Pwnage 2.0

From freemyipod.org
Revision as of 00:00, 13 July 2010 by Cmwslw (Added overview of the Pwnage 2.0 exploit)

Overview

Planetbeing has adapted the Pwnage 2.0 exploit to work on the iPod Nano and Classic line. The exploit targets the bootrom, so Apple cannot patch it on devices that have already shipped; only a hardware revision could close it. Apple built in the ability to upload a WTF recovery stage to the iPod while it is in DFU mode. A bug in the bootrom's certificate parsing code permits an unauthorized jump to an arbitrary location. It is also convenient that a payload can be embedded in the main body of the WTF. It is known that the entire WTF is copied to 0x22000000, so a payload placed at offset 0x800 in the WTF file ends up at 0x22000800, and that is the address the hijacked jump should target.
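As an added example (not code from the original page or from planetbeing's tools), the following C shows the file-offset to run-time-address mapping described above, with the bounds checks you want before patching a payload into the WTF body. The 4 KiB zero-filled image and the payload bytes are constructed placeholders; the real WTF layout and the certificate parsing bug itself are not on this page and are not modelled here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Load base stated on the page: the bootrom copies the whole WTF here. */
#define WTF_LOAD_BASE 0x22000000u
/* Offset inside the WTF body where the page suggests placing the payload. */
#define PAYLOAD_OFFSET 0x800u

/* Translate a file offset in the WTF image to the address it will have
 * once the image is copied to WTF_LOAD_BASE. Returns 0 if the offset is
 * outside the image (0 is never a valid WTF address, since the base is
 * non-zero). */
uint32_t wtf_offset_to_addr(size_t offset, size_t image_len)
{
    if (offset >= image_len)
        return 0;
    return WTF_LOAD_BASE + (uint32_t)offset;
}

/* Copy `payload` into `image` at `offset` and return the absolute address
 * the hijacked jump must target. Returns 0 (and leaves the image untouched)
 * if the payload would run past the end of the image. */
uint32_t wtf_embed_payload(uint8_t *image, size_t image_len, size_t offset,
                           const uint8_t *payload, size_t payload_len)
{
    if (payload_len == 0 || offset >= image_len ||
        payload_len > image_len - offset)
        return 0;
    memcpy(image + offset, payload, payload_len);
    return wtf_offset_to_addr(offset, image_len);
}

/* Constructed placeholder payload: four marker bytes, not real code. */
static const uint8_t demo_payload[] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Constructed 4 KiB image standing in for a WTF file. */
static uint8_t demo_image[4096];

/* Embed the placeholder payload at PAYLOAD_OFFSET and return the jump target. */
uint32_t demo_embed(void)
{
    memset(demo_image, 0, sizeof demo_image);
    uint32_t target = wtf_embed_payload(demo_image, sizeof demo_image,
                                        PAYLOAD_OFFSET, demo_payload,
                                        sizeof demo_payload);
    /* Sanity check: the bytes really landed where the jump will go. */
    if (target != 0 &&
        memcmp(demo_image + PAYLOAD_OFFSET, demo_payload, sizeof demo_payload) != 0)
        return 0;
    return target;
}

/* Failure case: a payload placed 2 bytes before the end cannot fit. */
uint32_t demo_bad_fit(void)
{
    memset(demo_image, 0, sizeof demo_image);
    return wtf_embed_payload(demo_image, sizeof demo_image,
                             sizeof demo_image - 2, demo_payload,
                             sizeof demo_payload);
}

int main(void)
{
    uint32_t target = demo_embed();
    if (target == 0) {
        fprintf(stderr, "payload does not fit in image\n");
        return 1;
    }
    printf("payload at file offset 0x%zx -> jump to 0x%08x\n",
           (size_t)PAYLOAD_OFFSET, target);
    printf("out-of-bounds embed returns 0x%08x\n", demo_bad_fit());
    return 0;
}
```

The same mapping works in reverse when checking a candidate jump target: subtract WTF_LOAD_BASE and verify the result is smaller than the image length, otherwise the bootrom would jump into memory the WTF never populated.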

Preparing WTF

To be continued...