https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=Oranav
The iPhone Wiki - User contributions [en]
2026-05-05T14:00:27Z
User contributions
MediaWiki 1.31.14
https://www.theiphonewiki.com/w/index.php?title=XMM6180&diff=6706
XMM6180
2010-06-25T17:48:33Z
<p>Oranav: </p>
<hr />
<div>This is the baseband platform used in the iPhone 4. It uses the X-Gold 618.<br />
<br />
The firmware is based on [http://www.rtos.com Thread X], a realtime OS.<br />
<br />
<br />
<br />
[[Category:Baseband]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Main_Page&diff=6643
Main Page
2010-06-22T22:47:14Z
<p>Oranav: </p>
<hr />
<div><!-- Logo by iHassan --><br />
<center>[[Image:Iptwiki.png]]</center><br />
<!-- Added a split column information box- computid --><br />
{{:Main Page/Welcome}}<br />
<table border="1" width="100%" style="background-color:orange;"><tr><br />
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Jailbreak iPhone2,1 / iPod3,1|Find bootrom exploit allowing unsigned code exec via USB (S5L8920+)]]</b></td><br />
<td style="background-color:orange; text-align:center; width:25%;"><b>[[X-Gold 608 Unlock|Break Chain of Trust (X-Gold 608)]]</b></td><br />
<td style="background-color:orange; text-align:center; width:25%;"><b>[[X-Gold 618 Unlock|Break Chain of Trust (X-Gold 618)]]</b></td><br />
</tr><br />
</table><br /><br />
<br />
{{col-begin}}<br />
{{col-2}}<br />
{{HeadingA|Software}}<br />
* [[/|Filesystem]]<br />
* [[Firmware]]<br />
* [[Keys]]<br />
** [[AES Keys]]<br />
** [[Apple Certificate]]<br />
** [[Baseband RSA Keys|RSA Keys]]<br />
** [[Baseband TEA Keys|TEA Keys]]<br />
** [[NCK]]<br />
* [[Protocols]]<br />
** [[Normal Mode]]<br />
** [[Recovery Mode (Protocols)|Recovery Mode]]<br />
** [[Restore Mode]]<br />
** [[DFU (Protocol)|DFU]]<br />
** [[Baseband Bootrom Protocol]]<br />
** [[Interactive Mode|Baseband Bootloader Protocol]]<br />
* [[System Log|System Log (syslog)]]<br />
{{col-2}}<br />
{{HeadingB|Hardware}}<br />
====iPhone====<br />
* [[m68ap|iPhone (m68ap)]]<br />
* [[n82ap|iPhone 3G (n82ap)]]<br />
* [[N88ap|iPhone 3GS (n88ap)]]<br />
* [[N90ap|iPhone 4 (n90ap)]]<br />
<br />
====iPod Touch====<br />
* [[n45ap|iPod touch (n45ap)]]<br />
* [[n72ap|iPod touch 2nd Generation (n72ap)]]<br />
* [[N18ap|iPod touch 3rd Generation (n18ap)]]<br />
<br />
====iPad====<br />
* [[K48ap|iPad (k48ap)]]<br />
<br />
====Processors====<br />
* [[S5L8900]] ([[iPhone]], [[iPod Touch]], [[iPhone 3G]])<br />
* [[S5L8720]] ([[iPod touch 2G]])<br />
* [[S5L8920]] ([[N88AP|iPhone 3GS]])<br />
* [[S5L8922]] ([[N18ap|iPod Touch 3G]])<br />
* [[S5L8930]] ([[k48ap|iPad]], [[n90ap|iPhone 4]])<br />
* [[Baseband Device]]<br />
<br />
====Other====<br />
* [[Bluetooth]]<br />
{{col-end}}<br />
<br />
{{col-begin}}<br />
{{col-2}}<br />
{{HeadingA|Development}}<br />
====Application Development====<br />
* [[Toolchain]] (Includes tutorials)<br />
* [[Toolchain 2.0]] (Includes tutorials)<br />
* [[Frameworks]]<br />
* [[MobileDevice Library]]<br />
* [[Apple Certification Process]]<br />
* [[Bypassing iPhone Code Signatures]]<br />
* [[Distribution Methods]]<br />
<br />
====Application Copy Protection====<br />
* [[Copy Protection Overview]]<br />
* [[Application Structure and Signatures]]<br />
* [[Mach-O Loading Process]]<br />
* [[Bugging Debuggers]]<br />
* [[Defeating Cracks]]<br />
{{col-2}}<br />
{{HeadingB|Help}}<br />
====Guides====<br />
* [[Tutorials]]<br />
* [[Useful Links]]<br />
<br />
====Definitions====<br />
* [[Glossary]]<br />
* [[Jailbreak]]<br />
* [[Activation]]<br />
* [[Unlock]]<br />
* [[Baseband Device|Baseband]]<br />
* [[Baseband Bootloader|Bootloader]]<br />
* [[DFU]]<br />
* [[ECID]]<br />
* [[iBoot]]<br />
* [[iBEC]]<br />
* [[iBSS]]<br />
* [[SHSH]]<br />
* [[NORID]]<br />
* [[CHIPID]]<br />
{{col-end}}<br />
<br />
<br />
<table border="1" width="100%" style="background-color:orange;"><br />
<tr><br />
<td colspan="4" style="background-color:orange; text-align:center;"><br />
<center>[[Disclaimer]]</center><br />
</td><br />
</tr><br />
</table><br />
<br />
__NOTOC____NOEDITSECTION__</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Main_Page&diff=6642
Main Page
2010-06-22T22:46:32Z
<p>Oranav: </p>
<hr />
<div><!-- Logo by iHassan --><br />
<center>[[Image:Iptwiki.png]]</center><br />
<!-- Added a split column information box- computid --><br />
{{:Main Page/Welcome}}<br />
<table border="1" width="100%" style="background-color:orange;"><tr><br />
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Jailbreak iPhone2,1 / iPod3,1|Find bootrom exploit allowing unsigned code exec via USB (S5L8920+)]]</b></td><br />
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Unlock 2.0|Break Chain of Trust (X-Gold 608)]]</b></td><br />
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Unlock X-Gold 618|Break Chain of Trust (X-Gold 618)]]</b></td><br />
</tr><br />
</table><br /><br />
<br />
{{col-begin}}<br />
{{col-2}}<br />
{{HeadingA|Software}}<br />
* [[/|Filesystem]]<br />
* [[Firmware]]<br />
* [[Keys]]<br />
** [[AES Keys]]<br />
** [[Apple Certificate]]<br />
** [[Baseband RSA Keys|RSA Keys]]<br />
** [[Baseband TEA Keys|TEA Keys]]<br />
** [[NCK]]<br />
* [[Protocols]]<br />
** [[Normal Mode]]<br />
** [[Recovery Mode (Protocols)|Recovery Mode]]<br />
** [[Restore Mode]]<br />
** [[DFU (Protocol)|DFU]]<br />
** [[Baseband Bootrom Protocol]]<br />
** [[Interactive Mode|Baseband Bootloader Protocol]]<br />
* [[System Log|System Log (syslog)]]<br />
{{col-2}}<br />
{{HeadingB|Hardware}}<br />
====iPhone====<br />
* [[m68ap|iPhone (m68ap)]]<br />
* [[n82ap|iPhone 3G (n82ap)]]<br />
* [[N88ap|iPhone 3GS (n88ap)]]<br />
* [[N90ap|iPhone 4 (n90ap)]]<br />
<br />
====iPod Touch====<br />
* [[n45ap|iPod touch (n45ap)]]<br />
* [[n72ap|iPod touch 2nd Generation (n72ap)]]<br />
* [[N18ap|iPod touch 3rd Generation (n18ap)]]<br />
<br />
====iPad====<br />
* [[K48ap|iPad (k48ap)]]<br />
<br />
====Processors====<br />
* [[S5L8900]] ([[iPhone]], [[iPod Touch]], [[iPhone 3G]])<br />
* [[S5L8720]] ([[iPod touch 2G]])<br />
* [[S5L8920]] ([[N88AP|iPhone 3GS]])<br />
* [[S5L8922]] ([[N18ap|iPod Touch 3G]])<br />
* [[S5L8930]] ([[k48ap|iPad]], [[n90ap|iPhone 4]])<br />
* [[Baseband Device]]<br />
<br />
====Other====<br />
* [[Bluetooth]]<br />
{{col-end}}<br />
<br />
{{col-begin}}<br />
{{col-2}}<br />
{{HeadingA|Development}}<br />
====Application Development====<br />
* [[Toolchain]] (Includes tutorials)<br />
* [[Toolchain 2.0]] (Includes tutorials)<br />
* [[Frameworks]]<br />
* [[MobileDevice Library]]<br />
* [[Apple Certification Process]]<br />
* [[Bypassing iPhone Code Signatures]]<br />
* [[Distribution Methods]]<br />
<br />
====Application Copy Protection====<br />
* [[Copy Protection Overview]]<br />
* [[Application Structure and Signatures]]<br />
* [[Mach-O Loading Process]]<br />
* [[Bugging Debuggers]]<br />
* [[Defeating Cracks]]<br />
{{col-2}}<br />
{{HeadingB|Help}}<br />
====Guides====<br />
* [[Tutorials]]<br />
* [[Useful Links]]<br />
<br />
====Definitions====<br />
* [[Glossary]]<br />
* [[Jailbreak]]<br />
* [[Activation]]<br />
* [[Unlock]]<br />
* [[Baseband Device|Baseband]]<br />
* [[Baseband Bootloader|Bootloader]]<br />
* [[DFU]]<br />
* [[ECID]]<br />
* [[iBoot]]<br />
* [[iBEC]]<br />
* [[iBSS]]<br />
* [[SHSH]]<br />
* [[NORID]]<br />
* [[CHIPID]]<br />
{{col-end}}<br />
<br />
<br />
<table border="1" width="100%" style="background-color:orange;"><br />
<tr><br />
<td colspan="4" style="background-color:orange; text-align:center;"><br />
<center>[[Disclaimer]]</center><br />
</td><br />
</tr><br />
</table><br />
<br />
__NOTOC____NOEDITSECTION__</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=XMM6180&diff=6641
XMM6180
2010-06-22T21:59:28Z
<p>Oranav: </p>
<hr />
<div>This is the baseband platform used in the iPhone 4. It uses the X-Gold 618.</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&diff=6640
Talk:XMM6180
2010-06-22T21:56:22Z
<p>Oranav: </p>
<hr />
<div>Are we sure this is the baseband? <br />
<br />
The infineon spec-sheet says "HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps".<br />
<br />
At the keynote Steve mentioned 5.8Mbps HSUPA.<br />
[[User:Iemit737|Iemit737]] 19:26, 21 June 2010 (UTC)<br />
<br />
Running "string" on the new baseband files shows "XGold 618" multiple times.<br />
--[[User:Miketress|Miketress]] 19:35, 21 June 2010 (UTC)<br />
<br />
Ok, awesome. Thanks for finding this so quickly! [[User:Iemit737|Iemit737]] 19:50, 21 June 2010 (UTC)<br />
<br />
Very unlikely it's the 618 after looking at the spec sheet.<br />
In case anyone is interested, [http://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a39470bb00555 | X-Gold 616 spec sheet], [https://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a3948dc76055b | X-Gold 618 spec sheet].<br />
[[User:D235j|D235j]] 21:43, 22 June 2010 (UTC)<br />
<br />
Actually, it's the XMM 6180. ebl.fls says so. --[[User:Oranav|oranav]] 21:56, 22 June 2010 (UTC)</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&diff=6638
Talk:XMM6180
2010-06-22T21:55:25Z
<p>Oranav: Talk:X-Gold 616 moved to Talk:XMM 6180</p>
<hr />
<div>Are we sure this is the baseband? <br />
<br />
The infineon spec-sheet says "HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps".<br />
<br />
At the keynote Steve mentioned 5.8Mbps HSUPA.<br />
[[User:Iemit737|Iemit737]] 19:26, 21 June 2010 (UTC)<br />
<br />
Running "string" on the new baseband files shows "XGold 618" multiple times.<br />
--[[User:Miketress|Miketress]] 19:35, 21 June 2010 (UTC)<br />
<br />
Ok, awesome. Thanks for finding this so quickly! [[User:Iemit737|Iemit737]] 19:50, 21 June 2010 (UTC)<br />
<br />
Very unlikely it's the 618 after looking at the spec sheet.<br />
In case anyone is interested, [http://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a39470bb00555 | X-Gold 616 spec sheet], [https://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a3948dc76055b | X-Gold 618 spec sheet].<br />
[[User:D235j|D235j]] 21:43, 22 June 2010 (UTC)</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=XMM6180&diff=6636
XMM6180
2010-06-22T21:55:24Z
<p>Oranav: X-Gold 616 moved to XMM 6180</p>
<hr />
<div>This is the baseband processor used in the iPhone 4.</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=AT%2BXAPP_Vulnerability&diff=6628
AT+XAPP Vulnerability
2010-06-22T20:55:19Z
<p>Oranav: </p>
<hr />
<div>Used as an injection vector for the current iPhone 3G and iPhone 3GS unlock payloads - ultrasn0w 0.93. Currently available in all baseband versions until 05.13.04.<br />
<br />
== Credit ==<br />
<br />
* '''vulnerability''': [http://twitter.com/sherif_hashim sherif_hashim], also discovered by [http://twitter.com/westbaer westbaer], [[geohot]] and [http://twitter.com/oranav Oranav] (each one independently)<br />
* '''exploitation''': [[iPhone Dev Team]]<br />
<br />
<br />
== Exploit ==<br />
<br />
<br />
There is a stack overflow in the AT+XAPP="..." command, which allows unsigned code execution on the [[X-Gold 608]]<br />
<br />
at+xapp="0000111122223333444455556666777788889999000011112222"<br />
<br />
applying a string of more than 52 characters will trigger the overflow<br />
<br />
<br />
== Implementation ==<br />
<br />
<br />
The exploit was used by [[iPhone Dev Team]] in [[Ultrasn0w]] 0.93 which is able to unlock 4.26.08, 5.11.07, 5.12.01 and 5.13.04 BB firmwares<br />
<br />
----<br />
<br />
Category: Baseband Exploits</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=6626
Ultrasn0w
2010-06-22T18:27:43Z
<p>Oranav: /* Injection Vectors */</p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[iPhone 3G]] and [[iPhone 3GS]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
MuscleNerd, and [[The dev team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Injection Vectors==<br />
* [[AT+stkprof Exploit]] - used by yellowsn0w<br />
* [[AT+XLOG Vulnerability]] - used by ultrasn0w for 04.26.08 unlock<br />
* [[AT+XAPP Vulnerability]] - used by ultrasn0w for 05.11.07 - 05.13.04 unlock<br />
<br />
==ultrasn0w payload with comments (by Oranav)==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ==<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://yellowsn0w.com yellowsn0w Official Website]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=6593
Ultrasn0w
2010-06-21T19:17:13Z
<p>Oranav: </p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[iPhone 3G]] and [[iPhone 3GS]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
MuscleNerd, and [[The dev team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Injection Vectors==<br />
* [[AT+stkprof Exploit]] - used by yellowsn0w<br />
* [[AT+XLOG Vulnerability]] - used by ultrasn0w versions till 0.92<br />
* ? - used by ultrasn0w 0.93<br />
<br />
==ultrasn0w payload with comments (by Oranav)==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ==<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://yellowsn0w.com yellowsn0w Official Website]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=N90AP&diff=6489
N90AP
2010-06-08T14:50:26Z
<p>Oranav: </p>
<hr />
<div>This is the iPhone 4. Announced on WWDC keynote in June 2010. It features a new exterior design, 5-megapixel camera with LED flash and 960x640 Retina Display screen.<br />
<br />
== Application Processor ==<br />
It uses the [[S5L8930|Apple A4]] CPU, same as the iPad.<br />
<br />
== Baseband ==<br />
It uses an unknown baseband chip, but it's not the [[X-Gold 608]], since the baseband version in 4.0 GM is 01.59.00.<br />
<br />
== Specifications ==<br />
'''Color:''' Black or white <br><br />
'''Size''': 115.2 mm (4.5 inches) (h), 58.6 mm (2.31 inches) (w), 9.3 mm (0.37 inches) (d) <br><br />
