The iPhone Wiki - User contributions [en]

Talk:Usb control msg(0x21, 2) Exploit

2010-10-18T07:55:34Z

Malontop: New page: This exploit isn't used in greepois0n, is it? --malontop

This exploit isn't used in greepois0n, is it? --malontop

Redsn0w

2010-10-18T07:53:59Z

Malontop:

[[Image:Redsn0w.png|thumb|redsn0w 0.9.5-b5]]
redsn0w was originally called [[QuickPwn]] but due to the theft and exploitation of the name, QuickPWN by quickpwn.com, as of iOS 3.0, QuickPwn was discontinued and redsn0w (at the time, version 0.7) was converted into a [[jailbreak]]ing tool for all current devices as well as providing [[unlock]] support the [[M68ap|iPhone 2G]]. As of version 0.8, the [[N88ap|iPhone 3GS]] can also be jailbroken through redsn0w.

Version 0.9 beta 3 was released for Windows and Mac OS X, and it allows iOS 3.0 through 3.1.2 to be jailbroken. It includes support for all devices except the [[N18ap|iPod touch 3G]], and supports a [[tethered jailbreak]] on [[N88ap|iPhone 3GS]] units and [[N72ap|iPod touch 2G]] units with new bootroms. In addition, this version supported custom boot and recovery mode logos, as well as verbose mode on bootup.

The final release, version [http://wikee.iphwn.org/howto:rs9 0.9.2], supports jailbreaking of all iDevices (at the time) with iOS 3.0 through 3.1.2 on Windows and Mac OS X, as well as 3.1.3 on [[S5L8900]] devices. Version 0.9.3 adds support of internet tethering IPCC hack on those devices and 0.9.4 allows jailbreaking of early [[N72ap|iPod touch 2G]] with iOS 3.1.3.

Version [http://wikee.iphwn.org/howto:rsbeta 0.9.5b5-5] supports jailbreaking the [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]]) with iOS 4.0 on Windows and Mac OS X.

redsn0w [http://blog.iphone-dev.org/post/1160213613 0.9.6b1] supports jailbreaking the [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] (both bootroms, although the [[iBoot-240.5.1|new bootrom]]'s jailbreak is tethered) with iOS 4.0 through 4.1 on Mac OS X and Windows.

== Credit ==
[[iPhone Dev Team]]

== Versions ==
{| class="wikitable" width="100%" style="font-size: 90%"
! style="background-color:#E9E9E9; text-align:center; width:150px;" |Version
! style="background-color:#E9E9E9; text-align:center; width:175px;" |Release date
! style="background-color:#E9E9E9; text-align:center;" |Changes
|-
! style="white-space: nowrap;" |

==== 0.9.2 ====
| style="white-space: nowrap;" | Unknown
|
* Supports 3.0-3.1.2 on all iPhones and iPod touches (still a tethered-only JB for late-model devices though)
|-
! style="white-space: nowrap;" |

==== 0.9.3 beta ====
| style="white-space: nowrap;" | Unknown
|
* Contains the IPCC hack to enable tethering on the iPhone 3G and 3GS.
|-
! style="white-space: nowrap;" |

==== 0.9.4 ====
| style="white-space: nowrap;" | Unknown
|
* Supports jailbreaking iOS 3.1.3 on [[M68ap|iPhone 2G]], [[N82ap|iPhone 3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom/MB model]])
|-
! style="white-space: nowrap;" |

==== 0.9.5 beta 5-3 ====
| style="white-space: nowrap;" | June 21, 2010
|
* Supports jailbreaking iOS 4.0 on [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom/MB model]])
|-
! style="white-space: nowrap;" |

==== 0.9.5 beta 5-4 ====
| style="white-space: nowrap;" | Unknown
|
* Resolved a problem with iBooks.
|-
! style="white-space: nowrap;" |

==== 0.9.5 beta 5-5 ====
| style="white-space: nowrap;" | Unknown
|
* Supposed to fix any APN or MMS issues that users were seeing.
|-
! style="white-space: nowrap;" |

==== 0.9.6 beta 1 ====
| style="white-space: nowrap;" | September 21, 2010
|
* Supports jailbreaking iOS 4.0/4.1 on [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] (Tethered on New Bootrom)
|}

== Exploits used ==
For [[N45ap|iPod touch]], [[M68ap|iPhone]] and [[N82ap|iPhone 3G]], see:
*[[Pwnage]]
*[[Pwnage 2.0]]

For [[N72ap|iPod touch 2G]], see:
*[[0x24000 Segment Overflow]]
*[[ARM7 Go]] - was used to upload the oversized [[LLB]] required to utilize the 0x24000 Segment Overflow.
*[[usb_control_msg(0xA1, 1) Exploit]] - used to upload the oversized [[LLB]] to utilize the 0x24000 Segment Overflow. It is also used for a [[tethered jailbreak]] on units with the [[iBoot-240.5.1|new bootrom]].

