The iPhone Wiki - User contributions [en]

Talk:IMG3 File Format

2009-07-30T00:33:10Z

James:

I don't think every iPhone/iPod touch has an ECID -- Isn't it only a 3GS thing? [[User:Iemit737|Iemit737]] 06:01, 27 July 2009 (UTC)

Put your iPhone or iPod Touch in Recovery Mode and look at the USB section in the System Profiler (if you're on Mac), then click on the "Apple Mobile Device...". In the detalis section (below the devices list) you will see a lot of IDs (also incl. the ECID).

But, it's very good question! I think that in spite of the fact that ECID is present on all devices, only on 3GS it is sigchecked on the bootrom. [[User:Rusmac|rusmac]]

When you say it's sigchecked by the bootrom - you mean the DFU mode of it? Not the normal one that's vulnerable to 24kpwn? [[User:Iemit737|Iemit737]] 09:07, 27 July 2009 (UTC)

actually the code to check ECID is in ipod2g bootrom as well, but the actual sigchecking depends on where the ECID tag is placed in the img3. But interestingly they don't check the TYPE tag in either ipod2g bootrom or 3gs bootrom. --[[User:Posixninja|posixninja]] 15:24, 29 July 2009 (UTC)

Can you tell us what the TYPE tag does? (or do you mean the type of tag) [[User:Iemit737|Iemit737]] 21:49, 29 July 2009 (UTC)

I believe the TYPE tag is used to verify that you're executing images in the correct manner; as in, you have to use bootx to boot the kernel, etc. --[[User:James|James]] 00:33, 30 July 2009 (UTC)

BCM4325

2009-07-14T17:53:21Z

James:

This chip is in the iPod2,1 (iPod touch 2G) and iPhone2,1 (iPhone 3GS) and combines Bluetooth/Wifi and a secret FM radio, presumably connected and ready to go on a future firmware release by Apple.

== FM Radio ==

The most peculiar thing is the inclusion of an FM radio. There is a product brief available from broadcom on this chip: {put link here} but it serves little purpose apart from the block diagram and interface hardware/software.

Interfacing the FM radio is done in two stages: Control via the bluetooth modules's UART or I2C and digital audio streaming over the module's I2S/PCM hardware.

most notably: the FM radio never physically leaves the sillicon die, except for the antenna (which may be connected directly to the BT/UMTS/everything else [:P lol] antenna) this means that the control/streaming will be an extension to the BT protocols currently implemented.

For control, the HCI over UART (/dev/uart.bluetooth) seems the most logical solution to turn the radio on/tune/search etc. but the vendor specific HCI commands will need to be *obtained* (or reversed, which could prove hard). A broadcom datasheet would have this information, but unfortunately you have to sign an NDA to obtain one.

For streaming, the i2s bus sounds good... interfacing this could be hard but playing on the stereo bluetooth profile of iphone OS 3 we could piggy back, at least to start with. however we do need the radio ON first...

Bluetooth

2009-07-14T17:53:05Z

James:

Bluetooth is a short-range, wireless technology, popular for its Personal Area Networking capability. Bluetooth hardware is provided on all iPhone platforms and the second generation iPod Touch platform. Apple has severely restricted the functions of Bluetooth to the end-user, for seemingly no reason, as the hardware supplied is capable of most if not all current bluetooth 2.0/2.1 functions.

With iPhoneOS 3.0, support for 3G internet bridging (PAN) and A2DP over Bluetooth has been added, however the file sharing OBEX protocol is notably still missing.

== Access ==

Developers have been able to successfully access and interface the Bluetooth hardware to achieve an OBEX solution, however this is still quite underground. The device nodes of relevance here, are
* /dev/uart.bluetooth
* /dev/cu.bluetooth
* /dev/tty.bluetooth

== iPhone/iPods with Bluetooth ==

* iPhone (iPhone1,1) (m68ap) - Bluetooth (r) 2.0 + EDR
* iPhone 3G (iPhone1,2) (n82ap) - Bluetooth (r) 2.0 + EDR - chip specific link [[Bluetooth iPhone2,1]]
* iPhone 3GS (iPhone2,1) (n88ap) - Bluetooth (r) 2.1 + EDR

* iPod Touch 2G (iPod2,1) (n72ap) - Bluetooth (r) 2.1 + EDR
* iPod Touch 3G (unreleased) - Bluetooth (r) 2.1 + EDR forcasted

== Unreleased iPod3,1 ==

As of iPhoneOS 3.0 an iPod3,1 is mentioned, with a BCM4329 WiFi/Bluetooth/FM wireless solution chip... this is strong evidence for a new iPod model in the near future

Kirkwood 7A341 (iPhone2,1)

2009-06-28T00:50:41Z

James: Added a bunch of decryption keys for various images.

== Decryption Keys ==

=== Root Filesystem ===
* '''VFDecrypt''': 7d779fed28961506ca9443de210224f211790192b2a2308b8bc0e7d4a2ca61a68e26200e

=== LLB ===
* '''Key''': 783970ed70d151e65cdd0f52019f026cbc0ece5c604603117d677b6a85ea4d95
* '''IV''': fc4efef9fd245dc038ecb26f25f795c7

=== iBoot ===
* '''Key''': c160ff26cf0cdb1c0b5d821e4102cab8a3e62687f39ab8c456907694e3c4834e
* '''IV''': 948a3d82419c9d4dde404cb4a788da70

=== DeviceTree ===
* '''Key''': 14370497f039b5caf3583cfa89cfd626147df4c37c63ab3a3fc110765d3d0585
* '''IV''': c6f3b155a71d2a61d14f78f6230bb20e

=== Kernel ===
* '''Key''': f49e50a630397ed72592f5c9874b33ca1e0e5a499d2a6a0f2746c8e7f1dbf470
* '''IV ''': cd41286890df601bfcd87f8a09b009c8

=== Logo ===
* '''Key''': d4598b90b842817d34f4eb2e741bfb965d73986ac0c1ec99f9d73c67fef787e3
* '''IV''': 02a124ab2522762fdb0e2dceebd69c4e

=== Recovery Logo ===
* '''Key''': da2324a7f8341c26b550a674a0d8566a9ebc9eda9c22cf37b1fc7d702ee6aab5
* '''IV''': 2e314503ca4f2bd03ac17c8b8eecf072

=== iBEC ===
* '''Key''': 711ffd7e4cc4ea56150749e085d065f6efe83bc40c506eb17648c3e68ac4ed6c
* '''IV''': 414cd466c85886181881880d66b9535a

=== iBEC ===
* '''Key''': ebc56070f923799c06fc696fe5b8335517eb2fc13d1e8fcdb16be784db6b4a36
* '''IV''': d7815d19a90b84677fc757aa4abf9343

=== Update Ramdisk - 018-5304-002.dmg ===
* '''Key''': 8ffbef98cc28b4aa14d18783faa6a8c95c94b1a4536fbfb7485f0d54cdec358b
* '''IV''': d9b8d8f798cd50ba72d434b271d2f181

=== Restore Ramdisk - 018-5306-002.dmg ===
* '''Key''': 44514633ce2aead62bcfa8836cda4a3c7bde483f8b1e9f19d22f9d8fdf753e02
* '''IV''': e345e23bb266fcc2ba23a2e0be77a3bf

S5L8900

2009-06-26T20:00:16Z

James: Added note since this processor is not used by any current device.

This is the Application Processor shared between the [[iPhone]], [[N45ap|iPod touch]], and the [[iPhone 3G]]. Not much is known about it through official sources. This processor is not used in any of the current devices, being replaced by the [[S5L8720]] and [[S5L8920]].

==Firmware File Formats==
See [[S5L File Formats|this page]] for more information on the types of firmware files it interprets

==Exploits==
===Userland===
* [[Restore Mode]] - Firmware v1.0.2 and below
* [[symlinks|Symlinks]] - Firmware v1.1.1 and below
* [[LibTiff|LibTIFF]] - Firmware v1.1.1 and below
* [[Mknod]] - Firmware v1.1.2 and below
* [[Dual Boot Exploit]] - Firmware 1.1.4 / v2.0b3 and below

===[[iBoot]] / [[Kernel]]===
* [[Ramdisk Hack|Ramdisk Exploit]] - Firmware v1.1.4 / v2.0b3 and below
* [[diags|Diags Exploit]] - Firmware v1.1.4 / v2.0b5 and below

===[[VROM (S5L8900)|Bootrom]]===
* [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]]
* [[pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]]

==Boot Chain==
[[VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]

One of the [[iPhoneLinux]] goals are to replace that Boot Chain after iBoot :<br>
[[VROM]]->OpeniBoot->Linux Kernel->X Server->Window Manager

==Upgrade Process==

=== Restore mode ===
The common upgrade process chain is [[VROM]]->[[DFU]]->[[WTF]]->[[iBoot]]->[[Kernel]]->[[Ramdisk]]->[[Restore Mode|Restore]], also called [[Restore Mode|restore mode]].

== DFU mode ==
See full article [[DFU|here]]. To flash an older version of the iPhone software you have to let your phone reside in [[DFU]]. In iTunes you have to press the Alt-Key (Mac) or the shift-key (Windows) when pressing 'Restore' to be able to manually chose an update file (ipsw file).

=== Boot Chain ===
[[VROM]]-->[[DFU]]

Main Page

2009-06-26T19:58:05Z

James: Added 3GS to jailbreak section and mentioned 8920. Didn't know how to word it really, a bit awkward. Also cleaned up 3G S to 3GS.

<center>[[Image:Iptwiki.jpg‎]]</center>

{{:Main Page/Welcome}}
<table border=1 width=100%><tr>
<td style="background-color:yellow; text-align:center; width:25%;"><b>[[Jailbreak iPhone2,1|Break Chain of Trust (S5L8920x)]]</b></td>
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Unlock 2.0|Break Chain of Trust (X-Gold 608)]]</b></td>
</tr>
<tr>
<td colspan="4">
<center>[[Disclaimer]]</center>
</td>
</tr>
</table><br />
==Software==
* [[Filesystem]]
* [[Firmware]]
* [[Keys]]
* [[Protocols]]
* [[System Log]]

==Hardware==
=== iPhone ===
* [[m68ap|iPhone (m68ap)]]
* [[n82ap|iPhone 3G (n82ap)]]
* [[N88AP|iPhone 3GS (n88ap)]]

=== iPod touch ===
* [[n45ap|iPod touch (n45ap)]]
* [[n72ap|iPod touch 2nd Generation (n72ap)]]

==App Processor ([[Jailbreak]])==
The [[iPhone]], [[iPod touch]], and [[iPhone 3G]] makes use of the [[S5L8900]] platform as application processor. Current models, such as the [[iPod touch 2G]] and the [[N88AP|iPhone 3GS]], use newer processors. The [[S5L8720]] and [[S5L8920]] are used, respectively. Here is where the [[Jailbreak|jailbreak]] applies.

==Baseband ([[Unlock]])==
The [[Baseband Device]] is where the [[unlock]] applies.

==Application Development==
* [[Toolchain]] (Includes tutorials)
* [[Toolchain 2.0]] (Includes tutorials)
* [[Frameworks]]
* [[MobileDevice Library]]
* [[Apple Certification Process]]
* [[Bypassing iPhone Code Signatures]]
* [[Distribution Methods]]

==Application Copy Protection==
* [[Copy Protection Overview]]
* [[Application Structure and Signatures]]
* [[Mach-O Loading Process]]
* [[Bugging Debuggers]]

==Definitions==
* [[Jailbreak]]
* [[Activation]]
* [[Unlock]]
* [[Baseband Device|Baseband]]
* [[Baseband Bootloader|Bootloader]]
* [[DFU]]
* [[iBoot]]
* [[iBEC]]
* [[iBSS]]
* [[NORID]]
* [[CHIPID]]

==Other==
* [[Bluetooth]]
* [[Glossary]]
* [[Tutorials]]
* [[Useful Links]]

Jailbreak (S5L8920+)

2009-06-25T23:08:35Z

James: Edited geohot exploit section. Wording was terrible and didn't make sense.

Because of the date the [[0x24000 Segment Overflow]] was leaked by [[NitroKey]], Apple may or may not have had the time to fix the bug in the [[S5L8920 (Bootrom)|iPhone 3G[s] Bootrom]]. If not, the following needs to be done:
* '''Find a new iBoot exploit''' - This will allow us to decrypt the platform iBoot and other firmware files in it's IPSW, as well as dump the bootrom to examine.
* '''Find a new bootrom exploit''' - After we have the bootrom dumped, we must look for a way to make SecureROM run our patched [[LLB]].

==ECID==
Apple added a new tag to the img3 format called ECID. The ECID is ''unique'' to each phone, and is being sigchecked. So no downgrades unless you have a dump of your unique old firmware's img3. Therefore, iBoot exploits won't be so useful for tethered JBs, because such exploits will be closed in new FWs. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html]

==Geohot's iBoot Exploit==
An undisclosed exploit has been discovered by geohot in the 7A341 firmware. [http://iphonejtag.blogspot.com/2009/06/no-sn0w-in-summer.html] With the help of this exploit, the hardware AES engine has been used to decrypt the the KBAG sections of each of the iPhone2,1 7A341 images. The exploit has also been used to dump the [[S5L8920 (Bootrom)|S5L8920 Bootrom]].

Talk:Kirkwood 7A341 (iPhone2,1)

2009-06-25T21:16:59Z

James:

Every time I try and vfdecrypt the 3GS file system, it always works but the resulted dmg is unmountable. Any help? Thanks!!
:If you're on Windows, I find that there is an extra step required to open the image. After decrypting the image with vfdecrypt, run the decrypted image through XPwn's dmg utility. I use "dmg extract decrypted.dmg out.dmg". The resulting disk image should be readable by most Windows programs. If you're on a Mac, I don't know what would help. I believe OS X ignores the junk that's left after decrypting the image, so it's most likely user fault. The key is correct though, as I've been able to decrypt the image. --[[User:James|James]] 18:01, 25 June 2009 (UTC)

== iBoot decryption ==

Is it just me, or does iBoot appear to decrypt incorrectly using the keys given? --[[User:Cool name|Cool name]] 20:15, 25 June 2009 (UTC)
:It appears to decrypt incorrectly for me too using xpwntool. Every other image decrypts correctly using it, so I assume it's a bad key. --[[User:James|James]] 21:16, 25 June 2009 (UTC)

Talk:Kirkwood 7A341 (iPhone2,1)

2009-06-25T18:01:51Z

James:

Talk:S5PC100

2009-06-16T00:35:20Z

James: Proposed move to new page S5L8920x.

Should be moved to S5L8920x, since we have clear evidence that this is not the processor used in the 3G S.
I don't get why this page was made in the first place, since the article that this particular model was taken from didn't even flat out say it would be used.
It clearly said under the picture that a ''derivative'' would be used. --[[User:James|James]] 00:35, 16 June 2009 (UTC)

Main Page

2009-06-16T00:29:37Z

James: Changed S5PC100 reference to 8920x.

<center>[[Image:Iptwiki.jpg‎]]</center>

{{:Main Page/Welcome}}
<table border=1 width=100%><tr>
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Jailbreak iPhone2,1|Break Chain of Trust (S5L8920x)]]</b></td>
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Unlock 2.0|Break Chain of Trust (X-Gold 608)]]</b></td>
</tr>
<tr>
<td colspan="4">
<center>[[Disclaimer]]</center>
</td>
</tr>
</table><br />
==Software==
* [[Filesystem]]
* [[Firmware]]
* [[Keys]]
* [[Protocols]]
* [[System Log]]

==Hardware==
=== iPhone ===
* [[m68ap|iPhone (m68ap)]]
* [[n82ap|iPhone 3G (n82ap)]]
* [[N88AP|iPhone 3G S (n88ap)]]

=== iPod touch ===
* [[n45ap|iPod touch (n45ap)]]
* [[n72ap|iPod touch 2nd Generation (n72ap)]]

==App Processor ([[Jailbreak]])==
The [[iPhone]], [[iPod touch]], and [[iPhone 3G]] makes use of the [[S5L8900]] platform as application processor, while the [[iPod touch 2G]] uses the [[S5L8720]]. Here is where the [[Jailbreak|jailbreak]] applies.