'''Weight''': 135 g (4.8 oz) <br><br />
'''Battery''': Standby up to 300 hours, talk time up to 7 hours on 3G and up to 14 hours on 2G <br><br />
'''Rear camera''': 5MP with Autofocus and manual focus (''Tap to focus''), supporting HD video recording @ 30FPS <br><br />
'''Front camera''': VGA photos and video @ 30 FPS</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=6478
Firmware
2010-06-08T10:00:42Z
<p>Oranav: Added iPhone 4, baseband is 01.59.00</p>
<hr />
<div>This is the operating system the iPhone/iPod Touch runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[M68ap|iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code><br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{no}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| <code>fb8bb3ee2e9a997affbb97868599f2995c78209c</code><br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| <code>a00b85a7a55d62a94be5fbf5effbc42fd63f3097</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| <code>7f5c0ff1f84a0202b75a55c3fcb362e415334d1e</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| <code>d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>797c02e7d660940e8d9a16cc7229ccf3f67dd8b1</code><br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>b3dec7580bd00dc4faf28449d9618ef40aeacc96</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>000811bac096011b50ebf6ec1ec2285b62fda4cb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| <code>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| <code>61de6a2bd6ceddc9ecabad1671b91a59b3824bc4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| <code>b84b57bea919bdc720287ec908c1378e7d7b5e1b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| <code>353b7745767b85932e14e262e69463620939bdf7</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| <code>cbfc6ff886ce89868a55547b9fb980dbf92e6418</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| <code>43b95ebe1e51f8d30eae916053396595c08440d3</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| <code>2afd3f8ede17390737f508473ed205506a0bd23f</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>34c391fbbc7b31b159372766de39ce5c9cc26ebb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| <code>b7b5f436f81c6f855410e8b44a3d432ccaacd6fc</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,536,460<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone)|Northstar 7D11]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7268.20091008.32pNe/iPhone1,1_3.1.2_7D11_Restore.ipsw iPhone1,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>e4a1171542dbbd3093516d9c02047b9f7e143050</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,515,888<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone)|SUNorthstarTwo 7E18]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7481.20100202.4orot/iPhone1,1_3.1.3_7E18_Restore.ipsw iPhone1,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>eab23a7f8d2a17cb71046c50fc5f67ec390a3c2b</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 238,319,275<br />
|}<br />
<br />
===[[N82ap|iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{no}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| <code>af9506ca0034e462674f9f59c5406f159eaf9fc1</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| <code>e81c7ac7e334a3e9d81b3b47894bfaa1ec495482</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| <code>bef7fef954293046420fbcf947379839178a195b</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| <code>c6957dcbf2a95ccfd6dce374a727b1b7700a9043</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| <code>f67f8b2b842428bf89456cda0c2d5cf954d111a4</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|yellowsn0w]]}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| <code>e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| <code>94f1fb43de12bff0f168ce690b7e794cc6220ae3</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|ultrasn0w]]}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone 3G)|Kirkwood 7A400]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| <code>a148ff39fa4dea499e7a9dd007b63e90c4f56666</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|ultrasn0w]]}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| <code>9b3b3c148170b012012278efda9ff5c38282d559</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]]}}<br />
| 253,361,339<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3G)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7265.20091008.Xsd32/iPhone1,2_3.1.2_7D11_Restore.ipsw iPhone1,2_3.1.2_7D11_Restore.ipsw]<br />
| <code>b1a6ab2771bb5da372ba75a8fa3e1d72b71359d0</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]]}}<br />
| 253,340,786<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3G)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7468.20100202.pbnrt/iPhone1,2_3.1.3_7E18_Restore.ipsw iPhone1,2_3.1.3_7E18_Restore.ipsw]<br />
| <code>f5950afca546f93e281ba3cdb08bc0cfed7f0896</code><br />
|<br />
| {{yes}}<br />
| {{no}}<br />
| 239,139,281<br />
|}<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| <code>d8534408c8679c830fd0c4e36ef9762c11ef73df</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|ultrasn0w]]}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>30006575af931e3da0521febace005152cdb8853</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|ultrasn0w]]}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3GS)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| <code>527c74f87588afa1d69c1e2c08eedc88f113013a</code><br />
| Installed on phones produced week 37.<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]]}}<br />
| 321,011,474<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3GS)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7270.20091008.phn32/iPhone2,1_3.1.2_7D11_Restore.ipsw iPhone2,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>6998bb7d9e869b2d89a08853312f9457d070fb1f</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]]}}<br />
| 321,015,700<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3GS)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7472.20100202.8tugj/iPhone2,1_3.1.3_7E18_Restore.ipsw iPhone2,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>8cb3775e62c6f72059a962bf891b4e145b965052</code><br />
|<br />
| {{yes}}<br />
| {{no}}<br />
| 305,122,343<br />
|}<br />
<br />
===[[N90ap|iPhone 4]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 4)|Apex 8A293]]<br />
| 01.59.00<br />
| not released yet<br />
| ?<br />
| Initial shipment.<br />
| {{no}}<br />
| {{no}}<br />
| ?<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| <code>9b0d83c7f8b4328174a3f31e0e93f60e591ae143</code><br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| <code>84bbc6ea8bf29745195bc9926c1874f7c2a36f32</code><br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>108d8ffe9ea75e61cd5e57170ad388b7fa00d923</code><br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6</code><br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>c148d1eb1c979bb6434175411d4a372103a4fdd2</code><br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| <code>1b818911316e4248ee01d3ec67f9d39afc3db240</code><br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| <code>ae82798e85f9953b0f4798bad36187cb020c9d22</code><br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| <code>a81b6e7af4b85ef436d047f9da57c0f694d8964a</code><br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| <code>c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2</code><br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| <code>fc7f6d0972927df502ffca47438ca75dcccffaf3</code><br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| <code>081a7de363230fb38d0ce092cbbe42f2a50c8a5f</code><br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| <code>fc69be9e421bc0630567184506ab771f6b7ef68b</code><br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| <code>dff2bd14931225908a360fb8e60a336f17d2dd6d</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| <code>c6270780c166db4c9f4f0a7fa945754a1f9fe7e8</code><br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|-<br />
| 3.1.2<br />
| Northstar 7D11<br />
| Download Link Prohibited<br />
| <code>7367dd9ba58a3b9777307368a0128e696fdfc9a6</code><br />
| <br />
| {{yes}} <br />
| 249,780,497<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| Download Link Prohibited<br />
| <code>5f897990f19d2f093b35e0813d7d77806404fb1f</code><br />
|<br />
| {{yes}}<br />
| 235,678,189<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| <code>c3c700be49ad227d1152188e7c1e46b8958fd1e4</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| <code>34a0a489605f34d6cc6c9954edcaaf9a050deedc</code><br />
|<br />
| {{yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| <code>9af5625ea34acdd8abeb6fce71a72651d0c815d5</code><br />
|<br />
| {{yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| <code>0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 2G)|Northstar 7C145]]<br />
| Download Link Prohibited<br />
| <code>e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7</code><br />
| <br />
| {{yes}}<br />
| 277,753,989<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 2G)|Northstar 7D11]]<br />
| Download Link Prohibited<br />
| <code>e7c83d4a5baec0e81816ae1cd1caf9a4dc38ebf0</code><br />
| <br />
| {{yes}} <br />
| 277,794,671<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 2G)|SUNorthstarTwo 7E18]]<br />
| Download Link Prohibited<br />
| <code>5f4f5c01eda2f811f73167e7d1f82dbeed82367b</code><br />
|<br />
| {{yes}}<br />
| 263,275,211<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C145]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| <code>a3eddbe2cf77858bae7087dc8b2035f0d3097e57</code><br />
| Initial shipment.<br />
| {{yes}}<br />
<br />
| 311,702,789<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C146]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7238.20090918.23GhT/iPod3,1_3.1.1_7C146_Restore.ipsw iPod3,1_3.1.1_7C146_Restore.ipsw]<br />
| <code>f66a7286b261137f25ddbbd84047f9a7ea181904</code><br />
| <br />
| {{yes}}<br />
| 311,690,768<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 3G)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7271.20091008.Tch23/iPod3,1_3.1.2_7D11_Restore.ipsw iPod3,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>02dcee28d788d594a2939ab564f4f183af6ccdf2</code><br />
| <br />
| {{yes}}<br />
| 311,740,034<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7473.20100202.4i44t/iPod3,1_3.1.3_7E18_Restore.ipsw iPod3,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>375fd469b18bfc0b74c7cfa5b4d5945197b1d106</code><br />
|<br />
| {{yes}}<br />
| 295,870,806<br />
|}<br />
<br />
===[[K48ap|iPad]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.2<br />
| [[Wildcat 7B367 (iPad)|Wildcat 7B367]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPad/061-7987.20100403.mjiTr/iPad1,1_3.2_7B367_Restore.ipsw iPad1,1_3.2_7B367_Restore.ipsw]<br />
| <code>172E8297AF74B91971A802E6AD137C891F553099</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 478,959,325<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=6300
Firmware
2010-05-03T02:05:50Z
<p>Oranav: Spirirt jailbreaks all devices with firmware 3.1.3</p>
<hr />
<div>This is the operating system the iPhone/iPod Touch runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[M68ap|iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code><br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{no}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| <code>fb8bb3ee2e9a997affbb97868599f2995c78209c</code><br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| <code>a00b85a7a55d62a94be5fbf5effbc42fd63f3097</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| <code>7f5c0ff1f84a0202b75a55c3fcb362e415334d1e</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| <code>d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>797c02e7d660940e8d9a16cc7229ccf3f67dd8b1</code><br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>b3dec7580bd00dc4faf28449d9618ef40aeacc96</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>000811bac096011b50ebf6ec1ec2285b62fda4cb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| <code>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| <code>61de6a2bd6ceddc9ecabad1671b91a59b3824bc4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| <code>b84b57bea919bdc720287ec908c1378e7d7b5e1b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| <code>353b7745767b85932e14e262e69463620939bdf7</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| <code>cbfc6ff886ce89868a55547b9fb980dbf92e6418</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| <code>43b95ebe1e51f8d30eae916053396595c08440d3</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| <code>2afd3f8ede17390737f508473ed205506a0bd23f</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>34c391fbbc7b31b159372766de39ce5c9cc26ebb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| <code>b7b5f436f81c6f855410e8b44a3d432ccaacd6fc</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,536,460<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone)|Northstar 7D11]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7268.20091008.32pNe/iPhone1,1_3.1.2_7D11_Restore.ipsw iPhone1,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>e4a1171542dbbd3093516d9c02047b9f7e143050</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,515,888<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone)|SUNorthstarTwo 7E18]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7481.20100202.4orot/iPhone1,1_3.1.3_7E18_Restore.ipsw iPhone1,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>eab23a7f8d2a17cb71046c50fc5f67ec390a3c2b</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 238,319,275<br />
