The iPhone Wiki - User contributions [en]

J105aAP

2020-06-29T14:52:54Z

Lilstevie: Results from further research into the debug port and how it Sets USB modes

[[File:Apple TV 4K.png|thumb|131px|Apple TV 4K]]
The Apple TV 4K starts at $179 for 32GB of storage, and $199 for 64GB. Its firmware identifier is AppleTV6,2. It is capable of playing 4K content.

The Apple TV 4K was announced on 12th September 2017 and released on 22nd September 2017.

== Application processor ==
The Apple TV 4K makes use of the [[T8011|Apple A10X]] processor.

== Debug Port ==

[[File:AppleTV4K_Debug_Ethernet.jpg|thumb|right]]

Hidden behind a small trapdoor in the back of the Ethernet port is a debug port that includes USB access.

Without a custom cable the easiest method of access to the port is to solder directly onto the pins. Care should be taken with the test points that are near the port as they also serve as the top of the via that connects the debug port to the rest of the Apple TV. USB access is enabled by setting the voltage on the mode pin to either USB device mode or assert force_dfu mode. While in DFU or recovery Apple's firmware does not care about the mode pin state and always enables USB. In assert force_dfu mode the Apple TV will enter DFU on every boot.

[[File:AppleTV4K_Debug_Internal.jpg|thumb|left]]


{| class="wikitable"
|+ Pinout
! Pin
! Name
! Max Voltage
! Notes
|-
! scope=row | 1
| Unknown
| 1.8V
| Purpose of the pin is unknown but it is connected to the A10X near the USB pins
|-
! scope=row | 2
| ACC_PWR
| 3.3V
| Pin is connected to a power switch, more exploration is required to see if it is capable of outputting 5V
|-
! scope=row | 3
| USB_DM
| 3.3V
| Pin operates at USB logic levels.
|-
! scope=row | 4
| USB_DP
| 3.3V
| Pin operates at USB logic levels.
|-
! scope=row | 5
| GND
| 0V
| Pin is connected directly to the boards ground plane
|-
! scope=row | 6
| Mode Pin
| 1.8V
| Selects mode dependant on voltage
|-
! scope=row | 7
| Unknown
| 1.8V
| See pin 1, connected to the A10X next to pin 1
|}




== Mode Pin ==

Pin 6 in the debug connector is a mode select pin. There are 4 known modes available.
{| class="wikitable"
|+ Modes
! VMin
! VMax
! Function
|-
! scope=row | 0V
| 0.49V
| Disabled
|-
! scope=row | 0.51V
| 0.76V
| USB Device mode active
|-
! scope=row | 0.76V
| 0.99V
| Assert force_dfu
|-
! scope=row | 1.01V
| 1.8V
| Reset device
|}

USB Device mode is active from 0.5-0.99V After 0.99V the device will enter a reset loop. Force_dfu is asserted with voltages above 0.76V, and will enter DFU on reboot. To trigger a reboot and enter DFU from the port alone without an external reboot requires first raising the voltage about 1.01V then dropping it no lower than 0.76V. The transition between each mode results in metastability for ±10mV from the transition point (0.50V, 0.75V, 1.00V) between modes.

[[Category:Devices]]

J105aAP

2019-11-18T07:58:11Z

Lilstevie: Add some basic information about the hidden debug port

[[File:Apple TV 4K.png|thumb|131px|Apple TV 4K]]
The Apple TV 4K starts at $179 for 32GB of storage, and $199 for 64GB. It’s firmware identifier is AppleTV6,2. It is capable of playing 4K content.

The Apple TV 4K was announced on 12th September 2017 and released on 22nd September 2017.

== Application processor ==
The Apple TV 4K makes use of the [[T8011|Apple A10X]] processor.

== Debug Port ==

[[File:AppleTV4K_Debug_Ethernet.jpg|thumb|right]]

Hidden behind a small trapdoor in the back of the Ethernet port is a debug port that includes USB access.

Without a custom cable the easiest method of access to the port is to solder directly onto the pins. Care should be taken with the test points that are near the port as they also serve as the top of the via that connects the debug port to the rest of the Apple TV. USB access is disabled in tvOS due to us not knowing how to instruct the AppleTV that a device is currently connected, but this limitation does not exist in DFU or Recovery. While the Reset pin pulls force dfu high, secureROM requires that it detects a USB connection. At this time it does not allow entry into DFU.

[[File:AppleTV4K_Debug_Internal.jpg|thumb|left]]

{| class="wikitable"
|+ Pinout
! Pin
! Name
! Max Voltage
! Notes
|-
! scope=row | 1
| Unknown
| 1.8V
| Purpose of the pin is unknown but it is connected to the A10X near the USB pins
|-
! scope=row | 2
| ACC_PWR
| 3.3V
| Pin is connected to a power switch, more exploration is required to see if it is capable of outputting 5V
|-
! scope=row | 3
| USB_DM
| 3.3V
| Pin operates at USB logic levels.
|-
! scope=row | 4
| USB_DP
| 3.3V
| Pin operates at USB logic levels.
|-
! scope=row | 5
| GND
| 0V
| Pin is connected directly to the boards ground plane
|-
! scope=row | 6
| Reset
| 1.8V
| Pin is connected to a buffer which appears to be 3.3V tolerant, but caution is advised. Pin also triggers the force dfu pin to be pulled high for 20ms
|-
! scope=row | 7
| Unknown
| 1.8V
| See pin 1, connected to the A10X next to pin 1
|}

[[Category:Devices]]

File:AppleTV4K Debug Internal.jpg

2019-11-18T07:08:21Z

Lilstevie: /* Summary */

== Summary ==
Internal view of where the pins connect

File:AppleTV4K Debug Internal.jpg

2019-11-18T07:08:07Z

Lilstevie: Internal view of where the pins connect internally

== Summary ==
Internal view of where the pins connect internally

File:AppleTV4K Debug Ethernet.jpg

2019-11-18T07:01:26Z

Lilstevie: External View of debug port

== Summary ==
External View of debug port

File:AppleTV4K ExternalDebug.jpg

2019-11-18T06:54:12Z

Lilstevie: External view of debug port

== Summary ==
External view of debug port

List of baseband commands

2011-05-16T16:38:58Z

Lilstevie: Neither of those were crashes, but rather ways to turn the baseband off

For instructions how to use these commands, please see [[Baseband Commands]].

List compiled by [[User:keps|keps]].

==Other==
*ASSIGN (Present in [[2.10.04]])
* AT
* AT@ (Present in [[2.10.04]])
* ATD
* AT&H (Show more baseband commands)
* AT&V (Display the profiles in the baseband)
* ATE (Present in [[2.10.04]])
* ATH (Present in [[2.10.04]])
* ATZ (Present in [[2.10.04]])

==AT+A... (present in [[2.10.04]])==
* AT+ATA
* AT+ATAC
* AT+ATAD
* AT+ATAE
* AT+ATAF
* AT+ATAH
* AT+ATAK
* AT+ATAS
* AT+ATAV
* AT+ATAW
* AT+ATAY
* AT+ATBQ
* AT+ATD
* AT+ATDL
* AT+ATDPBK
* AT+ATE
* AT+ATH
* AT+ATI
* AT+ATL
* AT+ATM
* AT+ATO
* AT+ATON
* AT+ATP
* AT+ATQ
* AT+ATSN
* AT+ATT
* AT+ATV
* AT+ATX
* AT+ATZ

