The iPhone Wiki - User contributions [en]

N72AP

2009-08-13T20:10:03Z

Thunderball:

{{DISPLAYTITLE:iPod touch 2G}}
This is the 2nd Generation [[iPod Touch]].

'''Model''': n72ap

'''Application Processor (OS Chip)''': s5l8720x

==Hardware==
See the [[S5L8720_(Hardware)]] for hardware details

==Device IDs==
'''0x1227''' = DFU Mode 2.0 (Basically WTF 2.0 burned into bootrom) 
'''0x1281''' = Recovery Mode 2.0 (iBEC / iBSS / iBoot) 
'''0x1293''' = Normal Mode (comm with iTunes / MobileDev framework)

==Exploits==
See the [[S5L8720]] page for all known exploits

N18AP

2009-08-13T20:07:52Z

Thunderball:

{{DISPLAYTITLE:iPod touch 3G}}
This is the 3rd Generation [[N45ap|iPod Touch]].

'''Model''' (Codename) : Olympic [http://pastie.org/559242]

'''Application Processor (OS Chip)''': unknown

===Wifi Chip===
[[BCM4329]] Wifi A/B/G/N, Bluetooth, FM Transmit/Receive

IPhone Dev Team

2009-08-13T20:03:15Z

Thunderball:

{{DISPLAYTITLE:iPhone Dev Team}}
==Blog==
[http://blog.iphone-dev.org Dev Team blog]

==Current members==
asap18, bgm, Bugout, bushing, c1de0x, chris, CPICH, dinopio, Fred_, ghost_000, gray, iZsh, jim–, marcan, MuscleNerd, netkas, np101137, penisbird, planetbeing, pr3d4t0r, pumpkin, pytey, roxfan, saurik, Turbo, w___, wizdaz, Zf

==Previous Members==
drudge, [[geohot]], gj, kroo, Nate True, NerveGas, sam, Whiterat, [[Zibri]]

==See also==
* [[PwnageTool]]
* [[pwnage]]
* [[pwnage 2.0]]
* [[yellowsn0w]]
* [[redsn0w]]

IBoot (Bootloader)

2009-08-13T20:01:17Z

Thunderball:

{{DISPLAYTITLE:iBoot}}
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.

== Revisions ==
* [[iBoot-204.3.14]] (1.1.4)
* [[iBoot-320.20]] (2.0.x)
* [[iBoot-385.22]] (2.1 and 2.1.1)
* [[iBoot-385.49]] (2.2 and 2.2.1)
* [[iBoot-596.24]] (3.0 and 3.0.1)

==Commands used as an exploit vector==
* Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at written to 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
* In the iPod Touch 2G firmware 2.1.1 iBoot (iBoot version 385.22), the [[ARM7 Go]] command could be used to run a payload on the ARM7 in the iPod Touch 2G.
* The [[iBoot Environment Variable Overflow]] exists in 3.0 iBoot, and is being used by [[purplera1n]] and redsn0w (as of version 0.8) in order to flash the oversized LLB which utilizes the [[24kpwn]] exploit to the iPhone 3GS. While this exploit is present on iPod Touch 2nd Gen, it is not used in favour of the [[ARM7 Go]] exploit.

==OpeniBoot==
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

==Remappings==
<pre>
// n88
0x4FF00000 => 0x0
0x40000000 => 0xC0000000
</pre>

IPhone Hacking Presentation - History 1.0-1.1.4

2009-08-13T19:57:48Z

Thunderball:

{{DISPLAYTITLE:iPhone Hacking Presentation - History 1.0-1.1.4}}
This page is currently being further documented.

Check back for the full documentation.

George Hotz Presentation on "Hacking the iPhone"
9:30 EST July 17, 2009 irc.osx86.hu #presentation
http://theiphonewiki.com/wiki/index.php?title=Jailbreakme

The Hackers in the Presentation (alphabetical order):
- copumpkin
- geohot
- kroo
- lilstevie
- posixninja
- westbaer

Geohot began the presentation with a potted history of iPhone hacking.

The history of "jailbreaking":

At the start:
- slide for emergency (before lockdownd patches) <- this is activation
- apple generates an activation record when you connect your phone to itunes for the first time
- put in tmoble sim card, didnt work..