==Baseband ([[Unlock]])==
The [[Baseband Device]] is where the [[unlock]] applies.

==Application Development==
* [[Toolchain]] (Includes tutorials)
* [[Toolchain 2.0]] (Includes tutorials)
* [[Frameworks]]
* [[MobileDevice Library]]
* [[Apple Certification Process]]
* [[Bypassing iPhone Code Signatures]]
* [[Distribution Methods]]

==Application Copy Protection==
* [[Copy Protection Overview]]
* [[Application Structure and Signatures]]
* [[Mach-O Loading Process]]
* [[Bugging Debuggers]]

==Definitions==
* [[Jailbreak]]
* [[Activation]]
* [[Unlock]]
* [[Baseband Device|Baseband]]
* [[Baseband Bootloader|Bootloader]]
* [[DFU]]
* [[iBoot]]
* [[iBEC]]
* [[iBSS]]
* [[NORID]]
* [[CHIPID]]

==Other==
* [[Bluetooth]]
* [[Glossary]]
* [[Tutorials]]
* [[Useful Links]]

N88AP

2009-06-16T00:23:07Z

James: The 2,1_3.0 IPSW refers to 8920 all over with no sign of S5PC100 anywhere.

[[Image:IPhone3GS.jpg|right|thumb|iPhone 3G S, back and front.]]

This is the iPhone 3G S. It will be released on June 19, 2009 with a price tag of $199 for the 16GB model and $299 for the 32GB model, in the U.S., Canada and major European countries. Price varies depending on the operator selling it. It features the same design as the [[iPhone 3G]], but has also new features such as video recording, voice control, digital compass, faster CPU, increased RAM etc.

== Baseband ==
The iPhone 3G S uses the [[X-Gold 608]] baseband chip, same as in the iPhone 3G.

== Application Processor ==
It makes use of the [[S5L8920x]] application processor.

== Specifications ==
'''Color''': Black or white <br>
'''Size''': 4.5 inches (115.5 mm) (h) × 2.4 inches (62.1 mm) (w) × 0.48 inch (12.3 mm) (d) <br>
'''Weight''': 135 g (4.8 oz) <br>
'''Battery''': Up to 12 hours of 2G talk, 5 hours of 3G talk, 5 (3G) or 9 (Wi-Fi) hours of Internet use, 10 hours of video playback, and up to 30 hours of audio playback, lasting over 300 hours on standby. <br>
'''3G''': Broadband data speeds, supporting 7.2Mbps HSDPA <br>
'''Camera''': 3.15MP with Autofocus and manual focus (''Tap to focus''), supporting VGA video recording @ 30FPS

More specifications available in [http://www.gsmarena.com/apple_iphone_3g_s-2826.php GSMArena].

== See also ==
* [[Jailbreak iPhone2,1]]
* [[X-Gold 608 Unlock]]

==External Links==
* [http://www.anandtech.com/gadgets/showdoc.aspx?i=3579 AnandTech: The iPhone 3GS Hardware Exposed & Analyzed]

Toolchain 2.0

2009-04-18T12:59:28Z

James: Didn't notice this was already covered below, reverted.

This article explains how to build a tool chain for iPhone OS 2.0.

'''Please note that this section is under development.'''

__TOC__

== Mac OS X ==
Until a valid iPhone ARM toolchain installer can be legally distributed throughout the public (grr NDA), the alternative is simple. Install the Apple iPhone SDK, and use it's compiler, and specify the correct architecture, like so:

/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv6 -isysroot /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.1.sdk

For extra headers that you have either obtained from an external source, or dumped from the iphone or iphone simulator frameworks yourself, place them in a custom include directory and pass the -I option through the compiler like so:

..../gcc -I "YOUR INCLUDE DIRECTORY".......

Use saurik's codesign tool (ldid) to sign the binary like so:

ldid -S <binary>

More on this coming soon.

== Windows XP ==

=== Extraction of iPhone OS 2.0 SDK ===
''Please Note: As of 7-Zip 4.59 Beta, support is available for .DMG and XAR-format archives. 7-Zip is now capable of completely extracting iPhone 2.0 SDK Package.''
* Download the iPhone OS 2.0 SDK from [http://developer.apple.com/iphone/index.action Apple iPhone Dev Center].
* Download and install ''HFSExplorer'' from [http://hem.bredband.net/catacombae/hfsx.html catacombae software].
* Start ''HFSExplorer'' and choose the menu ''File→Open UDIF Disk Image (.dmg)...''
* Select the iPhone 2.0 SDK disk image ''iphone_sdk_final.dmg'' and press ''Open''
* When the tool asks ''Which partition to read'' leave it at ''"Mac_OS_X" (Apple_HFS)'' and press ''OK''
* Go to ''Packages'' and select the package you want to extract, e.g. ''iPhoneSDKHeadersAndLibs.pkg'' for the iPhone OS 2.0 header files.
* With right mouse button choose ''Extract data'' to extract an installation package.
* Please note that in order to extract this .pkg file on Windows, you must compile xar using Cygwin. Make sure you have libxml2, libxml2-devel, openssl and openssl-devel. You can then follow the instructions below.

== Linux ==
Currently we can only describe how to get the headers from the iPhone OS 2.0 SDK.

=== Extraction of iPhone OS 2.0 Installation Packages (.pkg) ===
* Extract <tt>iPhoneSDKHeadersAndLibs.pkg</tt> from iPhone OS 2.0 SDK:
mount -t hfs -o loop /path/to/iphone_sdk_final.dmg /somepath/somedir
:Copy <tt>iPhoneSDKHeadersAndLibs.pkg</tt> from <tt>/somepath/somedir</tt>
* Use the ''[http://code.google.com/p/xar/ eXtensible ARchiver]'' <tt>xar</tt> to extract the file <tt>Payload</tt> file containing the actual header files:
xar -xf iPhoneSDKHeadersAndLibs.pkg Payload
*Extract the contents of the resulting <tt>Payload</tt> file
zcat Payload | cpio -id
or
zcat Payload | cpio -id '*.h'
to extract only all header files included in the package.

=== Framework Headers ===
This section assumes that
zcat Payload | cpio -id '*.h'
got used in previous section.

If you want to move all Framework headers into an ''include'' directory continue
as follows:

* Remove the project XCode templates since they will not be required anymore:
rm -rf Platforms/iPhoneOS.platform/Developer/Library

* Create your target ''include'' directory:
mkdir include

* Get just the ''System'' and ''usr'' directories from the iPhone Os 2.0 SDK and remove the empty ''Platforms'' directory hierarchy:
mv Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.sdk/* .
rmdir -p Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.sdk/

* Move the Framework headers to current directory and clean-up empty directory hierarchy:
mv System/Library/Frameworks/* .
rmdir -p System/Library/Frameworks/

* Rename/move all Framework header directories into ''include'' directory and cleanup
mv AddressBook.framework/Headers include/AddressBook
mv AddressBookUI.framework/Headers include/AddressBookUI
mv AudioToolbox.framework/Headers include/AudioToolbox
mv AudioUnit.framework/Headers include/AudioUnit
mv CFNetwork.framework/Headers include/CFNetwork
mv CoreAudio.framework/Headers include/CoreAudio
mv CoreFoundation.framework/Headers include/CoreFoundation
mv CoreGraphics.framework/Headers include/CoreGraphics
mv CoreLocation.framework/Headers include/CoreLocation
mv Foundation.framework/Headers include/Foundation
mv MediaPlayer.framework/Headers include/MediaPlayer
mv OpenAL.framework/Headers include/OpenAL
mv OpenGLES.framework/Headers include/OpenGLES
mv QuartzCore.framework/Headers include/QuartzCore
mv Security.framework/Headers include/Security
mv SystemConfiguration.framework/Headers include/SystemConfiguration
mv UIKit.framework/Headers include/UIKit
rmdir -p *.framework

* The above commands can also be simplified (and can be applied to other versions of SDKs, for example, iPhone SDK 2.2) using a bash shell command:
for a in *.framework; do mv $a/Headers include/${a%.*}; done
rmdir -p *.framework

* The remaining directories are ''include'' with all Framework headers and ''usr'' with all system related headers.

* Move the ''usr/include'' headers also into new ''include'' directory, remove ''usr/lib'' since gcc includes will not be needed (at least not on iPhone toolchain), and clean up:
mv usr/include/* include/
rm -rf usr/lib
rmdir -p usr/include/

* You may still remove the ''Payload'' file since we don't need it anymore:
rm Payload

* Create a tar file so that you can directly transfer to your iPhone:
tar --group 0 --owner 0 -cvf include.tar include

* You are done.

* Now you may transfer the ''include.tar'' to your iPhone (as user root), login to your iPhone via ssh and execute following commands to extract the header files (on your iPhone):
cd /var
tar xf /private/var/root/include.tar

== iPhone/iPod Touch ==
There is a tool chain available after jailbreak from the [[Cydia|Cydia installer]]. You just need to install
the '''GNU C Compiler''' from Cydia to get the development environment on your iPhone
or iPod Touch. BigBoss has some comments on this Toolchain on his
webpage ''[http://thebigboss.org/moreinfo/Toolchain2.php Toolchain 2.0]''.

If you want to use the header files from iPhone OS 2.0, you can obtain them from the
iPhone OS 2.0 SDK as described in section ''[[#Framework Headers|Framework Headers]]''.

'''NOTE:'''
When using iphone-gcc ( the native compiler ) to compile iPhone applications, you must do one of the following:
# Patch the SDK header files for use with the compiler ( stupid thing doesn't like the new headers! ) or
# Use the old header files ( which are great, but some things dont work/exist the same anymore! ) or
# Use the following settings in your Makefile to avoid warnings and errors during compilation and linking:
CC=/usr/bin/gcc

CFLAGS=-fsigned-char -g -ObjC -fobjc-exceptions \
-Wall -Wundeclared-selector -Wreturn-type -Wnested-externs \
-Wredundant-decls \
-Wbad-function-cast \
-Wchar-subscripts \
-Winline -Wswitch -Wshadow \
-I/var/include \
-I/var/include/gcc/darwin/4.0 \
-D_CTYPE_H_ \
-D_BSD_ARM_SETJMP_H \
-D_UNISTD_H_

CPPFLAGS=

LD=$(CC)

LDFLAGS=-lobjc \
-F/System/Library/Frameworks \
-framework CoreFoundation \
-framework Foundation \
-framework UIKit \
-framework CoreGraphics \
-L/usr/lib -lc /usr/lib/libgcc_s.1.dylib \
-bind_at_load \
-multiply_defined suppress

If you want to test the iPhone 2.0 Toolchain, you may use this [[HelloWorld on iPhone|HelloWorld]] example.

== Misc. Issues ==

For the iPhone 2.2 SDK headers, you might encounter an error about not finding the stdint.h file when compiling natively on the iPhone. In that case, try this:
cd /var/include
ls stdint.h # make sure it doesn't exist
ln -s gcc/darwin/4.0/stdint.h stdint.h

Toolchain 2.0

2009-04-18T11:37:49Z

James: Added AVFoundation

This article explains how to build a tool chain for iPhone OS 2.0.

'''Please note that this section is under development.'''

__TOC__

== Mac OS X ==
Until a valid iPhone ARM toolchain installer can be legally distributed throughout the public (grr NDA), the alternative is simple. Install the Apple iPhone SDK, and use it's compiler, and specify the correct architecture, like so:

/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/gcc -arch armv6 -isysroot /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.1.sdk

For extra headers that you have either obtained from an external source, or dumped from the iphone or iphone simulator frameworks yourself, place them in a custom include directory and pass the -I option through the compiler like so:

..../gcc -I "YOUR INCLUDE DIRECTORY".......

Use saurik's codesign tool (ldid) to sign the binary like so:

ldid -S <binary>

More on this coming soon.

== Windows XP ==

=== Extraction of iPhone OS 2.0 SDK ===
''Please Note: As of 7-Zip 4.59 Beta, support is available for .DMG and XAR-format archives. 7-Zip is now capable of completely extracting iPhone 2.0 SDK Package.''
* Download the iPhone OS 2.0 SDK from [http://developer.apple.com/iphone/index.action Apple iPhone Dev Center].
* Download and install ''HFSExplorer'' from [http://hem.bredband.net/catacombae/hfsx.html catacombae software].
* Start ''HFSExplorer'' and choose the menu ''File→Open UDIF Disk Image (.dmg)...''
* Select the iPhone 2.0 SDK disk image ''iphone_sdk_final.dmg'' and press ''Open''
* When the tool asks ''Which partition to read'' leave it at ''"Mac_OS_X" (Apple_HFS)'' and press ''OK''
* Go to ''Packages'' and select the package you want to extract, e.g. ''iPhoneSDKHeadersAndLibs.pkg'' for the iPhone OS 2.0 header files.
* With right mouse button choose ''Extract data'' to extract an installation package.
* Please note that in order to extract this .pkg file on Windows, you must compile xar using Cygwin. Make sure you have libxml2, libxml2-devel, openssl and openssl-devel. You can then follow the instructions below.

== Linux ==
Currently we can only describe how to get the headers from the iPhone OS 2.0 SDK.

=== Extraction of iPhone OS 2.0 Installation Packages (.pkg) ===
* Extract <tt>iPhoneSDKHeadersAndLibs.pkg</tt> from iPhone OS 2.0 SDK:
mount -t hfs -o loop /path/to/iphone_sdk_final.dmg /somepath/somedir
:Copy <tt>iPhoneSDKHeadersAndLibs.pkg</tt> from <tt>/somepath/somedir</tt>
* Use the ''[http://code.google.com/p/xar/ eXtensible ARchiver]'' <tt>xar</tt> to extract the file <tt>Payload</tt> file containing the actual header files:
xar -xf iPhoneSDKHeadersAndLibs.pkg Payload
*Extract the contents of the resulting <tt>Payload</tt> file
zcat Payload | cpio -id
or
zcat Payload | cpio -id '*.h'
to extract only all header files included in the package.

=== Framework Headers ===
This section assumes that
zcat Payload | cpio -id '*.h'
got used in previous section.

If you want to move all Framework headers into an ''include'' directory continue
as follows:

* Remove the project XCode templates since they will not be required anymore:
rm -rf Platforms/iPhoneOS.platform/Developer/Library

* Create your target ''include'' directory:
mkdir include

* Get just the ''System'' and ''usr'' directories from the iPhone Os 2.0 SDK and remove the empty ''Platforms'' directory hierarchy:
mv Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.sdk/* .
rmdir -p Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.sdk/

* Move the Framework headers to current directory and clean-up empty directory hierarchy:
mv System/Library/Frameworks/* .
rmdir -p System/Library/Frameworks/

* Rename/move all Framework header directories into ''include'' directory and cleanup
mv AddressBook.framework/Headers include/AddressBook
mv AddressBookUI.framework/Headers include/AddressBookUI
mv AudioToolbox.framework/Headers include/AudioToolbox
mv AudioUnit.framework/Headers include/AudioUnit
mv AVFoundation.framework/Headers include/AVFoundation
mv CFNetwork.framework/Headers include/CFNetwork
mv CoreAudio.framework/Headers include/CoreAudio
mv CoreFoundation.framework/Headers include/CoreFoundation
mv CoreGraphics.framework/Headers include/CoreGraphics
mv CoreLocation.framework/Headers include/CoreLocation
mv Foundation.framework/Headers include/Foundation
mv MediaPlayer.framework/Headers include/MediaPlayer
mv OpenAL.framework/Headers include/OpenAL
mv OpenGLES.framework/Headers include/OpenGLES
mv QuartzCore.framework/Headers include/QuartzCore
mv Security.framework/Headers include/Security
mv SystemConfiguration.framework/Headers include/SystemConfiguration
mv UIKit.framework/Headers include/UIKit
rmdir -p *.framework

* The above commands can also be simplified (and can be applied to other versions of SDKs, for example, iPhone SDK 2.2) using a bash shell command:
for a in *.framework; do mv $a/Headers include/${a%.*}; done
rmdir -p *.framework

* The remaining directories are ''include'' with all Framework headers and ''usr'' with all system related headers.