For [[N88ap|iPhone 3GS]], see:
*[[0x24000 Segment Overflow]]
*[[iBoot Environment Variable Overflow]] - Exploit has a different implementation from [[User:geohot|geohot]]'s implementation in [[purplera1n]].
*[[usb_control_msg(0x21, 2) Exploit]]

For [[N18ap|iPod touch 3G]]
*[[usb_control_msg(0x21, 2) Exploit]]

[[Category:Hacking Software]]

Redsn0w

2010-10-18T07:42:56Z

Malontop:

[[Image:Redsn0w.png|thumb|redsn0w 0.9.5-b5]]
redsn0w was originally called [[QuickPwn]] but due to the theft and exploitation of the name, QuickPWN by quickpwn.com, as of iOS 3.0, QuickPwn was discontinued and redsn0w (at the time, version 0.7) was converted into a [[jailbreak]]ing tool for all current devices as well as providing [[unlock]] support the [[M68ap|iPhone 2G]]. As of version 0.8, the [[N88ap|iPhone 3GS]] can also be jailbroken through redsn0w.

Version 0.9 beta 3 was released for Windows and Mac OS X, and it allows iOS 3.0 through 3.1.2 to be jailbroken. It includes support for all devices except the [[N18ap|iPod touch 3G]], and supports a [[tethered jailbreak]] on [[N88ap|iPhone 3GS]] units and [[N72ap|iPod touch 2G]] units with new bootroms. In addition, this version supported custom boot and recovery mode logos, as well as verbose mode on bootup.

The final release, version [http://wikee.iphwn.org/howto:rs9 0.9.2], supports jailbreaking of all iDevices (at the time) with iOS 3.0 through 3.1.2 on Windows and Mac OS X, as well as 3.1.3 on [[S5L8900]] devices. Version 0.9.3 adds support of internet tethering IPCC hack on those devices and 0.9.4 allows jailbreaking of early [[N72ap|iPod touch 2G]] with iOS 3.1.3.

Version [http://wikee.iphwn.org/howto:rsbeta 0.9.5b5-5] supports jailbreaking the [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]]) with iOS 4.0 on W
Version 0.9.5b5-5 supports jailbreaking the iPhone 3G and iPod touch 2G (old bootrom) with iOS 4.0 on Windows and Mac OS X.
redsn0w 0.9.6b1 supportsindows and Mac OS X.

redsn0w [http://blog.iphone-dev.org/post/1160213613 0.9.6b1] supporrts jailbreaking the [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] (both bootroms, although the [[iBoot-240.5.1|new bootrom]]'s jailbreak is tethered) with iOS 4.0 through 4.1 on Mac OS X.

== Credit ==
[[iPhone Dev Team]]

== Versions ==
{| class="wikitable" width="100%" style="font-size: 90%"
! style="background-color:#E9E9E9; text-align:center; width:150px;" |Version
! style="background-color:#E9E9E9; text-align:center; width:175px;" |Release date
! style="background-color:#E9E9E9; text-align:center;" |Changes
|-
! style="white-space: nowrap;" |

==== 0.9.2 ====
| style="white-space: nowrap;" | Unknown
|
* Supports 3.0-3.1.2 on all iPhones and iPod touches (still a tethered-only JB for late-model devices though)
|-
! style="white-space: nowrap;" |

==== 0.9.3 beta ====
| style="white-space: nowrap;" | Unknown
|
* Contains the IPCC hack to enable tethering on the iPhone 3G and 3GS.
|-
! style="white-space: nowrap;" |

==== 0.9.4 ====
| style="white-space: nowrap;" | Unknown
|
* Supports jailbreaking iOS 3.1.3 on [[M68ap|iPhone 2G]], [[N82ap|iPhone 3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom/MB model]])
|-
! style="white-space: nowrap;" |

==== 0.9.5 beta 5-3 ====
| style="white-space: nowrap;" | June 21, 2010
|
* Supports jailbreaking iOS 4.0 on [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom/MB model]])
|-
! style="white-space: nowrap;" |

==== 0.9.5 beta 5-4 ====
| style="white-space: nowrap;" | Unknown
|
* Resolved a problem with iBooks.
|-
! style="white-space: nowrap;" |

==== 0.9.5 beta 5-5 ====
| style="white-space: nowrap;" | Unknown
|
* Supposed to fix any APN or MMS issues that users were seeing.
|-
! style="white-space: nowrap;" |

