THIS IS A ROUGH DRAFT OF A TUTORIAL WRITTEN FOR WINDOWS IPOD TOUCH USERS

Many people are jailbreaking their iPod touches with a combination of Niacin's hack and the tutorial at http://www.iphonealley.com/news/iphone-v1-1-1-jailbreak-apptapp-installation-guide. However, that tutorial doesn't give any love to Windows users, who were unfortunately stuck with a version of iPhuc that cannot download or upload an image to or from the flash drive in the touch. Thus, attempts to upload a modified /etc/fstab failed to stick after a reboot, since the file went to a RAM disk, not the flash drive itself.

The modified iPhuc at http://rapidshare.com/files/61742428/iphuc.zip aims to resolve this problem. (Partial source is included; it is based on iphucwin32, with get_file based on an anonymous pastebin submission.)

This is far from a one-click solution and you're probably better off borrowing a friend's Mac. This tutorial assumes good general computer proficiency and basic console proficiency. If you don't have those, there are other resources out there that can help you with the tasks here. But if you don't have a Mac and can't wait (like I didn't and couldn't), here's what I did:

Getting ready

1. I recommend you start from a clean, blank iPod. Restore your iPod to a factory state through iTunes. Don't bother to sync it until you've fully jailbroken it. You might easily mess up and have to start over anyway.

2. Go to http://jailbreak.toc2rta.com/ with Safari on your iPod (after connecting it to a wireless network, etc.). Safari should crash (exit silently).

3. On your computer, exit iTunes and use Task Manager to kill the iTunesHelper.exe process. You don't want iTunes getting in the way while you're trying to use iPhuc.

Preparing iPhuc

4. Extract iPhuc.exe from http://rapidshare.com/files/61742428/iphuc.zip.

5. Copy iTunesMobileDevice.dll from C:\Program Files\Common Files\Apple\Mobile Device Support\bin to the same folder as iPhuc.exe.

6. Copy readline5.dll from http://gnuwin32.sourceforge.net/downlinks/readline-bin-zip.php to the same folder as iPhuc.exe.

7. Run iPhuc.exe. The window should indicate that it is waiting for a connection.

8. Plug in your iPod. The window should indicate that it has made a connection, and gives you a prompt.

9. In iPhuc, type "getfile /dev/rdisk0s1 rdisk0s1 314572800" (without the quotes, of course). This downloads a 300 MB image of the operating-system partition of your iPod's flash disk, so it may take a while.

10. Make a backup copy of the rdisk0s1 file that you just downloaded to your iPhuc folder.

11. You now need to do some hex editing. The tool I use for doing this is HxD (http://www.mh-nexus.de/hxd/), but you may use anything you like (as long as you're familiar and proficient with the tool). What we want to do is find fstab in the image, modify it so we get read/write access, and send it back. Open rdisk0s1 with your hex editor.

12. Search for the ASCII string "noexec" in the file. The second hit should look like the /etc/fstab file:

/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2 /private/var hfs rw,noexec 0 2

Only, of course, hex editors will display newlines as a '.' character or similar. This series of characters is usually found at 0xF8F9000-0xF8F9045. The bytes will have the following values:

2F 64 65 76 2F 64 69 73 6B 30 73 31 20 2F 20 68 66 73 20 72 6F 20 30 20 31 0A 2F 64 65 76 2F 64 69 73 6B 30 73 32 20 2F 70 72 69 76 61 74 65 2F 76 61 72 20 68 66 73 20 72 77 2C 6E 6F 65 78 65 63 20 30 20 32 0A

13. Change these to

/dev/disk0s1 / hfs rw 0 1
/dev/disk0s2 /private/var hfs rw 0 2

padding the end of the string with newlines so it ends up exactly the same size as the old /etc/fstab. The new series of characters ought to be:

2F 64 65 76 2F 64 69 73 6B 30 73 31 20 2F 20 68 66 73 20 72 77 20 30 20 31 0A 2F 64 65 76 2F 64 69 73 6B 30 73 32 20 2F 70 72 69 76 61 74 65 2F 76 61 72 20 68 66 73 20 72 77 20 30 20 32 0A 0A 0A 0A 0A 0A 0A 0A

14. Save your changes. I'm assuming that you're replacing the old rdisk0s1 file on your hard drive with this modified version. As a final safety check, make sure the file sizes of your modified version and your backup versions are exactly the same, down to the last byte.
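As an added example (not part of this tutorial and not iPhuc code), the following Python script does the step 12-14 edit programmatically and enforces the rule that matters here: the replacement must be exactly the same size as the original fstab text, and nothing outside that span may change. The image contents and offsets it uses are constructed sample data, not a real dump; the two byte listings are copied from the tutorial and used to cross-check the result.

```python
# Added example (not from the tutorial or iPhuc): patch the fstab text inside a
# raw rdisk0s1 image in place, keeping the image size identical, and report
# which bytes changed. Sample image below is constructed, not a real dump.

# The original /etc/fstab text as the tutorial shows it inside the image.
OLD_FSTAB = (b"/dev/disk0s1 / hfs ro 0 1\n"
             b"/dev/disk0s2 /private/var hfs rw,noexec 0 2\n")
# The replacement text before newline padding.
NEW_FSTAB_BODY = (b"/dev/disk0s1 / hfs rw 0 1\n"
                  b"/dev/disk0s2 /private/var hfs rw 0 2\n")

# Byte listings copied from the tutorial, used to cross-check the patch.
TUTORIAL_OLD_HEX = ("2F 64 65 76 2F 64 69 73 6B 30 73 31 20 2F 20 68 66 73 20 72 6F 20 30 20 31 0A "
                    "2F 64 65 76 2F 64 69 73 6B 30 73 32 20 2F 70 72 69 76 61 74 65 2F 76 61 72 20 "
                    "68 66 73 20 72 77 2C 6E 6F 65 78 65 63 20 30 20 32 0A")
TUTORIAL_NEW_HEX = ("2F 64 65 76 2F 64 69 73 6B 30 73 31 20 2F 20 68 66 73 20 72 77 20 30 20 31 0A "
                    "2F 64 65 76 2F 64 69 73 6B 30 73 32 20 2F 70 72 69 76 61 74 65 2F 76 61 72 20 "
                    "68 66 73 20 72 77 20 30 20 32 0A 0A 0A 0A 0A 0A 0A 0A")


def build_replacement(old, new_body):
    """Pad new_body with trailing newlines until it is exactly len(old) bytes.

    The image is patched in place, so the new fstab may never be longer than
    the old one and must not shift any byte that follows it.
    """
    if len(new_body) > len(old):
        raise ValueError("replacement fstab is longer than the original")
    return new_body + b"\n" * (len(old) - len(new_body))


def find_fstab(image, old=OLD_FSTAB):
    """Offset of the single fstab occurrence; error if absent or ambiguous."""
    hits = []
    start = 0
    while True:
        pos = image.find(old, start)
        if pos < 0:
            break
        hits.append(pos)
        start = pos + 1
    if len(hits) != 1:
        raise ValueError("expected exactly one fstab match, found %d" % len(hits))
    return hits[0]


def patch_fstab(image, old=OLD_FSTAB, new_body=NEW_FSTAB_BODY):
    """Return a copy of image with the fstab text replaced and the size unchanged."""
    off = find_fstab(image, old)
    replacement = build_replacement(old, new_body)
    patched = image[:off] + replacement + image[off + len(old):]
    if len(patched) != len(image):
        raise AssertionError("patched image changed size")
    return patched


def changed_offsets(original, patched):
    """The step 14 safety check: same size, and a list of every offset that differs."""
    if len(original) != len(patched):
        raise ValueError("images differ in size: %d vs %d" % (len(original), len(patched)))
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]


if __name__ == "__main__":
    # Constructed stand-in for the 300 MB dump: filler, the fstab text, more filler.
    sample = b"\x00" * 4096 + OLD_FSTAB + b"\xff" * 4096
    out = patch_fstab(sample)
    print("fstab at 0x%X, %d bytes changed, size %d -> %d" %
          (find_fstab(sample), len(changed_offsets(sample, out)), len(sample), len(out)))
```

To use it on a real dump you would read rdisk0s1 into memory, call patch_fstab, and write the result to a new file, then run changed_offsets against the backup from step 10 to confirm that only the 70-byte fstab span differs.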

15. Upload the modified rdisk0s1 image to your iPod. In iPhuc, type "putfile rdisk0s1 /dev/rdisk0s1".

16. Exit iPhuc and reboot your iPod.

17. Open iPhuc again so it connects to your freshly rebooted iPod. As a check, type "getfile /etc/fstab". This will download fstab to iPhuc's directory. Open it up with your favorite text editor and confirm that the changes we have made are still there. If they are, congratulations. You have a jailbroken iPod. Sort of.

18. We now need to install ssh and associated tools. This is all old territory by now, but unfortunately everything is either "one-click" or designed for Macs, so we need to do some sweating here. Download http://iphone.natetrue.com/dropbearkey.exe. You also need cygwin1.dll from somewhere (it is easy to find), which should be placed in the same directory as dropbearkey. Then execute the following in a Windows command prompt:

dropbearkey -t rsa -f dropbear_rsa_host_key
dropbearkey -t dss -f dropbear_dss_host_key

You should now have two files in that directory, dropbear_rsa_host_key and dropbear_dss_host_key. Copy or move these into your iPhuc directory.

19. Download and extract http://iphone.natetrue.com/BSD_Base-2.0.tar.gz into your iPhuc directory.

20. Download and extract http://www.abigato.com/iphone-ssh-kit-vr1.tar.bz2 into your iPhuc directory. Make sure dropbear, fd6, au.asn.ucc.matt.dropbear.plist, glob6, goto, osh and sh6 are in the same directory as iPhuc.exe. Move them there if you have to.

Don't worry about obeying the following directions to the letter. As long as /etc/dropbear/dropbear_rsa_host_key, /etc/dropbear/dropbear_dss_host_key, /bin/chmod, /bin/sh and /usr/bin/dropbear exist on your iPod, we're good.

21. Open up iPhuc and type in "mkdir /etc/dropbear".

22. Then "cd /etc/dropbear"

23. "putfile dropbear_rsa_host_key"

24. "putfile dropbear_dss_host_key"

25. "cd /bin"

26. "putfile chmod"

27. Rename sh6 in your iPhuc directory to sh, then "putfile sh" in iPhuc.

28. "cd /usr/bin"

29. "putfile dropbear"

30. Make sure /etc/dropbear/dropbear_rsa_host_key, /etc/dropbear/dropbear_dss_host_key, /bin/chmod, /bin/sh and /usr/bin/dropbear now exist on your iPod with iPhuc.

31. "cd /usr/sbin"

32. "getfile update"

33. In Windows Explorer, rename "update", which you just downloaded, to "update.orig".

34. Rename "chmod" in the iPhuc folder to "update".

35. In iPhuc, "putfile update". So you're replacing /usr/sbin/update with chmod.

36. "cd /System/Library/LaunchDaemons/"

37. "getfile com.apple.update.plist". Open this downloaded file with your text editor. You should see something like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
                <key>Label</key>
                <string>com.apple.update</string>
                <key>ProgramArguments</key>
                <array>
                     <string>/usr/sbin/update</string>
                </array>
                <key>OnDemand</key>
                <false/>
</dict>
</plist>


38. Right after the line that says "<string>/usr/sbin/update</string>", add the following lines:

                     <string>555</string>
                     <string>/bin/chmod</string>
                     <string>/bin/sh</string>
                     <string>/usr/bin/dropbear</string>

Your file should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
                <key>Label</key>
                <string>com.apple.update</string>
                <key>ProgramArguments</key>
                <array>
                     <string>/usr/sbin/update</string>
                     <string>555</string>
                     <string>/bin/chmod</string>
                     <string>/bin/sh</string>
                     <string>/usr/bin/dropbear</string>
                </array>
                <key>OnDemand</key>
                <false/>
</dict>
</plist>

Remember that /usr/sbin/update is now actually "chmod". This tells launchd (which runs everything in LaunchDaemons) to execute the following on every reboot: "chmod 555 /bin/chmod /bin/sh /usr/bin/dropbear", giving our new commands execute permission.

39. Save the file. Upload the modified version with "putfile com.apple.update.plist"

40. Also "putfile au.asn.ucc.matt.dropbear.plist", since that tells the iPod to start the dropbear ssh daemon on every restart.
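As an added example (not from the tutorial), here is the step 38 edit done with Python's plistlib rather than by hand, so the result is guaranteed to be well-formed XML and the argument order is checked before anything is uploaded. The plist text is a constructed copy of what step 37 shows; program_arguments and launch_command are helper names chosen here.

```python
# Added example (not from the tutorial): append the chmod arguments to
# com.apple.update.plist with plistlib and check the result. The plist below is
# a constructed copy of the stock job shown in step 37.
import plistlib

ORIGINAL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.update</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/update</string>
    </array>
    <key>OnDemand</key>
    <false/>
</dict>
</plist>
"""

# The arguments the tutorial adds after /usr/sbin/update (which is now chmod).
EXTRA_ARGS = ["555", "/bin/chmod", "/bin/sh", "/usr/bin/dropbear"]


def program_arguments(plist_xml):
    """ProgramArguments as a list of strings, parsed from the XML bytes."""
    return list(plistlib.loads(plist_xml).get("ProgramArguments", []))


def add_launch_args(plist_xml, extra=EXTRA_ARGS):
    """Return the plist with extra appended to ProgramArguments.

    Refuses to touch a plist whose first argument is not /usr/sbin/update
    (i.e. not the job the tutorial swaps for chmod), and is idempotent so
    running it twice does not duplicate the arguments.
    """
    data = plistlib.loads(plist_xml)
    args = list(data.get("ProgramArguments", []))
    if not args or args[0] != "/usr/sbin/update":
        raise ValueError("not the com.apple.update job: %r" % (args,))
    if args[1:] == list(extra):
        return plist_xml
    data["ProgramArguments"] = [args[0]] + list(extra)
    return plistlib.dumps(data)


def launch_command(plist_xml):
    """The command line launchd will run for this job, for eyeballing."""
    return " ".join(program_arguments(plist_xml))


if __name__ == "__main__":
    patched = add_launch_args(ORIGINAL_PLIST)
    print(launch_command(patched))
    print(patched.decode())
```

Write the returned bytes to com.apple.update.plist in the iPhuc folder before the putfile in step 39; the printed command line should read exactly "/usr/sbin/update 555 /bin/chmod /bin/sh /usr/bin/dropbear".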

41. Reboot the iPod twice. (That is, turn it off, turn it back on, wait for it to boot, turn it off and then turn it back on). The first reboot should set the required permissions. The second should start the ssh server (since proper permissions are now set).

42. Theoretically, SSH should be working now. Find out the IP of your iPod in the iPod's wireless settings.

43. Try to ssh to it with PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html), username root, password alpine.

44. Download http://apps.iphonexe.com/24940.zip. You will need /libexec/sftp-server, /usr/bin/scp and /usr/lib/libarmfp.dylib from that archive. Extract them all to your iPhuc folder.

45. Using iPhuc's putfile capability, put sftp-server in /usr/libexec/, put scp in /usr/bin/, and put libarmfp.dylib in /usr/lib/. All of these directories should already exist.

46. Remember that BSD_Base folder you extracted? We need to raid it for some commands. You will need /bin/ls, /bin/mv, /bin/pwd, and /bin/csh. Copy those to your iPhuc directory.

47. Use iPhuc to put all of these files into the /bin folder on your iPod.

48. SSH into your iPod. What we now need to do is chmod them all executable.

49. In SSH, "/bin/chmod 555 /bin/ls"

50. "/bin/chmod 555 /bin/mv"

51. "/bin/chmod 555 /bin/pwd"

52. "/bin/chmod 555 /bin/csh"

53. "/bin/chmod 555 /usr/bin/scp"

54. "/bin/chmod 555 /usr/libexec/sftp-server". sftp should now be working.

55. Also upload glob6 to "/bin" with iPhuc and in SSH, "/bin/chmod 555 /bin/glob6".

56. Type "/bin/csh" in SSH to test out this shell. It has the advantage of not requiring you to type the full path of every executable from now on.

57. In SSH "cd /var/root".

58. "ls". You should have a Library, Mediaold, and Media directory.

59. "mv Media Media_sym" (case sensitive)

60. "mv Mediaold Media" (case sensitive)

61. Reboot the iPod and welcome your 16 GB back.

62. Download and install 7-zip (http://www.7-zip.org/). We need it to crack open the dumb Installer.app Nullsoft installer.

63. Download the Windows installer for Installer.app at http://www.nullriver.com/~adam/AppTappInstaller.exe

64. Use 7-zip to open AppTappInstaller.exe and extract the Installer.app folder from it.

65. Use SFTP to upload Installer.app into /Applications on your iPod.

The following is adapted from the iPhone Alley guide:

66. In SSH, type "/bin/chmod -Rf +x /Applications/"

67. Slide to unlock your iPod then type "/Applications/Installer.app/Installer" in SSH and hit return to launch Installer.

68. After AppTapp opens, press control+c in SSH to close it.

69. Open Safari on the iPod and navigate to http://conceitedsoftware.com/iphone/beta. While you're doing this, make sure the hacked TIFF image isn't loaded again; if it starts loading, hit the X.

70. Tap yes to add it to Installer

71. Back in ssh, type "/Applications/Installer.app/Installer" and hit return to launch Installer again.

72. Install the Community Sources package.

73. Install Trip1PogoStick located under the "System" category to enable scrolling and applications.

74. Restart the iPod. You should be done.