The iPhone Wiki - User contributions [en]

Scam Jailbreaks and Unlocks

2015-08-16T14:52:35Z

0x56: The term used here was "directs", which it does with multiple prominent banner ads and links. The target has changed however, updated to reflect this.

This is an ''incomplete'' list of community-reported '''scam sites''' that pretend to distribute or sell jailbreaking and unlocking tools/services. (There are many other scam sites not listed here yet.)

If you see a site selling jailbreaking or unlocking software (or asking you to do a survey before downloading), it's a scam. (Companies make money when you fill out surveys, so they promise a jailbreak to get you to fill them out.) Scam sites may also provide free fake tools that actually install adware or other kinds of malware in order to make money from you. Some legitimate forms of unlocking are not free - third-party IMEI unlocks and SIM interposer devices both cost money - but ultrasn0w is always free.

In general, please consider: '''is what the site promises too good to be true?''' Does it promise a new jailbreak for the latest iOS version, when nobody from trusted sources (such as well-known blogs or Reddit or developers on Twitter) is talking about this new jailbreak? When a real new jailbreak gets released, huge numbers of people talk about it - so if you find something people aren't talking about, be very skeptical and check trusted sources.

=== You can contribute to this list ===

Please contribute to this list if you find a scam site. By listing them here, we can help people find good information when they search Google for more information about these sites. If your site is listed here and you believe that's a mistake, you may contact an administrator to request removal.

Be sure not to link to these pages, as all links will boost their Google ranking.

== Jailbreak fakes ==
{| class="wikitable"
|-
! Domain !! Notes
|-
| 7evasi0n.com || Fake
|-
| 7jailbreak.com || On-device survey scam
|-
| 71jailbreak.com || Fake
|-
| 8jailbreak.net || Fake
|-
| alphajailbreak.com || Survey scam
|-
| alpinejb.blogspot.com || Fake
|-
| apps.appshed.com/[various #] || On-device fake, webclips and profiles
|-
| celtikios7.com || Survey scam
|-
| cyberelevat0r.net || Fake
|-
| cyberelevat0r.us || Fake
|-
| cydia8jailbreak.com || Fake has you download multiple free-to-play apps hoping for in-app purchases
|-
| cydia-download.us || On-device scam, cost is unknown as it wants to install a profile and I'm not willing to go that far ;p
|-
| cyrooting.com || Affiliated with cydia-download.us which installs a profile from cyrooting.com
|-
| downgradeios7.com || Fake on-device downgrade tool
|-
| downgradeiphone.com || Sells a false promise (universal iOS/baseband downgrade) for $29
|-
| ecydia.com || Sells an unspecified tool for $24.99
|-
| equsi0n.com || Survey scam
|-
| evad3rs.me || No survey, not selling anything, just has downloads of evasi0n 1.0.7, calling it 1.0.8 and saying it works on iOS 7.1.x. Pointless.
|-
| evad3rsdevteam.com || Survey scam, copy of evasi0n.com
|-
| evad3rs-devteam.com || Copy of evasi0n.com
|-
| evad3rsjb.com || Fake
|-
| evad3rsteam.com || Survey scam
|-
| evasi0nblog.com || Repackaged evasi0n
|-
| evasi0ndevteam.com || Sells evasi0n for $15
|-
| evasi0njb.net || Copy of evasi0n.com
|-
| evasion-jailbreak.com || Survey scam
|-
| evasion-jailbreak7.com || Survey scam
|-
| evasi0n-jailbreak.net || Survey scam, copy of evasi0n.com
|-
| evasi0njailbreak.com || Fake
|-
| evasion7.com || Fake
|-
| evasion7download.info/pangu || Malware. See http://bit.ly/1Jcl1hw
|-
| evasioniosjailbreak.com || Survey scam
|-
| evasionjailbreak.net || Survey scam, copy of evasi0n.com
|-
| evasionjailbreak.us || Copy of evasi0n.com
|-
| evasionjailbreak7.com || Survey scam
|-
| evasi0n-official.com || Survey scam, loosely copied from evasi0n.com
|-
| evasl0n.blogspot.com || Survey scam, copy of evasi0n.com
|-
| evasi0n7.com/pangu || Fake
|-
| evasion7download.info || Malware. See http://bit.ly/1Jcl1hw
|-
| evasion7download.info/geeksn0w || Malware. See http://bit.ly/1Jcl1hw
|-
| evasion7-jailbreak.com || Fake
|-
| evazi0n.net || Fake
|-
| ex0dus-jailbreak.com || Unspecified tool, claims to be developed by @planetbeing and @pimskeks. Survey scam after being strung along downloading a fake tool which requires a patch, said patch download requiring survey completion.
|-
| factory-directme.com || Sells redsn0w for $14.95
|-
| firest0rm.net || Survey scam
|-
| freed0md00r.com || Survey scam
|-
| future7ios7.com || Survey scam
|-
| geeksn0w.net || Copy of geeksn0w.it
|-
| geeksn0w.net/pangu || Fake
|-
| geeksn0wdownload.com || Copy of Geeksn0w.it
|-
| getthebest365.com || Sells unspecified tool for $27.00
|-
| greenpois0n-gc.blogspot.com || Survey scam
|-
| icysn0w.com || Survey scam
|-
| idowngrade.com || Survey scam
|-
| iemu.org || Fake; previous site for [[iEmu]]
|-
| ievad3rs.com || Survey scam
|-
| ijailbreak-iphone.com || Sells an unspecified tool for $19.95
|-
| ijailbreakpro.com || Sells an unspecified tool for $29.90, $39.90 and $49.90
|-
| ijailbreaktool.com || Sells an unspecified tool for $24.99
|-
| imessagewin.com || Claims to have iMessage for Windows platform; Survey scam
|-
| ineedjailbreak.com || Sells evasi0n / redsn0w for $24.95
|-
| inj3ct3d.klikkit.co.uk || asking for donations to publish a non-existent jailbreak
|-
| insanelyios.blogspot.com || Downgrade fake, survey scam
|-
| instajailbreaker.com || Sells unspecified tool(s) for $29.95
|-
| installcydia.mobi || Fake. Takes you to appial.com for freemium appstore games
|-
| ios-6-1-4-jailbreak.com || Survey scam
|-
| ios-jailbreak.com || Provides fake 8.4.1 jailbreak tool that includes malware
|-
| ios8jailbreak.org || Fake
|-
| ios8jailbreak.tk || Fake (alternate domain name is ios8-jailbreak.weebly.com)
|-
| ios8jailbreakdownload.net || Survey scam
|-
| ios8pangu.com || Fake, webclip. Wants to install unsigned profile that cannot be removed
|-
| ipadjailbreak3.com || Forwards to jailbreakunlock.org
|-
| ipangu.net || Fake. Passworded zip files
|-
| iphone5break.com || Sells unspecified tool for $49.99
|-
| iphonejailbreakplus.com || Sells evasi0n / redsn0w for $29.95
|-
| iphonejailbreak-unlock.com || Sells unspecified tool for $27.00
|-
| irevert.wordpress.com/ || Claims to be able to downgrade firmware
|-
| jailbreak.cc || Sells jailbreaking tools
|-
| jailbreak-7.com || App Store app download+play time required, artificially inflating its popularity
|-
| jailbreak-absinthe.com || Survey scam
|-
| jailbreak-ios-7.com || Tells people to go to thejailbreakshop.com
|-
| jailbreak-ios7.net || Sells unspecified tools for $29.95 and $39.95
|-
| jailbreak-my-ipad.org || Sells evasi0n / redsn0w for $29.95 '''per month'''
|-
| jailbreak-my-iphone.com || Sells unspecified tool for $29.97
|-
| jailbreak-team.com || Sells an unspecified tool for $29.99
|-
| jailbreak71.com || Fake
|-
| jailbreak7wizz.com || Links to jailbreakthings.com, which in turn links to instajailbreaker.com, which sells unspecified tools for $29.95
|-
| jailbreakandunlock1.pressdoc.com || Blog that is about jailbreak and unlock which uses fake tools.
|-
| jailbreakbj.com || Survey scam
|-
| jailbreakgenie.com || Scam. Sells unspecified jailbreak tool for $9.99
|-
| jailbreakios7untethered.com || Survey scam, all set up in advance for iOS 7
|-
| jailbreakiosnewversion.elitegamershub.com || Survey scam, copied/modified verion of evasi0n7
|-
| jailbreakiphone5s.com || Tells people to go to thejailbreakshop.com
|-
| jailbreakmenow.net || Sells unspecified tools for $19.95, $29.95, and $39.95
|-
| jailbreaknewiphone.com || Survey scam after being strung along downloading a fake tool
|-
| jailbreaktheipad2.com || Sells unspecified tool for $14.95
|-
| jailbreakthings.com || Exists solely to promote instajailbreaker.com, a scam site
|-
| jailbreakunlock.info || Sells unspecified tools for $19.95, $29.95, and $39.95
|-
| jailbreakunlock.org || Sells evasi0n / redsn0w for $14.95
|-
| jailbroke.info || Sells jailbreaking "solutions"
|-
| latestiphoneunlock.com || Sells an unspecified tool for $9.95 or $29.95
|-
| newios7jailbreak.com || Directs visitors to unlock-jailbreak.net
|-
| opensn0w.net || Survey scam
|-
| overcast7.com || Survey scam
|-
| pangu8.com || Fake. Installs webclip from semijb.com
|-
| pangudownload.com || Fake
|-
| pangu-jailbreak.com || Fake
|-
| pangujailbreak.info || Fake, survey scam, poor things can't even pay their hosting bill :)
|-
| pangujb.blogspot.com || Fake
|-
| pangunow.com || Fake
|-
| pod2gblog.blogspot.com || Copy of pod2g's blog
|-
| p0sixspwn.co || Windows version is a malware downloader that eventually downloads the real [[p0sixspwn]]
|-
| posixspwndownload.com || Copy of [[p0sixspwn]]
|-
| ppjailbreak.com || Copy of [[PPJailbreak]] and copyright infringement
|-
| premiumjailbreak.com || Sells jailbreaking tools
|-
| purpletools.wordpress.com || (and all the other sites/people offering similar stuff) Scam - Claims access to Apple's internal VPN
|-
| redpois0n.net || Survey scam
|-
| red-snow.com || Sells unspecified tools for $29.95 and $39.95
|-
| redsn0w-r9-new.blogspot.com || Survey scam, text is ripped from Dev-Team Blog
|-
| rocky-racoon.com || Survey scam, copy of Dev-Team Blog
|-
| safera1n.com || Sells an unspecified tool for $24.99
|-
| silv3rwind.com || Sells an unspecified tool for $20
|-
| semijb.com || Fake. Does not install "the cydia."
|-
| semirestore.org || Fake redistributions of SemiRestore and SemiRestore7
|-
| spirit-jb.com || Survey scam
|-
| spiritjb.net || Survey scam
|-
| synergyjailbreak.com || Survey scam
|-
| taigremote.com || On-device app-download scam, basically a survey scam
|-
| taig8.net || Fake
|-
| team7jailbreak.com || On-device survey scam (redirects to 7jailbreak.com). [https://twitter.com/search?q=It%27s%20easy.%20%20Follow%20this%20realy%20simple%20guide%20from%20%40teamjailbreak7&src=typd&f=realtime Known to spam on Twitter]
|-
| theios7jailbreaker.com || Directs people to scam sites (ijailbreakpro.com, appleunlocker.com, ijailbreaktool.com)
|-
| theios8jailbreak.com || Fake
|-
| thejailbreakshop.com || Sells an unspecified tool for $29.97 and $49.97
|-
| trianglejailbreak.com || Sells jailbreaking tool
|-
| u7xjailbreak.com || Survey scam
|-
| unja1l.com || Survey scam
|-
| untetheredjailbreakios8.com || Survey scam
|}