Activation record contains:
ICCID (sim card)
IMEI (baseband)
DEVID (UDID, phone/s5l/app processor)

So, then tried...
resending activation record to another phone
lockdownd didn't check that record actually matched anything

dvd jon wrote a program to spoof activation server, that sends his record and since the lockdownd didnt check that the record matched the iPhones IDs, it worked -> people can now activate

iphone dev folks start reversing itunesmobiledevice.dll / MobileDevice.framework
-> AMDeviceActivate (give it an activation record, and it would activate the phone for you)

Through the reversing of the MobileDevice.framework (AFC protocol) it was possible to gain control of the chrooted jailed files in /var/root/media

iTunes uses AFC to send files (music, contacts etc) to the iPhone, inside the /var/mobile/media jail. So the next thing after activation is jailbreak.
("jail" means a chroot jail, more info at: http://en.wikipedia.org/wiki/Chroot, http://docs.freebsd.org/44doc/papers/jail/jail.html )

System Partition mounted at /
User Partition /var/mobile/

First jailbreak was done by using the cp (copy) command in restore mode, which had access to the whole FS. They overwrote fstab and services.plist, and they added a service called afc2 which shared the whole FS.

We could also take a look at the disk image itself inside an ipsw:
unfortunately, the rootfs dmg has encryption that doesn't use the traditional dmg password scheme
so we wrote vfdecrypt

So... then we could touch the filesystem all we wanted, but without a toolchain we couldn't do anything useful.
this is interesting because:
mach-o and ARM: never done before outside apple; we needed to write it ourselves (aka watch in awe as nightwatch did it)

this lead to the days of irc://irc.osx86.hu/iphone-uikit
mentioned neato things:
MobileTerminal, Hello World

George Hotz joined the small group of "iPhone Dev team folks" (#iphone.dev ?ithink?)
things started becoming secretive, and George Hotz decided to release http://chickenenchiladagrilledstuftburrito.info/u.htm , his "manifesto"

Unlocks:

First Unlock:
Hardware
1. Erase baseband firmware
2. Using a hardware test point, pull an address line high, so it thinks it's all erased (fakeblank, more information @ http://www.theiphonewiki.com/wiki/index.php?title=Fakeblank )
3. You can send serial payloads and run your own unsigned code, so patch it to be unlocked

IPSF style unlock:
If code uploaded to baseband had an SHA1 hash ending in 00 00 00 00, it would run (due to buggy coding, they only checked the last four bytes), and the bleichenbacher RSA attack allowed fake unlock tokens to be generated server side

Then there was iUnlock by the Dev-Team, which used -0x400 exploit to unlock.

then along comes 1.1.1: encryption,
i got this:
Restore holes to jailbreak were patched, but this lead to the most simple jailbreak:
jailbreakme.com / TIFF exploit
This was taken from the PSP hacking scene, an old version of libtiff had a buffer overflow (found by taviso, firstly exploited by cmw) on one of the metadata tags iirc.

and 1.1.2 comes along, patching the tiff vuln, things start to get more complex:
initially we started by just insisting that people downgrade to 1.1.1, then update again
this became harder as more phones came preinstalled with 1.1.2, etc.
at 1.1.3 (BB version 4.6), this became unbearable...
george releases gunlock using the -0x20000 w back extend erase exploit
and eventually ZiPhone is released (unsigned ramdisk exploit)

How this works:
hit restore, iphone goes into recovery mode (iBoot, bootloader for the s5l proc)
commence geohot wall-o-text:
your iphone has two major processors, the s5l(which runs the apps, and is targeted by jailbreaks), and the baseband(which runs the phone stuff, and is targeted by unlocks)
recovery mode sending a ramdisk and kernel can boot the device no matter whats on nand
after the ramdisk boots, it enters restore mode
in restore mode, the system dmg(with the OS) is sent
the nor is upgraded to have the latest iboot and llb
and the baseband is upgraded to have the latest baseband firmware
so, imagine being able to write your own ramdisk
everything up to user mode was always sig checked
including the ramdisk

RESOURCES:

Links posted by "the hackers":

