2.0 support for xpwn

hfs/hfslib.c

@@ -592,10 +592,10 @@ void hfs_untar(Volume* volume, AbstractFile* tarFile) {
 		HFSPlusCatalogRecord* record = getRecordFromPath3(fileName, volume, NULL, NULL, TRUE, FALSE, kHFSRootFolderID);
 		if(record) {
 			if(record->recordType == kHFSPlusFolderRecord || type == 5) {
-				printf("ignoring %s", fileName);
+				printf("ignoring %s, type = %d\n", fileName, type);
 				goto loop;
 			} else {
-				printf("replacing %s", fileName);
+				printf("replacing %s\n", fileName);
 				removeFile(fileName, volume);
 			}
 		}

includes/xpwn/8900.h

@@ -39,10 +39,12 @@ typedef struct Info8900 {
 	AES_KEY         decryptKey;
 	
 	char            dirty;
+	char 		exploit;
 } Info8900;
 
 AbstractFile* createAbstractFileFrom8900(AbstractFile* file);
 AbstractFile* duplicate8900File(AbstractFile* file, AbstractFile* backing);
 void replaceCertificate8900(AbstractFile* file, AbstractFile* certificate);
+void exploit8900(AbstractFile* file);
 
 #endif

includes/xpwn/pwnutil.h

@@ -10,7 +10,7 @@ extern "C" {
 #endif
 	int patch(AbstractFile* in, AbstractFile* out, AbstractFile* patch);
 	Dictionary* parseIPSW(const char* inputIPSW, const char* bundleRoot, char** bundlePath, OutputState** state);
-	int doPatch(StringValue* patchValue, StringValue* fileValue, const char* bundlePath, OutputState** state);
+	int doPatch(StringValue* patchValue, StringValue* fileValue, const char* bundlePath, OutputState** state, uint8_t* key, uint8_t* iv);
 	void doPatchInPlace(Volume* volume, const char* filePath, const char* patchPath);
 	void fixupBootNeuterArgs(Volume* volume, char unlockBaseband, char selfDestruct, char use39, char use46);
 #ifdef __cplusplus

ipsw-patch/8900.c

@@ -101,7 +101,24 @@ void close8900(AbstractFile* file) {
 		info->file->seek(info->file, sizeof(info->header) + info->header.footerSignatureOffset);
 		info->file->write(info->file, info->footerSignature, 0x80);
 		info->file->seek(info->file, sizeof(info->header) + info->header.footerCertOffset);
+
+		if(info->exploit) {
+			info->footerCertificate[0x8be] = 0x9F;
+			info->footerCertificate[0xb08] = 0x55;
+		}
+
 		info->file->write(info->file, info->footerCertificate, info->header.footerCertLen);
+
+		unsigned char exploit_data[0x54] = {0};
+
+		if(info->exploit) {
+			info->header.footerCertLen = 0xc5e;
+			exploit_data[0x30] = 0x01;
+			exploit_data[0x50] = 0xEC;
+			exploit_data[0x51] = 0x57;
+			exploit_data[0x53] = 0x20;
+			info->file->write(info->file, exploit_data, sizeof(exploit_data));
+		}
 		
 		flipApple8900Header(&(info->header));
 		SHA1_Init(&sha_ctx);
@@ -122,6 +139,11 @@ void close8900(AbstractFile* file) {
 	free(file);
 }
 
+void exploit8900(AbstractFile* file) {
+	Info8900* info = (Info8900*) (file->data);
+	info->exploit = TRUE;
+	info->dirty = TRUE;
+}
 
 AbstractFile* createAbstractFileFrom8900(AbstractFile* file) {
 	Info8900* info;
@@ -154,6 +176,7 @@ AbstractFile* createAbstractFileFrom8900(AbstractFile* file) {
 	}
 
 	info->dirty = FALSE;
+	info->exploit = FALSE;
 	
 	info->offset = 0;
 	

