The iPhone Wiki - User contributions [en]

AES Keys

2012-03-02T09:28:57Z

Jan0: derived keys

The {{wp|System-on-a-chip|SoC}} in each device have an {{wp|Advanced_Encryption_Standard|AES}} coprocessor with the [[GID-key]] and [[UID-key]] built in.

==Running The Engine==
Currently, there are several ways to run the hardware AES engine:
* Patch [[iBoot (Bootloader)|iBoot]] to jump to aes_decrypt.
* Use [http://github.com/planetbeing/iphonelinux/tree/master OpenIBoot].
* Use the crypto bundle provided in [[XPwn]] to utilize it via userland. This method requires a kernel patch.
* Use [[Greenpois0n (toolkit)|Greenpois0n]] console.

If you want to decrypt [[IMG3 File Format|IMG3]] files you need to use this. The [[GID-key]] currently has not been extracted from the phone, so the only way to use it is on the phone itself.

See [[Grabbing IMG3 Keys]] for an [[iBoot (Bootloader)|iBoot]] patch.

==Derived keys==

Some derived keys are computed by the IOAESAccelerator kernel service at boot. These keys are generated by encrypting static values either with the UID key (0x7D0 identifier) or the GID key (0x3E8 identifier). The values defined in the iPhone 4 5.0 kernel are :
<pre>
__text:807E3000 keys_to_compute DCD 0x835,0x7D0,0x1010101,0x1010101,0x1010101,0x1010101
__text:807E3018 DCD 0x899,0x7D0,0xB5FCE8D1,0x8DBF3739,0xD14CC7EF,0xB0D4F1D0
__text:807E3030 DCD 0x89B,0x7D0,0x67993E18,0x543CB06B,0xF568A46F,0x49BD0C1C
__text:807E3048 DCD 0x89A,0x7D0,0x335B1FDB,0x1C5F6C60,0x66AA3419,0x61069C58
</pre>

==Key 0x835==

Generated by encrypting 01010101010101010101010101010101 with the [[UID-key]]. Used for data protection.

==Key 0x837==
Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with the [[S5L8900]] [[GID-key]], resulting in 188458A6D15034DFE386F23B61D43774.

It is used as the encryption key for [[S5L File Formats#IMG2|IMG2 files]]. With the introduction of [[IMG3 File Format|IMG3]] in iOS 2.0, [[KBAG]]s are now used instead of the 0x837 key. Because iOS versions 1.x were used only on the [[M68ap|iPhone]] and [[N45ap|iPod touch]] (both use the [[S5L8900]]) the encrypted values for other processors don't matter.
==Key 0x89A==
For A4 devices:
Generated by encrypting DB1F5B33606C5F1C1934AA66589C0661 with the [[UID-key]], getting a device-specific key.

It is used to encrypt the [[SHSH]] blobs on the device.

==Key 0x89B==

Generated by encrypting 183E99676BB03C546FA468F51C0CBD49 with the [[UID-key]]. It is used the encrypt the data partition key.

==Key 0x899==

Generated by encrypting D1E8FCB53937BF8DEFC74CD1D0F1D4B0 with the [[UID-key]]. Usage unknown.

==Using [[Greenpois0n (toolkit)|greenpois0n]] to get the keys==
* Run steps 1 thru 5 from [[PwnStrap]]
* Use 'xpwntool file.img3 /dev/null' to extract the KBAG hex string from ''file.img3''
* Start greenpois0n console: irecovery -s
* Execute 'go aes dec _KBAG_STRING_' in irecovery console

==Resources==
[http://wikee.iphwn.org/s5l8900:encryption_keys Dev Team wiki]

System Log

2011-08-28T10:32:25Z

Jan0: added command line syslog trick

==bgm's trick for enabling system log==
# In the shell, do: echo "*.* /var/log/syslog" > /etc/syslog.conf
# Add the following tags to /System/Library/LaunchDaemons/com.apple.syslogd.plist after the tag <string>/usr/sbin/syslogd</string>
<string>-bsd_out</string>
<string>1</string>
This will tell the Daemon Launcher to call /usr/sbin/syslogd -bsd_out 1, and we have configured it to write all messages to [[:/var/log/syslog]]
# "reboot & enjoy your kernel and other messages" (bgm)

== Note ==
The syslog will grow very big quite quickly if you use [[Winterboard.app|Winterboard]]'s debug setting, but the folder [[:/private/var/log]] is on the data partition (music, etc).<br>
If you keep your device full of music, be careful you don't fill the partition. Unix systems tend to break when they
cant write to the syslog. Keep an eye on it or employ some log rotation.

To disable, enter [[Terminal.app]] and run:
rm /var/log/syslog;
mknod /var/log/syslog c 3 2
This will delete (<tt>rm</tt>) the file and create a [[:/dev/null]]. (<tt>mknod *** c 3 2</tt>)

To reenable, enter [[Terminal.app]] and run:
rm /var/log/syslog
touch /var/log/syslog

This will delete (<tt>rm</tt>) the file and and make a blank regular file. (<tt>touch</tt>)

== SBSettings Toggle ==
An SBSettings [http://apt.thebigboss.org/onepackage.php?bundleid=sbsettingssyslogd toggle] for enabling/disabling syslog is available at BigBoss' Cydia repository. The <tt>syslog > /var/log/syslog</tt> package from [[User:Saurik|saurik]]'s repo is not a dependency and you must manually install it also.

== Read syslog from command line ==

apt-get install socat
socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock

This gives an interactive shell with the syslog daemon (no need to enable file output). The watch command prints new messages as they arrive.

== Reference ==
* [http://code.google.com/p/iphone-elite/wiki/IphoneSyslogd Google Code]<br />
* [http://code.google.com/p/iphone-elite/source/list?path=/wiki/IphoneSyslogd.wiki&start=398 Full History]

Incomplete Codesign Exploit

2011-07-10T12:52:30Z

Jan0: added infos for ndrv_setspec & Saffron kickstarts

Incomplete Codesign is a technique introduced by [[User:Comex|Comex]] in the [[Spirit]] jailbreak that allows untethered userland code execution. The idea is to plant a crafted Mach-O binary on the filesystem and have it loaded early during the boot process. This technique must be used in conjunction with another exploit to first plant the binary on the filesystem (like the [[MobileBackup Copy Exploit]] used in Spirit, or one of the DFU mode exploits [[Pwnage 2.0]]/[[Steaks4uce]]/[[Limera1n]]).
Since executable pages must be signed, the crafted binary will have to abuse the loader or the dynamic linker functionalities to transfer execution to a ROP payload that will use existing (signed) code fragments (gadgets). The endgame is to have the userland code trigger and exploit a kernel vulnerability to achieve the jailbroken state.