== Scam jailbreak and unlock sites ==

{| class="wikitable"
|-
! Domain !! Notes
|-
| appleunlocker.com || Sells unspecified jailbreaking + unlocking software for $19.95
|-
| bestra1n.com || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| cheapestiphoneunlock.com || Sells unspecified jailbreaking + unlocking software for $9.99
|-
| deblocage-iphone-fr.com || Sells unspecified unlocking software for €29.99
|-
| desbloquear-iphone-pro.com || Sells unspecified unlocking software for €29.99
|-
| e-imeiunlock.com || Survey scam
|-
| easyiphoneunlocking.com || Sells unspecified jailbreaking + unlocking software for $24.95
|-
| easyunlockiphone.net || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| easyunlockingsolutions.com || Sells unspecified unlocking software for $19.99
|-
| how-jailbreak-iphone.com || Sells unspecified jailbreaking + unlocking software for $19.95
|-
| ijailbreakpro.com || Sells redsn0w for $29.90, $39.90, or $49.90
|-
| ijailbreaktool.com || Sells unspecified jailbreaking software for $24.99
|-
| ios7jailbreaker.net || Survey scam
|-
| ios7jailbreak.fr || Survey scam
|-
| iphone5break.com || Sells unspecified jailbreaking + unlocking software for $49.99
|-
| iphone-instant-unlock.com || Sells unspecified unlocking software for $14.95
|-
| iphone-unlock-pro.com || Redirects to unlock4iphone.com, desbloquear-iphone-pro.com, and deblocage-iphone-fr.com
|-
| iphone-unlocker-pro.com || Sells unspecified jailbreaking + unlocking software for $24.95
|-
| iphone-unlock-me.com || Sells unspecified unlocking software for $14.95
|-
| iphone-unlockme.com || Sells unspecified unlocking software for $14.95
|-
| iphoneunlocker.org.uk || Sells unspecified jailbreaking + unlocking software for £14.99
|-
| iphoneunlockersoftware.com || Sells unspecified jailbreaking + unlocking software for $24.97
|-
| iphoneunlockplus.com || Sells unspecified unlocking software for $22.99
|-
| iphoneunlockwiz.com || Sells unspecified jailbreaking + unlocking software for $29.97
|-
| jailbreakandunlockiphones.com || Glowing reviews of, and links to, scam sites which are mostly offline now
|-
| jailbreakiphone5express.com || Links to ijailbreakpro.com, appleunlocker.com and ijailbreaktool.com
|-
| myappledownload.com || Sells undefined non-existing jailbreaks, unlocks, downgrades for $19.99
|-
| mydowngrade.com || Sells undefined non-existing jailbreaks, unlocks, downgrades for $19.99
|-
| myunlocker.org || On-device survey / app download scam
|-
| phoneunlockguy.com || Sells unspecified jailbreaking + unlocking software for $14.95
|-
| solutions-directme.com || Sells unspecified jailbreaking software for $14.95
|-
| superiorsim.com || Sells SIM interposers, reported to be a scam by various websites
|-
| superunlockiphone.com || Sells unspecified jailbreaking + unlocking software for £14.99
|-
| tracyandmatt.co.uk || Refers victims to unlock-jailbreak.net
|-
| transx-solutions.com || Sells software for $14.95 which does not say what it is. Also requires a download
|-
| trusted-iphone-unlocker.com || Sells unspecified jailbreaking + unlocking software for $24.95
|-
| ultimateiphoneunlocker.com || Sells unspecified unlocking software for $19.95
|-
| unlock-your-phones.com || Sells evasi0n as an unlock for €8.99
|-
| unlock-apple-iphone.com || Sells unspecified jailbreaking + unlocking software for $29.99
|-
| unlock-appleiphone.com || Sells IMEI unlocks for ANY carrier (including Singtel, which is factory unlocked, and including Sprint, which is nearly impossible, and certainly not done for that price) for $29.95
|-
| unlock-ijailbreak.net || Added a letter to the URL, otherwise it's the same site as unlock-jailbreak.net
|-
| unlock-iphone.info || Fake. Claims that donating will expedite your request.
|-
| unlock-jailbreak.net || Sells unspecified unlocking software for $24.99
|-
| unlock-jailbreak-iphone.com || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| unlock-the-iphone.com || Sells unspecified jailbreaking + unlocking software for $29.95, $37.95, or $49
|-
| unlock4iphone.com || Sells unspecified unlocking software for $29.99
|-
| unlockimeiiphone.com || Sells unspecified jailbreaking + unlocking tool for $19.95
|-
| unlockiphone.net || Sells unspecified jailbreaking + unlocking tool
|-
| unlockiphone.org || Sells unspecified unlocking software for $24.95
|-
| unlockiphoneios5.com || Sells unspecified jailbreaking + unlocking software for $14.95
|-
| unlockiphonenow.org || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| unlockiphonepro.com || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| unlockjailbreaktool.com || Sells unspecified jailbreaking + unlocking software for $24.99
|-
| unlockmecentral.com || Sells jailbreaking "membership"
|-
| ultrasn0wtool.com || Claims to unlock via a GUI app
|-
| ziphone.org || Directs visitors to iphone-unlocker-pro.com
|}

Jailbreak Exploits

2015-06-26T19:35:06Z

0x56: more exploit description updates

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* the same kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/xpcd_cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis/xpcd_cache)
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit {{cve|2014-4496}} - used to recover the permutation value and addresses of kernel objects
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] (8.1.3 / 8.2 / 8.3) ===
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI
* enable-dylibs-to-override-cache - force loading of dynamic libraries from filesystem (where available) instead of the shared cache (overriding libmis)
* (rest currently unknown)

Jailbreak Exploits

2015-06-26T19:21:54Z

0x56: /* Pangu (7.1 / 7.1.1 / 7.1.2) */ copy/paste fail

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject info leak ({{cve|2014-4496}})
* IOSharedDataQueue notification port overwrite ({{cve|2014-4461}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit - to defeat KASLR {{cve|2014-4496}}
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] (8.1.3 / 8.2 / 8.3) ===
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* (rest currently unknown)

Jailbreak Exploits

2015-06-26T19:19:54Z

0x56: /* Pangu (7.1 / 7.1.1 / 7.1.2) */ template formatting error

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{cve|2014-4422}})
* mach_port_kobject info leak ({{cve|2014-4496}})
* IOSharedDataQueue notification port overwrite ({{cve|2014-4487}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit - to defeat KASLR {{cve|2014-4496}}
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] (8.1.3 / 8.2 / 8.3) ===
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* (rest currently unknown)

Jailbreak Exploits

2015-06-26T19:19:09Z

0x56: /* Pangu (7.1 / 7.1.1 / 7.1.2) */ update exploit list and descriptions

This page lists the '''exploits''' used in [[jailbreak]]s.

== Common exploits which are used in order to jailbreak different versions of iOS ==
* [[Pwnage]] + [[Pwnage 2.0]] (together to jailbreak the [[n82ap|iPhone 3G]])
* [[ARM7 Go]] (from iOS 2.1.1) (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])
* [[0x24000 Segment Overflow]] (for [[untethered jailbreak]] on [[n88ap|iPhone 3GS]] with [[Bootrom 359.3|old bootrom]] and [[n72ap|iPod touch 2G]] with [[Bootrom 240.4|old bootrom]]; another exploit as the [[limera1n Exploit]] is required)
* [[limera1n Exploit]] (for [[tethered jailbreak]] on [[n88ap|iPhone 3GS]], [[n18ap|iPod touch 3G]], [[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]] and [[k66ap|Apple TV 2G]])
* [[usb_control_msg(0xA1, 1) Exploit]] (also known as "steaks4uce") (for [[tethered jailbreak]] on [[n72ap|iPod touch 2G]])

== Programs which are used in order to jailbreak different versions of iOS ==
=== [[PwnageTool]] (2.0 - 5.1.1) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[redsn0w]] (3.0 - 6.0) ===
* uses different common exploits
* uses the same exploits as [[Absinthe|Absinthe]] and [[Absinthe|Absinthe 2.0]] to jailbreak iOS 5.0/5.0.1 and 5.1.1
* uses the exploits listed below to untether up to iOS 5.1.1

=== [[sn0wbreeze]] (3.1.3 - 6.1.3) ===
* uses different common exploits
* uses the exploits listed below to untether up to iOS 6.1.2

== Programs which are used in order to jailbreak 1.x ==
=== [[AppTapp Installer]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[iBrickr]] (1.0 / 1.0.1 / 1.0.2) ===
* iBoot <code>cp</code>-command exploit

=== [[AppSnapp]]/[[JailbreakMe|JailbreakMe 1.0]] (1.0 / 1.0.1 / 1.0.2 / 1.1.1) ===
* [[LibTiff|libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]]) ({{cve|2006-3459}})

=== [[mknod|OktoPrep]] (1.1.2) ===
"Upgrade" to 1.1.2 from a jailborken 1.1.1
* [[mknod]]

=== [[Soft Upgrade]] (1.1.3) ===
"Upgrade" to 1.1.3 from a running jailbroken 1.1.2

=== [[ZiPhone]] (1.1.3 / 1.1.4 /1.1.5) ===
* [[Ramdisk Hack]]