* Move the ''usr/include'' headers also into new ''include'' directory, remove ''usr/lib'' since gcc includes will not be needed (at least not on iPhone toolchain), and clean up:
mv usr/include/* include/
rm -rf usr/lib
rmdir -p usr/include/

* You may still remove the ''Payload'' file since we don't need it anymore:
rm Payload

* Create a tar file so that you can directly transfer to your iPhone:
tar --group 0 --owner 0 -cvf include.tar include

* You are done.

* Now you may transfer the ''include.tar'' to your iPhone (as user root), login to your iPhone via ssh and execute following commands to extract the header files (on your iPhone):
cd /var
tar xf /private/var/root/include.tar

== iPhone/iPod Touch ==
There is a tool chain available after jailbreak from the [[Cydia|Cydia installer]]. You just need to install
the '''GNU C Compiler''' from Cydia to get the development environment on your iPhone
or iPod Touch. BigBoss has some comments on this Toolchain on his
webpage ''[http://thebigboss.org/moreinfo/Toolchain2.php Toolchain 2.0]''.

If you want to use the header files from iPhone OS 2.0, you can obtain them from the
iPhone OS 2.0 SDK as described in section ''[[#Framework Headers|Framework Headers]]''.

'''NOTE:'''
When using iphone-gcc ( the native compiler ) to compile iPhone applications, you must do one of the following:
# Patch the SDK header files for use with the compiler ( stupid thing doesn't like the new headers! ) or
# Use the old header files ( which are great, but some things dont work/exist the same anymore! ) or
# Use the following settings in your Makefile to avoid warnings and errors during compilation and linking:
CC=/usr/bin/gcc

CFLAGS=-fsigned-char -g -ObjC -fobjc-exceptions \
-Wall -Wundeclared-selector -Wreturn-type -Wnested-externs \
-Wredundant-decls \
-Wbad-function-cast \
-Wchar-subscripts \
-Winline -Wswitch -Wshadow \
-I/var/include \
-I/var/include/gcc/darwin/4.0 \
-D_CTYPE_H_ \
-D_BSD_ARM_SETJMP_H \
-D_UNISTD_H_

CPPFLAGS=

LD=$(CC)

LDFLAGS=-lobjc \
-F/System/Library/Frameworks \
-framework CoreFoundation \
-framework Foundation \
-framework UIKit \
-framework CoreGraphics \
-L/usr/lib -lc /usr/lib/libgcc_s.1.dylib \
-bind_at_load \
-multiply_defined suppress

If you want to test the iPhone 2.0 Toolchain, you may use this [[HelloWorld on iPhone|HelloWorld]] example.

== Misc. Issues ==

For the iPhone 2.2 SDK headers, you might encounter an error about not finding the stdint.h file when compiling natively on the iPhone. In that case, try this:
cd /var/include
ls stdint.h # make sure it doesn't exist
ln -s gcc/darwin/4.0/stdint.h stdint.h

Talk:GenPass

2009-04-16T01:42:32Z

James:

== Compilation notes ==

=== Windows ===
If anyone is trying to compile this using MinGW on Windows, you'll run into some linking problems with libcrypto.
After searching around for awhile, I found that the problem can be solved by adding -lgdi32 to your linker flags.

I just needed the -lgdi32 What crap that a crypto lib linked to a graphics library

I don't know, it's screwy. I think a lot of OpenSSL is actually hacky on Windows (after reading the posts with corrections for this problem, it seems like their talking about some kind of pre-alpha program that barely works on anything besides Linux).
Also, I see that compiling works with just gdi, so I removed it from my initial suggestion.
Must have had ws2_32 first or something..

=== Mac compiling ===

Must have a recent copy of openssl installed. if you don't do this.

* download and extract openssl [http://www.openssl.org/source/openssl-0.9.8h.tar.gz]
* run './config' and then 'make' to build the lib.
* copy genpass.c into the openssl directory
* compile with 'gcc genpass.c libcrypto.a -o genpass -I./include/'

plz correct me if I'm wrong, as I'm no mac expert --[[User:Posixninja|posixninja]] 21:52, 6 April 2009 (UTC)

=== Linux compiling ===
What do you expect? Works fine with just -lcrypto.

== How to use? ==

Well, I tried to get the key for beta 2 for the 3g, I never could.
I asked on #iPhone and they told me that
Platform is s5l8***x (s5l8900x) for the iPhones and ipt1g.
Ramdisk is the path to a MOUNTED (decrypted) ramdisk file (not mount path). They didn't know wether it was the restore or update or both ramdisk.
Main is the path to the big dmg file (the rootfs > 100 mb).
Well this didn't work : I got different keys.
Please correct what is wrong in the above. dranfi

:It shouldn't matter which ramdisk you use, however, you cannot use GenPass to extract correct keys from anything >b2 without decompressing the ramdisk first. Apparently, this is a Snow Leopard only feature for now. You could also (in theory) compile GenPass on your device and use iPhone OS' tools to mount the ramdisk (since they must know how to understand them), although I haven't gotten around to try this yet.

::The compression is affecting beta 3 at this point or beta 1 and 2?
::And, since I have snow leopard beta, how do you decompres it under snow leopard? And is this a new feature of snow leopard (in a recent build or from the begening, just that at the moment I have a slow connection making it hard to upgrade snow leopard)?

:::This compression affects betas 2 & 3, but not beta 1. And unfortunately I do not know how to decompress it under any system :( --[[User:Cool name|Cool name]] 01:12, 16 April 2009 (UTC)

::::I assume that simply mounting a decrypted ramdisk under Snow Leopard would decompress it. --[[User:James|James]] 01:42, 16 April 2009 (UTC)

Talk:GenPass

2009-04-15T20:40:50Z

James:

== Compilation notes ==

=== Windows ===
If anyone is trying to compile this using MinGW on Windows, you'll run into some linking problems with libcrypto.
After searching around for awhile, I found that the problem can be solved by adding -lgdi32 to your linker flags.

I just needed the -lgdi32 What crap that a crypto lib linked to a graphics library

I don't know, it's screwy. I think a lot of OpenSSL is actually hacky on Windows (after reading the posts with corrections for this problem, it seems like their talking about some kind of pre-alpha program that barely works on anything besides Linux).
Also, I see that compiling works with just gdi, so I removed it from my initial suggestion.
Must have had ws2_32 first or something..

=== Mac compiling ===

Must have a recent copy of openssl installed. if you don't do this.

* download and extract openssl [http://www.openssl.org/source/openssl-0.9.8h.tar.gz]
* run './config' and then 'make' to build the lib.
* copy genpass.c into the openssl directory
* compile with 'gcc genpass.c libcrypto.a -o genpass -I./include/'

plz correct me if I'm wrong, as I'm no mac expert --[[User:Posixninja|posixninja]] 21:52, 6 April 2009 (UTC)

=== Linux compiling ===
What do you expect? Works fine with just -lcrypto.

== How to use? ==

Well, I tried to get the key for beta 2 for the 3g, I never could.
I asked on #iPhone and they told me that
Platform is s5l8***x (s5l8900x) for the iPhones and ipt1g.
Ramdisk is the path to a MOUNTED (decrypted) ramdisk file (not mount path). They didn't know wether it was the restore or update or both ramdisk.
Main is the path to the big dmg file (the rootfs > 100 mb).
Well this didn't work : I got different keys.
Please correct what is wrong in the above. dranfi

::It shouldn't matter which ramdisk you use, however, you cannot use GenPass to extract correct keys from anything >b2 without decompressing the ramdisk first. Apparently, this is a Snow Leopard only feature for now. You could also (in theory) compile GenPass on your device and use iPhone OS' tools to mount the ramdisk (since they must know how to understand them), although I haven't gotten around to try this yet.

Talk:Research: Pwnage Patches

2009-04-14T03:00:18Z

James:

== Kernel and ramdisk patches ==
Anyone care to share what is patched?

== yup ==

'''ramdisk''':

'''asr''' - patch out rootfs SHA1 check

'''restored_external''' - patch wiping routine

'''kernel''':

haven't looked into this, but there are four patches, at least some of them are for codesign and apparently one of them has to do with virtual memory mapping.

== Thanks ==
Do you know how the new codesign is added yet?
I notice you think they didn't use ldid.
It seems that the second patches to asr and restored are codesign (from what I can tell when 2.1 and 2.2 files are compared), but I don't see any in the kernel, they're all simple.

== patches ==

patches to asr and restored are the patches i listed above, and patches for the hashes so that they will run. when i say in the kernel codesign is patch, then it wil patch out the need for code to be signed, but apparently it was determined that the sha1 hash check was too annoying to patched as it would always be changing, so they just rehashed asr and restored, not codesign, just rehashed.

== hashes ==

What are you taking the hash of?
For example, I extracted asr from a stock 018-4378-1.dmg from 2.2 and compared it to one from a custom disk image; diffing them shows two patches; the first I assume to be the SHA1 check (at 0x12F16).
The second at 0x27C7A confuses me though, because I think this must be the hash (I'm new to this stuff, so forgive me if I'm just missing something incredibly obvious).
If I take the hash of the stock asr (9146c06d34b4fa9fc3cb3c7490851fabb875e3c8) and compare it to the hash within the file, it doesn't match (6350E8890FD7217152F72B3EA3285B6D7E617020).
The hash of the custom asr doesn't match the internal hash either, and the same goes for restored.

== isha / ldid ==

it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.

== 2G DeviceTree ==

It seems that this was never patched until redsn0w QuickPwn.
What exactly is the patch made--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC)--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC) to allow LogoMe to work?
I tried old patches (function-disable_keys -> xxxxxxxx-disable_keys, secure-root-prefix doesn't exist at all), but they don't seem to work.

:disable keys and secure root patches should have worked, afaik, are u sure u decrypted it correctly? [[User:ChronicDev|ChronicDev]] 23:44, 13 April 2009 (UTC)

::I believe I did, all names are visible. I notice at 0x0 - 0x10, there seems to be secure-root-prefix, but it is garbled (*junk*oot-prefix), I don't know what this is about..
::I patched function-disable_keys at 0x3534, though.--[[User:James|James]] 00:10, 14 April 2009 (UTC)

:::you somehow used the wrong IV probably, double check that [[User:ChronicDev|ChronicDev]] 02:00, 14 April 2009 (UTC)

::::I used the IV from ChronicDev GoogleCode, is it correct? I actually don't have a 2G so I cannot verify it. --[[User:James|James]] 02:03, 14 April 2009 (UTC)

:::::Err, James. How do you know the DeviceTree patches are not working if you do not have a 2G to get the keys from?--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC)

::::::I've had other people test them for me. I always thought it was fishy that there was what was seemingly garbage at the beginning of the file, but went with it anyways and made the patch I could. The resulting image would never work, so I knew there must be either another patch or I did it wrong. --[[User:James|James]] 02:29, 14 April 2009 (UTC)

:::::::Ahh ok. You should have someone independently verify the keys of that DeviceTree, because as chronic said that IV is most likely incorrect.--[[User:Cool name|Cool name]] 02:39, 14 April 2009 (UTC)

::::::::I most certainly remember there being a slip up with the devtree key, my bad, we never fixed that. if you can, in the meantime, use planet's crypto bundle to get the right IV

:::::::::Yeah, that's what I plan on having someone do. It's really weird though, we correctly decrypted 3.0b2 keys on the device with a seemingly bad DeviceTree flashed. It only had disable_keys patched out and garbage at the beginning iirc. Weird stuff. I'll comment the page with the correct IV when it's found though so you can edit it in. I'm kind of making this wiki a chat though, so I'll stop the edits. --[[User:James|James]] 03:00, 14 April 2009 (UTC)

Talk:Research: Pwnage Patches

2009-04-14T02:29:22Z

James:

Talk:Research: Pwnage Patches

2009-04-14T02:03:23Z

James: /* 2G DeviceTree */

Talk:Research: Pwnage Patches

2009-04-14T00:11:35Z

James: Formatting.

Talk:Research: Pwnage Patches

2009-04-14T00:10:55Z

James: /* 2G DeviceTree */

Talk:Research: Pwnage Patches

2009-04-13T21:14:30Z

James:

Talk:Obtaining IMG3 Keys

2009-04-10T04:00:05Z

James:

Hey, thats my "exploit" ;-) Dev used openiboot.

Much easier, just use iran to download the modified iBoot directly, no reason to pwn with it. I was originally strapping this with the diags exploit.

And thanks for writing this up.

~geohot

I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought helping them fill out the missing pieces for your method would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). I asked them to write it up after they got it to work. Hope that's okay. :)

I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz

--[[User:Planetbeing|Planetbeing]] 03:20, 7 August 2008 (UTC)

== iBoot ==

Why do you need a modified iBoot? Doesn't Pwnage Tool/xpwn/winpwn already patch/modify iBoot?

== no ==

yeah. their iboot is simply patched so the pwned ipsw wil work. there is soooooo much more you can do to the iboot :)

== iBoot ==

Ok, but does the iBoot need to be patched more than Pwnage already does for the userland AES KBAG decryption to work (using the program linked to by planetbeing?)

== no...no... ==

this is...different. not like that at all. just trust planetbeing :)

== Got it ==

Ok, thanks Chronic...and good idea, I will trust planetbeing.

== of course ==

pb is very talented and prolific dev team member, what's not to trust? :)

== 2.0.2 ==

Is there any way to use planetbeing's utility on 2.0.2?
It seems like something about the kernel has changed, since Pwnage doesn't decrypt it before patching.
Is it as simple as patching it in a hex editor or modifying crypto binary? --[[User:James|James]] 06:34, 1 September 2008 (UTC)

== uh..==
planetbeing's thing works fine in 2.0.2. just edit the script so it doesnt require a key and IV. if you dont know how to do that, no offense, but maybe its a sign you should not be doing this, only because it can majorly screw up your iPhone and require a DFU restore if you mess up.

== re:uh... ==
That's exactly why I asked, because I don't know exactly what I'm doing.
I edited the script but didn't want to boot with the resulting kernel, fearing that it'd cause problems.
I use my iPod anyways so I don't lose any information, even if I do have to restore.
Thanks for the answer though. :)

== np ==

no prob

good luck

== chronics modified script for 2.0.2 crypto ==

#!/bin/bash
XPWNTOOL=./xpwntool
PATCHKERNEL=./patch-kernel-crypto
KERNEL=/System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8900x

${XPWNTOOL} ${KERNEL} /tmp/a
${PATCHKERNEL} /tmp/a
${XPWNTOOL} /tmp/a /tmp/b -t ${KERNEL}
rm /tmp/a
cp ${KERNEL} /kernel.backup
cp /tmp/b ${KERNEL}
rm /tmp/b

there u go :)

James: what did you to fix this problem?

The DeviceTree wasn't patched, since QuickPwn flashed a stock one over it. After patching it, all was fine. --[[User:James|James]] 04:00, 10 April 2009 (UTC)

Talk:Obtaining IMG3 Keys

2009-04-10T00:07:47Z

James: Nevermind, my bad.

Talk:Obtaining IMG3 Keys

2009-04-09T23:53:03Z

James:

Hey, thats my "exploit" ;-) Dev used openiboot.

Much easier, just use iran to download the modified iBoot directly, no reason to pwn with it. I was originally strapping this with the diags exploit.