|}<br />
<br />
===[[N82ap|iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{no}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| <code>af9506ca0034e462674f9f59c5406f159eaf9fc1</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| <code>e81c7ac7e334a3e9d81b3b47894bfaa1ec495482</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| <code>bef7fef954293046420fbcf947379839178a195b</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| <code>c6957dcbf2a95ccfd6dce374a727b1b7700a9043</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| <code>f67f8b2b842428bf89456cda0c2d5cf954d111a4</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|yellowsn0w]]}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| <code>e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c</code><br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| <code>94f1fb43de12bff0f168ce690b7e794cc6220ae3</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|ultrasn0w]]}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone 3G)|Kirkwood 7A400]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| <code>a148ff39fa4dea499e7a9dd007b63e90c4f56666</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|ultrasn0w]]}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| <code>9b3b3c148170b012012278efda9ff5c38282d559</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]]}}<br />
| 253,361,339<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3G)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7265.20091008.Xsd32/iPhone1,2_3.1.2_7D11_Restore.ipsw iPhone1,2_3.1.2_7D11_Restore.ipsw]<br />
| <code>b1a6ab2771bb5da372ba75a8fa3e1d72b71359d0</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]]}}<br />
| 253,340,786<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3G)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7468.20100202.pbnrt/iPhone1,2_3.1.3_7E18_Restore.ipsw iPhone1,2_3.1.3_7E18_Restore.ipsw]<br />
| <code>f5950afca546f93e281ba3cdb08bc0cfed7f0896</code><br />
|<br />
| {{yes}}<br />
| {{no}}<br />
| 239,139,281<br />
|}<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| <code>d8534408c8679c830fd0c4e36ef9762c11ef73df</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|ultrasn0w]]}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>30006575af931e3da0521febace005152cdb8853</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|ultrasn0w]]}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3GS)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| <code>527c74f87588afa1d69c1e2c08eedc88f113013a</code><br />
| Installed on phones produced week 37.<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]]}}<br />
| 321,011,474<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3GS)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7270.20091008.phn32/iPhone2,1_3.1.2_7D11_Restore.ipsw iPhone2,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>6998bb7d9e869b2d89a08853312f9457d070fb1f</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]]}}<br />
| 321,015,700<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3GS)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7472.20100202.8tugj/iPhone2,1_3.1.3_7E18_Restore.ipsw iPhone2,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>8cb3775e62c6f72059a962bf891b4e145b965052</code><br />
|<br />
| {{yes}}<br />
| {{no}}<br />
| 305,122,343<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| <code>9b0d83c7f8b4328174a3f31e0e93f60e591ae143</code><br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| <code>84bbc6ea8bf29745195bc9926c1874f7c2a36f32</code><br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>108d8ffe9ea75e61cd5e57170ad388b7fa00d923</code><br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6</code><br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>c148d1eb1c979bb6434175411d4a372103a4fdd2</code><br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| <code>1b818911316e4248ee01d3ec67f9d39afc3db240</code><br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| <code>ae82798e85f9953b0f4798bad36187cb020c9d22</code><br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| <code>a81b6e7af4b85ef436d047f9da57c0f694d8964a</code><br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| <code>c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2</code><br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| <code>fc7f6d0972927df502ffca47438ca75dcccffaf3</code><br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| <code>081a7de363230fb38d0ce092cbbe42f2a50c8a5f</code><br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| <code>fc69be9e421bc0630567184506ab771f6b7ef68b</code><br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| <code>dff2bd14931225908a360fb8e60a336f17d2dd6d</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| <code>c6270780c166db4c9f4f0a7fa945754a1f9fe7e8</code><br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|-<br />
| 3.1.2<br />
| Northstar 7D11<br />
| Download Link Prohibited<br />
| <code>7367dd9ba58a3b9777307368a0128e696fdfc9a6</code><br />
| <br />
| {{yes}} <br />
| 249,780,497<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| Download Link Prohibited<br />
| <code>5f897990f19d2f093b35e0813d7d77806404fb1f</code><br />
|<br />
| {{yes}}<br />
| 235,678,189<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| <code>c3c700be49ad227d1152188e7c1e46b8958fd1e4</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| <code>34a0a489605f34d6cc6c9954edcaaf9a050deedc</code><br />
|<br />
| {{yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| <code>9af5625ea34acdd8abeb6fce71a72651d0c815d5</code><br />
|<br />
| {{yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| <code>0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 2G)|Northstar 7C145]]<br />
| Download Link Prohibited<br />
| <code>e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7</code><br />
| <br />
| {{yes}}<br />
| 277,753,989<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 2G)|Northstar 7D11]]<br />
| Download Link Prohibited<br />
| <code>e7c83d4a5baec0e81816ae1cd1caf9a4dc38ebf0</code><br />
| <br />
| {{yes}} <br />
| 277,794,671<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 2G)|SUNorthstarTwo 7E18]]<br />
| Download Link Prohibited<br />
| <code>5f4f5c01eda2f811f73167e7d1f82dbeed82367b</code><br />
|<br />
| {{yes}}<br />
| 263,275,211<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C145]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| <code>a3eddbe2cf77858bae7087dc8b2035f0d3097e57</code><br />
| Initial shipment.<br />
| {{yes}}<br />
<br />
| 311,702,789<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C146]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7238.20090918.23GhT/iPod3,1_3.1.1_7C146_Restore.ipsw iPod3,1_3.1.1_7C146_Restore.ipsw]<br />
| <code>f66a7286b261137f25ddbbd84047f9a7ea181904</code><br />
| <br />
| {{yes}}<br />
| 311,690,768<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 3G)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7271.20091008.Tch23/iPod3,1_3.1.2_7D11_Restore.ipsw iPod3,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>02dcee28d788d594a2939ab564f4f183af6ccdf2</code><br />
| <br />
| {{yes}}<br />
| 311,740,034<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7473.20100202.4i44t/iPod3,1_3.1.3_7E18_Restore.ipsw iPod3,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>375fd469b18bfc0b74c7cfa5b4d5945197b1d106</code><br />
|<br />
| {{yes}}<br />
| 295,870,806<br />
|}<br />
<br />
===[[K48ap|iPad]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.2<br />
| [[Wildcat 7B367 (iPad)|Wildcat 7B367]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPad/061-7987.20100403.mjiTr/iPad1,1_3.2_7B367_Restore.ipsw iPad1,1_3.2_7B367_Restore.ipsw]<br />
| <code>172E8297AF74B91971A802E6AD137C891F553099</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 478,959,325<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&diff=5334
AT+XEMN Heap Overflow
2009-10-31T16:34:12Z
<p>Oranav: /* Credit */ looks better :)</p>
<hr />
<div>AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07<br />
<br />
== Credit ==<br />
* '''Vulnerability''': [[User:Oranav|Oranav]] (July) and ih8sn0w (September) (discovered independently)<br><br />
* '''Exploit''': [[User:geohot|geohot]]<br />
<br />
== Implementation ==<br />
This exploit is used in [[blacksn0w]].<br />
<br />
== Exception Dump == <br />
+XLOG: Exception Number: 1<br />
Trap Class: 0xDDDD (SW GENERATED TRAP)<br />
Identification: 140 (0x008C)<br />
Date: 22.10.2009<br />
Time: 00:30<br />
File: atform/text/_malloc.c<br />
Line: 1036<br />
Logdata:<br />
2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc<br />
20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20<br />
<br />
== Timeline ==<br />
=== July 2009 ===<br />
*[[User:Oranav|Oranav]] discovers this crash.<br />
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the crash is non-exploitable.<br />
<br />
=== September 2009 ===<br />
*iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]<br />
<br />
=== October 2009 ===<br />
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]<br />
*Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104]<br />
*MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]<br />
*[[User:Geohot|Geohot]] attempts to exploit this crash, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]<br />
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.<br />
*Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045]<br />
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]<br />
*Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&diff=5333
AT+XEMN Heap Overflow
2009-10-31T16:33:23Z
<p>Oranav: /* Credit */</p>
<hr />
<div>AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07<br />
<br />
== Credit ==<br />
'''Vulnerability''': [[User:Oranav|Oranav]] (July) and ih8sn0w (September) (discovered independently)<br />
<br />
'''Exploit''': [[User:geohot|geohot]]<br />
<br />
== Implementation ==<br />
This exploit is used in [[blacksn0w]].<br />
<br />
== Exception Dump == <br />
+XLOG: Exception Number: 1<br />
Trap Class: 0xDDDD (SW GENERATED TRAP)<br />
Identification: 140 (0x008C)<br />
Date: 22.10.2009<br />
Time: 00:30<br />
File: atform/text/_malloc.c<br />
Line: 1036<br />
Logdata:<br />
2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc<br />
20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20<br />
<br />
== Timeline ==<br />
=== July 2009 ===<br />
*[[User:Oranav|Oranav]] discovers this crash.<br />
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the crash is non-exploitable.<br />
<br />
=== September 2009 ===<br />
*iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]<br />
<br />
=== October 2009 ===<br />
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]<br />
*Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104]<br />
*MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]<br />
*[[User:Geohot|Geohot]] attempts to exploit this crash, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]<br />
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.<br />
*Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045]<br />
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]<br />
*Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&diff=5332
AT+XEMN Heap Overflow
2009-10-31T16:33:04Z
<p>Oranav: /* Credit */</p>
<hr />
<div>AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07<br />
<br />
== Credit ==<br />
'''Vulnerability''': [[User:Oranav]] (July) and ih8sn0w (September) (discovered independently)<br />
<br />
'''Exploit''': [[User:geohot]]<br />
<br />
== Implementation ==<br />
This exploit is used in [[blacksn0w]].<br />
<br />
== Exception Dump == <br />
+XLOG: Exception Number: 1<br />
Trap Class: 0xDDDD (SW GENERATED TRAP)<br />
Identification: 140 (0x008C)<br />
Date: 22.10.2009<br />
Time: 00:30<br />
File: atform/text/_malloc.c<br />
Line: 1036<br />
Logdata:<br />
2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc<br />
20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20<br />
<br />
== Timeline ==<br />
=== July 2009 ===<br />
*[[User:Oranav|Oranav]] discovers this crash.<br />
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the crash is non-exploitable.<br />
<br />
=== September 2009 ===<br />
*iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]<br />
<br />
=== October 2009 ===<br />
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]<br />
*Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104]<br />
*MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]<br />
*[[User:Geohot|Geohot]] attempts to exploit this crash, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]<br />
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.<br />
*Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045]<br />
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]<br />
*Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&diff=5328
AT+XEMN Heap Overflow
2009-10-31T14:52:24Z
<p>Oranav: </p>
<hr />
<div>AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07<br />
<br />
== Implementation ==<br />
This exploit is used in [[blacksn0w]].<br />
<br />
== Exception Dump == <br />
+XLOG: Exception Number: 1<br />
Trap Class: 0xDDDD (SW GENERATED TRAP)<br />
Identification: 140 (0x008C)<br />
Date: 22.10.2009<br />
Time: 00:30<br />
File: atform/text/_malloc.c<br />
Line: 1036<br />
Logdata:<br />
2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc<br />
20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20<br />
<br />
== Timeline ==<br />
=== July 2009 ===<br />