=== [[iLiberty+|iLiberty / iLiberty+]] (1.1.3 / 1.1.4 /1.1.5) ===

== Programs which are used in order to jailbreak 2.x ==
=== [[QuickPwn]] (2.0 - 2.2.1) ===
* uses [[Pwnage]] and [[Pwnage 2.0]]

=== [[Redsn0w Lite]] (2.1.1) ===
* [[ARM7 Go]] (for [[n72ap|iPod touch 2G]] only)

== Programs which are used in order to jailbreak 3.x ==
=== [[purplera1n]] (3.0) ===
* [[iBoot Environment Variable Overflow]] ({{cve|2009-2795}})
* uses [[0x24000 Segment Overflow]]

=== [[blackra1n]] (3.1.2) ===
* [[usb_control_msg(0x21, 2) Exploit]] ({{cve|2010-0038}})
* uses [[0x24000 Segment Overflow]]

=== [[Spirit]] (3.1.2 / 3.1.3 / 3.2) ===
* [[MobileBackup Copy Exploit]]
* [[Incomplete Codesign Exploit]]
* [[BPF_STX Kernel Write Exploit]]

=== [[Star|JailbreakMe 2.0 / Star]] (3.1.2 / 3.1.3 / 3.2 / 3.2.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / [[greenpois0n (jailbreak)|greenpois0n]] (3.2.2) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

== Programs which are used in order to jailbreak 4.x ==
=== [[Star|JailbreakMe 2.0 / Star]] (4.0 / 4.0.1) ===
* [[Malformed CFF Vulnerability]] ({{cve|2010-1797}})
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]] ({{cve|2010-2973}})

=== [[limera1n]] / (4.0 / 4.0.1 / 4.0.2 / 4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.1) ===
* uses different common exploits
* [[Packet Filter Kernel Exploit]]

=== [[greenpois0n (jailbreak)|greenpois0n]] (4.2.1) ===
* uses different common exploits
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.2.6 / 4.2.7 / 4.2.8) ===
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[HFS Legacy Volume Name Stack Buffer Overflow]]

=== [[Saffron|JailbreakMe 3.0 / Saffron]] (4.3 / 4.3.1 / 4.3.2 / 4.3.3) ===
Except for the [[n18ap|iPod touch 3G]] on iOS 4.3.1.
* [[T1 Font Integer Overflow]] ({{cve|2011-0226}})
* [[IOMobileFrameBuffer Privilege Escalation Exploit]] ({{cve|2011-0227}})

=== i0nic's Untether (4.3.1 / 4.3.2 / 4.3.3) ===
used in [[redsn0w]] to untether iOS 4.3.1 / 4.3.2 / 4.3.3
* [[ndrv_setspec() Integer Overflow]]

== Programs which are used in order to jailbreak 5.x ==
=== [[unthredera1n]] (5.0 / 5.0.1 / 5.1 / 5.1.1) ===
Except for the [[iPad 3]]
* MobileBackup2 Copy Exploit
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* [[AMFID code signing evasion]] ({{cve|2013-0977}})
* [[launchd.conf untether]]
* [[Timezone Vulnerability]]

=== [[Absinthe]] (5.0 on [[n94ap|iPhone 4S]] only / 5.0.1 on [[iPad 2]] and [[iPhone 4S]]) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}}) (used both for payload injection and untether)
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Corona|Corona Untether]] (5.0.1) ===
* [[Racoon String Format Overflow Exploit]] ({{cve|2012-0646}})
* [[HFS Heap Overflow]] ({{cve|2012-0642}})
* unknown exploit ({{cve|2012-0643}})

=== [[Absinthe|Absinthe 2.0]] and [[Rocky Racoon|Rocky Racoon Untether]] (5.1.1) ===
* a new Packet Filter Kernel Exploit ({{cve|2012-3728}})
* Racoon DNS4/WINS4 table buffer overflow ({{cve|2012-3727}})
* MobileBackup2 Copy Exploit

== Programs which are used in order to jailbreak 6.x ==
=== [[evasi0n]] (6.0 / 6.0.1 / 6.0.2 / 6.1 / 6.1.1 / 6.1.2) ===
* [[Symbolic Link Vulnerability]] ({{cve|2013-0979}})
* [[Timezone Vulnerability]]
* [[Shebang Trick]] ({{cve|2013-5154}})
* [[AMFID code signing evasion]]
* [[launchd.conf untether]]
* [[IOUSBDeviceFamily Vulnerability]] ({{cve|2013-0981}})
* [[ARM Exception Vector Info Leak]] ({{cve|2013-0978}})
* [[dynamic memmove() locating]]
* [[vm_map_copy_t corruption for arbitrary memory disclosure]]
* [[kernel memory write via ROP gadget]]
* [[Overlapping Segment Attack]] ({{cve|2013-0977}})

=== [[p0sixspwn]] (6.1.3 / 6.1.4 / 6.1.5 / 6.1.6) ===
* [[posix_spawn kernel information leak]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[posix_spawn kernel exploit]] ({{cve|2013-3954}}) (by [[i0n1c]])
* [[mach_msg_ool_descriptor_ts for heap shaping]] ({{cve|2013-3953}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* [[DeveloperDiskImage race condition]] (by [[comex]])
* [[launchd.conf untether]]

== Programs which are used in order to jailbreak 7.x ==
=== [[evasi0n7]] (7.0 / 7.0.1 / 7.0.2 / 7.0.3 / 7.0.4 / 7.0.5 / 7.0.6) ===
{{Section Stub}}
* [[Symbolic Link Vulnerability]] ({{cve|2013-5133}})
* [[AMFID_code_signing_evasi0n7]] ({{cve|2014-1273}})
* CrashHouseKeeping chmod vulnarability ({{cve|2014-1272}})
* ptmx_get_ioctl ioctl crafted call ({{cve|2014-1278}})

=== [[Geeksn0w]] (7.1 / 7.1.1 / 7.1.2) ===
* [[limera1n]]'s bootrom exploit ([[Tethered jailbreak]]) on [[iPhone 4]]

=== [[Pangu]] (7.1 / 7.1.1 / 7.1.2) ===
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) (Pangu v1.0.0)
* AppleKeyStore::initUserClient info leak ({{cve|2014-4407}}) (Pangu >v1.0.0)
* break_early_random (by [[i0n1c]] and Tarjei Mandt of Azimuth) ({{CVE|2014-4422}})
* mach_port_kobject info leak ({{cve|2014-4496}})
* IOSharedDataQueue notification port overwrite ({{cve|2014-4487}})
* "syslogd chown" vulnerability
* enterprise certificate (no real exploit, used for initial "unsigned" code execution)
* "foo_extracted" symlink vulnerability (used to write to /var) ({{cve|2014-4386}})
* /tmp/bigfile (a big file for improvement of the reliability of a race condition)
* VoIP backgrounding trick (used to auto restart the app)
* hidden segment attack

== Programs which are used in order to jailbreak 8.x ==
=== [[Pangu8]] (8.0 / 8.0.1 / 8.0.2 / 8.1) ===
* an exploit for a bug in /usr/libexec/neagent (source @iH8sn0w)
* enterprise certificate (inside the IPA)
* a kind of dylib injection into a system process (see IPA)
* a dmg mount command (looks like the Developer DMG) (syslog while jailbreaking)
* a sandboxing problem in debugserver ({{cve|2014-4457}})
* the same/a similar kernel exploit as used in [[Pangu|the first Pangu]] ({{cve|2014-4461}}) (source @iH8sn0w)
* enable-dylibs-to-override-cache
* a new ovelapping segment attack ({{cve|2014-4455}})
* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}})

=== [[TaiG]] and [[PPJailbreak]] (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2) ===
(See also details at [http://newosxbook.com/articles/TaiG.html newosxbook.com])
* A new AFC symlink attack ({{cve|2014-4480}}) - to get onto the device filesystem
* [[DeveloperDiskImage race condition]] (by [[comex]], also used in p0sixspwn) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* A new overlapping segment attack [in a modified version], dyld, ({{cve|2014-4455}}) - negative LC_SEGMENT - to allow libmis and xpcdcache to load
* libmis redirection of MISValidateSignature (as per evasion) to kCFEqual, with overlapping segment variant on TaiG (Segment at end of file, negative)
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* MobileStorageMounter exploit ({{cve|2015-1062}})
* Backup exploit used to access restricted parts of the filesystem ({{cve|2015-1087}})

Kernel:

* Mach-O OSBundleHeaders info leak ({{cve|2014-4491}}) - leaks slid addresses
* mach_port_kobject exploit - to defeat KASLR {{cve|2014-4496}}
* IOHIDFamily Kernel exploit ({{cve|2014-4487}}) - to overwrite memory

=== [[TaiG]] (8.1.3 / 8.2 / 8.3) ===
* [[DeveloperDiskImage race condition]] (also used in TaiG for 8.0-8.1.2 but modified) - to mount a fake DDI and instantly overwrite (via union) libmis/libxpcd.cache
* enable-dylibs-to-override-cache - (not an exploit, a feature) - required to allow loading of xpcd/libmis from filesystem, because they are both in shared cache
* (rest currently unknown)

Memz create

2015-05-19T05:25:56Z

0x56:

{{DISPLAYTITLE:memz_create}}
==Decompilation==
#define kMemzImageContainer 0x4D656D7A

[[MemzDescriptor]]* memz_create(unsigned char* address, unsigned int size, unsigned int flags) {
[[MemzDescriptor]]* memz = ([[MemzDescriptor]]*) malloc(sizeof([[MemzDescriptor]]));
if(memz != NULL) {
memz->fileSize = size;
memz->imageSize = size;
memz->type = kMemzImageContainer;
memz->flags = flags;
memz->address = address;
}
return memz;
}

MemzDescriptor

2015-05-19T05:25:21Z

0x56: Undo revision 44801 by 5urd (talk)

==Structure==
typedef struct MemzDescriptor {
unsigned int fileSize;
unsigned int imageSize;
unsigned int dataSize;
unsigned int container;
unsigned int flags;
unsigned char* address;
unsigned int unk18;
};

Ramdisk (iBoot command)

2015-05-19T05:24:28Z

0x56: Undo revision 38946 by 5urd (talk)

== Description ==
A command found in [[iBoot]], [[iBSS]], and [[iBEC]] that verifies and preps a ramdisk image which has been previously uploaded.