And thanks for writing this up.

~geohot

I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought helping them fill out the missing pieces for your method would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). I asked them to write it up after they got it to work. Hope that's okay. :)

I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz

--[[User:Planetbeing|Planetbeing]] 03:20, 7 August 2008 (UTC)

== iBoot ==

Why do you need a modified iBoot? Doesn't Pwnage Tool/xpwn/winpwn already patch/modify iBoot?

== no ==

yeah. their iboot is simply patched so the pwned ipsw wil work. there is soooooo much more you can do to the iboot :)

== iBoot ==

Ok, but does the iBoot need to be patched more than Pwnage already does for the userland AES KBAG decryption to work (using the program linked to by planetbeing?)

== no...no... ==

this is...different. not like that at all. just trust planetbeing :)

== Got it ==

Ok, thanks Chronic...and good idea, I will trust planetbeing.

== of course ==

pb is very talented and prolific dev team member, what's not to trust? :)

== 2.0.2 ==

Is there any way to use planetbeing's utility on 2.0.2?
It seems like something about the kernel has changed, since Pwnage doesn't decrypt it before patching.
Is it as simple as patching it in a hex editor or modifying crypto binary? --[[User:James|James]] 06:34, 1 September 2008 (UTC)

== uh..==
planetbeing's thing works fine in 2.0.2. just edit the script so it doesnt require a key and IV. if you dont know how to do that, no offense, but maybe its a sign you should not be doing this, only because it can majorly screw up your iPhone and require a DFU restore if you mess up.

== re:uh... ==
That's exactly why I asked, because I don't know exactly what I'm doing.
I edited the script but didn't want to boot with the resulting kernel, fearing that it'd cause problems.
I use my iPod anyways so I don't lose any information, even if I do have to restore.
Thanks for the answer though. :)

== np ==

no prob

good luck

== chronics modified script for 2.0.2 crypto ==

#!/bin/bash
XPWNTOOL=./xpwntool
PATCHKERNEL=./patch-kernel-crypto
KERNEL=/System/Library/Caches/com.apple.kernelcaches/kernelcache.s5l8900x

${XPWNTOOL} ${KERNEL} /tmp/a
${PATCHKERNEL} /tmp/a
${XPWNTOOL} /tmp/a /tmp/b -t ${KERNEL}
rm /tmp/a
cp ${KERNEL} /kernel.backup
cp /tmp/b ${KERNEL}
rm /tmp/b

there u go :)

== iPod 2G ==
Doesn't seem to work, even with function-disable_keys patched in the DeviceTree (can't seem to find secure-root-prefix).
It returns bogus keys..

Talk:GenPass

2009-04-06T20:50:19Z

James: Too many justs.

Talk:GenPass

2009-04-06T20:49:58Z

James:

Talk:Ramdisk

2009-04-06T07:17:14Z

James:

==Compression in 3.x==
I'm sure you guys are getting to posting it (well, maybe not, because you may want to keep something secret), but how would one go about decompressing a decrypted ramdisk?
I tried using a decrypted b2 ramdisk with genpass just to realize that it was still compressed, so I kept getting incorrect keys.

:snow leopard
:[[User:ChronicDev|ChronicDev]] 02:01, 6 April 2009 (UTC)
::snow leopard is the only way? :(
::--[[User:Cool name|Cool name]] 02:03, 6 April 2009 (UTC)
:::yea, either snow leopard, running genpass on a already jailbroken iphone 3.0b2, or adding the new compression to xpwn. take your pick =P
:::--[[User:Posixninja|posixninja]] 06:31, 6 April 2009 (UTC)
::::Well, adding it to XPwn will come eventually, but what do you mean by running genpass on a jailbroken phone? Using hfs tools on the phone to extract the ramdisk (since they must understand the compression) and rebuilding the ramdisk?
::::--[[User:James|James]] 07:17, 6 April 2009 (UTC)

Talk:GenPass

2009-04-06T02:46:11Z

James: Added a Windows/MinGW compilation note.

==Windows compilation note==
If anyone is trying to compile this using MinGW on Windows, you'll run into some linking problems with libcrypto.
After searching around for awhile, I found that the problem can be solved by adding -lgdi32 -lws2_32 to your linker flags.

Talk:Ramdisk

2009-04-06T01:57:44Z

James: New page: ==Compression in 3.x== I'm sure you guys are getting to posting it (well, maybe not, because you may want to keep something secret), but how would one go about decompressing a decrypted ra...

Firmware Keys

2009-04-03T19:24:48Z

James:

== Introduction ==
These keys are for use with the 'vfdecrypt' tool to decrypt the main filesystem DMG found in every iPhone/iPhone 3G/iPod touch .ipsw file. Every key will work on the main filesystem DMG for that build, regardless if it is for the iPhone or iPod touch unless specified. The DMG that you are after is the bigger one, in the case of current builds of 2.0, it can sometimes be 200+ MB!

== VFDecrypt Usage ==
./vfdecrypt -i <dmg> -o decrypted_fs.dmg -k <key>

== Gaps ==
As you will notice, there may be a gap or two, or a key for a current build that is not there. Please feel free to add them, but please be sure that it is only the key for a User or Developer build, as if you gave the key for another type of build that might or may not be out there '''people could get in trouble, and we do not want that'''. Thanks for contributing!

== Downloads ==

* http://rgov.org/files/vfdecrypt-mac.zip (Mac OS X Universal)
* http://iphoneelite.googlecode.com/files/vfdecrypt.zip (Windows)

* Source Credit: http://lorenzo.yellowspace.net/corrupt-sparseimage.html

== 1.0 (Build 1A543a) ==
28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d

== 1.0.1 (Build 1C25) ==
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

== 1.0.2 (Build 1C28) ==
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

== 1.1.1 (Build 3A109a) ==
f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3

== 1.1.1 (Build 3A110a) ==
d45b837ddd85bdae0ec82a033ba00ea03ceb8c827040034f7554c65d6376472844b8dc6a

== 1.1.2 (Build 3B48b) ==
70e11d7209602ada5b15fbecc1709ad4910d0ad010bb9a9125b78f9f50e25f3e05c595e2

== 1.1.3 (Build 4A93) ==
11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816

== 1.1.4 (Build 4A102) ==
d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

== 1.1.5 (Build 4B1) ==
c7973558e8f6af22e38d4573737d1533f1d5eec202bf86a32d941975d76f8906c7f0afe4

== 1.2 (Beta 1) (Build 5A147p) ==
86bec353ddfbe3fb750e9d7905801f79791e69acf65d16930d288e697644c76f16c4f16d

== 2.0 (Beta 2) (Build 5A225c) ==
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

== 2.0 (Beta 3) (Build 5A240d) ==
e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36

== 2.0 (Beta 4) (Build 5A258f) ==
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

== 2.0 (Beta 5) (Build 5a274d) ==
589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7

== 2.0 (Beta 6 Pre-Release) (Build 5a292g) ==
890b1fbf22975e0d4be2ea3f9bc5c87f38fd8158394fd31cf80a43ad25547573bbd0ec4e

== 2.0 (Beta 6 Final) (Build 5a308) ==
3964ca8d8bf5d3715cdc172986f2d9606672c54d5e0aa3f3a892166b4e54e4cefef21279

== 2.0 (Beta 7) (Build 5a331) ==
3d9a9832a108fc5084fc9329d6e84e38edf06e380554c49376b70e951f8a8d1ed943f819

== 2.0 (Build 5a347) ==
Ramdisk Key: 85 0A FC 27 11 32 D1 5A E6 98 95 65 56 7E 65 BF
Ramdisk IV: 29 68 1F 62 5D 1F 61 27 1E C3 11 66 01 B8 BC DE
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755

== 2.0.1 (Build 5B108) ==
Ramdisk Key: 21 9E AC 3E 01 27 6C 7E C5 04 32 12 3F 50 97 1A
Ramdisk IV: 02 4f DB BA 71 EB F3 4D F5 B5 25 CD 97 5A EF E8
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755

== 2.0.2 (Build 5C1) ==
Ramdisk Key: CC 02 8F D2 9D C2 7F 89 5E 40 1D 98 65 E7 21 00
Ramdisk IV: 53 7E B4 E7 12 9E A8 1F 57 2E C2 3D BE C4 2B 80
31e3ff09ff046d5237187346ee893015354d2135e3f0f39480be63dd2a18444961c2da5d

== 2.1 (Beta 1) (Build 5F90) ==
Ramdisk Key: 78 29 32 89 1F 0D 76 DB 49 0F DD CA 02 7A 13 B2
Ramdisk IV: 6B EA 32 6D 0F 41 10 51 59 F0 AE A8 F9 9F E7 77
f61c14aa0d53386dd42c49163686e8ccdeb86d14aafdecfe99c2e12c41a7f9f2811daa3d

== 2.1 (Build 5F136) ==
Ramdisk Key: 42 B4 F3 99 76 AF A5 9F 9E C6 80 FC CD 2C 7D 04
Ramdisk IV: FD 53 0C 4C F8 A8 78 F1 63 87 43 29 88 B1 99 B8
562ca0f7963eafb462da74a9c1f01a45c30a7eb5f1f493feceecae03ee6521a334f4ff68

== 2.1 (Build 5F137) ==
Ramdisk Key: 7C 80 7F 65 65 01 5D AA 6D 18 2D FF 79 5E 10 91
Ramdisk IV: 5C B7 FA 82 E8 FC 42 B9 DB 6C 02 7D 8F 4C 7C 39
9714f2cb955afa550d6287a1c7dd7bd0efb3c26cf74b948de7c43cf934913df69fc5a05f

==2.1.1 (Build 5F138)==
Ramdisk Key: 6D 4A 00 C0 A0 8E 90 A3 B0 24 88 5F 45 BC B7 20
Ramdisk IV: 2F 44 81 85 5C A3 9E 67 DF BF 3D 19 B8 AD E6 0E
d1b957a0a5e56903adc523c5fa99f5d165c3963aea48274770b766b44ecdebab7b5a8f30

== 2.2 (Build 5G77) ==
Ramdisk Key: EE A6 E8 78 24 A3 C0 B0 BE 86 E8 E2 BB D8 CF E9
Ramdisk IV: 18 2C DD A9 0A 38 87 0D E9 68 80 EE 7F F5 BB BC
dc39d88afe4cbd8a3f36824b8fd68acf04ac72718c09100816c5cb89889b8079e96802f0

== 2.2 (Build 5G77a) ==
Ramdisk Key: 77 8B 48 88 33 CA DA 94 0A 10 A7 C4 4C AC 74 13
Ramdisk IV: 47 9C 46 F2 7F 5B 18 AC 5F A0 18 85 CF 2B 06 F9
148025cde5c51d51d7733e74c6857dfca70d7240287d6eb039a1ed835413120b0af1e296

== 2.2.1 (Build 5H11) ==
Ramdisk Key: DA 01 0F 69 B0 E2 03 4B 4C E7 B7 C9 0B 63 BA D5
Ramdisk IV: 29 FF 3D 43 C4 00 1B 97 89 63 DE E4 37 E2 53 86
ee4eeeb62240c1378c739696dff9fef2c88834e98877f55a29c147e7d5b137967197392a

== 2.2.1 (Build 5H11a) ==
Ramdisk Key: 78 4F 13 3C 28 82 37 63 41 B9 E2 76 DA 96 6C 0F
Ramdisk IV: C9 8F 1D 8E 26 F0 4F 89 01 3E 9C 61 49 9C D1 FE
2611c9f73504344fb22c93791659ec92e65f914025c5814d708b2023ab67229d89c39791

== 3.0 Beta 2 (Build 7A259g) ==
Ramdisk Key: B1 11 BD B4 F4 A4 5E B2 BE 94 F4 3B DF C5 79 6F
Ramdisk IV: FA 01 C6 EC FC 18 6A 09 86 E2 31 1D 20 D9 6A C4

== See also ==

* [[System]] - a page with links to download the firmware images

PMB8878

2009-03-18T01:38:40Z

James: Added 3.0 beta 1 baseband.

This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]]

==Datasheet==
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.

==Secpack 2.0==
This is the security region in the files sent to the [[X-Gold 608]]. This is the first 0xCF8 is new fls and eep files.

===Layout===
0x634--Memory Map
0x714--Descriptor
0xCD4--Post secpack pointer to name
0xCEC--Data length

==Endpack==
The fls and eep files also have a footer tacked onto the end containing the loader and signature.

==Memory Map==
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

==MMU relocation table==
===Bootloader===
[[Image:Bltbl.png]]

===Firmware===
[[Image:Bbmmu.png]]

==Complete memory dump==
[http://depositfiles.com/files/i5119hpzm 0x00000000-0x0001FFFF]

[http://depositfiles.com/files/mxslfu4dp 0x20000000-0x20FFFFFF]

[http://depositfiles.com/files/6wiet73wn 0x40000000-0x407FFFFF]

[http://depositfiles.com/files/fioppsphe 0xFFFF0000-0xFFFFFFFF]

== Known Firmware Versions ==
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)
[[1.48.02]] 2.0.1 (Build 5B108)
[[2.04.03]] 2.1 (Build 5F90)
[[2.08.01]] 2.0.2 (Build 5C1)
[[2.11.07]] 2.1 (Build 5F136)
[[2.28.00]] 2.2 (Build 5G77)
[[2.30.03]] 2.2.1 (Build 5H11)
[[4.20.01]] 3.0 beta 1 (Build 7A238j)

==Accessing Interactive Mode==
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset

Talk:BurnIn

2009-03-13T01:51:50Z

James:

Where did these pictures come from? ~geohot

Chronic found these pictures from a guy at hackint0sh who sent in his 3G for repair. -wEsTbAeR--

geohot, the only flaw with your ramdisk hypothosis is that someone got their iphone back with that on it. plus, could all the needed frameworks for a GUI application fit on a ramdisk?
[[User:ChronicDev|ChronicDev]]

Chronic, maybe on a 32MB Zibri ZramdiskZ. :P
Actually this is a really bad-ass GUI, so it should fit in these 32MB or something.

-wEsTbAeR--

== nah ==

even this. you need new frameworks that dont come on a vanilla ramdisk

== geohot ==

Actually, I wonder what this does to the baseband. Something has to set up each baseband from the factory, and that something contains the private keys!!!

Only the baseband private keys, not the IPSW private keys. But who cares about the IPSW ones.

== well ==

don't get your hopes up. according to a friend, even builds that are seeded directly to people that work for carriers don't even get this, so this is for people way way way way WAY high up. If only that guy on hackintosh took the iPhone home, the devteam could have helped him pwn and extract the BurnIn application :( I doubt a phone like this will ever be seen in the wild again.

In other words, the likelyhood of us getting this is as likely as us getting the key that Apple uses to sign their ipsws, unless there is another factory slip up.

geohot, as a side note since I am already kind of talking to you :P, would you mind sharing the 114 iboot patches you used to get AES access? thanks to your post, I know how to do it, but I have been trying and I am just not skilled enough to find the correct patches :( I posted them last week, check the page about it ~geohot

== Data recovery? ==

It's a stretch, I know, but what about data recovery? If some (all?) devices have this firmware initially, then it is replaced, could some data still be recovered from the device? Or is it zeroed out before it leaves? I guess the real question is, does an OOTB device have data still on-disk other than actual inodes? --[[User:Haldo|Haldo]] 23:22, 5 August 2008 (UTC)

It would surprise me if the phones had anything on disk. I still believe it is a ramdisk. Although, lets assume I'm wrong. A dump is very easy to do, and if we do it at the iBoot level, I believe we can recover the out of band data too. ~geohot

== 100% ==

its an application dude. talk to me on IRC about it for more info. trust me.

and i saw the page, but I get permission denied errors if i use just what is there unfortunately :(

== Any more? ==

Ah, very nice to see those iPod Touch pictures... I remember them being posted to hackint0sh a while back. Beyond the 3G and iPod Touch, has *anyone* else ever had this happen? While it's rare, it seems to not be impossible.

