Difference between revisions of "Bootrom"
m (→S5L8942, used in the iPad 2 (iPad2,4), Apple TV (3rd generation) (AppleTV3,1), iPod touch (5th generation), and iPad mini) |
m |
||
(24 intermediate revisions by 7 users not shown) | |||
Line 2: | Line 2: | ||
== Old & New bootrom == |
== Old & New bootrom == |
||
− | Certain models, including the [[N72AP|iPod touch (2nd generation)]] and [[N88AP|iPhone 3GS]], have different bootrom versions. These are most commonly referred to with the terms "old bootrom" and "new bootrom." These "new bootrom" devices were released after [[Timeline# |
+ | Certain models, including the [[N72AP|iPod touch (2nd generation)]] and [[N88AP|iPhone 3GS]], have different bootrom versions. These are most commonly referred to with the terms "old bootrom" and "new bootrom." These "new bootrom" devices were released after [[Timeline#September_13|{{date|2009|09|09}}]] and have the [[0x24000 Segment Overflow]] fixed. While the new bootrom revisions have an exploit, the exploit needs the assistance of a firmware-based exploit to achieve an [[untethered jailbreak]]. |
You might also be looking for [[iBoot (Bootloader)|Apple's stage 2 bootloader]], which also uses the "iBoot" name. |
You might also be looking for [[iBoot (Bootloader)|Apple's stage 2 bootloader]], which also uses the "iBoot" name. |
||
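Review bot: the added sentence "While the new bootrom revisions have an exploit, the exploit needs the assistance of a firmware-based exploit" never says which exploit is meant; name it or link the Bootrom Exploits section so a reader can tell which entry of that list applies to the new-bootrom revisions 240.5.1 and 359.3.2.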
Line 45: | Line 45: | ||
* [[Limera1n Exploit]] up to 574.4 |
* [[Limera1n Exploit]] up to 574.4 |
||
* [[SHA-1 Image Segment Overflow|SHAtter]] up to 574.4 |
* [[SHA-1 Image Segment Overflow|SHAtter]] up to 574.4 |
||
+ | * [[Checkm8 Exploit]] up to 3401.0.0.1.16 |
||
== Revisions == |
== Revisions == |
||
Line 55: | Line 56: | ||
* [[Bootrom 574.4]] in [[S5L8930]] |
* [[Bootrom 574.4]] in [[S5L8930]] |
||
* [[Bootrom 838.3]] in [[S5L8940]] |
* [[Bootrom 838.3]] in [[S5L8940]] |
||
− | * [[ |
+ | * [[ROM]] in [[S5L8942]] |
* [[Bootrom 1062.2]] in [[S5L8945]] |
* [[Bootrom 1062.2]] in [[S5L8945]] |
||
* [[Bootrom 1413.8]] in [[S5L8747]] |
* [[Bootrom 1413.8]] in [[S5L8747]] |
||
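Review bot: the new entry `* [[ROM]] in [[S5L8942]]` breaks the `* [[Bootrom <version>]] in [[SoC]]` pattern every neighbouring line follows and links to a page named just "ROM", so it reads as an unfinished placeholder; either fill in the S5L8942 bootrom version or leave the entry out until it is known, rather than replacing the truncated `* [[` with another incomplete line.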
Line 73: | Line 74: | ||
* [[Bootrom 3135.0.0.2.3]] in [[T8011]] |
* [[Bootrom 3135.0.0.2.3]] in [[T8011]] |
||
* [[Bootrom 3332.0.0.1.23]] in [[T8015]] |
* [[Bootrom 3332.0.0.1.23]] in [[T8015]] |
||
+ | * [[Bootrom 3401.0.0.1.16]] in [[T8012]] |
||
− | |||
+ | * [[Bootrom 3865.0.0.4.7]] in [[T8020]] |
||
+ | * [[Bootrom 3988.0.0.2.12]] in [[T8006]] |
||
+ | * [[Bootrom 4172.0.0.100.14]] in [[T8027]] |
||
+ | * [[Bootrom 4479.0.0.100.4]] in [[T8030]] |
||
+ | * [[Bootrom 5281.0.0.100.45]] in [[T8101]] |
||
+ | * [[Bootrom 5281.0.0.300.17]] in [[T8301]] |
||
+ | * [[Bootrom 5540.0.0.400.2]] in [[T8103]] |
||
+ | * [[Bootrom 6338.0.0.200.19]] in [[T8110]] |
||
===[[S5L8900]], used in the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]]=== |
===[[S5L8900]], used in the [[M68AP|iPhone]], [[N45AP|iPod touch]], and [[N82AP|iPhone 3G]]=== |
||
Line 122: | Line 131: | ||
* [[Bootrom 1704.10]] |
* [[Bootrom 1704.10]] |
||
− | ===[[T7000]], used in the [[J42dAP|Apple TV |
+ | ===[[T7000]], used in the [[J42dAP|Apple TV HD]], [[HomePod]], [[iPad mini 4]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]], and [[N102AP|iPod touch (6th generation)]]=== |
* [[Bootrom 1992.0.0.1.19]] |
* [[Bootrom 1992.0.0.1.19]] |
||
Line 134: | Line 143: | ||
* [[Bootrom 2234.0.0.3.3]] |
* [[Bootrom 2234.0.0.3.3]] |
||
− | ===[[S8001]], used in the [[iPad Pro]]=== |
+ | ===[[S8001]], used in the [[iPad Pro (12.9-inch)]] and [[iPad Pro (9.7-inch)]]=== |
* [[Bootrom 2481.0.0.2.1]] |
* [[Bootrom 2481.0.0.2.1]] |
||
− | ===[[T8002]], used in the [[Apple Watch Series 1]] |
+ | ===[[T8002]], used in the [[Apple Watch Series 1]], [[Apple Watch Series 2]] and T1 MacBook Pros=== |
* [[Bootrom 2651.0.0.1.31]] |
* [[Bootrom 2651.0.0.1.31]] |
||
− | ===[[S8003]], used in the [[N71mAP|iPhone 6s]], [[N66mAP|iPhone 6s Plus]] and [[N69AP|iPhone SE]]=== |
+ | ===[[S8003]], used in the [[iPad (5th generation)]], [[N71mAP|iPhone 6s]], [[N66mAP|iPhone 6s Plus]] and [[N69AP|iPhone SE]]=== |
* [[Bootrom 2234.0.0.2.22]] |
* [[Bootrom 2234.0.0.2.22]] |
||
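Review bot: the S8001, T8002 and S8003 headings in this hunk drop the serial comma ("Apple Watch Series 2 and T1 MacBook Pros", "iPhone 6s Plus and iPhone SE") while the T7000 heading rewritten in the same change keeps it ("iPhone 6 Plus, and iPod touch (6th generation)"); pick one convention for the section headings.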
Line 146: | Line 155: | ||
* [[Bootrom 2651.0.0.3.3]] |
* [[Bootrom 2651.0.0.3.3]] |
||
− | ===[[ |
+ | ===[[T8006]], used in the [[Apple Watch Series 4]], [[Apple Watch Series 5]] and [[Apple Watch SE (1st generation)|Apple Watch SE]]=== |
+ | * [[Bootrom 3988.0.0.2.12]] |
||
+ | |||
+ | ===[[T8010]], used in the [[iPad (6th generation)]], [[iPad (7th generation)]], [[iPhone 7]], [[iPhone 7 Plus]] and [[iPod touch (7th generation)]]=== |
||
* [[Bootrom 2696.0.0.1.33]] |
* [[Bootrom 2696.0.0.1.33]] |
||
− | ===[[T8011]], used in the [[iPad Pro (10.5-inch)]], [[iPad Pro (12.9-inch |
+ | ===[[T8011]], used in the [[iPad Pro (10.5-inch)]], [[iPad Pro (12.9-inch) (2nd generation)]] and [[Apple TV 4K]]=== |
* [[Bootrom 3135.0.0.2.3]] |
* [[Bootrom 3135.0.0.2.3]] |
||
===[[T8015]], used in the [[iPhone 8]], [[iPhone 8 Plus]], and [[iPhone X]]=== |
===[[T8015]], used in the [[iPhone 8]], [[iPhone 8 Plus]], and [[iPhone X]]=== |
||
* [[Bootrom 3332.0.0.1.23]] |
* [[Bootrom 3332.0.0.1.23]] |
||
+ | |||
+ | ===[[T8012]], used in the iMac Pro and other T2 based Macs === |
||
+ | * [[Bootrom 3401.0.0.1.16]] |
||
+ | |||
+ | ===[[T8020]], used in the [[iPad (8th generation)]], [[iPad Air (3rd generation)]], [[iPad mini (5th generation)]], [[N841AP|iPhone XR]], [[D321AP|iPhone XS]] and [[iPhone XS Max]]=== |
||
+ | * [[Bootrom 3865.0.0.4.7]] |
||
+ | |||
+ | ===[[T8027]], used in the [[iPad Pro (11-inch)]], [[iPad Pro (12.9-inch) (3rd generation)]], [[iPad Pro (11-inch) (2nd generation)]] and [[iPad Pro (12.9-inch) (4th generation)]]=== |
||
+ | * [[Bootrom 4172.0.0.100.14]] |
||
+ | |||
+ | ===[[T8030]], used in the [[iPad (9th generation)]], [[iPhone 11]], [[iPhone 11 Pro]], [[iPhone 11 Pro Max]] and [[D79AP|iPhone SE (2nd generation)]]=== |
||
+ | * [[Bootrom 4479.0.0.100.4]] |
||
+ | |||
+ | ===[[T8101]], used in the [[iPad Air (4th generation)]], [[D52gAP|iPhone 12 mini]], [[D53gAP|iPhone 12]], [[D53pAP|iPhone 12 Pro]] and [[D54pAP|iPhone 12 Pro Max]]=== |
||
+ | * [[Bootrom 5281.0.0.100.45]] |
||
+ | |||
+ | ===[[T8301]], used in the [[Apple Watch Series 6]] and [[Apple Watch Series 7]]=== |
||
+ | * [[Bootrom 5281.0.0.300.17]] |
||
+ | |||
+ | ===[[T8103]], used in the [[iPad Pro (11-inch) (3rd generation)]], [[iPad Pro (12.9-inch) (5th generation)]] and [[List of Macs with Apple Silicon|M1 Macs]]=== |
||
+ | * [[Bootrom 5540.0.0.400.2]] |
||
+ | |||
+ | ===[[T8110]], used in the [[iPad mini (6th generation)]], [[D16AP|iPhone 13 mini]], [[D17AP|iPhone 13]], [[D63AP|iPhone 13 Pro]] and [[D64AP|iPhone 13 Pro Max]]=== |
||
+ | * [[Bootrom 6338.0.0.200.19]] |
||
== References == |
== References == |
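Review bot: the heading `===[[T8012]], used in the iMac Pro and other T2 based Macs ===` is the only one added here with a space before the closing `===` and the only one whose devices are not wikilinked; drop the space, write "T2-based", and link the devices the way the other new headings do. The T8006 section is also inserted between T8004 and T8010 by chip number although its bootrom (3988.0.0.2.12) is far later than theirs, which is fine if sections run by chip id, but the flat Revisions list above orders by bootrom number, so the two lists now read in different orders.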
Latest revision as of 00:50, 13 September 2022
The bootrom (called "SecureROM" by Apple) is the first significant code that runs on an iDevice. The bootrom is read-only. Finding an exploit at the bootrom level is a big achievement, since Apple cannot fix it without a hardware revision.
Contents
- 1 Old & New bootrom
- 2 Finding bootrom version
- 3 Dumping the bootrom
- 4 Bootrom Exploits
- 5 Revisions
- 5.1 S5L8900, used in the iPhone, iPod touch, and iPhone 3G
- 5.2 S5L8720, used in the iPod touch (2nd generation)
- 5.3 S5L8747, used in the Haywire
- 5.4 S5L8920, used in the iPhone 3GS
- 5.5 S5L8922, used in the iPod touch (3rd generation)
- 5.6 S5L8930, used in the iPad, iPhone 4, Apple TV (2nd generation), and iPod touch (4th generation)
- 5.7 S5L8940, used in the iPad 2 and iPhone 4S
- 5.8 S5L8942, used in the iPad 2 (iPad2,4), Apple TV (3rd generation) (AppleTV3,1), iPod touch (5th generation), and iPad mini
- 5.9 S5L8945, used in the iPad (3rd generation)
- 5.10 S5L8947, used in the Apple TV (3rd generation) (AppleTV3,2)
- 5.11 S5L8950, used in the iPhone 5 and iPhone 5c
- 5.12 S5L8955, used in the iPad (4th generation)
- 5.13 S5L8960/S5L8965, used in the iPhone 5s, iPad Air, iPad mini 2, and iPad mini 3
- 5.14 T7000, used in the Apple TV HD, HomePod, iPad mini 4, iPhone 6, iPhone 6 Plus, and iPod touch (6th generation)
- 5.15 T7001, used in the iPad Air 2
- 5.16 S7002, used in the Apple Watch (1st generation)
- 5.17 S8000, used in the iPad (5th generation), iPhone 6s, iPhone 6s Plus and iPhone SE
- 5.18 S8001, used in the iPad Pro (12.9-inch) and iPad Pro (9.7-inch)
- 5.19 T8002, used in the Apple Watch Series 1, Apple Watch Series 2 and T1 MacBook Pros
- 5.20 S8003, used in the iPad (5th generation), iPhone 6s, iPhone 6s Plus and iPhone SE
- 5.21 T8004, used in the Apple Watch Series 3
- 5.22 T8006, used in the Apple Watch Series 4, Apple Watch Series 5 and Apple Watch SE
- 5.23 T8010, used in the iPad (6th generation), iPad (7th generation), iPhone 7, iPhone 7 Plus and iPod touch (7th generation)
- 5.24 T8011, used in the iPad Pro (10.5-inch), iPad Pro (12.9-inch) (2nd generation) and Apple TV 4K
- 5.25 T8015, used in the iPhone 8, iPhone 8 Plus, and iPhone X
- 5.26 T8012, used in the iMac Pro and other T2 based Macs
- 5.27 T8020, used in the iPad (8th generation), iPad Air (3rd generation), iPad mini (5th generation), iPhone XR, iPhone XS and iPhone XS Max
- 5.28 T8027, used in the iPad Pro (11-inch), iPad Pro (12.9-inch) (3rd generation), iPad Pro (11-inch) (2nd generation) and iPad Pro (12.9-inch) (4th generation)
- 5.29 T8030, used in the iPad (9th generation), iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max and iPhone SE (2nd generation)
- 5.30 T8101, used in the iPad Air (4th generation), iPhone 12 mini, iPhone 12, iPhone 12 Pro and iPhone 12 Pro Max
- 5.31 T8301, used in the Apple Watch Series 6 and Apple Watch Series 7
- 5.32 T8103, used in the iPad Pro (11-inch) (3rd generation), iPad Pro (12.9-inch) (5th generation) and M1 Macs
- 5.33 T8110, used in the iPad mini (6th generation), iPhone 13 mini, iPhone 13, iPhone 13 Pro and iPhone 13 Pro Max
- 6 References
Old & New bootrom
Certain models, including the iPod touch (2nd generation) and iPhone 3GS, have different bootrom versions. These are most commonly referred to with the terms "old bootrom" and "new bootrom." These "new bootrom" devices were released after 9 September 2009 and have the 0x24000 Segment Overflow fixed. While the new bootrom revisions have an exploit, the exploit needs the assistance of a firmware-based exploit to achieve an untethered jailbreak.
You might also be looking for Apple's stage 2 bootloader, which also uses the "iBoot" name.
Looking at the CPRV (Chip Revision) tag will usually also tell you whether the device is a new unit or not.
Finding bootrom version
From the model number (iPod touch (2nd generation))
If the second character of your Model Number is "B" (e.g.- FB533, MB533, or PB533), your iPod has the old bootrom. If the second character is "C" (FC086, MC086 or PC086), your iPod has the new bootrom.
From the serial number (iPhone 3GS)
The third digit of the serial number identifies the year of manufacture (9=2009, 0=2010, 1=2011, 2=2012), while the fourth and fifth digits indicate the week. There is a gray area between week 40 of 2009 (??940??????) and week 45 of 2009 (??945??????) where some devices have the new bootrom while others have the old bootrom. Any iPhone made after week 45 of 2009 (??945?????? and higher, or ??0???????? serials) has the new bootrom.
From the DFU Device descriptors (all devices except S5L8900)
Windows
- Connect Device & Enter DFU Mode
- Open Device Manager, expand the USB controllers entry and select the Apple Mobile Device USB Driver sub-item
- Right-Click & click Properties
- Go to the Details tab and select Device Instance Path in the dropdown box
- The end of the info string shows the bootrom version
Mac OS X
- Connect Device & Enter DFU Mode
- Go to System Profiler, and under the Hardware category, go to USB, and click on Apple Mobile Device (DFU Mode)
- The end of the Serial Number string shows the bootrom version in brackets (e.g. [iBoot-574.4])
Linux
- Make sure your distribution has usbutils installed. (most distributions have it by default)
- Connect Device & Enter DFU Mode
- In a terminal, run sudo lsusb -v
- Find the line that says iSerial; your bootrom version is at the end of that line.
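The three rules above (model number, serial number, DFU descriptor) as POSIX shell functions, added here as an example and not code from The iPhone Wiki. The lsusb excerpt is a constructed sample; only the "[iBoot-…]" suffix of the serial string is documented on this page, the other tags in it are assumed.

```shell
#!/bin/sh
# Added example (not The iPhone Wiki's code): the "Finding bootrom version" rules.
# iPod touch (2nd generation): second character of the model number.
ipt2g_from_model() {
    case "$(printf '%s' "$1" | cut -c2)" in
        B) echo old ;;      # e.g. MB533
        C) echo new ;;      # e.g. MC086
        *) echo unknown ;;
    esac
}

# iPhone 3GS: 3rd serial character is the year (9=2009, 0=2010, 1=2011,
# 2=2012), 4th-5th are the week. Weeks 40-44 of 2009 are the gray area;
# week 45 of 2009 (??945??????) and later is new bootrom, as the page states.
iphone3gs_from_serial() {
    year=$(printf '%s' "$1" | cut -c3)
    week=$(printf '%s' "$1" | cut -c4-5)
    week=${week#0}   # "08" -> "8" so [ ] compares it as a number
    case "$year" in
        9) if [ "$week" -lt 40 ]; then echo old
           elif [ "$week" -lt 45 ]; then echo gray
           else echo new; fi ;;
        0|1|2) echo new ;;
        *) echo unknown ;;
    esac
}

# DFU mode: pull the bracketed iBoot version from the iSerial line of
# "lsusb -v" output (the page shows the form "[iBoot-574.4]").
dfu_bootrom_version() {
    printf '%s\n' "$1" | sed -n 's/.*iSerial.*\[iBoot-\([^]]*\)\].*/\1/p'
}

# Map the S5L8720 / S5L8920 revisions from the Revisions list to old/new.
bootrom_old_or_new() {
    case "$1" in
        240.4|359.3)     echo old ;;
        240.5.1|359.3.2) echo new ;;
        *)               echo n/a ;;   # other chips have a single bootrom
    esac
}

# Constructed sample of an lsusb -v excerpt; the tag layout of the serial
# string is assumed, only the "[iBoot-...]" suffix is documented on the page.
SAMPLE_LSUSB='Bus 001 Device 004: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)
  iSerial                 3 CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 SRTG:[iBoot-359.3.2]'

echo "DFU reports iBoot-$(dfu_bootrom_version "$SAMPLE_LSUSB") -> $(bootrom_old_or_new "$(dfu_bootrom_version "$SAMPLE_LSUSB")") bootrom"
```

To use it on a real device, replace SAMPLE_LSUSB with the captured output of sudo lsusb -v while the device is in DFU mode.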
Dumping the bootrom
You can use Bootrom Dumper Utility by pod2g to dump the bootrom on devices that are vulnerable to the Limera1n Exploit.
Bootrom Exploits
- Pwnage 1.0 (Ramdisk + AppleImage2NORAccess) up to Rev.2
- Pwnage 2.0 (DFU + Malformed Certificate) up to Rev.2
- usb_control_msg(0xA1, 1) Exploit (also called "steaks4uce" exploit) only for 240.4 and 240.5.1
- 0x24000 Segment Overflow only for 240.4 and 359.3
- alloc8 Exploit only for 359.3 and 359.3.2
- Limera1n Exploit up to 574.4
- SHAtter up to 574.4
- Checkm8 Exploit up to 3401.0.0.1.16
Revisions
- Bootrom Rev.2 in S5L8900
- Bootrom 240.4 in S5L8720 (old version only)
- Bootrom 359.3 in S5L8920 (old version only)
- Bootrom 240.5.1 in S5L8720 (new version only)
- Bootrom 359.3.2 in S5L8920 (new version only)
- Bootrom 359.5 in S5L8922
- Bootrom 574.4 in S5L8930
- Bootrom 838.3 in S5L8940
- ROM in S5L8942
- Bootrom 1062.2 in S5L8945
- Bootrom 1413.8 in S5L8747
- Bootrom 1458.2 in S5L8947
- Bootrom 1145.3 in S5L8950
- Bootrom 1145.3.3 in S5L8955
- Bootrom 1704.10 in S5L8960 and S5L8965
- Bootrom 1992.0.0.1.19 in T7000
- Bootrom 1991.0.0.2.16 in T7001
- Bootrom 2098.0.0.2.4 in S7002
- Bootrom 2234.0.0.3.3 in S8000
- Bootrom 2234.0.0.2.22 in S8003
- Bootrom 2481.0.0.2.1 in S8001
- Bootrom 2651.0.0.1.31 in T8002
- Bootrom 2651.0.0.3.3 in T8004
- Bootrom 2696.0.0.1.33 in T8010
- Bootrom 3135.0.0.2.3 in T8011
- Bootrom 3332.0.0.1.23 in T8015
- Bootrom 3401.0.0.1.16 in T8012
- Bootrom 3865.0.0.4.7 in T8020
- Bootrom 3988.0.0.2.12 in T8006
- Bootrom 4172.0.0.100.14 in T8027
- Bootrom 4479.0.0.100.4 in T8030
- Bootrom 5281.0.0.100.45 in T8101
- Bootrom 5281.0.0.300.17 in T8301
- Bootrom 5540.0.0.400.2 in T8103
- Bootrom 6338.0.0.200.19 in T8110
S5L8900, used in the iPhone, iPod touch, and iPhone 3G
see also VROM (S5L8900)
S5L8720, used in the iPod touch (2nd generation)
- Bootrom 240.4 "old bootrom"
- Bootrom 240.5.1 "new bootrom"
S5L8747, used in the Haywire
S5L8920, used in the iPhone 3GS
- Bootrom 359.3 "old bootrom"
- Bootrom 359.3.2 "new bootrom"