The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Brick"
(some wording clarification; adding link) |
Johndoe123 (talk | contribs) (removed internal firmware) |
||
(32 intermediate revisions by 10 users not shown) | |||
Line 1: | Line 1: | ||
− | A '''bricked''' device is a device that does not work |
+ | A '''bricked''' device is a device that does not work. The direct metaphorical meaning is that the device is permanently damaged (making it as useless as a brick), but people use the term "bricked" for non-working conditions which range from easy to fix (such as a failed update) to impossible to fix (such as damaged baseband memory). A phone may be called "bricked" if it will not boot, will not respond to input, will not make calls, etc. |
− | == |
+ | == Difficulty of bricking an iOS device == |
− | One way to irreversibly brick your device in software is to flash an invalid [[Baseband Bootloader|baseband bootloader]], provided it has a baseband. Most other bad flash scenarios are recoverable some way or another. It is impossible to brick your device simply by [[jailbreak]]ing it and installing normal software via Cydia, since you can use [[DFU Mode]] to restore it. |
||
+ | Using a jailbreaking tool cannot put a device into an unusable state on its own - if something goes wrong while jailbreaking, putting the device into [[DFU Mode]] will allow you to restore it via iTunes. Installing software via Cydia also cannot cause an unrecoverable state (unless very specifically designed to do so by a malicious person, which has not been seen "in the wild"). Other than that specific exception, if something goes wrong, DFU mode will still work. |
||
− | If you purposefully erase / zero out your [[NOR]], then you will even have trouble doing a DFU restore because important information from the SysCfg section will not be available. [http://www.reddit.com/r/jailbreak/comments/1m3jo6/how_much_torture_kernel_user_based_etc_would_it/cc5g8nj See winocm's explanation of one way to brick a device.] |
||
− | == |
+ | == Types of "bricking" that can be easily fixed (not really "bricking") == |
+ | === Installing stock iOS on a device with a preserved baseband === |
||
− | Another recent way to brick the baseband is by installing baseband [[06.15.00]] on an incompatible device. [[redsn0w]] has an option to install this baseband on the [[N82ap|iPhone 3G]] or [[N88ap|iPhone 3GS]] in order to get a baseband version that is unlockable with [[ultrasn0w]]. This is a nice way to get an unlock, because the [[K48ap|iPad]], the [[N82ap|iPhone 3G]] and the [[N88ap|iPhone 3GS]] all share the same [[Baseband Device]], but the [[K48ap|iPad]] has a newer version number in its baseband. That way people can actually downgrade by installing a higher version (there are no [[APTicket]] checks in these devices). This has known side-effects, like losing [[GPS]] functionality (this baseband comes from an iPad which has [[GPS]] not or differently implemented). |
||
+ | Early unlock solutions could result in unusable (but recoverable) phones after installing an iOS update if you didn't take special steps. For people who used [[redsn0w]] to install the iPad baseband ([[06.15.00]]) on a compatible iPhone 3G or iPhone 3GS so that they could use [[ultrasn0w]] to carrier unlock it, upgrading or restoring iOS using "stock" (normal) IPSWs would make the phone unusable - until you made and restored a "custom" IPSW without a baseband update ([http://www.jailbreakqa.com/faq#32532 instructions]), and then reinstalled the iPad baseband using redsn0w. Avoiding doing a stock upgrade/restore (upgrading or restoring iOS using a "custom" IPSW) avoided this problem. |
||
− | Now bricking a [[N88ap|iPhone 3GS]] baseband is possible with this method. In fall 2011 Apple replaced the [[NOR]] flash. It is not clear if this was done intentionally to prevent this method. Previous type was 36my1ee and they changed it to 36my1eh, 36my1eg. (Please note that there was '''no''' switch to Toshiba baseband devices as some sources on the Internet still tell.) These new [[NOR]] flash chips seem to work with the newer baseband versions in the [[N88ap|iPhone 3GS]], but are not supported with the old [[06.15.00]] baseband. Therefore installing this version will brick your device if you have a new [[NOR]] flash, as you (currently) cannot go back and install anything else. To check before installation, check the version number, as it reveals the production year/week in the digits 3...5. Week 34/2011 appears safe so far, 35 seems iffy, 36 seems iffy, 37 is not safe. Or open the device and check the chip type. |