==AT+B...==
* AT+BINP
* AT+BLDN
* AT+BRSF
* AT+BVRA

==AT+C...==
* AT+CACM
* AT+CAEMLPP
* AT+CALA
* AT+CALD
* AT+CALM
* AT+CAMM (present in [[2.10.04]])
* AT+CAOC
* AT+CBC
* AT+CBST
* AT+CCFC
* AT+CCID
* AT+CCLK
* AT+CCUG
* AT+CCWA
* AT+CCWE
* AT+CDIS (present in [[2.10.04]])
* AT+CEER
* AT+CFUN
* AT+CGACT
* AT+CGANS
* AT+CGATT
* AT+CGAUTO
* AT+CGCLASS
* AT+CGCMOD
* AT+CGDATA
* AT+CGDCONT
* AT+CGDSCONT
* AT+CGED
* AT+CGEQMIN
* AT+CGEQNEG
* AT+CGEQREQ
* AT+CGEREP
* AT+CGMI
* AT+CGMM
* AT+CGMR
* AT+CGPADDR
* AT+CGQMIN
* AT+CGQREQ
* AT+CGREG
* AT+CGSMS
* AT+CGSN
* AT+CGTFT
* AT+CHLD
* AT+CHUP
* AT+CIMI
* AT+CIND
* AT+CKPD (Present in [[2.10.04]])
* AT+CLAC (Show some baseband commands.)
* AT+CLAN (Present in [[5.12.01]])
* AT+CLCC
* AT+CLCK (Traditional unlock method.)
* AT+CLIP
* AT+CLIR
* AT+CLVL
* AT+CMDR (Present in [[2.10.04]])
* AT+CMDW (Present in [[2.10.04]])
* AT+CMEC
* AT+CMEE
* AT+CMER
* AT+CMGC
* AT+CMGD
* AT+CMGF (SMS operating mode.)
* AT+CMGL
* AT+CMGR
* AT+CMGS (Sends SMS message.)
* AT+CMGW
* AT+CMMS
* AT+CMOD
* AT+CMSS
* AT+CMUT
* AT+CMUX
* AT+CNAP
* AT+CNMA
* AT+CNMI
* AT+CNUM
* AT+COLP
* AT+COLR
* AT+COPN
* AT+COPS
* AT+CPAS
* AT+CPBF
* AT+CPBR
* AT+CPBS
* AT+CPBW
* AT+CPGR (Present in [[2.10.04]])
* AT+CPIN
* AT+CPLS
* AT+CPMS (Present in [[2.10.04]])
* AT+CPOL
* AT+CPUC
* AT+CPWAC (Present in [[2.10.04]])
* AT+CPWD
* AT+CPWROFF
* AT+CR
* AT+CRC
* AT+CREG
* AT+CRES
* AT+CRLP
* AT+CRSL
* AT+CRSM
* AT+CSAS
* AT+CSCA
* AT+CSCB
* AT+CSCC (Present in [[2.10.04]])
* AT+CSCS
* AT+CSDH
* AT+CSGT
* AT+CSIM
* AT+CSMP
* AT+CSMS
* AT+CSQ
* AT+CSSN
* AT+CSTA
* AT+CSVM
* AT+CTFR
* AT+CTZR
* AT+CTZU
* AT+CUSD
* AT+CUUS1 (Present in [[5.12.01]])
* AT+CXAR (Present in [[2.10.04]])
* AT+CXDR (Present in [[2.10.04]])
* AT+CXDW (Present in [[2.10.04]])
* AT+CXRR (Present in [[2.10.04]])

==AT+D... (Present in [[2.10.04]])==
* AT+DDLD
* AT+DDLE
* AT+DDLI
* AT+DDLL
* AT+DDLR
* AT+DDLS
* AT+DDLU
* AT+DDLW
* AT+DS

==AT+E... (Present in [[2.10.04]])==
* AT+ETBM

==AT+F...==
* AT+FAA
* AT+FAP
* AT+FBO
* AT+FBS
* AT+FBU
* AT+FCC
* AT+FCLASS
* AT+FCQ
* AT+FCR
* AT+FCS
* AT+FCT
* AT+FDR
* AT+FDT
* AT+FEA
* AT+FFC
* AT+FFD
* AT+FHS
* AT+FIE
* AT+FIP
* AT+FIS
* AT+FIT
* AT+FKS
* AT+FLI
* AT+FLO
* AT+FLP
* AT+FMR (Present in [[5.12.01]])
* AT+FMS
* AT+FND
* AT+FNR
* [[AT+FNS]]
** (exploitable crash in [[4.26.08]])
* AT+FPA
* AT+FPI
* AT+FPP
* AT+FPS
* AT+FPW
* AT+FRQ
* AT+FRY
* AT+FSA
* AT+FSP

==AT+G...==
* AT+GCAP
* AT+GMI
* AT+GMM
* AT+GMR
* AT+GSN

==AT+I...==
* AT+ICF
* AT+IFC
* AT+IPR

==AT+L... (Present in [[2.10.04]])==
* AT+LAST_CMD
* AT+LEGACY

==AT+N...==
* AT+NREC

==AT+P... (Present in [[2.10.04]])==
* AT+PDU_INFO

==AT+S...==
* AT+SBEG (Present in [[2.10.04]])
* AT+SMSSRESUL (Present in [[5.12.01]])
* AT+STKENV
* AT+STKLBR
* AT+STKPRO
* [[AT+stkprof|AT+STKPROF]]
** (exploitable crash in [[2.28.00]])
* AT+STKTR

==AT+T...==
* AT+TRACE

==AT+U... (Present in [[2.10.04]])==
* AT+UNKNOWN

==AT+V...==
* AT+VGM
* AT+VGR (Present in [[5.12.01]])
* AT+VGS
* AT+VGT (Present in [[5.12.01]])
* AT+VTD
* AT+VTS

==AT+W... (Present in [[5.12.01]])==
* AT+WS46

==AT+X...==
* AT+XADDTRACE
* AT+XALS
* AT+XALSBLOCK
* AT+XAPOXI
* [[AT+XAPP Vulnerability|AT+XAPP]]
** (exploitable crash in [[5.13.04]] with command "AT+XAPP="kepskepskepskepskepskepskepskeps")
* AT+XBANDSEL
* AT+XCALLREFUSE
* AT+XCALLSTAT
* AT+XCAOC
* AT+XCBS
* AT+XAT+CCBS
* AT+XCEER
* AT+XCELLINFO
* AT+XCFC
* AT+XCGCLASS
* AT+XCGEDPAGE (Present in [[5.12.01]])
* AT+XCHNSIM
* AT+XCIND
* AT+XCIPH
* AT+XCONFIG
* AT+XCOPS
* AT+XCRSM
* AT+XCSIM
* AT+XCSP
* AT+XCSPAGING
* AT+XCSSMS
* AT+XCTMDR
* AT+XCTMS
* AT+XDATACHANNEL (Present in [[5.12.01]])
* AT+XDEV
* AT+XDEVICE
* AT+XDIAG
* AT+XDNOABORT
* AT+XDNS
* AT+XDRV
* AT+XDTMF
* AT+XEMC (Present in [[5.12.01]])
* [[AT+XEMN Heap Overflow|AT+XEMN]] (Present in [[5.11.07]])
** (exploitable crash in [[5.11.07]] with lots of zeroes)
* AT+XEONS
* AT+XETFT
* AT+XFDOR (Present in [[5.12.01]])
* AT+XFDORT (Present in [[5.12.01]])
* AT+XGAUTH
* AT+XGCNTRD
* AT+XGCNTSET
* AT+XGENDATA (Displays some information about the baseband.)
* AT+XGENDATE (Present in [[02.10.04]])
* AT+XGPRSERRMAP (Present in [[5.12.01]])
* AT+XHANDSFREE
* AT+XHOMEZR
* AT+XHSDUPA (Present in [[5.12.01]])
* AT+XIA (Present in [[5.12.01]])
* AT+XIMS
* AT+XL1SET
* AT+XLCAPS
* AT+XLCK
* AT+XLGASSIST (Present in [[5.12.01]])
* AT+XLGCPL (Present in [[5.12.01]])
* AT+XLGINFO (Present in [[5.12.01]])
* AT+XLGLOGLEV (Present in [[5.12.01]])
* AT+XLGMODE (Present in [[5.12.01]])
* AT+XLGMOTIONTYPE (Present in [[5.12.01]])
* AT+XLGNAV (Present in [[5.12.01]])
* AT+XLGNMEA (Present in [[5.12.01]])
* AT+XLGNVRAM (Present in [[5.12.01]])
* AT+XLGPOS (Present in [[5.12.01]])
* AT+XLGSENSORDATA (Present in [[5.12.01]])
* AT+XLGTEST (Present in [[5.12.01]])
* AT+XLGTIME (Present in [[5.12.01]])
* AT+XLIN
* AT+XLOCK (Wildcard unlock. Present in [[5.12.01]])
* [[AT+XLOG Vulnerability|AT+XLOG]]
** (exploitable crash in [[4.26.08]] with command "AT+XLOG=1,"kepskepskepskepskepskepskepskepskepskepskepskeps")
* AT+XLOOPBACK
* AT+XLQOS
* AT+XLRMT
* AT+XLRSUPL (Present in [[5.12.01]])
* AT+XLRTA
* AT+XLRV
* AT+XLRWAP (Present in [[2.10.04]])
* AT+XLSR
* AT+XLSRSTOP (Present in [[5.12.01]])
* AT+XMAGETBLOCK
* AT+XMAGETKEY
* AT+XMER
* AT+XMSG
* AT+XMULTISLOT
* AT+XMUX
* AT+XNMI
* [[AT+XNONCE]] (Random string generated on bootup. Present in [[5.12.01]].)
* AT+XPIN
* AT+XPINCNT
* AT+XPOW
* AT+XPPP
* AT+XPROGRESS
* AT+XQNEG
* AT+XRAT
* AT+XREDIAL
* AT+XREG
* AT+XREL
* AT+XRFS
* AT+XRLCSET
* AT+XRRSET
* AT+XSCELLLOCK (Present in [[5.12.01]])
* AT+XSECSTATE
* AT+XSELFRXSTAT
* AT+XSERVICE
* AT+XSIMCHG
* AT+XSIMLG
* AT+XSIMLOOPBACK
* AT+XSIMSIMUL (Present in [[2.10.04]])
* AT+XSIMSTATE (Reports lock state.)
* AT+XSIMVALID
* AT+XSIO
* AT+XSLN
* AT+XSMS
* AT+XSTK
* AT+XSTRESSSIM
* AT+XSVM
* AT+XSYSERR (Present in [[5.12.01]])
* AT+XTDEV
* AT+XTERM (Present in [[5.12.01]])
* AT+XTESM
* AT+XTEST (Present in [[5.12.01]])
* AT+XTFILTER
* AT+XTHUMB
* AT+XTOS
* AT+XTRACECONFIG (Present in [[5.12.01]])
* AT+XTRACEIP
* AT+XTRACESYSTIME
* AT+XTRANSPORTMODE
* AT+XUBANDSEL (Present in [[5.12.01]])
* AT+XUICC (Present in [[5.12.01]])
* AT+XUSBFLASH
* AT+XVTS

