The iPhone Wiki - User contributions [en]

Talk:BootNeuter

2012-09-11T18:44:14Z

J: /* Flashing the Boot Loader */ new section

=== Fakeblank ===
It is not quite clear if fakeblank is a sort of bootloader (same level as 3.9 or 4.6, say a 'blank' bootloader) or if it is just a piece of code which is needed to run a serial payload at will '''and / or''' boots the normal bootloader (3.9 or 4.6) if no serial payload is run. The article itself is inconsistent regarding this point.

Besides there is a page [[Fakeblank]] and resorting / linking information would be a good idea, IMHO.

== Change bootloader? ==

How does BootNeuter does change the bootloader?
I suppose that BootNeuter use Gbootloader (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/02/look-at-things-to-come.html] ) for changing the bootloader 4.6 stock/neutered.
I suppose that BooNeuter use 112otb (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html] ) for changing a fakeblanked bootloader.
But for the Bootloader 3.9, we don't know (maybe an upgrade to 4.6 first via bbupdater??) ? -- dranfi

BootNeuter does use geohot's extended secpack erase for erasing the 4.6 BL (as stated in its credits). For actually changing the "locked-down" NOR status of both the 3.9 and 4.6 bootloaders, BootNeuter uses the GPIO hack found by the dev team (and credited to the dev team by geohot within gbootloader/main-bleraser.c. Search that source code for the credit). The neuter patch is actually another matter, and is another (still uncredited and unmentioned (until now)) dev team discovery. And no, 3.9 is not upgraded to 4.6 before being neutered :) The 3.9 and 4.6 neuters are similar but distinct.-- MuscleNerd

Can you tell us more about the GPIO hack, I only see this in Gehot code : "//deassert WP#, thanks dev team
GPIO=0x700;" -- dranfi

That GPIO adds an extra layer of write protection for the bootloader blocks. Without deasserting WP# via that GPIO (using that particular address and data value), any attempt to erase or reprogram those blocks is ignored. It's one of the critical components in the software-based unlock, found by the dev team and shared with geohot. -- MuscleNerd

Muscle, I get it. the dev team figured out how to toggle the GPIO line, and figured out that it's connected to the WP line on the flash. 2 times in one page is sufficient to drill that into one's head. -Scotty2

LOL you do realize I was responding to dranfi's second question? - MuscleNerd

== Neuter Patch ==

MuscleNerd--can you elaborate on what exactly the "neuter patch" is?
I saw a post about this before BootNeuter actually being released, but I don't think I'll be able to find it. -- dranfi

Use a nordumper. ~geohot

== Flashing the Boot Loader ==

How exactly does Boot Neuter flash the bootloader (3.9/4.6). I have a iPhone 2g that appears to have a broken/currupted BootLoader on it so BootNeuter wont run, it just hangs at Determing current settings. I can get SSH access to the device and would love to be able to manually flash the firmware to it and recover the device.

Thanks,
J

User:J

2012-04-20T13:17:33Z

J: /* Projects */

I'm J. Currently I know Java and VB. I'm part of the Private Dev Team and Chronic Dev

==Projects==
Bluefreeze

Ph0enix Semi-tether

User:J

2012-04-20T13:14:53Z

I'm J. Currently I know Java and VB. I'm part of the Private Dev Team and Chronic Dev

==Projects==
Bluefreeze
Ph0enix Semi-tether

User:J

2012-03-08T02:55:01Z

J: Created page with "I'm J. Currently I know java and VB User:Phyrrus9 is teaching me C++. I'm part of the Private Dev Team and am the one who found the blueJay/blueFreeze "exploit.""

I'm J. Currently I know java and VB [[User:Phyrrus9]] is teaching me C++. I'm part of the Private Dev Team and am the one who found the blueJay/blueFreeze "exploit."

S5L8945

2012-03-08T01:12:26Z

J: Created page with "== S5L8940 == right The '''S5L8945''' is the Apple A5X processor currently used in the "The New iPad" aka iPad 3."

== S5L8940 ==

[[Image:A5X.png|right]]
The '''S5L8945''' is the Apple A5X processor currently used in the "The New iPad" aka iPad 3.

File:A5X.png

2012-03-08T01:11:12Z

Bluefreeze

2011-12-23T14:57:14Z

[[iFaith]] has a protection that you don't use it on the wrong firmware to protect you. '''Bluefreeze''' modifies the firmware version (and firmware checksum) in the iFaith certificate file, so that this check gets disabled. By doing so, you can install any firmware version on your device, even without having saved the [[SHSH]] files. The problem by doing so is that you actually install a firmware without signatures.

