https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=Toddyt1
The iPhone Wiki - User contributions [en]
2026-05-01T16:56:59Z
User contributions
MediaWiki 1.31.14
https://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Community_portal&diff=15401
The iPhone Wiki:Community portal
2011-01-28T14:34:12Z
<p>Toddyt1: Adding this. Was opened on archived page.</p>
<hr />
<div>{{Talk Archive|2009|2010|2011}}<br />
<br />
This is the place to post tasks that need to be done on the wiki. Also this is the place for proposed changes. I heard about people wanting a favicon and arranging the main page into categories.<br />
<br />
== Site Related Requests ==<br />
Place you reqests here<br />
<br />
==iPhone Related Requests==<br />
{{main|Unsolved problems}}<br />
Keys/ivs for 4.0 beta 1/2/3 need to be updated. Many of them on are on the Internet, but not on here. Related pages:<br />
*[[Beta Firmware]]<br />
<br />
==Hacking softwares which are fit to be in this wiki==<br />
Some people are just copying other jailbreaks source code/idea, renaming it and they are putting up a iphone wiki page.What to do with them? Seas0npass is an example which copied sn0wbreeze/PwnageTool idea. --[[User:Whiteshinyapple|Whiteshinyapple]] 13:37, 28 January 2011 (UTC)<br />
:They are all just GUIs for xpwn. They are all valid "hacking softwares". --[[User:Toddyt1|Toddyt1]] 14:27, 28 January 2011 (UTC)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=User:Umbi98&diff=15327
User:Umbi98
2011-01-26T20:17:17Z
<p>Toddyt1: Umbi98 moved to User:Umbi98 over redirect: This is a user page.</p>
<hr />
<div>I'm '''Umbi98''' and I'm an iPhone Hacker and Unlocker.<br />
<br />
I'm from Milan and I love keeping this wiki!! :-)<br />
<br />
I'm a happy iPhoneItalia User and I know a lot about jailbreak and unlock.<br />
<br />
I know HTML.<br />
<br />
I'm Italian and 13.<br />
<br />
== Contact Info ==<br />
{| border=3<br />
|-<br />
| OpenFeint<br />
| umberto98<br />
|-<br />
| [[:/var/stash/Applications.*****/GameCenter~iphone.app|Game Center]]<br />
| umbi98<br />
|-<br />
| Twitter<br />
| http://www.twitter.com/umbi98<br />
|-<br />
|}<br />
<br />
<br />
== Devices ==<br />
{| border=3<br />
|-<br />
! Device<br />
! [[N82ap|iPhone 3G]]<br />
! [[N82ap|iPhone 3G]]<br />
! [[N88ap|iPhone 3GS]]<br />
! [[N90ap|iPhone 4]]<br />
! [[K48ap|iPad WiFi]]<br />
|-<br />
! Paid<br />
| €550<br />
| €500<br />
| Gift<br />
| $200<br />
| Gift<br />
|-<br />
! Size<br />
| 16GB<br />
| 8GB<br />
| 16GB<br />
| 16GB<br />
| 64GB<br />
|-<br />
! Current FW<br />
| [[Jasper 8C148|4.2.1]]<br />
| [[Jasper 8C148|4.2.1]]<br />
| [[Jasper 8C148a|4.2.1]]<br />
| [[Baker 8B117|4.1]]<br />
| [[Jasper 8C148|4.2.1]]<br />
|-<br />
! Jailbroken?<br />
| {{yes|Yes}}<br />
| {{no|No}}<br />
| {{yes|Jailbreak Monte}}<br />
| {{yes|Yes}}<br />
| {{yes|Jailbreak Monte}}<br />
|-<br />
|}<br />
<br />
== My Sites ==<br />
'''These''' sites will be active and fully functional in about a week or two.<br />
{| border=3<br />
|-<br />
! Site Name<br />
! Link<br />
! Description<br />
! Status<br />
|-<br />
| Apple Forum<br />
| [http://www.appleitaly.com/ Apple Italy]<br />
| My site about Apple Device<br />
| {{yes|Online}}<br />
|-<br />
|}<br />
<br />
<br />
==Programing Languages==<br />
{| border="1" class=wikitable<br />
|-<br />
| |<br />
{| border="1" class=wikitable<br />
|-<br />
| {{yes|Known}}<br />
| {{partial|Learning}}<br />
| {{no|Going to learn}}<br />
|}<br />
| |<br />
{| border="1" class=wikitable"<br />
|-<br />
! Visual Studio<br />