[[Category:Baseband]]

Talk:List of baseband commands

2011-05-15T10:11:22Z

Lilstevie: discussion on baseband commands

==Merge==
This is the third page with baseband commands. We now have:
*[[Baseband Commands]]
*[[AT Commands]]
*[[List of baseband commands]]
I started the [[AT Commands]] page for exactly this reason, but it was incomplete of course. But in any case I would recommend a merge of [[AT Commands]] and [[List of baseband commands]] at least. The only thing missing here is a description of each command with its parameters. I'll do the merge in a few days if nobody else is faster. --[[User:Http|http]] 20:50, 4 October 2010 (UTC)
:Done. :) --[[User:Dialexio|Dialexio]] 21:04, 4 October 2010 (UTC)
::Thanks [[User:Dialexio|Dialexio]]. Currently I only have my iPhone to edit and you know how easy copy&pasting is there.--[[User:Http|http]] 21:41, 4 October 2010 (UTC)
==More infos==
We need to look at the old pages about the sim tool kit [http://chickenenchiladagrilledstuftburrito.info/u.htm] and this list need's more command's from [http://code.google.com/p/iphone-elite/wiki/UndocumentedATcommands] --[[User:Liamchat|liamchat]] 21:13, 4 October 2010 (UTC)

I think that AT+CFUN and AT+CPWROFF should not have a note on them stating non-exploitable crash, they are not crashes but are methods to turn the baseband device off --[[User:Lilstevie|Lilstevie]] 10:11, 15 May 2011 (UTC)

Talk:IBoot (Bootloader)

2010-10-22T07:19:10Z

Lilstevie:

== Commands used as an exploit vector ==
the armv7 go and stop do not have vectors you just point at the kernelcache and boot --[[User:Liamchat|liamchat]] 21:23, 29 August 2010 (UTC)

the usb_control_msg(0x21, 2) Exploit has a vector and there may be lots of tiny write zones in iboot --[[User:Liamchat|liamchat]] 21:23, 29 August 2010 (UTC)

== Article name ==

I'm not a big fan of the new name, so I'd like to propose a name change to "iBoot (Stage 2 Bootloader)." Would this be fine with others? --[[User:Dialexio|Dialexio]] 00:29, 21 October 2010 (UTC)
:For me it was just important to separate the two iBoot's. That was very confusing. For me your suggestion would be ok. --[[User:Http|http]] 06:19, 21 October 2010 (UTC)

:Sorry for making such a change without discussing first. I was excited about the fact that disambiguation pages work now and wanted these two things to separate long ago. [[Cydia Application]] is also not the ideal name. I'll discuss the next time first. --[[User:Http|http]] 06:34, 21 October 2010 (UTC)

::It's fine. :) <del>I'll get to changing it now.</del> Actually... would "iBoot (bootloader)" be a better name? The name probably doesn't need to be specific about which bootloader it is; it's mentioned in the article. --[[User:Dialexio|Dialexio]] 19:38, 21 October 2010 (UTC)

:::I would use uppercase for the Bootloader as it is a title. Not sure though. And yes, you can leave "Stage 2" away if there only exists one bootloader. But isn't the [[Bootrom]] the "Stage 1 Bootloader"? In that case I wouldn't leave it away. --[[User:Http|http]] 22:21, 21 October 2010 (UTC)

::::The stage 1 bootloader is actually [[LLB]]. However, I still don't believe that the "Stage 2" part should be included in parentheses; putting "(bootloader)" or "(Bootloader)" is sufficient enough to differentiate between this article and the bootrom's article. --[[User:Dialexio|Dialexio]] 23:08, 21 October 2010 (UTC)

:::::Ok [[LLB]]. Does [[LLB]] also have versions that begin with iBoot? Or is it included in the Stage 2 part? --[[User:Http|http]] 23:17, 21 October 2010 (UTC)

::::::LLB's version does indeed begin with "iBoot." It's the same version number as iBEC/iBoot/iBSS from the same firmware. --[[User:Dialexio|Dialexio]] 23:40, 21 October 2010 (UTC)

:::::::The Bootrom, LLB, iBEC, iBSS and iBoot all have the tag iBoot in their version numbers as they are part of the iBoot family, but iBoot(2nd stage bootloader) is the only one internally referred to as iBoot --[[User:Lilstevie|Lilstevie]] 07:19, 22 October 2010 (UTC)

QuickPwn

2010-10-15T11:30:15Z

Lilstevie: Undo revision 10575 by Whiteshinyapple (Talk) why was this page blanked

[[Image:QuickPwn Mac.png|thumb]]
QuickPwn was a program from the [[iPhone Dev Team]] that allowed people to quickly [[jailbreak]] their devices. Initially, it was only available as a Windows CLI tool, but poorlad created a GUI shortly afterwards. Later, a Mac OS X GUI was also released.

The name was exploited (as "QuickPWN") by quickpwn.com, so the decision was made to discontinue QuickPwn in favor of [[redsn0w]].

Talk:Limera1n

2010-10-12T07:29:44Z

Lilstevie:

== Drop size on image ==
Has anyone else noticed that on the picture, the lime raindrop us bigger than the rest of them? Could be nothing but could also mean that [[User:Geohot|geohot]] has worked out [[SHAtter]] and use it on the three A4 devices that are there and just used the photos app for the [[N88ap|3GS]].
Also (if it's real) why is [[User:Geohot|Geohots]] exploit not used and keep [[SHAtter]] for when there are more A4 devices around? --[[User:Shengis14|Shengis14]] 07:16, 9 October 2010 (UTC)
:I did see that and assume it's just the same image everywhere, but on retina display it's just smaller due to higher resolution. --[[User:Http|http]] 09:00, 9 October 2010 (UTC)
::I also saw that and would ask you to look at the image again. iPod Touch 4g and iPhone 4, both retina, have smaller... This could be because [[geohot]] has a problem with the program as he didn't create a @2x.png image... I believe this is a true jailbreK. [[User:Balloonhead66|Balloonhead66]] 13:57, 9 October 2010 (UTC)
:::In the dump, I found the lime drop and it is a 320x480 image. Therfore, when you jailbreak a retina device with a 320x480 it shrinks the image because there is no lime@2x.png file...