Bluefreeze asks you to build and browse to two ipsw's one signed properly and one not signed. Then Bluefreeze swaps the properly signed img3 files in the properly signed firmware file with the incorrectly signed img3 files in the unsigned ipsw thus resulting in an ipsw file with properly signed img3 files. This firmware file is used for the downgrade.

Having an incorrectly signed firmware installed won't let you boot of course. But because the limera1n exploit ignores incorrect signitures we can use the limera1n exploit (DFU mode, then using redsn0w) to boot up your device. The problem is only that you have to repeat this every time (similar to a tethered jailbreak), so it's not a downgrade you would want. This should be your last resort, and only if you absolutely need a downgrade.

This way a downgrade to [[iOS]] 4.3, 4.3.5, or 5.0 from 5.0.1 is possible. Supported devices are iPhone 3GS, iPod touch 3G, and all [[S5L8930|A4]] devices.

One common misconception about this downgrade solution is that it may conflict with an untethered jailbreak. This is completely false. If proper exploits are used (anything but a userland one ex: Jailbreakme 3.0) and properly jailbroken this tethered downgrade would become an untethered downgrade.

== Purpose ==
With this method you can install a firmware for which you don't have [[SHSH]] saved for some tests, for examle if you're a software developer and need to do some tests on a specific version.

== Download ==
* [http://www.mediafire.com/?zzkfhpmca950wk7 Windows]

== External Links ==
* [https://github.com/ThePrivateDevTeam/Bluefreeze GitHub]
* [http://www.youtube.com/watch?v=UpZKxqLqK7A Guide]

[[Category:GUI Tools]]

Bluefreeze

2011-12-23T13:47:12Z

[[iFaith]] has a protection that you don't use it on the wrong firmware to protect you. '''Bluefreeze''' modifies the firmware version (and firmware checksum) in the iFaith certificate file, so that this check gets disabled. By doing so, you can install any firmware version on your device, even without having saved the [[SHSH]] files. The problem by doing so is that you actually install a firmware without signatures.

Bluefreeze asks you to build and browse to two ipsw's one signed properly and one not signed. Then Bluefreeze swaps the properly signed img3 files in the properly signed firmware file with the incorrectly signed img3 files in the unsigned ipsw thus resulting in an ipsw file with properly signed img3 files. This firmware file is used for the downgrade.

Having an incorrectly signed firmware installed won't let you boot of course. But using the limera1n exploit (DFU mode, then using redsn0w) you can still boot your device up. The problem is only that you have to repeat this every time (similar to a tethered jailbreak), so it's not a downgrade you would want. This should be your last resort, and only if you absolutely need a downgrade.

This way a downgrade to [[iOS]] 4.3, 4.3.5, or 5.0 from 5.0.1 is possible. Supported devices are iPhone 3GS, iPod touch 3G, and all [[S5L8930|A4]] devices.

One common misconception about this downgrade solution is that it may conflict with an untethered jailbreak. This is completely false. If proper exploits are used (anything but a userland one ex: Jailbreakme 3) and properly jailbroken this tethered downgrade would become an untethered downgrade.

== Purpose ==
With this method you can install a firmware for which you don't have [[SHSH]] saved for some tests, for examle if you're a software developer and need to do some tests on a specific version.

== Download ==
* [http://www.mediafire.com/?zzkfhpmca950wk7 Windows]

== External Links ==
* [https://github.com/ThePrivateDevTeam/Bluefreeze GitHub]
* [http://www.youtube.com/watch?v=UpZKxqLqK7A Guide]

[[Category:GUI Tools]]

Firmware Keys

2011-11-11T12:29:12Z

'''VFDecrypt Keys''' are the keys which can decrypt the files that come with the [[firmware]]. Apple uses a public-private key encryption to ensure the safety of their files. Over time Apple has changed the way to encrypt firmware files, thus the way to decrypt files as well as the way to get the VFDecrypt Keys has also.

[[S5L File Formats#IMG2|IMG2]] was the file format used prior to iOS 2.0. For iOS 1.1.x, IMG2 files were encrypted with Key 0x837.

