https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=ChronicDevThe iPhone Wiki - User contributions [en]2026-04-29T13:56:11ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=Talk:Address_Mapping&diff=9960Talk:Address Mapping2010-10-06T04:50:40Z<p>ChronicDev: source?</p>
<hr />
<div>== source? ==<br />
<br />
any idea where these came from? they look awfully like the names of functions in an IDB that I made for the bootrom of ipt2 (the one used to analyze bootrom for 24kPwn) about 2 years ago, and I don't think I gave that out to anyone. just curious where you got all the function names. [[User:ChronicDev|Will Strafach]] 04:50, 6 October 2010 (UTC)</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=/Applications/iOS_Diagnostics.app&diff=9857/Applications/iOS Diagnostics.app2010-10-03T13:43:02Z<p>ChronicDev: </p>
<hr />
<div>[[Image:IOS-Diagnostics.png|250px|thumb|right]]<br />
This (hidden) application is an iOS version of an Apple Internal Mac application named "Behavior Scan", used at the Genius Bar to detect and test different aspects of the device. It was added so that users could be better helped over the phone instead of making them come in to an Apple Store for support.<br />
<br />
It sends data about the device to https://iosdiags.apple.com/MR3Server/MR3Post. The URL schema that it utilizes is <code>diags://<ticket number></code>, where <ticket number> is the support ticket number given to them by Apple over the phone to allow them to send tehir device's data over to Apple.<br />
<br />
<div style="clear:both;"></div><br />
==Localization strings==<br />
Extracting its English localization strings yields these:<br />
<pre style="word-wrap:break-word;"><br />
/* Privacy Information */<br />
"By clicking “Send to Apple” you agree that Apple may periodically collect diagnostic data from this device, including the device serial number, device name and daily count of call attempts. This data will be used to troubleshoot issues with your device and to improve our products and services. For information on Apple’s Privacy Policy, see <a href=\"http://www.apple.com/legal/privacy\">http://www.apple.com/legal/privacy</a>." = "By clicking “Send to Apple” you agree that Apple may periodically collect diagnostic data from this device, including the device serial number, device name and daily count of call attempts. This data will be used to troubleshoot issues with your device and to improve our products and services. For information on Apple’s Privacy Policy, see <a href=\"http://www.apple.com/legal/privacy\">http://www.apple.com/legal/privacy</a>.";<br />
<br />
/* Cancel */<br />
"Cancel" = "Cancel";<br />
<br />
/* Done */<br />
"Done" = "Done";<br />
<br />
/* App Title */<br />
"iOS Diagnostics" = "iOS Diagnostics";<br />
<br />
/* Last Sent: */<br />
"Last Sent:" = "Last Sent:";<br />
<br />
/* Never */<br />
"Never" = "Never";<br />
<br />
/* Next */<br />
"Next" = "Next";<br />
<br />
/* OK */<br />
"OK" = "OK";<br />
<br />
/* Send to Apple */<br />
"Send to Apple" = "Send to Apple";<br />
<br />
/* Sending to Apple... */<br />
"Sending to Apple..." = "Sending to Apple...";<br />
<br />
/* Ticket number is not valid error message */<br />
"The ticket number was not found. Verify the number and try again." = "The ticket number was not found. Verify the number and try again.";<br />
<br />
/* Submission error message */<br />
"There was an issue with your submission. Please make sure you are connected to the internet and try again." = "There was an issue with your submission. Please make sure you are connected to the internet and try again.";<br />
<br />
/* Ticket Number Placeholder */<br />
"Ticket Number" = "Ticket Number";<br />
<br />
/* Ticket Number: */<br />
"Ticket Number:" = "Ticket Number:";<br />
<br />
/* Ticket validation server is unavailable error message */<br />
"Ticket validation has failed. Please make sure you are connected to the internet and try again." = "Ticket validation has failed. Please make sure you are connected to the internet and try again.";<br />
<br />
/* Enter Ticket Number */<br />
"To receive support services, enter the ticket number you were given." = "To receive support services, enter the ticket number you were given.";<br />
<br />
/* Submission success message */<br />
"Your information has been received by Apple." = "Your information has been received by Apple.";<br />
</pre><br />
<br />
==Reference==<br />
[http://forums.macrumors.com/showthread.php?t=1008756 Analysis on MacRumors forums]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=/Applications/iOS_Diagnostics.app&diff=9856/Applications/iOS Diagnostics.app2010-10-03T13:42:29Z<p>ChronicDev: Added some information, removed other useless information along with false information.</p>
<hr />
<div>[[Image:IOS-Diagnostics.png|250px|thumb|right]]<br />
This (hidden) application is an iOS version of an Apple Internal Mac application named "Behavior Scan", used at the Genius Bar to detect and test different aspects of the device. It was added so that users could be better helped over the phone instead of making them come in to an Apple Store for support.<br />
<br />
It sends data about the device to https://iosdiags.apple.com/MR3Server/MR3Post. It's URL schema is <code>diags://<ticket number></code>, where <ticket number> is the support ticket number given to them by Apple over the phone to allow them to send tehir device's data over to Apple.<br />
<br />
<div style="clear:both;"></div><br />
==Localization strings==<br />
Extracting its English localization strings yields these:<br />
<pre style="word-wrap:break-word;"><br />
/* Privacy Information */<br />
"By clicking “Send to Apple” you agree that Apple may periodically collect diagnostic data from this device, including the device serial number, device name and daily count of call attempts. This data will be used to troubleshoot issues with your device and to improve our products and services. For information on Apple’s Privacy Policy, see <a href=\"http://www.apple.com/legal/privacy\">http://www.apple.com/legal/privacy</a>." = "By clicking “Send to Apple” you agree that Apple may periodically collect diagnostic data from this device, including the device serial number, device name and daily count of call attempts. This data will be used to troubleshoot issues with your device and to improve our products and services. For information on Apple’s Privacy Policy, see <a href=\"http://www.apple.com/legal/privacy\">http://www.apple.com/legal/privacy</a>.";<br />
<br />
/* Cancel */<br />
"Cancel" = "Cancel";<br />
<br />
/* Done */<br />
"Done" = "Done";<br />
<br />
/* App Title */<br />
"iOS Diagnostics" = "iOS Diagnostics";<br />
<br />
/* Last Sent: */<br />
"Last Sent:" = "Last Sent:";<br />
<br />
/* Never */<br />
"Never" = "Never";<br />
<br />
/* Next */<br />
"Next" = "Next";<br />
<br />
/* OK */<br />
"OK" = "OK";<br />
<br />
/* Send to Apple */<br />
"Send to Apple" = "Send to Apple";<br />
<br />
/* Sending to Apple... */<br />
"Sending to Apple..." = "Sending to Apple...";<br />
<br />
/* Ticket number is not valid error message */<br />
"The ticket number was not found. Verify the number and try again." = "The ticket number was not found. Verify the number and try again.";<br />
<br />
/* Submission error message */<br />
"There was an issue with your submission. Please make sure you are connected to the internet and try again." = "There was an issue with your submission. Please make sure you are connected to the internet and try again.";<br />
<br />
/* Ticket Number Placeholder */<br />
"Ticket Number" = "Ticket Number";<br />
<br />
/* Ticket Number: */<br />
"Ticket Number:" = "Ticket Number:";<br />
<br />
/* Ticket validation server is unavailable error message */<br />
"Ticket validation has failed. Please make sure you are connected to the internet and try again." = "Ticket validation has failed. Please make sure you are connected to the internet and try again.";<br />
<br />
/* Enter Ticket Number */<br />
"To receive support services, enter the ticket number you were given." = "To receive support services, enter the ticket number you were given.";<br />
<br />
/* Submission success message */<br />
"Your information has been received by Apple." = "Your information has been received by Apple.";<br />
</pre><br />
<br />
==Reference==<br />
[http://forums.macrumors.com/showthread.php?t=1008756 Analysis on MacRumors forums]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Kernel_Syscalls&diff=9829Kernel Syscalls2010-10-02T19:27:48Z<p>ChronicDev: /* CPU */</p>
<hr />
<div>== Note on these ==<br />
Args go in their normal registers, like arg1 in R0, as usual...<br />
<br />
== CPU ==<br />
'''Unconfirmed''': These may not work on iOS 4 and beyond.<br />
<br />
=== Usage ===<br />
<pre><br />
MOV R3, #x // number from list<br />
MOV IP, #0x80000000<br />
swi 0x80<br />
</pre><br />
<br />
=== List ===<br />
* '''Clear Instruction Cache''': 0<br />
* '''Flush Data Cache''': 1<br />
* '''_pthread_set_self''': 2<br />
* '''Unknown''': 3<br />
<br />
== Unix ==<br />
=== Usage ===<br />
<pre><br />
MOV IP, #x // number from list<br />
swi 0x80<br />
</pre><br />
<br />
=== List ===<br />
* '''exit''': 1<br />
* '''fork''': 2<br />
* '''read''': 3<br />
* '''write''': 4<br />
* '''open''': 5<br />
* '''close''': 6<br />
* '''wait4''': 7<br />
* '''link''': 9<br />
* '''unlink''': 10<br />
* '''chdir''': 12<br />
* '''fchdir''': 13<br />
* '''mknod''': 14<br />
* '''chmod''': 15<br />
* '''chown''': 16<br />
* '''getfsstat''': 18<br />
* '''getpid''': 20<br />
* '''setuid''': 23<br />
* '''getuid''': 24<br />
* '''geteuid''': 25<br />
* '''ptrace''': 26<br />
* '''recvmsg''': 27<br />
* '''sendmsg''': 28<br />
* '''recvfrom''': 29<br />
* '''accept''': 30<br />
* '''getpeername''': 31<br />
* '''getsockname''': 32<br />
* '''access''': 33<br />
* '''chflags''': 34<br />
* '''fchflags''': 35<br />
* '''sync''': 36<br />
* '''kill''': 37<br />
* '''getppid''': 39<br />
* '''dup''': 41<br />
* '''pipe''': 42<br />
* '''getegid''': 43<br />
* '''profil''': 44<br />
* '''sigaction''': 46<br />
* '''getgid''': 47<br />
* '''sigprocmask''': 48<br />
* '''getlogin''': 49<br />
* '''setlogin''': 50<br />
* '''acct''': 51<br />
* '''sigpending''': 52<br />
* '''signalstack''': 53<br />
* '''ioctl''': 54<br />
* '''reboot''': 55<br />
* '''revoke''': 56<br />
* '''symlink''': 57<br />
* '''readlink''': 58<br />
* '''execve''': 59<br />
* '''umask''': 60<br />
* '''chroot''': 61<br />
* '''msync''': 65<br />
* '''vfork''': 66<br />
* '''munmap''': 73<br />
* '''mprotect''': 74<br />
* '''madvise''': 75<br />
* '''mincore''': 78<br />
* '''getgroups''': 79<br />
* '''setgroups''': 80<br />
* '''getpgrp''': 81<br />
* '''setpgid''': 82<br />
* '''setitimer''': 83<br />
* '''swapon''': 85<br />
* '''getitimer''': 86<br />
* '''getdtablesize''': 89<br />
* '''dup2''': 90<br />
* '''fnctl''': 92<br />
* '''select''': 93<br />
* '''fsync''': 95<br />
* '''setpriority''': 96<br />
* '''socket''': 97<br />
* '''connect''': 98<br />
* '''getpriority''': 100<br />
* '''bind''': 104<br />
* '''setsockopt''': 105<br />
* '''listen''': 106<br />
* '''sigsuspend''': 111<br />
* '''gettimeofday''': 116<br />
* '''getrusage''': 117<br />
* '''getsockopt''': 118<br />
* '''readv''': 120<br />
* '''writev''': 121<br />
* '''settimeofday''': 122<br />
* '''fchown''': 123<br />
* '''fchmod''': 124<br />
* '''setreuid''': 126<br />
* '''setregid''': 127<br />
* '''rename''': 128<br />
* '''flock''': 131<br />
* '''mkfifo''': 132<br />
* '''sendto''': 133<br />
* '''shutdown''': 134<br />
* '''socketpair''': 135<br />
* '''mkdir''': 136<br />
* '''rmdir''': 137<br />
* '''utimes''': 138<br />
* '''futimes''': 139<br />
* '''adjtime''': 140<br />
* '''gethostuuid''': 142<br />
* '''setsid''': 145<br />
* '''getpgid''': 151<br />
* '''setprivexec''': 152<br />
* '''pread''': 153<br />
* '''pwrite''': 154<br />
* '''statfs''': 157<br />
* '''fstatfs''': 158<br />
* '''unmount''': 159<br />
* '''quotactl''': 165<br />
* '''mount''': 167<br />
* '''csops''': 169<br />
* '''waitid''': 173<br />
* '''add_profil''': 176<br />
* '''kdebug_trace''': 180<br />
* '''setgid''': 181<br />
* '''setegid''': 182<br />
* '''seteuid''': 183<br />
* '''sigreturn''': 184<br />
* '''chod''': 185<br />
* '''fdatasync''': 187<br />
* '''stat''': 188<br />
* '''fstat''': 189<br />
* '''lstat''': 190<br />
* '''pathconf''': 191<br />
* '''fpathconf''': 192<br />
* '''getrlimit''': 194<br />
* '''setrlimit''': 195<br />
* '''getdirentries''': 196<br />
* '''mmap''': 197<br />
* '''lseek''': 199<br />
* '''truncate''': 200<br />
* '''ftruncate''': 201<br />
* '''__sysctl''': 202<br />
* '''mlock''': 203<br />
* '''munlock''': 204<br />
* '''undelete''': 205<br />
* '''mkcomplex''': 216<br />
* '''statv''': 217<br />
* '''lstatv''': 218<br />
* '''fstatv''': 219<br />
* '''getattrlist''': 220<br />
* '''setattrlist''': 221<br />
* '''getdirentriesattr''': 222<br />
* '''exchangedata''': 223<br />
* '''fsgetpath''': 224<br />
* '''searchfs''': 225<br />
* '''delete''': 226<br />
* '''copyfile''': 227<br />
* '''fgetattrlist''': 228<br />
* '''fsetattrlist''': 229<br />
* '''poll''': 230<br />
* '''watchevent''': 231<br />
* '''waitevent''': 232<br />
* '''modwatch''': 233<br />
* '''getxattr''': 234<br />
* '''fgetxattr''': 235<br />
* '''setxattr''': 236<br />
* '''fsetxattr''': 237<br />
* '''removexattr''': 238<br />
* '''fremovexattr''': 239<br />
* '''listxattr''': 240<br />
* '''flistxattr''': 241<br />
* '''fsctl''': 242<br />
* '''initgroups''': 243<br />
* '''posix_spawn''': 244<br />
* '''ffsctl''': 245<br />
* '''minherit''': 250<br />
* '''shm_open''': 266<br />