== Decompilation ==
iPhone 3GS 8920x from iBoot-636.66
#define kLoadAddress 0x41000000
#define kRamdiskMaxSize 0x2000000
#define kRamdiskAddress 0x44000000
#define kRamdiskImageType 0x7264736B

unsigned int* gRamdiskSize;
unsigned char** gRamdiskAddr;

int cmd_ramdisk(int argc, [[CmdArg]]* argv) {
if(argc > 3 || !strcmp("help", argv[1].string)) {
printf("usage:\n\t%s [<len>] [<address>]\n", argv[0].string);
return -1;
}

unsigned int filesize = (unsigned int) [[nvram_getint]]("filesize", 0);
unsigned char* loadaddr = (unsigned char*) [[nvram_getint]]("loadaddr", kLoadAddress);
if(filesize == 0) {
printf("filesize variable invalid or not set, aborting\n");
return -1;
}

if(range_check(loadaddr, filesize) == 0) {
printf("Permission Denied\n");
return -1;
}

[[MemzDescriptor]]* memz = [[memz_create]](loadaddr, filesize, 0);
if(memz == NULL) {
printf("Ramdisk image not valid\n");
return -1;
}

if(memz->imageSize > kRamdiskMaxSize) {
printf("Ramdisk too large\n");
return -1;
}

*gRamdiskAddr = kRamdiskAddress;
*gRamdiskSize = memz->imageSize;
if(image_load(memz, kRamdiskImageType, gRamdiskAddr, gRamdiskSize) >= 0) {
printf("creating ramdisk at 0x%x of size 0x%x, from image at 0x%x\n", gRamdiskAddr, gRamdiskSize, loadaddr);
return 0;
}

*gRamdiskAddr = 0;
*gRamdiskSize = 0;
return -1;
}

Talk:MemzDescriptor

2015-05-19T05:23:53Z

0x56: Reason for removing deletion markers from a few pages

== What is this? ==
What is this content? If it is useless we should delete it. --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 13:13, 9 July 2013 (UTC)
:Look at "What links here". Like the related pages; it's possible to merge them. Or just leave it. --[[User:Http|http]] ([[User talk:Http|talk]]) 17:54, 9 July 2013 (UTC)
::We could make [[Memz]] and do headings for these two similar pages. What do you think? --[[User:IAdam1n|iAdam1n]] ([[User talk:IAdam1n|talk]]) 18:43, 9 July 2013 (UTC)
:::There are five very related pages: [[Ramdisk (iBoot command)]], [[memz_create]], [[MemzDescriptor]], [[nvram_getint]], [[NvramVar]]. It all started, with this: [http://theiphonewiki.com/w/index.php?title=Ramdisk_(iBoot_command)&oldid=5879 Ramdisk (iBoot command)] by [[User:Dimo|Dimo]]. Then [[User:Posixninja|p0sixninja]] came along and cleaned it up to these five pages and the comment "please try to keep command entries more like this". Of course you could put everything onto the page [[Ramdisk (iBoot command)]] and delete the others, but we could also simply leave it as it is. There's nothing bad with the current pages. But don't create a "Memz" page. --[[User:Http|http]] ([[User talk:Http|talk]]) 23:33, 10 July 2013 (UTC)
:Not everything needs to be deleted just because its purpose isn't known. Something like this could be a reverse engineered structure. In that case, we ''should'' keep it. --[[User:5urd|5urd]] ([[User talk:5urd|talk]]) 20:41, 9 July 2013 (UTC)
:These pages are documenting various bits of iBoot functionality that afaik is not recorded elsewhere. They don't contain much information overall, and should probably be condensed into one or two more generic pages. Leaving them marked for deletion until this happens however seems a bit like leaving important documents on top of the trash can for safekeeping, --[[User:0x56|0x56]] ([[User talk:0x56|talk]]) 05:23, 19 May 2015 (UTC)

Bluefreeze

2013-11-13T04:50:46Z

0x56: removed contradictory information, clarified why this method is /not/ compatible with an untethered jailbreak

[[iFaith]] has a protection that you don't use it on the wrong firmware to protect you. '''Bluefreeze''', a tool written by a group called The Private Dev Team, modifies the firmware version (and firmware checksum) in the iFaith certificate file, so that this check gets disabled. By doing so, you can install any firmware version on your device, even without having saved the [[SHSH]] files. The problem by doing so is that you actually install a firmware without signatures, with all consequences.

Bluefreeze asks you to build and browse to two ipsw's one signed properly and one not signed. Then Bluefreeze swaps the properly signed img3 files in the properly signed firmware file with the incorrectly signed img3 files in the unsigned ipsw thus resulting in an ipsw file with properly signed img3 files. This firmware file is used for the downgrade.

Having an incorrectly signed firmware installed won't let you boot of course. But because the limera1n exploit ignores incorrect signatures we can use the limera1n exploit (DFU mode, then using redsn0w) to boot up your device. The problem is only that you have to repeat this every time (similar to a tethered jailbreak), so it's not a downgrade you would want. This should be your last resort, and only if you absolutely need a downgrade.

This way a downgrade to [[iOS]] 4.3, 4.3.5, or 5.0 from 5.0.1 is possible. Supported devices are iPhone 3GS, iPod touch 3G, and all [[S5L8930|A4]] devices.

Installing a firmware version using this method (without valid SHSH blobs) is incompatible with an untethered jailbreak. Each time the device boots, the bootrom validates the SHSH blobs for LLB, LLB for iBoot, and so on. Therefore, the image validation function must be patched or bypassed with an appropriate bootrom exploit payload on every boot or the device will be forced into DFU mode.

== Purpose ==
With this method you can install a firmware for which you don't have [[SHSH]] saved for some tests, for example if you're a software developer and need to do some tests on a specific version.

== Alternative ==
A much easier way to do a "tethered downgrade" (unsure if this still works):
* 1. Patch ASR on the Ramdisk (you can just create a custom IPSW and use that.)
* 2. Replace the Rootfs-DMG of the currently signed Firmware with the decrypted Rootfs-DMG of the older Firmware
* 3. After the Filesystem of the old Firmware is installed, use iRecovery and upload a pwned iBSS, iBEC and Kernel from the old Firmware
* 4. Send the device the "bootx"-Command using iRecovery.
* 5. Done! Remember your device will always need to boot tethered.

== Download ==
* [http://www.mediafire.com/?9olh9qd8v1q4xm7 Windows]

== External Links ==
* [https://github.com/ThePrivateDevTeam/Bluefreeze GitHub]
* [http://www.youtube.com/watch?v=UpZKxqLqK7A Guide]
* [http://bluefreeze.weebly.com/index.html Home Page]

[[Category:GUI Tools]]

Template:Latest beta firmware

2013-09-18T23:32:32Z

0x56: two build IDs for 7.0.1, adding the highest

{{#switch: {{{1}}}
| Apple TV 2G
| Apple TV 3G
| Apple TV 3G Rev A = [[BrightonTide 10B809 ({{{1}}})|5.3/6.1.3 (10B809)]]
| iPhone 5c GSM
| iPhone 5c Global
| iPhone 5s GSM
| iPhone 5s Global = [[Innsbruck 11A471 ({{{1}}})|7.0.1 (11A471)]]
| #default = [[Innsbruck 11A465 ({{{1}}})|7.0 (11A465)]]
}}

Template:Latest firmware

2013-09-18T23:32:08Z

0x56: two build IDs for 7.0.1, adding the highest

{{#switch: {{{1}}}
| Apple TV 2G
| Apple TV 3G
| Apple TV 3G Rev A = [[InnsbruckVailPrime 11A4449a ({{{1}}})|5.4b4/7.0b5 (11A4449a)]]
| iPhone 5c GSM
| iPhone 5c Global
| iPhone 5s GSM
| iPhone 5s Global = [[Innsbruck 11A471 ({{{1}}})|7.0.1 (11A471)]]
| #default = [[Innsbruck 11A465 ({{{1}}})|7.0 (11A465)]]
}}

Talk:Main Page

2013-09-12T03:52:48Z

0x56: /* Adding vulnerability to main page */ new section

{{Talk Archive}}

== Baseband Chip Page Titles ==
For the baseband chip page titles, I think we should stick with the model number despite the marketing name. Pages:
* [[S-Gold 2|PMB8876]] marketed "S-Gold 2"
* [[X-Gold 608|PMB8878]] marketed "X-Gold 608"
* [[XMM 6180]] marketed "X-Gold 618"
* [[MDM6600]] (unknown marketing name)
* [[MDM6610]] (unknown marketing name)
* [[MDM9x00]] (unknown marketing name)
--[[User:5urd|5urd]] 21:35, 8 May 2012 (MDT)
:I'm leaning more towards the marketing names, since I think people are more familiar with them and they've been in use for a long time. We've always referred to the iPhone 2G's baseband as the "S-Gold 2" and the iPhone 3G/3GS's baseband as the "X-Gold 608." (By the way, it sounds like Qualcomm "markets" their chips by model number. [http://www.qualcomm.com/media/releases/2011/02/14/qualcomm-announces-commercial-availability-gobi3000-modules]) --[[User:Dialexio|Dialexio]] 00:11, 9 May 2012 (MDT)
:I created most of these newer pages and always used the model number (without space). So I agree with that in general. Changing old ones is a totally different story though, where we need more consent. I would be for it (and create a redirect on the marketing names). --[[User:Http|http]] 01:52, 9 May 2012 (MDT)

== Baseband downgrade possibility: Attempt for 04.11.08/04.12.01 to 04.10.01 ==
'''0x1''' There is no downgrade possibility; according to the most basis of fact in how baseband works as explained by dear MuscleNerd and there is signature checks as well as bootloader's chain of trust that I'm not going to repeat them again, but for this topic I start from iTunes error 1,-1,11

'''0x2''' iTunes error 1,-1,11 :
We will get this error whenever we want to do something with BB which is not allowed by apple. you can read about these error in detail from here[http://theiphonewiki.com/wiki/index.php?title=ITunes_Errors].
Going deeper, this error raise by baseband's bootloader whenever you attempt to downgrade BB (in this case), this happens inside the NOR so this is why we can not exploit it easily from the outside.
Another reason for this error (and in here the most important one that I wanted to discuss) is that apple no longer signing that firmware.