*[[User:Oranav|Oranav]] discovers this crash.<br />
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the crash is non-exploitable.<br />
<br />
=== September 2009 ===<br />
*iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]<br />
<br />
=== October 2009 ===<br />
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]<br />
*Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104]<br />
*MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]<br />
*[[User:Geohot|Geohot]] attempts to exploit this crash, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]<br />
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.<br />
*Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045]<br />
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]<br />
*Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&diff=5324
AT+XEMN Heap Overflow
2009-10-31T14:50:54Z
<p>Oranav: AT+XEMN moved to AT+XEMN Heap Overflow: This page is about the overflow hole, not the command.</p>
<hr />
<div>AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07<br />
<br />
== Exception Dump == <br />
+XLOG: Exception Number: 1<br />
Trap Class: 0xDDDD (SW GENERATED TRAP)<br />
Identification: 140 (0x008C)<br />
Date: 22.10.2009<br />
Time: 00:30<br />
File: atform/text/_malloc.c<br />
Line: 1036<br />
Logdata:<br />
2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc<br />
20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20<br />
<br />
== Timeline ==<br />
=== July 2009 ===<br />
*[[User:Oranav|Oranav]] discovers this crash.<br />
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the crash is non-exploitable.<br />
<br />
=== September 2009 ===<br />
*iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]<br />
<br />
=== October 2009 ===<br />
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]<br />
*Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104]<br />
*MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]<br />
*[[User:Geohot|Geohot]] attempts to exploit this crash, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]<br />
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.<br />
*Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045]<br />
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]<br />
*Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Talk:AT%2BXEMN_Heap_Overflow&diff=5326
Talk:AT+XEMN Heap Overflow
2009-10-31T14:50:54Z
<p>Oranav: Talk:AT+XEMN moved to Talk:AT+XEMN Heap Overflow: This page is about the overflow hole, not the command.</p>
<hr />
<div>Don't you think that public discussion of this vulnerability will allow Apple to fix it in the upcoming update and make all this discussions totaly useless? --[[User:Redart|Redart]] 16:34, 28 October 2009 (UTC)<br />
:Apple will fix it because iH8sn0w disclosed it, not because we are discussing it here. --[[User:Oranav|oranav]] 17:28, 28 October 2009 (UTC)<br />
:Besides, there is a big install base using the affected baseband. The faster this is converted into a soft unlock, the better. [[User:Haldo|Haldo]] 19:43, 28 October 2009 (UTC)</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN&diff=5325
AT+XEMN
2009-10-31T14:50:54Z
<p>Oranav: AT+XEMN moved to AT+XEMN Heap Overflow: This page is about the overflow hole, not the command.</p>
<hr />
<div>#REDIRECT [[AT+XEMN Heap Overflow]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Talk:AT%2BXEMN&diff=5327
Talk:AT+XEMN
2009-10-31T14:50:54Z
<p>Oranav: Talk:AT+XEMN moved to Talk:AT+XEMN Heap Overflow: This page is about the overflow hole, not the command.</p>
<hr />
<div>#REDIRECT [[Talk:AT+XEMN Heap Overflow]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&diff=5323
AT+XEMN Heap Overflow
2009-10-31T14:50:02Z
<p>Oranav: /* Timeline */</p>
<hr />
<div>AT+XEMN is a command on baseband 5.11.07 (pushed out with the 3.1 release), which when exploited correctly, causes a heap overflow allowing the crash to be moulded into an injection vector. This injection vector can then be used to inject an unlocking payload to provide a coveted Software SIM Unlock on the official 3.1(.2) firmware running 5.11.07<br />
<br />
== Exception Dump == <br />
+XLOG: Exception Number: 1<br />
Trap Class: 0xDDDD (SW GENERATED TRAP)<br />
Identification: 140 (0x008C)<br />
Date: 22.10.2009<br />
Time: 00:30<br />
File: atform/text/_malloc.c<br />
Line: 1036<br />
Logdata:<br />
2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63 ..v.@.1datc:1.dc<br />
20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20 D.. <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 <br />
20 20 20 20 20 20 20 20<br />
<br />
== Timeline ==<br />
=== July 2009 ===<br />
*[[User:Oranav|Oranav]] discovers this crash.<br />
*Shortly after discovered, The [[iPhone Dev Team]], confirms that the crash is non-exploitable.<br />
<br />
=== September 2009 ===<br />
*iH8sn0w discovered this command independently but kept it a secret for about a month. [http://twitter.com/iH8sn0w/status/4353547726 ]<br />
<br />
=== October 2009 ===<br />
*When the Dev-Team stated that iH8sn0w did not have a unlock, he posted the command on Twitter. [http://twitter.com/iH8sn0w/status/4954333558]<br />
*Shortly after, Oranav posted his Hash from July. [http://pastebin.ca/1485104]<br />
*MuscleNerd tells iHacker that the crash was received awhile ago and was non-exploitable. [http://twitter.com/MuscleNerd/status/4978871033][http://twitter.com/iHacker/status/4978821448]<br />
*[[User:Geohot|Geohot]] attempts to exploit this crash, but later finds out as well that it is non-exploitable. [http://twitter.com/geohot/status/4979506974]<br />
*The hunt for another exploit continues as New 3G/3G[S] users join or if 3G/3G[S] users upgrade to Official Apple Firmware.<br />
*Geohot does more investigation and discovers that this crash is indeed exploitable, and that it's a heap overflow. [http://twitter.com/geohot/status/5196861045]<br />
*Geohot has achieved arbitrary code execution and has begun working on unlock which will be called blacksn0w. [http://iphonejtag.blogspot.com/2009/10/heap-of-trouble.html]<br />
*Geohot posts a video of an unlocked 05.11.07 device. [http://www.youtube.com/watch?v=g23e9e9zOVI]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Talk:AT%2BXEMN_Heap_Overflow&diff=5301
Talk:AT+XEMN Heap Overflow
2009-10-28T17:28:17Z
<p>Oranav: </p>
<hr />
<div>Don't you think that public discussion of this vulnerability will allow Apple to fix it in the upcoming update and make all this discussions totaly useless? --[[User:Redart|Redart]] 16:34, 28 October 2009 (UTC)<br />
:Apple will fix it because iH8sn0w disclosed it, not because we are discussing it here. --[[User:Oranav|oranav]] 17:28, 28 October 2009 (UTC)</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=4853
Firmware
2009-09-16T12:18:24Z
<p>Oranav: /* iPhone 3G */ There's no point for an "unlock" column if we write "yes, stay at X"</p>
<hr />
<div>This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| 6e798e906c6590a7521ef89b731569be6d05b3aa<br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{no}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| fb8bb3ee2e9a997affbb97868599f2995c78209c<br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1<br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| b3dec7580bd00dc4faf28449d9618ef40aeacc96<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| 000811bac096011b50ebf6ec1ec2285b62fda4cb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| b84b57bea919bdc720287ec908c1378e7d7b5e1b<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| 353b7745767b85932e14e262e69463620939bdf7<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| cbfc6ff886ce89868a55547b9fb980dbf92e6418 <br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| 43b95ebe1e51f8d30eae916053396595c08440d3<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| 2afd3f8ede17390737f508473ed205506a0bd23f<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| 34c391fbbc7b31b159372766de39ce5c9cc26ebb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| 7b5f436f81c6f855410e8b44a3d432ccaacd6fc<br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,536,460<br />
|}<br />
<br />
===[[iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial iPhone 3G shipment.<br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| af9506ca0034e462674f9f59c5406f159eaf9fc1<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| bef7fef954293046420fbcf947379839178a195b<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| f67f8b2b842428bf89456cda0c2d5cf954d111a4<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| 94f1fb43de12bff0f168ce690b7e794cc6220ae3<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]])}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| a148ff39fa4dea499e7a9dd007b63e90c4f56666<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| 9b3b3c148170b012012278efda9ff5c38282d559<br />
| <br />
| {{yes}}<br />
| {{no|No (Though you can stay at 04.26.08)}}<br />
| 253,361,339<br />
|}<br />
<br />
===[[iPhone2,1|iPhone 3GS]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| d8534408c8679c830fd0c4e36ef9762c11ef73df<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]] or [[purplesn0w]])}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| 30006575af931e3da0521febace005152cdb8853<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| Northstar 7C144<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| 527c74f87588afa1d69c1e2c08eedc88f113013a<br />
| Installed on phones produced week 37.<br />
| style="background:yellow; color:black;" class="table-yes" | Probably, not yet released<br />
| {{no}}<br />
| 321,011,474<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143<br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32<br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923<br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6<br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| c148d1eb1c979bb6434175411d4a372103a4fdd2<br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| 1b818911316e4248ee01d3ec67f9d39afc3db240<br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| ae82798e85f9953b0f4798bad36187cb020c9d22<br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| a81b6e7af4b85ef436d047f9da57c0f694d8964a<br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2<br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| fc7f6d0972927df502ffca47438ca75dcccffaf3<br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f<br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| fc69be9e421bc0630567184506ab771f6b7ef68b<br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| dff2bd14931225908a360fb8e60a336f17d2dd6d<br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| c6270780c166db4c9f4f0a7fa945754a1f9fe7e8<br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| c3c700be49ad227d1152188e7c1e46b8958fd1e4<br />
| Initial shipment.<br />
| {{yes|Yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc<br />
|<br />
| {{yes|Yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| 9af5625ea34acdd8abeb6fce71a72651d0c815d5<br />
|<br />
| {{yes|Yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| 0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42<br />
| 3.0+ is a paid upgrade series<br />
| {{yes|Yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7<br />
| <br />
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)<br />
| 277,753,989<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| a3eddbe2cf77858bae7087dc8b2035f0d3097e57<br />
| Initial shipment.<br />
| style="background:yellow; color:black;" class="table-yes" | Probably tethered, not yet released<br />
| 311,702,789<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=4840
Firmware
2009-09-15T21:25:11Z
<p>Oranav: </p>
<hr />
<div>This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| 6e798e906c6590a7521ef89b731569be6d05b3aa<br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{no}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| fb8bb3ee2e9a997affbb97868599f2995c78209c<br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1<br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| b3dec7580bd00dc4faf28449d9618ef40aeacc96<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| 000811bac096011b50ebf6ec1ec2285b62fda4cb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| b84b57bea919bdc720287ec908c1378e7d7b5e1b<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| 353b7745767b85932e14e262e69463620939bdf7<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| cbfc6ff886ce89868a55547b9fb980dbf92e6418 <br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| 43b95ebe1e51f8d30eae916053396595c08440d3<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| 2afd3f8ede17390737f508473ed205506a0bd23f<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| 34c391fbbc7b31b159372766de39ce5c9cc26ebb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| 7b5f436f81c6f855410e8b44a3d432ccaacd6fc<br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,536,460<br />
|}<br />
<br />
===[[iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial iPhone 3G shipment.<br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| af9506ca0034e462674f9f59c5406f159eaf9fc1<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| bef7fef954293046420fbcf947379839178a195b<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| f67f8b2b842428bf89456cda0c2d5cf954d111a4<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| 94f1fb43de12bff0f168ce690b7e794cc6220ae3<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]])}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| a148ff39fa4dea499e7a9dd007b63e90c4f56666<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| 9b3b3c148170b012012278efda9ff5c38282d559<br />