* '''shm_unlink''': 267<br />
* '''sem_open''': 268<br />
* '''sem_close''': 269<br />
* '''sem_unlink''': 270<br />
* '''sem_wait''': 271<br />
* '''sem_trywait''': 272<br />
* '''sem_post''': 273<br />
* '''sem_getvalue''': 274<br />
* '''sem_init''': 275<br />
* '''sem_destroy''': 276<br />
* '''open_extended''': 277<br />
* '''umask_extended''': 278<br />
* '''stat_extended''': 279<br />
* '''lstat_extended''': 280<br />
* '''fstat_extended''': 281<br />
* '''chmod_extended''': 282<br />
* '''fchmod_extended''': 283<br />
* '''access_extended''': 284<br />
* '''settid''': 285<br />
* '''gettid''': 286<br />
* '''setsgroups''': 287<br />
* '''getsgroups''': 288<br />
* '''setwgroups''': 289<br />
* '''getwgroups''': 290<br />
* '''mkfifo_extended''': 291<br />
* '''mkdir_extended''': 292<br />
* '''identitysvc''': 293<br />
* '''shared_region_check_np''': 294<br />
* '''shared_region_map_np''': 295<br />
* '''vm_pressure_monitor''': 296<br />
* '''__pthread_mutex_destroy''': 301<br />
* '''__pthread_mutex_init''': 302<br />
* '''__pthread_mutex_lock''': 303<br />
* '''__pthread_mutex_trylock''': 304<br />
* '''__pthread_mutex_unlock''': 305<br />
* '''__pthread_cond_init''': 306<br />
* '''__pthread_cond_destroy''': 307<br />
* '''__pthread_cond_broadcast''': 308<br />
* '''__pthread_cond_signal''': 309<br />
* '''getsid''': 310<br />
* '''settid_with_pid''': 311<br />
* '''__pthread_cond_timedwait''': 312<br />
* '''aio_fsync''': 313<br />
* '''aio_return''': 314<br />
* '''aio_suspend''': 315<br />
* '''aio_cancel''': 316<br />
* '''aio_error''': 317<br />
* '''aio_read''': 318<br />
* '''aio_write''': 319<br />
* '''lio_listio''': 320<br />
* '''__pthread_cond_wait''': 321<br />
* '''iopolicysys''': 322<br />
* '''mlockall''': 324<br />
* '''munlockall''': 325<br />
* '''issetugid''': 327<br />
* '''__pthread_kill''': 328<br />
* '''__pthread_sigmask''': 329<br />
* '''__sigwait''': 330<br />
* '''__disable_threadsignal''': 331<br />
* '''__pthread_markcancel''': 332<br />
* '''__pthread_canceled''': 333<br />
* '''proc_info''': 336<br />
* '''stat64''': 338<br />
* '''fstat64''': 339<br />
* '''lstat64''': 340<br />
* '''stat64_extended''': 341<br />
* '''lstat64_extended''': 342<br />
* '''fstat64_extended''': 343<br />
* '''getdirectories64''': 344<br />
* '''statfs64''': 345<br />
* '''fstatfs64''': 346<br />
* '''getfsstat64''': 347<br />
* '''__pthread_chdir''': 348<br />
* '''__pthread_fchdir''': 349<br />
* '''kqueue''': 362<br />
* '''kevent''': 363<br />
* '''lchown''': 364<br />
* '''stack_snapshot''': 365<br />
* '''kevent64''': 369<br />
* '''__semwait_signal''': 370<br />
* '''__semwait_signal_nocancel''': 371<br />
* '''__mac_execve''': 380<br />
* '''__mac_syscall''': 381<br />
* '''__mac_get_file''': 382<br />
* '''__mac_set_file''': 383<br />
* '''__mac_get_link''': 384<br />
* '''__mac_set_link''': 385<br />
* '''__mac_get_proc''': 386<br />
* '''__mac_set_proc''': 387<br />
* '''__mac_get_fd''': 388<br />
* '''__mac_set_fd''': 389<br />
* '''__mac_get_pid''': 390<br />
* '''__mac_get_lcid''': 391<br />
* '''__mac_get_lctx''': 392<br />
* '''__mac_set_lctx''': 393<br />
* '''setlcid''': 394<br />
* '''getlcid''': 395<br />
* '''read_nocancel''': 396<br />
* '''write_nocancel''': 397<br />
* '''open_nocancel''': 398<br />
* '''close_nocancel''': 399<br />
* '''wait4_nocancel''': 400<br />
* '''recvmsg_nocancel''': 401<br />
* '''sendmsg_nocancel''': 402<br />
* '''recvfrom_nocancel''': 403<br />
* '''accept_nocancel''': 404<br />
* '''msync_nocancel''': 405<br />
* '''fnctl_nocancel''': 406<br />
* '''select_nocancel''': 407<br />
* '''fsync_nocancel''': 408<br />
* '''connect_nocancel''': 409<br />
* '''sigsuspend_nocancel''': 410<br />
* '''readv_nocancel''': 411<br />
* '''writev_nocancel''': 412<br />
* '''sendto_nocancel''': 413<br />
* '''pread_nocancel''': 414<br />
* '''pwrite_nocancel''': 415<br />
* '''waitid_nocancel''': 416<br />
* '''poll_nocancel''': 417<br />
* '''sem_wait_nocancel''': 420<br />
* '''aio_suspend_nocancel''': 421<br />
* '''__sigwait_nocancel''': 422<br />
* '''__mac_mount''': 423<br />
* '''__mac_get_mount''': 424<br />
* '''fsgetpath_1''': 425</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Talk:PurpleRestore&diff=9822Talk:PurpleRestore2010-10-02T14:43:46Z<p>ChronicDev: </p>
<hr />
<div>Where does the Reverse Engineer Information come from? From the original program ? --[[User:M2m|M2m]] 08:10, 1 October 2010 (UTC)<br />
<br />
:I just removed it. According to page history it came from [[User:EinCodierer|EinCodierer]], someone just beginning to learn assembler. These few assembler instructions weren't of any help understanding [[PurpleRestore]]. -- [[User:Http|http]] 10:35, 1 October 2010 (UTC)<br />
<br />
::Would just be interesting if this is some hidden code out fo itunes, the iphone kernel or wherever else... not just code without knowing here it came from .... --[[User:M2m|M2m]] 11:24, 1 October 2010 (UTC)<br />
<br />
:::That specific code that the user posted is from iTunes. It will detect if PurpleRestore is running so taht it does not interfere with any operations that PurpleRestore is performing. [[User:ChronicDev|Will Strafach]] 14:43, 2 October 2010 (UTC)</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8930&diff=9662S5L89302010-09-28T23:59:53Z<p>ChronicDev: /* Bootrom */</p>
<hr />
<div>An SoC developed by Apple in-house chip design department. It is currently used in [[k48ap|iPad]], [[N90ap|iPhone 4]], and [[N81ap|iPod Touch 4G]]. Publicly, Apple refers to this chip as the '''A4'''.<br />
<br />
== Exploits ==<br />
<br />
=== [[iBoot]] ===<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]<br />
<br />
=== [[S5L8930 (Bootrom)|Bootrom]] ===<br />
* Unreleased exploit (demonstrated by Geohot)<br />
* [[SHAtter]] ('''vuln''': [[posixninja]]; '''exploit''': [[pod2g]])<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 3.2.1 (and iOS 4.0 and 4.0.1)<br />
<br />
=== [[Userland]] ===<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2<br />
* [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 3.2.1 (and iOS 4.0 and 4.0.1)<br />
<br />
== Boot Chain ==<br />
[[S5L8930 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
== Specifications ==<br />
* '''CPU''': ARM Cortex-A8<br />
* '''GPU''': PowerVR SGX 535<br />
* '''A/V Playback''': PowerVR VXD<br />
* '''RAM''': 256 MB ([[K48ap|iPad]] & [[N81ap|iPod touch 4G]]) or 512 MB ([[N90ap|iPhone 4]])<br />
<br />
Aside from the [[N90ap|iPhone 4]]'s additional RAM and an overall higher clock speed, these are the same specifications as the [[S5L8920]] and [[S5L8922]].<br />
<br />
== See also ==<br />
* [[S5L8930 (Bootrom)]]<br />
<br />
== Links ==<br />
* http://www.apple.com/ipad/specs/<br />
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8930&diff=9661S5L89302010-09-28T23:59:20Z<p>ChronicDev: /* Bootrom */ fixed credits and removed baseless note at the end</p>
<hr />
<div>An SoC developed by Apple in-house chip design department. It is currently used in [[k48ap|iPad]], [[N90ap|iPhone 4]], and [[N81ap|iPod Touch 4G]]. Publicly, Apple refers to this chip as the '''A4'''.<br />
<br />
== Exploits ==<br />
<br />
=== [[iBoot]] ===<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]<br />
<br />
=== [[S5L8930 (Bootrom)|Bootrom]] ===<br />
* Unreleased exploit (demonstrated by Geohot)<br />
* [[SHAtter]] (**vuln**: [[posixninja]]; **exploit**: [[pod2g]])<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 3.2.1 (and iOS 4.0 and 4.0.1)<br />
<br />
=== [[Userland]] ===<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2<br />
* [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 3.2.1 (and iOS 4.0 and 4.0.1)<br />
<br />
== Boot Chain ==<br />
[[S5L8930 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
== Specifications ==<br />
* '''CPU''': ARM Cortex-A8<br />
* '''GPU''': PowerVR SGX 535<br />
* '''A/V Playback''': PowerVR VXD<br />
* '''RAM''': 256 MB ([[K48ap|iPad]] & [[N81ap|iPod touch 4G]]) or 512 MB ([[N90ap|iPhone 4]])<br />
<br />
Aside from the [[N90ap|iPhone 4]]'s additional RAM and an overall higher clock speed, these are the same specifications as the [[S5L8920]] and [[S5L8922]].<br />
<br />
== See also ==<br />
* [[S5L8930 (Bootrom)]]<br />
<br />
== Links ==<br />
* http://www.apple.com/ipad/specs/<br />
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8930&diff=9659S5L89302010-09-28T23:47:05Z<p>ChronicDev: Reverted edits by ChronicDev (Talk); changed back to last version by Dialexio</p>
<hr />
<div>An SoC developed by Apple in-house chip design department. It is currently used in [[k48ap|iPad]], [[N90ap|iPhone 4]], and [[N81ap|iPod Touch 4G]]. Publicly, Apple refers to this chip as the '''A4'''.<br />
<br />
== Exploits ==<br />
<br />
=== [[iBoot]] ===<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]<br />
<br />
=== [[S5L8930 (Bootrom)|Bootrom]] ===<br />
* Unreleased exploit (demonstrated by Geohot)<br />
* [[SHAtter]] (pod2g)<br />
(These are most likely the same exploit.)<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 3.2.1 (and iOS 4.0 and 4.0.1)<br />
<br />
=== [[Userland]] ===<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2<br />
* [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 3.2.1 (and iOS 4.0 and 4.0.1)<br />
<br />
== Boot Chain ==<br />
[[S5L8930 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
== Specifications ==<br />
* '''CPU''': ARM Cortex-A8<br />
* '''GPU''': PowerVR SGX 535<br />
* '''A/V Playback''': PowerVR VXD<br />
* '''RAM''': 256 MB ([[K48ap|iPad]] & [[N81ap|iPod touch 4G]]) or 512 MB ([[N90ap|iPhone 4]])<br />
<br />
Aside from the [[N90ap|iPhone 4]]'s additional RAM and an overall higher clock speed, these are the same specifications as the [[S5L8920]] and [[S5L8922]].<br />
<br />
== See also ==<br />
* [[S5L8930 (Bootrom)]]<br />
<br />
== Links ==<br />
* http://www.apple.com/ipad/specs/<br />
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8930&diff=9658S5L89302010-09-28T23:37:34Z<p>ChronicDev: /* Bootrom */</p>
<hr />
<div>An SoC developed by Apple in-house chip design department. It is currently used in [[k48ap|iPad]], [[N90ap|iPhone 4]], and [[N81ap|iPod Touch 4G]]. Publicly, Apple refers to this chip as the '''A4'''.<br />
<br />
== Exploits ==<br />
<br />
=== [[iBoot]] ===<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]<br />
<br />
=== [[S5L8930 (Bootrom)|Bootrom]] ===<br />
* Unreleased exploit (demonstrated by Geohot)<br />
* [[SHAtter]] ([[pod2g]], [[posixninja]])<br />
(These are most likely the same exploit.)<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 3.2.1 (and iOS 4.0 and 4.0.1)<br />
<br />
=== [[Userland]] ===<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2<br />
* [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 3.2.1 (and iOS 4.0 and 4.0.1)<br />
<br />
== Boot Chain ==<br />
[[S5L8930 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
== Specifications ==<br />
* '''CPU''': ARM Cortex-A8<br />
* '''GPU''': PowerVR SGX 535<br />
* '''A/V Playback''': PowerVR VXD<br />
* '''RAM''': 256 MB ([[K48ap|iPad]] & [[N81ap|iPod touch 4G]]) or 512 MB ([[N90ap|iPhone 4]])<br />
<br />
Aside from the [[N90ap|iPhone 4]]'s additional RAM and an overall higher clock speed, these are the same specifications as the [[S5L8920]] and [[S5L8922]].<br />
<br />
== See also ==<br />
* [[S5L8930 (Bootrom)]]<br />
<br />
== Links ==<br />
* http://www.apple.com/ipad/specs/<br />
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Main_Page&diff=9622Main Page2010-09-28T11:39:46Z<p>ChronicDev: Since there is no official names (besides with the iPhone lineup), I reclassified to make things easier, and added links to AppleTV</p>
<hr />
<div><!-- Logo by iHassan --><br />
[[Image:Iptwiki.png|center]]<br />
<!-- Added a split column information box- computid --><br />
{{:Main Page/Welcome}}<br />
{| border="1" class="wikitable" style="width:100%;"<br />
|-<br />
|style="background-color:lime; text-align:center; width:25%;"| '''[[Jailbreak (S5L8920+)|Find bootrom exploit allowing unsigned code exec via USB (S5L8920+)]]'''<br />
|style="background-color:orange; text-align:center; width:25%;"| '''[[Jailbreak (S5L8920+)|Find bootrom exploit allowing unsigned code exec on startup (S5L8920+)]]'''<br />
|style="background-color:orange; text-align:center; width:25%;"| '''[[X-Gold 608 Unlock|Break Chain of Trust (X-Gold 608)]]'''<br />
|style="background-color:orange; text-align:center; width:25%;"| '''[[X-Gold 618 Unlock|Break Chain of Trust (X-Gold 618)]]'''<br />
|}<br />
<br />
<br />
{{col-begin}}<br />
{{col-2}}<br />
{{HeadingA|Software}}<br />
* [[/|Filesystem]]<br />
* [[Firmware]]<br />
* [[iTunes]]<br />
** [[iTunes Errors]]<br />
** [[iTunes Modes]]<br />
* [[Keys]]<br />
** [[AES Keys]]<br />
** [[Apple Certificate]]<br />
** [[Baseband RSA Keys|RSA Keys]]<br />
** [[Baseband TEA Keys|TEA Keys]]<br />
** [[NCK]]<br />
* [[Protocols]]<br />
** [[Normal Mode]]<br />
** [[Recovery Mode (Protocols)|Recovery Mode]]<br />
** [[Restore Mode]]<br />
** [[DFU (Protocol)|DFU]]<br />
** [[Baseband Bootrom Protocol]]<br />
** [[Interactive Mode|Baseband Bootloader Protocol]]<br />
* [[System Log|System Log (syslog)]]<br />
<br />
====Jailbreak Software====<br />
* [[blackra1n]]<br />
* [[iBrickr]]<br />
* [[iLiberty / iLiberty+]]<br />
* [[iNdependence]]<br />
* [[JailbreakMe]]<br />
* [[purplera1n]]<br />
* [[PwnageTool]]<br />
* [[redsn0w]]<br />
* [[sn0wbreeze]]<br />
* [[Spirit]]<br />
* [[ZiPhone]]<br />
<br />
{{col-2}}<br />
{{HeadingB|Hardware}}<br />
====[[iPhone]]====<br />
* [[M68ap|iPhone (m68ap)]]<br />
* [[N82ap|iPhone 3G (n82ap)]]<br />
* [[N88ap|iPhone 3GS (n88ap)]]<br />
* [[N90ap|iPhone 4 (n90ap)]]<br />
<br />
====[[iPod touch]]====<br />