== Misc. ==
I think some more info may be needed. What is some background on it? I thought Limera1n was a fake from the 3.x days? --[[User:OMEGA RAZER|OMEGA RAZER]] 22:09, 8 October 2010 (UTC
:It was never fake see [http://theiphonewiki.com/limera1n http://theiphonewiki.com/limera1n] (a cached copy). --[[User:GreySyntax|GreySyntax]] 22:45, 8 October 2010 (UTC)
::Thanks for the clarification. Not sure where I heard that. --[[User:OMEGA RAZER|OMEGA RAZER]] 23:09, 8 October 2010 (UTC)
Geohot made the web page when 3.1.3 come out but he said it used a bootrom exploit for untetherdness that he was saving for the iPhone 4 --[[User:Liamchat|liamchat]] 22:53, 8 October 2010 (UTC)
Anything else we should mention? :P --[[User:Dra1nerdrake|dra1nerdrake]] 23:14, 8 October 2010 (UTC)
:Why the insane secrecy of it? I'm not deep in the scene but this is the first I'm hearing more than the name lol. --[[User:OMEGA RAZER|OMEGA RAZER]] 23:18, 8 October 2010 (UTC)

== Release ==

I thought geohot had no plans to release it... [[User:Balloonhead66|Balloonhead66]] 23:22, 8 October 2010 (UTC)
:Correct. Read the controversy section of this page. It should answer as to why the sudden change in heart. ~Drake

== SIGN YOUR COMMENTS ON THE TALK PAGE ==
Please press the button on top of the exit box or type <nowiki>~~~~</nowiki> manually. This will give you the basic signature. It's also acceptable to just identify yourself. Just make sure we know who you are. ;P ~Drake

== Latest edit to [[Limera1n]] ==

How does it look like a tethered? -- Balloonhead66|23:34, October 8, 2010 (UTC)
:They're all plugged in with USB cables. --[[User:OMEGA RAZER|OMEGA RAZER]] 23:35, 8 October 2010 (UTC)
::They could just be charging and he is in the photos app -- Balloonhead66|23:41, October 8, 2010 (UTC)

== Who is John Galt? ==

Look at the HTML source of the page. Is this comment new? [[User:Angelo|Angelo]] 23:42, 8 October 2010 (UTC)
:Yep. I've looked at the source of this page before and after this update. The John Galt is probably meant to throw us off. Geohot does that. :P But, yes, it's new. ~Drake
::Where did you see that? [[User:Balloonhead66|Balloonhead66]] 23:50, 8 October 2010 (UTC)
:::Type in Firefox URL bar: view-source:http://limera1n.com/ [[User:Angelo|Angelo]] 23:47, 8 October 2010 (UTC)
::::Or google chrome for that matter :D . Anyway, I thought you meant the source of this page or the [[Limera1n]] page, not the website... *stupid* Thanks for explaining that! [[User:Balloonhead66|Balloonhead66]] 23:50, 8 October 2010 (UTC)
:::::[http://en.wikipedia.org/wiki/John_Galt Who is John Galt] Kind of funny actually when you read it and what's going on right now --[[User:alpineflip|alpineflip]]
:::::: yes I see why "learns that all of the stories have an element of truth to them." maybe it will ra1n again but not today --[[User:Liamchat|liamchat]] 00:35, 9 October 2010 (UTC)

== Explanation ==

So, I'm sure most, if not all, of you are confused. This Limera1n is nothing more than a plot by geohot to get the chronic dev team to incorporate the exploit used in limera1n into greenpois0n. This is not plausible because the exploit in limera1n is a bootrom level exploit, which can be used to make a jailbreak (albeit [[tethered]]) on its own. To make greenpois0n untethered, chronic dev has used a tweak by comex (in userland) to patch the kernel. The exploit in Limera1n can be used at a later date to make another untethered jailbreak, but it's better to leave the lower level exploits until later, after all, either way, it produces the same affect. To implement the limera1n exploit into greenpois0n, they'd have to rewrite the entire jailbreak, which would offset the release. This should clear up confusion. ~Drake

I reckon it was the iphone dev teams fault if they just had to release spirit after the iphone 4 was released there would be no drama because the ipod touch 4 would hav been jailbroken via star. --[[User:Robinhood|robinhood]]

I think Geohot told someone about his exploit and apple attempted to patch it in a4 bootrom [http://mobile.twitter.com/musclenerd/status/26801617164] --[[User:Liamchat|liamchat]] 01:54, 9 October 2010 (UTC)

===UPDATE:===
A [http://twitter.com/#!/p0sixninja/status/26799962302 recent tweet] from iPhone hacker p0sixninja has just confirmed that the date WILL NOT be changed. If they can implement geohot's exploit before 10/10, they will use that. If they can't they won't. --[[User:Dra1nerdrake|dra1nerdrake]] 00:53, 9 October 2010 (UTC)
: This has nothing to-do with Limera1n. -- [[User:Shorty|Shorty]] 01:06, 9 October 2010 (UTC)
::It does. If they can integrate it into GP then there's not going to be a Limera1n. If they can't in time then there will be two jailbreaks released... --[[User:OMEGA RAZER|OMEGA RAZER]] 01:11, 9 October 2010 (UTC)
::: This is a grand waste of a bootrom exploit though. ~Drake
:::: Geohot will not waste the exploit's used in limera1n but greenpois0n is using a bootrom exploit to inject a userland exploit that is odd --[[User:Liamchat|liamchat]] 01:20, 9 October 2010 (UTC)
:::::Yes it does limera1n will use an untetherd bootrom and iboot exploit but Why does Geohot not want us to use comex's kernel patch just for 4.1 then when 4.2 is out we can use shatter to reuse the iboot exploit --[[User:Liamchat|liamchat]] 01:20, 9 October 2010 (UTC)
::::::@[[User:Dra1nerdrake|dra1nerdrake]] - Sorry if I didn't make myself more clear, I was basically on about the first part, not the last bit. -- [[User:Shorty|Shorty]] 01:25, 9 October 2010 (UTC)
the exploit used by [[limera1n]] is a [[24kPwn]] like [[bootrom]] exploit and a [[IBoot]] exploit ( read the second to last paragraph [http://posixninja.blogspot.com/2010/06/latest-progress-and-new-updates.html] ) --[[User:Liamchat|liamchat]] 12:55, 9 October 2010 (UTC)

== Image Taken Down ==

I'm just speculating here. With all this controversy, I am on the edge of believing... Also, the image was taken down from the site... It gives you a bitly link that takes you back to the bitty link... --[[User:Balloonhead66|Balloonhead66]] 14:20, 9 October 2010 (UTC)

:It is now very real [[greenpois0n]] will be cancelled (said by [[MuscleNerd]] [http://twitter.com/MuscleNerd/status/26860163077 Twitter Status]) and [[Limera1n]] will be used to jailbreak on 4.1 but [[wikipedia:Apple Inc.|Apple]] knows about both exploit's but [[Geohot]]'s has already being patched (patched in 4.2 beta 2 iboot [http://twitter.com/MuscleNerd/status/26860634891]) --[[User:Liamchat|liamchat]] 19:21, 9 October 2010 (UTC)

::The exploit has not been patched though, but because of the code similarities geohot can tell his exploit will be patched anyway by iPad2,1 so he wants it to be used instead of wasted, greenpois0n and SHAtter should be kept as they will affect a larger crowd of iOS devices (assuming apple continue to use the A4 chip. --[[User:Shengis14|Shengis14]] 19:36, 9 October 2010 (UTC)

:::[[Geohot]]'s exploit will be used in [[greenpois0n]] if it can be utilised in time. Otherwise both exploits will be burned. In relation to the image being taken down, it was proving to be too popular, so imageshack moved it. --[[User:Mushroom|Mushroom]] 19:47, 9 October 2010 (UTC)

::::I dont think so we said a lot about [[SHAtter]] (if apple patch one of the three BSS+Heap+Stack the exploit wont work) so it may be to late to protect [[SHAtter]] but [[Geohot]]'s exploit was fixed in [[iBoot]] so [[wikipedia:Apple Inc.|Apple]] knows 100% what his exploit is --[[User:Liamchat|liamchat]] 20:06, 9 October 2010 (UTC)

== He did it==
It's in the wild. Thoughts? ~Drake
:It's just BETA2 though... --[[User:Balloonhead66|Balloonhead66]] 22:28, 9 October 2010 (UTC)
::Has anyone being able to grab information about the exploit we need to delete shatter and name the new dfu exploit --[[User:Liamchat|liamchat]] 23:22, 9 October 2010 (UTC)
:::BETA2 naming means nothing. We need to delete SHAtter? Wtf? And also this exploit will either be named by Geohot or by it's technical name (like Environment Variable Overflow). [[User:Iemit737|Iemit737]] 00:03, 10 October 2010 (UTC)
::::I'd like to disassemble this and see what's in that exe of his. Anyone take a gander into this magical land of software yet? The payload's bound to be in there somewhere. ~Drake
:::::A dump has been released by ih8sn0w, see links. So much for the protection he put on it. It uses the ramdisk from purplera1n ( lulz). You'll need IDA Pro... [[User:Pwnd-v1|Pwnd-v1]] 13:12, 10 October 2010 (UTC)