| <br />
| {{yes}}<br />
| {{no}}<br />
| 253,361,339<br />
|}<br />
<br />
===[[iPhone2,1|iPhone 3GS]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| d8534408c8679c830fd0c4e36ef9762c11ef73df<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]] or [[purplesn0w]])}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| 30006575af931e3da0521febace005152cdb8853<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| Northstar 7C144<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| 527c74f87588afa1d69c1e2c08eedc88f113013a<br />
| <br />
| style="background:yellow; color:black;" class="table-yes" | Probably, not yet released<br />
| {{no}}<br />
| 321,011,474<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143<br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32<br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923<br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6<br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| c148d1eb1c979bb6434175411d4a372103a4fdd2<br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| 1b818911316e4248ee01d3ec67f9d39afc3db240<br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| ae82798e85f9953b0f4798bad36187cb020c9d22<br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| a81b6e7af4b85ef436d047f9da57c0f694d8964a<br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2<br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| fc7f6d0972927df502ffca47438ca75dcccffaf3<br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f<br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| fc69be9e421bc0630567184506ab771f6b7ef68b<br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| dff2bd14931225908a360fb8e60a336f17d2dd6d<br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| c6270780c166db4c9f4f0a7fa945754a1f9fe7e8<br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| c3c700be49ad227d1152188e7c1e46b8958fd1e4<br />
| Initial shipment.<br />
| {{yes|Yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc<br />
|<br />
| {{yes|Yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| 9af5625ea34acdd8abeb6fce71a72651d0c815d5<br />
|<br />
| {{yes|Yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| 0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42<br />
| 3.0+ is a paid upgrade series<br />
| {{yes|Yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7<br />
| <br />
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)<br />
| 277,753,989<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| a3eddbe2cf77858bae7087dc8b2035f0d3097e57<br />
| Initial shipment.<br />
| style="background:yellow; color:black;" class="table-yes" | Probably tethered, not yet released<br />
| 311,702,789<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=4820
Firmware
2009-09-13T20:59:10Z
<p>Oranav: greenpois0n changes everything</p>
<hr />
<div>This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| 6e798e906c6590a7521ef89b731569be6d05b3aa<br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{no}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| fb8bb3ee2e9a997affbb97868599f2995c78209c<br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1<br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| b3dec7580bd00dc4faf28449d9618ef40aeacc96<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| 000811bac096011b50ebf6ec1ec2285b62fda4cb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| b84b57bea919bdc720287ec908c1378e7d7b5e1b<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| 353b7745767b85932e14e262e69463620939bdf7<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| cbfc6ff886ce89868a55547b9fb980dbf92e6418 <br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| 43b95ebe1e51f8d30eae916053396595c08440d3<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| 2afd3f8ede17390737f508473ed205506a0bd23f<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| 34c391fbbc7b31b159372766de39ce5c9cc26ebb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| 7b5f436f81c6f855410e8b44a3d432ccaacd6fc<br />
|<br />
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)<br />
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)<br />
| 252,536,460<br />
|}<br />
<br />
===[[iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial iPhone 3G shipment.<br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| af9506ca0034e462674f9f59c5406f159eaf9fc1<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| bef7fef954293046420fbcf947379839178a195b<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| f67f8b2b842428bf89456cda0c2d5cf954d111a4<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| 94f1fb43de12bff0f168ce690b7e794cc6220ae3<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]])}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| a148ff39fa4dea499e7a9dd007b63e90c4f56666<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| 9b3b3c148170b012012278efda9ff5c38282d559<br />
| <br />
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)<br />
| {{no}}<br />
| 253,361,339<br />
|}<br />
<br />
===[[iPhone2,1|iPhone 3GS]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| d8534408c8679c830fd0c4e36ef9762c11ef73df<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]] or [[purplesn0w]])}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| 30006575af931e3da0521febace005152cdb8853<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| Northstar 7C144<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| 527c74f87588afa1d69c1e2c08eedc88f113013a<br />
| <br />
| style="background:yellow; color:black;" class="table-yes" | Probably, not yet released<br />
| {{no}}<br />
| 321,011,474<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143<br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32<br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923<br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6<br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| c148d1eb1c979bb6434175411d4a372103a4fdd2<br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| 1b818911316e4248ee01d3ec67f9d39afc3db240<br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| ae82798e85f9953b0f4798bad36187cb020c9d22<br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| a81b6e7af4b85ef436d047f9da57c0f694d8964a<br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2<br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| fc7f6d0972927df502ffca47438ca75dcccffaf3<br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f<br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| fc69be9e421bc0630567184506ab771f6b7ef68b<br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| dff2bd14931225908a360fb8e60a336f17d2dd6d<br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| c6270780c166db4c9f4f0a7fa945754a1f9fe7e8<br />
| <br />
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)<br />
| 249,755,862<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| c3c700be49ad227d1152188e7c1e46b8958fd1e4<br />
| Initial shipment.<br />
| {{yes|Yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc<br />
|<br />
| {{yes|Yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| 9af5625ea34acdd8abeb6fce71a72651d0c815d5<br />
|<br />
| {{yes|Yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| 0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42<br />
| 3.0+ is a paid upgrade series<br />
| {{yes|Yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7<br />
| <br />
| style="background:yellow; color:black;" class="table-yes" | Yes (but not yet released)<br />
| 277,753,989<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| a3eddbe2cf77858bae7087dc8b2035f0d3097e57<br />
| Initial shipment.<br />
| style="background:yellow; color:black;" class="table-yes" | Probably tethered, not yet released<br />
| 311,702,789<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Talk:AT%2BFNS&diff=4676
Talk:AT+FNS
2009-08-28T05:13:34Z
<p>Oranav: </p>
<hr />
<div>If the leaked-exploit was still in 3.1b3, why hasn't the jailbreak community assembled with pitchforks around Nitrokey? [[User:Iemit737|Iemit737]] 23:19, 27 August 2009 (UTC)<br />
<br />
Because we aren't 4chan --[[User:Geohot|geohot]] 23:41, 27 August 2009 (UTC)<br />
<br />
First off it was leaked awhile ago but not many people knew about it, second off, I am pretty sure it was closed earlier anyway. [[User:ChronicDev|ChronicDev]] 23:42, 27 August 2009 (UTC)<br />
<br />
It was already closed in 3.1b1, thanks to NitroKey (but it was available in 3.0). Interestingly, NitroKey posted their hashes the next day after I found it. Anyway, it doesn't really matter as Apple would have removed it anyway (AT+FNS isn't used by the iPhone itself). --[[User:Oranav|oranav]] 05:13, 28 August 2009 (UTC)</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Redsn0w&diff=4570
Redsn0w
2009-08-07T15:11:32Z
<p>Oranav: /* Exploit */</p>
<hr />
<div>The redsn0w program (at version 0.1) was originally a [[QuickPwn]]-like implementation of the [[0x24000 Segment Overflow]] for the [[N72ap|iPod Touch 2G]]. However, due to the theft and exploitation of the name (as QuickPWN) by quickpwn.com, as of firmware 3.0, QuickPwn was discontinued and redsn0w (at the time, version 0.7) was converted into a jailbreaking tool for all current devices as well as providing unlock support the iPhone 2G. As of version 0.8, the [[N88ap|iPhone 3GS]] can also be jailbroken through redsn0w. It is currently closed-sourced but the executable is being worked into several third-party GUIs as the underlying engine can also be used as a commandline tool.<br />
<br />
== Credit ==<br />
[[iPhone Dev Team]]<br />
<br />
== Exploit ==<br />
For [[iPod Touch]], [[iPhone]] and [[iPhone 3G]], see:<br />
*[[Pwnage]]<br />
*[[Pwnage_2.0|Pwnage 2.0]]<br />
<br />
For [[N72ap|iPod Touch 2G]], see:<br />
*[[0x24000 Segment Overflow]] - Credit the work on this exploit goes to planetbeing, MuscleNerd, and Chronic Dev.<br />
*[[ARM7_Go]] - used to upload the oversized LLB required to take advantage of [[24kPwn]].<br />
<br />
For [[iPhone 3GS]], see:<br />
*[[0x24000 Segment Overflow]]<br />
*[[iBoot Environment Variable Overflow]] - Exploited independently, different implementation than the version that [[User:geohot|geohot]] released, [[purplera1n]].<br />
<br />
== Download ==<br />
* http://redsn0w.com/</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=4528
Firmware
2009-08-01T09:15:21Z
<p>Oranav: </p>
<hr />
<div>This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| 6e798e906c6590a7521ef89b731569be6d05b3aa<br />
| Prototype seen on [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| ?<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| fb8bb3ee2e9a997affbb97868599f2995c78209c<br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48a<br />
| 04.02.13_G<br />
| No download available<br />
|<br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| <br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1<br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| b3dec7580bd00dc4faf28449d9618ef40aeacc96<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| 000811bac096011b50ebf6ec1ec2285b62fda4cb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| b84b57bea919bdc720287ec908c1378e7d7b5e1b<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| 353b7745767b85932e14e262e69463620939bdf7<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| cbfc6ff886ce89868a55547b9fb980dbf92e6418 <br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| 43b95ebe1e51f8d30eae916053396595c08440d3<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| 2afd3f8ede17390737f508473ed205506a0bd23f<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| 7A400<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| 34c391fbbc7b31b159372766de39ce5c9cc26ebb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|}<br />
<br />
===[[iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial iPhone 3G shipment.<br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| af9506ca0034e462674f9f59c5406f159eaf9fc1<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| bef7fef954293046420fbcf947379839178a195b<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| f67f8b2b842428bf89456cda0c2d5cf954d111a4<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| 94f1fb43de12bff0f168ce690b7e794cc6220ae3<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]])}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| a148ff39fa4dea499e7a9dd007b63e90c4f56666<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 241,274,617<br />
|}<br />
<br />
===[[iPhone2,1|iPhone 3GS]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| d8534408c8679c830fd0c4e36ef9762c11ef73df<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]] or [[purplesn0w]])}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| 30006575af931e3da0521febace005152cdb8853<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 312,330,244<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143<br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32<br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923<br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6<br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| c148d1eb1c979bb6434175411d4a372103a4fdd2<br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| 1b818911316e4248ee01d3ec67f9d39afc3db240<br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| ae82798e85f9953b0f4798bad36187cb020c9d22<br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| a81b6e7af4b85ef436d047f9da57c0f694d8964a<br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2<br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| fc7f6d0972927df502ffca47438ca75dcccffaf3<br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f<br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| fc69be9e421bc0630567184506ab771f6b7ef68b<br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| dff2bd14931225908a360fb8e60a336f17d2dd6d<br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl - 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| c3c700be49ad227d1152188e7c1e46b8958fd1e4<br />