* [[N45ap|iPod1,1 (n45ap)]]<br />
* [[N72ap|iPod2,1 (n72ap)]]<br />
* [[N18ap|iPod3,1 (n18ap)]]<br />
* [[N81ap|iPod4,1 (n81ap)]]<br />
<br />
====[[iPad]]====<br />
* [[K48ap|iPad1,1]]<br />
<br />
====[[Apple TV]]====<br />
* [[K66ap|AppleTV2,1]]<br />
<br />
====Processors====<br />
* [[S5L8900]] ([[M68ap|iPhone]], [[N45ap|iPod1,1]], [[N82ap|iPhone 3G]])<br />
* [[S5L8720]] ([[N72ap|iPod2,1]])<br />
* [[S5L8920]] ([[N88ap|iPhone 3GS]])<br />
* [[S5L8922]] ([[N18ap|iPod3,1]])<br />
* [[S5L8930]] ([[k48ap|iPad]], [[n90ap|iPhone 4]], [[n81ap|iPod4,1]], [[K66ap|AppleTV2,1]])<br />
* [[Baseband Device]]<br />
<br />
====Other====<br />
* [[Bluetooth]]<br />
{{col-end}}<br />
<br />
{{col-begin}}<br />
{{col-2}}<br />
{{HeadingA|Development}}<br />
<br />
====iPhone Hackers====<br />
* [[User:Planetbeing|planetbeing]]<br />
* [[User:MuscleNerd|MuscleNerd]]<br />
* [[User:Comex|comex]]<br />
* [[User:Geohot|geohot]]<br />
<br />
====iPhone Hacker Teams====<br />
* [[iPhone Dev Team]]<br />
* [[Chronic Dev (team)|Chronic Dev]]<br />
<br />
====Application Development====<br />
* [[Toolchain]] (Includes tutorials)<br />
* [[Toolchain 2.0]] (Includes tutorials)<br />
* [[Frameworks]]<br />
* [[MobileDevice Library]]<br />
* [[Apple Certification Process]]<br />
* [[Bypassing iPhone Code Signatures]]<br />
* [[Distribution Methods]]<br />
<br />
====Application Copy Protection====<br />
* [[Copy Protection Overview]]<br />
* [[Application Structure and Signatures]]<br />
* [[Mach-O Loading Process]]<br />
* [[Bugging Debuggers]]<br />
* [[Defeating Cracks]]<br />
{{col-2}}<br />
{{HeadingB|Help}}<br />
<br />
====Guides====<br />
* [[Tutorials]]<br />
* [[Useful Links]]<br />
<br />
====Definitions====<br />
* [[Activation]]<br />
* [[Baseband Device|Baseband]]<br />
* [[Baseband Bootloader|Bootloader]]<br />
* [[Bootrom]] / [[VROM]]<br />
* [[CHIPID]]<br />
* [[CPID]]<br />
* [[DFU Mode]]<br />
* [[ECID]]<br />
* [[iBEC]]<br />
* [[iBoot]]<br />
* [[iBSS]]<br />
* [[Jailbreak]]<br />
** [[Tethered jailbreak]]<br />
** [[Untethered jailbreak]]<br />
* [[Kernel]]<br />
* [[LLB]]<br />
* [[NAND]]<br />
* [[NOR]]<br />
* [[NORID]]<br />
* [[SHSH]]<br />
* [[Unlock]]<br />
{{col-end}}<br />
<br />
{| border="1" class="wikitable" style="background-color:orange; width:100%;"<br />
|-<br />
|colspan="4" style="background-color:orange; text-align:center;"| [[Disclaimer]]<br />
|}<br />
<br />
__NOTOC____NOEDITSECTION__</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=BurnIn&diff=5713BurnIn2009-12-10T23:52:18Z<p>ChronicDev: </p>
<hr />
<div>[[Image:Burnin2.jpg|thumb|left|"Drag To Unlock" screen. Text is "Drag To Unlock" and "Shut Down"|150px]]<br />
[[Image:Burnin1.jpg|thumb|After "Drag To Unlock" screen, when you "Drag To Unlock", you get this screen. In order, "Start Burnin", "Reset Test Enviroment", and "Quit"|150px]]<br />
[[Image:Burnin3.jpg|thumb|left|boot logo|150px]]<br />
'''BurnIn''' is codename for a tool used by Apple. Nothing is really known about it, but somebody on Hackint0sh got their iPhone back with [[BurnIn]] on it, suggesting that it is a diagnotstics or a repair tool.<br />
<br />
== What it does ==<br />
Leftover strings on firmware 2.1 have told me this; Apple restores a special firmware to the iPhone, but it is based on a regular firmware. At boot, /AppleInternal/Applications/SwitchBoard/BurnIn.app/BurnIn will run. It checks /AppleInternal/Diags/purpleskank/config.plist for configuration information, such as version (v3.0 in this case), where to store the logs (/Library/Logs/BurnIn/ in this case), what level to set the backlight to, and also, some kind of cleanup script is defined (/AppleInternal/Diags/Utilities/burnin_cleanup.sh). What it actually does is still not known though. Two log files are also left by it, by doing whatever is done. They are /Library/Logs/BurnIn/burning_log.xml and /Library/Logs/BurnIn/burnin_log.txt.<br />
<br />
On the old iPhone prototypes, BurnIn is launched by the /AppleInternal/Applications/SkankPhone.app/SkankPhone, a SpringBoard replacement. It starts the /AppleInternal/Diags/purpleskank/factoryharness, which loads the configuration from config.plist file in the same directory. Factoryharness loads the index.plist file from location specified in config.plist (default is /AppleInternal/Diags/purpleskank/tables/index.plist) and begins to execute the tests specified in index.plist ("Burnin process"). When tests are successful, logs from burnin process are saved to /AppleInternal/Diags/Logs/ (or to other directory that can be set in config.plist). In case of failure, a failures.plist file is created in Logs directory. If Burnin process has not been completed, file state.plist is parsed by factoryharness and it continues the burnin process. If burnin process has failed, Skankphone.app shows a FAILURE screen and displays contents of burnin_log.txt. To get rid of that screen, user must select the Reset Test Environment option in SkankPhone - it executes the /AppleInternal/Diags/Utilities/burnin_cleanup.sh.<br />
<br />
==BurnIn on iPod touch==<br />
The day of the launch, numerous iPod touches shipped with BurnIn on it. In order to get it off them, you just did a restore. A few of these were sold on eBay.<br />
<br />
<div style="clear:both;"></div><br />
<br />
<gallery caption="BurnIn on iPod touch" widths="100px" heights="100px" perrow="5"><br />
Image:0.jpg|boot logo<br />
Image:1.jpg|The main menu.<br />
Image:2.jpg|Wi-Fi antenna test.<br />
Image:3.jpg|The "Bluetooth" screen.<br />
Image:4.jpg|The "Battery" screen.<br />
Image:5.jpg|The "Accelerometer" menu.<br />
Image:6.jpg|The "Buttons" menu.<br />
Image:7.jpg|Speaker screen.<br />
Image:8.jpg|"Touch" screen.<br />
Image:9.jpg|The "Serial Number" screen.<br />
Image:10.jpg|Tests the ambient light sensor.<br />
Image:11.jpg|A test for any connected headphones.<br />
Image:12.jpg|The temperature inside the device.<br />
</gallery><br />
<br />
== External Links ==<br />
* '''Definition''': http://en.wikipedia.org/wiki/Burn-in<br />
* '''Video Demonstration (iPod touch - 1.1.0 - Pressing random options)''': http://www.youtube.com/watch?v=nVMY1aC1kk4</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=NitroKey&diff=5709NitroKey2009-12-09T02:28:34Z<p>ChronicDev: </p>
<hr />
<div>[[NitroKey]] was a product released in late February of 2009, by the company "NitroKey," in order to aid those with a tethered jailbroken [[N72ap|iPod touch 2G]] to boot their iPods. It consisted of a small dongle that looked EXACTLY like the end of an iPod cable, with no cord on it. The product was being sold for an outrageous price of $55.00 to those unfortunate enough to have made the decision to purchase one, as it went obsolete not two weeks after its release.<br />
<br />
They also released a stolen version of the [[24kPwn]] untethered [[N72ap|iPod Touch 2G]] jailbreak, giving Apple enough time to fix the 3rd generation iPod Touch so that it CANNOT be directly jailbroken from its release. In addition, NitroKey's irresponsible handling gave Apple enough time to add the [[ECID]] tag to the [[IMG3 File Format|IMG3 format]] in the [[N88AP|iPhone 3GS]], preventing a permanent untethered [[jailbreak]] without a new [[iBoot]] exploit in every firmware exploit.<br />
<br />
NitroKey has also leaked a [[baseband]] hole which was meant to be kept in secret - [[AT+FNS]]. [http://nitrokey.com/Hash.html] The hash was posted by NitroKey one day after the exploit was found and shared with the [[dev team]] by [[Oranav]], making things very suspicious. Apple has now patched the hole, needlessly burning an exploit that could have been used as an unlock vector for a future firmware.<br />
<br />
May those bastards burn in hell for all eternity.</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=57080x24000 Segment Overflow2009-12-09T02:25:38Z<p>ChronicDev: /* Timing Impact */</p>
<hr />
<div>Also known by its codename, 24kPwn, this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
As of October 2009, seven months after the exposure of this hole, Apple is now selling updated [[iPhone 3GS]] and [[N72ap|iPod Touch 2G]] units with a new bootrom, erasing the vulnerability used by this exploit.<br />
<br />
==Credit==<br />
A "hybrid" dev team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] and [[S5L8920]] SoC have a MIU configuration which maps the [[VROM (S5L8720)|Secure ROM]] to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000 for the [[S5L8720]], and 0x84000000 for the [[S5L8920]]. Statically allocated variables, heap, and stack must use the SRAM, as "[[VROM (S5L8720)|Secure ROM]]" is unwritable. A region of memory starting from (SRAM Start)+0x24000 is used for this purpose. The region of memory from the start of SRAM to (SRAM Start)+0x24000 is used as a buffer for loading the [[LLB|next stage bootloader]] code. The [[LLB]] code is stored in [[NOR]], along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at (SRAM Start)+0x24000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from [[VROM (S5L8720)|Secure ROM]].<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] [[img3]] firmware file from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of the [[img3]] header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] [[img3]], so that the payload code can be placed within the [[LLB]] [[img3]].<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the [[SecureROM (S5L8720)|bootrom]] had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the [[img3]] DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] [[img3]] would replace sub_5E54's LR. This is because this is the first dword of the [[img3]] that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the [[SecureROM (S5L8720)|bootrom]] would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the [[img3]], and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a sizeable portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit [[img3]] was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular [[Img3]] with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
== Deployment ==<br />
<br />
Although the exploitable [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary [[img3]]s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the [[img3]] is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitable total size.<br />
<br />
==Timing Impact==<br />
This exploit would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's [[SecureROM (S5L8920)|bootrom]]. Even though it was too late to patch the bootrom, it was not too late for Apple to repair the restore process in the stock IPSW, removing the method used to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they were able to prioritize a fix for this oversight thus making the permanent [[pwnage]] of future devices significantly more difficult.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party company known as [[NitroKey]] who was interested in making financial gain from the work of others, this eventuality became a near-certainty and pretty much erased the possibility of a day-of-release jailbreak for the [[iPhone 3GS]] and the third-generation [[N18AP|iPod touch]]. In addition, to counteract the exploit, with the early exposure of the exploit, Apple was able to add the [[ECID]] tag to the [[IMG3 File Format|IMG3 format]] in the [[N88AP|iPhone 3GS]]. The early leak of the exploit allowed Apple to understand that an [[iBoot]] exploit would be necessary to flash the required oversized [[LLB]] and through doing so, Apple have prevented this exploit from allowing the [[N88AP|iPhone 3GS]] to be permanently jailbroken through this exploit unless new [[iBoot]] exploits (allowing unsigned code to be run) can be found in every firmware release or a signed copy of an (older) vulnerable version of [[iBoot]] is stored.<br />
<br />
May the bastards of [[NitroKey]] burn in hell for all eternity.<br />
<br />
==3GS Implementation==<br />
<br />
The exploit remains the same in spirit.<br />
<br />
The call tree and stacks analysis is very similar although a few bytes here and there changed it slightly. It was again done manually but afterward, and out of fun, an IDA Python Script was written to automate the process. The new static analysis can be seen here [http://pastie.org/551212], and the IDA Python Script for it there [http://github.com/iZsh/IDA-Python-Scripts/].<br />
<br />
The main differences are:<br />
<br />
* the SRAM is at 0x84000000 instead of 0x22000000<br />
* the Original value of the first DATA dword is written back to 0x84000040 (which was overwritten by the LR address)<br />
* the SHA1 register original value is written back to 0x840241CC<br />
* '''The decrypt flag is not held in R5 anymore''', but in a local variable of the function "my_process_module" (sub_2564). An extra static analysis tells us this variable is held at 0x84033F30, thus that's where you have to store your 0x0 value before returning to this function.<br />
<br />
[[Category:Bootrom Exploits]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=57070x24000 Segment Overflow2009-12-09T02:22:36Z<p>ChronicDev: /* Deployment */</p>
<hr />
<div>Also known by its codename, 24kPwn, this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
As of October 2009, seven months after the exposure of this hole, Apple is now selling updated [[iPhone 3GS]] and [[N72ap|iPod Touch 2G]] units with a new bootrom, erasing the vulnerability used by this exploit.<br />
<br />
==Credit==<br />