== Pwnage ==

Does limera1n flash the NOR? I never managed to install a custom firmware after using limera1n.--[[User talk:Ryccardo|Ryccardo]], 11 October 2010 (UTC)
:Sign your posts, please. And, limera1n leaves your NOR untouched. All it does is patch the kernel (which is on your NAND). Theoretically, one might be able to restore to a custom firmware by jumping to a pwned iBSS or iBEC through the limera1n exploit and using that to trick the device into accepting the firmware, but I'm probably mistaken. --[[User:Dra1nerdrake|dra1nerdrake]] 19:28, 11 October 2010 (UTC)
:It leaves the NOR un-touched otherwise the signature checks would fail during boot. Hence the kernel exploit from [[User:comex|comex]] is used to patch the kernel at runtime. --[[User:GreySyntax|GreySyntax]] 19:49, 11 October 2010 (UTC)
::Thanks, [[http://twitter.com/iH8sn0w/statuses/27065535774 iH8Sn0w confirms.]] Sorry for the signature, I always forget to use that button. --[[User:Ryccardo|Ryccardo]] 20:43, 11 October 2010 (UTC)

== Support ==

I propose that appleTV should be removed from the supported list until further notice as while the exploit interacts with the bootrom, the ramdisk never executes to jailbreak the OS and leaves you in recovery mode (yet to establish if it is in a pwned state or not) --[[User:Lilstevie|Lilstevie]] 07:29, 12 October 2010 (UTC)

Malformed CFF Vulnerability

2010-10-12T07:26:48Z

Lilstevie: IOService to IOSurface

This vulnerability, along with the [[IOSurface Kernel Exploit]], was used in [[Star]]/[[JailbreakMe]] 2.0. It is a stack overflow in the handling of [[wikipedia:PostScript fonts#Compact Font Format|CFF]] opcodes. Contrary to popular belief, it is '''not''' a problem with the PDF parser, although the malformed font was placed in a PDF for exploitation.

== Credit ==
[[User:Comex|comex]]

[[Category:Exploits]]

IREB

2010-10-05T12:52:54Z

Lilstevie:

[[Image:iREB_4.0.png|360px|right|iREB 4.0]]
{{DISPLAYTITLE:iREB}}
A program created by iH8sn0w, that is used for early-generation devices, which include:
*[[N82ap|iPhone 3G]]
*[[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]])

== What is iREB? ==
iREB is a GUI application that uses iTunnel. It uploads 3 pwned files, so that [[iTunes]] can accept custom [[IPSW File Format|IPSW]] firmware/downgrade to lower firmwares. For [[S5L8900]] devices, it uploads the following:
* iBSS.MODEL.RELEASE.dfu
* WTF.MODEL.RELEASE.dfu
* WTF.s5l8900xall.RELEASE.dfu

iREB does '''''NOT''''' jailbreak, it just disables [[iTunes]]'s ability to upload a patch to the ramdisk to block custom firmware made by [[sn0wbreeze]].

== Why cant it work with the later-generation devices? ==
Those devices such as [[iPhone 3GS]] [[iPhone 4]] [[iPod Touch 3G]] require SHSH Blobs to upload iBSS to these devices, Also required is an exploit within the bootchain to execute unsigned code.

== Current Developers ==
*[[User:ih8sn0w|iH8sn0w]] (Windows + Mac)
*w3st05 (Windows)
*spendl (Windows)
*srts (Mac)
*greenp0ison (Windows)

== Compatible Operating Systems: ==
Windows XP/Vista/7

== Changelog ==
===4.0===
*Changed GUI
*Removed Support for iPod Touch 1G and iPhone 2G
*Removed Umbrella SHSH Grabber
*Removed sn0wblower
*No LibUsb Required
*Uses iTunnel To Fix [[Recovery Mode]] Loops and bypass 1015 error.

===3.1.2===
*Updated [[SHSH]] Grabber to accept the [[N72ap|iPod touch 2G]] and [[N18ap|iPod touch 3G]].
*Updated [[SHSH]] Grabber to grab 3.1.2 blobs.
*Integrated sn0wbl0wer, which uploads the following to an [[N72ap|iPod touch 2G]]:
**[[iBSS]] 2.1.1 (stock)
**[[ARM7 Go]] Exploit
**Pwned [[iBSS]]
*Removed PayPal Donate link.

===3.1-3===
*Added [[N88ap|iPhone 3GS]] 3.1 SHSH Grabber
*More stable
*Added credits

===3.1===
*Added GUI
*Added [[Recovery Mode]] loop fixer
*Fixed Bug from 2.2
*Removed popups
*Removed command prompts

===2.2===
*Added Support for 3.1 (7C144)/3.1.1 (7C145)
*This version contains a bug, that will be fixed.
*Improved GUI (Windows)
*Added a bit more user-friendly GUI (Mac)
*Snow Leopard compatibility (Mac)

===2.1===
*Added GUI
*All 3 supported devices are implemented.

===2.0===
*No longer required to rename ipsw to ih8sn0w.ipsw (Windows)
*No longer required to move ipsw to C:\ (Windows)

===1.0===
*Initial Release

Sn0wbreeze

2010-10-05T12:18:07Z

Lilstevie: corrected reason for being tethered

sn0wbreeze is a [[PwnageTool]] port to Windows, developed by [[User:ih8sn0w|iH8sn0w]], w3st05, srts, Little_Martian and LiLBush81.

== Models Supported ==
* [[M68ap|iPhone 2G]]
* [[N45ap|iPod touch 1G]]
* [[N82ap|iPhone 3G]]
* [[N72ap|iPod touch 2G]]
* [[N88ap|iPhone 3GS]]
* [[N18ap|iPod touch 3G]]

The [[N72ap|iPod touch 2G]] [[N18ap|iPod Touch 3G]] [[N88ap|iPhone 3GS]] need to have the signature checks disabled beforehand by having a pwned iBoot either by jailbreaking using a iBoot exploit or using the [[iBooty]] method. The [[S5L8900]] devices can enter [[DFU Mode]] and restore with [[iTunes]] without being jailbroken.

== What about the iPhone 4 and the iPod Touch 4? ==
A iBoot Exploit or a bootrom exploit is required to run custom firmware.No such low level exploits has been found yet so there is no custom firmware.

== Why is it tethered with the later-generation models? ==
Sn0wbreeze is tethered on later model devices due to the lack of a bootrom exploit like [[0x24000_Segment_Overflow]] or [[pwnage]].

== Versions ==
sn0wbreeze was first released January 13, 2010 as a beta version. The following versions that are shown here are official, and sorted by compatibility with iOS revisions.

=== 3.1.X ===
{| class="wikitable" width="100%" style="font-size: 90%"
! style="background-color:#E9E9E9; text-align:center; width:150px;" |Version
! style="background-color:#E9E9E9; text-align:center;" |Release date
! style="background-color:#E9E9E9; text-align:center;" |Changes
|-
! style="white-space: nowrap;" |
==== Public Beta ====
| style="white-space: nowrap;" | January 13, 2010
|
* Initial release
* Jailbreaks iOS 3.1.2
* Only allows you to be able to select simple mode
* Taken down due to copyright issues with [[XPwn]]
|
|-
! style="white-space: nowrap;" |
==== 1.0 ====
| style="white-space: nowrap;" | January 16, 2010
|
* Official release of sn0wbreeze
|-
! style="white-space: nowrap;" |
==== 1.1 ====
| style="white-space: nowrap;" | January 19, 2010
|
* Fixes [[Cydia]] problems
* Fixes problems with [[NOR]] on [[S5L8900]] devices
* Fixes custom packages not being installed
|-
! style="white-space: nowrap;" |
==== 1.2 ====
| style="white-space: nowrap;" |January 21, 2010
|
* GUI fixes
* Fixed even more [[Cydia]] problems
|-
! style="white-space: nowrap;" |
==== 1.3 ====
| style="white-space: nowrap;" | January 23, 2010
|
* fixes bug where some [[Cydia]] repositories could not be added and downloaded from
|-
! style="white-space: nowrap;" |
==== 1.4 ====
| style="white-space: nowrap;" | January 26, 2010
|
* Fixed vital bug where deb files may not be added to the right place
|-
! style="white-space: nowrap;" |
==== 1.5 ====
| style="white-space: nowrap;" | February 5, 2010
|
* Jailbreaks iOS 3.1.3
* Removed verbose mode support
|-
! style="white-space: nowrap;" |
==== 1.5.1 ====
| style="white-space: nowrap;" | February 7, 2010
|
* Removed [[blacksn0w]] due to CommCenter issues (fix being worked on)
|-
! style="white-space: nowrap;" |
|}