ipsw-patch/FirmwareBundles/iPhone1,1_1.2.0_5A147p.bundle/Info.plist

@@ -1,155 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>FilesystemPatches</key>
-	<dict>
-		<key>Core Files Installation</key>
-		<array>
-			<dict>
-				<key>Action</key>
-				<string>ReplaceKernel</string>
-				<key>File</key>
-				<string>kernelcache.release.s5l8900x</string>
-				<key>Name</key>
-				<string>KernelCache</string>
-				<key>Path</key>
-				<string>System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8900x</string>
-			</dict>
-		</array>
-		<key>Filesystem Jailbreak</key>
-		<array>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>etc/fstab</string>
-				<key>Name</key>
-				<string>Filesystem Write Access</string>
-				<key>Patch</key>
-				<string>fstab.patch</string>
-			</dict>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>System/Library/Lockdown/Services.plist</string>
-				<key>Name</key>
-				<string>Apple File Connection v2</string>
-				<key>Patch</key>
-				<string>Services.plist.patch</string>
-			</dict>
-		</array>
-		<key>Phone Activation</key>
-		<array>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>usr/libexec/lockdownd</string>
-				<key>Name</key>
-				<string>Lockdownd Patch</string>
-				<key>Patch</key>
-				<string>lockdownd.patch</string>
-			</dict>
-		</array>
-	</dict>
-	<key>FirmwarePatches</key>
-	<dict>
-		<key>AppleLogo</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/applelogo.img2</string>
-		</dict>
-		<key>DeviceTree</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/DeviceTree.m68ap.img2</string>
-			<key>Patch</key>
-			<string>DeviceTree.m68ap.patch</string>
-			<key>TypeFlag</key>
-			<integer>1</integer>
-		</dict>
-		<key>KernelCache</key>
-		<dict>
-			<key>File</key>
-			<string>kernelcache.release.s5l8900x</string>
-			<key>Patch</key>
-			<string>kernelcache.release.patch</string>
-			<key>TypeFlag</key>
-			<integer>4</integer>
-		</dict>
-		<key>LLB</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/LLB.m68ap.RELEASE.img2</string>
-		</dict>
-		<key>RecoveryMode</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/recoverymode.s5l8900x.img2</string>
-		</dict>
-		<key>Restore Ramdisk</key>
-		<dict>
-			<key>File</key>
-			<string>022-3972-2.dmg</string>
-			<key>Patch</key>
-			<string>022-3972-2_nobb.patch</string>
-			<key>Patch2</key>
-			<string>022-3972-2.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBEC</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/dfu/iBEC.m68ap.RELEASE.dfu</string>
-			<key>Patch</key>
-			<string>iBEC.m68ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBSS</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/dfu/iBSS.m68ap.RELEASE.dfu</string>
-			<key>Patch</key>
-			<string>iBSS.m68ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBoot</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/iBoot.m68ap.RELEASE.img2</string>
-			<key>Patch</key>
-			<string>iBoot.m68ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>1</integer>
-		</dict>
-	</dict>
-	<key>PreInstalledPackages</key>
-	<array>
-		<string>org.iphone-dev.bsd.subsystem</string>
-		<string>org.iphone-dev.OpenSSH</string>
-	</array>
-	<key>RestoreRamdiskMountVolume</key>
-	<string>ramdisk</string>
-	<key>RootFilesystem</key>
-	<string>022-3969-2.dmg</string>
-	<key>RootFilesystemFreeSpace</key>
-	<integer>232943616</integer>
-	<key>RootFilesystemKey</key>
-	<string>86BEC353DDFBE3FB750E9D7905801F79791E69ACF65D16930D288E697644C76F16C4F16D</string>
-	<key>RootFilesystemMountVolume</key>
-	<string>Vail5A147p.iPhoneDeveloperBundle</string>
-	<key>RootFilesystemResize</key>
-	<string>500m</string>
-	<key>SHA1</key>
-	<string>D14BA2B3F6FF46C1030FF4A127BC1E576B433D75</string>
-	<key>Version</key>
-	<string>iPhone1,1_1.2.0_5A147p</string>
-	<key>iPwnerAvailable</key>
-	<false/>
-</dict>
-</plist>