==== 0.9.6 beta 1 ====
| style="white-space: nowrap;" | September 21, 2010
|
* Supports jailbreaking iOS 4.0/4.1 on [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] (Tethered on New Bootrom)
|}

== Exploits used ==
For [[N45ap|iPod touch]], [[M68ap|iPhone]] and [[N82ap|iPhone 3G]], see:
*[[Pwnage]]
*[[Pwnage 2.0]]

For [[N72ap|iPod touch 2G]], see:
*[[0x24000 Segment Overflow]]
*[[ARM7 Go]] - was used to upload the oversized [[LLB]] required to utilize the 0x24000 Segment Overflow.
*[[usb_control_msg(0xA1, 1) Exploit]] - used to upload the oversized [[LLB]] to utilize the 0x24000 Segment Overflow. It is also used for a [[tethered jailbreak]] on units with the [[iBoot-240.5.1|new bootrom]].

For [[N88ap|iPhone 3GS]], see:
*[[0x24000 Segment Overflow]]
*[[iBoot Environment Variable Overflow]] - Exploit has a different implementation from [[User:geohot|geohot]]'s implementation in [[purplera1n]].
*[[usb_control_msg(0x21, 2) Exploit]]

For [[N18ap|iPod touch 3G]]
*[[usb_control_msg(0x21, 2) Exploit]]

[[Category:Hacking Software]]

Bootrom

2010-09-26T07:55:22Z

Malontop: /* Check bootrom version */

==Introduction / old+new==
The bootrom (called "SecureROM" by Apple) is the first significant code that runs on an iDevice. The bootrom is unwritable. Finding exploits in the bootrom level is a big achievement since Apple won't be able to fix it without a hardware revision.

Often users refer to '''old bootrom''' or '''new bootrom''' devices. The '''new bootrom''' devices were released after [[Timeline#September|9 September 2009]] and have the [[0x24000 Segment Overflow]] fixed. Therefore these newer versions of the [[N72ap|iPod touch 2G]] and [[N88ap|iPhone 3GS]] are not vulnerable to this exploit and had only a [[tethered jailbreak]]/[[unlock]] until [[Spirit]] came out. Currently, these devices can be jailbroken on iOS 4.0 with [[Star]].

Please see also [[IBoot|Apple's stage 2 bootloader]], which also uses the "iBoot" name.

==Check bootrom version==
To find out if you have an old or new bootrom, the easiest way is to look at the serial number. If the 4th and 5th digits are lower than 40, then you probably have an old bootrom. If they are higher than 45, then you probably have a new bootrom. These two digits show the production week. For refurbished phones and for numbers inbetween, the result is undefined and you have to make the following exact check.

To check your device's bootrom version, you must put your device into [[DFU Mode]]. Make sure it is '''not''' in [[Recovery Mode]], as Recovery Mode does not mention the bootrom version. If you have Mac OS X, go to System Profiler, and under the "Hardware" category, go to USB, and click on "Apple Mobile Device (DFU Mode)." If you have Windows, go to Device Manager, find USB controller, subitem Apple Mobile Device USB Driver. In Properties, Details, select Device Instance Path in the dropdown. The end of the info string will show the bootrom version.

If you're on Linux and have a Desktop Environment setup, install gnome-device-manager and start it. Connect you're device in DFU Mode, search in the left tree-view for "USB Device" and look at Summary -> Model until it says "Apple Mobile Device (DFU Mode)". If it does go to Properties (next to Summary) and search for "usb_device.serial". The end of the String will show you the bootrom version.

== Revisions ==
===[[S5L8900]], used in the [[M68ap|iPhone]], [[N45ap|iPod touch 1G]], and [[N82ap|iPhone 3G]]===

===[[S5L8720]], used in the [[N72ap|iPod touch 2G]]===
* [[iBoot-240.4]] "old bootrom"
* [[iBoot-240.5.1]] "new bootrom"

===[[S5L8920]], used in the [[N88ap|iPhone 3GS]]===
* [[iBoot-359.3]] "old bootrom"
* [[iBoot-359.3.2]] "new bootrom"

===[[S5L8922]], used in the [[N18ap|iPod touch 3G]]===
* [[iBoot-359.5]]

===[[S5L8930]], used in the [[K48ap|iPad]], [[N90ap|iPhone 4]], and [[N81ap|iPod touch 4G]]===
* [[iBoot-574.4]]

User:Malontop

2010-09-08T06:39:20Z

Malontop: New page: I am interested in programming Linux, OS X and iOS Apps.

I am interested in programming Linux, OS X and iOS Apps.