A "hybrid" dev team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] and [[S5L8920]] SoC have a MIU configuration which maps the [[VROM (S5L8720)|Secure ROM]] to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000 for the [[S5L8720]], and 0x84000000 for the [[S5L8920]]. Statically allocated variables, heap, and stack must use the SRAM, as "[[VROM (S5L8720)|Secure ROM]]" is unwritable. A region of memory starting from (SRAM Start)+0x24000 is used for this purpose. The region of memory from the start of SRAM to (SRAM Start)+0x24000 is used as a buffer for loading the [[LLB|next stage bootloader]] code. The [[LLB]] code is stored in [[NOR]], along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at (SRAM Start)+0x24000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from [[VROM (S5L8720)|Secure ROM]].<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] [[img3]] firmware file from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of the [[img3]] header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] [[img3]], so that the payload code can be placed within the [[LLB]] [[img3]].<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the [[SecureROM (S5L8720)|bootrom]] had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the [[img3]] DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] [[img3]] would replace sub_5E54's LR. This is because this is the first dword of the [[img3]] that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the [[SecureROM (S5L8720)|bootrom]] would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the [[img3]], and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a sizeable portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit [[img3]] was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular [[Img3]] with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
== Deployment ==<br />
<br />
Although the exploitable [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary [[img3]]s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the [[img3]] is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitable total size.<br />
<br />
==Timing Impact==<br />
This exploit would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even though it was too late to patch the bootrom, it was not too late for Apple to repair the restore process in the stock IPSW, removing the method used to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they were able to prioritize a fix for this oversight thus making the permanent [[pwnage]] of future devices significantly more difficult.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party company known as [[NitroKey]] who were interested in making financial gain from the work of others, this eventuality became a near-certainty and pretty much erased the possibility of a day-of-release jailbreak for the [[iPhone 3GS]] and the third-generation iPod touch. In addition, to counteract the exploit, with the early exposure of the exploit, Apple were able to add the [[ECID]] tag to the [[IMG3 File Format|IMG3 format]] in the iPhone 3GS. The early leak of the exploit allowed Apple to understand that an iBoot exploit would be necessary to flash the required oversized LLB and through doing so, Apple have prevented this exploit from allowing the iPhone 3GS to be permanently jailbroken through this exploit unless new iBoot exploits (allowing unsigned code to be run) can be found in every firmware release or a signed copy of an (older) vulnerable version of iBoot is stored.<br />
<br />
May the bastards of NitroKey burn in hell for all eternity.<br />
<br />
==3GS Implementation==<br />
<br />
The exploit remains the same in spirit.<br />
<br />
The call tree and stacks analysis is very similar although a few bytes here and there changed it slightly. It was again done manually but afterward, and out of fun, an IDA Python Script was written to automate the process. The new static analysis can be seen here [http://pastie.org/551212], and the IDA Python Script for it there [http://github.com/iZsh/IDA-Python-Scripts/].<br />
<br />
The main differences are:<br />
<br />
* the SRAM is at 0x84000000 instead of 0x22000000<br />
* the Original value of the first DATA dword is written back to 0x84000040 (which was overwritten by the LR address)<br />
* the SHA1 register original value is written back to 0x840241CC<br />
* '''The decrypt flag is not held in R5 anymore''', but in a local variable of the function "my_process_module" (sub_2564). An extra static analysis tells us this variable is held at 0x84033F30, thus that's where you have to store your 0x0 value before returning to this function.<br />
<br />
[[Category:Bootrom Exploits]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=57060x24000 Segment Overflow2009-12-09T02:17:45Z<p>ChronicDev: /* Exploit */</p>
<hr />
<div>Also known by its codename, 24kPwn, this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
As of October 2009, seven months after the exposure of this hole, Apple is now selling updated [[iPhone 3GS]] and [[N72ap|iPod Touch 2G]] units with a new bootrom, erasing the vulnerability used by this exploit.<br />
<br />
==Credit==<br />
A "hybrid" dev team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] and [[S5L8920]] SoC have a MIU configuration which maps the [[VROM (S5L8720)|Secure ROM]] to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000 for the [[S5L8720]], and 0x84000000 for the [[S5L8920]]. Statically allocated variables, heap, and stack must use the SRAM, as "[[VROM (S5L8720)|Secure ROM]]" is unwritable. A region of memory starting from (SRAM Start)+0x24000 is used for this purpose. The region of memory from the start of SRAM to (SRAM Start)+0x24000 is used as a buffer for loading the [[LLB|next stage bootloader]] code. The [[LLB]] code is stored in [[NOR]], along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at (SRAM Start)+0x24000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from [[VROM (S5L8720)|Secure ROM]].<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] [[img3]] firmware file from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of the [[img3]] header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] [[img3]], so that the payload code can be placed within the [[LLB]] [[img3]].<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the [[SecureROM (S5L8720)|bootrom]] had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the [[img3]] DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] [[img3]] would replace sub_5E54's LR. This is because this is the first dword of the [[img3]] that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the [[SecureROM (S5L8720)|bootrom]] would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the [[img3]], and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a sizeable portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit [[img3]] was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular [[Img3]] with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
==Timing Impact==<br />
This exploit would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even though it was too late to patch the bootrom, it was not too late for Apple to repair the restore process in the stock IPSW, removing the method used to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they were able to prioritize a fix for this oversight thus making the permanent [[pwnage]] of future devices significantly more difficult.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party company known as [[NitroKey]] who were interested in making financial gain from the work of others, this eventuality became a near-certainty and pretty much erased the possibility of a day-of-release jailbreak for the [[iPhone 3GS]] and the third-generation iPod touch. In addition, to counteract the exploit, with the early exposure of the exploit, Apple were able to add the [[ECID]] tag to the [[IMG3 File Format|IMG3 format]] in the iPhone 3GS. The early leak of the exploit allowed Apple to understand that an iBoot exploit would be necessary to flash the required oversized LLB and through doing so, Apple have prevented this exploit from allowing the iPhone 3GS to be permanently jailbroken through this exploit unless new iBoot exploits (allowing unsigned code to be run) can be found in every firmware release or a signed copy of an (older) vulnerable version of iBoot is stored.<br />
<br />
May the bastards of NitroKey burn in hell for all eternity.<br />
<br />
==3GS Implementation==<br />
<br />
The exploit remains the same in spirit.<br />
<br />
The call tree and stacks analysis is very similar although a few bytes here and there changed it slightly. It was again done manually but afterward, and out of fun, an IDA Python Script was written to automate the process. The new static analysis can be seen here [http://pastie.org/551212], and the IDA Python Script for it there [http://github.com/iZsh/IDA-Python-Scripts/].<br />
<br />
The main differences are:<br />
<br />
* the SRAM is at 0x84000000 instead of 0x22000000<br />
* the Original value of the first DATA dword is written back to 0x84000040 (which was overwritten by the LR address)<br />
* the SHA1 register original value is written back to 0x840241CC<br />
* '''The decrypt flag is not held in R5 anymore''', but in a local variable of the function "my_process_module" (sub_2564). An extra static analysis tells us this variable is held at 0x84033F30, thus that's where you have to store your 0x0 value before returning to this function.<br />
<br />
[[Category:Bootrom Exploits]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=57050x24000 Segment Overflow2009-12-09T02:14:19Z<p>ChronicDev: /* Vulnerability */</p>
<hr />
<div>Also known by its codename, 24kPwn, this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
As of October 2009, seven months after the exposure of this hole, Apple is now selling updated [[iPhone 3GS]] and [[N72ap|iPod Touch 2G]] units with a new bootrom, erasing the vulnerability used by this exploit.<br />
<br />
==Credit==<br />
A "hybrid" dev team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] and [[S5L8920]] SoC have a MIU configuration which maps the [[VROM (S5L8720)|Secure ROM]] to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000 for the [[S5L8720]], and 0x84000000 for the [[S5L8920]]. Statically allocated variables, heap, and stack must use the SRAM, as "[[VROM (S5L8720)|Secure ROM]]" is unwritable. A region of memory starting from (SRAM Start)+0x24000 is used for this purpose. The region of memory from the start of SRAM to (SRAM Start)+0x24000 is used as a buffer for loading the [[LLB|next stage bootloader]] code. The [[LLB]] code is stored in [[NOR]], along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at (SRAM Start)+0x24000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from [[VROM (S5L8720)|Secure ROM]].<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] [[img3]] firmware file from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of the [[img3]] header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] img3, so that the payload code can be placed within the [[LLB]] img3.<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the bootrom had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the img3 DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] img3 would replace sub_5E54's LR. This is because this is the first dword of the img3 that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the bootrom would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the img3, and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a sizeable portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit img3 was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular Img3 with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
==Timing Impact==<br />
This exploit would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even though it was too late to patch the bootrom, it was not too late for Apple to repair the restore process in the stock IPSW, removing the method used to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they were able to prioritize a fix for this oversight thus making the permanent [[pwnage]] of future devices significantly more difficult.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party company known as [[NitroKey]] who were interested in making financial gain from the work of others, this eventuality became a near-certainty and pretty much erased the possibility of a day-of-release jailbreak for the [[iPhone 3GS]] and the third-generation iPod touch. In addition, to counteract the exploit, with the early exposure of the exploit, Apple were able to add the [[ECID]] tag to the [[IMG3 File Format|IMG3 format]] in the iPhone 3GS. The early leak of the exploit allowed Apple to understand that an iBoot exploit would be necessary to flash the required oversized LLB and through doing so, Apple have prevented this exploit from allowing the iPhone 3GS to be permanently jailbroken through this exploit unless new iBoot exploits (allowing unsigned code to be run) can be found in every firmware release or a signed copy of an (older) vulnerable version of iBoot is stored.<br />
<br />
May the bastards of NitroKey burn in hell for all eternity.<br />
<br />
==3GS Implementation==<br />
<br />
The exploit remains the same in spirit.<br />
<br />
The call tree and stacks analysis is very similar although a few bytes here and there changed it slightly. It was again done manually but afterward, and out of fun, an IDA Python Script was written to automate the process. The new static analysis can be seen here [http://pastie.org/551212], and the IDA Python Script for it there [http://github.com/iZsh/IDA-Python-Scripts/].<br />
<br />
The main differences are:<br />
<br />
* the SRAM is at 0x84000000 instead of 0x22000000<br />
* the Original value of the first DATA dword is written back to 0x84000040 (which was overwritten by the LR address)<br />