| {{yes|[[wikipedia:Visual BASIC|Visual BASIC]]}}<br />
| {{yes|[[wikipedia:Visual BASIC|Visual BASIC]] ([[wikipedia:Windows Presentation Foundation|WPF]])}}<br />
| {{no|[[wikipedia:C (programming language)|C]]}}<br />
| {{no|[[wikipedia:C++ (programming language)|C++]]}}<br />
|-<br />
! Web<br />
| {{yes|[[wikipedia:HTML|HTML]]}}<br />
| {{yes|[[wikipedia:XHTML|XHTML]]}}<br />
| {{partial|[[wikipedia:XML|XML]]}}<br />
| {{partial|[[wikipedia:PHP|PHP]]}}<br />
|-<br />
! Java-based<br />
| {{yes|[[wikipedia:G-java|G-Java]]}}<br />
| {{yes|[[wikipedia:Java|Java]]}}<br />
|}<br />
|}</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Jailbreak&diff=15043
Jailbreak
2011-01-17T11:47:40Z
<p>Toddyt1: /* Userland (used for all devices) */</p>
<hr />
<div>This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition as read-write. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial unlocking can be applied.<br />
<br />
The original jailbreak also included modifying the [[AFC|afc]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC|afc2]]) that allows access to the full filesystem.<br />
<br />
Modern jailbreaks also include patching the kernel to get around code signing and other restrictions.<br />
<br />
==Exploits which were used in order to jailbreak (in chronological order)==<br />
=== 1.0.2 ===<br />
* [[Restore Mode]] ([[iBoot (Bootloader)|iBoot]] had a command named cp, which had access to the whole filesystem)<br />
<br />
=== 1.1.1 ===<br />
* [[Symlinks]] (an upgrade jailbreak)<br />
* [[LibTiff | libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]])<br />
=== 1.1.2 ===<br />
* [[Mknod]] (an upgrade jailbreak)<br />
=== 1.1.3 / 1.1.4 ===<br />
* [[Soft Upgrade]] (an upgrade jailbreak)<br />
* [[Ramdisk Hack]]<br />
<br />
==Exploits which are used in order to jailbreak 2.0 and above==<br />
<br />
===[[Userland]] (used for all devices)===<br />
*[[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (together for [[Spirit]])<br />
*[[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (together for [[Star]])<br />
*[[Packet Filter Kernel Exploit]] (together with [[limera1n]]'s bootrom exploit or the [[usb_control_msg(0xA1, 1) Exploit]], for [[untethered jailbreak]])<br />
<br />
===[[M68ap|iPhone]] / [[N82ap|iPhone 3G]] / [[N45ap|iPod touch]]===<br />
* [[Pwnage]] and [[Pwnage 2.0]] (together)<br />
<br />
===[[N72ap|iPod touch 2G]]===<br />
* [[ARM7 Go]] (used by [[tethered jailbreak]]s)<br />
* [[0x24000 Segment Overflow]] (used on "MB" models for an [[untethered jailbreak]])<br />
*[[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] for units with the [[iBoot-240.5.1|new bootrom]])<br />
*[[usb_control_msg(0xA1, 1) Exploit]] (used for a [[tethered jailbreak]] on units with the [[iBoot-240.5.1|new bootrom]])<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
* [[0x24000 Segment Overflow]] (used on older devices for an [[untethered jailbreak]])<br />
* [[iBoot Environment Variable Overflow]]<br />
* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] for newer devices)<br />
* [[limera1n]] ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[N18ap|iPod touch 3G]]===<br />
*[[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] only)<br />
* [[limera1n]] ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[N90ap|iPhone 4]]===<br />
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[N81ap|iPod touch 4G]]===<br />
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[k48ap|iPad]]===<br />
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[k66ap|Apple TV 2G]]===<br />
