Apple iPad Forum 🍎


Which iPad1 compatible iOS is still being signed besides 4.3.5?

OP
zeroweaver

zeroweaver

iPF Noob
Joined
Aug 25, 2011
Messages
12
Reaction score
0
Location
Murfreesboro, TN
I have a few questions for whoever knows enough to help pertaining to iPad1 3G/A4 chip/iBoot 574.4/4.3.5 iOS tethered jailbreak. Anyone answering please be as DETAILED as possible. I have spent many hours on Google reading one vague answer after another. I'm looking for detailed, technical answers. Please, no obvious answers. (Example: if I ask "What is a bootrom?" I don't need someone to tell me "It's a chip in the iPad that handles bootups.") I don't want anyone to think I am ungrateful. I just need more details than all the answers to the same questions I found searching. I search in depth before asking a question someone else may have already answered. So 99% of the time when I post a question it's because I could not find a satisfactory answer searching (and I don't give up easily when searching).

1) What is the flow of logic that requires the shsh blobs? Also what is the exact boot sequence? (A4 iBoot 574.4)

2) Exactly why has no one been able to fake a signed shsh blob?

3) Is it the iboot file on the bootrom that prevents an untethered jailbreak?

4) Is 4.3.5 the last iOS that will not require my apps to be "pushed" to my iPad on every boot? (iCloud require that?)

5) What are the pros/cons to my iPad having the A4 chip?

6) Baseband: What exactly is it? Is it stored on my bootrom? What does it do other than lock me into a specific carrier? Should I care about it with an iPad1?

7) How do I know if I have saved my current 4.3.5 signed shsh blobs just in case I need them later?

8) What exactly is UDID faker and do I need it?

9) Is there a way for me to record the data flow between my computer and iPad during tethered boot? Can I make my own bootup dongle like the "iDongle"? If so, what would I need?

I'm a bit of an information junkie. It's not unheard of for me to sit at my computer researching for 8+ hours straight. I have learned a lot about jailbreaking but still have a lot to learn. I want to learn as much as I can and start doing my own custom hacks/jailbreaking. In other words, I want to become like a dev.
 

glittergirl

iPF Noob
Joined
Sep 25, 2011
Messages
45
Reaction score
4
No idea about any of your questions, but someplace like the dev team blog might be a place to start. They often have a lively comments section. My head starts to hurt and I shut down when things get down to the level of actual coding. :) I'm super new here though so others will probably have much better suggestions. Developer forums or boards might be a good place to look for these types of answers.
 

f4780y

Super Moderator
Staff member
Joined
Sep 11, 2010
Messages
7,113
Reaction score
652
Location
Troon, Scotland
@zeroweaver - hopefully some of these responses help... Others can feel free to correct me if I've got something wrong.

1) What is the flow of logic that requires the shsh blobs? Also what is the exact boot sequence? (A4 iBoot 574.4)
Boot sequence is LLB (Low Level Bootloader), iBoot, then iOS firmware. iBSS and iBEC also come into play depending on whether your device is in recovery mode / DFU mode, etc. I don't have a detailed flow between device, iTunes, and Apple servers for blobs. Sorry.
2) Exactly why has no one been able to fake a signed shsh blob?
Because it's a securely encrypted signature. Without the encryption key you are never going to break the security or make fake blobs.
3) Is it the iboot file on the bootrom that prevents an untethered jailbreak?
Short answer, yes. You are forced into a tethered situation if one or more signature checks will fail due to the jailbreak. A tethered device is able to boot up using a bootrom exploit such as limera1n, which allows you to bootstrap to a pwned iBSS, iBEC, or iBoot to finish the boot process, but you cannot make the change stick between boots.
4) Is 4.3.5 the last iOS that will not require my apps to be "pushed" to my iPad on every boot? (iCloud require that?)
No. iCloud has nothing to do with pushing your apps to your iPad on every boot. It is just cloud storage. Your apps still need to be installed on your iPad just as they do now. There is no special cloud booting magic involved.
5) What are the pros/cons to my iPad having the A4 chip?
I don't know how to answer this question; it's a little too vague. One pro of the A4 chip is we know it has a flaw which can be exploited, i.e. limera1n, so there will always be a way to have a tethered JB. But that's only relevant for iPad1.
6) Baseband: What exactly is it? Is it stored on my bootrom? What does it do other than lock me into a specific carrier? Should I care about it with an iPad1?
The baseband is the OS of the modem on a 3G capable device. So it is the modem firmware. No, it's not stored on the bootrom. It is installed just like iOS in its own area of storage. The baseband runs the modem operations. Its main job is to do that, not to lock you to a carrier. That is only one very small feature, and most iPads are unlocked by default in any case. There is very little point in being interested in the iPad baseband; it is only of real interest to the iPhone world.
7) How do I know if I have saved my current 4.3.5 signed shsh blobs just in case I need them later?
Follow this tutorial - http://www.ipadforums.net/jailbreak...01-how-save-your-shsh-blobs-tinyumbrella.html
8) What exactly is UDID faker and do I need it?
It has little to do with legitimate hacking. You don't need it, and you won't get any help with it here as it tends to stray into the territory of app piracy.
9) Is there a way for me to record the data flow between my computer and iPad during tethered boot? Can I make my own bootup dongle like the "iDongle"? If so, what would I need?
I mean no offence, but based on your level of knowledge at this stage of your journey I think you are probably quite a way from being able to attempt anything like this. You are getting into the realms of needing to understand a great deal about how your PC's OS, iTunes, and the iPad all work. Intercepting traffic is all very well, but then you need the skills and knowledge to understand it; usually a good knowledge of assembly language or similar is a good starting place.
Building a dongle is a non-trivial electronics project, but it's not something I would be able to assist you with. Sorry.
 
OP
zeroweaver

zeroweaver

iPF Noob
Joined
Aug 25, 2011
Messages
12
Reaction score
0
Location
Murfreesboro, TN
#3 Is that because the LLB is hard-written onto the bootrom? What changed between 4.3.3 and 4.3.5 that killed the untethered jailbreak?
 

f4780y

Super Moderator
Staff member
Joined
Sep 11, 2010
Messages
7,113
Reaction score
652
Location
Troon, Scotland
Well, all ROM is read-only memory, but that's not the reason for No. 3.
To execute it, the ROM must be read and written into RAM so the processor can deal with it. If you can somehow exploit the copy which is in RAM then you can pwn it. It's just not as simple as it sounds, because that process is well protected at multiple levels within the architecture of the system. In oversimplistic terms, you need a flaw in the ROM which you can exploit, such as limera1n or SHAtter, in order to get your own code "into" the copy of the bootrom which is running in RAM. If the flaw is in the read-only area then it will always be copied into RAM and therefore you can always exploit it. That is why we say the A4 devices are pwned for life. Apple can't fix it without revising the hardware.

@i0n1c posted details on how the untether was fixed when 4.3.4 was released. It relied on a vulnerability in the dynamic linker which Apple patched, but this was not part of the ROM (otherwise they would not have been able to fix it).
The following is part of what he tweeted:

The dynamic linker performs additional checks on the mach-o header to stop a class of attacks against the dynamic linker.
This is how Apple broke your hearts: ADD.W R3, R11, #0xFFFFFFFF – CMP R3, #9 – BHI get_out_of_here
It checks the demux_count in ndrv_setspec. Actually no. That code is the code that fixes the untether exploit.

You are going to have to get to grips with understanding the assembly language commands I have highlighted in bold if you want a chance at becoming a JB developer (developing the JB, not the tweaks / apps). I highly recommend starting by reading "Hacking: The Art of Exploitation" by Jon Erickson, and also looking into disassembling. The tool of choice for iDevice jailbreakers is IDA Pro, but I warn you now, it isn't cheap. But if you are serious about it, it's the way to go IMHO.

Again, if anyone else knows better, feel free to chip in.
 
Last edited:
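To make the quoted fix readable for someone still learning assembly, here is an added C rendering of the three instructions above (ADD.W R3, R11, #0xFFFFFFFF / CMP R3, #9 / BHI get_out_of_here). It is not code from the thread, from @i0n1c, or from Apple; R11 is assumed to hold a count read from the untrusted Mach-O header, and the test values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirror of the patched check, as an added illustration.
 * ADD.W R3, R11, #0xFFFFFFFF  -> r3 = r11 - 1 (32-bit wraparound)
 * CMP   R3, #9 ; BHI reject   -> reject when (unsigned) r3 > 9
 * The subtract-then-unsigned-compare idiom validates 1 <= r11 <= 10
 * with a single branch: r11 == 0 wraps to 0xFFFFFFFF and is rejected,
 * and any value above 10 is rejected by the same comparison.
 * Returns 1 when the header value is accepted, 0 when it is rejected. */
int header_count_accepted(uint32_t r11)
{
    uint32_t r3 = r11 + 0xFFFFFFFFu;   /* ADD.W R3, R11, #0xFFFFFFFF */
    if (r3 > 9u)                       /* CMP R3, #9 ; BHI get_out_of_here */
        return 0;                      /* get_out_of_here: header rejected */
    return 1;                          /* fall through: count is in 1..10 */
}

/* Same policy written the way a C programmer would, to show the
 * two forms are equivalent for every 32-bit input. */
int header_count_accepted_plain(uint32_t count)
{
    return count >= 1u && count <= 10u;
}

int main(void)
{
    /* Constructed sample values: the boundary cases a reviewer checks. */
    const uint32_t samples[] = { 0u, 1u, 10u, 11u, 0xFFFFFFFFu };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("count=%-10u asm-style=%d plain=%d\n", samples[i],
               header_count_accepted(samples[i]),
               header_count_accepted_plain(samples[i]));
    return 0;
}
```

The value 0 is the case people most often miss when reading the assembly: without the preceding subtract, a plain CMP with 9 would let it through.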

f4780y

Super Moderator
Staff member
Joined
Sep 11, 2010
Messages
7,113
Reaction score
652
Location
Troon, Scotland
You're welcome. And don't let the enormity of the task ahead put you off trying. The world needs as many JB developers as it can get. You just won't be becoming one overnight, that's all... :)
 
