Thread: 1.1.2. To Be Unlocked soon new exploits

  1. #1
    1.1.2. To Be Unlocked soon new exploits
    http://www.geohotblog.com/

    New Bootloader Exploits

    I found two exploits into the new bootloader, one hardware and one software. They are both untested and hard to implement, but I'm pretty sure they will both work. Keep in mind these are theoretical, don't consider trying them unless you really understand the inner workings.

    Hardware:
    The version check reads from 0xA0021000 and 0xA0021004 to get the version of the main firmware. It then compares the values [0xA0021000]==~[0xA0021004]. If that check fails it ignores the version check. It is also the only bootloader access into high flash. So when A16 goes high, pull any data line high or low. That will cause the check to fail, and hence the version check to be skipped. And there shouldn't be any memory accesses in the bootloader, so it'll be fine.

    Software:
    This exploit is in the way the secpack signature is padded. They did a lot to remove the really bad signature checking of the old bootloader that IPSF exploited. Although the secpack still has 0x28 bytes of data at the end that isn't checked for normal secpack sigs. The secpack sig is (0x30 header/padding, 0x14 main fw sha, 0x14 secpack sha, 0x28 unchecked padding). So by spoofing the first 0x58 of the RSA, you can set any secpack and main fw sha hash you want. It is very easy in exponent 3 RSA cryptosystems to spoof the first 1/3 of the message bytes. I believe with some clever math and brute force, the whole 0x58 can be spoofed. Any cryptology experts out there?
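    The unchecked-padding weakness described in the post, as an added example that is not from the post or from geohot's code: a lenient verifier that compares only the first 0x58 bytes of the recovered 0x80-byte block (header, main fw SHA, secpack SHA) beside a strict one that compares every byte including the trailing 0x28. The header bytes, the fixed padding value and the sample images are assumptions constructed for the example; the offsets are the post's.

```python
import hashlib
import hmac

# Block layout from the post: 0x30 header, 0x14 main fw sha, 0x14 secpack sha,
# 0x28 trailing padding. Total 0x80 bytes, i.e. one 1024-bit RSA block.
HEADER_LEN, SHA_LEN, PAD_LEN = 0x30, 0x14, 0x28
CHECKED_LEN = HEADER_LEN + 2 * SHA_LEN          # 0x58 bytes the lenient check covers
BLOCK_LEN = CHECKED_LEN + PAD_LEN               # 0x80 bytes in the whole block

# Assumed values (constructed for this example, not the real bootloader's):
EXPECTED_HEADER = b"\x00\x01" + b"\xff" * (HEADER_LEN - 2)   # PKCS#1-style prefix
EXPECTED_PAD = b"\x00" * PAD_LEN                             # fixed, known padding

# Constructed sample images standing in for the real firmware and secpack.
MAIN_FW = b"constructed main firmware image"
SECPACK = b"constructed secpack"


def build_block(main_fw: bytes, secpack: bytes, pad: bytes = EXPECTED_PAD) -> bytes:
    """Assemble the 0x80-byte message block a signer encodes for the two images."""
    return (EXPECTED_HEADER
            + hashlib.sha1(main_fw).digest()      # 0x14-byte main fw sha
            + hashlib.sha1(secpack).digest()      # 0x14-byte secpack sha
            + pad)


def lenient_verify(block: bytes, main_fw: bytes, secpack: bytes) -> bool:
    """Weak check as the post describes it: only the first 0x58 bytes are compared.

    The trailing 0x28 bytes are never looked at, so anything that matches the
    first 0x58 bytes of the block is accepted regardless of what follows."""
    if len(block) != BLOCK_LEN:
        return False
    expected = build_block(main_fw, secpack)
    return hmac.compare_digest(block[:CHECKED_LEN], expected[:CHECKED_LEN])


def strict_verify(block: bytes, main_fw: bytes, secpack: bytes) -> bool:
    """Hardened check: the entire recovered block, padding included, must match
    the canonical encoding byte for byte (constant-time comparison)."""
    if len(block) != BLOCK_LEN:
        return False
    return hmac.compare_digest(block, build_block(main_fw, secpack))


def controlled_fraction() -> float:
    """Share of the block the lenient check actually pins down: 0x58 / 0x80."""
    return CHECKED_LEN / BLOCK_LEN
```

    A block whose trailing 0x28 bytes are arbitrary passes the lenient check and fails the strict one; the strict check leaves no unpinned bytes for an attacker to use.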

  2. #2
    chris52204

    Correct me if I'm wrong, but I read somewhere that geohotblog.com is the incorrect website. I can't remember what it is, but it has geohotz... in it.

  3. #3
    It's correct information, just geohotz's actual website doesn't have ads around the borders. Someone's making money off him, obviously.

    The real address is:

    http://georgehotz.com/