||
+ | |||
+ | === Intentionally modifying key parts of iOS: changing NVRAM variables to invalid values === |
||
+ | |||
+ | In {{date|2015|02}}, [http://dayt0n.github.io/articles/dclr-override/ researchers released information] about how to change an [[NOR (NVRAM)|nvram]] variable called <code>DClr_override</code>. If this is changed to an invalid value for the device (valid values are not the same on all devices), and the device is rebooted, the device will not be able to boot. iOS 8.3 beta 4 (released in {{date|2015|03}}) [https://twitter.com/xerub/status/581744991229374464 removes the DClr_override variable], and later iOS versions will probably omit it as well. This means that restoring a device to iOS 8.3 beta 4 (or later) will fix the device, rendering it bootable once again. |
||
+ | |||
+ | === Wiping the iBoot Partition === |
||
+ | If you wipe the iBoot Partition, It will render the device unbootable. An easy way to do this is flash an [[InternalUI Builds|Internal UI Build]] and go to Settings/Internal Settings/CoreOS and press "Brick Device". This will wipe the iBoot Partition, along with the firmware. This is recoverable by restoring the device, as the device will be in DFU mode. |
||
+ | |||
+ | == Types of bricking that may be hard to fix == |
||
+ | |||
+ | === Changing MAC address to invalid address === |
||
+ | |||
+ | If you change your device's MAC address to something invalid (for example if you're attempting to change your [[UDID]]), your internet won't work again until you fix the MAC address (using MobileTerminal or similar). This persists even if you restore -- so you can make this really really hard to fix if you restore and there's no jailbreak available, if the available jailbreaks don't include afc2 and other workarounds aren't working, etc. [http://www.jailbreakqa.com/questions/277646/stuck-after-mac-address-change-can-i-revive-it Here's a JailbreakQA thread about this] and [http://www.jailbreakqa.com/questions/211048/how-to-install-afc2add-without-using-wi-fi-in-a-jailbroken-ipad-3-with-704 another one]. |
||
+ | |||
+ | === Intentionally modifying key parts of iOS: other ways === |
||
+ | |||
+ | If you purposefully erase / zero out your [[NOR]], then you will have trouble doing a DFU restore because important information from the [[NOR (SysCfg)|SysCfg]] section will not be available. |
||
+ | |||
+ | [http://www.reddit.com/r/jailbreak/comments/1m3jo6/how_much_torture_kernel_user_based_etc_would_it/cc5g8nj See winocm's explanation of several related ways to brick a device]: |
||
+ | |||
+ | <blockquote> |
||
+ | * Erase SysCfg/replace it with 0xFFs. |
||
+ | * Destroy the 'SrNm' tag in the SysCfg, it won't activate then. |
||
+ | * Set all clock gates enabled and set PLL frequencies to mad numbers, THIS WILL DAMAGE THE HARDWARE. |
||
+ | * Run constant NAND stress tests to wear out NAND pages. |
||
+ | * Set the 'display-timing' nvram variable to some other garbage. iPod touch (2nd generation)/(3rd generation) does weird things with that. |
||
+ | |||
+ | If you know how the hardware works, this can be done from an iBoot/kernel level. |
||
+ | </blockquote> |
||
+ | |||
+ | === Making the wrong modifications to the baseband === |
||
+ | |||
+ | One way to irreversibly brick a device in software is to flash an invalid [[Baseband Bootloader|baseband bootloader]], provided it has a baseband. Most other bad flash scenarios are recoverable some way or another. |
||
+ | |||
+ | Another way to brick the baseband is by installing baseband [[06.15.00]] on an incompatible device. [[redsn0w]] has an option to install this baseband on the [[N82AP|iPhone 3G]] or [[N88AP|iPhone 3GS]] in order to get a baseband version that is unlockable with [[ultrasn0w]]. This is a nice way to get an unlock, because the [[K48AP|iPad]], the [[N82AP|iPhone 3G]] and the [[N88AP|iPhone 3GS]] all share the same [[Baseband Device]], but the [[K48AP|iPad]] has a newer version number in its baseband. That way people can actually downgrade by installing a higher version (there are no [[APTicket]] checks in these devices). This has known side effects, like losing [[GPS]] functionality (this baseband comes from an iPad, which has a different GPS module). |