* the SHA1 register original value is written back to 0x840241CC<br />
* '''The decrypt flag is not held in R5 anymore''', but in a local variable of the function "my_process_module" (sub_2564). An extra static analysis tells us this variable is held at 0x84033F30, thus that's where you have to store your 0x0 value before returning to this function.<br />
<br />
[[Category:Bootrom Exploits]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=57040x24000 Segment Overflow2009-12-09T02:10:49Z<p>ChronicDev: /* Background */</p>
<hr />
<div>Also known by its codename, 24kPwn, this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
As of October 2009, seven months after the exposure of this hole, Apple is now selling updated [[iPhone 3GS]] and [[N72ap|iPod Touch 2G]] units with a new bootrom, erasing the vulnerability used by this exploit.<br />
<br />
==Credit==<br />
A "hybrid" dev team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] and [[S5L8920]] SoC have a MIU configuration which maps the [[VROM (S5L8720)|Secure ROM]] to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000 for the [[S5L8720]], and 0x84000000 for the [[S5L8920]]. Statically allocated variables, heap, and stack must use the SRAM, as "[[VROM (S5L8720)|Secure ROM]]" is unwritable. A region of memory starting from (SRAM Start)+0x24000 is used for this purpose. The region of memory from the start of SRAM to (SRAM Start)+0x24000 is used as a buffer for loading the [[LLB|next stage bootloader]] code. The [[LLB]] code is stored in [[NOR]], along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at (SRAM Start)+0x24000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from [[VROM (S5L8720)|Secure ROM]].<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] img3 from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of its img3 header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] img3, so that the payload code can be placed within the [[LLB]] img3.<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the bootrom had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the img3 DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] img3 would replace sub_5E54's LR. This is because this is the first dword of the img3 that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the bootrom would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the img3, and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a sizeable portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit img3 was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular Img3 with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
==Timing Impact==<br />
This exploit would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even though it was too late to patch the bootrom, it was not too late for Apple to repair the restore process in the stock IPSW, removing the method used to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they were able to prioritize a fix for this oversight thus making the permanent [[pwnage]] of future devices significantly more difficult.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party company known as [[NitroKey]] who were interested in making financial gain from the work of others, this eventuality became a near-certainty and pretty much erased the possibility of a day-of-release jailbreak for the [[iPhone 3GS]] and the third-generation iPod touch. In addition, to counteract the exploit, with the early exposure of the exploit, Apple were able to add the [[ECID]] tag to the [[IMG3 File Format|IMG3 format]] in the iPhone 3GS. The early leak of the exploit allowed Apple to understand that an iBoot exploit would be necessary to flash the required oversized LLB and through doing so, Apple have prevented this exploit from allowing the iPhone 3GS to be permanently jailbroken through this exploit unless new iBoot exploits (allowing unsigned code to be run) can be found in every firmware release or a signed copy of an (older) vulnerable version of iBoot is stored.<br />
<br />
May the bastards of NitroKey burn in hell for all eternity.<br />
<br />
==3GS Implementation==<br />
<br />
The exploit remains the same in spirit.<br />
<br />
The call tree and stacks analysis is very similar although a few bytes here and there changed it slightly. It was again done manually but afterward, and out of fun, an IDA Python Script was written to automate the process. The new static analysis can be seen here [http://pastie.org/551212], and the IDA Python Script for it there [http://github.com/iZsh/IDA-Python-Scripts/].<br />
<br />
The main differences are:<br />
<br />
* the SRAM is at 0x84000000 instead of 0x22000000<br />
* the Original value of the first DATA dword is written back to 0x84000040 (which was overwritten by the LR address)<br />
* the SHA1 register original value is written back to 0x840241CC<br />
* '''The decrypt flag is not held in R5 anymore''', but in a local variable of the function "my_process_module" (sub_2564). An extra static analysis tells us this variable is held at 0x84033F30, thus that's where you have to store your 0x0 value before returning to this function.<br />
<br />
[[Category:Bootrom Exploits]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Baseband_Bootrom_Protocol&diff=5695Baseband Bootrom Protocol2009-11-25T21:47:19Z<p>ChronicDev: </p>
<hr />
<div>This is the protocol used to talk to the old, and probably the new baseband, at the bootrom level. The old bootrom didn't have an sig checking, the new one does.<br />
<br />
==Protocol==<br />
AT<br />
0x30<br />
2 byte length<br />
n byte data<br />
2 byte checksum<br />
sends A5 on success, 5A on failure<br />
<br />
===3G===<br />
Correct me if I am wrong, but on the [[iPhone 3G]] bootrom, the "protocol" section is pretty much identical, besides the last line, which is instead this:<br />
sends 01 on success, FF on failure<br />
<br />
==Implementations==<br />
[http://lpahome.com/geohot/gbootloader.rar bootrom.h in gbootloader]<br />
<br />
[[Category:Protocols (Baseband)]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Spam&diff=5648The iPhone Wiki:Spam2009-11-10T20:21:10Z<p>ChronicDev: </p>
<hr />
<div>How do we combat this recent spamming of this wiki? I suggest a possible invite system or similar? --[[User:Srts|Srts]] 02:24, 9 November 2009 (UTC)<br />
<br />
I have already blocked account signup, they must have had this account for a while. --[[User:Geohot|geohot]] 02:29, 9 November 2009 (UTC)<br />
<br />
Well if they don't stop, we can't have account creation disabled forever, defeats the purpose of the wiki. People like him are sad. Great work to all the sysops et all. keeping disruption to a minimal :D --[[User:Srts|Srts]] 02:34, 9 November 2009 (UTC)<br />
<br />
Yea thanks a lot guys for putting up with this. We'll give a bit of time, and if they continue, we'll figure something out. This kid keep trying to reset my password for hosting and the wiki. Too bad he doesn't have a life. --[[User:Geohot|geohot]] 03:10, 9 November 2009 (UTC)<br />
<br />
An invite system might not be a bad idea actually [[User:ChronicDev|Will Strafach]] 03:16, 9 November 2009 (UTC)<br />
<br />
feel free to post their IP addresses, lol --[[User:Posixninja|posixninja]] 04:08, 9 November 2009 (UTC)<br />
<br />
Well, if you need an extra admin to block them (and delete spam pages), I volunteer. --[[User:Dranfi|Dranfi]] Congrats, you're an admin --[[User:Geohot|geohot]] 13:22, 9 November 2009 (UTC)<br />
<br />
How many different IPs are we dealing with? Is it within a specific range? For the time being, it may be possible to blacklist an entire subnet if they are all coming from the same place. But if a botnet is doing this, may be more difficult. Is it possible for MediaWiki to require admin approval of an edit prior to it being commited? Not well versed with MediaWiki administration, just thossing out some ideas. --[[User:Tsuehpsyde|tsuehpsyde]] 17:29, 9 November 2009 (UTC)<br />
<br />
We could figure out where they come rom and do the same to them. Secondly, we could create a filter that unless your part of a specific group you cannot do more than this many edits in this amount of time. We could try making a period where the admins have to approve the users. Lastly, we could make it so that in the first 12 hours of a user account that user could not edit pages so it would give time for the sysops to ban the users. [[User:Revolution|Revolution]] 00:02, 10 November 2009 (UTC)<br />
<br />
If the ones you refer to as 'they' are the [http://code.google.com/p/pois0nhack pois0nhack] group then 'they' don't really seem to pose much of a threat in my opinion. I agree that for the time being we could impose some kind of 12/24 hr posting limitation (maybe no more than +-300 char changes?), but no more than that since this is, after all, a public wiki. Sorry if I'm intruding on some kind of admin/mod meeting, just figured I should have my say. --[[User:Rekoil|adriaaan]] 00:27, 10 November 2009 (UTC)<br />
<br />
I am in favor of a 12hr limit for new users, but since it's a public wiki, during this time, contributions would have to be approved by sysops. --Untagged<br />
<br />
Personally I think it would be good to have it so that all edits by new users a thrown into a moderation pool, then once a good amount of worthwhile contributions, that user can be "whitelisted".</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Spam&diff=5627The iPhone Wiki:Spam2009-11-09T03:16:27Z<p>ChronicDev: </p>
<hr />
<div>How do we combat this recent spamming of this wiki? I suggest a possible invite system or similar? --[[User:Srts|Srts]] 02:24, 9 November 2009 (UTC)<br />
<br />
I have already blocked account signup, they must have had this account for a while. --[[User:Geohot|geohot]] 02:29, 9 November 2009 (UTC)<br />
<br />
Well if they don't stop, we can't have account creation disabled forever, defeats the purpose of the wiki. People like him are sad. Great work to all the sysops et all. keeping disruption to a minimal :D --[[User:Srts|Srts]] 02:34, 9 November 2009 (UTC)<br />
<br />
Yea thanks a lot guys for putting up with this. We'll give a bit of time, and if they continue, we'll figure something out. This kid keep trying to reset my password for hosting and the wiki. Too bad he doesn't have a life. --[[User:Geohot|geohot]] 03:10, 9 November 2009 (UTC)<br />
<br />
An invite system might not be a bad idea actually [[User:ChronicDev|Will Strafach]] 03:16, 9 November 2009 (UTC)</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=VROM_(S5L8720)&diff=5395VROM (S5L8720)2009-11-04T21:09:48Z<p>ChronicDev: VROM (S5L8720) moved to SecureROM (S5L8720)</p>
<hr />
<div>#REDIRECT [[SecureROM (S5L8720)]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8720&diff=5393S5L87202009-11-04T21:08:38Z<p>ChronicDev: /* iBoot / Kernel Level */</p>
<hr />
<div>This is the Application Processor used on the [[n72ap|iPod Touch 2G]].<br />
<br />
==Exploits==<br />
===[[iBoot]] / [[Kernel]] Level===<br />
'''Note''': [[iBoot]] on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares<br />
<br />
* [[ARM7 Go]] - Firmware v2.1.1<br />
* [[iBoot Environment Variable Overflow]] - 3.1 beta 3 and below<br />
* [[usb_control_msg(0x21, 2) Exploit]] - 3.1.2 and below<br />
<br />
===[[VROM (S5L8720)|Bootrom]]===<br />
* [[0x24000 Segment Overflow]]<br />
<br />
==Boot Chain==<br />
[[VROM (S5L8720)|VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]<br />
<br />
It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3]] containers, and the [[S5L8720 Bootrom|bootrom]] can properly sigcheck [[LLB]]. That being said, unsigned images can still be run using the [[0x24000 Segment Overflow]].<br />
<br />
==See Also==<br />
* [[S5L8720 (Hardware)]]<br />
* [[S5L File Formats]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Timeline&diff=5392Timeline2009-11-04T21:08:09Z<p>ChronicDev: /* September */</p>
<hr />
<div>==2009==<br />
===November===<br />
*November 3 -- [[Geohot]] releases [[blackra1n]] RC3, A software jailbreak for all devices, that now only takes 15 Seconds! Includes a new unlock for the baseband 5.11.07 called [[blacksn0w|blacksn0w]].<br />
<br />
===October===<br />
*October 11 -- [[Geohot]] releases [[blackra1n]] RC1, a 30 second software jailbreak for all devices, including a tethered jailbreak for the [[iPod touch 3G]].<br />
<br />
===September===<br />
* September 24 -- [[ih8sn0w|ih8sn0w]] Discovers the [[AT+XEMN|AT+XEMN]] Vulnerability used in [[blacksn0w|blacksn0w]] independently.<br />
* September 9 -- The [[iPod touch 3G]] w/ [[S5L8922]] processor is released, as well as an "MC Model" [[n72ap|iPod touch 2G]]. Both are no longer vulnerable to [[24kPwn]].<br />
* Firmware 3.1/3.1.1 (7C144/7C145) Released to the Public. Firmware closes [[iBoot Environment Variable Overflow|iBoot Environment Variable Overflow]] and [[AT+XLOG Vulnerability|AT+XLOG]] + [[AT+FNS|AT+FNS]] Baseband Exploits.<br />
<br />
===July===<br />
* July 14 -- [[Geohot]] releases [[purplesn0w]], a software unlock for the [[iPhone 3GS]] using [[AT+XLOG Vulnerability|the same exploit as ultrasn0w]], but handled differently. Minutes later, an explanation and source code was posted.<br />
* July 7 -- [[The dev team]] updates [[redsn0w]] and [[ultrasn0w]] to version 0.8, now with [[iPhone 3GS]] support. Saurik also updates Winterboard to support the [[iPhone 3GS]].<br />
* July 3 -- [[Geohot]] releases [[purplera1n]], a software jailbreak for the [[iPhone 3GS]].<br />
<br />
===June===<br />
* June 28 -- [[Geohot]] posts pictures on his blog of the first fully jailbroken [[iPhone 3GS]].<br />
* June 25 -- It's discovered that [[iPhone 3GS]] is vulnerable to [[0x24000 Segment Overflow|24kpwn]] exploit.<br />