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=User:Toddyt1&diff=15042
User:Toddyt1
2011-01-17T11:42:08Z
<p>Toddyt1: </p>
<hr />
<div>Hi. :)<br />
<br />
I'm toddyt1. Otherwise known as Thomas Todd. I'am interested in computers and computing related things. I'am also very interested in learning about the iphone. Sorry about multiple, rapid sequential edits i make to pages i often edit from my iPhone. Currently I am not jailbroken but still actively follow what is happening in the scene.<br />
<br />
Im currently learning VB.NET at college. In the future i plan on learning objective-c.</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Jailbreak&diff=15041
Jailbreak
2011-01-17T10:43:31Z
<p>Toddyt1: added ipad and apple tv 2g</p>
<hr />
<div>This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition as read-write. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial unlocking can be applied.<br />
<br />
The original jailbreak also included modifying the [[AFC|afc]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC|afc2]]) that allows access to the full filesystem.<br />
<br />
Modern jailbreaks also include patching the kernel to get around code signing and other restrictions.<br />
<br />
==Exploits which were used in order to jailbreak (in chronological order)==<br />
=== 1.0.2 ===<br />
* [[Restore Mode]] ([[iBoot (Bootloader)|iBoot]] had a command named cp, which had access to the whole filesystem)<br />
<br />
=== 1.1.1 ===<br />
* [[Symlinks]] (an upgrade jailbreak)<br />
* [[LibTiff | libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]])<br />
=== 1.1.2 ===<br />
* [[Mknod]] (an upgrade jailbreak)<br />
=== 1.1.3 / 1.1.4 ===<br />
* [[Soft Upgrade]] (an upgrade jailbreak)<br />
* [[Ramdisk Hack]]<br />
<br />
==Exploits which are used in order to jailbreak 2.0 and above==<br />
<br />
===[[Userland]] (used for all devices)===<br />
*[[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (together for [[Spirit]])<br />
*[[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (together for [[Star]])<br />
*[[Packet Filter Kernel Exploit]] (together with [[limera1n]]'s bootrom exploit or the [[usb_control_msg(0xA1, 1) Exploit]])<br />
<br />
===[[M68ap|iPhone]] / [[N82ap|iPhone 3G]] / [[N45ap|iPod touch]]===<br />
* [[Pwnage]] and [[Pwnage 2.0]] (together)<br />
<br />
===[[N72ap|iPod touch 2G]]===<br />
* [[ARM7 Go]] (used by [[tethered jailbreak]]s)<br />
* [[0x24000 Segment Overflow]] (used on "MB" models for an [[untethered jailbreak]])<br />
*[[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] for units with the [[iBoot-240.5.1|new bootrom]])<br />
*[[usb_control_msg(0xA1, 1) Exploit]] (used for a [[tethered jailbreak]] on units with the [[iBoot-240.5.1|new bootrom]])<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
* [[0x24000 Segment Overflow]] (used on older devices for an [[untethered jailbreak]])<br />
* [[iBoot Environment Variable Overflow]]<br />
* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] for newer devices)<br />
* [[limera1n]] ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[N18ap|iPod touch 3G]]===<br />
*[[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] only)<br />
* [[limera1n]] ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[N90ap|iPhone 4]]===<br />
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[N81ap|iPod touch 4G]]===<br />
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[k48ap|iPad]]===<br />
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)<br />
<br />
===[[k66ap|Apple TV 2G]]===<br />