== does drag to unlock actually unlock ==

well does it? this would be a miracle :) i'll see if i can get someone to lend me a brand new device and maybe we can look to to see if it's there assuming apple doesnt zero out everyone iphone

== Can I try it? ==

I really want to try this out on my iPhone 3G with jailbroken 2.2.1 firmware. Is it possible? Please send me an email: [mailto:drumthrasher109@gmail.com]

--[[User:Drumthrasher109|Drumthrasher109]] 13:27, 10 March 2009 (UTC)

== Buy one on eBay! ==

I know we're not the richest group of folks here, but one (or two) iPhone proto units is selling on eBay. It appears to be running burn-in from early 2007.

Seller of that protos has posted the filesystem dump of that proto at MacRumors, so it's not necessary to spend the cash on this. --[[User:Pjakuszew|Pjakuszew]] 08:00, 12 March 2009 (UTC)

Link to the MacRumors post?

Link to post with NOR dump: http://forums.macrumors.com/showpost.php?p=7249071&postcount=85

Talk:0wnboot

2009-03-11T23:38:40Z

James: New page: ==Compiling== I can't seem to ever compile a good copy on Windows.. I'm using WinARM (http://tinyurl.com/d5nyhy); specifically arm-elf-as and arm-elf-objcopy. The resulting .bin is ~200 by...

==Compiling==
I can't seem to ever compile a good copy on Windows..
I'm using WinARM (http://tinyurl.com/d5nyhy); specifically arm-elf-as and arm-elf-objcopy.
The resulting .bin is ~200 bytes too large, it is compiled as follows:
arm-elf-as -o 0wnboot 0wnboot.S && arm-elf-objcopy -O binary 0wnboot 0wnboot.bin

Is there something wrong with WinARM or am I just missing flags?
Also, any word on kbag support?
I personally don't own a 2G yet, so I haven't been able to try planetbeing's crypto utility (I assume it works, but you never know), but it would be useful.

PMB8878

2009-02-04T18:26:24Z

James: Added 2.30.03.

This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]]

==Datasheet==
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.

==Memory Map==
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

==MMU relocation table==
===Bootloader===
[[Image:Bltbl.png]]

===Firmware===
[[Image:Bbmmu.png]]

==Complete memory dump==
[http://depositfiles.com/files/i5119hpzm 0x00000000-0x0001FFFF]

[http://depositfiles.com/files/mxslfu4dp 0x20000000-0x20FFFFFF]

[http://depositfiles.com/files/6wiet73wn 0x40000000-0x407FFFFF]

[http://depositfiles.com/files/fioppsphe 0xFFFF0000-0xFFFFFFFF]

== Known Firmware Versions ==
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)
[[1.48.02]] 2.0.1(Build 5B108)
[[2.04.03]] 2.1 (Build 5F90)
[[2.08.01]] 2.0.2 (Build 5C1)
[[2.11.07]] 2.1 (Build 5F136)
[[2.28.00]] 2.2 (Build 5G77)
[[2.30.03]] 2.2.1 (Build 5H11)

==Accessing Interactive Mode==
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset

Talk:Restore Mode

2009-02-01T10:22:34Z

James: /* Verbose mode, again */

==Verbose mode==
Anyone care to elaborate on how to enable a verbose restore like in [http://qik.com/video/932215 this video]?

===RE: Verbose mode===
you need to patch iBoot to redirect the pointer of the ramdisk boot-args string somewhere else, where you have a string that is the ramdisk boot-args as well as the -v arg. kinda hacky, but that's what I did and it worked :)

====RE: RE: Verbose mode====
That is hacky indeed, but I'll try and figure out how to. Thanks Chronic.

=====Verbose mode, again=====
Now that the source of 0wnboot is public, I see what you did to enable -v ramdisks.
However, how would I convert this to something that can be run on a device other than a 2G (aka some simple mw's)?
I know, it's kind of a n00by question to ask, but -v looks useful and I know almost nothing about ASM.

Also, another question that will make me look stupid; how do you boot from a ramdisk on 2.x?
I remember doing it on 1.x, but obviously things have changed.
I tried looking at what QuickPwn does, but it's not completely obvious..
It sends iBSS and iBoot (well, it looks like it, from it's temp files that it creates), and boots into them (?, doing this actually boots into iPhone OS), then sends the ramdisk, kernel, and DeviceTree.
After this, they must execute the ramdisk.
If I were to try to emulate this process using a tool such as iRecovery, what exactly would I do?
I've tried setenv boot-args rd=md0, but from what I remember, boot-args are ignored on 2.x..
Any help would be appreciated.

Talk:Restore Mode

2009-02-01T09:17:16Z

James:

Firmware

2009-01-31T02:12:55Z

James: Added iPhone1,2_2.2.1 SHA1.

This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].

==Comparison of firmware versions==

===[[iPhone]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! [[Baseband]]
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! Can be [[unlock|unlocked]]?
! File Size
|-
| 1.0.0
| Heavenly 1A543a
| 03.12.06_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]
| fb8bb3ee2e9a997affbb97868599f2995c78209c
| Initial US shipment.
| {{yes}}
| {{yes}}
| 95.604.348
|-
| 1.0.1
| Heavenly 1C25
| 03.12.06_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097
|
| {{yes}}
| {{yes}}
| 95.627.958
|-
| 1.0.2
| Heavenly 1C28
| 03.14.08_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e
|
| {{yes}}
| {{yes}}
| 95.627.324
|-
| 1.1.1
| Snowbird 3A109a
| 04.01.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c
|
| {{yes}}
| {{yes}}
| 159.668.150
|-
| 1.1.2
| Oktoberfest 3B48a
| 04.02.13_G
| No download available
|
| Initial Euro shipment.
| {{yes}}
| {{yes}}
|
|-
| 1.1.2
| Oktoberfest 3B48b
| 04.02.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1
|
| {{yes}}
| {{yes}}
| 167.927.501
|-
| 1.1.3
| Little Bear 4A93
| 04.03.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]
| b3dec7580bd00dc4faf28449d9618ef40aeacc96
|
| {{yes}}
| {{yes}}
| 169.950.551
|-
| 1.1.4
| Little Bear 4A102
| 04.04.05_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]
| 000811bac096011b50ebf6ec1ec2285b62fda4cb
|
| {{yes}}
| {{yes}}
| 169.946.442
|-
| 2.0
| Big Bear 5A347
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4
|
| {{yes}}
| {{yes}}
| 228.768.637
|-
| 2.0.1
| Big Bear 5B108
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4
|
| {{yes}}
| {{yes}}
| 254.048.068
|-
| 2.0.2
| Big Bear 5C1
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]
| b84b57bea919bdc720287ec908c1378e7d7b5e1b
|
| {{yes}}
| {{yes}}
| 253.589.000
|-
| 2.1
| Sugar Bowl 5F136
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]
| 353b7745767b85932e14e262e69463620939bdf7
|
| {{yes}}
| {{yes}}
| 242.171.241
|-
| 2.2
| Timberline 5G77
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]
| cbfc6ff886ce89868a55547b9fb980dbf92e6418
|
| {{yes}}
| {{yes}}
| 257.576.980
|-
| 2.2.1
| SUTimberline 5H11
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]
| 43b95ebe1e51f8d30eae916053396595c08440d3
|
| {{yes}}
| {{yes}}
| 257,593,705
|}

===[[iPhone 3G]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! [[Baseband]]
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! Can be [[unlock|unlocked]]?
! File Size
|-
| 2.0
| Big Bear 5A345
| 01.45.00
| No download available
|
| Initial iPhone 3G shipment.
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
|
|-
| 2.0
| Big Bear 5A347
| 01.45.00
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]
| af9506ca0034e462674f9f59c5406f159eaf9fc1
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 235,957,125
|-
| 2.0.1
| Big Bear 5B108
| 01.48.02
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 261,224,227
|-
| 2.0.2
| Big Bear 5C1
| 02.08.01
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]
| bef7fef954293046420fbcf947379839178a195b
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 260,761,030
|-
| 2.1
| Sugar Bowl 5F136
| 02.11.07
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 249,341,655
|-
| 2.2
| Timberline 5G77
| 02.28.00
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]
| f67f8b2b842428bf89456cda0c2d5cf954d111a4
|
| {{yes}}
| {{yes}}
| 258,342,348
|-
| 2.2.1
| SUTimberline 5H11
| 02.30.03
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]
| e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c
|
| {{yes}}
| {{no}}
| 258,359,073
|}

===[[N45ap|iPod touch (1st generation)]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! File Size
|-
| 1.1.0
| Snowbird 3A100a
| No download available
|
| Initial shipment.
| {{yes}}
|
|-
| 1.1.0
| Snowbird 3A101a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143
|
| {{yes}}
| 157,890,186
|-
| 1.1.1
| Snowbird 3A110a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32
|
| {{yes}}
| 157,906,686
|-
| 1.1.2
| Oktoberfest 3B48b
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923
|
| {{yes}}
| 165,567,897
|-
| 1.1.3
| Little Bear 4A93
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6
|
| {{yes}}
| 173,511,411
|-
| 1.1.4
| Little Bear 4A102
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]
| c148d1eb1c979bb6434175411d4a372103a4fdd2
|
| {{yes}}
| 173,519,589
|-
| 1.1.5
| Little Bear 4B1
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]
| 1b818911316e4248ee01d3ec67f9d39afc3db240
|
| {{yes}}
| 173,519,637
|-
| 2.0
| Big Bear 5A347
| Download Link Prohibited
| ae82798e85f9953b0f4798bad36187cb020c9d22
| 2.0+ is a paid upgrade series
| {{yes}}
| 233,409,573
|-
| 2.0.1
| Big Bear 5B108
| Download Link Prohibited
| a81b6e7af4b85ef436d047f9da57c0f694d8964a
|
| {{yes}}
| 258,660,321
|-
| 2.0.2
| Big Bear 5C1
| Download Link Prohibited
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2
|
| {{yes}}
| 258,201,218
|-
| 2.1
| Sugar Bowl 5F137
| Download Link Prohibited
| fc7f6d0972927df502ffca47438ca75dcccffaf3
|
| {{yes}}
| 251,155,156
|-
| 2.2
| Timberline 5G77
| Download Link Prohibited
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f
|
| {{yes}}
| 260,186,851
|-
| 2.2.1
| SUTimberline 5H11
| Download Link Prohibited
| fc69be9e421bc0630567184506ab771f6b7ef68b
|
| {{yes}}
| 260,166,688
|}

===[[N72ap|iPod touch (2nd generation)]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! File Size
|-
| 2.1.1
| Sugar Bowl 5F138
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]
| c3c700be49ad227d1152188e7c1e46b8958fd1e4
|
| {{yes|Yes (but not yet released)}}
| 282,083,944
|-
| 2.2
| Timberline 5G77a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc
|
| {{yes|Yes (but not yet released)}}
| 291,123,491
|-
| 2.2.1
| SUTimberline 5H11a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]
| 9af5625ea34acdd8abeb6fce71a72651d0c815d5
|
| {{yes|Yes (but not yet released)}}
| 291,140,244
|}

==See also==
* [[VFDecrypt Keys]]

==Resources==
*[http://www.trejan.com/projects/ipod/ Firmware List]
*[http://www.iphones.ru/forum/index.php?showtopic=7115 iPhone FW's Links (Russian)]
*[http://www.iphones.ru/forum/index.php?showtopic=13934 iPod Touch FW's Links (Russian)]
*[http://pastebin.ca/1209360 A link of interest...]

Firmware Keys

2009-01-29T20:38:56Z

James: Added 2.2.1 5H11a ramdisk key and IV and RootFS key. Thanks AriX.

== Introduction ==
These keys are for use with the 'vfdecrypt' tool to decrypt the main filesystem DMG found in every iPhone/iPhone 3G/iPod touch .ipsw file. Every key will work on the main filesystem DMG for that build, regardless if it is for the iPhone or iPod touch unless specified. The DMG that you are after is the bigger one, in the case of current builds of 2.0, it can sometimes be 200+ MB!

== VFDecrypt Usage ==
./vfdecrypt -i <dmg> -o decrypted_fs.dmg -k <key>

== Gaps ==
As you will notice, there may be a gap or two, or a key for a current build that is not there. Please feel free to add them, but please be sure that it is only the key for a User or Developer build, as if you gave the key for another type of build that might or may not be out there '''people could get in trouble, and we do not want that'''. Thanks for contributing!

== Downloads ==

* http://rgov.org/files/vfdecrypt.zip (Mac OS X Universal) (link is broken)
* http://iphoneelite.googlecode.com/files/vfdecrypt.zip (Windows)

* Source Credit: http://lorenzo.yellowspace.net/corrupt-sparseimage.html

== 1.0 (Build 1A543a) ==
28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d

== 1.0.1 (Build 1C25) ==
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

== 1.0.2 (Build 1C28) ==
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

== 1.1.1 (Build 3A109a) ==
f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3

== 1.1.1 (Build 3A110a) ==
d45b837ddd85bdae0ec82a033ba00ea03ceb8c827040034f7554c65d6376472844b8dc6a

== 1.1.2 (Build 3B48b) ==
70e11d7209602ada5b15fbecc1709ad4910d0ad010bb9a9125b78f9f50e25f3e05c595e2

== 1.1.3 (Build 4A93) ==
11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816

== 1.1.4 (Build 4A102) ==
d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

== 1.1.5 (Build 4B1) ==
c7973558e8f6af22e38d4573737d1533f1d5eec202bf86a32d941975d76f8906c7f0afe4

== 1.2 (Beta 1) (Build 5A147p) ==
86bec353ddfbe3fb750e9d7905801f79791e69acf65d16930d288e697644c76f16c4f16d

== 2.0 (Beta 2) (Build 5A225c) ==
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

== 2.0 (Beta 3) (Build 5A240d) ==
e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36

== 2.0 (Beta 4) (Build 5A258f) ==
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

== 2.0 (Beta 5) (Build 5a274d) ==
589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7

== 2.0 (Beta 6 Pre-Release) (Build 5a292g) ==
890b1fbf22975e0d4be2ea3f9bc5c87f38fd8158394fd31cf80a43ad25547573bbd0ec4e

== 2.0 (Beta 6 Final) (Build 5a308) ==
3964ca8d8bf5d3715cdc172986f2d9606672c54d5e0aa3f3a892166b4e54e4cefef21279

== 2.0 (Beta 7) (Build 5a331) ==
3d9a9832a108fc5084fc9329d6e84e38edf06e380554c49376b70e951f8a8d1ed943f819

== 2.0 (Build 5a347) ==
Ramdisk Key: 85 0A FC 27 11 32 D1 5A E6 98 95 65 56 7E 65 BF
Ramdisk IV: 29 68 1F 62 5D 1F 61 27 1E C3 11 66 01 B8 BC DE
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755

== 2.0.1 (Build 5B108) ==
Ramdisk Key: 21 9E AC 3E 01 27 6C 7E C5 04 32 12 3F 50 97 1A
Ramdisk IV: 02 4f DB BA 71 EB F3 4D F5 B5 25 CD 97 5A EF E8
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755

== 2.0.2 (Build 5C1) ==
Ramdisk Key: CC 02 8F D2 9D C2 7F 89 5E 40 1D 98 65 E7 21 00
Ramdisk IV: 53 7E B4 E7 12 9E A8 1F 57 2E C2 3D BE C4 2B 80
31e3ff09ff046d5237187346ee893015354d2135e3f0f39480be63dd2a18444961c2da5d