'''0x3''' The situation that there is no BB installed on iPhone! :
I could restore my iPhone4 in the case of there will be no BB at all. I called it reset my BB. There will be no Wifi, no BT.
At the first time (a few months since I've started to work on) I thought it is dead (as apple confirmed this also). But I could restore it only to stock firmware with the latest one.
So for who stays in 04.11.08 it may lead to do upgrade to 04.12.01 permanently with the latest iOS, now is 5.1.1 and before for me was 5.0.1, so be sure what you are doing and then go to reset the BB.
So back to the game, if there was no BB then there is no bootloeader inside the NOR to stuck BB update process but I do not know that in this case what happened to "sectable" also known as "locktable" which is the master accountable to unlock the carrier, any way I think so only firmware signature checking by apple will be remain in "restore verify process" by iTunes. because as mentioned earlier, "currentBB"(BB to be updated) is allowed to be update by "comingBB" (BB to be updating to) only if :
1. "currentBB" < "comingBB" (= are you the most recent/lastest BB?)
2. "comingBB" is now signing by apple (=if so, does apple sign you? Are you eligible?)
Huum... What happens if "currentBB"="null/zero/no matter"? Could we eliminate option (1) from the security check above in this case? So what next?

'''0x4''' Track back to the issue lead us inside the bbfw file (ICE3_04.11.08_BOOT_02.13.Release) which contains four .fls files inside, and the most important one is psi_flash.fls who is in charge of security checks before handover the routines to stack.fls which is responsible for updating the baseband. This file does like NOR bootloader but fortunately it's outside the device so it is accessible but not such easy format to be understand by programmers. They are raw ROM based images for XMM6180 chip, ARM based and programmed in Thread-X, but the compiler is unknown; I will write about some disassembly notes using ida pro 6.1; by the way I leave my iPhone with no BB trying to find out and break the trust chains in the above files in order to bypass the bootloader security checks which may let us to downgrade to 04.10.01 which is currently unlocked by Gevey.
Keep in mind that if this solution works..., it will need the SHSH for downgrading the iOS firmware to do reset the BB.
I heard that iPhoneDevTeam are going to release the new version of Redsn0w which there will be no need to restore by iTunes but I do not know if the baseband approaches supposed to be addressed or it will work like iFaith that is basically bypass (preserve) BB, any way if I found this article useful I will note about disassembly and possibility approach as well as BB reset to share with any followers.
'''--[[User:Kambiz|Kambiz]] 07:49, 13 May 2012 (MDT)K.N'''

== Bluetooth Chip on [[iPhone 5]] ==
Is there any confirmation of the Bluetooth chip used in the iPhone 5? If there is, can we edit this page and add it? --[[User:5urd|5urd]] 10:04, 8 October 2012 (MDT)
:Chipworks [http://www.chipworks.com/blog/recentteardowns/2012/10/02/apple-iphone-5-the-rf/ analyzed the iPhone 5's Murata Wi-Fi module] and determined it uses the [[BCM4334]]. I'll add it to the Main Page now. --[[User:Dialexio|Dialexio]] 20:35, 8 October 2012 (MDT)

== [[iPad 4]] and [[iPad mini]] ==
Can we add the new iPads to the list? The A6X is 8955 as per the heat sink cover on it. --[[User:5urd|5urd]] 09:43, 25 October 2012 (MDT)
:If you mean [http://images.apple.com/ipad/specs/images/specs_chip.jpg the badge Apple depicts the A6X as], the depiction actually still says "APL5498" (which translates to the S5L8945/A5X… yeah, Apple got lazy with this badge as well). The A6X probably will be S5L8955, but I haven't seen any sort of confirmation yet. --[[User:Dialexio|Dialexio]] 09:56, 25 October 2012 (MDT)
::Yeah the badge. Derp. Anyways, the [[wikipedia:File:Apple A6X chip.jpg|A6X badge]] is <code>APL5598</code> which translates to <code>S5L8955/A6X</code>. Maybe it actually is 5598 (little endian?) but that is unlikely. --[[User:5urd|5urd]] 10:17, 25 October 2012 (MDT)
:::The description of that image clearly states that it's an enhanced version of the A5X image on Wikipedia (i.e. it's edited). --[[User:Dialexio|Dialexio]] 10:57, 25 October 2012 (MDT)
::::Oh derp. From the [http://cdn.arstechnica.net/wp-content/uploads/2012/10/apple_pschiller_a6.jpg keynote], it appears to be <code>APL5498</code> which is <code>8945</code> ([[S5L8945|A5X]]). But I am sure it will be <code>S5L8955</code>. The <code>[[S5L8942]]</code> was a revised A5, not A5X. It appears Apple just opened their Photoshop document and changed the <code>A5X</code> to <code>A6X</code>. Guess we'll find out for sure from a Geekbench or the teardown. We can at least for sure add the iPad mini to the page. --[[User:5urd|5urd]] 11:36, 25 October 2012 (MDT)

== Adding vulnerability to main page ==

The page [[CVE-2013-0964]] is currently orphaned. I think it would fit under the "Vulnerabilities and Exploits" subheading. Can someone with adequate permission make the change? [[User:0x56|0x56]] ([[User talk:0x56|talk]]) 03:52, 12 September 2013 (UTC)

User:0x56

2013-09-12T03:45:42Z

0x56: contact info

Twitter: @0x56

IRC: x56 on Freenode, #openjailbreak or #jailbreakqa

Hoodoo 9B176 (iPod4,1)

2012-03-08T14:45:55Z

0x56: fixed oops

{{keys
| version = 5.1
| build = 9B176
| device = ipod41
| codename = Hoodoo
| downloadurl = http://appldnld.apple.com/iOS5/041-1542.20120307.Jyknq/iPod4,1_5.1_9B176_Restore.ipsw

| rootfsdmg = 038-1765-165
| rootfskey = TODO

| updatedmg = 038-1813-172
| updateiv = 78a5b5e905b90e50c0cdfa4f0859540e
| updatekey = e9a0754c02f259651587f150ee7a1e093429b9948c32157c58fb5619b0f9ee49

| restoredmg = 038-1800-166
| restoreiv = 25feaf8c2844ef2201a95fd28272e10a
| restorekey = b4ba159740f7572420b01a4a3c9e752e7d074f1b0e7ffe7732ac427f242779d5

| AppleLogoIV = 9d8c3366e67a76fba95288c2da08f677
| AppleLogoKey = b165b5f5eaa3f9c4caa1ead70db3075f80f2d9ad86be84cfa42188fac3ef3c09

| BatteryCharging0IV = TODO
| BatteryCharging0Key = TODO

| BatteryCharging1IV = TODO
| BatteryCharging1Key = TODO

| BatteryFullIV = TODO
| BatteryFullKey = TODO

| BatteryLow0IV = TODO
| BatteryLow0Key = TODO

| BatteryLow1IV = TODO
| BatteryLow1Key = TODO

| DeviceTreeIV = TODO
| DeviceTreeKey = TODO

| GlyphChargingIV = TODO
| GlyphChargingKey = TODO

| GlyphPluginIV = TODO
| GlyphPluginKey = TODO

| iBECIV = c8c8b3eba9a257c4ce0227098e431f23
| iBECKey = 0f6e9c878784f3b2ce6fa248cbf256dbfc77ca771c202f8c27e461ea4aa9e1aa

| iBootIV = 16641c07fe97051c445d21258722f3d1
| iBootKey = d302a0ba7253453bce4431dd5a2a04fbf4da9868c340eae633a0202fe0995155

| iBSSIV = ecd5bd9e4762aaae35637063420d54d1
| iBSSKey = a8ef6d02fa5958099fc58fbcc160066faafda0053916905c0009d33ef53c7d0d

| KernelcacheIV = 54f4e3ccb841cd9dcdd9d863534f73ee
| KernelcacheKey = c1223786e83a731e3302e8b8226577428710db176e46a741582c2479cc6d61eb

| LLBIV = 3f6f5128ae1198f57adf559123b1da1c
| LLBKey = 28dde68d793c8fa7abae54b479da5ce75369ae8cece745f7a435a5bf3b22e6bb

| RecoveryModeIV = TODO
| RecoveryModeKey = TODO
}}

Hoodoo 9B176 (iPod4,1)

2012-03-08T14:44:11Z

0x56: Created page with "{{keys | version = 5.1 | build = 9B176 | device = ipod41 | codename = Hoodoo | downloadurl = http://appldnld.apple...."

{{keys
| version = 5.1
| build = 9B176
| device = ipod41
| codename = Hoodoo
| downloadurl = http://appldnld.apple.com/iOS5/041-1542.20120307.Jyknq/iPod4,1_5.1_9B176_Restore.ipsw

| rootfsdmg = 038-1765-165
| rootfskey = TODO

| updatedmg = 038-1813-172
| updatedmgiv = 78a5b5e905b90e50c0cdfa4f0859540e
| updatedmgkey = e9a0754c02f259651587f150ee7a1e093429b9948c32157c58fb5619b0f9ee49

| restoredmg = 038-1800-166
| restoredmgiv = 25feaf8c2844ef2201a95fd28272e10a
| restoredmgkey = b4ba159740f7572420b01a4a3c9e752e7d074f1b0e7ffe7732ac427f242779d5

| AppleLogoIV = 9d8c3366e67a76fba95288c2da08f677
| AppleLogoKey = b165b5f5eaa3f9c4caa1ead70db3075f80f2d9ad86be84cfa42188fac3ef3c09

| BatteryCharging0IV = TODO
| BatteryCharging0Key = TODO

| BatteryCharging1IV = TODO
| BatteryCharging1Key = TODO

| BatteryFullIV = TODO
| BatteryFullKey = TODO

| BatteryLow0IV = TODO
| BatteryLow0Key = TODO

| BatteryLow1IV = TODO
| BatteryLow1Key = TODO

| DeviceTreeIV = TODO
| DeviceTreeKey = TODO

| GlyphChargingIV = TODO
| GlyphChargingKey = TODO

| GlyphPluginIV = TODO
| GlyphPluginKey = TODO

| iBECIV = c8c8b3eba9a257c4ce0227098e431f23
| iBECKey = 0f6e9c878784f3b2ce6fa248cbf256dbfc77ca771c202f8c27e461ea4aa9e1aa

| iBootIV = 16641c07fe97051c445d21258722f3d1
| iBootKey = d302a0ba7253453bce4431dd5a2a04fbf4da9868c340eae633a0202fe0995155

| iBSSIV = ecd5bd9e4762aaae35637063420d54d1
| iBSSKey = a8ef6d02fa5958099fc58fbcc160066faafda0053916905c0009d33ef53c7d0d

| KernelcacheIV = 54f4e3ccb841cd9dcdd9d863534f73ee
| KernelcacheKey = c1223786e83a731e3302e8b8226577428710db176e46a741582c2479cc6d61eb

| LLBIV = 3f6f5128ae1198f57adf559123b1da1c
| LLBKey = 28dde68d793c8fa7abae54b479da5ce75369ae8cece745f7a435a5bf3b22e6bb

| RecoveryModeIV = TODO
| RecoveryModeKey = TODO
}}

The iPhone Wiki:Community portal

2012-03-05T14:00:33Z

0x56:

{{Talk Archive|2010|2011|2012}}
This is the place to post tasks that need to be done on the wiki. Also this is the place for proposed changes. I heard about people wanting a favicon and arranging the main page into categories.