1) http://nanocr.eu/2007/07/03/iphone-without-att/
Site: Jon "DVD Jon" Lech Johansen’s blog
Entry: "iPhone Independence Day"
Documents Jon's discovery of how to activate a brand new iPhone unofficially.
Originally posted on Tuesday, July 3rd, 2007

2) http://chickenenchiladagrilledstuftburrito.info/u.htm
Site: (mirror)
Entry: George Hotz's "manifesto"
Originally mirrored on Friday, July 27th, 2007

3) http://theiphonewiki.com/wiki/index.php?title=Minus_0x20000_with_Back_Extend_Erase
Site: The iPhone Wiki
Entry: "Minus 0x20000 with Back Extend Erase"
This is the exploit used to unlock all phones with a 4.6 bootloader.
Originally posted on Saturday, July 27th 2008

/* Definitions of terms used:
(links here possibly) */
Jailbreak: Apple makes it so your device can only use one folder on the phone, jailbreak gets out of that single folder jail and lets you use the entire filesystem.

Active Documenters (alphabetical order):

- Izzard 
- Kroo 
- Oranav 
- Veeloc 
- crash-x (only in the beginning)

IBoot Environment Variable Overflow

2009-08-13T19:53:50Z

Thunderball:

{{DISPLAYTITLE:iBoot Environment Variable Overflow}}
This is an exploit in the iBoot parsing of commands and environment variables.

== Credit ==
[[User:Geohot|geohot]]

== Explanation ==
This is a heap overflow in 3.0's [[iBoot]]. I'm really tired right now and will write more tomorrow.

My implementation saves the first 8 bytes in overruns(important or phone crashes), and overwrites the first 8 bytes of the '?' environment variable in the ring buffer. When the ring buffer is freed, it attempts to close the ring. In doing so, it changes the command table to have an entry at 0x41000000, where I then(must be done after or else cmd pointer gets overwritten) upload the geohot command. Run it and enjoy.

== Implementation in purplera1n ==
setenv a bbbbbbbbb1bbbbbbbbb2bbbbbbbbb3bbbbbbbbb4bbbbbbbbb5bbbbbbbbb6bbbbbbbbb7bbbbbbbbb8bbbbbbbbb9bbbbbbbbbAbbbbbbbbbBbbbbbbbbbCbbbbbbbbbDbbbbbbbbbEbbbbbbbbbbbbtbbbbbbbbbubbbbbbbbbvbbbbbbbbbwbbbbbbbbbxbbbbbbbbbybbbbbbbbbzbbbbbbbbbHbbbbbbbbbIbbbbbbbbbJbbbbgeohotbbbbbbbbbLbbbbbbbbbMbbbbbbbbbNbbbbbbbbbObbbbbbbbbPbbbbbbbbbbQbbbbbbbbbRbbbbbbbbbSbbbbbbbbbTbbbbbbbbbUbbbbbbbbbVbbbbbbbbbWbbbbbbb

xxxx $a $a $a $a geohotaaaa \"\x04\x01\" \\ \"\x0c\" \\ \\ \\ \\ \\ \"\x41\x04\xA0\x02\" \\ \\ \\ \\ wwww;echo copyright;echo geohot

[[Category:Exploits]]

List of iPod touches

2009-08-13T18:50:31Z

Thunderball:

{{DISPLAYTITLE:iPod touch}}
There are two iPod touch generations at the time of writing.

The first generation is the [[N45ap]]. This model of the iPod touch is the earliest version.
 
The second generation is the [[N72ap]]. This is the second, re-designed model of the iPod touch with additional features.

For a full comparison, vist [[Comparison of iPod touch 1G and 2G]].

IDroid

2009-08-11T15:12:30Z

Thunderball:

{{DISPLAYTITLE:iPhoneLinux}}
[[Image:Openiboot.png|thumb|right|200px|Device running the OpeniBoot console.]]
[http://iphonelinux.org iPhonelinux] is a project which goals are to port linux on the iPhone and make a Free (free software) OS alternative to the Apple proprietary "[http://en.wikipedia.org/wiki/IPhone_OS iPhone OS]".

iPhonelinux is not actually a hack/exploit neither an unlock, but it is based on the [[Pwnage]] exploit.