ipsw-patch/FirmwareBundles/iPhone1,1_2.0_5A240d.bundle/Info.plist

@@ -1,155 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>FilesystemPatches</key>
-	<dict>
-		<key>Core Files Installation</key>
-		<array>
-			<dict>
-				<key>Action</key>
-				<string>ReplaceKernel</string>
-				<key>File</key>
-				<string>kernelcache.release.s5l8900x</string>
-				<key>Name</key>
-				<string>KernelCache</string>
-				<key>Path</key>
-				<string>System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8900x</string>
-			</dict>
-		</array>
-		<key>Filesystem Jailbreak</key>
-		<array>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>etc/fstab</string>
-				<key>Name</key>
-				<string>Filesystem Write Access</string>
-				<key>Patch</key>
-				<string>fstab.patch</string>
-			</dict>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>System/Library/Lockdown/Services.plist</string>
-				<key>Name</key>
-				<string>Apple File Connection v2</string>
-				<key>Patch</key>
-				<string>Services.plist.patch</string>
-			</dict>
-		</array>
-		<key>Phone Activation</key>
-		<array>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>usr/libexec/lockdownd</string>
-				<key>Name</key>
-				<string>Lockdownd Patch</string>
-				<key>Patch</key>
-				<string>lockdownd.patch</string>
-			</dict>
-		</array>
-	</dict>
-	<key>FirmwarePatches</key>
-	<dict>
-		<key>AppleLogo</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/applelogo.img2</string>
-		</dict>
-		<key>DeviceTree</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/DeviceTree.m68ap.img2</string>
-			<key>Patch</key>
-			<string>DeviceTree.m68ap.patch</string>
-			<key>TypeFlag</key>
-			<integer>1</integer>
-		</dict>
-		<key>KernelCache</key>
-		<dict>
-			<key>File</key>
-			<string>kernelcache.release.s5l8900x</string>
-			<key>Patch</key>
-			<string>kernelcache.release.patch</string>
-			<key>TypeFlag</key>
-			<integer>4</integer>
-		</dict>
-		<key>LLB</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/LLB.m68ap.RELEASE.img2</string>
-		</dict>
-		<key>RecoveryMode</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/recoverymode.s5l8900x.img2</string>
-		</dict>
-		<key>Restore Ramdisk</key>
-		<dict>
-			<key>File</key>
-			<string>018-3556-6.dmg</string>
-			<key>Patch</key>
-			<string>018-3556-6-nobb.patch</string>
-			<key>Patch2</key>
-			<string>018-3556-6.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBEC</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/dfu/iBEC.m68ap.RELEASE.dfu</string>
-			<key>Patch</key>
-			<string>iBEC.m68ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBSS</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/dfu/iBSS.m68ap.RELEASE.dfu</string>
-			<key>Patch</key>
-			<string>iBSS.m68ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBoot</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/iBoot.m68ap.RELEASE.img2</string>
-			<key>Patch</key>
-			<string>iBoot.m68ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>1</integer>
-		</dict>
-	</dict>
-	<key>PreInstalledPackages</key>
-	<array>
-		<string>org.iphone-dev.bsd.subsystem</string>
-		<string>org.iphone-dev.OpenSSH</string>
-	</array>
-	<key>RestoreRamdiskMountVolume</key>
-	<string>ramdisk</string>
-	<key>RootFilesystem</key>
-	<string>018-3553-6.dmg</string>
-	<key>RootFilesystemFreeSpace</key>
-	<integer>136597504</integer>
-	<key>RootFilesystemKey</key>
-	<string>E24BFAB40A2E5D3DC25E089291846E5615B640897AE8B424946C587BCF53B201A1041D36</string>
-	<key>RootFilesystemMountVolume</key>
-	<string>Vail5A240d.iPhoneDeveloperBundle</string>
-	<key>RootFilesystemResize</key>
-	<string>500m</string>
-	<key>SHA1</key>
-	<string>E196AC1A5715108712529A8C2E24F066B3BB6E04</string>
-	<key>Version</key>
-	<string>iPhone1,1_2.0_5A240d</string>
-	<key>iPwnerAvailable</key>
-	<false/>
-</dict>
-</plist>