* June 24 -- [[The dev team]] release [[ultrasn0w]] unlock for [[iPhone 3G]] thanks to [[AT+XLOG Vulnerability|a new exploit]] discovered by [[User:Oranav|Oranav]].<br />
* June 23 -- [[Geohot]] announces he's found a new exploit in [[iBoot]] he calls purplera1n.<br />
* June 19 -- Release of [[iPhone2,1|iPhone 3GS]] to the public and the release of [[PwnageTool|Pwnage Tool 3.0]] and [[RedSn0w|Redsn0w]] for jailbreaking devices running firmware 3.0<br />
* June 17 -- Release of firmware 3.0 to the public.<br />
* June 8 -- Apple announces the [[iPhone2,1|iPhone 3GS]].<br />
<br />
===March===<br />
* March 10 -- The [[0x24000 Segment Overflow|untethered jailbreak]] for the [[iPod touch 2G]] is released thanks to the combined work of chronic, CPICH, posixninja, pod2g, ius, planetbeing, MuscleNerd, and co after being leaked and sold by [[NitroKey]]. To prevent users wasting their money on a stolen exploit, the Hybrid DevTeam decided to release it immediately.<br />
<br />
===January===<br />
* January 31 -- The [[iPhone Dev Team]] released a [[redsn0w Lite]], a tethered jailbreak for the [[N72ap|iPod touch 2G]]. It combines the [[ARM7 Go]] vulnerability with the well-established pwnage flow for other Apple mobile devices. It was bundled in a way that will allow usage on the 2.2.1 firmware through uploading the [[ARM7 Go]] vulnerable 2.1.1 iBoot to the device while in DFU mode.<br />
<br />
* January 25 -- [[0wnboot]] is released to chronicdev google code page, thanks to AriX, chronic, CPICH, westbaer, ius, pod2g, the rest of the iPod devel crew on IRC, and to the #iphone-hax lab rats. Within days, the AriX and the chronic dev team got a ramdisk booting for a tethered jailbreak.<br />
<br />
* January 17 -- MuscleNerd of the [[iPhone Dev Team]] [http://twitter.com/MuscleNerd/status/1127346766 shows a video demo] of the first jailbroken iPod Touch 2G.<br />
<br />
* January 16 -- [[ARM7 Go]] hole disclosed where else but here on The iPhone Wiki, for developers to poke and prod at<br />
<br />
* January 15 -- The [[iPhone Dev Team]] [http://twitter.com/iphone_dev/status/1120595069 tweets the vfdecrypt key] for the [[iPod touch 2G]] 2.2 firmware, demonstrating for the first time that unsigned code can now be run on that device.<br />
<br />
* January 1 -- The [[iPhone Dev Team]] releases [[yellowsn0w]] 0.9 beta for baseband 02.28.00.<br />
<br />
==2008==<br />
<br />
===December===<br />
* December 21 -- [[MuscleNerd]], of [[the dev team]] does a live demo of the 3G unlock, dubbed as 'yellowsn0w': http://qik.com/video/729275<br />
<br />
===August===<br />
* August 18 -- [[The dev team]] releases [http://wikee.iphwn.org/news:pwnage20announcement QuickPwn], a 2.x [[pwnage]]/ramdisk combination exploit that allows jailbreaking without needing to create custom IPSWs.<br />
<br />
===July===<br />
* July 22 -- [[TA_Mobile]] hardware dumps the 3G baseband (bootloader 5.8 & FW 1.45.00) by desoldering the [[NOR]].<br />
* July 19 -- [[The dev team]] releases [[PwnageTool]] 2.0, jailbreaking and unlocking the 2.0 software on the iPhone 2G and jailbreaking the 2.0 software on the iPhone 3G.<br />
* July 11 -- [[iPhone 3G]] is released.<br />
<br />
===June===<br />
* June 9 - [[iPhone 3G]] is announced at [[WWDC]] '08.<br />
<br />
===April===<br />
* April 3 -- Dev team releases [[PwnageTool]] 1.0, making use of the pmdx exploit (to patch RSA checks out of the [[kernel]], to write unsigned to [[NOR]])<br />
<br />
===March===<br />
* March 12 -- Dev team releases dual-boot jailbreak method, only to be silently fixed in 2.0.<br />
* March 4 -- [[User:N000b|George Zhu (n000b)]] releases [[ILiberty / ILiberty%2B]].<br />
<br />
===February===<br />
* February 28 -- [[Cydia]] is released as an open-source alternative to Installer.app, and prepares to take over the jailbreak application scene upon 2.0's release.<br />
* February 11 -- [[Zibri]] releases [[ZiPhone]], the first all-in-one unlock, activate, jailbreak solution.<br />
* February 8 -- [[User:Geohot|geohot]] releases software unlock for 4.6, Apple states 25% of phones were never activated with AT&T.<br />
<br />
===January===<br />
* January 28 -- Dev team releases soft upgrade jailbreak for 1.1.3.<br />
* January 18 -- Geohot and his friends [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html unlocked 1.1.2 OTB 4.6 by test point], the unbeatable version at that time.<br />
* January 18 -- Dev team posts YouTube video of a jailbroken 1.1.3, which was made possible by the dual boot jailbreak from bgm.<br />
<br />
== 2007 ==<br />
===November===<br />
* November 15 -- New baseband [[Bootloader 4.6|bootloader (4.6)]] comes out, new iPhones can't be unlocked.<br />
* November 2 -- [[Jailbreakme]] is released, bringing jailbreaking to the mainstream iPhone user.<br />
<br />
===October===<br />
* October 23 -- iPhone-Elite Team releases the [[Virginizer]].<br />
* October 14 -- AriX releases iJailBreak, the first automated iPod touch jailbreak for the Mac.<br />
* October 12 -- planetbeing releases touchFree, the first automated iPod touch jailbreak.<br />
* October 10 -- niacin, cmw, and dre release the [[LibTiff]] exploit to jailbreak the iPod touch, which is later adapted for use in [[Jailbreakme]].<br />
<br />
===September===<br />
* September 11 -- [[The dev team]] releases [[iUnlock]], first free software unlock.<br />
* September 10 -- [[IPSF]] releases first paid software unlock.<br />
* September 9 -- Apple announces the [[iPod touch]] at a media event.<br />
<br />
===August===<br />
* August 23 -- [[User:Geohot|geohot]] and team release [[hardware unlock]] method.<br />
* August 21 -- Installer.app is released by Nullriver, first GUI apps are distributed.<br />
<br />
===July===<br />
* July 23 -- First phones are used with other carriers by means of [[SIM hacks]].<br />
* July 20 -- nightwatch adapts a [[toolchain]] to the iPhone. The first apps are compiled.<br />
* July 9 -- [[The dev team]] releases a [[jailbreak]] method. The first use of this is ringtones.<br />
* July 3 -- DVD Jon first cracks [[activation]]. People can use the apps on the phone without a subscription.<br />
<br />
===June===<br />
* June 29 -- [[iPhone]] is released. World's most hyped consumer product.</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=IRecovery&diff=5357IRecovery2009-11-04T01:02:28Z<p>ChronicDev: /* Features */</p>
<hr />
<div>iRecovery is a libusb-based commandline utility for Mac OS X , Linux ,and Windows . It is able to talk to the iBoot/iBSS in Apple's iPhone/iPod touch via USB. <br />
<br />
It's completely open-source, the source-code is released under the terms of the GNU General Public License version 3.<br />
The full license text can be found in the LICENSE file on github.<br />
<br />
It currently connects to 0x1281 (iPhone, iPhone 3G, iPod touch, iPod touch 2G: Recovery Mode/iBSS), 0x1227 (iPhone, <br />
iPhone 3G, iPod touch: WTF Mode; iPod touch 2G: DFU Mode).<br />
<br />
==Credits==<br />
westbaer<br />
<br />
==Features==<br />
<br />
===DFU 2.0 (0x1227)===<br />
It can upload a file, such as an iBSS, so that you can unplug and spawn a shell with 0x1281.<br />
<br />
===Recovery 2.0 (0x1281)===<br />
====File Uploading====<br />
You can upload a file to 0x9000000 with the following syntax:<br />
./iRecovery -f file<br />
<br />
====Two-Way Shell====<br />
You can spawn a shell to do all sorts of neat things with the syntax:<br />
./iRecovery -s<br />
Once it has spawned, you can type 'help' and iBoot will respond with its built-in command list.<br />
<br />
====Single Command====<br />
./iRecovery -c "command"<br />
Sends a single command to the device *without* spawning a shell.<br />
<br />
====usb_control_msg(0x21, 2) Exploit Command====<br />
./iRecovery -k <br />
Sends Chronic Dev's + Geohot's latest usb exploit. Implemented into blackra1n.<br />
This was just updated a few days ago. (10/17/09) [http://github.com/posixninja/irecovery posixninja's fork]<br />
<br />
==Download==<br />
[http://github.com/westbaer/irecovery Offical Repository / Download here]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&diff=5331AT+XEMN Heap Overflow2009-10-31T16:16:30Z<p>ChronicDev: </p>
<hr />
<div>AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07<br />
<br />
== Credit ==<br />
'''Vulnerability''': [[Oranav]] (July) and ih8sn0w (September) (discovered independently)<br />
'''Exploit''': [[geohot]]<br />
<br />
== Implementation ==<br />
This exploit is used in [[blacksn0w]].<br />
<br />
== Exception Dump == <br />
+XLOG: Exception Number: 1<br />
Trap Class: 0xDDDD (SW GENERATED TRAP)<br />
Identification: 140 (0x008C)<br />
Date: 22.10.2009<br />
Time: 00:30<br />
File: atform/text/_malloc.c<br />
Line: 1036<br />
Logdata:<br />
2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc<br />
20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20<br />
<br />
== Timeline ==<br />
=== July 2009 ===<br />
*[[User:Oranav|Oranav]] discovers this crash.<br />
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the crash is non-exploitable.<br />
<br />
=== September 2009 ===<br />
*iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]<br />
<br />
=== October 2009 ===<br />
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]<br />
*Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104]<br />
*MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]<br />
*[[User:Geohot|Geohot]] attempts to exploit this crash, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]<br />
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.<br />
*Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045]<br />
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]<br />
*Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=IBoot_IRQs&diff=5286IBoot IRQs2009-10-25T03:29:26Z<p>ChronicDev: </p>
<hr />
<div>{{DISPLAYTITLE:iBoot IRQs}}<br />
== [[iPhone 3G]] ==<br />
=== [[LLB]] irq table: 22010280 ===<br />
IRQ 0: 22001EE1 6 0<br />
IRQ 1: 22001EE1 5 0<br />
IRQ 2: 22001EE1 4 0<br />
IRQ 3: 22001EE1 3 0<br />
IRQ 7: 220033D5 1 0<br />
IRQ 9: 22002ED9 0 0<br />
IRQ A: 22002ED9 1 0<br />
IRQ B: 22002ED9 2 0<br />
IRQ 18: 22003E2D 0 0<br />
IRQ 19: 22003E2D 1 0<br />
IRQ 1A: 22003E2D 2 0<br />
IRQ 1B: 22003E2D 3 0<br />
IRQ 1C: 22003E2D 4 0<br />
IRQ 1F: 22001EE1 2 0<br />
IRQ 20: 22001EE1 1 0<br />
IRQ 21: 22001EE1 0 0<br />
<br />
=== [[iBoot]] irq table: 18028D60 ===<br />
IRQ 0: 1800C301 6 0<br />
IRQ 1: 1800C301 5 0<br />
IRQ 2: 1800C301 4 0<br />
IRQ 3: 1800C301 3 0<br />
IRQ* 7: 1800D7D5 1 0 timer<br />
IRQ* 9: 1800D2D9 0 0 spi flash<br />
IRQ* A: 1800D2D9 1 0 spi flash<br />
IRQ* B: 1800D2D9 2 0 spi flash<br />
IRQ*10: 1800B8D1 1 0 dma thing<br />
IRQ*11: 1800B8D1 2 0 dma thing<br />
IRQ*13: 1800F289 0 0 usb<br />
IRQ*18: 1800E26D 0 0 uart stuff<br />
IRQ*19: 1800E26D 1 0 uart stuff<br />
IRQ*1A: 1800E26D 2 0 uart stuff<br />
IRQ*1B: 1800E26D 3 0 uart stuff<br />
IRQ*1C: 1800E26D 4 0 uart stuff<br />
IRQ 1F: 1800C301 2 0<br />
IRQ 20: 1800C301 1 0<br />
IRQ 21: 1800C301 0 0<br />
<br />
== [[iPhone 3G S]] ==<br />
=== [[LLB]] irq table: 8400F360 ===<br />
IRQ 6: 84000DD9 0 0<br />
IRQ 11: 8400101D 8400F090 0<br />
IRQ 13: 8400101D 8400F000 0<br />
IRQ 14: 840041B1 4 0<br />
IRQ 15: 840041B1 3 0<br />
IRQ 16: 840041B1 2 0<br />
IRQ 17: 840041B1 1 0<br />
IRQ 18: 840041B1 0 0<br />
IRQ 19: 840036DD 4 0<br />
IRQ 1A: 840036DD 3 0<br />
IRQ 1B: 840036DD 2 0<br />
IRQ 1C: 840036DD 1 0<br />
IRQ 1D: 840036DD 0 0<br />
<br />
=== [[iBoot]] irq table: 4FF2B4E0 ===<br />
IRQ 6: 4FF04915 0 0<br />
IRQ E: 4FF13469 0 0<br />
IRQ 11: 4FF04B59 4FF2A100 0<br />
IRQ 13: 4FF04B59 4FF2A070 0<br />
IRQ 14: 4FF12471 4 0 uart stuff<br />
IRQ 15: 4FF12471 3 0 uart stuff<br />
IRQ 16: 4FF12471 2 0 uart stuff<br />
IRQ 17: 4FF12471 1 0 uart stuff<br />
IRQ 18: 4FF12471 0 0 uart stuff<br />
IRQ 19: 4FF1197D 4 0 nor, i think<br />
IRQ 1A: 4FF1197D 3 0 nor, i think<br />
IRQ 1B: 4FF1197D 2 0 nor, i think<br />
IRQ 1C: 4FF1197D 1 0 nor, i think<br />
IRQ 1D: 4FF1197D 0 0 nor, i think(this needed to load iboot)<br />
IRQ 1E: 4FF0354D 4FF2DDD0 0 H2fmi misc stuff<br />
IRQ 1F: 4FF0354D 4FF2DC70 0 H2fmi misc stuff<br />
IRQ 2F: 4FF01655 5 0 dma_int_handler<br />
IRQ 30: 4FF01655 6 0 dma_int_handler<br />
IRQ 31: 4FF01655 7 0 dma_int_handler<br />
IRQ 32: 4FF01655 8 0 dma_int_handler<br />
<br />
== [[iPod touch 3G]] ==<br />
=== [[LLB]] IRQ table: ===<br />
IRQ 6: 84003039 0 0<br />
IRQ 11: 8400327D 8401209C 0<br />
IRQ 13: 8400327D 8401200C 0<br />
IRQ 14: 84005681 4 0<br />
IRQ 15: 84005681 3 0<br />
IRQ 16: 84005681 2 0<br />
IRQ 17: 84005681 1 0<br />
IRQ 18: 84005681 0 0<br />
IRQ 1E: 840021B9 84014360 0<br />
IRQ 1F: 840021B9 84014200 0<br />
<br />
=== [[iBoot]] IRQ table ===<br />
IRQ 6: 4FF04DF5 0 0<br />
IRQ E: 4FF12AED 0 0 synopsys_otg_handle_endpoint_out<br />
IRQ 11: 4FF05039 4FF29100 0 i2c related<br />
IRQ 13: 4FF05039 4FF29070 0 i2c related<br />
IRQ 14: 4FF11AF5 4 0 uart stuff<br />
IRQ 15: 4FF11AF5 3 0 uart stuff<br />
IRQ 16: 4FF11AF5 2 0 uart stuff<br />
IRQ 17: 4FF11AF5 1 0 uart stuff<br />
IRQ 18: 4FF11AF5 0 0 uart stuff<br />
IRQ 1E: 4FF039A9 4FF2CBB0 0 H2fmi misc stuff<br />
IRQ 1F: 4FF039A9 4FF2CA50 0 H2fmi misc stuff<br />
IRQ 2F: 4FF01655 5 0 dma_int_handler<br />
IRQ 30: 4FF01655 6 0 dma_int_handler<br />
IRQ 31: 4FF01655 7 0 dma_int_handler<br />
IRQ 32: 4FF01655 8 0 dma_int_handler</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=IBoot_Environment_Variable_Overflow&diff=5262IBoot Environment Variable Overflow2009-10-21T20:22:23Z<p>ChronicDev: /* Implementation in purplera1n */ yes it should be there, the first one sets the env var and the second, the one you said shouldnt be there, actually performs th eexploit ;)</p>
<hr />