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=PMB8878&diff=14979
PMB8878
2011-01-15T21:49:19Z
<p>Toddyt1: /* Known iPhone (3G and 3GS) Firmware Versions */</p>
<hr />
<div>This is the baseband processor used in the [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] and [[K48ap|iPad]] (3G version). It is upgraded with [[BBUpdaterExtreme]]. It is also known as the PMB8878 and is also used on the LG KM900 ARENA. There is a [http://arenoid.com team] working on how to port Android on LG ARENA.<br />
<br />
==Datasheet==<br />
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.<br />
<br />
View Pinouts from Apple iPhone 3G Schematic - http://img218.imageshack.us/img218/149/baseband.jpg<br />
<br />
The firmware is a version of [http://www.mentor.com/products/embedded_software/nucleus_rtos/ Nucleos OS], a realtime OS for embedded platforms. The parser for the AT commands is generated from GNU bison.<br />
<br />
==Secpack 2.0==<br />
This is the security region in the files sent to the [[X-Gold 608]]. This is the first 0xCF8 is new fls and eep files.<br />
<br />
===Layout===<br />
0x634--Memory Map<br />
0x714--Descriptor<br />
0xCD4--Post secpack pointer to name<br />
0xCEC--Data length<br />
<br />
==Endpack==<br />
The fls and eep files also have a footer tacked onto the end containing the loader and signature.<br />
<br />
==Memory Map==<br />
FLASH 0x20000000 0x1000000<br />
CODE 0x20000000 0x40000 0b0010(bootstrapper)<br />
CODE 0x20040000 0xDC0000 0b0100(main firmware)<br />
FFS 0x20A00000 0x100000 0b1100(empty)<br />
DYNFFS 0x20A00000 0x100000 0b1100(empty)<br />
FFS 0x20B00000 0x40000 0b1011(empty)<br />
DYN_EEP 0x20E40000 0x80000 0b0110<br />
SECPACK 0x20EC0000 0x40000<br />
SECZONE 0x20F80000 0x40000<br />
STATIC_EEP 0x20FC0000 0x40000 0b0111<br />
RAM 0x40000000 0x800000<br />
<br />
==MMU relocation table==<br />
===Bootloader===<br />
[[Image:Bltbl.png]]<br />
<br />
===Firmware===<br />
[[Image:Bbmmu.png]]<br />
<br />
== Known [[iPhone]] (3G and 3GS) Firmware Versions ==<br />
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)<br />
[[1.43.02]] 2.0 (Unknown Internal Beta)<br />
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)<br />
[[1.48.02]] 2.0.1 (Build 5B108)<br />
[[2.04.03]] 2.1 (Build 5F90)<br />
[[2.08.01]] 2.0.2 (Build 5C1)<br />
[[2.11.07]] 2.1 (Build 5F136)<br />
[[2.28.00]] 2.2 (Build 5G77)<br />
[[2.30.03]] 2.2.1 (Build 5H11)<br />
[[4.20.01]] 3.0 beta 1 (Build 7A238j)<br />
[[4.22.01]] 3.0 beta 2 (Build 7A259g)<br />
[[4.24.02]] 3.0 beta 3 (Build 7A280f)<br />
[[4.26.08]] 3.0 (Build 7A341) and 3.0.1 (Build 7A400)<br />
[[5.08.01]] 3.1 beta 1 (Build 7C97d)<br />
[[5.10.01]] 3.1 beta 2 (Build 7C106c)<br />
[[5.11.04]] 3.1 beta 3 (Build 7C116a)<br />
[[5.11.07]] 3.1 (Build 7C144) and 3.1.2 (Build 7D11)<br />
[[5.12.01]] 3.1.3 (Build 7E18)<br />
[[5.13.03]] 4.0 beta 1 (Build 8A230m) and 4.0 beta 2 (Build 8A248c)<br />
[[5.13.04]] 4.0 (Build 8A293), 4.0.1 (Build 8A306), and 4.0.2 (Build 8A400)<br />
[[5.14.01]] 4.1 beta 2 (Build 8B5091b)<br />
[[5.14.02]] 4.1 (Build 8B117)<br />
[[5.15.04]] 4.2.1(Build 8C148)<br />
[[5.16.00]] 4.3b1 (Build 8F5148b)<br />
<br />
== Known [[iPad]] Firmware Versions ==<br />
[[6.15.00]] 3.2 (Build 7B367), 3.2.1 (Build 7B405), and 3.2.2 (Build 7B500)<br />
[[7.08.00]] 4.2 beta 1 (Build 8C5091e)<br />
[[7.09.00]] 4.2 beta 2 (Build 8C5101)<br />
[[7.10.00]] 4.2.1 (Build 8C148)<br />
[[7.11.00]] 4.3b1 (Build 8F5148b)<br />
<br />
==Accessing [[Interactive Mode]]==<br />
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.<br />