There are three steps in the iPhonelinux roadmap : OpeniBoot, linux kernel and long term (GUI, phone...)

== OpeniBoot ==
The Goals of OpeniBoot is to run low-level code, to have low and critical drivers (nand and nor driver, NVRAM...), debugger and development environment (chainloading, upgrading itself and USB mass storage).

== Linux ==
A linux Bootloader, a working linux kernel (just a question of cross-compiler), porting drivers, run wifi and command line thru SSH.

== Long-Term Plans ==
Multi-touch driver, Baseband driver, port X server and create an SDK.
Then have a viable alternative of the iPhone OS.

== Binaries ==

These are utility binaries precompiled on Ubuntu 8.10. They require:

- libpthread
- libncurses
- libusb
- libreadline

You may elect to build them from source by pulling from
iphonelinux/openiboot's git repository.

== Disclaimer ==

BE WARNED THAT THESE STEPS ARE NOT INTENDED FOR NOVICES. YOU ATTEMPT THIS AT
YOUR OWN RISK. AT THIS TIME, WE CANNOT AFFORD THE EFFORT REQUIRED TO GIVE
SUPPORT TO NOVICES AND/OR RESCUE THEM FROM THEIR OWN ACTIONS.

Although unlikely, if the installation goes wrong, you may have to perform a
DFU restore on your iPhone. If you do not know how to do that, you should not
follow these steps. You should also know how to use iRecovery (or similar) and
the fsboot command to "kick an iPhone out of recovery mode". If you do not
know how to do that, you should not follow these steps.

The installation of openiboot itself is safe, but openiboot has the facility
to erase device-specific information from your NOR flash. If you did not make
a backup, and execute the commands necessary to make openiboot erase that
information, it is gone forever and your device may never boot properly again.

The instructions below will show you how to make such a backup before any
changes are made.

== Installing OpeniBoot ==

=== Prerequisites ===
* Having an iPhone (first gen), iPhone 3G or an iPod 1G (the 2G iPod won't work). 
* Being on 2.x+ to have support IMG3 (the iPhonelinux-demo provides IMG3 files, not IMG2 files). 
* Being Pwned : Pwnage comes with jailbreak on 2.x+, so If you used Pwnage Tool, QuickPwn or xPwn, you are good.
* Required libraries (install as a package for Uuntu).:
** libpthread
** libncurses
** libusb
** libreadline

=== Installation ===

1. Put your iPhone in [[Recovery Mode]].

2. sudo ./loadibec openiboot-2g.img3, or -3g, -ipod, depending on your platform.

3. sudo ./oibc

4. nor_read 0x09000000 0x0 1048576

5. ~norbackup.dump:1048576. This will create a file called norbackup.dump in your current directory. GUARD IT WITH YOUR LIFE.

6. install

7. After 'install' has finished, type in: reboot.

8. You ought to see the openiboot menu.

===See===
* [[QuickOIB]]

== Booting Linux ==

Use the Hold button to navigate the menu. Push the Home button
when openiboot client is selected.
sudo ./oibc
!zImage
kernel
!rootfs.arm.ext2.gz
ramdisk 3588
boot "console=tty console=ttyUSB root=/dev/ram0 rw"
sudo ./linux

You should now get a login prompt. Nothing that's happening will show up on
the LCD automatically, but you can redirect it to the display with the
following command:

sh 2>&1 > /dev/tty0

Enjoy!

== iPhone Linux Resources ==

- Framebuffer driver
- Serial driver
- Serial over USB driver
- Interrupts, MMU, clock, etc.

=== OpeniBoot Resources ===

- Read-only support for the NAND

=== OpeniBoot Missing Resources ===

- Write support for the NAND
- Wireless networking
- Touchscreen
- Sound
- Accelerometer
- Baseband support

===QuickOIB===

[[QuickOIB]] is a tool that allows the user to temporarily install OpeniBoot in a device.
It was developed by pH and work perfectly with Mac OS X and Ubuntu 8.10

=== Support ===

The current userland we're using, in the interest of expedience, is a Busybox installation created with buildroot, but glibc works fine as well, and we're going to build a more permanent userland solution.