<div>{{DISPLAYTITLE:iBoot Environment Variable Overflow}}<br />
This is an exploit in the iBoot parsing of commands and environment variables.<br />
<br />
== Credit ==<br />
[[User:Geohot|geohot]]<br />
<br />
== Explanation ==<br />
This is a heap overflow in 3.0's [[iBoot]]. I'm really tired right now and will write more tomorrow.<br />
<br />
My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy.<br />
<br />
== Implementation in purplera1n ==<br />
setenv a bbbbbbbbb1bbbbbbbbb2bbbbbbbbb3bbbbbbbbb4bbbbbbbbb5bbbbbbbbb6bbbbbbbbb7bbbbbbbbb8bbbbbbbbb9bbbbbbbbbAbbbbbbbbbBbbbbbbbbbCbbbbbbbbbDbbbbbbbbbEbbbbbbbbbbbbtbbbbbbbbbubbbbbbbbbvbbbbbbbbbwbbbbbbbbbxbbbbbbbbbybbbbbbbbbzbbbbbbbbbHbbbbbbbbbIbbbbbbbbbJbbbbgeohotbbbbbbbbbLbbbbbbbbbMbbbbbbbbbNbbbbbbbbbObbbbbbbbbPbbbbbbbbbbQbbbbbbbbbRbbbbbbbbbSbbbbbbbbbTbbbbbbbbbUbbbbbbbbbVbbbbbbbbbWbbbbbbb<br />
<br />
xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot<br />
[[Category:Exploits]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Talk:Tethered_jailbreak&diff=5173Talk:Tethered jailbreak2009-10-16T05:02:13Z<p>ChronicDev: </p>
<hr />
<div>I suggest no work should be done on making it untethered until the iphone 3,1 is released. {{unsigned|Revolution|01:01, October 15, 2009 (EST)}}<br />
<br />
No work done until iPhone3,1? That's a stretch. How about no public-work / for release until iPhone 3,1. If no jailbreakable iPhone3,1 in July, then no upgrade (for me) from iPhone2,1 :) . [[User:Iemit737|Iemit737]] 02:49, 16 October 2009 (UTC)<br />
<br />
thats probably what revolution implied :P [[User:ChronicDev|ChronicDev]] 03:05, 16 October 2009 (UTC)<br />
<br />
Really I think no work at all since nitrokey published the exploit being kept in secret I think no work should be done so there is no risk of any compromise. and secondly if nitrokey got access to an unpublished exploit twice I think that there should be more security about all of this. Since nitrokey stole the a baseband exploit and a bootrom exploit. Soz about my rambling Im very tired [[User:Revolution|Revolution]] 04:02, 16 October 2009 (UTC)<br />
<br />
actually [[NitroKey]] stole 2 baseband exploits from devteam and then 1 boootrom exploit from us, so they burned a potential unlock vector making them bigger douches :P<br />
<br />
anyway, info was a bit more "loose" at the time, and we have definitely taken measures to secure all of our private information. If you were implying that any new secret info that we find will be seen by nitrokey, then we are already screwed by that logic. [[User:ChronicDev|ChronicDev]] 05:02, 16 October 2009 (UTC)</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Talk:Tethered_jailbreak&diff=5167Talk:Tethered jailbreak2009-10-16T03:05:29Z<p>ChronicDev: </p>
<hr />
<div>I suggest no work should be done on making it untethered until the iphone 3,1 is released. {{unsigned|Revolution|01:01, October 15, 2009 (EST)}}<br />
<br />
No work done until iPhone3,1? That's a stretch. How about no public-work / for release until iPhone 3,1. If no jailbreakable iPhone3,1 in July, then no upgrade (for me) from iPhone2,1 :) . [[User:Iemit737|Iemit737]] 02:49, 16 October 2009 (UTC)<br />
<br />
thats probably what revolution implied :P [[User:ChronicDev|ChronicDev]] 03:05, 16 October 2009 (UTC)</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Talk:Tethered_jailbreak&diff=5166Talk:Tethered jailbreak2009-10-16T03:05:18Z<p>ChronicDev: </p>
<hr />
<div>I suggest no work should be done on making it untethered until the iphone 3,1 is released. {{unsigned|Revolution|01:01, October 15, 2009 (EST)}}<br />
<br />
No work done until iPhone3,1? That's a stretch. How about no public-work / for release until iPhone 3,1. If no jailbreakable iPhone3,1 in July, then no upgrade (for me) from iPhone2,1 :) . [[User:Iemit737|Iemit737]] 02:49, 16 October 2009 (UTC)<br />
<br />
thats probably what revolution implied :P</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Tethered_jailbreak&diff=5165Tethered jailbreak2009-10-16T03:04:52Z<p>ChronicDev: </p>
<hr />
<div>A tethered jailbreak is one that requires your computer to boot the device.<br />
<br />
== Tethered Devices ==<br />
These are devices that a tethered jailbreak must be used for in all current public tools<br />
* [[iPod touch 3G]]<br />
* [[iPhone 3G S]] w/ updated bootrom</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Bootrom_240.5.1&diff=5146Bootrom 240.5.12009-10-14T23:28:14Z<p>ChronicDev: New page: Second revision of the S5L8720 bootrom. Found on iPod touch 2G devices sold after September 9, 2009. '''This is not vulnerable to the 24kPwn exploit'''.</p>
<hr />
<div>Second revision of the [[S5L8720]] bootrom. Found on [[iPod touch 2G]] devices sold after September 9, 2009.<br />
<br />
'''This is not vulnerable to the [[24kPwn]] exploit'''.</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Bootrom_240.4&diff=5145Bootrom 240.42009-10-14T23:26:40Z<p>ChronicDev: New page: S5L8720 bootrom revision for the iPod touch 2G's sold between September 2008 and September 2009. '''Vulnerable to the 24kPwn exploit.'''</p>
<hr />
<div>[[S5L8720]] bootrom revision for the iPod touch 2G's sold between September 2008 and September 2009. '''Vulnerable to the [[24kPwn]] exploit.'''</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Bootrom&diff=5144Bootrom2009-10-14T23:25:41Z<p>ChronicDev: New page: == Revisions == * iBoot-240.4 (S5L8720 Revision 1) * iBoot-240.5.1 (S5L8720 Revision 2, 24kPwn fixed)</p>
<hr />
<div>== Revisions ==<br />
* [[iBoot-240.4]] ([[S5L8720]] Revision 1)<br />
* [[iBoot-240.5.1]] ([[S5L8720]] Revision 2, 24kPwn fixed)</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=IBoot_(Bootloader)&diff=5143IBoot (Bootloader)2009-10-14T23:24:39Z<p>ChronicDev: /* Revisions */</p>
<hr />
<div>{{DISPLAYTITLE:iBoot}}<br />
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.<br />
<br />
== Revisions ==<br />
* [[iBoot-99]] (1A420 a.k.a. Prototype)<br />
* [[iBoot-159]] (1.0.x)<br />
* [[iBoot-204]] (1.1 and 1.1.1 3A109a)<br />
* [[iBoot-204.0.2]] (1.1.1 3A110a)<br />
* [[iBoot-204.2.9]] (1.1.2)<br />
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)<br />
* [[iBoot-204.3.16]] (1.1.5)<br />
* [[iBoot-320.20]] (2.0.x)<br />
* [[iBoot-385.22]] (2.1 and 2.1.1)<br />
* [[iBoot-385.49]] (2.2 and 2.2.1)<br />
* [[iBoot-596.24]] (3.0 and 3.0.1)<br />
* [[iBoot-636.65]] (3.1 and 3.1.1)<br />
* [[iBoot-636.66]] (3.1.1 7C146 and 3.1.2)<br />
<br />
==Commands used as an exploit vector==<br />
* Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at written to 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.<br />
* In the iPod Touch 2G firmware 2.1.1 iBoot (iBoot version 385.22), the [[ARM7 Go]] command could be used to run a payload on the ARM7 in the iPod Touch 2G.<br />
* The [[iBoot Environment Variable Overflow]] exists in 3.0 iBoot, and is being used by [[purplera1n]] and [[redsn0w]] (as of version 0.8) in order to flash the oversized [[LLB]] which utilizes the [[24kPwn]] exploit to the iPhone 3GS. While this exploit is present on iPod Touch 2nd Gen, it is not used in favour of the [[ARM7 Go]] exploit.<br />
* The [[usb_control_msg(0x21, 2) Exploit]] exists in 3.1 and 3.1.1 iBoot and is being used by [[greenpois0n]] in order to flash the oversized [[LLB]] which utilizes the [[24kPwn]] exploit to the iPhone 3GS and iPod Touch 3G. While this exploit is present on iPod Touch 2nd Gen, it is not used in favour of the [[ARM7 Go]] exploit.<br />
<br />
<br />
==OpeniBoot==<br />
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.<br />
<br />
==Remappings==<br />
<pre><br />
// n88<br />
0x4FF00000 => 0x0<br />
0x40000000 => 0xC0000000<br />
</pre><br />
<br />
== See also ==<br />
* [[iBoot (Enums)]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Main_Page&diff=5116Main Page2009-10-13T01:04:28Z<p>ChronicDev: </p>
<hr />
<div><!-- Logo by iHassan --><br />
<center>[[Image:Iptwiki.jpg]]</center><br />
<!-- Added a split column information box- computid --><br />
{{:Main Page/Welcome}}<br />
<table border="1" width="100%"><tr><br />
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Jailbreak iPhone2,1 / iPod3,1|Find bootrom exploit allowing unsigned code exec via USB (S5L8920+)]]</b></td><br />
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Unlock 2.0|Break Chain of Trust (X-Gold 608)]]</b></td><br />
</tr><br />
<tr><br />
<td colspan="4"><br />
<center>[[Disclaimer]]</center><br />
</td><br />
</tr><br />
</table><br /><br />
==Software==<br />
* [[/|Filesystem]]<br />
* [[Firmware]]<br />
* [[Keys]]<br />
* [[Protocols]]<br />
* [[System Log]]<br />
<br />
==Hardware==<br />
=== iPhone ===<br />
* [[m68ap|iPhone (m68ap)]]<br />
* [[n82ap|iPhone 3G (n82ap)]]<br />
* [[N88AP|iPhone 3GS (n88ap)]]<br />
<br />
=== iPod touch ===<br />
* [[n45ap|iPod touch (n45ap)]]<br />
* [[n72ap|iPod touch 2nd Generation (n72ap)]]<br />
* [[N18ap|iPod touch 3rd Generation (n18ap)]]<br />
<br />
==App Processor ([[Jailbreak]])==<br />
The [[iPhone]], [[iPod touch]], and [[iPhone 3G]] makes use of the [[S5L8900]] platform as application processor. Current models, such as the [[iPod touch 2G]] and the [[N88AP|iPhone 3GS]], use newer processors. The [[S5L8720]] and [[S5L8920]] are used, respectively. The [[N18ap|iPod Touch 3G]] operates using the [[S5L8922]] application processor. Here is where the [[Jailbreak|jailbreak]] applies.<br />
<br />
==Baseband ([[Unlock]])==<br />
The [[Baseband Device]] is where the [[unlock]] applies.<br />
<br />
==Application Development==<br />
* [[Toolchain]] (Includes tutorials)<br />
* [[Toolchain 2.0]] (Includes tutorials)<br />
* [[Frameworks]]<br />
* [[MobileDevice Library]]<br />
* [[Apple Certification Process]]<br />
* [[Bypassing iPhone Code Signatures]]<br />
* [[Distribution Methods]]<br />
<br />
==Application Copy Protection==<br />
* [[Copy Protection Overview]]<br />
* [[Application Structure and Signatures]]<br />
* [[Mach-O Loading Process]]<br />
* [[Bugging Debuggers]]<br />
<br />
==Definitions==<br />
* [[Jailbreak]]<br />
* [[Activation]]<br />
* [[Unlock]]<br />
* [[Baseband Device|Baseband]]<br />
* [[Baseband Bootloader|Bootloader]]<br />
* [[DFU]]<br />
* [[iBoot]]<br />
* [[iBEC]]<br />
* [[iBSS]]<br />
* [[NORID]]<br />
* [[CHIPID]]<br />
<br />
==Other==<br />
* [[Bluetooth]]<br />
* [[Glossary]]<br />
* [[Tutorials]]<br />
* [[Useful Links]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=VROM_(S5L8900)&diff=5115VROM (S5L8900)2009-10-13T01:04:02Z<p>ChronicDev: </p>
<hr />
<div>The VROM, or Virtual Read Only Memory, is said to be the earliest significant code that runs on the [[S5L8900]]. It is mapped to 0x20000000, and is believed to be copied from ROM and put there. It either boots the device or runs [[DFU]]. On 1.x, it was jumped to for RSA checking, although now in 2.x onward, [[iBoot]] and friends do that on their own.<br />
<br />
The [[pwnage]] exploit resides here.<br />
<br />
[[Category:VROM]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=VROM_(S5L8900)&diff=5114VROM (S5L8900)2009-10-13T01:03:15Z<p>ChronicDev: </p>
<hr />
<div>The VROM, or Virtual Read Only Memory, is said to be the earliest significant code that runs on the [[S5L8900]]. It is mapped to 0x20000000, and is believed to be copied from ROM and put there. It either boots the device or runs the [[DFU]]. On 1.x, it was jumped to for RSA checking, although now in 2.x iBoot and friends do that on their own.<br />
<br />
The [[pwnage]] exploit resides here.<br />
<br />
[[Category:VROM]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=ARM7_Go&diff=5113ARM7 Go2009-10-13T00:57:59Z<p>ChronicDev: /* Payload */</p>
<hr />
<div>This vulnerability is exclusive to the [[iPod touch 2G]]. It is present in the device's 2.1.1 firmware, as well as the [[iBEC]] / [[iBSS]] if you choose to upload it via DFU. It allows the running of unsigned code on the ARM7 coprocessor.<br />
<br />
==Credit==<br />
[[User:ChronicDev|Chronic]] and [[iPhone Dev Team]] (independently)<br />
<br />
==Exploit==<br />
There is an ARM7 coprocessor in the iPod Touch 2G in addition to the main processor, the ARM11. Like the [[Audio DSP Module|ADM]] in the [[S5L8900]] devices, it has access to everything the ARM11 has access to, such as the AES engine, the PKE accelerator, and such. The actual vulnerability is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands from what was presumably a debug [[iBoot]]: arm7_stop and arm7_go. They were promptly removed in 2.2, but in 2.1.1 it would read the environmental variable "loadaddr" and have the ARM7 coprocessor execute whatever code was at that address. There was no signature or range checks in place for the command.<br />
<br />
==Payload==<br />
The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and it will jump to it. The limitation is, unlike the [[diags]] exploit you cannot just pass a patched [[iBoot]] or [[iBEC]]. You must write a payload for it to run, but one that patches [[iBEC]] or [[iBoot]] in memory would do fine.<br />
<br />
==Implementations==<br />
Two released payloads are [[RedSn0w]] and [[0wnboot]]<br />
<br />
==How to use==<br />
* Enter device in [[DFU]] mode.<br />
* Upload iBSS 2.1.1.<br />
* Unplug and then replug the device.<br />
* Upload payload you wish to execute.<br />
* Run arm7_go command to execute payload.<br />
* Run arm7_stop to stop ARM7, needed if you plan on sending anything else to 0x09000000<br />
<br />
[[Category:Exploits]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=IPhone_Dev_Team&diff=5112IPhone Dev Team2009-10-13T00:56:09Z<p>ChronicDev: /* Current members */</p>
<hr />
<div>{{DISPLAYTITLE:iPhone Dev Team}}<br />
==Blog==<br />
[http://blog.iphone-dev.org Dev Team blog]<br />
<br />
==Current members== <br />