== Credit ==
[[User:Comex|Comex]]

== Interposition exploit ([[Spirit]] & [[Star]])==

The first technique used in the Spirit and Star jailbreaks involves loading a custom shared library (dylib) in the first userland process ([[launchd]]). The library is loaded using the launchd libgmalloc debugging feature that can be enabled by creating the <code>/var/db/.launchd_use_gmalloc</code> file.
<pre>
if (pid1_magic && g_use_gmalloc) {
if (!getenv("DYLD_INSERT_LIBRARIES")) {
setenv("DYLD_INSERT_LIBRARIES", "/usr/lib/libgmalloc.dylib", 1);
setenv("MALLOC_STRICT_SIZE", "1", 1);
execv(argv[0], argv);
} else {
unsetenv("DYLD_INSERT_LIBRARIES"); //this call is hijacked through interposition
unsetenv("MALLOC_STRICT_SIZE");
}
}
</pre>

The crafted libgmalloc.dylib does not contains any executable segments, but instead uses the dyld interposition feature to redirect several exported functions to code fragments in the launchd binary. The interposed functions and their replacement addresses are chosen to force launchd to perform a stack pivot, and have SP pointing to a data segment in the shared library, allowing ROP code execution. The following functions are interposed to allow the stack pivot : <code>_unsetenv, _launch_data_new_errno, _setrlimit, __exit, _audit_token_to_au32, _launch_data_unpack, _launch_data_dict_iterate </code> (a few other functions are also interposed to create some gadgets used by the ROP payload).
Once launchd has restarted itself with the crafted libgmalloc.dylib, the unsetenv function call will execute the following "interposition gadgets" :

<pre>
LDR R0, =aDyld_insert_li ; "DYLD_INSERT_LIBRARIES"
BL _unsetenv
LDR R0, [R0] #R0 = 0x444c5944 = "DLYD" = little endian "DYLD"
BL _launch_data_new_errno
MOV R0, R0, LSR#2 #R0 = R0 / 4
BL _setrlimit
ADD R0, R0, #3 #R0 = R0 + 3
BL __exit
LDMIA R0, {R0-R3} #R0 = 0x11131654 (__heap section in libgmalloc.dylib =[0,0, 0x1113000C, STACK_PIVOT_GADGET)
BL _audit_token_to_au32
STR R2, [SP+4] #R2 = 0x1113000C
BL _launch_data_unpack
STR R3, [SP+8] #R3 = STACK_PIVOT_GADGET
BL _launch_data_dict_iterate
LDMFD SP!, {R4,R7,PC} #=> R7 = 0x1113000C, PC = STACK_PIVOT_GADGET

STACK_PIVOT_GADGET:
SUB SP, R7, #0xC #SP = 0x11130000 (start of ROP stack in __heap section)
LDMFD SP!, {R4-R7,PC} #ROP starts here
</pre>

The ROP payloads in Spirit and Star exploit respectively the BPF and IOSurface kernel vulnerabilities in order to patch the kernel, and then restart launchd to continue the normal boot process.

In iOS 4.1, dyld does a range check on the interposition targets to make sure that a dylib only redirects symbols to its own code segments, preventing the use of this feature to control code flow (since we cannot have executable code segments without a valid signature).

== Initializers exploit (Packet Filter/HFS Legacy Volume Name)==
For the iOS 4.1 [[Packet Filter Kernel Exploit]], comex introduced another technique to get code execution, still using libgmalloc.dylib but in a less convoluted manner.
A Mach-O binary can declare an initializers section holding function pointers to be called upon loading (just like the ELF constructors section). This feature allows immediate control of the instruction pointer. Initializers calls are made in <code>ImageLoaderMachO::doModInitFunctions()</code> (note that the iOS version of dyld is slightly different than the open-source version). The following code shows this function on iOS 4.1 :

<pre>
__text:2FE0BFE6 LDR.W R6, [R11,R5,LSL#2] ; Initializer func = inits[i];
__text:2FE0BFEA CBZ R3, loc_2FE0BFFA
__text:2FE0BFEC LDR R3, [SP,#0x30+var_2C]
__text:2FE0BFEE LDR R0, =(aDyldCallingIni - 0x2FE0BFF6)
__text:2FE0BFF0 MOV R1, R6
__text:2FE0BFF2 ADD R0, PC ; "dyld: calling initializer function %p i"...
__text:2FE0BFF4 LDR R2, [R3,#4]
__text:2FE0BFF6 BL __ZN4dyld3logEPKcz ; dyld::log(char const*,...)
__text:2FE0BFFA
__text:2FE0BFFA loc_2FE0BFFA
__text:2FE0BFFA ADD.W R12, R4, #0x58
__text:2FE0BFFE LDR R0, [R4,#0x44]
__text:2FE0C000 LDR R1, [R4,#0x48]
__text:2FE0C002 LDR R2, [R4,#0x4C]
__text:2FE0C004 LDR R3, [R4,#0x50]
__text:2FE0C006 STR.W R12, [SP]
__text:2FE0C00A BLX R6 ; func(context.argc, context.argv, context.envp, context.apple, &context.programVars)
</pre>

Since R11 points to the start of the section containing the initializers function pointers (<code>inits</code>), comex uses the following uncommon gadget to perform the stack pivot :
<pre>
0x499ba000 LDMIBMI R11, {SP, PC} #increments R11 by 4, then pops SP and PC
</pre>

Unlike Spirit's and Star's kernel exploits, the [[Packet Filter Kernel Exploit]] is not done in the ROP payload. Instead, the ROP payload is shorter and performs the following calls to run the exploit in an unsigned binary :

<pre>
int zero = 0;
char *params[] = {"/usr/lib/pf2", NULL};
char *env[] = {NULL};
/* these 3 function calls are done as ROP */
sysctlbyname("security.mac.proc_enforce", NULL, 0, &zero, sizeof(zero));
sysctlbyname("security.mac.vnode_enforce", NULL, 0, &zero, sizeof(zero));
execve("/usr/lib/pf2", params, env);
</pre>

Setting the <code>security.mac.proc_enforce</code> and <code>security.mac.vnode_enforce</code> variables to 0 allows running unsigned binaries, with some side effects (see [http://www.saurik.com/id/8]). The <code>vnode_enforce</code> is reset to 0 as soon as the kernel exploit completes. In iOS 4.3 beta, those variables are now read only.