||
+ | |||
+ | It was possible to brick an [[N88AP|iPhone 3GS]] with this method. In fall 2011, Apple replaced the [[NOR]] flash, which rendered the aforementioned 06.15.00 trick useless. The previous type of NOR was marked 36MY1EE, and they switched to 36MY1EG and 36MY1EH. These new [[NOR]] flash chips seem to work with the newer baseband versions in the [[N88AP|iPhone 3GS]], but are not supported with the old [[06.15.00]] baseband. Therefore installing this version will brick your device if you have a newer [[NOR]] flash, as you (currently) cannot go back and install anything else. To check before installation, you can try checking the serial number, which reveals the production year/week in the first 3-5 digits. 2011 week 34 appears safe, while weeks 35 and 36 seem iffy, and week 37 is not safe. Ultimately, the most sure-fire way would be to open the device and check the chip type. |
||
+ | |||
+ | === Changing the system time to the Unix epoch === |
||
+ | |||
+ | Setting the system time to the Unix epoch ({{date|1970|01|01}}) and attempting to reboot the device almost irreversibly bricks it. Normally, without a jailbreak, setting the time like this isn't possible with the Settings app, although it used to be possible before iOS 9.3.1. However, as the root user or with the com.apple.timed key set to "YES" in an executable's entitlements, using the settimeofday() system call in unsandboxed software allows the system time to be changed to the Unix epoch by setting tv_sec and tv_usec in a timeval struct (which is passed as the first argument) to 0. When the device attempts to boot with the time set, it will fail to boot. This cannot be fixed normally with [[Recovery Mode]] or [[DFU Mode]]. Disconnecting and then reconnecting the battery resets the time which fixes this. Another way to fix this, is by waiting for the battery to fully deplete, which also resets the time. |
Latest revision as of 13:38, 24 September 2021
A bricked device is a device that does not work. The direct metaphorical meaning is that the device is permanently damaged (making it as useless as a brick), but people use the term "bricked" for non-working conditions which range from easy to fix (such as a failed update) to impossible to fix (such as damaged baseband memory). A phone may be called "bricked" if it will not boot, will not respond to input, will not make calls, etc.
Contents
Difficulty of bricking an iOS device
Using a jailbreaking tool cannot put a device into an unusable state on its own - if something goes wrong while jailbreaking, putting the device into DFU Mode will allow you to restore it via iTunes. Installing software via Cydia also cannot cause an unrecoverable state (unless very specifically designed to do so by a malicious person, which has not been seen "in the wild"). Other than that specific exception, if something goes wrong, DFU mode will still work.
Types of "bricking" that can be easily fixed (not really "bricking")
Installing stock iOS on a device with a preserved baseband
Early unlock solutions could result in unusable (but recoverable) phones after installing an iOS update if you didn't take special steps. For people who used redsn0w to install the iPad baseband (06.15.00) on a compatible iPhone 3G or iPhone 3GS so that they could use ultrasn0w to carrier unlock it, upgrading or restoring iOS using "stock" (normal) IPSWs would make the phone unusable - until you made and restored a "custom" IPSW without a baseband update (instructions), and then reinstalled the iPad baseband using redsn0w. Avoiding doing a stock upgrade/restore (upgrading or restoring iOS using a "custom" IPSW) avoided this problem.
Intentionally modifying key parts of iOS: changing NVRAM variables to invalid values
In February 2015, researchers released information about how to change an nvram variable called DClr_override
. If this is changed to an invalid value for the device (valid values are not the same on all devices), and the device is rebooted, the device will not be able to boot. iOS 8.3 beta 4 (released in March 2015) removes the DClr_override variable, and later iOS versions will probably omit it as well. This means that restoring a device to iOS 8.3 beta 4 (or later) will fix the device, rendering it bootable once again.