=== 4.X ===
{| class="wikitable" width="100%" style="font-size: 90%"
! style="background-color:#E9E9E9; text-align:center; width:150px;" |Version
! style="background-color:#E9E9E9; text-align:center; width:175px;" |Release date
! style="background-color:#E9E9E9; text-align:center;" |Changes
|-
! style="white-space: nowrap;" |

==== 1.6 ====
| style="white-space: nowrap;" | June 24, 2010
|
* Jailbreaks iOS 4.0.
* Deleted [[ultrasn0w]] unlock option.
* Removed the option sn0wbreeze App
|-
! style="white-space: nowrap;" |
==== 1.7 ====
| style="white-space: nowrap;" | July 6, 2010
|
* Added support for new bootrooms ([[tethered jailbreak]])
|-
! style="white-space: nowrap;" |
==== 1.8 Beta ====
| style="white-space: nowrap;" | July 16, 2010
|
* Added Support for iOS 4.1 beta 1.
* Deleted [[hacktivation]].
|-
! style="white-space: nowrap;" |
==== 2.0 ====
| style="white-space: nowrap;" | September 22nd, 2010
|
* Added support for "MC model" [[N72ap|iPod touch 2G]] ([[Tethered jailbreak|tethered]] using [[usb_control_msg(0xA1, 1) Exploit]])
* Added Support for [[N18ap|iPod touch 3G]] and [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]]) on iOS 3.1.2
* Simplified the GUI
|-
! style="white-space: nowrap;" |
==== 2.0.1 ====
| style="white-space: nowrap;" | September 22nd, 2010
|
* Fixed Error 37
! style="white-space: nowrap;" |
|-
! style="white-space: nowrap;" |
==== 2.0.2 ====
| style="white-space: nowrap;" | September 25th, 2010
|
* [https://twitter.com/iH8sn0w/status/25462030444 Bug fixes]
|}

==Problems==
There are some problems with blacksn0w because it relies on the 3.1.2 CommCenter, and needs to be updated to the 3.1.3 version. If installed it will cause your iPhone to go into a boot loop.

== Use of xpwn ==
The backend of sn0wbreeze is [http://github.com/planetbeing/xpwn xpwn], an open-source custom IPSW generator created by planetbeing in parallel with [[iPhone Dev Team]] developments of techniques and tools. xpwn runs on Windows, Mac OS X, and Linux. Given a "bundle" of patches from either [[PwnageTool]] or sn0wbreeze, xpwn driven from the command line is able to create the same custom IPSW as either tool. All Fixes to xpwn made by iH8sn0w have been made available. [http://github.com/iH8sn0w/xpwn].

== License ==
sn0wbreeze is freeware.

== Download ==
[http://ih8sn0w.com/index.php/welcome.snow Download sn0wbreeze]

[[Category:Hacking Software]]

Talk:Firmware

2010-09-30T10:55:02Z

Lilstevie:

What do you mean by protected? iTunes has to dl it somehow

o yea, forgot you had to pay for it :-) i wonder if the iPhone one would run easily?

I've never had any luck myself, but I suppose anything's possible :-)
As for the actual word 'protected', the URLs in the XML are prefixed protected://. Perhaps those URLs are still of value?
BTW, as far as I know, having a 2.0 beta installed will still allow "free" upgrades to 2.0. --[[User:Haldo|Haldo]] 13:39, 5 August 2008 (UTC)

:After reading a post on Zibri's blog today, I tested (and confirmed) that the iPod touch 2.0.1 firmware could be downloaded from Apple's servers. Should this URL be provided on this page? -[[User:Dialexio|Dialexio]] 00:29, 6 August 2008 (UTC)

::That is a tough question... I may have to defer to geohot for that. It is unfortunately very much a gray area. Maybe we link to the file linked by Zibri? --[[User:Haldo|Haldo]] 20:47, 7 August 2008 (UTC)

:::My thinking is this. If Apple sells it, no download link should be posted here. But perhaps a link to Zibri's page about it in the resources area. ~geohot

== chex ==

itunes probably checks to see if u bought it somehow...

== yup ==

funny you should mention that. my friend np1011357 got a 2.0 fw working, but I don't think people are brave enough to test any further :P

I do know you have to be pwned for it to work though...

== hmm ==

well if its on apples servers, then we are not really 'hosting' warez, not could we be connected to hosting it at all, unlike if someone uploaded it to rapidshare, then there would be reason to believe we were involved. although its a community wiki, for something like this, it is geohot's call.

== totally free :) ==

ipod touch 1.1 (day it came out) -> 1.1.1 (command line jailbreak and jailbreakme.com) -> 1.1.2 symlink jailbreak -> 1.1.3 soft -> 1.1.3 ziphone -> 1.1.4 ijailbreak with jan. app pack -> 1.1.4 pwned and jan. app pack -> beta 1 and 2 pwned -> beta 8 -> 2.0 for free -> pwned 2.0 -> i downloaded 2.0.1 from itunes but i haven't updated yet

haven't wasted a dime cuz i'm a lazy, jobless 14 year old and all my money goes to my 3g plan (only pay $55 a month with unlimted data, 300 minutes, and unlimted) texts $9 movie tickets, and girls

== WOW ==

ffs guys. i was hoping someone would figure this out. Anyone at all could just type 'strings iTunes' on the iTunes binary, and see that there is a link saying http://itunes.com/version, then another directly after is '?touchUpdate=yes". It's not even that hard if u disassembeld it in IDA

== Add defunct firmwares? ==

There are some defunct firmware builds referenced in Apple's XML file (i.e.- iPhone 3A101a). Should these be added to this page, or not?
-[[User:Dialexio|Dialexio]] 20:05, 23 September 2008 (UTC)

== Clarification of "Can be unlocked" ? ==

I think we need a clarification what the "Can be unlocked?"-Column means. Because Northstar 7C144 on the 3G can be unlocked using pwnage (i.e. if you stay at BB 04.26.08). However if you'd upgrade to BB 05.11.07 it can't. --[[User:M2m|M2m]] 03:17, 16 September 2009 (UTC)

Quote Oranav: "There's no point for an "unlock" column if we write "yes, stay at X".

I totally agree on this, however the Columns also states ''"Yes (Upgrade to 04.26.08)"'' for BB 01.45.00 - 02.30.03, while technically currently a working implementation only is available for 04.26.08 (ultrasn0w - yellowsn0w is not available anymore AFAIK). Like this I would think for BB 01.45.00 - 02.30.03 it should also read ''"No (Though you can upgrade to 04.26.08)"'' - or something similar.
Therefore my statement/request for a clarification.
Regards --[[User:M2m|M2m]] 02:19, 17 September 2009 (UTC)

I am of the opinion that if the BB that ships with the given Apple IPSW is not unlock(ed/able) then it should be marked NO. It should be made clear elsewhere that 04.26.08 is suitable for devices looking for an unlock. [[User:Haldo|Haldo]] 13:53, 17 September 2009 (UTC)

The main difference here is that for older firmwares there's an upgrade path towards unlock. For example, if you buy a 3G phone now with 2.0 and BB 01.45.00, it can be easily upgraded to 3.0 and unlocked. On the other hand, if the phone has 3.1 and 05.11.07 pre-installed, there's no such upgrade path. --[[User:Blackbox|Blackbox]] 18:22, 17 September 2009 (UTC)

What about changing the title of the column to say "Can baseband be unlocked?" and then only answer yes if there is an unlock available for the baseband included in that version? [[User:Rekoil|Rekoil]] 21:26, 17 September 2009 (UTC)

I've changed it to say yes only on the rows with basebands that can be unlocked "OTB". No one should have problems figuring out that you can upgrade to a version that can be unlocked if you're at a version below that cannot be unlocked. But maybe a clarification that you cannot downgrade basebands? --[[User:Rekoil|adriaaan]] 15:16, 14 October 2009 (UTC)

== Tethered Jailbreak ==
at this point with ipt3g a tethered jailbreak may be the only option we have. the chances of another bootrom exploit being found are rather slim. And find an untethering exploit beyond that is stupid/pointless. I know a tethered exploit sucks, but there's a real chance that this may be the only thing that's left! Should we mark is as "yes jailbreakable" or not? I say take it and be happy with what you got!!
--[[User:Posixninja|posixninja]] 13:22, 12 October 2009 (UTC)

I see what you mean, and I tend to agree for the most part, but a tethered jailbreak just isn't a complete jailbreak in my opinion. Plus if people keep looking I know a tether-less jailbreak will be found eventually, nothing is unhackable ;) --[[User:Rekoil|adriaaan]] 19:39, 12 October 2009 (UTC)

I wish that was true, but most people average 1 exploit for every so many kilobytes, and bootrom really isn't very large. Even then there's a limited number of injection vectors to exploits. So the chances of bootrom becoming exploitable is actually a real risk!! every exploit that is found greatly decreases the chances another exploit will be found. Within the next 2-3 years jailbreaking on iphone will probably be extinct. 4 years max
--[[User:Posixninja|posixninja]] 04:36, 15 October 2009 (UTC)

Well then in the next two years we'll "borrow one of nsa's super computers and extract the private signing key :D. Or get hold of a developer model and maybe there will be some interesting stuff on it.