Starting with iOS 4.2.1, dyld does a range check on the initializers so that the previous trick does not work (look for the <code>"dyld: ignoring out of bounds initializer function %p in %s"</code> string). However, for some unknown reason this check is only made if <code>ImageLoaderMachO::isDylib()</code> returns true. Hence, in [[Greenpois0n_(jailbreak)|Greenpois0n]] RC5, a crafted executable with an initializers section was used to replace the launchd binary and kickstart [[User:pod2g|pod2g]]'s [[HFS Legacy Volume Name Stack Buffer Overflow]] kernel exploit. The original launchd binary is renamed to punchd and is run as soon as the kernel exploit is done.

In iOS 4.2.1 dyld the <code>inits</code> pointer is not stored in R11 anymore but at [SP+4] :
<pre>
__text:2FE0C03C loc_2FE0C03C
__text:2FE0C03C LDR R3, [SP,#4]
__text:2FE0C03E MOV R0, R6
__text:2FE0C040 LDR.W R4, [R3,R8,LSL#2] ;Initializer func = inits[i];
__text:2FE0C044 LDR R3, [R6]
__text:2FE0C046 LDR R3, [R3,#0x78]
__text:2FE0C048 BLX R3 ; ImageLoaderMachO::isDylib(void)
__text:2FE0C04A CMP R0, #0
__text:2FE0C04C BEQ loc_2FE0C0EE ;bypass range check

...

__text:2FE0C088 loc_2FE0C088
__text:2FE0C088 ADD.W R12, R5, #0x5C
__text:2FE0C08C LDR R0, [R5,#0x48]
__text:2FE0C08E LDR R1, [R5,#0x4C]
__text:2FE0C090 LDR R2, [R5,#0x50]
__text:2FE0C092 LDR R3, [R5,#0x54]
__text:2FE0C094 STR.W R12, [SP] ; &context.programVars->mh
__text:2FE0C098 BLX R4 ; func(context.argc, context.argv, context.envp, context.apple, &context.programVars)
</pre>

The stack pivot is done using two initializers :
<pre>
POP {R6,R7} ; BX LR #R6=&context.programVars->mh, R7=inits
SUB SP, R7, #0 ; POP {R7,PC} #do the stack pivot
</pre>
Since the first initializer clobbers R6 and shuffles the local variables by incrementing SP by 8, some conditions must be met for dyld to reach the second initializer call without crashing :
* the second initializer pointer has to be stored at offset 0x1004 (segPreferredLoadAddress(0) + 4)
* a pointer to a return 0 gadget must be present at offset 0x78 in the Mach-O file (context.programVars->mh[0x78])

== [[ndrv_setspec() Integer Overflow]] kickstart ==

Starting with iOS 4.3, gadget addresses cannot be hardcoded because of ASLR. [[i0n1c]]'s launchd binary uses the relocation functionality of dyld to fix those adresses dynamically. This can be seen by running the binary with the <code>DYLD_PRINT_BINDINGS</code> environment variable set. The "compressed" format of relocations is used (see the <code>LC_DYLD_INFO_ONLY</code> command and the <code>ImageLoaderMachOCompressed::eachBind</code> function in dyld). The binary also contains rebasing information but is not marked as position independent (?).

The section <code>__DATA:__b</code> contains one initializer that points to the <code>dyld::runTerminators</code> function. This function calls <code>ImageLoaderMachO::doTermination</code>, that does the same job as <code>doModInitFunctions</code> but for termination functions.

<pre>
__text:2FE0DEEA loc_2FE0DEEA
__text:2FE0DEEA LDRB.W R3, [R11,#0x91]
__text:2FE0DEEE LDR.W R6, [R5,#-4] ;Terminator func = terms[i-1];
__text:2FE0DEF2 CBZ R3, loc_2FE0DF02
__text:2FE0DEF4 LDR R3, [SP,#0x28+var_28]
__text:2FE0DEF6 LDR R0, =(aDyldCallingTer - 0x2FE0DEFE)
__text:2FE0DEF8 MOV R1, R6
__text:2FE0DEFA ADD R0, PC ; "dyld: calling termination function %p i"...
__text:2FE0DEFC LDR R2, [R3,#4]
__text:2FE0DEFE BL __ZN4dyld3logEPKcz ; dyld::log(char const*,...)
__text:2FE0DF02
__text:2FE0DF02 loc_2FE0DF02
__text:2FE0DF02 BLX R6 ;func()
__text:2FE0DF04 SUBS R4, #1
__text:2FE0DF06 SUBS R5, #4
__text:2FE0DF08
__text:2FE0DF08 loc_2FE0DF08
__text:2FE0DF08 CMP R4, #0
__text:2FE0DF0A BNE loc_2FE0DEEA
</pre>

Here R5 points directly to the to the array of terminators (<code>terms</code>). The binary contains one termination function (in section <code>__DATA:__c</code>) that points to the following gadget which will transfer execution to the ROP payload (in section <code>__DATA:__d</code>).

<pre>
ldm r5, {r2, r4, r5, r7, r8, r9, r10, r11, r12, sp, pc}
</pre>

== [[Saffron]] kickstart ==

The [[Saffron]] untether binary also uses relocations. Here, the standard format is used (<code>ARM_RELOC_VANILLA</code>, not compressed <code>LINKEDIT</code>). The initializer gadget used simply modifies the R7 register :

<pre>
asrs r7, r3, #13
bx lr
</pre>

When calling an initializer, R3 points to <code>context.apple</code>, which happens to be the value of the stack pointer set by the <code>LC_UNIXTHREAD</code> command. Values for this stack pointer and the ROP payload segment base are chosen so that transfer to the ROP payload will happen at the <code>ImageLoaderMachO::doModInitFunctions()</code> epilog.