|<br />
| {{yes|Yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline - 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc<br />
|<br />
| {{yes|Yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline - 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| 9af5625ea34acdd8abeb6fce71a72651d0c815d5<br />
|<br />
| {{yes|Yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| 0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42<br />
| 3.0+ is a paid upgrade series<br />
| {{yes|Yes}}<br />
| 270,315,364<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Bluetooth&diff=4448
Bluetooth
2009-07-26T08:50:50Z
<p>Oranav: </p>
<hr />
<div>Bluetooth is a short-range, wireless technology, popular for its Personal Area Networking capability. Bluetooth hardware is provided on all iPhone platforms and the second generation iPod Touch platform. Apple has severely restricted the functions of Bluetooth to the end-user, for seemingly no reason, as the hardware supplied is capable of most if not all current bluetooth 2.0/2.1 functions.<br />
<br />
With iPhoneOS 3.0, support for 3G internet bridging (PAN) or 'tethering' and A2DP over Bluetooth has been added, however the file sharing OBEX protocol is notably still missing.<br />
<br />
== Access ==<br />
<br />
Developers have been able to successfully access and interface the Bluetooth hardware to achieve an OBEX solution, however this is still quite underground. The device nodes of relevance here, are <br />
* /dev/uart.bluetooth<br />
* /dev/cu.bluetooth<br />
* /dev/tty.bluetooth<br />
<br />
== iPhone/iPods Bluetooth Hardware Summary==<br />
<br />
* iPhone (iPhone1,1) (m68ap) - Bluetooth (r) 2.0 + EDR<br />
* iPhone 3G (iPhone1,2) (n82ap) - Bluetooth (r) 2.0 + EDR - chip specific link [[Bluetooth iPhone2,1]]<br />
* iPhone 3GS (iPhone2,1) (n88ap) - Bluetooth (r) 2.1 + EDR - chip specific link [[BCM4325]]<br />
<br />
* iPod Touch (iPod1,1) (n45ap) - No Bluetooth Hardware<br />
* iPod Touch 2G (iPod2,1) (n72ap) - Bluetooth (r) 2.1 + EDR<br />
* Unreleased iPod Touch 3G (iPod3,1) - Bluetooth (r) 2.1 + EDR forcasted - chip specific link [[BCM4329]]<br />
<br />
== Unreleased iPod3,1 ==<br />
<br />
As of iPhoneOS 3.0 an iPod3,1 is mentioned, with a [[BCM4329]] WiFi/Bluetooth/FM wireless solution chip... this is strong evidence for a new iPod model in the near future.<br />
<br />
This chip can transmit FM as well as receive. It also has low-power 802.11A and 802.11N in addition to 802.11B/G.</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=N18AP&diff=4447
N18AP
2009-07-26T08:49:04Z
<p>Oranav: </p>
<hr />
<div>This is the 3rd Generation [[iPod Touch]]. <br />
<br />
<br />
'''Model''' (Codename) : Olympic [http://pastie.org/559242]<br />
<br />
'''Application Processor (OS Chip)''': unknown<br />
<br />
===Wifi Chip===<br />
[[BCM4329]] Wifi A/B/G/N, Bluetooth, FM Transmit/Receive</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=BCM4329&diff=4446
BCM4329
2009-07-26T08:48:44Z
<p>Oranav: /* External links */</p>
<hr />
<div>This is the radio chip that will be used in the [[iPod touch 3G]].<br />
<br />
== Features ==<br />
* WiFi 802.11a/b/g/n<br />
* FM receiver and transmitter (76MHz - 108MHz) with RDS support<br />
* Bluetooth 2.1 + EDR<br />
* Support for 2 simultaneous A2DP profiles<br />
<br />
== External links ==<br />
* [http://www.broadcom.com/products/Bluetooth/Bluetooth-RF-Silicon-and-Software-Solutions/BCM4329 Official page]<br />
* [http://www.broadcom.com/collateral/pb/4329-PB00-R.pdf Product brief]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=BCM4329&diff=4445
BCM4329
2009-07-26T08:48:23Z
<p>Oranav: New page: This is the radio chip that will be used in the iPod touch 3G. == Features == * WiFi 802.11a/b/g/n * FM receiver and transmitter (76MHz - 108MHz) with RDS support * Bluetooth 2.1 + ED...</p>
<hr />
<div>This is the radio chip that will be used in the [[iPod touch 3G]].<br />
<br />
== Features ==<br />
* WiFi 802.11a/b/g/n<br />
* FM receiver and transmitter (76MHz - 108MHz) with RDS support<br />
* Bluetooth 2.1 + EDR<br />
* Support for 2 simultaneous A2DP profiles<br />
<br />
== External links ==<br />
* [http://www.broadcom.com/products/Bluetooth/Bluetooth-RF-Silicon-and-Software-Solutions/BCM4329#tab=productinfo-tab Official page]<br />
* [http://www.broadcom.com/collateral/pb/4329-PB00-R.pdf Product brief]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=NitroKey&diff=4437
NitroKey
2009-07-24T16:28:59Z
<p>Oranav: </p>
<hr />
<div>NitroKey was a product released in late February of 2009, by the company "NitroKey," in order to aid those with a tethered jailbroken iPod touch 2G to boot their iPods. It consisted of a small dongle that looked EXACTLY like the end of an iPod cable, with no cord on it. The product was being sold for an outrageous price of $55.00 to those unfortunate enough to have made the decision to purchase one, as it went obsolete not two weeks after its release.<br />
<br />
They also released a supposedly "leaked" version of the 24kpwn untethered iPod Touch 2G jailbreak, giving Apple enough time to fix the 3rd generation iPod Touch so that it CANNOT be directly jailbroken from its release. In addition, Apple had the time to add the [[ECID]] tag to the [[IMG3 File Format|IMG3 format]].<br />
<br />
NitroKey has also leaked a baseband hole which was meant to be kept in secret - [[AT+FNS]]. [http://nitrokey.com/Hash.html] The hash was posted by NitroKey one day after the exploit was found, making things very suspicious.</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=0x24000_Segment_Overflow&diff=4436
0x24000 Segment Overflow
2009-07-24T16:25:16Z
<p>Oranav: /* Timing Impact */</p>
<hr />
<div>Also known by its codename, "24kpwn", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].<br />
<br />
==Note==<br />
It is unclear how, but the company known as "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod touch 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to waste their good money on it.<br />
<br />
==Credit==<br />
A "hybrid" dev team, in alphabetical order: '''chronic''', '''CPICH''', '''ius''', '''MuscleNerd''', '''planetbeing''', '''pod2g''', '''posixninja''', et al. (anyone wishing to be unnamed)<br />
<br />
==Background==<br />
<br />
Upon boot-up, the [[S5L8720]] and [[S5L8920]] SoC have a MIU configuration which maps the [[VROM (S5L8720)|Secure ROM]] to 0x0, providing the newly turned on device with an ARM exception vector and the first code to execute. This MIU configuration also maps a small amount of SRAM to 0x22000000 for the [[S5L8720]], and 0x84000000 for the [[S5L8920]]. Statically allocated variables, heap, and stack must use the SRAM, as "[[VROM (S5L8720)|Secure ROM]]" is unwritable. A region of memory starting from (SRAM Start)+24000 is used for this purpose. The region of memory from the start of SRAM to (SRAM Start)+0x24000 is used as a buffer for loading the [[LLB|next stage bootloader]] code. The [[LLB]] code is stored in [[NOR]], along with code for all other bootloader stages, as well as art resources (boot logos) and the [[DeviceTree|OpenFirmware device tree]] to provide to the XNU [[kernel]]. The first portion (first 0x160 bytes) of memory at (SRAM Start)+0x24000 is used for initialized statically allocated variables. Shortly after boot, values for that region are initialized from [[VROM (S5L8720)|Secure ROM]].<br />
<br />
==Vulnerability==<br />
<br />
The code that reads the [[LLB]] img3 from [[NOR]] into memory does not check the size of the [[LLB]] image being loaded, instead taking the size directly from the non-signature checked portion of its img3 header on the [[NOR]] (see ROM offset 0x2178). Any image greater than 0x24000 bytes in length will begin overwriting the portion of memory used to store Secure ROM statically allocated variables. Immediately vulnerable data includes USB data structures for [[DFU]] mode, a pointer to the bdev list structure, task list structures for the Secure ROM's scheduler, as well as the addresses of the hardware SHA1 registers. All of the above are potential avenues for exploitation. The method described below uses the SHA1 register addresses.<br />
<br />
This vulnerability was discovered independently by '''pod2g''' and '''MuscleNerd'''.<br />
<br />
== Exploit==<br />
<br />
The goal of the exploit is to gain arbitrary code execution capability.<br />
<br />
The exploit, as proposed by '''planetbeing''', uses the overflow to overwrite one of the addresses of the SHA1 registers. The particular register is the only one that directly copies data to be hashed into the hardware (or into an arbitrary memory location, once the destination address has been overwritten). Code execution is achieved by writing data into the stack, specifically by overwriting the LR of the function performing the write to the "SHA1 register" so that instead of returning to the main SHA1 routine, it returns to a chosen location in memory that contains the payload code. The location chosen is within the range of memory that is filled with the [[LLB]] img3, so that the payload code can be placed within the [[LLB]] img3.<br />
<br />
The challenge is determining what to put in as the SHA1 register location so that the right portion of stack can be overwritten with the payload LR. This can be challenging without having access to any sort of exception dump (crash register dumps in the bootrom had been disabled by Apple). '''planetbeing''' performed a static analysis of a very detailed IDB produced by '''chronic''' and '''CPICH''' and determined the theoretical call stack for both of the invocations of the SHA1 hardware within the bootrom code [http://pastie.org/414981].<br />
<br />
In-situ verification of the LR location was performed by '''posixninja'''. '''CPICH''' discovered a way to alter the img3 DER so that the second invocation of the SHA1 hardware was not performed without affecting the first, allowing better confirmation that this step was performed properly.<br />
<br />
The final SHA1 register address was chosen so that the first dword of the DATA tag of the [[LLB]] img3 would replace sub_5E54's LR. This is because this is the first dword of the img3 that can be altered without substantially changing the img3's structure (and possibly disrupting earlier parsing code). The LR replacement must be done the first time the exploit is triggered (by the invocation of sub_5E54), or else the bootrom would crash. Since sub_5E54 takes 0x40 bytes of data at a time, the replacement LR thus must be within the first 0x40 bytes of data to be hashed. Data to be hashed starts at 0xC bytes from the start of the img3, and the first dword of the DATA tag is 0x20 bytes from the start of the img3. Thus, the SHA1 register address chosen should be 0x20 - 0xC = 0x14 bytes before sub_5E54's LR. So, it must be 0x2202FE24. Note that the exploit will also trash up to 0x2202FE24 + 0x40 = 0x2202FE64. So a sizeable portion of doComputeSHA1's stack will be trashed as well.<br />
<br />
The final exploit img3 was verified by '''posixninja''' under '''planetbeing''''s instructions to allow arbitrary code execution. It was a regular Img3 with padding up to 0x24000 bytes. The next 0x100 bytes were taken from the original initialization values for 0x22024000. However, 0x240FC, the offset of the SHA1 register address, was altered to 0x2202FE24. The first dword of the DATA tag (offset 0x20) was altered to 0x22023000. Payload code was placed at offset 0x23000.<br />
<br />
==Payload==<br />
<br />
The goal of the payload is to allow an unsigned [[LLB]] to be loaded.<br />
<br />
There are several ways that can be used, including directly calling the JumpToMemory function which is designed to prepare the SoC and invoke the [[LLB]] code. However, it's designed to be used on decrypted, unpacked code, and the [[LLB]] code currently resides in an encrypted from within the img3's DATA tag. The simplest solution is thus to use the bootrom's own machinery to decrypt and execute the code.<br />
<br />
The final payload evolved out of a discussion between '''pod2g''' and '''planetbeing''', based on an IDB documented by '''pod2g''', '''chronic''', '''CPICH''', et al. The lowest impact solution is to apply the pwnage patch to the rsaCheck subroutine of the bootrom, and returning from the payload from computing the SHA1 without crashing the bootrom. However, in this case, since bootrom text is unwritable, this was not a viable solution.<br />
<br />
The next lowest impact solution is to return from the entire parseFirmwareFooter function with a successful value, instead of the failure value it would normally return if signature checks fail. This would skip any remaining code in that subroutine. This solution did not work in-situ. Failures checking the epoch tags prevented the firmware from being executed. The cause of this was not investigated.<br />
<br />
The final payload was to return past the verification of epoch and other tags in the [[LLB]] img3 to a spot right before the DATA tag was loaded from memory and decrypted. R5 was set to 0 to ensure decryption would not be skipped. The original value for the first DATA dword (before we had to overwrite it with the exploit LR) is written back to 0x22000020 by the payload, and the original SHA1 register value was written back to 0x2202FE24 to ensure the payload only activates once.<br />