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset(kAppleBasebandConnectMethodResetModem)<br />
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set(kAppleBasebandConnectMethodRadioOn)<br />
result = IOConnectCallScalarMethod(conn, 2, ?, 0, 0, 0); //configuring mux<br />
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle<br />
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset<br />
result = IOConnectCallScalarMethod(conn, 9, 0, 0, 0, 0); //kAppleBasebandConnectMethodNotifyBasebandPoweringDown<br />
<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=05.15.04&diff=14978
05.15.04
2011-01-15T21:47:36Z
<p>Toddyt1: </p>
<hr />
<div>[[X-Gold 608]] firmware supplied with iOS 4.2.1.<br />
<br />
== Exploits ==<br />
*No exploit compatible with this modem firmware has been publicly released.<br />
*It is possible to upgrade the modem firmware to the exploitable [[6.15.00]], however this action will result in serious side-effects that can't currently be fixed as a baseband downgrade is actively blocked by [[BBUpdaterExtreme]]. [http://blog.iphone-dev.org/post/1718400992/ultra-recycle More info]<br />
<br />
<!-- Proposal: [[Category:X-Gold 608]] --></div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=05.15.04&diff=14977
05.15.04
2011-01-15T21:45:36Z
<p>Toddyt1: </p>
<hr />
<div>[[X-Gold 608]] firmware supplied with iOS 4.2GM.<br />
<br />
== Exploits ==<br />
*No exploit compatible with this modem firmware has been publicly released.<br />
*It is possible to upgrade the modem firmware to the exploitable [[6.15.00]], however this action will result in serious side-effects that can't currently be fixed as a baseband downgrade is actively blocked by [[BBUpdaterExtreme]]. [http://blog.iphone-dev.org/post/1718400992/ultra-recycle More info]<br />
<br />
<!-- Proposal: [[Category:X-Gold 608]] --></div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=14976
Firmware
2011-01-15T21:12:21Z
<p>Toddyt1: /* iPhone 4 */ 1.59.001 doesnt exist</p>
<hr />
<div>Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[K66ap|Apple TV (2nd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="40"| [[IBoot (Bootloader)|iBoot]]<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Publicly available virgin [[jailbreak]]?<br />
!width="70"| File Size<br />
|-<br />
| 4.1<br />
| [[Mojave 8M89 (Apple TV 2G)|Mojave 8M89]]<br />
| [[IBoot-931.44.21|931.44.21]]<br />
| [http://appldnld.apple.com/AppleTV/061-8940.20100926.Tvtnz/AppleTV2,1_4.1_8M89_Restore.ipsw AppleTV2,1_4.1_8M89_Restore.ipsw]<br />
| <code>68647d6ce163fc20891ca5bcff647c8eecc2b8d9</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 253,759,976<br />
|-<br />
| 4.2<br />
| [[jasper 8C150 (Apple TV 2G)|Jasper 8C150]]<br />
| [[IBoot-931.71.16|931.71.16]]<br />
| [http://appldnld.apple.com/AppleTV/061-8747.20101122.Vgtr5/AppleTV2,1_4.2_8C150_Restore.ipsw AppleTV2,1_4.2_8C150_Restore.ipsw]<br />
| <code>58f9ab479783dad3dff3834452abc2917aaef2a5</code><br />
|<br />
| {{no}}<br />
| 279,991,056<br />
|-<br />
| 4.2.1<br />
| [[jasper 8C154 (Apple TV 2G)|Jasper 8C154]]<br />
| [[IBoot-931.71.16|931.71.16]]<br />
| [http://appldnld.apple.com/AppleTV/061-9978.20101214.gmabr/AppleTV2,1_4.2.1_8C154_Restore.ipsw AppleTV2,1_4.2.1_8C154_Restore.ipsw]<br />
| <code>c2b1adea595afa2b9caf633f0a820d3b66424dbf</code><br />
|<br />
| {{no}}<br />
| 280,052,510<br />
|}<br />
<br />
===[[K48ap|iPad]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[X-Gold 608#Known iPad Firmware Versions|Baseband]] (3G only)<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Publicly available virgin [[jailbreak]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.2<br />