== Site Related Requests ==
=== AcidSn0w ===
Can I propose a page for acidsn0w? I heard that there was stolen code, so I haven't posted. --[[User:Dylan Laws|Dylan Laws]] 17:02, 17 January 2012 (MST)
:The first beta did use stolen code, but the second beta fixed that. As it is still in beta, a page may not be a good idea. It does have a good user-base as shown in their blog comments, but it is up to the sysops. If you are in the Pwn Dev Team, then NO. --[[User:5urd|5urd]] 17:09, 17 January 2012 (MST)
:: I am not in their team. :P I'll wait till/if they release it. --[[User:Dylan Laws|Dylan Laws]] 17:37, 17 January 2012 (MST)
:::I want to make something clear about this wiki, it's called "The iPhone Wiki", not "The iPhone Community Wiki", or even "The Jailbreaking Wiki". This site exists to document the iPhone, not who made what GUI. A jailbreak tool that doesn't introduce exploits or isn't very widely used isn't notable. To clarify, the [[Limera1n_Exploit]] page is far more valuable than the [[limera1n]] page. Please focus on adding technical content instead of thinly veiled advertisements. For example, it's appalling we don't have a page documenting [[ASLR]] --[[User:Geohot|geohot]] 23:16, 17 January 2012 (MST)
:::I would also like to see the Baseband ticket system documented --[[User:Geohot|geohot]] 14:48, 18 January 2012 (MST)

=== 2.2b1 ===
Is 2.2b1 5G26 or 5G27, because on [[Beta Firmware]], it says 5G27 while on the previous revisions of [[VFDecrypt Keys]] is said 5G26 --[[User:balloonhead66|5urd]] 18:47, 14 January 2012 (MST)

=== IMG3 File Key Grabbing ===
How does one grab the keys for the IMG3 files if they have a decrypted ramdisk? I have genpass, xpwn, and vfdecrypt, but what do I use to get keys for IMG3 files? --[[User:5urd|5urd]] 17:17, 2 February 2012 (MST)
:Unlike the vfdecrypt key, the keys for decrypting the [[IMG3_File_Format#Tags | IMG3]] are stored encrypted in the [[KBAG]] section of the IMG3 file itself, not the ramdisk. These keys are encrypted using the [[GID-key]], so access to the AES engine is required. On a device compatible with greenpois0n or openiBoot, this process is (loosely) documented [[AES_Keys#Running_The_Engine | here]]. I am working on implementing a method that can be performed on a jailbroken 4S or iPad 2 (is that is what you're looking for?) and will release when finished --[[User:0x56|0x56]] 20:12, 1 March 2012 (MST)
::Yah, running greenpois0n is my problem. I cant find the program. --[[User:5urd|5urd]] 21:02, 1 March 2012 (MST)
:::I was mistaken, I won't be able to accomplish this for the 4S or iPad 2 due to a limitation that was not documented here --[[User:0x56|0x56]] 07:00, 5 March 2012 (MST)

AES Keys

2012-03-02T15:45:02Z

0x56: made keys themselves subheadings of "Derived Keys"

The {{wp|System-on-a-chip|SoC}} in each device have an {{wp|Advanced_Encryption_Standard|AES}} coprocessor with the [[GID-key]] and [[UID-key]] built in.

==Running The Engine==
Currently, there are several ways to run the hardware AES engine:
* Patch [[iBoot (Bootloader)|iBoot]] to jump to aes_decrypt.
* Use [http://github.com/planetbeing/iphonelinux/tree/master OpenIBoot].
* Use the crypto bundle provided in [[XPwn]] to utilize it via userland. This method requires a kernel patch.
* Use [[Greenpois0n (toolkit)|Greenpois0n]] console.

If you want to decrypt [[IMG3 File Format|IMG3]] files you need to use this. The [[GID-key]] currently has not been extracted from the phone, so the only way to use it is on the phone itself.

See [[Grabbing IMG3 Keys]] for an [[iBoot (Bootloader)|iBoot]] patch.

==Derived keys==

Some derived keys are computed by the IOAESAccelerator kernel service at boot. These keys are generated by encrypting static values either with the UID key (0x7D0 identifier) or the GID key (0x3E8 identifier). The values defined in the iPhone 4 5.0 kernel are :
<pre>
__text:807E3000 keys_to_compute DCD 0x835,0x7D0,0x1010101,0x1010101,0x1010101,0x1010101
__text:807E3018 DCD 0x899,0x7D0,0xB5FCE8D1,0x8DBF3739,0xD14CC7EF,0xB0D4F1D0
__text:807E3030 DCD 0x89B,0x7D0,0x67993E18,0x543CB06B,0xF568A46F,0x49BD0C1C
__text:807E3048 DCD 0x89A,0x7D0,0x335B1FDB,0x1C5F6C60,0x66AA3419,0x61069C58
</pre>

===Key 0x835===

Generated by encrypting 01010101010101010101010101010101 with the [[UID-key]]. Used for data protection.

===Key 0x837===
Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with the [[S5L8900]] [[GID-key]], resulting in 188458A6D15034DFE386F23B61D43774.

It is used as the encryption key for [[S5L File Formats#IMG2|IMG2 files]]. With the introduction of [[IMG3 File Format|IMG3]] in iOS 2.0, [[KBAG]]s are now used instead of the 0x837 key. Because iOS versions 1.x were used only on the [[M68ap|iPhone]] and [[N45ap|iPod touch]] (both use the [[S5L8900]]) the encrypted values for other processors don't matter.

===Key 0x89A===
For A4 devices:
Generated by encrypting DB1F5B33606C5F1C1934AA66589C0661 with the [[UID-key]], getting a device-specific key.

It is used to encrypt the [[SHSH]] blobs on the device.

===Key 0x89B===

Generated by encrypting 183E99676BB03C546FA468F51C0CBD49 with the [[UID-key]]. It is used the encrypt the data partition key.

===Key 0x899===

Generated by encrypting D1E8FCB53937BF8DEFC74CD1D0F1D4B0 with the [[UID-key]]. Usage unknown.

==Using [[Greenpois0n (toolkit)|greenpois0n]] to get the keys==
* Run steps 1 thru 5 from [[PwnStrap]]
* Use 'xpwntool file.img3 /dev/null' to extract the KBAG hex string from ''file.img3''
* Start greenpois0n console: irecovery -s
* Execute 'go aes dec _KBAG_STRING_' in irecovery console

==Resources==
[http://wikee.iphwn.org/s5l8900:encryption_keys Dev Team wiki]

Kernel Syscalls

2012-03-02T03:15:44Z

0x56: fixed markup

== Note on these ==
Args go in their normal registers, like arg1 in R0, as usual. Syscall # goes in IP (that's intra-procedural, not instruction pointer!), a.k.a R12.

As in all ARM (i.e. also on Android) the kernel entry is accomplished by the SVC command (SWI in some debuggers and ARM dialects). On the kernel end, a low level CPU exception handler (fleh_swi) is installed as part of the ExceptionVectorsBase, and - upon issuing a SWI/SVC - control is transferred to that address. This handler can check the syscall number to distinguish between POSIX calls (non negative) and Mach traps (negative).

== Unix ==

=== Usage ===
<pre>
MOV IP, #x // number from following list into Intraprocedural, a.k.a. r12
SVC 0x80 // Formerly, SWI (software interrupt)
</pre>

For example:
<pre>

(gdb) disass chown
0x30d2ad54 <chown>: mov r12, #16 ; 0x10, being # of chown
0x30d2ad58 <chown+4>: svc 0x00000080
</pre>

Most of these are the same as you would find in the XNU open source kernel, with ARM idiosyncrasies aside (and #372, ledger)

