Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Can some explain the Pwnage exploit

T

thundermustard

macrumors regular
Original poster
Apr 21, 2008
152
1
Just trying to understand what is going on behind the scenes.
Here are the facts that I understand. You must have a SHSH blob saved to get iTunes to allow you to (after bypassing their servers) downgrade. Those signatures only happen when that firmware is available. So if you bought an old iPhone in the box running 3.0 you can only get Cydia to save the most current firmware in the wild.
However, if you have a 3GS on the old boot rom and a Pwned iPhone you can make custom firmwares and then update/downgrade without using Apple's servers at all.
What is it about the Pwned iPhone that allows that (why does iTunes allow you to bypass the signature verification). And is there nothing that could happen to your iPhone that would remove that code that allows it?
What if you used BlackRa1n before, can you make a new custom firmware and update the same as if it had been Pwned?
 
thundermustard said:
Just trying to understand what is going on behind the scenes.
Here are the facts that I understand. You must have a SHSH blob saved to get iTunes to allow you to (after bypassing their servers) downgrade. Those signatures only happen when that firmware is available. So if you bought an old iPhone in the box running 3.0 you can only get Cydia to save the most current firmware in the wild.
However, if you have a 3GS on the old boot rom and a Pwned iPhone you can make custom firmwares and then update/downgrade without using Apple's servers at all.
What is it about the Pwned iPhone that allows that (why does iTunes allow you to bypass the signature verification). And is there nothing that could happen to your iPhone that would remove that code that allows it?
What if you used BlackRa1n before, can you make a new custom firmware and update the same as if it had been Pwned?
Click to expand...

The iphone boots in a chain. Each level boots another, so if you were to break the chain and insert your own code, you "own" the rest of the chain. High-level JB like Sprit aren't that "exciting" because you only get really high level stuff (after OS loads). Low-level JB, most noticeability, the bootrom, are the holy grail, because you own the system at a low enough level that you can bypass signature checks (every code on the iPhone is signed by apple, and doesn't load without the signature, and the signature is broken when the code is modified) before the system starts, therefore allowing you to load your own firmware. The bootrom is also a separate chip, so they can't fix exploits in it without making a new revision/device.
 
Trakis said:
..... So, is there an iPhone 4 JB yet?
Click to expand...

Btw there are threads going on about the iPhone 4 jailbreak just look and read. the TS asked nothing about iPhone 4. best to either start your own thread or even better look at the other threads already started. if you look at the threads about it you will see some very good news as of today.
 
yifanlu said:
The iphone boots in a chain. Each level boots another, so if you were to break the chain and insert your own code, you "own" the rest of the chain. High-level JB like Sprit aren't that "exciting" because you only get really high level stuff (after OS loads). Low-level JB, most noticeability, the bootrom, are the holy grail, because you own the system at a low enough level that you can bypass signature checks (every code on the iPhone is signed by apple, and doesn't load without the signature, and the signature is broken when the code is modified) before the system starts, therefore allowing you to load your own firmware. The bootrom is also a separate chip, so they can't fix exploits in it without making a new revision/device.
Click to expand...

Thanks for that informative reply.
Doesn't it seem like iTunes could be rewritten to never allow a bypassing of the signature check.
I now understand the importance of not updating iTunes until the all clear is given.
 
thundermustard said:
Thanks for that informative reply.
Doesn't it seem like iTunes could be rewritten to never allow a bypassing of the signature check.
I now understand the importance of not updating iTunes until the all clear is given.
Click to expand...

It is not iTunes that does the signature check. It's the OS itself and all the middle boot up programs and scripts in the iPhone. All iTunes does is upload and install the OS, nothing more.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back