ipsw-patch/FirmwareBundles/iPhone1,1_2.0_5A347.bundle/Info.plist

@@ -2,6 +2,42 @@
 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>BasebandPatches</key>
+	<dict>
+		<key>BBUpdater</key>
+		<dict>
+			<key>File</key>
+			<string>usr/local/bin/bbupdater</string>
+			<key>Patch</key>
+			<string>bbupdater.patch</string>
+			<key>Path</key>
+			<string>Applications/BootNeuter.app/bin/bbupdater</string>
+		</dict>
+		<key>Baseband EEP</key>
+		<dict>
+			<key>File</key>
+			<string>usr/local/standalone/firmware/ICE04.05.04_G.eep</string>
+			<key>Path</key>
+			<string>Applications/BootNeuter.app/firmware/ICE04.05.04_G.eep</string>
+		</dict>
+		<key>Baseband FLS</key>
+		<dict>
+			<key>File</key>
+			<string>usr/local/standalone/firmware/ICE04.05.04_G.fls</string>
+			<key>Path</key>
+			<string>Applications/BootNeuter.app/firmware/ICE04.05.04_G.fls</string>
+		</dict>
+		<key>Bootloader 3.9</key>
+		<dict>
+			<key>Path</key>
+			<string>Applications/BootNeuter.app/firmware/bl39.bin</string>
+		</dict>
+		<key>Bootloader 4.6</key>
+		<dict>
+			<key>Path</key>
+			<string>Applications/BootNeuter.app/firmware/bl46.bin</string>
+		</dict>
+	</dict>
 	<key>FilesystemPatches</key>
 	<dict>
 		<key>Core Files Installation</key>
@@ -59,16 +95,24 @@
 		<key>AppleLogo</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/applelogo.img2</string>
+			<string>Firmware/all_flash/all_flash.m68ap.production/applelogo.s5l8900x.img3</string>
+			<key>IV</key>
+			<string>5d1c8f19b86411f032d647de174ca7cd</string>
+			<key>Key</key>
+			<string>94bf8963c8ef945e919adb1ee38f8d74</string>
 		</dict>
 		<key>DeviceTree</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/DeviceTree.m68ap.img2</string>
+			<string>Firmware/all_flash/all_flash.m68ap.production/DeviceTree.m68ap.img3</string>
 			<key>Patch</key>
 			<string>DeviceTree.m68ap.patch</string>
+			<key>IV</key>
+			<string>ad41f2ba3bc2f722acdf168e6730d375</string>
+			<key>Key</key>
+			<string>462631c8489390443f82665a6d257c6a</string>
 			<key>TypeFlag</key>
-			<integer>1</integer>
+			<integer>8</integer>
 		</dict>
 		<key>KernelCache</key>
 		<dict>
@@ -76,27 +120,43 @@
 			<string>kernelcache.release.s5l8900x</string>
 			<key>Patch</key>
 			<string>kernelcache.release.patch</string>
+			<key>IV</key>
+			<string>3525bab8a8375143469c5c6a4533d9bc</string>
+			<key>Key</key>
+			<string>e8a54cb7b34773d67a2e6540c588129f</string>
 			<key>TypeFlag</key>
 			<integer>4</integer>
 		</dict>
 		<key>LLB</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/LLB.m68ap.RELEASE.img2</string>
+			<string>Firmware/all_flash/all_flash.m68ap.production/LLB.m68ap.RELEASE.img3</string>
+			<key>Patch</key>
+			<string>LLB.m68ap.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
 		</dict>
 		<key>RecoveryMode</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/recoverymode.s5l8900x.img2</string>
+			<string>Firmware/all_flash/all_flash.m68ap.production/recoverymode.s5l8900x.img3</string>
+			<key>IV</key>
+			<string>1007fd4b6d504082573ae48d96fa88e7</string>
+			<key>Key</key>
+			<string>94bd127dfec81a27a486d599b821875e</string>
 		</dict>
 		<key>Restore Ramdisk</key>
 		<dict>
 			<key>File</key>
-			<string>018-3476-4.dmg</string>
+			<string>018-3786-2.dmg</string>
 			<key>Patch</key>
-			<string>018-3476-4-nobb.patch</string>
+			<string>018-3786-2.patch</string>
 			<key>Patch2</key>
-			<string>018-3476-4.patch</string>
+			<string>018-3786-2-nowipe.patch</string>
+			<key>IV</key>
+			<string>e0076e8068eee1f05d8a05388d3d6a92</string>
+			<key>Key</key>
+			<string>e7004df999fcb34e14c4223ed029233b</string>
 			<key>TypeFlag</key>
 			<integer>8</integer>
 		</dict>
@@ -118,38 +178,64 @@
 			<key>TypeFlag</key>
 			<integer>8</integer>
 		</dict>
+		<key>WTF</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/dfu/WTF.m68ap.RELEASE.dfu</string>
+			<key>Patch</key>
+			<string>WTF.m68ap.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>WTF 2</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/dfu/WTF.s5l8900xall.RELEASE.dfu</string>
+			<key>Patch</key>
+			<string>WTF.s5l8900xall.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
 		<key>iBoot</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.m68ap.production/iBoot.m68ap.RELEASE.img2</string>
+			<string>Firmware/all_flash/all_flash.m68ap.production/iBoot.m68ap.RELEASE.img3</string>
 			<key>Patch</key>
 			<string>iBoot.m68ap.RELEASE.patch</string>
+			<key>IV</key>
+			<string>1306ced060ed795ccb410271eef06259</string>
+			<key>Key</key>
+			<string>6ee2b333ca5848970af891caa0cb7a6a</string>
 			<key>TypeFlag</key>
-			<integer>1</integer>
+			<integer>8</integer>
 		</dict>
 	</dict>
 	<key>PreInstalledPackages</key>
 	<array>
-		<string>org.iphone-dev.bsd.subsystem</string>
-		<string>org.iphone-dev.OpenSSH</string>
+		<string>com.apptapp.Installer2</string>
+		<string>org.saurik.cydia2</string>
 	</array>
 	<key>RestoreRamdiskMountVolume</key>
 	<string>ramdisk</string>
 	<key>RootFilesystem</key>
-	<string>018-3473-4.dmg</string>
-	<key>RootFilesystemFreeSpace</key>
-	<integer>184463360</integer>
+	<string>018-3785-2.dmg</string>
+	<key>RootFilesystemUsedSpace</key>
+	<integer>438</integer>
+	<key>RootFilesystemSize</key>
+	<integer>500</integer>
+	<key>RamdiskSize</key>
+	<integer>19</integer>
 	<key>RootFilesystemKey</key>
-	<string>EA14F3EC624C7FDBD52E108AA92D13B16F6B0B940C841F7BBC7792099DAE45DA928D13E7</string>
+	<string>2CFCA55AABB22FDE7746E6A034F738B7795458BE9902726002A8341995558990F41E3755</string>
 	<key>RootFilesystemMountVolume</key>
-	<string>Vail5a225c.iPhoneDeveloperBundle</string>
-	<key>RootFilesystemResize</key>
-	<string>500m</string>
+	<string>BigBear5A347.M68OS</string>
 	<key>SHA1</key>
-	<string>DC21FCD8D1E07B7C468A112F4EF62CCDA5B8E25B</string>
-	<key>Version</key>
-	<string>iPhone1,1_1.2.0_5A225c</string>
-	<key>iPwnerAvailable</key>
-	<false/>
+	<string>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</string>
+	<key>Filename</key>
+	<string>iPhone1,1_2.0_5A347_Restore.ipsw</string>
+	<key>Name</key>
+	<string>iPhone1,1_2.0_5A347</string>
+	<key>Platform</key>
+	<integer>1</integer>	
 </dict>
 </plist>