=== List ===
* '''exit''': 1
* '''fork''': 2
* '''read''': 3
* '''write''': 4
* '''open''': 5
* '''close''': 6
* '''wait4''': 7
* '''link''': 9
* '''unlink''': 10
* '''chdir''': 12
* '''fchdir''': 13
* '''mknod''': 14
* '''chmod''': 15
* '''chown''': 16
* '''getfsstat''': 18
* '''getpid''': 20
* '''setuid''': 23
* '''getuid''': 24
* '''geteuid''': 25
* '''ptrace''': 26
* '''recvmsg''': 27
* '''sendmsg''': 28
* '''recvfrom''': 29
* '''accept''': 30
* '''getpeername''': 31
* '''getsockname''': 32
* '''access''': 33
* '''chflags''': 34
* '''fchflags''': 35
* '''sync''': 36
* '''kill''': 37
* '''getppid''': 39
* '''dup''': 41
* '''pipe''': 42
* '''getegid''': 43
* '''profil''': 44
* '''sigaction''': 46
* '''getgid''': 47
* '''sigprocmask''': 48
* '''getlogin''': 49
* '''setlogin''': 50
* '''acct''': 51
* '''sigpending''': 52
* '''signalstack''': 53
* '''ioctl''': 54
* '''reboot''': 55
* '''revoke''': 56
* '''symlink''': 57
* '''readlink''': 58
* '''execve''': 59
* '''umask''': 60
* '''chroot''': 61
* '''msync''': 65
* '''vfork''': 66
* '''munmap''': 73
* '''mprotect''': 74
* '''madvise''': 75
* '''mincore''': 78
* '''getgroups''': 79
* '''setgroups''': 80
* '''getpgrp''': 81
* '''setpgid''': 82
* '''setitimer''': 83
* '''swapon''': 85
* '''getitimer''': 86
* '''getdtablesize''': 89
* '''dup2''': 90
* '''fnctl''': 92
* '''select''': 93
* '''fsync''': 95
* '''setpriority''': 96
* '''socket''': 97
* '''connect''': 98
* '''getpriority''': 100
* '''bind''': 104
* '''setsockopt''': 105
* '''listen''': 106
* '''sigsuspend''': 111
* '''gettimeofday''': 116
* '''getrusage''': 117
* '''getsockopt''': 118
* '''readv''': 120
* '''writev''': 121
* '''settimeofday''': 122
* '''fchown''': 123
* '''fchmod''': 124
* '''setreuid''': 126
* '''setregid''': 127
* '''rename''': 128
* '''flock''': 131
* '''mkfifo''': 132
* '''sendto''': 133
* '''shutdown''': 134
* '''socketpair''': 135
* '''mkdir''': 136
* '''rmdir''': 137
* '''utimes''': 138
* '''futimes''': 139
* '''adjtime''': 140
* '''gethostuuid''': 142
* '''setsid''': 145
* '''getpgid''': 151
* '''setprivexec''': 152
* '''pread''': 153
* '''pwrite''': 154
* '''statfs''': 157
* '''fstatfs''': 158
* '''unmount''': 159
* '''quotactl''': 165
* '''mount''': 167
* '''csops''': 169
* '''waitid''': 173
* '''add_profil''': 176
* '''kdebug_trace''': 180
* '''setgid''': 181
* '''setegid''': 182
* '''seteuid''': 183
* '''sigreturn''': 184
* '''chod''': 185
* '''fdatasync''': 187
* '''stat''': 188
* '''fstat''': 189
* '''lstat''': 190
* '''pathconf''': 191
* '''fpathconf''': 192
* '''getrlimit''': 194
* '''setrlimit''': 195
* '''getdirentries''': 196
* '''mmap''': 197
* '''lseek''': 199
* '''truncate''': 200
* '''ftruncate''': 201
* '''__sysctl''': 202
* '''mlock''': 203
* '''munlock''': 204
* '''undelete''': 205
* '''mkcomplex''': 216
* '''statv''': 217
* '''lstatv''': 218
* '''fstatv''': 219
* '''getattrlist''': 220
* '''setattrlist''': 221
* '''getdirentriesattr''': 222
* '''exchangedata''': 223
* '''fsgetpath''': 224
* '''searchfs''': 225
* '''delete''': 226
* '''copyfile''': 227
* '''fgetattrlist''': 228
* '''fsetattrlist''': 229
* '''poll''': 230
* '''watchevent''': 231
* '''waitevent''': 232
* '''modwatch''': 233
* '''getxattr''': 234
* '''fgetxattr''': 235
* '''setxattr''': 236
* '''fsetxattr''': 237
* '''removexattr''': 238
* '''fremovexattr''': 239
* '''listxattr''': 240
* '''flistxattr''': 241
* '''fsctl''': 242
* '''initgroups''': 243
* '''posix_spawn''': 244
* '''ffsctl''': 245
* '''minherit''': 250
* '''shm_open''': 266
* '''shm_unlink''': 267
* '''sem_open''': 268
* '''sem_close''': 269
* '''sem_unlink''': 270
* '''sem_wait''': 271
* '''sem_trywait''': 272
* '''sem_post''': 273
* '''sem_getvalue''': 274
* '''sem_init''': 275
* '''sem_destroy''': 276
* '''open_extended''': 277
* '''umask_extended''': 278
* '''stat_extended''': 279
* '''lstat_extended''': 280
* '''fstat_extended''': 281
* '''chmod_extended''': 282
* '''fchmod_extended''': 283
* '''access_extended''': 284
* '''settid''': 285
* '''gettid''': 286
* '''setsgroups''': 287
* '''getsgroups''': 288
* '''setwgroups''': 289
* '''getwgroups''': 290
* '''mkfifo_extended''': 291
* '''mkdir_extended''': 292
* '''identitysvc''': 293
* '''shared_region_check_np''': 294
* '''shared_region_map_np''': 295
* '''vm_pressure_monitor''': 296
* '''__pthread_mutex_destroy''': 301
* '''__pthread_mutex_init''': 302
* '''__pthread_mutex_lock''': 303
* '''__pthread_mutex_trylock''': 304
* '''__pthread_mutex_unlock''': 305
* '''__pthread_cond_init''': 306
* '''__pthread_cond_destroy''': 307
* '''__pthread_cond_broadcast''': 308
* '''__pthread_cond_signal''': 309
* '''getsid''': 310
* '''settid_with_pid''': 311
* '''__pthread_cond_timedwait''': 312
* '''aio_fsync''': 313
* '''aio_return''': 314
* '''aio_suspend''': 315
* '''aio_cancel''': 316
* '''aio_error''': 317
* '''aio_read''': 318
* '''aio_write''': 319
* '''lio_listio''': 320
* '''__pthread_cond_wait''': 321
* '''iopolicysys''': 322
* '''mlockall''': 324
* '''munlockall''': 325
* '''issetugid''': 327
* '''__pthread_kill''': 328
* '''__pthread_sigmask''': 329
* '''__sigwait''': 330
* '''__disable_threadsignal''': 331
* '''__pthread_markcancel''': 332
* '''__pthread_canceled''': 333
* '''proc_info''': 336
* '''stat64''': 338
* '''fstat64''': 339
* '''lstat64''': 340
* '''stat64_extended''': 341
* '''lstat64_extended''': 342
* '''fstat64_extended''': 343
* '''getdirectories64''': 344
* '''statfs64''': 345
* '''fstatfs64''': 346
* '''getfsstat64''': 347
* '''__pthread_chdir''': 348
* '''__pthread_fchdir''': 349
* '''kqueue''': 362
* '''kevent''': 363
* '''lchown''': 364
* '''stack_snapshot''': 365
* '''kevent64''': 369
* '''__semwait_signal''': 370
* '''__semwait_signal_nocancel''': 371
* '''ledger''': 372 - This Syscall exists only in iOS, having been taken out of OS X a while ago.

The following syscalls are for BSD's Mandatory Access Control, on top of which Apple's "SandBox" (sandbox.kext) is implemented

* '''__mac_execve''': 380
* '''__mac_syscall''': 381
* '''__mac_get_file''': 382
* '''__mac_set_file''': 383
* '''__mac_get_link''': 384
* '''__mac_set_link''': 385
* '''__mac_get_proc''': 386
* '''__mac_set_proc''': 387
* '''__mac_get_fd''': 388
* '''__mac_set_fd''': 389
* '''__mac_get_pid''': 390
* '''__mac_get_lcid''': 391
* '''__mac_get_lctx''': 392
* '''__mac_set_lctx''': 393

---------

* '''setlcid''': 394
* '''getlcid''': 395

The "nocancel"s are the same as their cancellable counterparts. In most cases, the latter are just wrappers, with a call to __pthread_testcancel(1);

* '''read_nocancel''': 396
* '''write_nocancel''': 397
* '''open_nocancel''': 398
* '''close_nocancel''': 399
* '''wait4_nocancel''': 400
* '''recvmsg_nocancel''': 401
* '''sendmsg_nocancel''': 402
* '''recvfrom_nocancel''': 403
* '''accept_nocancel''': 404
* '''msync_nocancel''': 405
* '''fnctl_nocancel''': 406
* '''select_nocancel''': 407
* '''fsync_nocancel''': 408
* '''connect_nocancel''': 409
* '''sigsuspend_nocancel''': 410
* '''readv_nocancel''': 411
* '''writev_nocancel''': 412
* '''sendto_nocancel''': 413
* '''pread_nocancel''': 414
* '''pwrite_nocancel''': 415
* '''waitid_nocancel''': 416
* '''poll_nocancel''': 417
* '''sem_wait_nocancel''': 420
* '''aio_suspend_nocancel''': 421
* '''__sigwait_nocancel''': 422
* '''__semwait_signal_nocancel''': 423
---------------------------------------------------------------------
* '''__mac_mount''': 424
* '''__mac_get_mount''': 425
* '''__mac_getfsstat''': 426
* '''fsgetpath_1''': 427
* '''_audit_session_self''': 428
* '''audit_session_join''': 429
* '''fileport_makeport''': 430
* '''fileport_makefd''': 431
* '''audit_session_port''': 432
* '''pid_suspend''': 433
* '''pid_resume''': 434
* '''pid_hibernate''': 435
* '''pid_shutdown_sockets''': 436
* '''(unused)''': 437
* '''shared_region_map_and_slide_np''': 438 (used in ASLR)

== CPU ==
'''Note: the following are probably incorrect. These are carried out by ARM control registers (MRC, MCR commands)'''
Who put these in, in the first place?
=== Usage ===
<pre>
MOV R12, #x // number from list
swi 0x80
bx lr
</pre>
<del>
=== List ===
* '''Clear Instruction Cache''': 0
* '''Flush Data Cache''': 1
* '''_pthread_set_self''': 2
* '''Unknown''': 3
</del>

The iPhone Wiki:Community portal

2012-03-02T03:12:31Z

0x56: RE: IMG3 File Key Grabbing

Apex 8A2062a

2011-10-12T08:43:28Z

0x56: added link to usbmux page

'''Inferno 8A2062a''' is, apparently, an internal [[firmware]] used for testing. It was discovered on an [[N90ap|iPhone 4]] (GSM), but may be in use for other iDevices.

== Legacy ==
Although Inferno comes in an [[IPSW File Format|IPSW]], flashing it via [[iTunes]] causes an error. Inferno is flashed using [[PurpleRestore]].

== Interface ==
All tests are performed via a [[Usbmux | usbmux]] interface. During that time the iPhone displays a picture of a fireball. Partial output is displayed at the bottom.

However when display tests are run, different output is produced.

== Media ==
*[http://www.csmonitor.com/var/ezflow_site/storage/images/media/images/0512-iphone-4g-vietnam/7883588-1-eng-US/0512-iPhone-4G-vietnam_full_600.jpg Photo 1]
*[http://www.handyfreakz.info/wp-content/uploads/2010/05/Iphone-4G-Vietnam.jpg Photo 2]
*[http://www.youtube.com/watch?v=6AAnUHePbe4 YouTube video]

== Source ==
This has been seen on the second leaked iPhone 4 from Vietnam.

== See Also ==
* [[Inferno (utility)]]

Normal Mode

2011-10-12T08:40:37Z

0x56: moved usbmux related links to usbmux page

This is the protocol [[iTunes]] uses to talk to the booted iPhone. It uses [[Usbmux | usbmux]] to provide TCP like connectivity over a USB port using SSL. There is a pairing process iTunes uses to establish the secure channel. File transfer is provided by [[AFC]].

