https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=PrasysThe iPhone Wiki - User contributions [en]2026-04-27T22:00:30ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=IBoot_(Bootloader)&diff=5135IBoot (Bootloader)2009-10-14T14:53:49Z<p>Prasys: /* Revisions */</p>
<hr />
<div>{{DISPLAYTITLE:iBoot}}<br />
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.<br />
<br />
== Revisions ==<br />
* [[iBoot-99]] (1A420 a.k.a. Prototype)<br />
* [[iBoot-159]] (1.0.x)<br />
* [[iBoot-204]] (1.1 and 1.1.1 3A109a)<br />
* [[iBoot-204.0.2]] (1.1.1 3A110a)<br />
* [[iBoot-204.2.9]] (1.1.2)<br />
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)<br />
* [[iBoot-204.3.16]] (1.1.5)<br />
* [[iBoot-240.5.1]] (iPod Touch 2G 8gb *mc* model/3.1)<br />
* [[iBoot-320.20]] (2.0.x)<br />
* [[iBoot-385.22]] (2.1 and 2.1.1)<br />
* [[iBoot-385.49]] (2.2 and 2.2.1)<br />
* [[iBoot-596.24]] (3.0 and 3.0.1)<br />
* [[iBoot-636.65]] (3.1 and 3.1.1)<br />
* [[iBoot-636.66]] (3.1.1 7C146)<br />
<br />
==Commands used as an exploit vector==<br />
* Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at written to 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.<br />
* In the iPod Touch 2G firmware 2.1.1 iBoot (iBoot version 385.22), the [[ARM7 Go]] command could be used to run a payload on the ARM7 in the iPod Touch 2G.<br />
* The [[iBoot Environment Variable Overflow]] exists in 3.0 iBoot, and is being used by [[purplera1n]] and [[redsn0w]] (as of version 0.8) in order to flash the oversized [[LLB]] which utilizes the [[24kPwn]] exploit to the iPhone 3GS. While this exploit is present on iPod Touch 2nd Gen, it is not used in favour of the [[ARM7 Go]] exploit.<br />
* The [[usb_control_msg(0x21, 2) Exploit]] exists in 3.1 and 3.1.1 iBoot and is being used by [[greenpois0n]] in order to flash the oversized [[LLB]] which utilizes the [[24kPwn]] exploit to the iPhone 3GS and iPod Touch 3G. While this exploit is present on iPod Touch 2nd Gen, it is not used in favour of the [[ARM7 Go]] exploit.<br />
<br />
<br />
==OpeniBoot==<br />
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.<br />
<br />
==Remappings==<br />
<pre><br />
// n88<br />
0x4FF00000 => 0x0<br />
0x40000000 => 0xC0000000<br />
</pre><br />
<br />
== See also ==<br />
* [[iBoot (Enums)]]</div>Prasys