<pre>
__text:2FE0C804 SUB.W SP, R7, #0x18
__text:2FE0C808 POP.W {R8,R10,R11}
__text:2FE0C80C POP {R4-R7,PC}
__text:2FE0C80C ; End of function ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&)
</pre>

<pre>
r3 = 0x10031000 (ARM_THREAD_STATE[sp])
r7 = r3 >> 13 = 0x8018
sp = r7 - 0x18 = 0x8000 (start of __ROP segment)
</pre>

== Sources for information ==

* https://github.com/comex/spirit/blob/master/igor/one.py
* https://github.com/comex/spirit/blob/master/igor/configdata.py
* http://books.google.fr/books?id=K8vUkpOXhN4C&lpg=PA73&ots=OJqiYTUwVD&dq=dyld%20interpose&pg=PA73#v=onepage&q&f=false
* http://launchd.macosforge.org/trac/browser/trunk/launchd/src/launchd.c
* http://blogs.embarcadero.com/eboling/2010/01/29/5639/
* http://opensource.apple.com/source/dyld/dyld-132.13/src/ImageLoaderMachO.cpp
* https://github.com/comex/starn/blob/43989121a0f74639cf8cc3aa57514e6ef0c97dbd/goo/one.py
* https://github.com/comex/starn/blob/43989121a0f74639cf8cc3aa57514e6ef0c97dbd/config/configdata.py
* http://pastie.org/572025
* http://opensource.apple.com/source/dyld/dyld-132.13/src/ImageLoaderMachOCompressed.cpp
* http://www.opensource.apple.com/source/xnu/xnu-1504.9.37/EXTERNAL_HEADERS/mach-o/reloc.h
[[Category:Exploits]]

Incomplete Codesign Exploit

2011-02-06T12:32:45Z

Jan0: comex is a Mach-o man :)

Incomplete Codesign is a technique introduced by [[User:Comex|Comex]] in the [[Spirit]] jailbreak that allows untethered userland code execution. The idea is to plant a crafted Mach-O binary on the filesystem and have it loaded early during the boot process. This technique must be used in conjunction with another exploit to first plant the binary on the filesystem (like the [[MobileBackup Copy Exploit]] used in Spirit, or one of the DFU mode exploits [[Pwnage 2.0]]/[[Steaks4uce]]/[[Limera1n]]).
Since executable pages must be signed, the crafted binary will have to abuse the loader or the dynamic linker functionalities to transfer execution to a ROP payload that will use existing (signed) code fragments (gadgets). The endgame is to have the userland code trigger and exploit a kernel vulnerability to achieve the jailbroken state.

== Credit ==
[[User:Comex|Comex]]

== Interposition exploit ([[Spirit]] & [[Star]])==

The first technique used in the Spirit and Star jailbreaks involves loading a custom shared library (dylib) in the first userland process ([[launchd]]). The library is loaded using the launchd libgmalloc debugging feature that can be enabled by creating the <code>/var/db/.launchd_use_gmalloc</code> file.
<pre>
if (pid1_magic && g_use_gmalloc) {
if (!getenv("DYLD_INSERT_LIBRARIES")) {
setenv("DYLD_INSERT_LIBRARIES", "/usr/lib/libgmalloc.dylib", 1);
setenv("MALLOC_STRICT_SIZE", "1", 1);
execv(argv[0], argv);
} else {
unsetenv("DYLD_INSERT_LIBRARIES"); //this call is hijacked through interposition
unsetenv("MALLOC_STRICT_SIZE");
}
}
</pre>

The crafted libgmalloc.dylib does not contains any executable segments, but instead uses the dyld interposition feature to redirect several exported functions to code fragments in the launchd binary. The interposed functions and their replacement addresses are chosen to force launchd to perform a stack pivot, and have SP pointing to a data segment in the shared library, allowing ROP code execution. The following functions are interposed to allow the stack pivot : <code>_unsetenv, _launch_data_new_errno, _setrlimit, __exit, _audit_token_to_au32, _launch_data_unpack, _launch_data_dict_iterate </code> (a few other functions are also interposed to create some gadgets used by the ROP payload).
Once launchd has restarted itself with the crafted libgmalloc.dylib, the unsetenv function call will execute the following "interposition gadgets" :

<pre>
LDR R0, =aDyld_insert_li ; "DYLD_INSERT_LIBRARIES"
BL _unsetenv
LDR R0, [R0] #R0 = 0x444c5944 = "DLYD" = little endian "DYLD"
BL _launch_data_new_errno
MOV R0, R0, LSR#2 #R0 = R0 / 4
BL _setrlimit
ADD R0, R0, #3 #R0 = R0 + 3
BL __exit
LDMIA R0, {R0-R3} #R0 = 0x11131654 (__heap section in libgmalloc.dylib =[0,0, 0x1113000C, STACK_PIVOT_GADGET)
BL _audit_token_to_au32
STR R2, [SP+4] #R2 = 0x1113000C
BL _launch_data_unpack
STR R3, [SP+8] #R3 = STACK_PIVOT_GADGET
BL _launch_data_dict_iterate
LDMFD SP!, {R4,R7,PC} #=> R7 = 0x1113000C, PC = STACK_PIVOT_GADGET

STACK_PIVOT_GADGET:
SUB SP, R7, #0xC #SP = 0x11130000 (start of ROP stack in __heap section)
LDMFD SP!, {R4-R7,PC} #ROP starts here
</pre>

The ROP payloads in Spirit and Star exploit respectively the BPF and IOSurface kernel vulnerabilities in order to patch the kernel, and then restart launchd to continue the normal boot process.

In iOS 4.1, dyld does a range check on the interposition targets to make sure that a dylib only redirects symbols to its own code segments, preventing the use of this feature to control code flow (since we cannot have executable code segments without a valid signature).

== Initializers exploit (pf2/hfs legacy)==
For the iOS 4.1 [[Packet Filter Kernel Exploit]], comex introduced another technique to get code execution, still using libgmalloc.dylib but in a less convoluted manner.
A Mach-O binary can declare an initializers section holding function pointers to be called upon loading (just like the ELF constructors section). This feature allows immediate control of the instruction pointer. Initializers calls are made in <code>ImageLoaderMachO::doModInitFunctions()</code> (note that the iphone version of dyld is slightly different than the open-source version). The following code shows this function on iOS 4.1 :