[[IMG3 File Format|IMG3]] encrypted files contain encrypted versions of the VFDecrypt Keys as part of the [[KBAG]] (key bag). These can be decrypted with the [[GID-key]]. For jailbroken iDevices the VFDecrypt keys can be retrieved with the devices [[AES Keys|hardware AES engine]]. The VFDecrypt key for the root filesystem image of an iDevice (~500 MB to 800MB in the case of iOS 5) requires either a decrypted [[Restore Ramdisk]] or [[Update Ramdisk]]. Once you have a decrypted Restore or Update Ramdisk, [[GenPass]] or [[iKeyHelper]] can be used to gather the keys for the root filesystem.
For the root filesystem there is one key per device model, with no IV. You can mount this once it has been decrypted using your program of choice. (For example, 7-zip on Windows (after extracting the DMG on Windows, extract the biggest file with {{wp|7-Zip}})

== Notes ==
The Update Ramdisk and Restore Ramdisks share the same IV and key per type of Application Processor. The current models are:

{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! width="200" | Application Processor
! width="200" | iDevice
|-
| [[S5L8900]]
| [[M68ap|iPhone]], [[N82ap|iPhone 3G]], [[N45ap|iPod touch]]
|-
| [[S5L8720]]
| [[M68ap|iPhone]], [[N72ap|iPod touch 2G]]
|-
| [[S5L8920]]
| [[N88ap|iPhone 3GS]]
|-
| [[S5L8922]]
| [[N18ap|iPod touch 3G]]
|-
| [[S5L8930]] (A4)
| [[K48ap|iPad]], [[iPhone 4]], [[N81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]]
|-
| [[S5L8940]] (A5)
| [[iPad 2]], [[N94ap|iPhone 4S]]
|}

You can use [[img3decrypt]][http://code.google.com/p/img3decrypt/] or [[xpwntool]][http://github.com/planetbeing/xpwn/tree/master] to decrypt these as described in [[Ramdisk Decryption]]. Once done, mount or extract using the tool of your choice.

When posting a key page, please use the [[Template:Keys|key template]] ('''IN THE CORRECT ORDER''') and do '''NOT''' {{wp|WP:SUBST|substitute}} it.

For the VFDecrypt Keys of each firmware please check the builds listed at the appropiate firmware version page.

== Firmware versions ==
{{main|Firmware|Beta Firmware}}
== [[Apple TV]] ==
{{:Firmware/Apple TV 2G}}

== [[iPad]] ==
{{:Firmware/iPad}}
=== [[iPad 2]] ===
{{:Firmware/iPad 2 Wi-Fi}}
{{:Firmware/iPad 2 GSM}}
{{:Firmware/iPad 2 CDMA}}

== [[iPhone]] ==
{{:Firmware/iPhone}}
{{:Firmware/iPhone 3G}}
{{:Firmware/iPhone 3GS}}
=== [[iPhone 4]] ===
{{:Firmware/iPhone 4 GSM}}
{{:Firmware/iPhone 4 CDMA}}
{{:Firmware/iPhone 4S}}

== [[iPod touch]] ==
{{:Firmware/iPod touch}}
{{:Firmware/iPod touch 2G}}
{{:Firmware/iPod touch 3G}}
{{:Firmware/iPod touch 4G}}

==BETA==
== [[Apple TV]] ==
{{:Beta Firmware/Apple TV 2G}}

== [[iPad]] ==
{{:Beta Firmware/iPad}}
=== [[iPad 2]] ===
{{:Beta Firmware/iPad 2 Wi-Fi}}
{{:Beta Firmware/iPad 2 GSM}}
{{:Beta Firmware/iPad 2 CDMA}}

== [[iPhone]] ==
{{:Beta Firmware/iPhone}}
{{:Beta Firmware/iPhone 3G}}
{{:Beta Firmware/iPhone 3GS}}
=== [[iPhone 4]] ===
{{:Beta Firmware/iPhone 4}}
{{:Beta Firmware/iPhone 4 CDMA}}
{{:Beta Firmware/iPhone 4S}}

== [[iPod touch]] ==
=== [[N45ap|iPod touch (1st generation)]] ===
{{:Beta Firmware/iPod touch}}
=== [[N72ap|iPod touch (2nd generation)]] ===
{{:Beta Firmware/iPod touch 2G}}
{{:Beta Firmware/iPod touch 3G}}
{{:Beta Firmware/iPod touch 4G}}

== Gaps ==
As you will notice, there may be a gap or two, or a key for a current build that is not there. Please feel free to add them, but please be sure that it is only the key for a User or Developer build, as if you gave the key for another type of build that might or may not be out there '''people could get in trouble, and we do not want that'''. Thanks for contributing!

[[Category:VFDecrypt]]