== 2.1 (Beta 1) (Build 5F90) ==
Ramdisk Key: 78 29 32 89 1F 0D 76 DB 49 0F DD CA 02 7A 13 B2
Ramdisk IV: 6B EA 32 6D 0F 41 10 51 59 F0 AE A8 F9 9F E7 77
f61c14aa0d53386dd42c49163686e8ccdeb86d14aafdecfe99c2e12c41a7f9f2811daa3d

== 2.1 (Build 5F136) ==
Ramdisk Key: 42 B4 F3 99 76 AF A5 9F 9E C6 80 FC CD 2C 7D 04
Ramdisk IV: FD 53 0C 4C F8 A8 78 F1 63 87 43 29 88 B1 99 B8
562ca0f7963eafb462da74a9c1f01a45c30a7eb5f1f493feceecae03ee6521a334f4ff68

== 2.1 (Build 5F137) ==
Ramdisk Key: 7C 80 7F 65 65 01 5D AA 6D 18 2D FF 79 5E 10 91
Ramdisk IV: 5C B7 FA 82 E8 FC 42 B9 DB 6C 02 7D 8F 4C 7C 39
9714f2cb955afa550d6287a1c7dd7bd0efb3c26cf74b948de7c43cf934913df69fc5a05f

==2.1.1 (Build 5F138)==
Ramdisk Key: 6D 4A 00 C0 A0 8E 90 A3 B0 24 88 5F 45 BC B7 20
Ramdisk IV: 2F 44 81 85 5C A3 9E 67 DF BF 3D 19 B8 AD E6 0E
d1b957a0a5e56903adc523c5fa99f5d165c3963aea48274770b766b44ecdebab7b5a8f30

== 2.2 (Build 5G77) ==
Ramdisk Key: EE A6 E8 78 24 A3 C0 B0 BE 86 E8 E2 BB D8 CF E9
Ramdisk IV: 18 2C DD A9 0A 38 87 0D E9 68 80 EE 7F F5 BB BC
dc39d88afe4cbd8a3f36824b8fd68acf04ac72718c09100816c5cb89889b8079e96802f0

== 2.2 (Build 5G77a) ==
Ramdisk Key: 77 8B 48 88 33 CA DA 94 0A 10 A7 C4 4C AC 74 13
Ramdisk IV: 47 9C 46 F2 7F 5B 18 AC 5F A0 18 85 CF 2B 06 F9
148025cde5c51d51d7733e74c6857dfca70d7240287d6eb039a1ed835413120b0af1e296

== 2.2.1 (Build 5H11) ==
Ramdisk Key: DA 01 0F 69 B0 E2 03 4B 4C E7 B7 C9 0B 63 BA D5
Ramdisk IV: 29 FF 3D 43 C4 00 1B 97 89 63 DE E4 37 E2 53 86
ee4eeeb62240c1378c739696dff9fef2c88834e98877f55a29c147e7d5b137967197392a

== 2.2.1 (Build 5H11a) ==
Ramdisk Key: 78 4F 13 3C 28 82 37 63 41 B9 E2 76 DA 96 6C 0F
Ramdisk IV: C9 8F 1D 8E 26 F0 4F 89 01 3E 9C 61 49 9C D1 FE
2611c9f73504344fb22c93791659ec92e65f914025c5814d708b2023ab67229d89c39791

== See also ==

* [[System]] - a page with links to download the firmware images

Talk:Restore Mode

2009-01-28T23:16:58Z

James:

==Verbose mode==
Anyone care to elaborate on how to enable a verbose restore like in [http://qik.com/video/932215 this video]?

==RE: Verbose mode==
you need to patch iBoot to redirect the pointer of the ramdisk boot-args string somewhere else, where you have a string that is the ramdisk boot-args as well as the -v arg. kinda hacky, but that's what I did and it worked :)

==RE: RE: Verbose mode==
That is hacky indeed, but I'll try and figure out how to. Thanks Chronic.

Talk:Restore Mode

2009-01-28T22:23:44Z

James: New page: ==Verbose mode== Anyone care to elaborate on how to enable a verbose restore like in [http://qik.com/video/932215 this video]?

==Verbose mode==
Anyone care to elaborate on how to enable a verbose restore like in [http://qik.com/video/932215 this video]?

Firmware Keys

2009-01-28T02:54:26Z

James: Added 2.2.1 5H11 ramdisk key and IV and RootFS key.

== Introduction ==
These keys are for use with the 'vfdecrypt' tool to decrypt the main filesystem DMG found in every iPhone/iPhone 3G/iPod touch .ipsw file. Every key will work on the main filesystem DMG for that build, regardless if it is for the iPhone or iPod touch unless specified. The DMG that you are after is the bigger one, in the case of current builds of 2.0, it can sometimes be 200+ MB!

== VFDecrypt Usage ==
./vfdecrypt -i <dmg> -o decrypted_fs.dmg -k <key>

== Gaps ==
As you will notice, there may be a gap or two, or a key for a current build that is not there. Please feel free to add them, but please be sure that it is only the key for a User or Developer build, as if you gave the key for another type of build that might or may not be out there '''people could get in trouble, and we do not want that'''. Thanks for contributing!

== Downloads ==

* http://rgov.org/files/vfdecrypt.zip (Mac OS X Universal) (link is broken)
* http://iphoneelite.googlecode.com/files/vfdecrypt.zip (Windows)

* Source Credit: http://lorenzo.yellowspace.net/corrupt-sparseimage.html

== 1.0 (Build 1A543a) ==
28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d

== 1.0.1 (Build 1C25) ==
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

== 1.0.2 (Build 1C28) ==
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

== 1.1.1 (Build 3A109a) ==
f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3

== 1.1.1 (Build 3A110a) ==
d45b837ddd85bdae0ec82a033ba00ea03ceb8c827040034f7554c65d6376472844b8dc6a

== 1.1.2 (Build 3B48b) ==
70e11d7209602ada5b15fbecc1709ad4910d0ad010bb9a9125b78f9f50e25f3e05c595e2

== 1.1.3 (Build 4A93) ==
11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816

== 1.1.4 (Build 4A102) ==
d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

== 1.1.5 (Build 4B1) ==
c7973558e8f6af22e38d4573737d1533f1d5eec202bf86a32d941975d76f8906c7f0afe4

== 1.2 (Beta 1) (Build 5A147p) ==
86bec353ddfbe3fb750e9d7905801f79791e69acf65d16930d288e697644c76f16c4f16d

== 2.0 (Beta 2) (Build 5A225c) ==
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

== 2.0 (Beta 3) (Build 5A240d) ==
e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36

== 2.0 (Beta 4) (Build 5A258f) ==
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

== 2.0 (Beta 5) (Build 5a274d) ==
589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7

== 2.0 (Beta 6 Pre-Release) (Build 5a292g) ==
890b1fbf22975e0d4be2ea3f9bc5c87f38fd8158394fd31cf80a43ad25547573bbd0ec4e

== 2.0 (Beta 6 Final) (Build 5a308) ==
3964ca8d8bf5d3715cdc172986f2d9606672c54d5e0aa3f3a892166b4e54e4cefef21279

== 2.0 (Beta 7) (Build 5a331) ==
3d9a9832a108fc5084fc9329d6e84e38edf06e380554c49376b70e951f8a8d1ed943f819

== 2.0 (Build 5a347) ==
Ramdisk Key: 85 0A FC 27 11 32 D1 5A E6 98 95 65 56 7E 65 BF
Ramdisk IV: 29 68 1F 62 5D 1F 61 27 1E C3 11 66 01 B8 BC DE
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755

== 2.0.1 (Build 5B108) ==
Ramdisk Key: 21 9E AC 3E 01 27 6C 7E C5 04 32 12 3F 50 97 1A
Ramdisk IV: 02 4f DB BA 71 EB F3 4D F5 B5 25 CD 97 5A EF E8
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755

== 2.0.2 (Build 5C1) ==
Ramdisk Key: CC 02 8F D2 9D C2 7F 89 5E 40 1D 98 65 E7 21 00
Ramdisk IV: 53 7E B4 E7 12 9E A8 1F 57 2E C2 3D BE C4 2B 80
31e3ff09ff046d5237187346ee893015354d2135e3f0f39480be63dd2a18444961c2da5d

== 2.1 (Beta 1) (Build 5F90) ==
Ramdisk Key: 78 29 32 89 1F 0D 76 DB 49 0F DD CA 02 7A 13 B2
Ramdisk IV: 6B EA 32 6D 0F 41 10 51 59 F0 AE A8 F9 9F E7 77
f61c14aa0d53386dd42c49163686e8ccdeb86d14aafdecfe99c2e12c41a7f9f2811daa3d

== 2.1 (Build 5F136) ==
Ramdisk Key: 42 B4 F3 99 76 AF A5 9F 9E C6 80 FC CD 2C 7D 04
Ramdisk IV: FD 53 0C 4C F8 A8 78 F1 63 87 43 29 88 B1 99 B8
562ca0f7963eafb462da74a9c1f01a45c30a7eb5f1f493feceecae03ee6521a334f4ff68

== 2.1 (Build 5F137) ==
Ramdisk Key: 7C 80 7F 65 65 01 5D AA 6D 18 2D FF 79 5E 10 91
Ramdisk IV: 5C B7 FA 82 E8 FC 42 B9 DB 6C 02 7D 8F 4C 7C 39
9714f2cb955afa550d6287a1c7dd7bd0efb3c26cf74b948de7c43cf934913df69fc5a05f

==2.1.1 (Build 5F138)==
Ramdisk Key: 6D 4A 00 C0 A0 8E 90 A3 B0 24 88 5F 45 BC B7 20
Ramdisk IV: 2F 44 81 85 5C A3 9E 67 DF BF 3D 19 B8 AD E6 0E
d1b957a0a5e56903adc523c5fa99f5d165c3963aea48274770b766b44ecdebab7b5a8f30

== 2.2 (Build 5G77) ==
Ramdisk Key: EE A6 E8 78 24 A3 C0 B0 BE 86 E8 E2 BB D8 CF E9
Ramdisk IV: 18 2C DD A9 0A 38 87 0D E9 68 80 EE 7F F5 BB BC
dc39d88afe4cbd8a3f36824b8fd68acf04ac72718c09100816c5cb89889b8079e96802f0

== 2.2 (Build 5G77a) ==
Ramdisk Key: 77 8B 48 88 33 CA DA 94 0A 10 A7 C4 4C AC 74 13
Ramdisk IV: 47 9C 46 F2 7F 5B 18 AC 5F A0 18 85 CF 2B 06 F9
148025cde5c51d51d7733e74c6857dfca70d7240287d6eb039a1ed835413120b0af1e296

== 2.2.1 (Build 5H11) ==
Ramdisk Key: DA 01 0F 69 B0 E2 03 4B 4C E7 B7 C9 0B 63 BA D5
Ramdisk IV: 29 FF 3D 43 C4 00 1B 97 89 63 DE E4 37 E2 53 86
ee4eeeb62240c1378c739696dff9fef2c88834e98877f55a29c147e7d5b137967197392a

== See also ==

* [[System]] - a page with links to download the firmware images

Firmware

2009-01-28T02:52:00Z

James: This is not true, it can be jailbroken, but it is tethered. Also added 2.2.1 RootFS disk name.

This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].

==Comparison of firmware versions==

===[[iPhone]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! [[Baseband]]
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! Can be [[unlock|unlocked]]?
! File Size
|-
| 1.0.0
| Heavenly 1A543a
| 03.12.06_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]
| fb8bb3ee2e9a997affbb97868599f2995c78209c
| Initial US shipment.
| {{yes}}
| {{yes}}
| 95.604.348
|-
| 1.0.1
| Heavenly 1C25
| 03.12.06_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097
|
| {{yes}}
| {{yes}}
| 95.627.958
|-
| 1.0.2
| Heavenly 1C28
| 03.14.08_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e
|
| {{yes}}
| {{yes}}
| 95.627.324
|-
| 1.1.1
| Snowbird 3A109a
| 04.01.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c
|
| {{yes}}
| {{yes}}
| 159.668.150
|-
| 1.1.2
| Oktoberfest 3B48a
| 04.02.13_G
| No download available
|
| Initial Euro shipment.
| {{yes}}
| {{yes}}
|
|-
| 1.1.2
| Oktoberfest 3B48b
| 04.02.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1
|
| {{yes}}
| {{yes}}
| 167.927.501
|-
| 1.1.3
| Little Bear 4A93
| 04.03.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]
| b3dec7580bd00dc4faf28449d9618ef40aeacc96
|
| {{yes}}
| {{yes}}
| 169.950.551
|-
| 1.1.4
| Little Bear 4A102
| 04.04.05_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]
| 000811bac096011b50ebf6ec1ec2285b62fda4cb
|
| {{yes}}
| {{yes}}
| 169.946.442
|-
| 2.0
| Big Bear 5A347
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4
|
| {{yes}}
| {{yes}}
| 228.768.637
|-
| 2.0.1
| Big Bear 5B108
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4
|
| {{yes}}
| {{yes}}
| 254.048.068
|-
| 2.0.2
| Big Bear 5C1
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]
| b84b57bea919bdc720287ec908c1378e7d7b5e1b
|
| {{yes}}
| {{yes}}
| 253.589.000
|-
| 2.1
| Sugar Bowl 5F136
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]
| 353b7745767b85932e14e262e69463620939bdf7
|
| {{yes}}
| {{yes}}
| 242.171.241
|-
| 2.2
| Timberline 5G77
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]
| cbfc6ff886ce89868a55547b9fb980dbf92e6418
|
| {{yes}}
| {{yes}}
| 257.576.980
|-
| 2.2.1
| SUTimberline 5H11
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]
| 43b95ebe1e51f8d30eae916053396595c08440d3
|
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| {{yes|Yes (by updating from an unlocked state)}}
| 257,593,705
|}

===[[iPhone 3G]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! [[Baseband]]
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! Can be [[unlock|unlocked]]?
! File Size
|-
| 2.0
| Big Bear 5A345
| 01.45.00
| No download available
|
| Initial iPhone 3G shipment.
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
|
|-
| 2.0
| Big Bear 5A347
| 01.45.00
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]
| af9506ca0034e462674f9f59c5406f159eaf9fc1
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 235.957.125
|-
| 2.0.1
| Big Bear 5B108
| 01.48.02
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 261.224.227
|-
| 2.0.2
| Big Bear 5C1
| 02.08.01
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]
| bef7fef954293046420fbcf947379839178a195b
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 260.761.030
|-
| 2.1
| Sugar Bowl 5F136
| 02.11.07
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 249.341.655
|-
| 2.2
| Timberline 5G77
| 02.28.00
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]
| f67f8b2b842428bf89456cda0c2d5cf954d111a4
|
| {{yes}}
| {{yes}}
| 258.342.348
|-
| 2.2.1
| SUTimberline 5H11
| 02.30.03
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]
| -
|
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| {{no}}
| -
|}

===[[N45ap|iPod touch (1st generation)]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! File Size
|-
| 1.1.0
| Snowbird 3A100a
| No download available
|
| Initial shipment.
| {{yes}}
|
|-
| 1.1.0
| Snowbird 3A101a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143
|
| {{yes}}
| 157.890.186
|-
| 1.1.1
| Snowbird 3A110a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32
|
| {{yes}}
| 157.906.686
|-
| 1.1.2
| Oktoberfest 3B48b
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923
|
| {{yes}}
| 165.567.897
|-
| 1.1.3
| Little Bear 4A93
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6
|
| {{yes}}
| 173.511.411
|-
| 1.1.4
| Little Bear 4A102
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]
| c148d1eb1c979bb6434175411d4a372103a4fdd2
|
| {{yes}}
| 173.519.589
|-
| 1.1.5
| Little Bear 4B1
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]
| 1b818911316e4248ee01d3ec67f9d39afc3db240
|
| {{yes}}
| 173.519.637
|-
| 2.0
| Big Bear 5A347
| Download Link Prohibited
| ae82798e85f9953b0f4798bad36187cb020c9d22
| 2.0+ is a paid upgrade series
| {{yes}}
| 233.409.573
|-
| 2.0.1
| Big Bear 5B108
| Download Link Prohibited
| a81b6e7af4b85ef436d047f9da57c0f694d8964a
|
| {{yes}}
| 258.660.321
|-
| 2.0.2
| Big Bear 5C1
| Download Link Prohibited
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2
|
| {{yes}}
| 258.201.218
|-
| 2.1
| Sugar Bowl 5F137
| Download Link Prohibited
| fc7f6d0972927df502ffca47438ca75dcccffaf3
|
| {{yes}}
| 251.155.156
|-
| 2.2
| Timberline 5G77
| Download Link Prohibited
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f
|
| {{yes}}
| 260.186.851
|-
| 2.2.1
| SUTimberline 5H11
| Download Link Prohibited
| -
|
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| -
|}

===[[N72ap|iPod touch (2nd generation)]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! File Size
|-
| 2.1.1
| Sugar Bowl 5F138
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]
| c3c700be49ad227d1152188e7c1e46b8958fd1e4
|
| {{yes|Yes (but not yet released)}}
| 282.083.944
|-
| 2.2
| Timberline 5G77a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc
|
| {{yes|Yes (but not yet released)}}
| 291.123.491
|-
| 2.2.1
| SUTimberline 5H11a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]
| -
|
| {{yes|Yes (but not yet released)}}
| -
|}

==See also==
* [[VFDecrypt Keys]]

==Resources==
*[http://www.trejan.com/projects/ipod/ Firmware List]
*[http://www.iphones.ru/forum/index.php?showtopic=7115 iPhone FW's Links (Russian)]
*[http://www.iphones.ru/forum/index.php?showtopic=13934 iPod Touch FW's Links (Russian)]
*[http://pastebin.ca/1209360 A link of interest...]