<pre>
__text:2FE0BFE6 LDR.W R6, [R11,R5,LSL#2] ; Initializer func = inits[i];
__text:2FE0BFEA CBZ R3, loc_2FE0BFFA
__text:2FE0BFEC LDR R3, [SP,#0x30+var_2C]
__text:2FE0BFEE LDR R0, =(aDyldCallingIni - 0x2FE0BFF6)
__text:2FE0BFF0 MOV R1, R6
__text:2FE0BFF2 ADD R0, PC ; "dyld: calling initializer function %p i"...
__text:2FE0BFF4 LDR R2, [R3,#4]
__text:2FE0BFF6 BL __ZN4dyld3logEPKcz ; dyld::log(char const*,...)
__text:2FE0BFFA
__text:2FE0BFFA loc_2FE0BFFA
__text:2FE0BFFA ADD.W R12, R4, #0x58
__text:2FE0BFFE LDR R0, [R4,#0x44]
__text:2FE0C000 LDR R1, [R4,#0x48]
__text:2FE0C002 LDR R2, [R4,#0x4C]
__text:2FE0C004 LDR R3, [R4,#0x50]
__text:2FE0C006 STR.W R12, [SP]
__text:2FE0C00A BLX R6 ; func(context.argc, context.argv, context.envp, context.apple, &context.programVars)
</pre>

Since R11 points to the start of the section containing the initializers function pointers (<code>inits</code>), comex uses the following uncommon gadget to perform the stack pivot :
<pre>
0x499ba000 LDMIBMI R11, {SP, PC} #increments R11 by 4, then pops SP and PC
</pre>

Unlike Spirit and Star kernel exploits, the [[Packet Filter Kernel Exploit]] is not done in the ROP payload. Instead, the ROP payload is shorter and performs the following calls to run the exploit in an unsigned binary :

<pre>
int zero = 0;
char *params[] = {"/usr/lib/pf2", NULL};
char *env[] = {NULL};
/* these 3 function calls are done as ROP */
sysctlbyname("security.mac.proc_enforce", NULL, 0, &zero, sizeof(zero));
sysctlbyname("security.mac.vnode_enforce", NULL, 0, &zero, sizeof(zero));
execve("/usr/lib/pf2", params, env);
</pre>

Setting the <code>security.mac.proc_enforce</code> and <code>security.mac.vnode_enforce</code> variables to 0 allows running unsigned binaries, with some side effects (see [http://www.saurik.com/id/8]). The <code>vnode_enforce</code> is reset to 0 as soon as the kernel exploit completes. In iOS 4.3 beta, those variables are now read only.

Starting with iOS 4.2.1, dyld does a range check on the initializers so that the previous trick does not work (look for the <code>"dyld: ignoring out of bounds initializer function %p in %s"</code> string). However, for some unknown reason this check is only made if <code>ImageLoaderMachO::isDylib()</code> returns true. Hence, in [[Greenpois0n_(jailbreak)|Greenpois0n]] RC5, a crafted executable with an initializers section was used to replace the launchd binary and kickstart [[User:pod2g|pod2g]]'s [[HFS_Legacy_Volume_Name_Stack_Buffer_Overflow]] kernel exploit. The original launchd binary is renamed to punchd and is run as soon as the kernel exploit is done.

In iOS 4.2.1 dyld the <code>inits</code> pointer is not stored in R11 anymore but at [SP+4] :
<pre>
__text:2FE0C03C loc_2FE0C03C
__text:2FE0C03C LDR R3, [SP,#4]
__text:2FE0C03E MOV R0, R6
__text:2FE0C040 LDR.W R4, [R3,R8,LSL#2] ;Initializer func = inits[i];
__text:2FE0C044 LDR R3, [R6]
__text:2FE0C046 LDR R3, [R3,#0x78]
__text:2FE0C048 BLX R3 ; ImageLoaderMachO::isDylib(void)
__text:2FE0C04A CMP R0, #0
__text:2FE0C04C BEQ loc_2FE0C0EE ;bypass range check

...

__text:2FE0C088 loc_2FE0C088
__text:2FE0C088 ADD.W R12, R5, #0x5C
__text:2FE0C08C LDR R0, [R5,#0x48]
__text:2FE0C08E LDR R1, [R5,#0x4C]
__text:2FE0C090 LDR R2, [R5,#0x50]
__text:2FE0C092 LDR R3, [R5,#0x54]
__text:2FE0C094 STR.W R12, [SP] ; &context.programVars->mh
__text:2FE0C098 BLX R4 ; func(context.argc, context.argv, context.envp, context.apple, &context.programVars)
</pre>

The stack pivot is done using two initializers :
<pre>
POP {R6,R7} ; BX LR #R6=&context.programVars->mh, R7=inits
SUB SP, R7, #0 ; POP {R7,PC} #do the stack pivot
</pre>
Since the first initializer clobbers R6 and shuffles the local variables by incrementing SP by 8, some conditions must be met for dyld to reach the second initializer call without crashing :
* the second initializer pointer has to be stored at offset 0x1004 (segPreferredLoadAddress(0) + 4)
* a pointer to a return 0 gadget must be present at offset 0x78 in the Mach-O file (context.programVars->mh[0x78])

== Sources for information ==

* https://github.com/comex/spirit/blob/master/igor/one.py
* https://github.com/comex/spirit/blob/master/igor/configdata.py
* http://books.google.fr/books?id=K8vUkpOXhN4C&lpg=PA73&ots=OJqiYTUwVD&dq=dyld%20interpose&pg=PA73#v=onepage&q&f=false
* http://launchd.macosforge.org/trac/browser/trunk/launchd/src/launchd.c
* http://blogs.embarcadero.com/eboling/2010/01/29/5639/
* http://opensource.apple.com/source/dyld/dyld-132.13/src/ImageLoaderMachO.cpp
* https://github.com/comex/starn/blob/43989121a0f74639cf8cc3aa57514e6ef0c97dbd/goo/one.py
* https://github.com/comex/starn/blob/43989121a0f74639cf8cc3aa57514e6ef0c97dbd/config/configdata.py

[[Category:Exploits]]

Firmware

2010-03-13T18:47:00Z

Jan0: /* iPhone 3G */ Kirkwood 7A400

This is the operating system the iPhone/iPod Touch runs. Latest Apple download links can be found [http://www.itunes.com/version here].