==Updated Bootroms==
How can we note on this page that for some 3gs and touch 2G users (ones after September 9) they can only have a tethered jailbreak at the moment. [[User:Iemit737|Iemit737]] 18:07, 31 October 2009 (UTC)

== Easily find rare firmwares using Google. ==

A handy way to search for firmwares, is to just search in Google using the corresponding listed SHA1 Hash (or even just the file size) as your query. Perhaps someone feels like editing the wiki so that the SHA1 strings become links to the right Google search results. Example: http://www.google.com/search?q=7367dd9ba58a3b9777307368a0128e696fdfc9a6 and http://www.google.com/search?q=249%2C780%2C497 [[User:Harlekeyn|Harlekeyn]] 22:59, 28 March 2010 (UTC)
:I say no. Links for some of the iPod touch firmwares are missing because [https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/touchLandingPage Apple sells or sold them]. Not to mention, Apple's links to download them expire over time. (A third-party site hosting the firmware is copyright violation, which is a big no-no.) --[[User:Dialexio|Dialexio]] 06:51, 29 March 2010 (UTC)

== Forbidden ==
There are some IPSW links which instead of a download link contain just the text "forbidden". It would be good to know at least the name of this IPSW. To make sure nobody puts a working download link there instead (later), we could leave the "forbidden" text there and add a link to Google with the full name in the search query. I think that would be ok. What do you think? --[[User:Http|http]] 19:35, 13 June 2010 (UTC)
:I suppose supplying the firmware name would be fine, but I'm not a fan of linking to a Google search of the name as it would still promote piracy/copyright infringement. Perhaps we could use the "protected://" URL that Apple supplies in the [http://itunes.apple.com/version version XML], like how [http://www.trejan.com/projects/ipod/ Trejan] lists it. --[[User:Dialexio|Dialexio]] 19:48, 13 June 2010 (UTC)

==4.0 Jailbreak==

There is a userland exploit out there, and @comex (et al.) have verified that will likely work on iPhone 4 too. There is no such case as iPhone 4 having an exploit that an iPod touch 3G does not. Also this page displays if a jailbreak tool is available, not if a jailbreak has been demonstrated by geohot/chronic/dev-team/comex or Santa. -- [[User:Iemit737|Iemit737]] 21:55, 2 July 2010 (UTC)

[[User:Dialexio|Dialexio]], ok it sounds better now. But you also removed the two other jailbreak possibilites for 4.0:
*with 3.1.2 shsh (this one is listed)
*if still running 3.1.2, but no shsh
*old bootrom
And what does OTB stand for?
-- [[User:Http|http]] 22:51, 21 July 2010 (UTC)
:OTB stands for "'''O'''ut of '''T'''he '''B'''ox." I'll fix it up now. --[[User:Dialexio|Dialexio]] 23:07, 21 July 2010 (UTC)
::I saw that you changed it to ''virgin'', but not everywhere. Can you make it consistent? -- [[User:Http|http]] 05:18, 12 August 2010 (UTC)
:::Done. :) --[[User:Dialexio|Dialexio]] 05:23, 12 August 2010 (UTC)

==Clarification of virgin jailbreak==

2.2 Timberline 5G77a iPod2,1_2.2_5G77a_Restore.ipsw 34a0a489605f34d6cc6c9954edcaaf9a050deedc No <-- shouldn't this be a yes with a superscript 1 for tethered as there were no real protections against using iBSS/iBEC from 2.1.1 on a 2.2 device, infact the run rs program was adapted to chainload a 2.2 iBEC/iBSS for devices that the NAND didn't detect with 2.1.1 iBSS

S5L8900

2010-09-28T17:56:06Z

Lilstevie: /* iBoot */ arm7go was not an exploit on this platform, nor was 2.1.1 released for this processor type

This is the Application Processor shared between the [[M68ap|iPhone]], [[N45ap|iPod touch]], and the [[N82ap|iPhone 3G]]. Not much is known about it through official sources. This processor is not used in any of the newest devices, being replaced by the [[S5L8720]] and [[S5L8920]].

==[[S5L File Formats|Firmware File Formats]]==

== Exploits ==
=== [[iBoot]] ===
* [[Restore Mode]] - Works up to [[iOS]] 1.0.2
* [[Ramdisk Hack]] - Works up to [[iOS]] 2.0 beta 3
* [[diags]] - Works up to [[iOS]] 2.0 beta 5
* [[iBoot Environment Variable Overflow]] - Works up to [[iOS]] 3.1 beta 3
* [[usb_control_msg(0x21, 2) Exploit]] - Works up to [[iOS]] 3.1.2

===[[VROM (S5L8900)|Bootrom]]===
* [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]]
* [[Pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]]

=== [[Kernel]] ===
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0.1

=== [[Userland]] ===
* [[Symlinks]] - Works up to [[iOS]] 1.1.1
* [[LibTiff]] - Works up to [[iOS]] 1.1.1
* [[Mknod]] - Works up to [[iOS]] 1.1.2
* [[Dual Boot Exploit]] - Works up to [[iOS]] 2.0 beta 3
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3
* [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 4.0.1

==Boot Chain==
[[VROM (S5L8900)]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]

One of the [[iPhoneLinux]] goals are to replace that Boot Chain after iBoot:

[[VROM (S5L8900)]]->OpeniBoot->Linux Kernel->X Server->Window Manager

==Upgrade Process==

=== [[Restore Mode]] ===
The common upgrade process chain is [[VROM]]->[[DFU Mode]]->[[WTF]]->[[iBoot]]->[[Kernel]]->[[Ramdisk]]->[[Restore Mode]].

=== [[DFU Mode]] ===
To flash an older version of the iPhone software you have to let your phone reside in [[DFU Mode]]. In iTunes you have to press the option key (Mac) or the shift key (Windows) when pressing 'Restore' to be able to manually chose an [[IPSW File Format|IPSW]].

==== Boot Chain ====
[[VROM]]->[[DFU Mode]]

==External Links==
* [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0301h/DDI0301H_arm1176jzfs_r0p7_trm.pdf Technical Reference Manual: ARM1176JZF-S]

Talk:S5L8930

2010-09-20T14:26:09Z

Lilstevie:

==Merge?==
Should this and the A4 page be merged? They're practically the same in content. --[[User:Dialexio|Dialexio]] 17:18, 6 April 2010 (UTC)
:A4 is just the public name for the s5l8930, no? I say we merge it and make A4 redirect to this page, with a /very minor/ explanation on why it redirects you to this page. ~Drake
::This was from when the pages were separate entities. The problem has since been resolved. :) --[[User:Dialexio|Dialexio]] 04:13, 20 September 2010 (UTC)

==Is there an iBoot exploit?==

Geohot got the iPad to boot verbosely, and the VFDecrypt and other fun keys.

This almost certainly means there is an iboot/llb exploit out there, no? Can the keys be gotten with just a tethered bootrom exploits?

[[User:Iemit737|Iemit737]] 21:39, 25 August 2010 (UTC)

it could be possible he found a bootrom exploit that was pwnage 2 like however the real pwnage exploits the unchecked LLB but apple could have made a mistake with the new shsh check --[[User:Liamchat|liamchat]] 19:20, 29 August 2010 (UTC)

Are we sure that geohot even had an untethered bootrom exploit? He had denied that "pwned4life" or whatever it was was real. [[User:LiNK|LiNK]] 02:07, 20 September 2010 (UTC)

There /is/ a bootrom exploit. It's probably tethered (for now). It's a code-execution exploit, as you can't get keys without executing code. Nor can you boot verbosely without an untethered bootrom exploit. Hope this helps. ~Drake
::A bootrom exploit tethered or untethered can be used to boot verbosely, SIDEBAR: people take tethered/untethered as meaning far too much, all tethered/untethered means is you need to plug in to something to boot, it has absolutely NO bearing on any other capability --[[User:Lilstevie|Lilstevie]] 14:26, 20 September 2010 (UTC)

Talk:WildcardTicket

2010-09-19T14:52:21Z

Lilstevie:

Theoretically, can't we just edit the .plist? and make it into the factory unlocked IMSI Mask? -- {{unsigned|Leobruh|5:32, 19 August 2010 (UTC)}}

:The activation plist is signed, so to do this you require a jailbreak anyway. --[[User:Lilstevie|Lilstevie]] 09:45, 20 August 2010 (UTC)- lilstevie

i realize that. but wouldnt this result in a permanent unlock? [[User:Leobruh|Leobruh]] 07:37, 19 August 2010 (UTC)!