A demonstration video can be seen here: http://www.vimeo.com/2373142

Download here: http://localhostr.com/files/b00133/iphonelinux-demo.tar.gz

Project leader: '''planetbeing'''

Contributors: '''CPICH, cmw, poorlad, ius, saurik'''

If you're experienced with '''hacking/porting Linux''' and especially if you're experienced with porting '''Android''', I'd definitely like to hear from you. Come chill in the ''#iphonelinux'' channel on ''irc.osx86.hu'' . If you're not experienced, and still want to help, you can digg/slashdot this posting to heaven so our little project gets more visibility. Thanks. :)

ITunes

2009-08-11T15:10:47Z

Thunderball:

{{DISPLAYTITLE:iTunes}}
iTunes is Apple's music and video management software. It also serves as a desktop client for the iTunes Store and handles iPod/iPhone synchronization.

It consists of 3 major components: iTunes itself, QuickTime and Apple Mobile Device Support (AMDS).
QuickTime is used for audio/video playback and encoding, while AMDS is the component responsible for synchronizing with iPhone/iPod Touch.

== Mac OS X versions ==
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
!iTunes version
!AMDS version
!Download URL
!SHA-1 hash
!File size
!Comments
|-
|8.0.1.?
|???
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5553.20081002.kjy65/iTunes801.dmg iTunes801.dmg] (defunct)
|722f5603bd12808d895cf822f3c4267febc56b74
|???
|This was deleted by Apple.
|-
|8.0.1.12
|1.8.5.7
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5649.20081008.hji9O/iTunes801.dmg iTunes801.dmg]
|35c736471228e0b47a0fb54a52447ec8ff11681f
|58,696,603
|
|-
|8.0.2.20
|1.8.5.13
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5810.20081120.wm3n4/iTunes802.dmg iTunes802.dmg]
|ad1d027ec850af8c70a3af39eb3c47e1192067df
|60,559,358
|
|-
|8.1.0.50
|2.0.5.7
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5641.20090311.Cfe4r/iTunes81.dmg iTunes81.dmg]
|6c9ee64741158c9f45417b965b38b01ea3b51af1
|66,440,133
|
|-
|8.1.1.10
|2.0.5.7
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6171.20090406.i98u7/iTunes811.dmg iTunes811.dmg]
|447933eee85feca7b8a2335e441202794c19b966
|69,231,745
|
|-
|8.2.0.23
|2.3.8.0
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6183.20090601.Pldj3/iTunes8.2.dmg iTunes8.2.dmg]
|a07c4fb0dfd94ba238024cf8d448165da24e5be5
|81,038,040
|The first public version to support iPhone OS 3.0
|-
|8.2.1.6
|2.3.8.0
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6715.20090715.cfR54/iTunes8.2.1.dmg iTunes8.2.1.dmg]
|f6d1e5453b7c2ae9a85fe61a7d0eaf972e4d7266
|81,050,406
|Disables syncing with Palm Pre. Does not put signed iBSS/iBEC in temp folder on 3GS restores.
|}