Wiping the iBoot Partition
If you wipe the iBoot Partition, It will render the device unbootable. An easy way to do this is flash an Internal UI Build and go to Settings/Internal Settings/CoreOS and press "Brick Device". This will wipe the iBoot Partition, along with the firmware. This is recoverable by restoring the device, as the device will be in DFU mode.
Types of bricking that may be hard to fix
Changing MAC address to invalid address
If you change your device's MAC address to something invalid (for example if you're attempting to change your UDID), your internet won't work again until you fix the MAC address (using MobileTerminal or similar). This persists even if you restore -- so you can make this really really hard to fix if you restore and there's no jailbreak available, if the available jailbreaks don't include afc2 and other workarounds aren't working, etc. Here's a JailbreakQA thread about this and another one.
Intentionally modifying key parts of iOS: other ways
If you purposefully erase / zero out your NOR, then you will have trouble doing a DFU restore because important information from the SysCfg section will not be available.
See winocm's explanation of several related ways to brick a device:
- Erase SysCfg/replace it with 0xFFs.
- Destroy the 'SrNm' tag in the SysCfg, it won't activate then.
- Set all clock gates enabled and set PLL frequencies to mad numbers, THIS WILL DAMAGE THE HARDWARE.
- Run constant NAND stress tests to wear out NAND pages.
- Set the 'display-timing' nvram variable to some other garbage. iPod touch (2nd generation)/(3rd generation) does weird things with that.
If you know how the hardware works, this can be done from an iBoot/kernel level.
Making the wrong modifications to the baseband
One way to irreversibly brick a device in software is to flash an invalid baseband bootloader, provided it has a baseband. Most other bad flash scenarios are recoverable some way or another.
Another way to brick the baseband is by installing baseband 06.15.00 on an incompatible device. redsn0w has an option to install this baseband on the iPhone 3G or iPhone 3GS in order to get a baseband version that is unlockable with ultrasn0w. This is a nice way to get an unlock, because the iPad, the iPhone 3G and the iPhone 3GS all share the same Baseband Device, but the iPad has a newer version number in its baseband. That way people can actually downgrade by installing a higher version (there are no APTicket checks in these devices). This has known side effects, like losing GPS functionality (this baseband comes from an iPad, which has a different GPS module).
It was possible to brick an iPhone 3GS with this method. In fall 2011, Apple replaced the NOR flash, which rendered the aforementioned 06.15.00 trick useless. The previous type of NOR was marked 36MY1EE, and they switched to 36MY1EG and 36MY1EH. These new NOR flash chips seem to work with the newer baseband versions in the iPhone 3GS, but are not supported with the old 06.15.00 baseband. Therefore installing this version will brick your device if you have a newer NOR flash, as you (currently) cannot go back and install anything else. To check before installation, you can try checking the serial number, which reveals the production year/week in the first 3-5 digits. 2011 week 34 appears safe, while weeks 35 and 36 seem iffy, and week 37 is not safe. Ultimately, the most sure-fire way would be to open the device and check the chip type.
Changing the system time to the Unix epoch
Setting the system time to the Unix epoch (1 January 1970) and attempting to reboot the device almost irreversibly bricks it. Normally, without a jailbreak, setting the time like this isn't possible with the Settings app, although it used to be possible before iOS 9.3.1. However, as the root user or with the com.apple.timed key set to "YES" in an executable's entitlements, using the settimeofday() system call in unsandboxed software allows the system time to be changed to the Unix epoch by setting tv_sec and tv_usec in a timeval struct (which is passed as the first argument) to 0. When the device attempts to boot with the time set, it will fail to boot. This cannot be fixed normally with Recovery Mode or DFU Mode. Disconnecting and then reconnecting the battery resets the time which fixes this. Another way to fix this, is by waiting for the battery to fully deplete, which also resets the time.