Firmware Keys

2009-01-23T02:24:59Z

James: Added 2.1.1 RootFS key, rd key, and rd IV. Also added 2.2 5G77a rd key and rd IV. Both courtesy of Chronic and co.

== Introduction ==
These keys are for use with the 'vfdecrypt' tool to decrypt the main filesystem DMG found in every iPhone/iPhone 3G/iPod touch .ipsw file. Every key will work on the main filesystem DMG for that build, regardless if it is for the iPhone or iPod touch unless specified. The DMG that you are after is the bigger one, in the case of current builds of 2.0, it can sometimes be 200+ MB!

== VFDecrypt Usage ==
./vfdecrypt -i <dmg> -o decrypted_fs.dmg -k <key>

== Gaps ==
As you will notice, there may be a gap or two, or a key for a current build that is not there. Please feel free to add them, but please be sure that it is only the key for a User or Developer build, as if you gave the key for another type of build that might or may not be out there '''people could get in trouble, and we do not want that'''. Thanks for contributing!

== Downloads ==

* http://rgov.org/files/vfdecrypt.zip (Mac OS X Universal) (link is broken)
* http://iphoneelite.googlecode.com/files/vfdecrypt.zip (Windows)

* Source Credit: http://lorenzo.yellowspace.net/corrupt-sparseimage.html

== 1.0 (Build 1A543a) ==
28c909fc6d322fa18940f03279d70880e59a4507998347c70d5b8ca7ef090ecccc15e82d

== 1.0.1 (Build 1C25) ==
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

== 1.0.2 (Build 1C28) ==
7d5962d0b582ec2557c2cade50de90f4353a1c1de07b74212513fef9cc71fb890574bfe5

== 1.1.1 (Build 3A109a) ==
f45de7637a62b200950e550f4144696d7ff3dc5f0b19c8efdf194c88f3bc2fa808fea3b3

== 1.1.1 (Build 3A110a) ==
d45b837ddd85bdae0ec82a033ba00ea03ceb8c827040034f7554c65d6376472844b8dc6a

== 1.1.2 (Build 3B48b) ==
70e11d7209602ada5b15fbecc1709ad4910d0ad010bb9a9125b78f9f50e25f3e05c595e2

== 1.1.3 (Build 4A93) ==
11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816

== 1.1.4 (Build 4A102) ==
d0a0c0977bd4b6350b256d6650ec9eca419b6f961f593e74b7e5b93e010b698ca6cca1fe

== 1.1.5 (Build 4B1) ==
c7973558e8f6af22e38d4573737d1533f1d5eec202bf86a32d941975d76f8906c7f0afe4

== 1.2 (Beta 1) (Build 5A147p) ==
86bec353ddfbe3fb750e9d7905801f79791e69acf65d16930d288e697644c76f16c4f16d

== 2.0 (Beta 2) (Build 5A225c) ==
ea14f3ec624c7fdbd52e108aa92d13b16f6b0b940c841f7bbc7792099dae45da928d13e7

== 2.0 (Beta 3) (Build 5A240d) ==
e24bfab40a2e5d3dc25e089291846e5615b640897ae8b424946c587bcf53b201a1041d36

== 2.0 (Beta 4) (Build 5A258f) ==
198d6602ba2ad2d427adf7058045fff5f20d05846622c186cca3d423ad03b5bc3f43c61c

== 2.0 (Beta 5) (Build 5a274d) ==
589df25eaa4ff0a5e29e1425fb99bf50957888ff098ba2fcb72cf130f40e15e00bcf2fc7

== 2.0 (Beta 6 Pre-Release) (Build 5a292g) ==
890b1fbf22975e0d4be2ea3f9bc5c87f38fd8158394fd31cf80a43ad25547573bbd0ec4e

== 2.0 (Beta 6 Final) (Build 5a308) ==
3964ca8d8bf5d3715cdc172986f2d9606672c54d5e0aa3f3a892166b4e54e4cefef21279

== 2.0 (Beta 7) (Build 5a331) ==
3d9a9832a108fc5084fc9329d6e84e38edf06e380554c49376b70e951f8a8d1ed943f819

== 2.0 (Build 5a347) ==
Ramdisk Key: 85 0A FC 27 11 32 D1 5A E6 98 95 65 56 7E 65 BF
Ramdisk IV: 29 68 1F 62 5D 1F 61 27 1E C3 11 66 01 B8 BC DE
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755

== 2.0.1 (Build 5B108) ==
Ramdisk Key: 21 9E AC 3E 01 27 6C 7E C5 04 32 12 3F 50 97 1A
Ramdisk IV: 02 4f DB BA 71 EB F3 4D F5 B5 25 CD 97 5A EF E8
2cfca55aabb22fde7746e6a034f738b7795458be9902726002a8341995558990f41e3755

== 2.0.2 (Build 5C1) ==
Ramdisk Key: CC 02 8F D2 9D C2 7F 89 5E 40 1D 98 65 E7 21 00
Ramdisk IV: 53 7E B4 E7 12 9E A8 1F 57 2E C2 3D BE C4 2B 80
31e3ff09ff046d5237187346ee893015354d2135e3f0f39480be63dd2a18444961c2da5d

== 2.1 (Beta 1) (Build 5F90) ==
Ramdisk Key: 78 29 32 89 1F 0D 76 DB 49 0F DD CA 02 7A 13 B2
Ramdisk IV: 6B EA 32 6D 0F 41 10 51 59 F0 AE A8 F9 9F E7 77
f61c14aa0d53386dd42c49163686e8ccdeb86d14aafdecfe99c2e12c41a7f9f2811daa3d

== 2.1 (Build 5F136) ==
Ramdisk Key: 42 B4 F3 99 76 AF A5 9F 9E C6 80 FC CD 2C 7D 04
Ramdisk IV: FD 53 0C 4C F8 A8 78 F1 63 87 43 29 88 B1 99 B8
562ca0f7963eafb462da74a9c1f01a45c30a7eb5f1f493feceecae03ee6521a334f4ff68

== 2.1 (Build 5F137) ==
Ramdisk Key: 7C 80 7F 65 65 01 5D AA 6D 18 2D FF 79 5E 10 91
Ramdisk IV: 5C B7 FA 82 E8 FC 42 B9 DB 6C 02 7D 8F 4C 7C 39
9714f2cb955afa550d6287a1c7dd7bd0efb3c26cf74b948de7c43cf934913df69fc5a05f

==2.1.1 (Build 5F138)==
Ramdisk Key: 6D 4A 00 C0 A0 8E 90 A3 B0 24 88 5F 45 BC B7 20
Ramdisk IV: 2F 44 81 85 5C A3 9E 67 DF BF 3D 19 B8 AD E6 0E
d1b957a0a5e56903adc523c5fa99f5d165c3963aea48274770b766b44ecdebab7b5a8f30

== 2.2 (Build 5G77) ==
Ramdisk Key: EE A6 E8 78 24 A3 C0 B0 BE 86 E8 E2 BB D8 CF E9
Ramdisk IV: 18 2C DD A9 0A 38 87 0D E9 68 80 EE 7F F5 BB BC
dc39d88afe4cbd8a3f36824b8fd68acf04ac72718c09100816c5cb89889b8079e96802f0

== 2.2 (Build 5G77a) ==
Ramdisk Key: 77 8B 48 88 33 CA DA 94 0A 10 A7 C4 4C AC 74 13
Ramdisk IV: 47 9C 46 F2 7F 5B 18 AC 5F A0 18 85 CF 2B 06 F9
148025cde5c51d51d7733e74c6857dfca70d7240287d6eb039a1ed835413120b0af1e296

== See also ==

* [[System]] - a page with links to download the firmware images

Redsn0w Lite

2009-01-16T22:50:45Z

James:

This is the [[dev team]] jailbreak for the [[n72ap|iPod Touch 2G]]. It has not been released yet and this page will be updated when it is :)

==Links==
[http://redsn0w.com/ Red Sn0w Website]

ARM7 Go

2009-01-16T21:44:20Z

James:

This exploit is present in 2.1.1 iPod Touch 2G devices, as well as the iBEC / iBSS if you choose to upload it via DFU. It allows the running of unsigned code on the iPod Touch 2G device's ARM7 processor (not the ARM11, mind you).

'''This exploit cannot be used on an [[iPhone]], [[iPhone 3G]], or [[n45ap|iPod touch 1G]], nor is there any reason for it to be as they have already been jailbroken.'''

==Credit==
chronic / [[dev team]] (no collaboration - spotted by each on their own and worked on seperately)

==Exploit==
There is an ARM7 in the iPod Touch 2G in addition to the main processor, the ARM11. It is on the same address bus, so it has access to everything the ARM11 has access to, such as the AES engine, the PKE accelorator, and such. The actual exploit is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands: arm7_stop and arm7_go. They were promptly removed in 2.2. The arm7_go command had no signature checking, permissions checking, or anything like that. The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and it is supposed to execute it. Unfortunately, it does not like naked binaries, nor does it like IMG3 files. Hopefully on the release of [[RedSn0w]] it will provide some insight on how the ARM7 expects an image to before it is executed.

==Payload==
As mentioned above, the payload is not as simple as writing some ARM code and sending it, then using "arm7_go". This section will be updated once I get a chance to see how the dev team's redsn0w utilizes this exploit :)

[[Category:Jailbreaks]]

ARM7 Go

2009-01-16T21:42:38Z

James:

This exploit is present in 2.1.1 iPod Touch 2G devices, as well as the iBEC / iBSS if you choose to upload it via DFU. It allows the running of unsigned code on the iPod Touch 2G device's ARM7 processor (not the ARM11, mind you).

'''This exploit cannot be used on an [[iPhone]], [[iPhone 3G]], or [[iPod Touch 1G]], nor is there any reason for it to be as they have already been jailbroken'''

==Credit==
chronic / [[dev team]] (no collaboration - spotted by each on their own and worked on seperately)

==Exploit==
There is an ARM7 in the iPod Touch 2G in addition to the main processor, the ARM11. It is on the same address bus, so it has access to everything the ARM11 has access to, such as the AES engine, the PKE accelorator, and such. The actual exploit is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands: arm7_stop and arm7_go. They were promptly removed in 2.2. The arm7_go command had no signature checking, permissions checking, or anything like that. The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and it is supposed to execute it. Unfortunately, it does not like naked binaries, nor does it like IMG3 files. Hopefully on the release of [[RedSn0w]] it will provide some insight on how the ARM7 expects an image to before it is executed.

==Payload==
As mentioned above, the payload is not as simple as writing some ARM code and sending it, then using "arm7_go". This section will be updated once I get a chance to see how the dev team's redsn0w utilizes this exploit :)

[[Category:Jailbreaks]]

Redsn0w Lite

2009-01-16T21:39:26Z

James:

This is the [[dev team]] jailbreak for the [[iPod Touch 2G]]. It has not been released yet and this page will be updated when it is :)

==Links==
[http://redsn0w.com/ Red Sn0w Website]

Firmware

2009-01-14T21:39:29Z

James: Updated iPod 2G table.

This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].

==Comparison of firmware versions==

===[[iPhone]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! [[Baseband]]
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! Can be [[unlock|unlocked]]?
! File Size
|-
| 1.0.0
| Heavenly 1A543a
| 03.12.06_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]
| fb8bb3ee2e9a997affbb97868599f2995c78209c
| Initial US shipment.
| {{yes}}
| {{yes}}
| 95.604.348
|-
| 1.0.1
| Heavenly 1C25
| 03.12.06_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097
|
| {{yes}}
| {{yes}}
| 95.627.958
|-
| 1.0.2
| Heavenly 1C28
| 03.14.08_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e
|
| {{yes}}
| {{yes}}
| 95.627.324
|-
| 1.1.1
| Snowbird 3A109a
| 04.01.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c
|
| {{yes}}
| {{yes}}
| 159.668.150
|-
| 1.1.2
| Oktoberfest 3B48a
| 04.02.13_G
| No download available
|
| Initial Euro shipment.
| {{yes}}
| {{yes}}
|
|-
| 1.1.2
| Oktoberfest 3B48b
| 04.02.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1
|
| {{yes}}
| {{yes}}
| 167.927.501
|-
| 1.1.3
| Little Bear 4A93
| 04.03.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]
| b3dec7580bd00dc4faf28449d9618ef40aeacc96
|
| {{yes}}
| {{yes}}
| 169.950.551
|-
| 1.1.4
| Little Bear 4A102
| 04.04.05_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]
| 000811bac096011b50ebf6ec1ec2285b62fda4cb
|
| {{yes}}
| {{yes}}
| 169.946.442
|-
| 2.0
| Big Bear 5A347
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4
|
| {{yes}}
| {{yes}}
| 228.768.637
|-
| 2.0.1
| Big Bear 5B108
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4
|
| {{yes}}
| {{yes}}
| 254.048.068
|-
| 2.0.2
| Big Bear 5C1
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]
| b84b57bea919bdc720287ec908c1378e7d7b5e1b
|
| {{yes}}
| {{yes}}
| 253.589.000
|-
| 2.1
| Sugar Bowl 5F136
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]
| 353b7745767b85932e14e262e69463620939bdf7
|
| {{yes}}
| {{yes}}
| 242.171.241
|-
| 2.2
| Timberline 5G77
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]
| cbfc6ff886ce89868a55547b9fb980dbf92e6418
|
| {{yes}}
| {{yes}}
| 257.576.980
|-
|}

===[[iPhone 3G]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! [[Baseband]]
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! Can be [[unlock|unlocked]]?
! File Size
|-
| 2.0
| Big Bear 5A345
| 01.45.00
| No download available
|
| Initial iPhone 3G shipment.
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
|
|-
| 2.0
| Big Bear 5A347
| 01.45.00
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]
| af9506ca0034e462674f9f59c5406f159eaf9fc1
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 235.957.125
|-
| 2.0.1
| Big Bear 5B108
| 01.48.02
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 261.224.227
|-
| 2.0.2
| Big Bear 5C1
| 02.08.01
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]
| bef7fef954293046420fbcf947379839178a195b
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 260.761.030
|-
| 2.1
| Sugar Bowl 5F136
| 02.11.07
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043
|
| {{yes}}
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 249.341.655
|-
| 2.2
| Timberline 5G77
| 02.28.00
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]
| f67f8b2b842428bf89456cda0c2d5cf954d111a4
|
| {{yes}}
| {{yes}}
| 258.342.348
|}

