Fully software jailbreak for 1.1.3 iPod touch/iPhone
ZiPhone 可以直接針對 1.1.3 firmware 的 iPod touch/iPhone 作 jailbreak。在我的 Mac OS X 10.5.2 環境下,iTunes 為 7.6,iPod touch 1.1.3版。直接接上 usb 後,離開 iTunes,執行 ziphone -j -v 一段時間後,iPod 就自己重新開機,並且顯示一堆文字模式的開機和安裝過程。經過再一次重新開機,裡面就已經安裝有 Installer,這時候就算已經 jailbreak 成功,並且可以自己安裝程式。
破解原理:透過 Apple Mobile Device 的介面把 zibri.dat 這個 ramdisk 傳送到 iPod/iPhone,然後設定 nvram 裡面屬性(把要做的事情記在 nvram),並且設 boot-args rd=md0 pmd0=0x09CC2000.0x0133D000,OpenFirmware 使用者應該很清楚,可以設定 boot-args 在開機時候指定 root disk,這裡指定到 memory disk。開機後就會執行到 /etc/profile。/etc/profile 會依 nvram 裡的旗標(unlock1、unlock2、jailbreak、activate)決定要做哪些事:mount 系統本來 flash 裡面的兩個 partition(disk0s1、disk0s2)開始 patch;若有 activate 旗標,還會把 ramdisk 內附的 lockdown 金鑰對(device_private_key.pem / device_public_key.pem)與 data_ark.plist 複製到裝置上,也就是所有用這種方式 activate 的裝置都共用同一把 device private key。最後不論 patch 成功與否,都會清掉設定的 nvram 屬性,恢復原本開機 root disk,重開機 done。Great Works!!
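# System-wide .profile for sh(1)
#
# ZiPhone ramdisk payload: this is the login profile of the ramdisk that the
# host tool boots (boot-args rd=md0 ...). Which steps run is controlled by
# flags the host tool stored in NVRAM before rebooting the device:
#   unlock1 / unlock2 - run the baseband unlock tools shipped in /zib
#   jailbreak         - mount the two flash partitions and patch them
#   activate          - (only inside jailbreak) patch lockdownd and install a
#                       ramdisk-supplied lockdown identity
# The flags and boot-args are cleared and the device is rebooted at the end
# regardless of what happened before, so a failed run does not leave the
# device booting back into this ramdisk.
#
# NOTE(review): the text this was recovered from had lost its line breaks and
# the closing `fi` of the jailbreak/activate blocks; their extent below is
# reconstructed from the echo messages and the "#end jailbreak" marker.

PATH="/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin"
export PATH

# nvram_flag NAME - succeed (exit 0) if NVRAM holds a variable called NAME.
# nvram -p prints one "name<TAB>value" line per variable (Mac OS X format;
# TODO confirm on the device), so the match is anchored to the line start
# instead of accepting NAME anywhere in the dump, e.g. inside another value.
nvram_flag() {
  /usr/bin/nvram -p | /bin/grep "^$1" > /dev/null 2>&1
}

/bin/sleep 5
/bin/echo "Starting unlock..."
if nvram_flag unlock1 ; then
  /zib/gunlock /zib/secpack /zib/ICE04.02.13_G.fls
fi
if nvram_flag unlock2 ; then
  /zib/gunlock2 /zib/secpack /zib/ICE04.02.13_G.fls a12345 6789012345
fi

/sbin/fsck_hfs /dev/disk0s1
/sbin/fsck_hfs /dev/disk0s2

if nvram_flag jailbreak ; then
  /bin/echo "Starting jailbreak..."
  # Nothing is written unless BOTH partitions are mounted: with an unchecked
  # mount a failure would make the copies below land inside the ramdisk (and
  # silently vanish on reboot) and ipatcher would run on a missing file.
  if /sbin/mount_hfs -o noasync,sync /dev/disk0s1 /mnt1 &&
     /sbin/mount_hfs -o noasync,sync /dev/disk0s2 /mnt2 ; then

    # Diagnostic: copies the first 16 MiB (4096 x 4096 bytes) of /dev/rmd1
    # onto the user partition. The file is never removed by this script and
    # holds raw memory contents, so delete it once retrieved (or drop this
    # step) rather than leaving it on the device.
    if [ -e /dev/rmd1 ]; then
      /bin/dd if=/dev/rmd1 of=/mnt2/root/mem_dump.bin bs=4096 count=4096
    fi
    #/zib/bbupdater -l /zib/BOOT03.09_M3S2.fls
    #/bin/sleep 20

    # --- disk0s1: system partition ---
    if nvram_flag activate ; then
      /bin/echo "Patching lockdownd..."
      /bin/ipatcher -l /mnt1/usr/libexec/lockdownd
    fi
    /bin/cp /zib/fstab /mnt1/private/etc/fstab
    /usr/bin/unzip -o -K -X /zib/Installer.zip -d /mnt1/Applications/
    #/usr/bin/unzip -o -K -X /zib/BSD_Subsystem.zip -d /mnt1/
    #/usr/bin/unzip -o -K -X /zib/openssh-4.6p1-1.zip -d /mnt1/

    # --- disk0s2: user partition (/private/var on the running device) ---
    if nvram_flag activate ; then
      /bin/echo "Activating youtube..."
      # SECURITY: this overwrites the device's own lockdown key pair and
      # activation record with copies shipped in the ramdisk, so every device
      # activated this way shares one private key that anyone holding the
      # ramdisk also has.
      # The original created /mnt2/private/var/root/Library/Lockdown, which
      # is not where the files below are copied; the directory is now created
      # at the copy destination.
      /bin/mkdir -p /mnt2/root/Library/Lockdown
      /bin/cp /zib/data_ark.plist /mnt2/root/Library/Lockdown/
      /bin/cp /zib/device_private_key.pem /mnt2/root/Library/Lockdown/
      /bin/cp /zib/device_public_key.pem /mnt2/root/Library/Lockdown/
    fi

    # Installer.app configuration for both the "mobile" and "root" accounts.
    /bin/mkdir -p /mnt2/mobile/Library/Installer/Temp
    /bin/mkdir -p /mnt2/root/Library/Installer/Temp
    /bin/cp /zib/LocalPackages.plist /mnt2/mobile/Library/Installer/
    /bin/cp /zib/LocalPackages.plist /mnt2/root/Library/Installer/
    #/bin/cp /zib/RemotePackages.plist /mnt2/mobile/Library/Installer/
    #/bin/cp /zib/RemotePackages.plist /mnt2/root/Library/Installer/
    /bin/cp /zib/PackageSources.plist /mnt2/mobile/Library/Installer/
    /bin/cp /zib/PackageSources.plist /mnt2/root/Library/Installer/
    /bin/cp /zib/TrustedSources.plist /mnt2/mobile/Library/Installer/
    /bin/cp /zib/TrustedSources.plist /mnt2/root/Library/Installer/
    /bin/cp /zib/com.apptapp.Installer.plist /mnt2/mobile/Library/Preferences/
    /bin/cp /zib/com.apptapp.Installer.plist /mnt2/root/Library/Preferences/
  else
    /bin/echo "Mounting the flash partitions failed; nothing was patched."
  fi
fi
#end jailbreak

# umount/fsck are harmless when nothing was mounted, so they run regardless.
/bin/echo "Unmounting filesystems..."
/usr/bin/umount /mnt1
/usr/bin/umount /mnt2
/sbin/fsck_hfs /dev/disk0s1
/sbin/fsck_hfs /dev/disk0s2

# Always restore normal boot and drop every flag, even after a failed run.
/usr/bin/nvram auto-boot=true
/usr/bin/nvram boot-args=""
/usr/bin/nvram -d unlock1
/usr/bin/nvram -d unlock2
/usr/bin/nvram -d jailbreak
/usr/bin/nvram -d activate
#/usr/bin/nvram -d unlock2
/bin/echo "Now rebooting..."
/sbin/reboot
# Park this shell until the reboot takes effect; presumably so the login
# shell never reaches a prompt on the ramdisk (TODO confirm intent).
while : ; do /bin/sleep 1; done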