ipsw-patch/FirmwareBundles/iPhone1,2_2.0_5A347.bundle/Info.plist

@@ -0,0 +1,205 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>FilesystemPatches</key>
+	<dict>
+		<key>Core Files Installation</key>
+		<array>
+			<dict>
+				<key>Action</key>
+				<string>ReplaceKernel</string>
+				<key>File</key>
+				<string>kernelcache.release.s5l8900x</string>
+				<key>Name</key>
+				<string>KernelCache</string>
+				<key>Path</key>
+				<string>System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8900x</string>
+			</dict>
+		</array>
+		<key>Filesystem Jailbreak</key>
+		<array>
+			<dict>
+				<key>Action</key>
+				<string>Patch</string>
+				<key>File</key>
+				<string>etc/fstab</string>
+				<key>Name</key>
+				<string>Filesystem Write Access</string>
+				<key>Patch</key>
+				<string>fstab.patch</string>
+			</dict>
+			<dict>
+				<key>Action</key>
+				<string>Patch</string>
+				<key>File</key>
+				<string>System/Library/Lockdown/Services.plist</string>
+				<key>Name</key>
+				<string>Apple File Connection v2</string>
+				<key>Patch</key>
+				<string>Services.plist.patch</string>
+			</dict>
+		</array>
+		<key>Phone Activation</key>
+		<array>
+			<dict>
+				<key>Action</key>
+				<string>Patch</string>
+				<key>File</key>
+				<string>usr/libexec/lockdownd</string>
+				<key>Name</key>
+				<string>Lockdownd Patch</string>
+				<key>Patch</key>
+				<string>lockdownd.patch</string>
+			</dict>
+		</array>
+	</dict>
+	<key>FirmwarePatches</key>
+	<dict>
+		<key>AppleLogo</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/all_flash/all_flash.n82ap.production/applelogo.s5l8900x.img3</string>
+			<key>IV</key>
+			<string>5d1c8f19b86411f032d647de174ca7cd</string>
+			<key>Key</key>
+			<string>94bf8963c8ef945e919adb1ee38f8d74</string>
+		</dict>
+		<key>DeviceTree</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/all_flash/all_flash.n82ap.production/DeviceTree.n82ap.img3</string>
+			<key>Patch</key>
+			<string>DeviceTree.n82ap.patch</string>
+			<key>IV</key>
+			<string>f801d9f5a539a4cff9a2346593cc0e94</string>
+			<key>Key</key>
+			<string>b166c4676bf65ffcaab58b5f0b78fe7d</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>KernelCache</key>
+		<dict>
+			<key>File</key>
+			<string>kernelcache.release.s5l8900x</string>
+			<key>Patch</key>
+			<string>kernelcache.release.patch</string>
+			<key>IV</key>
+			<string>3525bab8a8375143469c5c6a4533d9bc</string>
+			<key>Key</key>
+			<string>e8a54cb7b34773d67a2e6540c588129f</string>
+			<key>TypeFlag</key>
+			<integer>4</integer>
+		</dict>
+		<key>LLB</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/all_flash/all_flash.n82ap.production/LLB.n82ap.RELEASE.img3</string>
+			<key>Patch</key>
+			<string>LLB.n82ap.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>RecoveryMode</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/all_flash/all_flash.n82ap.production/recoverymode.s5l8900x.img3</string>
+			<key>IV</key>
+			<string>1007fd4b6d504082573ae48d96fa88e7</string>
+			<key>Key</key>
+			<string>94bd127dfec81a27a486d599b821875e</string>
+		</dict>
+		<key>Restore Ramdisk</key>
+		<dict>
+			<key>File</key>
+			<string>018-3783-2.dmg</string>
+			<key>Patch</key>
+			<string>018-3783-2.patch</string>
+			<key>Patch2</key>
+			<string>018-3783-2-nowipe.patch</string>
+			<key>IV</key>
+			<string>29681f625d1f61271ec3116601b8bcde</string>
+			<key>Key</key>
+			<string>850afc271132d15ae6989565567e65bf</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>iBEC</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/dfu/iBEC.n82ap.RELEASE.dfu</string>
+			<key>Patch</key>
+			<string>iBEC.n82ap.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>iBSS</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/dfu/iBSS.n82ap.RELEASE.dfu</string>
+			<key>Patch</key>
+			<string>iBSS.n82ap.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>WTF</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/dfu/WTF.n82ap.RELEASE.dfu</string>
+			<key>Patch</key>
+			<string>WTF.n82ap.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>WTF 2</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/dfu/WTF.s5l8900xall.RELEASE.dfu</string>
+			<key>Patch</key>
+			<string>WTF.s5l8900xall.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>iBoot</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/all_flash/all_flash.n82ap.production/iBoot.n82ap.RELEASE.img3</string>
+			<key>Patch</key>
+			<string>iBoot.n82ap.RELEASE.patch</string>
+			<key>IV</key>
+			<string>38d71e258626bbfe04d4657b25f6b054</string>
+			<key>Key</key>
+			<string>872781af5cb0878b9a8f79d604bf6bd8</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+	</dict>
+	<key>PreInstalledPackages</key>
+	<array>
+		<string>com.apptapp.Installer2</string>
+		<string>org.saurik.cydia2</string>
+	</array>
+	<key>RestoreRamdiskMountVolume</key>
+	<string>ramdisk</string>
+	<key>RootFilesystem</key>
+	<string>018-3782-2.dmg</string>
+	<key>RootFilesystemUsedSpace</key>
+	<integer>438</integer>
+	<key>RootFilesystemSize</key>
+	<integer>500</integer>
+	<key>RamdiskSize</key>
+	<integer>25</integer>
+	<key>RootFilesystemKey</key>
+	<string>2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755</string>
+	<key>RootFilesystemMountVolume</key>
+	<string>BigBear5A347.N82OS</string>
+	<key>SHA1</key>
+	<string>af9506ca0034e462674f9f59c5406f159eaf9fc1</string>
+	<key>Filename</key>
+	<string>iPhone1,2_2.0_5A347_Restore.ipsw</string>
+	<key>Name</key>
+	<string>iPhone1,2_2.0_5A347</string>
+	<key>Platform</key>
+	<integer>3</integer>
+</dict>
+</plist>

