This FAQ highlights information and questions answered by members of the Dev-Team, so that they are not constantly bombarded with the same ones.
The grammar and spelling used in the FAQ were directly copied and pasted from the comments on the Dev-Team blog. If I get time, I will attempt to correct those mistakes, but until then, I hope you get the idea.
This FAQ is not run by the Dev-Team. Although it is supported by the Dev-Team, and the answers to these questions are official answers from the Dev-Team, we are not the Dev-Team.
Anyone who continues to e-mail, asking when redsn0w will be out, will be added to the idiots page. Thanks :)
I just want to say a big thank you for reading this FAQ. I put it together simply to help out the Dev-Team, to save them from having to answer the same questions over and over, and to let them use the time they would have spent answering those questions to develop more on redsn0w, or simply to relax.
I didn't really expect this FAQ to take off like it did and be posted around in so many places. Simply because I posted the link to one person on IRC, it seems to have spread like wildfire.
I hope you enjoy this FAQ, and find some answers to your questions. If you have a question and answer (not just a question) to submit, that you have found, please e-mail it to me at: caleb@calebmingle.com
The most exciting thing I've heard so far is all that Bluetooth stuff.
Apparently people out there on the internet have noticed some files in the main decrypted filesystem that tie the Bluetooth hardware to the Nike sneakers, and it's possible they may figure out how to expand upon that.
I know very little about Bluetooth though, so I have no way of judging how likely that is. - MuscleNerd
That would be a very boring video :) Basically lots of assembly code that looks like random characters to non-programmers. - MuscleNerd
You should also be able to just enter the feed:// address directly as a URL into your iPod's Safari. Then bookmark (or save to your homescreen) the result. - MuscleNerd
If you subscribe to the team twitter, you'll get any major updates a lot quicker and easier :)
Or our individual twitters for less formal stuff.
And all these things have RSS feeds too :) - MuscleNerd
(From Caleb: you have to be really, really stupid to believe anyone in the Qik chatroom, or anything anyone says from there)
SlyFox: No.
Really, no. - MuscleNerd
Yep, that was shown in the second video last Saturday. - MuscleNerd
A tethered jailbreak means that the patch (redsn0w) must be injected every time the iPod touch boots. Sleep Mode does not affect this and is not considered a reboot.
Every time the iPod boots, it must be connected to a computer so the patch can be injected and the iPod can boot correctly with the unsigned code.
This is what we've been looking for for the past couple of days...a way to compromise the system lower than the level we're at, to break the tethering requirement.
If it takes too long to find (if we conclude that we're "stuck"), then we'll just release the tethered version and let you guys jump through the hoops needed to get it to work (and without us redistributing Apple software of course).
But that would be a headache for everyone, so we're looking for something a lot easier to use than that. - MuscleNerd
The spamming would multiply x10 at least :) - MuscleNerd
We're looking for a lower-level exploit (probably piggy backing on the original one to get it installed) - MuscleNerd - Twitter
No. You will just make yourself look stupid, not speeding up the process.
The manual method would require us to also redistribute software we have no legal right to redistribute. - MuscleNerd
----------------------------------------------------------------------
The hope is for a non-manual release :)
The manual (tethered) release will come, if prospects for the non-tethered version vanish.
But we've only had a fully jailbroken system since Saturday. And we only started looking at this whole thing a week ago (except for that quick look-see back in September when we thought it would have more usefulness for the iPhone). - MuscleNerd
Yeah the "patch, not pirate" method of QuickPwn / PwnageTool is the goal. - MuscleNerd
The jailbreak method currently doesn't lend itself to a tutorial (because there are too many what-if scenarios). - MuscleNerd
Let's just say that nobody is more eager to get this released than we are. :) Because as nice as the iPod Touch 2G is, it's not an iPhone and this is delaying some other iPhone goals. - MuscleNerd
Simple, No.
Simple, No.
Simple, No.
No we didn't.
That someone is an idiot.
The progress and breakthroughs made while reversing and looking for exploits in something like a BIOS are very technical (and incremental) in nature. They're not easily summarized into daily updates for public mass consumption. - MuscleNerd
Certain invalid editing of the LLB results in what Zf calls the "Christmas Tree" effect. Rapid flashing of black and white screens with a sort of tearing/ripping effect scrolling up and down. A very scary sight. :)
I've always wanted to show a video of it but I think the framerate is too fast for an internet video. It would probably just show up as a pulsating gray screen, not nearly as dramatic as it looks in person. - MuscleNerd
When we run out of ideas to try :) - MuscleNerd
Maybe my wording was ambiguous in the demo (?)
But I tried to stress the concept that the filesystem on the iPod was already jailbroken, it was just a matter of getting the iPod Touch 2G to accept it as valid. The jailbroken filesystem itself doesn't change upon reboot...it's just a matter of convincing the iPod Touch 2G to use it. - MuscleNerd
If poorlad (the Windows QuickPwn author) is available, it would probably be Windows + OS X (any Linux version would be by planetbeing) - MuscleNerd
Once a given device has a pwnage + jailbreak flow for it, it's pretty straightforward to port it to each new Apple update.
It used to not be that way...back in the 1.x days. Back then, it was necessary to find a brand new jailbreak method with every new update.
But since pwnage works at such a low level, once it's working for a given device, that device is pretty much always pwnable and jailbreakable -- and Apple updates are easy to accommodate. And that's where we want to be with iPod Touch 2G. - MuscleNerd
A hole in the bootrom that can be exploited in a way that tricks the bootrom into accepting the next stage of the boot process. - MuscleNerd
Both the full PwnageTool method and the QuickPwn method of jailbreaking will work for the iPod Touch 2G, but they both still result in a system that (currently) needs to be tethered when the thing reboots. The part of the boot process that hits that snag happens at a level below both of them.
In other words, the ipt2g jailbreak is in many ways the same old jailbreak that we've been able to do since Pwnage 1.0. But when actually booting the jailbroken system, the ipt2G has this tethering snafu that we'd like to fix, to make it easier for everyone to install and use the jailbreak. - MuscleNerd
Yes. :) - MuscleNerd
We can patch those out easily enough, but then the bootrom would refuse to run the LLB.
The bootrom makes sure the LLB hasn't been patched. - MuscleNerd
Probably not, since we're looking a few layers below where that command is exploitable.
But, it did give us the ability to start investigating that lower layer. Not only by allowing us to get a dump of the bootrom, but by allowing us to try experiments with the bootrom by running unsigned code. So in that sense it was already used. - MuscleNerd
Right, we're looking for some hole to exploit (not fix) in the bootrom to allow an untethered full boot of a jailbroken filesystem. - MuscleNerd
It's an "escrow" hash of decrypted iBoot for ipt2g (length=0x290000). Not otherwise obtainable except via an exploit (afaict) - MuscleNerd
The jailbreak itself wouldn't, but it would allow some theoretical non-appstore application (that Apple wouldn't normally allow) to come in and fix it.
A big motivation for jailbreaking is to let you tweak things that Apple wouldn't normally let you tweak. - MuscleNerd
In the previous devices (iPhones and iPod Touch 1G), the bootrom (first thing loaded) didn't sigcheck the next thing loaded (the LLB). Starting with the iPod Touch 2G, it does (and the sigchecks continue through the remaining boot stages).
So right now we're looking for weaknesses in those sigchecks.
The tethered version of redsn0w currently allows the sigchecks to happen normally. But then it exploits a hole in one of those boot stages.
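To make the difference described in these answers concrete (a bootrom that does or does not check the LLB, checks continuing through each later stage, and why a patched LLB gets refused, as the earlier answer about patching out the checks says), here is a toy model added for this FAQ; it is not Dev-Team or redsn0w code. The stage names, the "#patched" marker and the keyed-MAC stand-in for Apple's real signature are constructed simplifications, and the runtime hole the tethered redsn0w uses is deliberately not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder standing in for the vendor's private signing key. A keyed MAC
# stands in for the real asymmetric signature so the model needs only the standard library.
SIGNING_KEY = b"constructed-vendor-signing-key"
STAGES = ("LLB", "iBoot", "kernel")  # the stages the bootrom hands off to, in order


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes
    sig: bytes  # signature over `image`, produced when the firmware was built


def sign(image: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def verify(stage: Stage) -> bool:
    return hmac.compare_digest(sign(stage.image), stage.sig)


def stock_chain() -> list:
    """Images as stored in flash: LLB -> iBoot -> kernel, each correctly signed."""
    return [Stage(n, f"{n}-image".encode(), sign(f"{n}-image".encode())) for n in STAGES]


def patch(stage: Stage) -> Stage:
    """Modify a stage in flash (e.g. remove its check of the next stage). The stored
    signature no longer matches, because the patcher cannot re-sign without the key."""
    return Stage(stage.name, stage.image + b"#patched", stage.sig)


def boot(chain, bootrom_checks_llb: bool):
    """Walk bootrom -> LLB -> iBoot -> kernel. Returns (stages that ran, name of the
    refused stage or None). A stage carrying the patch marker is assumed to skip the
    signature check of its successor, which is what the persistent jailbreak relied on."""
    ran = ["bootrom"]
    enforce = bootrom_checks_llb  # the read-only bootrom decides whether the LLB is checked
    for stage in chain:
        if enforce and not verify(stage):
            return ran, stage.name
        ran.append(stage.name)
        enforce = not stage.image.endswith(b"#patched")
    return ran, None


def persistent_patch_outcome(bootrom_checks_llb: bool):
    """Patch every stage in flash, as the pre-2G persistent jailbreak could, then boot."""
    return boot([patch(s) for s in stock_chain()], bootrom_checks_llb)
```

With `bootrom_checks_llb=False` (older devices) the fully patched chain boots; with `True` (iPod Touch 2G) the bootrom refuses the LLB, and a patched iBoot behind a stock LLB is refused one stage later, so only unmodified images boot and any patch has to be re-applied at boot time.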
I'm generally optimistic about that sort of thing :) - MuscleNerd - Twitter
Quick answer: they fixed, in hardware, the bug exploited by pwnage on the iPhones and first iPod Touch. Steve Jobs referred to it as "cat and mouse".
Finding a software exploit only took a few hours. Doing the jailbreak for the above screenshot took a few hours more. But making it widely usable will take a bit longer. We'll try to explain that more in the video.
There are still hardware exploit possibilities, but those are on the backburner for now. - MuscleNerd
No it's software-only. - MuscleNerd
If it's too difficult, we'll probably hold off on the release until it's simpler and safer.
Our goal is to fit it into the current PwnageTool and/or QuickPwn methods, which are very simple and safe. - MuscleNerd
Yes. - MuscleNerd
The tethered redsn0w hack requires you to make the patch at boot time with a connection to a computer. But after that you can disconnect it. - MuscleNerd
At the current time, the patch must be applied every time you reboot your iPod.
No, sleep mode does not count as rebooting your iPod, and the patch is still in effect, after returning from sleep mode.
Apple probably already puts the iPod Touch into its lowest possible power state when you hit the sleep button (and if they don't, we sure don't have enough specs on the chipset to do any better).
It's been a while since I've run down the battery all the way on the iPod Touch. When you do that and you get the battery-empty symbol, and then finally plug it into a power supply, do you actually go through a new reboot cycle? Or does the homescreen come up as soon as the battery has enough charge? Because if it's that, then the redsn0w patch will still be in effect. - MuscleNerd
The bootrom, as far as we know, is truly read-only -- most likely a mask ROM.
In the devices prior to iPod Touch 2G, the read-only nature of the bootrom benefits the jailbreak community. It means Apple can never *add* signature checking of the LLB by the bootrom in those devices. And it means they can never fix the DFU-mode hole exploited by our Pwnage process.
For the iPod Touch 2G, the read-only nature of the bootrom will either be a benefit or a burden -- that's still to be determined :) - MuscleNerd
The Christmas Tree effect is basically a very rapid power cycling done when the LLB crashes very early. - MuscleNerd - Twitter
Yep that's what we're looking at :) - MuscleNerd
The bootrom dump was one of the first things we did :) And it's where we're looking for holes for an untethered redsn0w. - MuscleNerd
Yeah we've been looking at it since Saturday. It's a bit more clever than the previous versions. That makes it more fun though :) - MuscleNerd
Yep you'll be able to log in and basically just do "rm -rf /Applications/Stocks.app; killall -HUP SpringBoard" and it'll be gone. - MuscleNerd
Application crashes (like this SpringBoard crash) were pretty useful back in the 1.x days. For instance, http://jailbreakme.com made use of this sort of thing for a very easy-to-install 1.1.1 jailbreak.
But these crashes became all but useless starting with 2.x, when Apple started using application signature checking, sandboxing, and better privilege separation. - MuscleNerd
Yep Backgrounder works fine on the jb ipt2g (well at least on those apps that it normally gets along well with on the other devices). - MuscleNerd
Yes, except for any that have hardware dependencies (the camera for instance). - MuscleNerd
Both Cydia and Installer would be included, since they bootstrap the whole unofficial application side of things. - MuscleNerd - Twitter
iBSS is one of the members of the iBoot family. While iBoot is bigger and can do more things, iBSS is still needed (temporarily) in certain scenarios.
The range you've pointed out in iBSS contains the menu structure used by the main command task's interactive prompt. If you saw the video demo, that's the prompt that RecoveryTool was interacting with. (Notice though, that iBSS doesn't contain the "fsboot" command used in the video; that's because that's one of the functions left to the larger iBoot boot-monitor).
(By the way, it's great to see more people pulling this stuff apart! It's very fun (in a nerdy way) to play with these programs :)) - MuscleNerd
Yeah that's one of the unrestricted commands. For example: bgcolor 0 255 0
With some hacking you can do the restricted commands too. With the iPod Touches, most of them are recoverable if you somehow mess up your device. With the iPhones there are some things you can do to really mess things up though. - MuscleNerd
The official chat medium is IRC, server = irc.osx86.hu, channel = #itouch (for ipt2g stuff) or #iphone (for iphone) - MuscleNerd
Yes. - MuscleNerd
No it won't. - MuscleNerd
Usually 24-Hour Fitness. Most flexible that way :) - MuscleNerd
No that's not me :) - MuscleNerd
That was done using the veency VNC server for the iPhone, available via Cydia - MuscleNerd - Twitter