==Comparison of firmware versions==

===[[M68ap|iPhone]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!width="40"| Version
!width="120"| Build
!width="70"| [[Baseband]]
!width="210"| IPSW Download URL
!width="220"| SHA1 Hash
!width="140"| Comments
!width="95"| Can be [[jailbreak|jailbroken]]?
!width="95"| Can be [[unlock|unlocked]] OTB?
!width="70"| File Size
|-
| 1.0
| [[Alpine 1A420]]
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]
| iphoneproto.zip
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code>
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]
| {{yes}}
| {{no}}
| 109,813,128
|-
| 1.0.0
| Heavenly 1A543a
| 03.12.06_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]
| <code>fb8bb3ee2e9a997affbb97868599f2995c78209c</code>
| Initial US shipment.
| {{yes}}
| {{yes}}
| 95,604,348
|-
| 1.0.1
| Heavenly 1C25
| 03.12.06_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]
| <code>a00b85a7a55d62a94be5fbf5effbc42fd63f3097</code>
|
| {{yes}}
| {{yes}}
| 95,627,958
|-
| 1.0.2
| Heavenly 1C28
| 03.14.08_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]
| <code>7f5c0ff1f84a0202b75a55c3fcb362e415334d1e</code>
|
| {{yes}}
| {{yes}}
| 95,627,324
|-
| 1.1.1
| Snowbird 3A109a
| 04.01.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]
| <code>d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c</code>
|
| {{yes}}
| {{yes}}
| 159,668,150
|-
| 1.1.2
| Oktoberfest 3B48b
| 04.02.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]
| <code>797c02e7d660940e8d9a16cc7229ccf3f67dd8b1</code>
| Initial Euro shipment.
| {{yes}}
| {{yes}}
| 167,927,501
|-
| 1.1.3
| Little Bear 4A93
| 04.03.13_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]
| <code>b3dec7580bd00dc4faf28449d9618ef40aeacc96</code>
|
| {{yes}}
| {{yes}}
| 169,950,551
|-
| 1.1.4
| Little Bear 4A102
| 04.04.05_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]
| <code>000811bac096011b50ebf6ec1ec2285b62fda4cb</code>
|
| {{yes}}
| {{yes}}
| 169,946,442
|-
| 2.0
| Big Bear 5A347
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]
| <code>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</code>
|
| {{yes}}
| {{yes}}
| 228,768,637
|-
| 2.0.1
| Big Bear 5B108
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]
| <code>61de6a2bd6ceddc9ecabad1671b91a59b3824bc4</code>
|
| {{yes}}
| {{yes}}
| 254,048,068
|-
| 2.0.2
| Big Bear 5C1
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]
| <code>b84b57bea919bdc720287ec908c1378e7d7b5e1b</code>
|
| {{yes}}
| {{yes}}
| 253,589,000
|-
| 2.1
| Sugar Bowl 5F136
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]
| <code>353b7745767b85932e14e262e69463620939bdf7</code>
|
| {{yes}}
| {{yes}}
| 242,171,241
|-
| 2.2
| Timberline 5G77
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]
| <code>cbfc6ff886ce89868a55547b9fb980dbf92e6418</code>
|
| {{yes}}
| {{yes}}
| 257,576,980
|-
| 2.2.1
| SUTimberline 5H11
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]
| <code>43b95ebe1e51f8d30eae916053396595c08440d3</code>
|
| {{yes}}
| {{yes}}
| 257,593,705
|-
| 3.0
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]
| <code>2afd3f8ede17390737f508473ed205506a0bd23f</code>
|
| {{yes}}
| {{yes}}
| 240,394,111
|-
| 3.0.1
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]
| <code>34c391fbbc7b31b159372766de39ce5c9cc26ebb</code>
|
| {{yes}}
| {{yes}}
| 240,439,502
|-
| 3.1
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]
| <code>b7b5f436f81c6f855410e8b44a3d432ccaacd6fc</code>
|
| {{yes}}
| {{yes}}
| 252,536,460
|-
| 3.1.2
| [[Northstar 7D11 (iPhone)|Northstar 7D11]]
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7268.20091008.32pNe/iPhone1,1_3.1.2_7D11_Restore.ipsw iPhone1,1_3.1.2_7D11_Restore.ipsw]
| <code>e4a1171542dbbd3093516d9c02047b9f7e143050</code>
|
| {{yes}}
| {{yes}}
| 252,515,888
|-
| 3.1.3
| [[SUNorthstarTwo 7E18 (iPhone)|SUNorthstarTwo 7E18]]
| 04.05.04_G
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7481.20100202.4orot/iPhone1,1_3.1.3_7E18_Restore.ipsw iPhone1,1_3.1.3_7E18_Restore.ipsw]
| <code>eab23a7f8d2a17cb71046c50fc5f67ec390a3c2b</code>
|
| {{yes}}
| {{yes}}
| 238,319,275
|}

===[[N82ap|iPhone 3G]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!width="40"| Version
!width="120"| Build
!width="70"| [[Baseband]]
!width="210"| IPSW Download URL
!width="220"| SHA1 Hash
!width="140"| Comments
!width="95"| Can be [[jailbreak|jailbroken]]?
!width="95"| Can be [[unlock|unlocked]] OTB?
!width="70"| File Size
|-
| 2.0
| Big Bear 5A345
| 01.45.00
| No download available
|
| Initial shipment.
| {{yes}}
| {{no}}
|
|-
| 2.0
| Big Bear 5A347
| 01.45.00
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]
| <code>af9506ca0034e462674f9f59c5406f159eaf9fc1</code>
|
| {{yes}}
| {{no}}
| 235,957,125
|-
| 2.0.1
| Big Bear 5B108
| 01.48.02
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]
| <code>e81c7ac7e334a3e9d81b3b47894bfaa1ec495482</code>
|
| {{yes}}
| {{no}}
| 261,224,227
|-
| 2.0.2
| Big Bear 5C1
| 02.08.01
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]
| <code>bef7fef954293046420fbcf947379839178a195b</code>
|
| {{yes}}
| {{no}}
| 260,761,030
|-
| 2.1
| Sugar Bowl 5F136
| 02.11.07
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]
| <code>c6957dcbf2a95ccfd6dce374a727b1b7700a9043</code>
|
| {{yes}}
| {{no}}
| 249,341,655
|-
| 2.2
| Timberline 5G77
| 02.28.00
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]
| <code>f67f8b2b842428bf89456cda0c2d5cf954d111a4</code>
|
| {{yes}}
| {{yes|[[Ultrasn0w|yellowsn0w]]}}
| 258,342,348
|-
| 2.2.1
| SUTimberline 5H11
| 02.30.03
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]
| <code>e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c</code>
|
| {{yes}}
| {{no}}
| 258,359,073
|-
| 3.0
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]
| 04.26.08
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]
| <code>94f1fb43de12bff0f168ce690b7e794cc6220ae3</code>
|
| {{yes}}
| {{yes|[[Ultrasn0w|ultrasn0w]]}}
| 241,229,233
|-
| 3.0.1
| [[Kirkwood 7A400 (iPhone 3G)|Kirkwood 7A400]]
| 04.26.08
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]
| <code>a148ff39fa4dea499e7a9dd007b63e90c4f56666</code>
|
| {{yes}}
| {{yes|[[Ultrasn0w|ultrasn0w]]}}
| 241,274,617
|-
| 3.1
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]
| 05.11.07
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]
| <code>9b3b3c148170b012012278efda9ff5c38282d559</code>
|
| {{yes}}
| {{yes|[[blacksn0w]]}}
| 253,361,339
|-
| 3.1.2
| [[Northstar 7D11 (iPhone 3G)|Northstar 7D11]]
| 05.11.07
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7265.20091008.Xsd32/iPhone1,2_3.1.2_7D11_Restore.ipsw iPhone1,2_3.1.2_7D11_Restore.ipsw]
| <code>b1a6ab2771bb5da372ba75a8fa3e1d72b71359d0</code>
|
| {{yes}}
| {{yes|[[blacksn0w]]}}
| 253,340,786
|-
| 3.1.3
| [[SUNorthstarTwo 7E18 (iPhone 3G)|SUNorthstarTwo 7E18]]
| 05.12.01
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7468.20100202.pbnrt/iPhone1,2_3.1.3_7E18_Restore.ipsw iPhone1,2_3.1.3_7E18_Restore.ipsw]
| <code>f5950afca546f93e281ba3cdb08bc0cfed7f0896</code>
|
| {{yes}}
| {{no}}
| 239,139,281
|}