<br />
==Deployment==<br />
<br />
Although the exploitive [[LLB]] can be manually written to [[NOR]] by bootstrapping from a tethered jailbreak, the easiest way is to use the Apple restore process itself. Apple's Restore process will write arbitrary img3s onto the [[NOR]], even if they fail signature checks. However, the "total size" value of the img3 is fixed up by the kernel before it is written to [[NOR]]. This would negate the exploit. However, '''MuscleNerd''' discovered that this could be bypassed by including the padding in another tag, such as CERT. Then, the written exploit [[LLB]] would have the "correct", exploitive total size.<br />
<br />
==Timing Impact==<br />
This exploit would have allowed the [[pwnage]] of the next generation iPhone without the discovery of an additional code execution vulnerability (required to write the exploit [[LLB]]), provided that the bug still existed in the next generation's bootrom. Even if it is too late to patch the bootrom now, it is not too late for Apple to repair the restore process in the stock IPSW so that we have no way to get the exploitive [[LLB]] onto the device. Before, Apple would have no reason to fix this, since writing arbitrary data to [[NOR]] does not negate their chain of trust. However, now that a way has been found, they now can prioritize a fix for this oversight.<br />
<br />
Thanks to irresponsible handling of the exploit by a third-party company known as [[NitroKey]], this eventuality is a near-certainty and pretty much erased the possibility of a day-of-release jailbreak for the third-generation iPod Touch. In addition, Apple has added the [[ECID]] to the [[IMG3 File Format|IMG3 format]] in the iPhone 3GS, because they knew that in order to utilize 24kpwn an iBoot exploit is needed. May NitroKey burn in hell for all eternity.<br />
<br />
==3GS Implementation==<br />
<br />
The exploit remains the same in spirit.<br />
<br />
The call tree and stacks analysis is very similar although a few bytes here and there changed it slightly. It was again done manually but afterward, and out of fun, an IDA Python Script was written to automate the process. The new static analysis can be seen here [http://pastie.org/551212], and the IDA Python Script for it there [http://github.com/iZsh/IDA-Python-Scripts/].<br />
<br />
The main differences are:<br />
<br />
* the SRAM is at 0x84000000 instead of 0x22000000<br />
* the Original value of the first DATA dword is written back to 0x84000040 (which was overwritten by the LR address)<br />
* the SHA1 register original value is written back to 0x840241CC<br />
* '''The decrypt flag is not held in R5 anymore''', but in a local variable of the function "my_process_module" (sub_2564). An extra static analysis tells us this variable is held at 0x84033F30, thus that's where you have to store your 0x0 value before returning to this function.<br />
<br />
[[Category:Exploits]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=4404
Ultrasn0w
2009-07-22T16:06:30Z
<p>Oranav: </p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[iPhone 3G]] and [[iPhone 3GS]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
MuscleNerd, and [[The dev team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Current Injection Vector==<br />
ultrasn0w refers to the reuseable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00 and the decision was made to release yellowsn0w with this injection vector to benefit the most people. This injection vector is discussed [[AT+stkprof Exploit|here]]. ultrasn0w uses a different injection vector - [[AT+XLOG Vulnerability]].<br />
<br />
==ultrasn0w payload with comments (by Oranav)==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ===<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://yellowsn0w.com yellowsn0w Official Website]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=4402
Firmware
2009-07-22T15:55:40Z
<p>Oranav: /* iPhone 3GS */</p>
<hr />
<div>This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[PurpleSkank 1A420|"PurpleSkank" 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| 6e798e906c6590a7521ef89b731569be6d05b3aa<br />
| Prototype seen on [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| ?<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| fb8bb3ee2e9a997affbb97868599f2995c78209c<br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48a<br />
| 04.02.13_G<br />
| No download available<br />
|<br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| <br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1<br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| b3dec7580bd00dc4faf28449d9618ef40aeacc96<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| 000811bac096011b50ebf6ec1ec2285b62fda4cb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| b84b57bea919bdc720287ec908c1378e7d7b5e1b<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| 353b7745767b85932e14e262e69463620939bdf7<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| cbfc6ff886ce89868a55547b9fb980dbf92e6418 <br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| 43b95ebe1e51f8d30eae916053396595c08440d3<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| 2afd3f8ede17390737f508473ed205506a0bd23f<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|}<br />
<br />
===[[iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial iPhone 3G shipment.<br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| af9506ca0034e462674f9f59c5406f159eaf9fc1<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| bef7fef954293046420fbcf947379839178a195b<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| f67f8b2b842428bf89456cda0c2d5cf954d111a4<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| 94f1fb43de12bff0f168ce690b7e794cc6220ae3<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]])}}<br />
| 241,229,233<br />
|}<br />
<br />
===[[iPhone2,1|iPhone 3GS]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| d8534408c8679c830fd0c4e36ef9762c11ef73df<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]] or [[purplesn0w]])}}<br />
| 312,292,933<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143<br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32<br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923<br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6<br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| c148d1eb1c979bb6434175411d4a372103a4fdd2<br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| 1b818911316e4248ee01d3ec67f9d39afc3db240<br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| ae82798e85f9953b0f4798bad36187cb020c9d22<br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| a81b6e7af4b85ef436d047f9da57c0f694d8964a<br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2<br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| fc7f6d0972927df502ffca47438ca75dcccffaf3<br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f<br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| fc69be9e421bc0630567184506ab771f6b7ef68b<br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| dff2bd14931225908a360fb8e60a336f17d2dd6d<br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl - 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| c3c700be49ad227d1152188e7c1e46b8958fd1e4<br />
|<br />
| {{yes|Yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline - 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc<br />
|<br />
| {{yes|Yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline - 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| 9af5625ea34acdd8abeb6fce71a72651d0c815d5<br />
|<br />
| {{yes|Yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| 0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42<br />
| 3.0+ is a paid upgrade series<br />
| {{yes|Yes}}<br />
| 270,315,364<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=4401
Firmware
2009-07-22T15:55:26Z
<p>Oranav: /* iPod touch (1st generation) */</p>
<hr />
<div>This is the iPhone OS system the iPhone runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[PurpleSkank 1A420|"PurpleSkank" 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| 6e798e906c6590a7521ef89b731569be6d05b3aa<br />
| Prototype seen on [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| ?<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| fb8bb3ee2e9a997affbb97868599f2995c78209c<br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| a00b85a7a55d62a94be5fbf5effbc42fd63f3097<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| 7f5c0ff1f84a0202b75a55c3fcb362e415334d1e<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48a<br />
| 04.02.13_G<br />
| No download available<br />
|<br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| <br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 797c02e7d660940e8d9a16cc7229ccf3f67dd8b1<br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| b3dec7580bd00dc4faf28449d9618ef40aeacc96<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| 000811bac096011b50ebf6ec1ec2285b62fda4cb<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| 9c510a3cfce789fa5f92a8f763c231bac82ff6d4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| 61de6a2bd6ceddc9ecabad1671b91a59b3824bc4<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| b84b57bea919bdc720287ec908c1378e7d7b5e1b<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| 353b7745767b85932e14e262e69463620939bdf7<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| cbfc6ff886ce89868a55547b9fb980dbf92e6418 <br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| 43b95ebe1e51f8d30eae916053396595c08440d3<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| 2afd3f8ede17390737f508473ed205506a0bd23f<br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|}<br />
<br />
===[[iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial iPhone 3G shipment.<br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| af9506ca0034e462674f9f59c5406f159eaf9fc1<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| e81c7ac7e334a3e9d81b3b47894bfaa1ec495482<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| bef7fef954293046420fbcf947379839178a195b<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| c6957dcbf2a95ccfd6dce374a727b1b7700a9043<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| f67f8b2b842428bf89456cda0c2d5cf954d111a4<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (Upgrade to 04.26.08)}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| 94f1fb43de12bff0f168ce690b7e794cc6220ae3<br />
| <br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]])}}<br />
| 241,229,233<br />
|}<br />
<br />
===[[iPhone2,1|iPhone 3GS]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="100"| Build<br />
!width="65"| [[Baseband]]<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="80"| Can be [[jailbreak|jailbroken]]?<br />
!width="125"| Can be [[unlock|unlocked]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| d8534408c8679c830fd0c4e36ef9762c11ef73df<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|Yes (with [[ultrasn0w]])}}<br />
| 312,292,933<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1.0<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| 9b0d83c7f8b4328174a3f31e0e93f60e591ae143<br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| 84bbc6ea8bf29745195bc9926c1874f7c2a36f32<br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| 108d8ffe9ea75e61cd5e57170ad388b7fa00d923<br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| 8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6<br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| c148d1eb1c979bb6434175411d4a372103a4fdd2<br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| 1b818911316e4248ee01d3ec67f9d39afc3db240<br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| ae82798e85f9953b0f4798bad36187cb020c9d22<br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| a81b6e7af4b85ef436d047f9da57c0f694d8964a<br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2<br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| fc7f6d0972927df502ffca47438ca75dcccffaf3<br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| 081a7de363230fb38d0ce092cbbe42f2a50c8a5f<br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| fc69be9e421bc0630567184506ab771f6b7ef68b<br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| dff2bd14931225908a360fb8e60a336f17d2dd6d<br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="50"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="235"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="208"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl - 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| c3c700be49ad227d1152188e7c1e46b8958fd1e4<br />
|<br />
| {{yes|Yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline - 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| 34a0a489605f34d6cc6c9954edcaaf9a050deedc<br />
|<br />
| {{yes|Yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline - 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| 9af5625ea34acdd8abeb6fce71a72651d0c815d5<br />
|<br />
| {{yes|Yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| 0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42<br />
| 3.0+ is a paid upgrade series<br />
| {{yes|Yes}}<br />
| 270,315,364<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Talk:Alpine_1A420&diff=4384
Talk:Alpine 1A420
2009-07-21T13:10:36Z
<p>Oranav: /* Disassembler frameworks? */</p>
<hr />
<div>== Disassembler frameworks? ==<br />
<br />
