Ex-Chronic Dev Team member pod2g has just discovered another exploit (his fourth) that will pwn iPod touch 2Gfor life! It’s called the usb_control_msg(0xA1, 1) Exploit. The exploit is different from the SHAtterexploit which is expected to jailbreak iOS 4.1 on the newer iPhone 4 / iPod touch 4G and iPad. It is a buffer overflow that is triggered when a USB control message of the type 0xA1.. oh screw it, if you’re the techy type, you can just read the quote below to see how it works.
All I know is: it will pwn iPod touch 2G (MC Model) for here on till eternity, just like iPhone 3G and iPod touch 2G (Non-MC Model).
A heap overflow exists in the iPod touch 2G (both old and new) bootrom’s DFU Mode when sending a USB control message of request type 0xA1, request 0x1.
On newer devices, the same USB message triggers a double free() when the image upload is marked as finished, also rebooting the device (but that’s not exploitable because the double free() happens in a row). posixninja analyzed and explained this one.