ipsw-patch/FirmwareBundles/iPod1,1_2.0_5A225c.bundle/Info.plist

@@ -1,150 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>FilesystemPatches</key>
-	<dict>
-		<key>Core Files Installation</key>
-		<array>
-			<dict>
-				<key>Action</key>
-				<string>ReplaceKernel</string>
-				<key>File</key>
-				<string>kernelcache.release.s5l8900x</string>
-				<key>Name</key>
-				<string>KernelCache</string>
-				<key>Path</key>
-				<string>System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8900x</string>
-			</dict>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>usr/libexec/lockdownd</string>
-				<key>Name</key>
-				<string>Lockdownd Patch</string>
-				<key>Patch</key>
-				<string>lockdownd.patch</string>
-			</dict>
-		</array>
-		<key>Filesystem Jailbreak</key>
-		<array>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>etc/fstab</string>
-				<key>Name</key>
-				<string>Filesystem Write Access</string>
-				<key>Patch</key>
-				<string>fstab.patch</string>
-			</dict>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>System/Library/Lockdown/Services.plist</string>
-				<key>Name</key>
-				<string>Apple File Connection v2</string>
-				<key>Patch</key>
-				<string>Services.plist.patch</string>
-			</dict>
-		</array>
-	</dict>
-	<key>FirmwarePatches</key>
-	<dict>
-		<key>AppleLogo</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/applelogo.img2</string>
-		</dict>
-		<key>DeviceTree</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/DeviceTree.n45ap.img2</string>
-			<key>Patch</key>
-			<string>DeviceTree.n45ap.patch</string>
-			<key>TypeFlag</key>
-			<integer>1</integer>
-		</dict>
-		<key>KernelCache</key>
-		<dict>
-			<key>File</key>
-			<string>kernelcache.release.s5l8900x</string>
-			<key>Patch</key>
-			<string>kernelcache.release.patch</string>
-			<key>TypeFlag</key>
-			<integer>4</integer>
-		</dict>
-		<key>LLB</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/LLB.n45ap.RELEASE.img2</string>
-		</dict>
-		<key>RecoveryMode</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/recoverymode.s5l8900x.img2</string>
-		</dict>
-		<key>Restore Ramdisk</key>
-		<dict>
-			<key>File</key>
-			<string>018-3476-4.dmg</string>
-			<key>Patch</key>
-			<string>018-3476-4.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBEC</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/dfu/iBEC.n45ap.RELEASE.dfu</string>
-			<key>Patch</key>
-			<string>iBEC.n45ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBSS</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/dfu/iBSS.n45ap.RELEASE.dfu</string>
-			<key>Patch</key>
-			<string>iBSS.n45ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>8</integer>
-		</dict>
-		<key>iBoot</key>
-		<dict>
-			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/iBoot.n45ap.RELEASE.img2</string>
-			<key>Patch</key>
-			<string>iBoot.n45ap.RELEASE.patch</string>
-			<key>TypeFlag</key>
-			<integer>1</integer>
-		</dict>
-	</dict>
-	<key>PreInstalledPackages</key>
-	<array>
-		<string>org.iphone-dev.bsd.subsystem</string>
-		<string>org.iphone-dev.OpenSSH</string>
-	</array>
-	<key>RestoreRamdiskMountVolume</key>
-	<string>ramdisk</string>
-	<key>RootFilesystem</key>
-	<string>018-3474-4.dmg</string>
-	<key>RootFilesystemFreeSpace</key>
-	<integer>190304256</integer>
-	<key>RootFilesystemKey</key>
-	<string>EA14F3EC624C7FDBD52E108AA92D13B16F6B0B940C841F7BBC7792099DAE45DA928D13E7</string>
-	<key>RootFilesystemMountVolume</key>
-	<string>Vail5A225c.iPodtouchDeveloperBundle</string>
-	<key>RootFilesystemResize</key>
-	<string>500m</string>
-	<key>SHA1</key>
-	<string>36FA9F8C1392FA0041CBEDC338EA34D58F8B87EC</string>
-	<key>Version</key>
-	<string>iPod1,1_2.0_5A225c</string>
-	<key>iPwnerAvailable</key>
-	<false/>
-</dict>
-</plist>