===[[N88ap|iPhone 3GS]]===
Due to a new bootrom designed to close the [[0x24000 Segment Overflow]], an iPhone 3GS produced around year 2009 week 40/41 or later is currently limited to a '''tethered jailbreak'''.

{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!width="40"| Version
!width="120"| Build
!width="70"| [[Baseband]]
!width="210"| IPSW Download URL
!width="220"| SHA1 Hash
!width="140"| Comments
!width="95"| Can be [[jailbreak|jailbroken]]?
!width="95"| Can be [[unlock|unlocked]] OTB?
!width="70"| File Size
|-
| 3.0
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]
| 04.26.08
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw]
| <code>d8534408c8679c830fd0c4e36ef9762c11ef73df</code>
| Initial shipment.
| {{yes}}
| {{yes|[[Ultrasn0w|ultrasn0w]]}}
| 312,292,933
|-
| 3.0.1
| Kirkwood 7A400
| 04.26.08
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]
| <code>30006575af931e3da0521febace005152cdb8853</code>
|
| {{yes}}
| {{yes|[[Ultrasn0w|ultrasn0w]]}}
| 312,330,244
|-
| 3.1
| [[Northstar 7C144 (iPhone 3GS)|Northstar 7C144]]
| 05.11.07
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]
| <code>527c74f87588afa1d69c1e2c08eedc88f113013a</code>
| Installed on phones produced week 37.
| {{yes}}
| {{yes|[[blacksn0w]]}}
| 321,011,474
|-
| 3.1.2
| [[Northstar 7D11 (iPhone 3GS)|Northstar 7D11]]
| 05.11.07
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7270.20091008.phn32/iPhone2,1_3.1.2_7D11_Restore.ipsw iPhone2,1_3.1.2_7D11_Restore.ipsw]
| <code>6998bb7d9e869b2d89a08853312f9457d070fb1f</code>
|
| {{yes}}
| {{yes|[[blacksn0w]]}}
| 321,015,700
|-
| 3.1.3
| [[SUNorthstarTwo 7E18 (iPhone 3GS)|SUNorthstarTwo 7E18]]
| 05.12.01
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7472.20100202.8tugj/iPhone2,1_3.1.3_7E18_Restore.ipsw iPhone2,1_3.1.3_7E18_Restore.ipsw]
| <code>8cb3775e62c6f72059a962bf891b4e145b965052</code>
|
| {{no|No, for OTB phones}}
| {{no}}
| 305,122,343
|}

===[[N45ap|iPod touch (1st generation)]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!width="40"| Version
!width="168"| Build
!width="200"| IPSW Download URL
!width="220"| SHA1 Hash
!width="150"| Comments
!width="100"| Can be [[jailbreak|jailbroken]]?
!width="70"| File Size
|-
| 1.1.0
| Snowbird 3A100a
| No download available
|
| Initial shipment.
| {{yes}}
|
|-
| 1.1.0
| Snowbird 3A101a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]
| <code>9b0d83c7f8b4328174a3f31e0e93f60e591ae143</code>
|
| {{yes}}
| 157,890,186
|-
| 1.1.1
| Snowbird 3A110a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]
| <code>84bbc6ea8bf29745195bc9926c1874f7c2a36f32</code>
|
| {{yes}}
| 157,906,686
|-
| 1.1.2
| Oktoberfest 3B48b
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]
| <code>108d8ffe9ea75e61cd5e57170ad388b7fa00d923</code>
|
| {{yes}}
| 165,567,897
|-
| 1.1.3
| Little Bear 4A93
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]
| <code>8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6</code>
|
| {{yes}}
| 173,511,411
|-
| 1.1.4
| Little Bear 4A102
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]
| <code>c148d1eb1c979bb6434175411d4a372103a4fdd2</code>
|
| {{yes}}
| 173,519,589
|-
| 1.1.5
| Little Bear 4B1
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]
| <code>1b818911316e4248ee01d3ec67f9d39afc3db240</code>
|
| {{yes}}
| 173,519,637
|-
| 2.0
| Big Bear 5A347
| Download Link Prohibited
| <code>ae82798e85f9953b0f4798bad36187cb020c9d22</code>
| 2.0+ is a paid upgrade series
| {{yes}}
| 233,409,573
|-
| 2.0.1
| Big Bear 5B108
| Download Link Prohibited
| <code>a81b6e7af4b85ef436d047f9da57c0f694d8964a</code>
|
| {{yes}}
| 258,660,321
|-
| 2.0.2
| Big Bear 5C1
| Download Link Prohibited
| <code>c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2</code>
|
| {{yes}}
| 258,201,218
|-
| 2.1
| Sugar Bowl 5F137
| Download Link Prohibited
| <code>fc7f6d0972927df502ffca47438ca75dcccffaf3</code>
|
| {{yes}}
| 251,155,156
|-
| 2.2
| Timberline 5G77
| Download Link Prohibited
| <code>081a7de363230fb38d0ce092cbbe42f2a50c8a5f</code>
|
| {{yes}}
| 260,186,851
|-
| 2.2.1
| SUTimberline 5H11
| Download Link Prohibited
| <code>fc69be9e421bc0630567184506ab771f6b7ef68b</code>
|
| {{yes}}
| 260,166,688
|-
| 3.0
| Kirkwood 7A341
| Download Link Prohibited
| <code>dff2bd14931225908a360fb8e60a336f17d2dd6d</code>
| 3.0+ is a paid upgrade series
| {{yes}}
| 242,458,552
|-
| 3.1.1
| Northstar 7C145
| Download Link Prohibited
| <code>c6270780c166db4c9f4f0a7fa945754a1f9fe7e8</code>
|
| {{yes}}
| 249,755,862
|-
| 3.1.2
| Northstar 7D11
| Download Link Prohibited
| <code>7367dd9ba58a3b9777307368a0128e696fdfc9a6</code>
|
| {{yes}}
| 249,780,497
|-
| 3.1.3
| SUNorthstarTwo 7E18
| Download Link Prohibited
| <code>5f897990f19d2f093b35e0813d7d77806404fb1f</code>
|
| {{yes}}
| 235,678,189
|}