Has anyone noticed the ARMDisassembler, NDISASM and PPCDisasm PrivateFrameworks? --[[User:Oranav|Oranav]] 13:07, 21 July 2009 (UTC)</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Talk:Alpine_1A420&diff=4383
Talk:Alpine 1A420
2009-07-21T13:07:10Z
<p>Oranav: Disassembler frameworks?</p>
<hr />
<div>== Disassembler frameworks? ==<br />
<br />
Have anyone noticed the ARMDisassembler, NDISASM and PPCDisasm PrivateFrameworks? --[[User:Oranav|Oranav]] 13:07, 21 July 2009 (UTC)</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=4363
Ultrasn0w
2009-07-19T13:08:05Z
<p>Oranav: /* Task creator (thanks Darkmen for the comments!) */</p>
<hr />
<div>ultrasn0w (previously: '''yellowsn0w''') is the only [[iPhone 3G]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
MuscleNerd, and [[The dev team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Current Injection Vector==<br />
ultrasn0w refers to the reuseable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00 and the decision was made to release yellowsn0w with this injection vector to benefit the most people. This injection vector is discussed [[AT+stkprof Exploit|here]]. ultrasn0w uses a different injection vector - [[AT+XLOG Vulnerability]].<br />
<br />
==ultrasn0w payload with comments (by Oranav)==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; R0 = task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ===<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://yellowsn0w.com yellowsn0w Official Website]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=4362
Ultrasn0w
2009-07-19T13:02:31Z
<p>Oranav: /* Handler replace */</p>
<hr />
<div>ultrasn0w (previously: '''yellowsn0w''') is the only [[iPhone 3G]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
MuscleNerd, and [[The dev team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Current Injection Vector==<br />
ultrasn0w refers to the reuseable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00 and the decision was made to release yellowsn0w with this injection vector to benefit the most people. This injection vector is discussed [[AT+stkprof Exploit|here]]. ultrasn0w uses a different injection vector - [[AT+XLOG Vulnerability]].<br />
<br />
==ultrasn0w payload with comments (by Oranav)==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
I'm also missing here a comment.<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; R0 = task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; ???<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ===<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://yellowsn0w.com yellowsn0w Official Website]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Kirkwood_7A341_(iPhone2,1)&diff=4338
Kirkwood 7A341 (iPhone2,1)
2009-07-18T17:50:37Z
<p>Oranav: </p>
<hr />
<div>== Exploits ==<br />
* [[iBoot Environment Variable Overflow]]<br />
<br />
== Developer Patches ==<br />
=== Kernel ===<br />
<pre><br />
0x1973AE: 5C B9 => 0B E0 // allow on the fly kernel patching and dumping (tfp0)<br />
0x20D638: 00 00 00 00 => 01 00 00 00 // allow on the fly kernel patching and dumping (/dev/kmem)<br />
0x2DEDF2: 00 F0 51 80 => 00 BF 00 BF // allow aes module to access uid key (key mask = 2000)<br />
0x2DEE02: 06 D1 48 E0 => 06 E0 00 BF // allow aes module to access gid key (key mask = 1000)<br />
</pre><br />
<br />
== Decryption Keys ==<br />
<br />
=== Root Filesystem ===<br />
* '''VFDecrypt''': 7d779fed28961506ca9443de210224f211790192b2a2308b8bc0e7d4a2ca61a68e26200e<br />
<br />
=== LLB ===<br />
* '''Key''': 783970ed70d151e65cdd0f52019f026cbc0ece5c604603117d677b6a85ea4d95<br />
* '''IV''': fc4efef9fd245dc038ecb26f25f795c7<br />
<br />
=== iBoot ===<br />
* '''Key''': c160ff26cf0cdb1c0b5d821e4102cab8a3e62687f39ab8c456907694e3c4834e<br />
* '''IV''': 948a3d82419c9d4dde404cb4a788da70<br />
<br />
=== DeviceTree ===<br />
* '''Key''': 14370497f039b5caf3583cfa89cfd626147df4c37c63ab3a3fc110765d3d0585<br />
* '''IV''': c6f3b155a71d2a61d14f78f6230bb20e<br />
<br />
=== Kernel ===<br />
* '''Key''': f49e50a630397ed72592f5c9874b33ca1e0e5a499d2a6a0f2746c8e7f1dbf470<br />
* '''IV ''': cd41286890df601bfcd87f8a09b009c8<br />
<br />
=== Logo ===<br />
* '''Key''': d4598b90b842817d34f4eb2e741bfb965d73986ac0c1ec99f9d73c67fef787e3<br />
* '''IV''': 02a124ab2522762fdb0e2dceebd69c4e<br />
<br />
=== Recovery Logo ===<br />
* '''Key''': da2324a7f8341c26b550a674a0d8566a9ebc9eda9c22cf37b1fc7d702ee6aab5<br />
* '''IV''': 2e314503ca4f2bd03ac17c8b8eecf072<br />
<br />
=== iBEC ===<br />
* '''Key''': 711ffd7e4cc4ea56150749e085d065f6efe83bc40c506eb17648c3e68ac4ed6c<br />
* '''IV''': 414cd466c85886181881880d66b9535a<br />
<br />
=== iBSS ===<br />
* '''Key''': ebc56070f923799c06fc696fe5b8335517eb2fc13d1e8fcdb16be784db6b4a36<br />
* '''IV''': d7815d19a90b84677fc757aa4abf9343<br />
<br />
=== Update Ramdisk - 018-5304-002.dmg ===<br />
* '''Key''': 8ffbef98cc28b4aa14d18783faa6a8c95c94b1a4536fbfb7485f0d54cdec358b<br />
* '''IV''': d9b8d8f798cd50ba72d434b271d2f181<br />
<br />
=== Restore Ramdisk - 018-5306-002.dmg ===<br />
* '''Key''': 44514633ce2aead62bcfa8836cda4a3c7bde483f8b1e9f19d22f9d8fdf753e02<br />
* '''IV''': e345e23bb266fcc2ba23a2e0be77a3bf</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Pwnage&diff=4336
Pwnage
2009-07-18T16:48:49Z
<p>Oranav: /* 2.0+ (S5L8720) */</p>
<hr />
<div>This exploit is in the [[S5L8900]] bootrom, thus available in the iPhone, iPod Touch and iPhone 3G. The exploit is that the bootrom doesn't signature check [[LLB]].<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
===Pre-2.0 ([[S5L8900]])===<br />
The [[NOR]] was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although [[iBoot]] signature checked the [[kernel]], [[LLB]] did not signature check [[iBoot]], and the [[VROM]] did not signature check [[LLB]].<br />
<br />
===2.0+ ([[S5L8900]])===<br />
The [[VROM]] doesn't sig check the stuff it jumps to in the [[NOR]]. So to use the exploit, one finds a way of writing to the [[NOR]] unsigned, either with [[iBoot]] hacks or kernel patches. While images are now written to [[NOR]] in a way that one can verify the other, like LLB verifying iBoot, the bootrom cannot be written to, so it still defaults to just reading LLB normally, un-signature checked.<br />
<br />
===2.0+ ([[S5L8720]])===<br />
This exploit has been fixed on the [[n72ap|iPod Touch 2G]] and the [[n82ap|iPhone 3GS]]. The bootrom sigchecks LLB before jumping to it now, and if the LLB is patched, it will default to DFU mode. So in order to fully jailbreak the device, a bootrom exploit must be found.<br />
<br />
==Implementation==<br />
* [[PwnageTool]]<br />
* [[iPhoneLinux]]<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Exploits]]<br />
[[Category:VROM]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Pwnage&diff=4335
Pwnage
2009-07-18T16:42:10Z
<p>Oranav: </p>
<hr />
<div>This exploit is in the [[S5L8900]] bootrom, thus available in the iPhone, iPod Touch and iPhone 3G. The exploit is that the bootrom doesn't signature check [[LLB]].<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
===Pre-2.0 ([[S5L8900]])===<br />
The [[NOR]] was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although [[iBoot]] signature checked the [[kernel]], [[LLB]] did not signature check [[iBoot]], and the [[VROM]] did not signature check [[LLB]].<br />
<br />
===2.0+ ([[S5L8900]])===<br />
The [[VROM]] doesn't sig check the stuff it jumps to in the [[NOR]]. So to use the exploit, one finds a way of writing to the [[NOR]] unsigned, either with [[iBoot]] hacks or kernel patches. While images are now written to [[NOR]] in a way that one can verify the other, like LLB verifying iBoot, the bootrom cannot be written to, so it still defaults to just reading LLB normally, un-signature checked.<br />
<br />
===2.0+ ([[S5L8720]])===<br />
This exploit has been fixed on the [[n72ap|iPod Touch 2G]]. The bootrom sigchecks LLB before jumping to it now, and if the LLB is patched, it will default to DFU mode.<br />
<br />
==Implementation==<br />
* [[PwnageTool]]<br />
* [[iPhoneLinux]]<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Exploits]]<br />
[[Category:VROM]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Pwnage_2.0&diff=4334
Pwnage 2.0
2009-07-18T16:39:52Z
<p>Oranav: </p>
<hr />
<div>This exploit in the [[S5L8900]] bootrom is really the ultimate exploit, since it allows unsigned code to be run at the lowest level. It is available in all S5L8900 devices - iPhone, iPod Touch and iPhone 3G.<br />
<br />
==Credit==<br />
[[The dev team]]<br />
<br />
==Exploit==<br />
There is a stack overflow in the certificate parsing code. By passing a malformed certificate, unsigned code can be run.<br />
<br />
==Implementations==<br />
*[[PwnageTool]]<br />
*[[QuickPwn]]<br />
*[[WinPwn]]<br />
*[[redsn0w]]<br />
*[http://lpahome.com/geohot/iran.rar iran]<br />
<br />
[[Category:Exploits]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Jailbreak&diff=4333
Jailbreak
2009-07-18T16:38:19Z
<p>Oranav: </p>
<hr />
<div>This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition as read-write. This is entirely different to an [[unlock]]. Jailbreaking is the first action that must be taken before things like non-official [[activation]], and non-official unlocking, can proceed.<br />
<br />
The original jailbreak also included modifying the [[AFC|afc]] service (service used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to creating a new service (afc2) that allows access to the full filesystem.<br />
<br />
Modern jailbreaks also include patching the OS kernel to get around code-signing and other restrictions.<br />
<br />
<br />
==Exploits which were used in order to jailbreak (in chronological order)==<br />
=== 1.0.2 ===<br />
* [[Restore Mode]] (iBoot had a command named cp, which had access to the whole filesystem)<br />
=== 1.1.1 ===<br />
* [[Symlinks]] (an update jailbreak)<br />
* [[libtiff exploit]] (Adapted from the PSP scene, used by [[Jailbreakme]])<br />
=== 1.1.2 / 1.1.3 ===<br />
* [[Mknod]] (an update jailbreak)<br />
=== 1.1.4 ===<br />
* [[Ramdisk Hack]]<br />
<br />
==Exploits which are used in order to jailbreak 2.0 and above==<br />
===iPhone / iPhone 3G / iPod Touch===<br />
* [[Pwnage]] and [[Pwnage 2.0]] (together)<br />
===iPod Touch 2G===<br />
* [[ARM7 Go]] (used by tethered jailbreaks)<br />
* [[24kpwn]]<br />
===iPhone 3GS===<br />
All jailbreaks are using the [[24kpwn]] exploit, but you need an iBoot exploit as well because of [[ECID]].<br />
====3.0====<br />
* [[iBoot Environment Variable Overflow]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Restore_Mode&diff=4332
Restore Mode
2009-07-18T16:29:16Z
<p>Oranav: /* Exploits */</p>
<hr />
<div>This is the mode the Apple ramdisk enters to restore the iPhone.<br />
<br />
==Exploits==<br />
The original jailbreaks were done by booting the phone into restore mode and copying an /etc/fstab and afcd plist from the user partition. This was done by using the cp iBoot command, a command which had access to the whole filesystem.<br />
<br />
==Implementations==<br />
*[[itunesmobiledevice.dll]]<br />
*[http://lpahome.com/geohot/gshell.rar gshell]<br />
<br />
[[Category:Jailbreaks]]<br />
[[Category:Protocols (S5L)]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Jailbreak&diff=4331
Jailbreak
2009-07-18T16:28:07Z
<p>Oranav: /* Exploits which was used in order to jailbreak (in chronological order) */</p>
<hr />
<div>This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition as read-write. This is entirely different to an [[unlock]]. Jailbreaking is the first action that must be taken before things like non-official [[activation]], and non-official unlocking, can proceed.<br />
<br />
The original jailbreak also included modifying the [[AFC|afc]] service (service used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to creating a new service (afc2) that allows access to the full filesystem.<br />
<br />
Modern jailbreaks also include patching the OS kernel to get around code-signing and other restrictions.<br />
<br />
<br />
==Exploits which were used in order to jailbreak (in chronological order)==<br />
=== 1.0.2 ===<br />
* [[Restore Mode]] (iBoot had a command named cp, which had access to the whole filesystem)<br />
=== 1.1.1 ===<br />
* [[Symlinks]] (an update jailbreak)<br />
* [[libtiff exploit]] (Adapted from the PSP scene, used by [[Jailbreakme]])<br />
=== 1.1.2 / 1.1.3 ===<br />
* [[Mknod]] (an update jailbreak)<br />
=== 1.1.4 ===<br />
* [[Ramdisk Hack]]</div>
Oranav
https://www.theiphonewiki.com/w/index.php?title=Jailbreak&diff=4330
Jailbreak
2009-07-18T16:27:57Z
<p>Oranav: </p>
<hr />
<div>This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition as read-write. This is entirely different to an [[unlock]]. Jailbreaking is the first action that must be taken before things like non-official [[activation]], and non-official unlocking, can proceed.<br />
<br />
The original jailbreak also included modifying the [[AFC|afc]] service (service used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to creating a new service (afc2) that allows access to the full filesystem.<br />
<br />
Modern jailbreaks also include patching the OS kernel to get around code-signing and other restrictions.<br />
<br />
<br />
==Exploits which was used in order to jailbreak (in chronological order)==<br />
=== 1.0.2 ===<br />
* [[Restore Mode]] (iBoot had a command named cp, which had access to the whole filesystem)<br />
=== 1.1.1 ===<br />
* [[Symlinks]] (an update jailbreak)<br />
* [[libtiff exploit]] (Adapted from the PSP scene, used by [[Jailbreakme]])<br />
=== 1.1.2 / 1.1.3 ===<br />
* [[Mknod]] (an update jailbreak)<br />
=== 1.1.4 ===<br />
* [[Ramdisk Hack]]</div>
Oranav