I'm guessing the ticket is handled by the baseband, which requires an exploit to get unsigned code running in the first place? [[User:Iemit737|Iemit737]] 07:41, 19 August 2010 (UTC)

The wildcard ticket is also signed - simple edits break the signature and the ticket gets rejected then. rtfm cryptography 101. [[User:dogbert|dogbert]] 16:02, 19 August 2010 (UTC)

kay but unsigned code already runs when the phone is jailbroken and has access to the filesystem. wouldnt editing the .plist be okay since the sig checks arent needed. again this is all theoretical. im jw [[User:Leobruh|Leobruh]] 18:33, 19 August 2010 (UTC)!

The baseband processor checks the signature, not the application processor. [[User:dogbert|dogbert]] 18:36, 19 August 2010 (UTC)

ahh got ya! but would my theory work though through an exploit such as AT+XAPP? instead of a payload it just changes the .plist? [[User:Leobruh|Leobruh]] 00:15, 20 August 2010 (UTC)!

:you would still require the valid NCK for it to process the unlock in that method, the current way the payloads work for exploits in the baseband processor are adequate --[[User:Lilstevie|Lilstevie]] 09:44, 20 August 2010 (UTC)

:i thought NKC was only for the iPhone 2G? 0.o [[User:Leobruh|Leobruh]] 14:47, 21 August 2010 (UTC)!
::NCK or Network Code Key is on any cellular device that gets locked to a carrier --[[User:Lilstevie|Lilstevie]] 14:52, 19 September 2010 (UTC)

Talk:WildcardTicket

2010-08-20T09:45:29Z

Lilstevie:

Talk:WildcardTicket

2010-08-20T09:44:54Z

Lilstevie:

Theoretically, can't we just edit the .plist? and make it into the factory unlocked IMSI Mask? -- {{unsigned|Leobruh|5:32, 19 August 2010 (UTC)}}
:The activation plist is signed, so to do this you require a jailbreak anyway. - lilstevie

i realize that. but wouldnt this result in a permanent unlock? [[User:Leobruh|Leobruh]] 07:37, 19 August 2010 (UTC)!

I'm guessing the ticket is handled by the baseband, which requires an exploit to get unsigned code running in the first place? [[User:Iemit737|Iemit737]] 07:41, 19 August 2010 (UTC)

The wildcard ticket is also signed - simple edits break the signature and the ticket gets rejected then. rtfm cryptography 101. [[User:dogbert|dogbert]] 16:02, 19 August 2010 (UTC)

kay but unsigned code already runs when the phone is jailbroken and has access to the filesystem. wouldnt editing the .plist be okay since the sig checks arent needed. again this is all theoretical. im jw [[User:Leobruh|Leobruh]] 18:33, 19 August 2010 (UTC)!

The baseband processor checks the signature, not the application processor. [[User:dogbert|dogbert]] 18:36, 19 August 2010 (UTC)

ahh got ya! but would my theory work though through an exploit such as AT+XAPP? instead of a payload it just changes the .plist? [[User:Leobruh|Leobruh]] 00:15, 20 August 2010 (UTC)!

you would still require the valid NCK for it to process the unlock in that method, the current way the payloads work for exploits in the baseband processor are adequate --[[User:Lilstevie|Lilstevie]] 09:44, 20 August 2010 (UTC)

Talk:WildcardTicket

2010-08-19T06:14:31Z

Lilstevie:

Theoritically, cant we just edit the .plist? and make it into the factory unlocked IMSI Mask?
The activation plist is signed, so to do this you require a jailbreak anyway. - lilstevie

Talk:WildcardTicket

2010-08-19T06:14:07Z

Lilstevie:

Theoritically, cant we just edit the .plist? and make it into the factory unlocked IMSI Mask?
- The activation plist is signed, so to do this you require a jailbreak anyway. - lilstevie

Lilstevie

2010-08-07T10:02:08Z

Lilstevie: Lilstevie moved to User:Lilstevie: I am a user of this wiki

#REDIRECT [[User:Lilstevie]]

User:Lilstevie

2010-08-07T10:02:07Z

Lilstevie: Lilstevie moved to User:Lilstevie: I am a user of this wiki

iPhone Hacker, Member of the [[Chronic Dev]]
[[Category:Hackers]]

IPhoneTunnel

2009-07-23T09:32:45Z

Lilstevie: corrected itunes version number

Mac OSX Software developed by novi to open TCP connections (TCP tunnels) between your iPhone / iPod touch and Mac via USB cable. This can be used in case WiFi connection is not available. Currently not working with iPhone OS 3.0 and [[iTunes]] 8.2.x

A MS Windows Software featuring a more or less similar functionality called iPhone Tunnel suit is available as well.

== Download ==

*[http://web.me.com/novi.mad/page2/page2.html iPhoneTunnel]
*[http://minephone.blogspot.com/2009/03/iphone-tunnel-suit-27.html iPhone Tunnel suit]

S5L8920

2009-07-17T11:54:12Z

Lilstevie: /* iBoot / Kernel */ adding in the info removed from S5L8720 page that was related to s5l8920

This is the processor used in the [[iPhone 3GS]].

S5L8920 using [http://www.arm.com/products/CPUs/archi-thumb2.html THUMB-2] instruction set as much as ARM and THUMB ones. So the compiled binaries are not compatible with older CPUs.

== Exploits ==
=== [[iBoot]] / [[Kernel]] ===
* [[iBoot Environment Variable Overflow]] - Firmware 3.1b1 and below (Note: [[iBoot]] on the S5l8720 can be downgraded allowing the exploit to be used on future firmwares, but ''only if'' a backup of the device-specific Apple-signed 3.0 iBSS with unique [[ECID]] was made.)

=== [[S5L8920 (Bootrom)|Bootrom]] ===
* [[0x24000 Segment Overflow]]

== Boot Chain ==
[[S5L8920 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]

== See also ==
* [[S5L8920 (Bootrom)]]
* [[S5L8920 (Hardware)]]
* [[S5L8920 (Hardware - Quick Notes)]]

S5L8720

2009-07-16T21:50:48Z

Lilstevie: adding back in info i accidentally removed while cleaning the incorrect stuff out

This is the Application Processor used on the [[n72ap|iPod Touch 2G]].

==Exploits==
===[[iBoot]] / [[Kernel]] Level===
* [[ARM7 Go]] - Firmware v2.1.1
* [[iBoot Environment Variable Overflow]] - Firmware v3.1b1 and below (Note: [[iBoot]] on the S5l8720 can be downgraded allowing the exploit to be used on future firmwares)

===[[VROM (S5L8720)|Bootrom]]===
* [[0x24000 Segment Overflow]]

==Boot Chain==
[[VROM (S5L8720)|VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]

It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3]] containers, and the [[S5L8720 Bootrom|bootrom]] can properly sigcheck [[LLB]]. That being said, unsigned images can still be run using the [[0x24000 Segment Overflow]].

==See Also==
* [[S5L8720 (Hardware)]]
* [[S5L File Formats]]

S5L8720

2009-07-16T21:48:23Z

Lilstevie: /* iBoot / Kernel Level */ removed information that was for the s5l8920

This is the Application Processor used on the [[n72ap|iPod Touch 2G]].

==Exploits==
===[[iBoot]] / [[Kernel]] Level===
* [[ARM7 Go]] - Firmware v2.1.1
* [[iBoot Environment Variable Overflow]] - Firmware v3.1b1 and below

===[[VROM (S5L8720)|Bootrom]]===
* [[0x24000 Segment Overflow]]

==Boot Chain==
[[VROM (S5L8720)|VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]

It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3]] containers, and the [[S5L8720 Bootrom|bootrom]] can properly sigcheck [[LLB]]. That being said, unsigned images can still be run using the [[0x24000 Segment Overflow]].

==See Also==
* [[S5L8720 (Hardware)]]
* [[S5L File Formats]]