| [[Wildcat 7B367 (iPad)|Wildcat 7B367]]<br />
|rowspan="3" | [[6.15.00]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPad/061-7987.20100403.mjiTr/iPad1,1_3.2_7B367_Restore.ipsw iPad1,1_3.2_7B367_Restore.ipsw]<br />
| <code>172e8297af74b91971a802e6ad137c891f553099</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 478,959,325<br />
|-<br />
| 3.2.1<br />
| [[Wildcat 7B405 (iPad)|Wildcat 7B405]]<br />
| [http://appldnld.apple.com/iPad/061-8282.20100713.vgtgh/iPad1,1_3.2.1_7B405_Restore.ipsw iPad1,1_3.2.1_7B405_Restore.ipsw]<br />
| <code>de0a2b64cd335d48fb4abc9ed8700f5dbdf768ca</code><br />
| <br />
| {{yes}}<br />
| 479,012,625<br />
|-<br />
| 3.2.2<br />
| [[Wildcat 7B500 (iPad)|Wildcat 7B500]]<br />
| [http://appldnld.apple.com/iPad/061-8801.20100811.CvfR5/iPad1,1_3.2.2_7B500_Restore.ipsw iPad1,1_3.2.2_7B500_Restore.ipsw]<br />
| <code>68b613f78581d36eab96aa5a007001dff142baa3</code><br />
| Hotfix to prevent malicious misuse of [[Star]]'s exploits.<br />
| {{yes}}<br />
| 479,001,595<br />
|-<br />
| 4.2.1<br />
| [[Jasper 8C148 (iPad)|Jasper 8C148]]<br />
| [[7.10.00]]<br />
| [http://appldnld.apple.com/iPad/061-9857.20101122.VGthy/iPad1,1_4.2.1_8C148_Restore.ipsw iPad1,1_4.2.1_8C148_Restore.ipsw]<br />
| <code>8717b3bedc925b587566442ad375aa65d857e79a</code><br />
| <br />
| {{yes|Yes<sup>1</sup>}}<br />
| 578,084,840<br />
|}<br />
<br />
<sup>1</sup> [[Tethered jailbreak]] only.<br />
<br />
===[[M68ap|iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband Firmware]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="99"| Publicly available virgin [[jailbreak]]?<br />
!width="91"| Publicly available virgin [[unlock]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code><br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{no}}<br />
| {{no}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.11.02_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| <code>fb8bb3ee2e9a997affbb97868599f2995c78209c</code><br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| <code>a00b85a7a55d62a94be5fbf5effbc42fd63f3097</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| <code>7f5c0ff1f84a0202b75a55c3fcb362e415334d1e</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| <code>d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>797c02e7d660940e8d9a16cc7229ccf3f67dd8b1</code><br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>b3dec7580bd00dc4faf28449d9618ef40aeacc96</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>000811bac096011b50ebf6ec1ec2285b62fda4cb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| [[Big Bear 5A347 (iPhone)|Big Bear 5A347]]<br />
|rowspan="11"| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| <code>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</code><br />
| <br />
| {{yes}}<br />
|rowspan="11" {{yes|[[BootNeuter]]}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| [[Big Bear 5B108 (iPhone)|Big Bear 5B108]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| <code>61de6a2bd6ceddc9ecabad1671b91a59b3824bc4</code><br />
| <br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| [[Big Bear 5C1 (iPhone)|Big Bear 5C1]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| <code>b84b57bea919bdc720287ec908c1378e7d7b5e1b</code><br />
| <br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| [[Sugar Bowl 5F136 (iPhone)|Sugar Bowl 5F136]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| <code>353b7745767b85932e14e262e69463620939bdf7</code><br />
