutorial (because there are too many what-if scenarios). - MuscleNerd

 

I know you are not giving an ETA, but I'm just asking how long it will be until it's out? How long are you estimating?

 

Let's just say that nobody is more eager to get this released than we are. :) Because as nice as the iPod Touch 2G is, it's not an iPhone and this is delaying some other iPhone goals. - MuscleNerd

 

Will you release the patch now?

 

Simple, No.

 

Will you release the tethered patch now?

 

Simple, No.

 

Will you give us an ETA for release?

 

Simple, No.

 

You said the jailbreak would be out today!

 

No we didn't.

 

Someone told me you did!

 

That someone is an idiot.

 

I'm not asking for an ETA, but just some updates?

 

The progress and breakthroughs made while reversing and looking for exploits in something like a BIOS are very technical (and incremental) in nature. They're not easily summarized into daily updates for public mass consumption. - MuscleNerd

 

I don't care about when it will be released, but today on ipodtouchfans, King Chronic said that you guys will have to find another exploit. Is this true?

 

This is what we've been looking for for the past couple of days...a way to compromise the system lower than the level we're at, to break the tethering requirement.

 

If it takes too long to find (if we conclude that we're "stuck"), then we'll just release the tethered version and let you guys jump through the hoops needed to get it to work (and without us redistributing Apple software of course). But that would be a headache for everyone, so we're looking for something a lot easier to use than that. - MuscleNerd

 

If you edit iBoot then the LLB (Low Level Bootloader) will NOT allow iBoot to start because it would fail the sigcheck. And if the LLB is edited then the bootrom won't accept the LLB. That's why a bootrom exploit is needed.

 

Certain invalid editing of the LLB results in what Zf calls the "Christmas Tree" effect. Rapid flashing of black and white screens with a sort of tearing/ripping effect scrolling up and down. A very scary sight. :)

 

I've always wanted to show a video of it, but I think the framerate is too fast for an internet video. It would probably just show up as a pulsating gray screen, not nearly as dramatic as it looks in person. - MuscleNerd

 

How long will you spend looking for a new exploit until you conclude you are "stuck"?

 

When we run out of ideas to try :) - MuscleNerd

 

What makes you think you will lose anything? Without redsn0w your device won't boot - with it, it will. Simple. Nothing to do with the files or the jailbreak, just the boot problem.

 

Maybe my wording was ambiguous in the demo (?)

 

But I tried to stress the concept that the filesystem on the ipod was already jailbroken, it was just a matter of getting the iPod Touch 2G to accept it as valid. The jailbroken filesystem itself doesn't change upon reboot...it's just a matter of convincing the iPod Touch 2G to use it. - MuscleNerd

 

What operating systems are going to be supported by this release?

 

If poorlad (the Windows QuickPwn author) is available, it would probably be Windows + OS X (any Linux version would be by planetbeing). - MuscleNerd

 

 

Patch

 

Let's say they release the jailbreak for 2.2 and a software update is released. Do they have to do that hacking stuff all over again from the beginning?

 

Once a given device has a pwnage + jailbreak flow for it, it's pretty straightforward to port it to each new Apple update.

 

It used to not be that way...back in the 1.x days. Back then, it was necessary to find a brand new jailbreak method with every new update.

 

But since pwnage works at such a low level, once it's working for a given device, that device is pretty much always pwnable and jailbreakable -- and Apple updates are easy to accommodate. And that's where we want to be with iPod Touch 2G. - MuscleNerd

 

Hey MuscleNerd, what exactly do you have to find to make the jailbreak untethered?

 

A hole in the bootrom that can be exploited in a way that tricks the bootrom into accepting the next stage of the boot process. - MuscleNerd

 

What if you put out a customized firmware like you did with the other iPod(s) and iPhone(s), firmware that gives you the jailbreak when you use it in a restore? It would be a good idea if you can't get a QuickPwn.

 

Both the full PwnageTool method and the QuickPwn method of jailbreaking will work for the iPod Touch 2G, but they both still result in a system that (currently) needs to be tethered when the thing reboots. The part of the boot process that hits that snag happens at a level below both of them.

 

In other words, the ipt2g jailbreak is in many ways the same old jailbreak that we've been able to do since Pwnage 1.0. But when actually booting the jailbroken system, the ipt2G has this tethering snafu that we'd like to fix, to make it easier for everyone to install and use the jailbreak. - MuscleNerd

 

So technically you're saying that if you don't happen to find a way to untether the jailbreak...is there a possibility that you will release a version of Pwnage or QuickPwn that will work with the ipt2g? That way we get around the problem with the Apple script that you can't release....we'd just have to use Pwnage every time we reboot, correct?

 

Yes. :) - MuscleNerd

 

But is it possible to find the source of the sig checks in the LLB and just null them out?

 

We can patch those out easily enough, but then the bootrom would refuse to run the LLB.

 

The bootrom makes sure the LLB hasn't been patched. - MuscleNerd

 

So this other patch, will it use the Arm_7 go command?

 

Probably not, since we're looking a few layers below where that command is exploitable.

 

But it did give us the ability to start investigating that lower layer, not only by allowing us to get a dump of the bootrom, but by allowing us to try experiments with the bootrom by running unsigned code. So in that sense it was already used. - MuscleNerd

 

So you need to find a way to get it into the startup every time?

 

Right, we're looking for some hole to exploit (not fix) in the bootrom to allow an untethered full boot of a jailbroken filesystem. - MuscleNerd

 

What is this: 32957a35889c4dd2f8dfe483dd9023eafb6b4a22? Has anyone decoded it?

 

It's an "escrow" hash of decrypted iBoot for ipt2g (length=0x290000). Not otherwise obtainable except via an exploit (afaict) - MuscleNerd

 

I read that Apple built in a kind of volume locker on the iPod Touch. So you can't get in on full volume. If that is true will the JB fix that?

 

The jailbreak itself wouldn't, but it would allow some theoretical non-appstore application (that Apple wouldn't normally allow) to come in and fix it.   

 

A big motivation for jailbreaking is to let you tweak things that Apple wouldn't normally let you tweak. - MuscleNerd

 

The second thing loaded into memory doesn't signature check the previous one... is this what you could be looking at?

 

In the previous devices (iPhones and iPod Touch 1G), the bootrom (first thing loaded) didn't sigcheck the next thing loaded (the LLB). Starting with the iPod Touch 2G, it does (and the sigchecks continue through the remaining boot stages).

 

So right now we're looking for weaknesses in those sigchecks.

 

The tethered version of redsn0w currently allows the sigchecks to happen normally.  But then it exploits a hole in one of those boot stages.

 

Do you think you will get an untethered version working?

 

I'm generally optimistic about that sort of thing :) - MuscleNerd - Twitter

 

What is so different about the iPod Touch 2G from the 1G that makes it so much more time-consuming to jailbreak? Surely they use the same commands and hacking lines from the 1G to jailbreak? Or is the hardware so much more different that it makes it a lot harder?

 

Quick answer: they fixed, in hardware, the bug exploited by pwnage on the iPhones and first iPod Touch. Steve Jobs referred to it as "cat and mouse".

 

Finding a software exploit only took a few hours. Doing the jailbreak for the above screenshot took a few hours more. But making it widely usable will take a bit longer. We'll try to explain that more in the video.

 

There are still hardware exploit possibilities, but those are on the backburner for now. - MuscleNerd

 

I heard that this mod involves modifying hardware... am I right?

 

No it's software-only. - MuscleNerd

 

Is this jailbreak more difficult than the other jailbreaks?

 

If it's too difficult, we'll probably hold off on the release until it's simpler and safer.

 

Our goal is to fit it into the current PwnageTool and/or QuickPwn methods, which are very simple and safe. - MuscleNerd

 

Will the jailbreak/patch work on an iPod with firmware 2.2?

 

Yes.  - MuscleNerd

 

Does the ipt have to be tethered to the computer the entire time after injecting the patch? Can I disconnect it after?

 

The tethered redsn0w hack requires you to make the patch at boot time with a connection to a computer. But after that you can disconnect it. - MuscleNerd

 

Does the patch need to be applied every time you reboot your iPod, or only once?

 

At the current time, the patch must be applied every time you reboot your iPod.

 

Does sleep mode count as rebooting?

 

No, sleep mode does not count as rebooting your iPod, and the patch is still in effect after returning from sleep mode.

 

When you press the sleep button, what happens?

 

Apple probably already puts the iPod Touch into its lowest possible power state when you hit the sleep button (and if they don't, we sure don't have enough specs on the chipset to do any better).

 

It's been a while since I've run down the battery all the way on the iPod Touch...when you do that and you get the battery-empty symbol, and then finally plug it into a power supply, do you actually go through a new reboot cycle? Or does the homescreen come up as soon as the battery has enough charge? Because if it's that then the redsn0w patch will still be in effect. - MuscleNerd

 

Bootrom

 

You said that "the bootrom makes sure the LLB hasn't been patched", then is there any way to bypass the bootrom checking if the LLB has been patched?

 

The bootrom, as far as we know, is truly read-only -- most likely a mask ROM.

 

In the devices prior to iPod Touch 2G, the read-only nature of the bootrom benefits the jailbreak community. It means Apple can never *add* signature checking of the LLB by the bootrom in those devices. And it means they can never fix the DFU-mode hole exploited by our Pwnage process.

 

For the iPod Touch 2G, the read-only nature of the bootrom will either be a benefit or a burden -- that's still to be determined :) - MuscleNerd
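
The chain-of-trust reasoning in the sigcheck answer above ("the bootrom ... didn't sigcheck the next thing loaded ... Starting with the iPod Touch 2G, it does") and in this read-only-bootrom answer, as an added toy model that is not Dev-Team or Apple code: stage names bootrom, LLB, iBoot, kernel and filesystem come from the FAQ, while the signatures are stand-ins (HMAC under a constructed key) for the real RSA checks. It goes slightly beyond the text by running the 1G case, the 2G case and the tethered reboot side by side.

```python
"""Toy model of the boot-chain sigchecks described in this FAQ (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

VENDOR_KEY = b"constructed-vendor-signing-key"  # stands in for the vendor's private key


def sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(image), sig)


@dataclass
class Stage:
    name: str
    image: bytes
    sig: bytes
    checks_next: bool        # does this stage sigcheck the stage loaded after it?
    read_only: bool = False  # True only for the mask-ROM bootrom


def make_chain(bootrom_checks_llb: bool) -> List[Stage]:
    """Freshly flashed, fully signed chain. bootrom_checks_llb=False models the
    iPhone / iPod Touch 1G bootrom; True models the iPod Touch 2G bootrom."""
    layout = [("bootrom", bootrom_checks_llb, True), ("LLB", True, False),
              ("iBoot", True, False), ("kernel", True, False),
              ("filesystem", False, False)]
    chain = []
    for name, checks, rom in layout:
        img = f"{name} image 2.2".encode()  # constructed placeholder contents
        chain.append(Stage(name, img, sign(img), checks, rom))
    return chain


def patch_out_sigcheck(stage: Stage) -> None:
    """Null out a flashed stage's check of the next stage. Editing its bytes also
    breaks its own stored signature, which the stage *before* it will notice."""
    if stage.read_only:
        raise PermissionError(f"{stage.name} is mask ROM and cannot be rewritten")
    stage.image += b" [sigcheck nulled]"
    stage.checks_next = False


def jailbreak_persistently(chain: List[Stage]) -> Optional[str]:
    """Modify the filesystem, then walk back up the chain patching out every
    check that would reject the change. Returns the name of the first stage
    that cannot be patched (the chain refuses the change), or None on success."""
    chain[-1].image += b" [jailbroken]"  # signature no longer matches
    for stage in reversed(chain[:-1]):
        if not stage.checks_next:
            return None  # nothing above this point objects
        if stage.read_only:
            return stage.name
        patch_out_sigcheck(stage)
    return None


def boot(chain: List[Stage], runtime_patch_at: Optional[str] = None) -> Tuple[bool, str]:
    """One power-on: each checking stage verifies the image+signature of the next.
    runtime_patch_at names a stage whose checks (and those of everything it then
    loads) are disabled in RAM only, after it has itself been verified: the
    tethered case. Flash is untouched, so the next boot starts clean again."""
    trusted = True
    for cur, nxt in zip(chain, chain[1:]):
        if cur.name == runtime_patch_at:
            trusted = False
        if trusted and cur.checks_next and not verify(nxt.image, nxt.sig):
            return False, f"{cur.name} refused {nxt.name}: signature check failed"
    return True, "booted " + " -> ".join(s.name for s in chain)


if __name__ == "__main__":
    one_g = make_chain(bootrom_checks_llb=False)
    print("1G persistent:", jailbreak_persistently(one_g), boot(one_g))
    two_g = make_chain(bootrom_checks_llb=True)
    print("2G persistent:", jailbreak_persistently(two_g), boot(two_g))
    tethered = make_chain(bootrom_checks_llb=True)
    tethered[-1].image += b" [jailbroken]"  # filesystem changed, chain left intact
    print("2G tethered:", boot(tethered, runtime_patch_at="iBoot"))
    print("2G next reboot:", boot(tethered))
```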

 

Do you think the "Christmas tree" effect shows any signs of something exploitable in the bootrom? Or just a simple bug?

 

The Christmas tree effect is basically a very rapid power cycling done when the LLB crashes very early. - MuscleNerd - Twitter

 

Have you thought about dumping the bootrom to find another exploit?

 

Yep that's what we're looking at :) - MuscleNerd

 

Have you successfully dumped the bootrom?

 

The bootrom dump was one of the first things we did :) And it's where we're looking for holes for an untethered redsn0w. - MuscleNerd

 

Are you looking for a hole in the bootrom?

 

Right, we're looking for some hole to exploit (not fix) in the bootrom to allow an untethered full boot of a jailbroken filesystem. - MuscleNerd

 

You got a dump of the bootrom? I thought that was nearly impossible.

 

Yeah we've been looking at it since Saturday. It's a bit more clever than the previous versions. That makes it more fun though :) - MuscleNerd

 

Springboard

 

MuscleNerd, is there a way to delete Stocks when this comes out?

 

Yep you'll be able to log in and basically just do "rm -rf /Applications/Stocks.app; killall -HUP SpringBoard" and it'll be gone. - MuscleNerd

 

Well, the person who mentioned holding down an app then hitting the home button was right about it basically working like a reboot. I did the trick to get the dock to vanish, then I did the hold app then press home trick and sure enough it came back as if I had rebooted it.

 

Application crashes (like this SpringBoard crash) were pretty useful back in the 1.x days. For instance, http://jailbreakme.com made use of this sort of thing for a very easy-to-install 1.1.1 jailbreak.

 

But these crashes became all but useless starting with 2.x, when Apple started using application signature checking, sandboxing, and better privilege separation. - MuscleNerd 

 

Applications

 

Will 'Backgrounder' work on a jailbroken IPT2G?

 

Yep Backgrounder works fine on the jb ipt2g (well at least on those apps that it normally gets along well with on the other devices). - MuscleNerd

 

Cydia

 

Do you think all Cydia apps will work properly on the 2G?

 

Yes, except for any that have hardware dependencies (the camera for instance). - MuscleNerd

 

Will Cydia come with the initial JB like yellowsn0w, or will we have to manually install it?

 

Both Cydia and Installer would be included, since they bootstrap the whole unofficial application side of things. - MuscleNerd - Twitter

 

Technical

 

I used IDA Pro and disassembled the 2.2 iBSS. The diagnostic tool (or whatever this is) ranges from the addresses ROM:22012864 to ROM:22015C80, can you explain what this is?

 

iBSS is one of the members of the iBoot family. While iBoot is bigger and can do more things, iBSS is still needed (temporarily) in certain scenarios.

 

The range you've pointed out in iBSS contains the menu structure used by the main command task's interactive prompt. If you saw the video demo, that's the prompt that RecoveryTool was interacting with. (Notice though, that iBSS doesn't contain the "fsboot" command used in the video..that's because that's one of the functions left to the larger iBoot boot-monitor).

 

(By the way, it's great to see more people pulling this stuff apart! It's very fun (in a nerdy way) to play with these programs :)) - MuscleNerd

 

So... you can change the background color?

 

Yeah that's one of the unrestricted commands. For example: bgcolor 0 255 0

 

With some hacking you can do the restricted commands too. With the iPod Touches, most of them are recoverable if you somehow mess up your device. With the iPhones there are some things you can do to really mess things up though. - MuscleNerd

 

Misc

 

Is there an official chatroom? The QIK chat has loads of spamming, and the comments just suck...

 

The official chat medium is IRC, server = irc.osx86.hu, channel = #itouch (for ipt2g stuff) or #iphone (for iphone)  - MuscleNerd

 

If I jailbreak my iPod, will the App Store and iTunes still work on my iPod? And if I change my wallpaper, is it possible to change it back to the plain black background without restoring it?

 

Yes.  - MuscleNerd

 

My iPod touch 2g syncs fine in iTunes, but it is recognized as a camera! Will this affect me being able to jailbreak it?

 

No it won't. - MuscleNerd

 

MuscleNerd, what gym do you go to?

 

Usually 24-Hour Fitness. Most flexible that way :) - MuscleNerd

 

MuscleNerd, are you MuscleNerd of www.musclenerdfitness.com?

 

No that's not me :) - MuscleNerd

 

What app was used to show the iPhone screen live on a computer display?

 

That was done using the veency VNC server for the iPhone, available via Cydia - MuscleNerd - Twitter

 

 