== Windows versions (32-bit) ==
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
!iTunes version
!QuickTime version
!AMDS version
!Download URL
!SHA-1 hash
!File size
!Comments
|-
|8.0.0.35
|7.55.90.70
|2.1.0.25
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-4746.20080909.Detnz/iTunes8Setup.exe iTunes8Setup.exe]
|5d4ff8ffbe9feeaed67deb317797c1d71a03c359
|67,822,888
|The first public release of 8.0. Introduced many new features, including Genius playlists.
|-
|8.0.0.35
|7.55.90.70
|2.1.0.25
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5525.20080911.bnj78/iTunes8Setup.exe iTunes8Setup.exe]
|09bd8dd0b055f1b63205d5c9c9a00e4d42e38a3e
|67,110,184
|This version was released only 2 days after the official 8.0 release, supposedly to fix blue screen errors. Also removed device icons for iPhones and iPods.
|-
|8.0.1.11
|7.55.90.70
|2.1.1.13
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5555.20081002.5Kij7/iTunes801Setup.exe iTunes801Setup.exe]
|7342c1aa7c458db14c67e8635ee475adcc1d38be
|67,167,528
|
|-
|8.0.2.20
|7.55.90.70
|2.1.2.7
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5812.20081120.3mv63/iTunesSetup.exe iTunesSetup.exe]
|96113274f450dfe2893805353663b2436161b15a
|68,756,776
|CoreFP library was moved from the QuickTime installer into iTunes
|-
|8.0.2.20
|7.60.92.0
|2.1.2.7
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5856.20090121.fvgtr/iTunesSetup.exe iTunesSetup.exe]
|50c0e31eda9ab0a5902d2242ba2fd74ef5be7c99
|69,076,264
|
|-
|8.1.0.51
|7.60.92.0
|2.4.0.27
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6166.20090311.znt32/iTunesSetup.exe iTunesSetup.exe]
|562bcc78760c4055f84d53730089a62dfa9c3fcf
|73,336,104
|Version 8.1 was notable for significant performance improvements on Windows. Also brought back device icons.
|-
|8.1.0.52
|7.60.92.0
|2.4.0.27
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6190.20090313.Cf9iK/iTunesSetup.exe iTunesSetup.exe]
|00bd8842cf0f2026cc4590ef434f6846eeca7fa4
|73,332,008
|
|-
|8.1.1.10
|7.60.92.0
|2.4.1.7
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6172.20090406.Xdcfr/iTunesSetup.exe iTunesSetup.exe]
|cad92e6882b5fb49d710d342f315d7d6293e2b0a
|74,302,760
|
|-
|8.2.0.23
|7.62.14.0
|2.5.0.31
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6184.20090601.Bhyit/iTunesSetup.exe iTunesSetup.exe]
|16f5b1e787b36aece842ea5ae80bfc6bf2b32b19
|77,690,152
|The first public version to support iPhone OS 3.0
|-
|8.2.0.23
|7.62.14.0
|2.5.1.3
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6664.20090608.dfrtg/iTunesSetup.exe iTunesSetup.exe]
|b1fbcba068c32c25d8987b81ce60cc660b90ccd8
|77,690,152
|
|-
|8.2.1.6
|7.62.14.0
|2.5.2.2
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6717.20090715.XsE4R/iTunesSetup.exe iTunesSetup.exe]
|797da9711caf87d114e2a5b88523fa825753b530
|77,976,864
|Disables syncing with Palm Pre. Does not put signed iBSS/iBEC in temp folder on 3GS restores.
|}

== Windows versions (64-bit) ==
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
!iTunes version
!QuickTime version
!AMDS version
!Download URL
!SHA-1 hash
!File size
!Comments
|-
|8.0.2.20
|7.55.90.70
|2.1.2.7
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-5813.20081120.v8d4k/iTunes64Setup.exe iTunes64Setup.exe]
|3c0de1135a6f7324ff691e99a8fefa385219bb0a
|69,323,048
|CoreFP library was moved from the QuickTime installer into iTunes
|-
|8.1.0.52
|7.6.0.92
|2.4.0.27
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6167.20090311.tnz64/iTunes64Setup.exe iTunes64Setup.exe]
|fb07309a0196b424ed434be1143f9e8bcd978d62
|73,855,272
|
|-
|8.1.1.10
|7.6.0.92
|2.4.1.7
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6173.20090406.Aidol/iTunes64Setup.exe iTunes64Setup.exe]
|40a82ba08885bd8797f70b8199df5526f3f2d409
|74,820,904
|
|-
|8.2.0.23
|7.6.2.14
|2.5.0.31
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6185.20060601.Fkje9g/iTunes64Setup.exe iTunes64Setup.exe]
|b8739f847f2b66835f4f4b542b3308de96d418ed
|78,721,320
|The first public version to support iPhone OS 3.0
|-
|8.2.1.6
|7.6.2.14
|2.5.2.2
|[http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iTunes8/061-6718.20090715.MJwE3/iTunes64Setup.exe iTunes64Setup.exe]
|8985afce9ab6d4483c43308cf34e6217e903000a
|78,999,840
|Disables syncing with Palm Pre. Does not put signed iBSS/iBEC in temp folder on 3GS restores.
|}