Tuesday, March 10, 2009

Jailbreaking the iPod Touch 2G

The Dev team recently released a Jailbreak for the iPod Touch 2G, and I was surprised to find a fairly concise writeup of how the exploit worked over at the iPhone wiki:

http://www.theiphonewiki.com/wiki/index.php?title=0x24000_Segment_Overflow

Basically, it's a classic overflow exploit. The LLB is loaded at 0x22000000 in memory and is 0x24000 bytes long under normal circumstances. At 0x22024000, immediately after it, sit some global variables which, if overwritten, provide a pathway to running unsigned code.

The flaw is that the code that loads the LLB from NOR (where it is stored while the iPod is off) doesn't check that the LLB is at most 0x24000 bytes long. So, all you have to do is grab Apple's LLB, append your own code to the end of it (so it's longer than 0x24000 bytes) and write it into NOR, something they've been able to do for a while. When the iPod loads the LLB into memory, it overruns the 0x24000-byte slot, trashing the global variables at 0x22024000 and overwriting them with whatever you stuck at the end of the LLB. Voila!
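To make the missing check concrete, here is an added toy model of the load step described above. It is not code from this post, the Dev team, or the iPhone wiki; the 0x24000-byte slot comes from the post, while the simulated RAM, the 0x1000-byte globals region, the fill patterns and every function name are assumptions constructed for the example. The unchecked loader is placed beside a corrected one that refuses any image larger than its slot, and a small harness shows which of the two leaves the globals region intact.

```c
/* Added example, not from the original post or the iPhone wiki: a toy model
 * of the LLB load with the missing length check beside the fixed version.
 * Layout follows the post: a 0x24000-byte LLB slot followed directly by the
 * "global variables". The RAM buffer, the globals size and the fill bytes are
 * constructed for the example and never touch real hardware. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LLB_MAX_LEN  0x24000u               /* size of the LLB slot (from the post) */
#define GLOBALS_LEN  0x1000u                /* assumed size of the globals region */
#define RAM_LEN      (LLB_MAX_LEN + GLOBALS_LEN)
#define GLOBALS_MARK 0xAA                   /* pattern marking untouched globals */
#define IMAGE_FILL   0x5A                   /* pattern standing in for image bytes */

/* Simulated RAM: [0, LLB_MAX_LEN) is the LLB slot, [LLB_MAX_LEN, RAM_LEN) the globals. */
static uint8_t ram[RAM_LEN];

static void reset_ram(void) {
    memset(ram, 0, sizeof ram);
    memset(ram + LLB_MAX_LEN, GLOBALS_MARK, GLOBALS_LEN);
}

/* Flawed loader (assumed shape): the copy is bounded only by the simulated RAM,
 * never by the LLB slot, so an image longer than 0x24000 bytes runs into the
 * globals region. Always reports success. */
static int load_llb_unchecked(const uint8_t *img, size_t len) {
    if (len > RAM_LEN) len = RAM_LEN;       /* keep the toy inside its own buffer */
    memcpy(ram, img, len);
    return 0;
}

/* Fixed loader: validate the length against the slot before copying anything. */
static int load_llb_checked(const uint8_t *img, size_t len) {
    if (len > LLB_MAX_LEN) return -1;       /* oversized image: refuse to load */
    memcpy(ram, img, len);
    return 0;
}

/* Returns 1 if every byte of the globals region still holds its marker. */
static int globals_intact(void) {
    for (size_t i = LLB_MAX_LEN; i < RAM_LEN; i++)
        if (ram[i] != GLOBALS_MARK) return 0;
    return 1;
}

/* Builds a constructed image of `len` bytes (a stock-sized LLB, or one padded
 * past the slot), loads it with the chosen loader, and reports the loader's
 * status; *intact receives whether the globals survived. */
static int trial(size_t len, int use_check, int *intact) {
    static uint8_t img[RAM_LEN];
    memset(img, IMAGE_FILL, sizeof img);
    if (len > sizeof img) len = sizeof img;
    reset_ram();
    int rc = use_check ? load_llb_checked(img, len) : load_llb_unchecked(img, len);
    *intact = globals_intact();
    return rc;
}

int main(void) {
    size_t sizes[] = { LLB_MAX_LEN, LLB_MAX_LEN + 0x10 };
    for (int chk = 0; chk < 2; chk++) {
        for (size_t s = 0; s < 2; s++) {
            int intact;
            int rc = trial(sizes[s], chk, &intact);
            printf("%-9s loader, image 0x%05zx bytes: rc=%2d, globals %s\n",
                   chk ? "checked" : "unchecked", sizes[s], rc,
                   intact ? "intact" : "OVERWRITTEN");
        }
    }
    return 0;
}
```

The only difference between the two loaders is the single comparison against the slot size, which is exactly the check the post says the real code lacked; with it in place an image padded past 0x24000 bytes is rejected before a byte is copied, and the globals keep their marker.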