ipsw-patch/FirmwareBundles/iPod1,1_2.0_5A347.bundle/Info.plist

@@ -16,16 +16,6 @@
 				<key>Path</key>
 				<string>System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8900x</string>
 			</dict>
-			<dict>
-				<key>Action</key>
-				<string>Patch</string>
-				<key>File</key>
-				<string>usr/libexec/lockdownd</string>
-				<key>Name</key>
-				<string>Lockdownd Patch</string>
-				<key>Patch</key>
-				<string>lockdownd.patch</string>
-			</dict>
 		</array>
 		<key>Filesystem Jailbreak</key>
 		<array>
@@ -56,16 +46,24 @@
 		<key>AppleLogo</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/applelogo.img2</string>
+			<string>Firmware/all_flash/all_flash.n45ap.production/applelogo.s5l8900x.img3</string>
+			<key>IV</key>
+			<string>5d1c8f19b86411f032d647de174ca7cd</string>
+			<key>Key</key>
+			<string>94bf8963c8ef945e919adb1ee38f8d74</string>
 		</dict>
 		<key>DeviceTree</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/DeviceTree.n45ap.img2</string>
+			<string>Firmware/all_flash/all_flash.n45ap.production/DeviceTree.n45ap.img3</string>
 			<key>Patch</key>
 			<string>DeviceTree.n45ap.patch</string>
+			<key>IV</key>
+			<string>45e941e4b6f9e7c61062142069877101</string>
+			<key>Key</key>
+			<string>a8a2aaf7bb841311bab17728d157d7da</string>
 			<key>TypeFlag</key>
-			<integer>1</integer>
+			<integer>8</integer>
 		</dict>
 		<key>KernelCache</key>
 		<dict>
@@ -73,25 +71,43 @@
 			<string>kernelcache.release.s5l8900x</string>
 			<key>Patch</key>
 			<string>kernelcache.release.patch</string>
+			<key>IV</key>
+			<string>3525bab8a8375143469c5c6a4533d9bc</string>
+			<key>Key</key>
+			<string>e8a54cb7b34773d67a2e6540c588129f</string>
 			<key>TypeFlag</key>
 			<integer>4</integer>
 		</dict>
 		<key>LLB</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/LLB.n45ap.RELEASE.img2</string>
+			<string>Firmware/all_flash/all_flash.n45ap.production/LLB.n45ap.RELEASE.img3</string>
+			<key>Patch</key>
+			<string>LLB.n45ap.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
 		</dict>
 		<key>RecoveryMode</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/recoverymode.s5l8900x.img2</string>
+			<string>Firmware/all_flash/all_flash.m68ap.production/recoverymode.s5l8900x.img3</string>
+			<key>IV</key>
+			<string>1007fd4b6d504082573ae48d96fa88e7</string>
+			<key>Key</key>
+			<string>94bd127dfec81a27a486d599b821875e</string>
 		</dict>
 		<key>Restore Ramdisk</key>
 		<dict>
 			<key>File</key>
-			<string>018-3556-6.dmg</string>
+			<string>018-3783-2.dmg</string>
 			<key>Patch</key>
-			<string>018-3556-6.patch</string>
+			<string>018-3783-2.patch</string>
+			<key>Patch2</key>
+			<string>018-3783-2-nowipe.patch</string>
+			<key>IV</key>
+			<string>29681f625d1f61271ec3116601b8bcde</string>
+			<key>Key</key>
+			<string>850afc271132d15ae6989565567e65bf</string>
 			<key>TypeFlag</key>
 			<integer>8</integer>
 		</dict>
@@ -113,38 +129,64 @@
 			<key>TypeFlag</key>
 			<integer>8</integer>
 		</dict>
+		<key>WTF</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/dfu/WTF.n45ap.RELEASE.dfu</string>
+			<key>Patch</key>
+			<string>WTF.n45ap.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
+		<key>WTF 2</key>
+		<dict>
+			<key>File</key>
+			<string>Firmware/dfu/WTF.s5l8900xall.RELEASE.dfu</string>
+			<key>Patch</key>
+			<string>WTF.s5l8900xall.RELEASE.patch</string>
+			<key>TypeFlag</key>
+			<integer>8</integer>
+		</dict>
 		<key>iBoot</key>
 		<dict>
 			<key>File</key>
-			<string>Firmware/all_flash/all_flash.n45ap.production/iBoot.n45ap.RELEASE.img2</string>
+			<string>Firmware/all_flash/all_flash.n45ap.production/iBoot.n45ap.RELEASE.img3</string>
 			<key>Patch</key>
 			<string>iBoot.n45ap.RELEASE.patch</string>
+			<key>IV</key>
+			<string>cdb10c7743b9480ce64cf902b6ce0f05</string>
+			<key>Key</key>
+			<string>e2f7a77e406653e3ad0306b6fd3afe63</string>
 			<key>TypeFlag</key>
-			<integer>1</integer>
+			<integer>8</integer>
 		</dict>
 	</dict>
 	<key>PreInstalledPackages</key>
 	<array>
-		<string>org.iphone-dev.bsd.subsystem</string>
-		<string>org.iphone-dev.OpenSSH</string>
+		<string>com.apptapp.Installer2</string>
+		<string>org.saurik.cydia2</string>
 	</array>
 	<key>RestoreRamdiskMountVolume</key>
 	<string>ramdisk</string>
 	<key>RootFilesystem</key>
-	<string>018-3554-6.dmg</string>
-	<key>RootFilesystemFreeSpace</key>
-	<integer>142462976</integer>
+	<string>018-3787-1.dmg</string>
+	<key>RootFilesystemUsedSpace</key>
+	<integer>430</integer>
+	<key>RootFilesystemSize</key>
+	<integer>500</integer>
+	<key>RamdiskSize</key>
+	<integer>25</integer>
 	<key>RootFilesystemKey</key>
-	<string>E24BFAB40A2E5D3DC25E089291846E5615B640897AE8B424946C587BCF53B201A1041D36</string>
+	<string>2CFCA55AABB22FDE7746E6A034F738B7795458BE9902726002A8341995558990F41E3755</string>
 	<key>RootFilesystemMountVolume</key>
-	<string>Vail5A240d.iPodtouchDeveloperBundle</string>
-	<key>RootFilesystemResize</key>
-	<string>500m</string>
+	<string>BigBear5A347.N45OS</string>
 	<key>SHA1</key>
-	<string>E0C84F98B09F23B0AE5308B94E065A6659A68043</string>
-	<key>Version</key>
-	<string>iPod1,1_2.0_5A240d</string>
-	<key>iPwnerAvailable</key>
-	<false/>
+	<string>ae82798e85f9953b0f4798bad36187cb020c9d22</string>
+	<key>Filename</key>
+	<string>iPod1,1_2.0_5A347_Restore.ipsw</string>
+	<key>Name</key>
+	<string>iPod1,1_2.0_5A347</string>
+	<key>Platform</key>
+	<integer>2</integer>
 </dict>
 </plist>

ipsw-patch/main.c

@@ -210,11 +210,32 @@ int main(int argc, char* argv[]) {
 			ramdiskFSPathInIPSW = fileValue->value;
 		}
 