===[[N72ap|iPod touch (2nd generation)]]===
Due to a new bootrom designed to close the [[0x24000 Segment Overflow]], an iPod touch 2G with a model number beginning with "MC" is currently limited to a tethered jailbreak.

{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!width="40"| Version
!width="168"| Build
!width="200"| IPSW Download URL
!width="220"| SHA1 Hash
!width="150"| Comments
!width="100"| Can be [[jailbreak|jailbroken]]?
!width="70"| File Size
|-
| 2.1.1
| [[Sugar Bowl 5F138]]
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]
| <code>c3c700be49ad227d1152188e7c1e46b8958fd1e4</code>
| Initial shipment.
| {{yes}}
| 282,083,944
|-
| 2.2
| Timberline 5G77a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]
| <code>34a0a489605f34d6cc6c9954edcaaf9a050deedc</code>
|
| {{yes}}
| 291,123,491
|-
| 2.2.1
| SUTimberline 5H11a
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]
| <code>9af5625ea34acdd8abeb6fce71a72651d0c815d5</code>
|
| {{yes}}
| 291,140,244
|-
| 3.0
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]
| Download Link Prohibited
| <code>0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42</code>
| 3.0+ is a paid upgrade series
| {{yes}}
| 270,315,364
|-
| 3.1.1
| [[Northstar 7C145 (iPod touch 2G)|Northstar 7C145]]
| Download Link Prohibited
| <code>e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7</code>
|
| {{yes}}
| 277,753,989
|-
| 3.1.2
| Northstar 7D11
| Download Link Prohibited
| <code>e7c83d4a5baec0e81816ae1cd1caf9a4dc38ebf0</code>
|
| {{yes}}
| 277,794,671
|-
| 3.1.3
| [[SUNorthstarTwo 7E18 (iPod touch 2G)|SUNorthstarTwo 7E18]]
| Download Link Prohibited
| <code>5f4f5c01eda2f811f73167e7d1f82dbeed82367b</code>
|
| {{yes}}
| 263,275,211
|}

===[[N18AP|iPod touch (3rd generation)]]===
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
!width="40"| Version
!width="168"| Build
!width="200"| IPSW Download URL
!width="220"| SHA1 Hash
!width="150"| Comments
!width="100"| Can be [[jailbreak|jailbroken]]?
!width="70"| File Size
|-
| 3.1.1
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C145]]
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]
| <code>a3eddbe2cf77858bae7087dc8b2035f0d3097e57</code>
| Initial shipment.
| style="background:yellow; color:black;" class="table-yes" | Tethered

| 311,702,789
|-
| 3.1.1
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C146]]
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7238.20090918.23GhT/iPod3,1_3.1.1_7C146_Restore.ipsw iPod3,1_3.1.1_7C146_Restore.ipsw]
| <code>f66a7286b261137f25ddbbd84047f9a7ea181904</code>
|
| style="background:yellow; color:black;" class="table-yes" | Tethered
| 311,690,768
|-
| 3.1.2
| [[Northstar 7D11 (iPod touch 3G)|Northstar 7D11]]
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7271.20091008.Tch23/iPod3,1_3.1.2_7D11_Restore.ipsw iPod3,1_3.1.2_7D11_Restore.ipsw]
| <code>02dcee28d788d594a2939ab564f4f183af6ccdf2</code>
|
| style="background:yellow; color:black;" class="table-yes" | Tethered
| 311,740,034
|-
| 3.1.3
| SUNorthstarTwo 7E18
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7473.20100202.4i44t/iPod3,1_3.1.3_7E18_Restore.ipsw iPod3,1_3.1.3_7E18_Restore.ipsw]
| <code>375fd469b18bfc0b74c7cfa5b4d5945197b1d106</code>
|
| {{no}}
| 295,870,806
|}

==See also==
* [[VFDecrypt Keys]]

==Resources==
*[http://www.trejan.com/projects/ipod/ Firmware List]
*[http://pastebin.ca/1209360 A link of interest...]

Kirkwood 7A400 (iPhone1,2)

2010-03-13T18:44:49Z

Jan0: added some keys for 3.0.1 3G

== Decryption Keys ==

=== Root Filesystem ===
* '''VFDecrypt''': 62deb9e26f11ef6d0ce2afc85becdcf65b81486b3430a9930cccaccd6879c405e06d8ac3

=== KernelCache (kernelcache.release.s5l8900x) ===
* '''Key''': 5bf1ea6596f26dc37ee2b2b6a43e1320
* '''IV''': 63680cd8965137a064a3d19a689a80b3

=== Restore Ramdisk (018-5809-001.dmg) ===
* '''Key''': 3bb4e6ec9117ea60cfcf4649d296bea9
* '''IV''': 391949ef28cd2f20aa06f04e0e621c72

=== Update Ramdisk (018-5803-001.dmg) ===
* '''Key''': e4d7c7f324c55f8a31e863eae539c668
* '''IV''': b45759a73c69f440733a5a258a09a86f

=== iBoot (iBoot.n82ap.RELEASE.img3) ===
* '''Key''': 4a8d6657297ca45cf6bec0854ee0a2e8
* '''IV''': 674a95015a8d33cd2f1f259ebe01aca7