| <br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| [[Timberline 5G77 (iPhone)|Timberline 5G77]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| <code>cbfc6ff886ce89868a55547b9fb980dbf92e6418</code><br />
| <br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| [[SUTimberline 5H11 (iPhone)|SUTimberline 5H11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| <code>43b95ebe1e51f8d30eae916053396595c08440d3</code><br />
| <br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| <code>2afd3f8ede17390737f508473ed205506a0bd23f</code><br />
| <br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>34c391fbbc7b31b159372766de39ce5c9cc26ebb</code><br />
| Hotfix for an SMS exploit.<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| <code>b7b5f436f81c6f855410e8b44a3d432ccaacd6fc</code><br />
|<br />
| {{yes}}<br />
| 252,536,460<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7268.20091008.32pNe/iPhone1,1_3.1.2_7D11_Restore.ipsw iPhone1,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>e4a1171542dbbd3093516d9c02047b9f7e143050</code><br />
|<br />
| {{yes}}<br />
| 252,515,888<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone)|SUNorthstarTwo 7E18]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7481.20100202.4orot/iPhone1,1_3.1.3_7E18_Restore.ipsw iPhone1,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>eab23a7f8d2a17cb71046c50fc5f67ec390a3c2b</code><br />
|<br />
| {{yes}}<br />
| 238,319,275<br />
|}<br />
<br />
===[[N82ap|iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[X-Gold 608#Known iPhone Firmware Versions|Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="99"| Publicly available virgin [[jailbreak]]?<br />
!width="90"| Publicly available virgin [[unlock]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| [[Big Bear 5A345 (iPhone 3G)|Big Bear 5A345]]<br />
|rowspan="2" | [[1.45.00]]<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|rowspan="5" {{partial|Upgrade to 2.2}}<br />
| <br />
|-<br />
| 2.0<br />
| [[Big Bear 5A347 (iPhone 3G)|Big Bear 5A347]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| <code>af9506ca0034e462674f9f59c5406f159eaf9fc1</code><br />
| <br />
| {{yes}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| [[Big Bear 5B108 (iPhone 3G)|Big Bear 5B108]]<br />
| [[1.48.02]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| <code>e81c7ac7e334a3e9d81b3b47894bfaa1ec495482</code><br />
| <br />
| {{yes}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| [[Big Bear 5C1 (iPhone 3G)|Big Bear 5C1]]<br />
| [[2.08.01]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| <code>bef7fef954293046420fbcf947379839178a195b</code><br />
| <br />
| {{yes}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| [[Sugar Bowl 5F136 (iPhone 3G)|Sugar Bowl 5F136]]<br />
| [[2.11.07]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| <code>c6957dcbf2a95ccfd6dce374a727b1b7700a9043</code><br />
| <br />
| {{yes}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| [[Timberline 5G77 (iPhone 3G)|Timberline 5G77]]<br />
| [[2.28.00]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| <code>f67f8b2b842428bf89456cda0c2d5cf954d111a4</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|yellowsn0w]]}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| [[SUTimberline 5H11 (iPhone 3G)|SUTimberline 5H11]]<br />
| [[2.30.03]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| <code>e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c</code><br />
| <br />
| {{yes}}<br />
| {{partial|Upgrade to 3.0}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