+		StringValue* keyValue = (StringValue*) getValueByKey(patchDict, "Key");
+		StringValue* ivValue = (StringValue*) getValueByKey(patchDict, "IV");
+		uint8_t key[16];
+		uint8_t iv[16];
+		uint8_t* pKey = NULL;
+		uint8_t* pIV = NULL;
+
+		if(keyValue) {
+			sscanf(keyValue->value, "%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx",
+				&key[0], &key[1], &key[2], &key[3], &key[4], &key[5], &key[6], &key[7], &key[8],
+				&key[9], &key[10], &key[11], &key[12], &key[13], &key[14], &key[15]);
+			pKey = key;
+		}
+
+		if(ivValue) {
+			sscanf(ivValue->value, "%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx",
+				&iv[0], &iv[1], &iv[2], &iv[3], &iv[4], &iv[5], &iv[6], &iv[7], &iv[8],
+				&iv[9], &iv[10], &iv[11], &iv[12], &iv[13], &iv[14], &iv[15]);
+			pIV = iv;
+		}
+
 		patchValue = (StringValue*) getValueByKey(patchDict, "Patch2");
 		if(patchValue) {
 			if(!noBB) {
 				printf("%s: ", patchDict->dValue.key); fflush(stdout);
-				doPatch(patchValue, fileValue, bundlePath, &outputState);
+				doPatch(patchValue, fileValue, bundlePath, &outputState, pKey, pIV);
 				patchDict = (Dictionary*) patchDict->dValue.next;
 				continue; /* skip over the normal Patch */
 			}
@@ -223,7 +244,7 @@ int main(int argc, char* argv[]) {
 		patchValue = (StringValue*) getValueByKey(patchDict, "Patch");
 		if(patchValue) {
 			printf("%s: ", patchDict->dValue.key); fflush(stdout);
-			doPatch(patchValue, fileValue, bundlePath, &outputState);
+			doPatch(patchValue, fileValue, bundlePath, &outputState, pKey, pIV);
 		}
 		
 		if(strcmp(patchDict->dValue.key, "AppleLogo") == 0 && applelogo) {
@@ -244,8 +265,9 @@ int main(int argc, char* argv[]) {
 	fileValue = (StringValue*) getValueByKey(info, "RootFilesystem");
 	rootFSPathInIPSW = fileValue->value;
 		
-	sscanf(((StringValue*) getValueByKey(info, "RootFilesystemResize"))->value, "%d", &rootSize);
+	rootSize = ((IntegerValue*) getValueByKey(info, "RootFilesystemSize"))->value;
 	rootSize *= 1024 * 1024;
+	rootSize -= 47438 * 512;
 	buffer = malloc(rootSize);
 
 	extractDmg(
@@ -287,7 +309,9 @@ int main(int argc, char* argv[]) {
 	}
 	
 	for(; mergePaths < argc; mergePaths++) {
-		addall_hfs(rootVolume, argv[mergePaths], "/");
+		AbstractFile* tarFile = createAbstractFileFromFile(fopen(argv[mergePaths], "rb"));
+		hfs_untar(rootVolume, tarFile);
+		tarFile->close(tarFile);
 	}
 	
 	if(doBootNeuter) {

ipsw-patch/pwnutil.c

@@ -113,7 +113,7 @@ Dictionary* parseIPSW(const char* inputIPSW, const char* bundleRoot, char** bund
 	return info;
 }
 
-int doPatch(StringValue* patchValue, StringValue* fileValue, const char* bundlePath, OutputState** state) {
+int doPatch(StringValue* patchValue, StringValue* fileValue, const char* bundlePath, OutputState** state, uint8_t* key, uint8_t* iv) {
 	char* patchPath;
 	size_t bufferSize;
 	void* buffer;
@@ -135,9 +135,17 @@ int doPatch(StringValue* patchValue, StringValue* fileValue, const char* bundleP
 	
 	bufferSize = 0;
 
-	out = duplicateAbstractFile(getFileFromOutputState(state, fileValue->value), createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize));
-	
-	file = openAbstractFile(getFileFromOutputState(state, fileValue->value));
+	if(key != NULL) {
+		out = duplicateAbstractFile2(getFileFromOutputState(state, fileValue->value), createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize), key, iv, NULL);
+	} else {
+		out = duplicateAbstractFile(getFileFromOutputState(state, fileValue->value), createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize));
+	}
+
+	if(key != NULL) {
+		file = openAbstractFile2(getFileFromOutputState(state, fileValue->value), key, iv);
+	} else {
+		file = openAbstractFile(getFileFromOutputState(state, fileValue->value));
+	}
 	
 	if(!patchFile || !file || !out) {
 		printf("file error\n");
@@ -148,6 +156,13 @@ int doPatch(StringValue* patchValue, StringValue* fileValue, const char* bundleP
 		printf("patch failed\n");
 		exit(0);
 	}
+
+	if(strstr(fileValue->value, "WTF.s5l8900xall.RELEASE")) {
+		printf("Exploiting 8900 vulnerability... ;)\n");
+		AbstractFile* exploited = createAbstractFileFrom8900(createAbstractFileFromMemoryFile((void**)&buffer, &bufferSize));
+		exploit8900(exploited);
+		exploited->close(exploited);
+	}
 	
 	printf("writing... "); fflush(stdout);