==Device IDs==
It appears that it uses different device IDs:
* [[M68ap|iPhone]] - 0x1290
* [[N82ap|iPhone 3G]] - 0x1292
* [[N88ap|iPhone 3GS]] - 0x1294
* [[N90ap|iPhone 4 GSM]] - 0x1297
* [[N92ap|iPhone 4 CDMA]] - 0x129c

* [[N45ap|iPod touch]] - 0x1291
* [[N72ap|iPod touch 2G]] - 0x1293
* [[N18ap|iPod touch 3G]] - 0x1299
* [[N81ap|iPod touch 4G]] - 0x129e

* [[K48ap|iPad]] - 0x129a
* [[K93ap|iPad 2 Wi-Fi]] - 0x129f
* [[K94ap|iPad 2 GSM]] - 0x12a2
* [[K95ap|iPad 2 CDMA]] - 0x12a3

* [[K66ap|Apple TV 2G]] -

==Patch: Disable SSL==
There is a way to disable SSL encyption during iTunes communication on jailbroken devices by patching lockdownd binary:

:(#) Disable SSL protection
:(#) FW 2.1
:(#) binary /usr/libexec/lockdownd
:-0x1000
'''Offset''' 000112F8: 0C 30 98 E5 > 00 30 A0 E3 ; Conn.UseSSL = false

After applying the patch all packets between iPhone and iTunes become plain and clear. Musthave for R&D ppl.

[[Category:Protocols (S5L)]]

Usbmux

2011-10-12T08:37:15Z

0x56: added resources links

During normal operations, iTunes communicates with the iPhone using something called “usbmux” – this is a system for multiplexing several “connections” over one USB pipe. Conceptually, it provides a TCP-like system – processes on the host machine open up connections to specific, numbered ports on the mobile device. (This resemblance is more than superficial – on the mobile device, usbmuxd actually makes TCP connections to localhost using the port number you give it.)

On the Mac, this is handled by /System/Library/PrivateFrameworks/MobileDevice.framework/Resources/usbmuxd, a daemon that is started by launchd (see /System/Library/LaunchDaemons/ com.apple.usbmuxd.plist). It creates a listening UNIX Domain Socket at /var/run/usbmuxd. usbmuxd then watches for iPhone connections via USB; when it detects an iPhone running in normal user mode (as opposed to recovery mode), it will connect to it and then start relaying requests that it receives via /var/run/usbmuxd – this is to say, usbmuxd is the only thing that actually speaks USB to the iPhone. This means that third-party applications which wish to talk to the iPhone must either do so through usbmuxd, or usbmuxd must be replaced.

== Layered Communications ==

Communications between the host (generally, iTunes running on a Mac or Windows machine) and the device (an iPhone or iPod Touch) take place using a complicated scheme of nested layers. From lowest level to highest, they are:

* USB protocol: multiplexes multiple data streams over one pair of bulk endpoints
* usbmuxd protocol: provides a way of opening connections to TCP ports on the device
* lockdownd protocol: tbd
* iTunesHelper?
* AFC?

== Client to usbmuxd ==

When a process on the host machine wants to talk to the iPhone, it opens up a connection to /var/run/usbmuxd. It then performs an initial handshake; after this handshake, the data in the socket is transparently tunneled to the specified TCP port on the phone. An easy way to watch this happen is to use socat, like so:

sudo mv /var/run/usbmuxd /var/run/usbmuxx
sudo socat -t100 -x -v UNIX-LISTEN:/var/run/usbmuxd,mode=777,reuseaddr,fork UNIX-CONNECT:/var/run/usbmuxx

=== Data structures ===

All data structures are little-endian

struct usbmux_header {
u32 length; // length of message, including header
u32 reserved; // always zero
u32 type; // message type
u32 tag; // responses to this query will echo back this tag
};

struct usbmux_result {
struct usbmux_header header;
u32 result;
};

struct usbmux_connect_request {
struct usbmux_header header;
u32 device_id;
u16 port; // TCP port number
};

enum {
usbmux_result = 1,
usbmux_connect = 2,
usbmux_hello = 3,
};

=== Sequence of Events ===

1) Client opens connection to /var/run/usbmuxd

2) Client sends "Hello" packet:
10000000 00000000 03000000 02000000
(length = 0x10, reserved = 0, type = 3, tag = 2)

3) Client receives "Hello" response:
14000000 00000000 01000000 02000000 00000000
(length = 0x14, type = 1, tag = 2, result = 0)

4) Client receives device ID:
1c 01 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
19 00 00 00 91 12 31 33 31 34 64 66 34 61 30 30 ......1314df4a00
65 37 31 37 35 35 62 31 32 30 31 66 64 36 34 34 e71755b1201fd644
35 34 63 63 35 38 36 39 39 63 30 31 66 64 00 00 54cc58699c01fd..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...]
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 10 fd ............
(length=0x1c1, type = 4, tag = 0, device_id = 0x19, usb_product_id = 0x1291, serial number string = "1314.....01fd".... ?)

5) Client sends TCP connect request:
18000000 00000000 02000000 03000000 19000000 00160000
(length = 0x18, type = 2, tag = 3, device_id = 0x19, port = 0x0016 (big-endian) = 22)

6) Client receives ACK:

* Connection refused:
14000000 00000000 01000000 03000000 03000000
(length = 0x14, type = 1, tag = 3, result = 3 -- connection refused?)

* Connection established:
14000000 00000000 01000000 03000000 00000000
(length = 0x14, type = 1, tag = 3, result = 0 -- no error)

From this point on, data is piped directly between the unix socket on the host and the TCP port on the device.

== lockdownd protocol ==

lockdownd uses port 62078. It uses a simple packet format - each packet is a 32-bit big-endian word indicating the size of the payload of the packet. Packets are in XML plist format, unless otherwise stated; the first two packets are shown in full, and the rest are abbreviated for the sake of readability.

Example: plug iTouch into iTunes

1. request: {Label=iTunesHelper, Request=QueryType}
0000011d (length of request, now in big-endian!)

ASCII payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>iTunesHelper</string>
<key>Request</key>
<string>QueryType</string>
</dict>
</plist>

2. response: {Request=QueryType, Result=Success, Type=com.apple.mobile.lockdown}
00000156 (length)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Request</key>
<string>QueryType</string>
<key>Result</key>
<string>Success</string>
<key>Type</key>
<string>com.apple.mobile.lockdown</string>
</dict>
</plist>

3. request: {Label=iTunesHelper, PairRecord={DeviceCertificate=xxxx,HostCertificate=xxxx,HostID=xxxx,RootCertificate=xxxx}, Request=ValidatePair}

<dict>
<key>Label</key>
<string>iTunesHelper</string>
<key>PairRecord</key>
<dict>
<key>DeviceCertificate</key>
<data>
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNOVENDQVIyZ0F3SUJB
[...]
RVJUSUZJQ0FURS0tLS0tCg==
</data>
<key>HostCertificate</key>
<data>
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN1akNDQWFLZ0F3SUJB
[...]
UlRJRklDQVRFLS0tLS0K
</data>
<key>HostID</key>
<string>D7......-....-....-....-........4EFE</string>
<key>RootCertificate</key>
<data>
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNyVENDQVpXZ0F3SUJB
[...]
NUVPRitjZVFNcUovZHBFdz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
</data>
</dict>
<key>Request</key>
<string>ValidatePair</string>
</dict>

4. response: {Request=ValidatePair, Result=Success}

<dict>
<key>Request</key>
<string>ValidatePair</string>
<key>Result</key>
<string>Success</string>
</dict>

5. request: {HostID=xxx, Label=iTunesHelper, Request=StartSession}

<dict>
<key>HostID</key>
<string>D7......-....-....-....-........4EFE</string>
<key>Label</key>
<string>iTunesHelper</string>
<key>Request</key>
<string>StartSession</string>
</dict>

6. response: {EnableSessionSSL=true, Request=StartSession, Result=Success, SessionID=xxx}

<dict>
<key>EnableSessionSSL</key>
<true/>
<key>Request</key>
<string>StartSession</string>
<key>Result</key>
<string>Success</string>
<key>SessionID</key>
<string>DE622607-91A9-4DA7-A38C-F6DC1F8EF24F</string>
</dict>

== usbmuxd to iPhone ==

(TBD …)

== Acknowledgements ==

This document was originally part of wikee.iphwn.org, which no longer seems to exist. This version was pulled from archive.org on 12 Oct 2011, and was last edited on 13 Jul 2008. All credit for this document should go to the iPhone Dev Team.

== Resources ==

* [[MobileDevice Library]]
* [http://libimobiledevice.org/docs/html/files.html Protocol Documentation]
* [http://libimobiledevice.org/ iFuse]

Normal Mode

2011-10-12T08:33:35Z

0x56: /* Resources */ updated usbmux link to point to new page

This is the protocol [[iTunes]] uses to talk to the booted iPhone. It uses usbmux to provide TCP like connectivity over a USB port using SSL. There is a pairing process iTunes uses to establish the secure channel. File transfer is provided by [[AFC]].

==Device IDs==
It appears that it uses different device IDs:
* [[M68ap|iPhone]] - 0x1290
* [[N82ap|iPhone 3G]] - 0x1292
* [[N88ap|iPhone 3GS]] - 0x1294
* [[N90ap|iPhone 4 GSM]] - 0x1297
* [[N92ap|iPhone 4 CDMA]] - 0x129c

* [[N45ap|iPod touch]] - 0x1291
* [[N72ap|iPod touch 2G]] - 0x1293
* [[N18ap|iPod touch 3G]] - 0x1299
* [[N81ap|iPod touch 4G]] - 0x129e

* [[K48ap|iPad]] - 0x129a
* [[K93ap|iPad 2 Wi-Fi]] - 0x129f
* [[K94ap|iPad 2 GSM]] - 0x12a2
* [[K95ap|iPad 2 CDMA]] - 0x12a3

* [[K66ap|Apple TV 2G]] -

==Patch: Disable SSL==
There is a way to disable SSL encyption during iTunes communication on jailbroken devices by patching lockdownd binary:

:(#) Disable SSL protection
:(#) FW 2.1
:(#) binary /usr/libexec/lockdownd
:-0x1000
'''Offset''' 000112F8: 0C 30 98 E5 > 00 30 A0 E3 ; Conn.UseSSL = false

After applying the patch all packets between iPhone and iTunes become plain and clear. Musthave for R&D ppl.
==USBMux Protocol==

===Resources===
* [[MobileDevice Library]]
* [[Usbmux | usbmux - iPhone Dev Team]]
* [http://libimobiledevice.org/docs/html/files.html Protocol Documentation]
* [http://libimobiledevice.org/ iFuse]

[[Category:Protocols (S5L)]]

Usbmux

2011-10-12T08:29:24Z

0x56: iPhone Dev Team writeup on usbmux