asap18, bgm, Bugout, bushing, c1de0x, chris, CPICH, dinopio, Fred_, ghost_000, gray, iZsh, jim–, marcan, MuscleNerd, netkas, planetbeing, pr3d4t0r, pumpkin, pytey, roxfan, saurik, Turbo, w___, wizdaz, Zf<br />
<br />
==Previous Members==<br />
drudge, [[geohot]], gj, kroo, Nate True, NerveGas, sam, Whiterat, [[Zibri]]<br />
<br />
==See also==<br />
* [[PwnageTool]]<br />
* [[pwnage]]<br />
* [[pwnage 2.0]]<br />
* [[yellowsn0w]]<br />
* [[redsn0w]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Pwnage_2.0&diff=5111Pwnage 2.02009-10-13T00:55:26Z<p>ChronicDev: </p>
<hr />
<div>This exploit in the [[S5L8900]] [[VROM (S5L8900)|bootrom]] is really the ultimate exploit, since it allows unsigned code to be run at the lowest level. It is available in all devices that use the [[S5L8900]] - [[iPhone]], [[iPod Touch]] and [[iPhone 3G]].<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
There is a stack overflow in the certificate parsing code. By passing a malformed certificate, unsigned code can be run.<br />
<br />
==Implementations==<br />
*[[PwnageTool]]<br />
*[[QuickPwn]]<br />
*[[WinPwn]]<br />
*[[redsn0w]]<br />
*[http://lpahome.com/geohot/iran.rar iran]<br />
<br />
[[Category:Exploits]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Pwnage&diff=5110Pwnage2009-10-13T00:53:51Z<p>ChronicDev: /* 2.0+ (S5L8720 and on) */</p>
<hr />
<div>This exploit is in the [[S5L8900]] bootrom, thus available in the iPhone, iPod Touch and iPhone 3G. The exploit is that the bootrom doesn't signature check [[LLB]].<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
===Pre-2.0 ([[S5L8900]])===<br />
The [[NOR]] was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although [[iBoot]] signature checked the [[kernel]], [[LLB]] did not signature check [[iBoot]], and the [[VROM]] did not signature check [[LLB]].<br />
<br />
===2.0+ ([[S5L8900]])===<br />
The [[VROM (S5L8900)|VROM]] doesn't sig check the stuff it jumps to in the [[NOR]]. So to use the exploit, one finds a way of writing to the [[NOR]] unsigned, either with [[iBoot]] hacks or kernel patches. While images are now written to [[NOR]] in a way that one can verify the other, like [[LLB]] verifying [[iBoot]], the [[VROM (S5L8900)|bootrom]] cannot be written to, so it still defaults to just reading [[LLB]] normally, un-signature checked.<br />
<br />
===2.0+ ([[S5L8720]] and on)===<br />
This exploit has been fixed on the [[n72ap|iPod Touch 2G]] and all devices released after it. The [[VROM (S5L8720)|bootrom]] sigchecks [[LLB]] before jumping to it now, and if the [[LLB]] is patched, it will default to [[DFU]] mode. The [[24kPwn]] exploit was later found in the [[iPod touch 2G]] [[VROM (S5L8900)|bootrom]] allowing the device to be fully jailbroken.<br />
<br />
==Implementation==<br />
* [[PwnageTool]]<br />
* [[iPhoneLinux]]<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Exploits]]<br />
[[Category:VROM]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Pwnage&diff=5109Pwnage2009-10-13T00:52:20Z<p>ChronicDev: /* 2.0+ (S5L8720 and on) */</p>
<hr />
<div>This exploit is in the [[S5L8900]] bootrom, thus available in the iPhone, iPod Touch and iPhone 3G. The exploit is that the bootrom doesn't signature check [[LLB]].<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
===Pre-2.0 ([[S5L8900]])===<br />
The [[NOR]] was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although [[iBoot]] signature checked the [[kernel]], [[LLB]] did not signature check [[iBoot]], and the [[VROM]] did not signature check [[LLB]].<br />
<br />
===2.0+ ([[S5L8900]])===<br />
The [[VROM (S5L8900)|VROM]] doesn't sig check the stuff it jumps to in the [[NOR]]. So to use the exploit, one finds a way of writing to the [[NOR]] unsigned, either with [[iBoot]] hacks or kernel patches. While images are now written to [[NOR]] in a way that one can verify the other, like [[LLB]] verifying [[iBoot]], the [[VROM (S5L8900)|bootrom]] cannot be written to, so it still defaults to just reading [[LLB]] normally, un-signature checked.<br />
<br />
===2.0+ ([[S5L8720]] and on)===<br />
This exploit has been fixed on the [[n72ap|iPod Touch 2G]] and the [[n82ap|iPhone 3GS]]. The bootrom sigchecks LLB before jumping to it now, and if the LLB is patched, it will default to DFU mode. The [[24kpwn]] bootrom exploit was later found allowing the device to be fully jailbroken.<br />
<br />
==Implementation==<br />
* [[PwnageTool]]<br />
* [[iPhoneLinux]]<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Exploits]]<br />
[[Category:VROM]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Pwnage&diff=5108Pwnage2009-10-13T00:52:05Z<p>ChronicDev: /* 2.0+ (S5L8720) */</p>
<hr />
<div>This exploit is in the [[S5L8900]] bootrom, thus available in the iPhone, iPod Touch and iPhone 3G. The exploit is that the bootrom doesn't signature check [[LLB]].<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
===Pre-2.0 ([[S5L8900]])===<br />
The [[NOR]] was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although [[iBoot]] signature checked the [[kernel]], [[LLB]] did not signature check [[iBoot]], and the [[VROM]] did not signature check [[LLB]].<br />
<br />
===2.0+ ([[S5L8900]])===<br />
The [[VROM (S5L8900)|VROM]] doesn't sig check the stuff it jumps to in the [[NOR]]. So to use the exploit, one finds a way of writing to the [[NOR]] unsigned, either with [[iBoot]] hacks or kernel patches. While images are now written to [[NOR]] in a way that one can verify the other, like [[LLB]] verifying [[iBoot]], the [[VROM (S5L8900)|bootrom]] cannot be written to, so it still defaults to just reading [[LLB]] normally, un-signature checked.<br />
<br />
===2.0+ ([[S5L8720 and on]])===<br />
This exploit has been fixed on the [[n72ap|iPod Touch 2G]] and the [[n82ap|iPhone 3GS]]. The bootrom sigchecks LLB before jumping to it now, and if the LLB is patched, it will default to DFU mode. The [[24kpwn]] bootrom exploit was later found allowing the device to be fully jailbroken.<br />
<br />
==Implementation==<br />
* [[PwnageTool]]<br />
* [[iPhoneLinux]]<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Exploits]]<br />
[[Category:VROM]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=Pwnage&diff=5107Pwnage2009-10-13T00:51:46Z<p>ChronicDev: /* 2.0+ (S5L8900) */</p>
<hr />
<div>This exploit is in the [[S5L8900]] bootrom, thus available in the iPhone, iPod Touch and iPhone 3G. The exploit is that the bootrom doesn't signature check [[LLB]].<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
===Pre-2.0 ([[S5L8900]])===<br />
The [[NOR]] was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although [[iBoot]] signature checked the [[kernel]], [[LLB]] did not signature check [[iBoot]], and the [[VROM]] did not signature check [[LLB]].<br />
<br />
===2.0+ ([[S5L8900]])===<br />
The [[VROM (S5L8900)|VROM]] doesn't sig check the stuff it jumps to in the [[NOR]]. So to use the exploit, one finds a way of writing to the [[NOR]] unsigned, either with [[iBoot]] hacks or kernel patches. While images are now written to [[NOR]] in a way that one can verify the other, like [[LLB]] verifying [[iBoot]], the [[VROM (S5L8900)|bootrom]] cannot be written to, so it still defaults to just reading [[LLB]] normally, un-signature checked.<br />
<br />
===2.0+ ([[S5L8720]])===<br />
This exploit has been fixed on the [[n72ap|iPod Touch 2G]] and the [[n82ap|iPhone 3GS]]. The bootrom sigchecks LLB before jumping to it now, and if the LLB is patched, it will default to DFU mode. The [[24kpwn]] bootrom exploit was later found allowing the device to be fully jailbroken.<br />
<br />
==Implementation==<br />
* [[PwnageTool]]<br />
* [[iPhoneLinux]]<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Exploits]]<br />
[[Category:VROM]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8900&diff=5106S5L89002009-10-13T00:49:19Z<p>ChronicDev: /* iBoot / Kernel */</p>
<hr />
<div>This is the Application Processor shared between the [[M68ap|iPhone]], [[N45ap|iPod touch]], and the [[N82ap|iPhone 3G]]. Not much is known about it through official sources. This processor is not used in any of the newest devices, being replaced by the [[S5L8720]] and [[S5L8920]].<br />
<br />
==[[S5L File Formats|Firmware File Formats]]==<br />
<br />
==Exploits==<br />
===[[System|Userland]]===<br />
* [[Restore Mode]] - Firmware v1.0.2 and below<br />
* [[Symlinks]] - Firmware v1.1.1 and below<br />
* [[LibTiff|LibTIFF]] - Firmware v1.1.1 and below<br />
* [[Mknod]] - Firmware v1.1.2 and below<br />
* [[Dual Boot Exploit]] - Firmware 1.1.4 / v2.0b3 and below<br />
<br />
===[[iBoot]] / [[Kernel]]===<br />
* [[Ramdisk Hack]] - 1.1.4 / 2.0 beta 3 and below<br />
* [[diags|Diags Exploit]] - 1.1.4 / v2.0 beta 5 and below<br />
* [[iBoot Environment Variable Overflow]] - 3.1 beta 1 and below<br />
* [[usb_control_msg(0x21, 2) Exploit]] - 3.1.2 and below<br />
<br />
===[[VROM (S5L8900)|Bootrom]]===<br />
* [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]]<br />
* [[Pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]]<br />
<br />
==Boot Chain==<br />
[[VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]<br />
<br />
One of the [[iPhoneLinux]] goals are to replace that Boot Chain after iBoot:<br /><br />
[[VROM]]->OpeniBoot->Linux Kernel->X Server->Window Manager<br />
<br />
==Upgrade Process==<br />
<br />
=== [[Restore Mode]] ===<br />
The common upgrade process chain is [[VROM]]->[[DFU]]->[[WTF]]->[[iBoot]]->[[Kernel]]->[[Ramdisk]]->[[Restore Mode]].<br />
<br />
=== [[DFU|DFU Mode]] ===<br />
To flash an older version of the iPhone software you have to let your phone reside in [[DFU]]. In iTunes you have to press the option key (Mac) or the shift key (Windows) when pressing 'Restore' to be able to manually chose an [[IPSW File Format|IPSW]].<br />
<br />
==== Boot Chain ====<br />
[[VROM]]->[[DFU]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8720&diff=5105S5L87202009-10-13T00:48:11Z<p>ChronicDev: /* iBoot / Kernel Level */</p>
<hr />
<div>This is the Application Processor used on the [[n72ap|iPod Touch 2G]].<br />
<br />
==Exploits==<br />
===[[iBoot]] / [[Kernel]] Level===<br />
'''Note''': [[iBoot]] on the S5l8720 can be downgraded, allowing any of these exploits to be used on future firmwares<br />
<br />
* [[ARM7 Go]] - Firmware v2.1.1<br />
* [[iBoot Environment Variable Overflow]] - 3.1 beta 3 and below<br />
* [[usb_control_msg(0x21, 2) Exploit]] - 3.1.2 and below<br />
<br />
===[[VROM (S5L8720)|Bootrom]]===<br />
* [[0x24000 Segment Overflow]]<br />
<br />
==Boot Chain==<br />
[[VROM (S5L8720)|VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]<br />
<br />
It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3]] containers, and the [[S5L8720 Bootrom|bootrom]] can properly sigcheck [[LLB]]. That being said, unsigned images can still be run using the [[0x24000 Segment Overflow]].<br />
<br />
==See Also==<br />
* [[S5L8720 (Hardware)]]<br />
* [[S5L File Formats]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8720&diff=5104S5L87202009-10-13T00:47:54Z<p>ChronicDev: /* iBoot / Kernel Level */</p>
<hr />
<div>This is the Application Processor used on the [[n72ap|iPod Touch 2G]].<br />
<br />
==Exploits==<br />
===[[iBoot]] / [[Kernel]] Level===<br />
'''Note''': [[iBoot]] on the S5l8720 can be downgraded, allowing either exploit to be used on future firmwares<br />
<br />
* [[ARM7 Go]] - Firmware v2.1.1<br />
* [[iBoot Environment Variable Overflow]] - 3.1 beta 3 and below<br />
* [[usb_control_msg(0x21, 2) Exploit]] - 3.1.2 and below<br />
<br />
===[[VROM (S5L8720)|Bootrom]]===<br />
* [[0x24000 Segment Overflow]]<br />
<br />
==Boot Chain==<br />
[[VROM (S5L8720)|VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]<br />
<br />
It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3]] containers, and the [[S5L8720 Bootrom|bootrom]] can properly sigcheck [[LLB]]. That being said, unsigned images can still be run using the [[0x24000 Segment Overflow]].<br />
<br />
==See Also==<br />
* [[S5L8720 (Hardware)]]<br />
* [[S5L File Formats]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8920&diff=5103S5L89202009-10-13T00:46:26Z<p>ChronicDev: /* iBoot / Kernel */</p>
<hr />
<div>This is the processor used in the [[iPhone 3GS]].<br />
<br />
S5L8920 using [http://www.arm.com/products/CPUs/archi-thumb2.html THUMB-2] instruction set as much as ARM and THUMB ones. So the compiled binaries are not compatible with older CPUs.<br />
<br />
== Exploits ==<br />
=== [[iBoot]] / [[Kernel]] ===<br />
* [[iBoot Environment Variable Overflow]] - Firmware 3.1b3 and below (Note: [[iBoot]] on the S5L8920 can be downgraded allowing the exploit to be used on future firmwares, but ''only if'' a backup of the device-specific Apple-signed 3.0 iBSS with unique [[ECID]] was made.)<br />
* [[usb_control_msg(0x21, 2) Exploit]] - 3.1.2 and below.<br />
<br />
=== [[S5L8920 (Bootrom)|Bootrom]] ===<br />
* [[0x24000 Segment Overflow]]<br />
<br />
== Boot Chain ==<br />
[[S5L8920 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]<br />
<br />
== See also ==<br />
* [[S5L8920 (Bootrom)]]<br />
* [[S5L8920 (Hardware)]]<br />
* [[S5L8920 (Hardware - Quick Notes)]]</div>ChronicDevhttps://www.theiphonewiki.com/w/index.php?title=S5L8922&diff=5102S5L89222009-10-13T00:46:06Z<p>ChronicDev: /* Exploits */</p>
<hr />
<div>This is the processor used in the [[N18ap|iPod Touch 3G]].<br />
<br />
== Exploits ==<br />
=== [[iBoot]] / [[Kernel]] ===<br />
* [[usb_control_msg(0x21, 2) Exploit]] - 3.1.2 and below.<br />
<br />
=== [[S5L8922 (Bootrom)|Bootrom]] ===<br />
<br />
== Boot Chain ==<br />
[[S5L8922 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]<br />
<br />
== See also ==<br />
* [[S5L8922 (Bootrom)]]<br />
* [[S5L8922 (Hardware)]]</div>ChronicDev