zowki wrote:
If I'm not wrong, several people on the old forums suggested that the firmware partition be replaced by the code we want to execute, and they were all shunned by the smart guys saying that it is impossible, since any code to be executed has to be encrypted and without knowing the encryption keys this cannot be done. So how do you explain that iLoader works? Can someone clear this up for me?
It is true that the code stored in the firmware partition has to be encrypted, and it is also true that we don't have the encryption key. This made it impossible to initially gain execution of custom code on the 2G by simply replacing the contents of the firmware partition, and thus a different solution was necessary. Eventually, an exploit was discovered that took advantage of a bug in the Notes feature of the 2G to allow custom code to be executed on the device.
Once developers had a way to execute their code on the 2G, it was possible to start dumping data and analyze how the boot process worked. It turns out that the firmware encryption key is stored in the processor, with no way available to read it out. However, it is possible to have the processor encrypt or decrypt a piece of data for you using this key. Thus the developers were able to feed their code to the processor, and have it give back the encrypted version which could be stored on the firmware partition.
The key here is that using the processor to encrypt a custom bootloader is not possible until the ability to execute custom code has been achieved through some other means.
Disclaimer: I am not a developer in any related project, and this information is merely what I have gleaned from reading various public sources. I may be incorrect on one or many points.