===[[N45ap|iPod touch (1st generation)]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! File Size
|-
| 1.1.0
| Snowbird 3A100a
| No download available
|
| Initial shipment.
| {{yes}}
|
|-
| 1.1.0
| Snowbird 3A101a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143
|
| {{yes}}
| 157.890.186
|-
| 1.1.1
| Snowbird 3A110a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32
|
| {{yes}}
| 157.906.686
|-
| 1.1.2
| Oktoberfest 3B48b
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923
|
| {{yes}}
| 165.567.897
|-
| 1.1.3
| Little Bear 4A93
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6
|
| {{yes}}
| 173.511.411
|-
| 1.1.4
| Little Bear 4A102
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]
| c148d1eb1c979bb6434175411d4a372103a4fdd2
|
| {{yes}}
| 173.519.589
|-
| 1.1.5
| Little Bear 4B1
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]
| 1b818911316e4248ee01d3ec67f9d39afc3db240
|
| {{yes}}
| 173.519.637
|-
| 2.0
| Big Bear 5A347
| Download Link Prohibited
| ae82798e85f9953b0f4798bad36187cb020c9d22
| 2.0+ is a paid upgrade series
| {{yes}}
| 233.409.573
|-
| 2.0.1
| Big Bear 5B108
| Download Link Prohibited
| a81b6e7af4b85ef436d047f9da57c0f694d8964a
|
| {{yes}}
| 258.660.321
|-
| 2.0.2
| Big Bear 5C1
| Download Link Prohibited
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2
|
| {{yes}}
| 258.201.218
|-
| 2.1
| Sugar Bowl 5F137
| Download Link Prohibited
| fc7f6d0972927df502ffca47438ca75dcccffaf3
|
| {{yes}}
| 251.155.156
|-
| 2.2
| Timberline 5G77
| Download Link Prohibited
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f
|
| {{yes}}
| 260.186.851
|}

===[[N72ap|iPod touch (2nd generation)]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Version
! Build
! IPSW Download URL
! SHA1 Hash
! Comments
! Can be [[jailbreak|jailbroken]]?
! File Size
|-
| 2.1.1
| Sugar Bowl 5F138
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]
| c3c700be49ad227d1152188e7c1e46b8958fd1e4
|
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 282.083.944
|-
| 2.2
| Timberline 5G77a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc
|
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)
| 291.123.491
|}

==See also==
* [[VFDecrypt Keys]]

==Resources==
*[http://www.trejan.com/projects/ipod/ Firmware List]
*[http://www.iphones.ru/forum/index.php?showtopic=7115 iPhone FW's Links (Russian)]
*[http://www.iphones.ru/forum/index.php?showtopic=13934 iPod Touch FW's Links (Russian)]
*[http://pastebin.ca/1209360 A link of interest...]

Tutorial:Unlock iPhone 3G with TurboSim

2008-12-07T05:26:39Z

James: Cleaned up modem firmware versions and added information for newer firmwares 02.11.07 and 02.28.00.

{{disclaimer}}

This article is a step by step instruction to use a net-locked iPhone-3G with a different provider.

The dev team states on [http://blog.iphone-dev.org/post/44428446/updates their blog] that the SIM hacks they examined send illegal signals.
<table border=1 width=100%><tr>
<td bgcolor=#ffA4A4>

'''Update / Warning:'''

'''ZeroG''', was '''''not intended''''' ''' to do trickery to your cellular network'''. But due to the way the iPhone's 2.x baseband firmware handles the login, '''actually it does'''. Short overview: ZeroG starts up the SIM replacing MCC / MNC with test IMSI codes, leaving the MSIN untouched. Then it restarts the SIM giving the correct IMSI afterwards. Unfortunately the iPhone asks the SIM exactly ''one'' time for the IMSI, it doesn't care about the restart. So effectively the login into the cellular network is done in test IMSI mode. Now it is up to your provider, how it handles such requests. For normal logins (no turboSIM) the login request is processed by your provider. In the roaming case your login request is routed from the guest provider to your provider. There is no provider for 'test' MCC / MCN. Your provider has to recognize this upon login (This implies you have to manually select cellular network right from the start.) If your provider accepts the test IMSI code and does authentication with your MSIN (this implies, (real) roaming is not possible, as only _your_ provider can process MSIN correctly), everything ''could'' be fine. You don't spoof your identity, there should also be no billing problems. But if you try this method, have successfully installed ZeroG.trb and do _not_ gain access, probably your provider does not accept test IMSI mode. In this case better do not retry as you might risk your IMSI beeing blacklisted.<BR>

</td>
</tr>
</table><BR>

[[Image:Ip terminal.png | thumb | right | 240px | Swisscom -> O2 Germany]]

----

=== Preamble ===

Apart from the warning and some other things, the method is quite stable if it works with your provider at all. You have to take care of:
* never switch on 3G mode
* before you use your SIM card that you want to unlock, put it in a different 2G phone and manually select provider and check GPRS works
* for GPRS, "data roaming" has to be enabled on the iPhone (it is not roaming for your provider, but the iPhone thinks it's roaming)

=== Motivation ===

Everyone who dislikes pink T's, over-priced unlocked iPhones and likes investigating exciting techniques ... (a.s.o.)

<br>
=== Supported Basebands ===

<table cellpadding=5 border=1>
<tr>
<td style="text-align: center">Baseband</td>
<td style="text-align: center">Exploitable</td>
</tr>
<tr>
<td style="text-align: center">01.43.00</td>
<td style="background-color: #c0c0c0; text-align: center">unknown</td>
</tr>
<tr>
<td style="text-align: center">01.45.00</td>
<td style="background-color: #64ff64; text-align: center">yes</td>
</tr>
<tr>
<td style="text-align: center">01.48.02</td>
<td style="background-color: #64ff64; text-align: center">yes</td>
</tr>
<tr>
<td style="text-align: center">02.04.03</td>
<td style="background-color: #c0c0c0; text-align: center">unknown</td>
</tr>
<tr>
<td style="text-align: center">02.08.01</td>
<td style="background-color: #64ff64; text-align: center">yes</td>
</tr>
<tr>
<td style="text-align: center">02.11.07</td>
<td style="background-color: #64ff64; text-align: center">yes</td>
</tr>
<tr>
<td style="text-align: center">02.28.00</td>
<td style="background-color: #ff9090; text-align: center">no</td>
</tr>
</table>
<br>

=== Prerequisites ===

You need:
* Jailbroken iPhone 3G with OpenSSH installed (from cydia) and WLAN connection to your PC. ([http://www.iclarified.com/entry/index.php?enid=1558 Jailbreak Tutorial])
* Bladox's TurboSIM. (From http://www.bladox.com)
* SSH client for Windows Users such as Putty ([http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Putty Download Page])
* SCP client (e.g. [http://winscp.net/eng/download.php#download2 WinSCP]) or FTP Client such as [http://rsug.itd.umich.edu/software/fugu/ Fugu] for Mac and [http://rsug.itd.umich.edu/software/fugu/ SmartFTP] for Windows
* TurboSIM programming sw [[http://dl.free.fr/pzijbVjXl/turbo-cable-utils-iPhone-0.7.0-rev3-firmware-v2.tar.gz download]]
* TurboSIM app zero-g [[http://www.bladox.com/pub/zerog-0.95.tar.gz download]]

----

=== Installation ===

1. Insert your simcard in another 2G phone, and remove the SIM Card Pin Code. You should also go to the Network Selection, and Manually select your network. Then cut your SIM card to fit with the TurboSIM. Google a little bit how to do this, or use YouTube and insert both into your iPhone 3G.

2. Unpack turbo-cable-utils

3. Copy contents of bin-iphonev2 to folder /bin/ on your iPhone. (username: root password: alpine)

4. Unpack zerog-0.95 and copy zerog095.trb to /private/var/root/

[[Image:Winscp_turbo-utils.png]]

5. For Windows users, SSH into your iPhone using Putty. For Mac users, SSH into your iPhone using Terminal (Applications::Utilities::Terminal)

6. Change the permissions of the turbo files to 755

chmod 755 /bin/turbo-*

7. Run
launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

8. You should now lose your signal, and WiFi. Restart your phone. You will now have WiFi on and CommCentre unloaded.

9. Run turbo-info

# turbo-info
initializing modem
modem initiated
OK. No Error

NOTE: If you get an error from turbo-info, look for turbo-iphone-smsreset and run it.

10. Now run turbo-app /private/var/root/zerog095.trb

# turbo-app /private/var/root/zerog095.trb
SRC /private/var/root/zerog095.trb
SIZE 1032
initializing modem
modem initiated
OK. No Error

11. Run
launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

12. Now you should see Zero-G in the Sim Applications in Settings -> Phone -> Sim Applications

[[Image:Ip_simapp.png]]

[[Image:Ip_zerog.png]]

14. Click on Zero-G

15. Remove your card and TurboSIM from the 1st Generation iPhone

16. You will get No Service

[[Image:Ip_noservice.png]]

17. Open Settings -> Phone -> Sim Applications and click on Zero-G
You may be interrupted by a popup which says Going to Switch, just choose Accept (Green Button) If you do not get interrupted, it will appear in a minute after choosing Zero-G from Sim Applications.

[[Image:Ip_zerog2.png]]

18. That's it!!

[[Image:Ip_unlocked.png]]

----

=== 2G data settings ===
* roaming must be enabled
* make sure APN settings are correct (if APN options don't show up, just install a configuration file created with Apple's 'Web Configuration Utility' ([http://www.apple.com/support/downloads/iphoneconfigurationwebutility10formac.html Mac] / [http://www.apple.com/support/downloads/iphoneconfigurationwebutility10forwindows.html Windoze]) (In Windoze you can reach it with http://localhost:3000 ). Send this file to yourself and open it with the mail client.
* in BossPref (if you don't use it, don't care) 'edge' should be left enabled, even if network does not provide it (seems the BossPref option is a little bit misleading and 'edge' actually means 'GPRS/edge')

=== 3G-SIM / USIM ===

A new adapter was released in September (Gevey-3G) which allows full unlocking without the need of first placing the simcard in another unlocked device. You may have to turn 3G off, then insert the adapter placed with your sim card. After that you can turn 3G on. You'll have a full unlocked iPhone, including 3G signal. Also, this particular adapter does not require to cut your simcard, since the memory component is placed in the bottom part. This adapter does not allow "flight mode" use. In some cases a jailbreaking is needed in order to have it working properly.

It works with (some?) USIMs (blau.de Germany) as well. 3G '''must not be activated''' on the iPhone. Once 3G is activated, it stops working, even if it is deactivated afterwards. To revive such SIM, put it in a non UMTS capable phone (did it together with turboSIM), check phone and GPRS functions and then this USIM will work again on the iPhone-3G. The SIM application (zero-g) was not visible, but it worked though. If GPRS does not work after a while (3 minutes or so), reboot your phone and try again.

=== GPRS-'Fix' ===

Today GPRS stopped working for me. Seems to be there are some 'states', stored on the SIM. This fixed the issue:
* removed SIM+TSim
* put SIM (without TSim) into non UMTS, but GPRS/edge mobile
* checked GPRS
* repacked Sim+TSim and put it back to the iPhone

Voilà, here we go :-) GPRS for another few days :-)

Tho' this might really not be the ultimate solution, I could hardly switch back to my old XDA Orbit. But XDA is a good device to revive the TSim solution... For that, I still love it a litte bit ;-)

=== Stuck in No Signal after a period ===

Randomly you can get stuck in a bad No Signal. To correct that:

* remove SIM+TSim
* put SIM (without TSim) into non 3G phone
* Manually select your provider (desired to unlock) network
* repack Sim+TSim and put it back to the iPhone

Here we go again, unlock iphone for a few days more also.

<br>

=== TurboSIM Compatibility with Operators ===

Actually this table gives a rough overview of all *sim solutions because it reflects working of MCC/MNC = 001/01 and all *sim known so far use this method. The table doesn't give information about 3G though, as turbosim does not support 3G SIM-ME communication at the moment. So could be, some *sim solutions work with 3G where this table indicates no. Most probably there isn't any *sim solution that works in a specific configuration if this table indicates 'no' for the method at all.<br>

{| class="wikitable sortable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Country
! Unlocked Provider
! SIM/USIM
! Calls?
! SMS?
! GPRS/EDGE?
! UMTS/HSDPA?
! Comments
|-
| Brazil
| TIM
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| 3G signal with Gevey-3G adapter. Turn off 3G, insert simcard, then turn 3G on.
|-
| Brazil
| Claro
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| 3G signal with Gevey-3G adapter. Turn off 3G, insert simcard, then turn 3G on.
|-
| Brazil
| Vivo (Telefónica)
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| 3G signal with Gevey-3G adapter. Turn off 3G, insert simcard, then turn 3G on.
|-
| Brazil
| BrasilTelecom
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| 3G signal with Gevey-3G adapter. Turn off 3G, insert simcard, then turn 3G on.
|-
| Germany
| Blau.de
| USIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}
|
|-
| Germany
| Congstar
| USIM
| {{yes}}
| {{yes}}
| {{no}}
| {{no}}
| N/A
|-
| Germany
| O2
| USIM
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| They realized the challenge, striking back. Don't stress them. Don't use it.
|-
| Germany
| O2
| SIM
| {{no}}
| {{no}}
| {{no}}
| N/A
| They realized the challenge, striking back. Don't stress them. Don't use it.
|-
| Israel
| Orange (Partner)
| USIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{no}}
|
|-
| Jordan
| Orange
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| N/A
|
|-
| Jordan
| Umniah
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| N/A
|
|-
| Jordan
| Zain
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| N/A
|
|-
| Netherlands
| KPN
| USIM
| {{yes}}
| {{no}}
| {{no}}
| {{no}}
| Unstable.
|-
| Turkey
| Turkcell
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| N/A
|
|-
| UK
| Orange
| SIM
| {{no}}
| {{no}}
| {{no}}
| N/A
|
|-
| UK
| Tesco
| SIM
| {{yes}}
| {{yes}}
| N/A
| N/A
|
|-
| UK
| Virgin
| SIM
| {{yes}}
| {{yes}}
| N/A
| N/A
|
|-
| UK
| Vodafone
| SIM
| {{yes}}
| {{yes}}
| N/A
| N/A
|
|-
| N/A
| T-Mobile
| SIM
| {{no}}
| {{no}}
| {{no}}
| N/A
|
|-
| Bermuda
| Mobility
| SIM
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| Please note this is a Gevey 3G and it may just be my card.
|-
! Australia
! Three
! USIM
! {{yes}}
! {{yes}}
! {{no}}
! {{yes}}
! Airplane mode not working. Turn 3G off needs reboot if you want signal again. Using "i-SmartPhone" TSim
|-}

=== Remarks ===

* Important is you get zero-g into your turboSim. So you could also try with a first gen iphone, this needs the other version of turbo-cable-utils (bin-iphonev1) in case you didn't upgrade to 2.x yet.
* If you get ''ERROR: Not Enough RAM'' run '''turbo-rm-apps'''
* If you should encounter any problems with your TurboSIM (no access anymore, wrong app, ...) there is an easy method to remove installed turbo sim applications: instead of giving your SIM-Pin, enter the TPIN which you can find next to the serial number on the cover. This will reset your TurboSIM. Afterwards the phone asks a second time for your PIN, now use the SIM-Pin.

**A little help Gevey 3G not working at all not even picking up sim card any suggestions?**

[[Category:Unlocking Methods]]