|rowspan="2" | [[4.26.08]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| <code>94f1fb43de12bff0f168ce690b7e794cc6220ae3</code><br />
| <br />
| {{yes}}<br />
|rowspan="2" {{yes|[[ultrasn0w]]}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone 3G)|Kirkwood 7A400]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| <code>a148ff39fa4dea499e7a9dd007b63e90c4f56666</code><br />
| Hotfix for an SMS exploit.<br />
| {{yes}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
|rowspan="2" | [[5.11.07]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| <code>9b3b3c148170b012012278efda9ff5c38282d559</code><br />
| <br />
| {{yes}}<br />
|rowspan="2" {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,361,339<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3G)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7265.20091008.Xsd32/iPhone1,2_3.1.2_7D11_Restore.ipsw iPhone1,2_3.1.2_7D11_Restore.ipsw]<br />
| <code>b1a6ab2771bb5da372ba75a8fa3e1d72b71359d0</code><br />
|<br />
| {{yes}}<br />
| 253,340,786<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3G)|SUNorthstarTwo 7E18]]<br />
| [[5.12.01]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7468.20100202.pbnrt/iPhone1,2_3.1.3_7E18_Restore.ipsw iPhone1,2_3.1.3_7E18_Restore.ipsw]<br />
| <code>f5950afca546f93e281ba3cdb08bc0cfed7f0896</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 239,139,281<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3G)|Apex 8A293]]<br />
|rowspan="3" | [[5.13.04]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7436.20100621.58Yt4/iPhone1,2_4.0_8A293_Restore.ipsw iPhone1,2_4.0_8A293_Restore.ipsw]<br />
| <code>ee1eba9281b902d7ff3f24d50f9aebff0df27f92</code><br />
|<br />
| {{yes}}<br />
|rowspan="3" {{yes|[[ultrasn0w]]}}<br />
| 306,274,631<br />
|-<br />
| 4.0.1<br />
| [[Apex 8A306 (iPhone 3G)|Apex 8A306]]<br />
| [http://appldnld.apple.com/iPhone4/061-8616.20100715.phnt4/iPhone1,2_4.0.1_8A306_Restore.ipsw iPhone1,2_4.0.1_8A306_Restore.ipsw]<br />
| <code>940bd2b36c646f6673419eab661ac1f13248e592</code><br />
| New formula to calculate bars. Otherwise, it's the same as 4.0.<br />
| {{yes}}<br />
| 320,237,975<br />
|-<br />
| 4.0.2<br />
| [[Apex 8A400 (iPhone 3G)|Apex 8A400]]<br />
| [http://appldnld.apple.com/iPhone4/061-8802.20100811.XcfpR/iPhone1,2_4.0.2_8A400_Restore.ipsw iPhone1,2_4.0.2_8A400_Restore.ipsw]<br />
| <code>ee2bc74719170a7a2440b593b6f300727c930c69</code><br />
| Hotfix to prevent malicious misuse of [[Star]]'s exploits.<br />
| {{yes}}<br />
| 320,216,794<br />
|-<br />
| 4.1<br />
| [[Baker 8B117 (iPhone 3G)|Baker 8B117]]<br />
| [[5.14.02]]<br />
| [http://appldnld.apple.com/iPhone4/061-7932.20100908.3fgt5/iPhone1,2_4.1_8B117_Restore.ipsw iPhone1,2_4.1_8B117_Restore.ipsw]<br />
|<code>d87bab469dd1146ab83ddcc23f03b3164d7e09d4</code><br />
| <br />
| {{Yes}}<br />
| {{partial|Upgrade baseband to [[6.15.00]]}}<br />
| 323,137,556<br />
|-<br />
|-<br />
| 4.2.1<br />
| [[Jasper 8C148 (iPhone 3G)|Jasper 8C148]]<br />
| [[5.15.04]]<br />
| [http://appldnld.apple.com/iPhone4/061-9853.20101122.Vfgt5/iPhone1,2_4.2.1_8C148_Restore.ipsw iPhone1,2_4.2.1_8C148_Restore.ipsw]<br />
|<code>d2ed58586e8ca2153f2e2ec585bba8afc5173378</code><br />
| <br />
| {{Yes}}<br />
| {{partial|Upgrade baseband to [[6.15.00]]}}<br />
| 338,579,762<br />
|-<br />
|}<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
Units with the new bootrom began shipping around September 2009.<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[X-Gold 608#Known iPhone Firmware Versions|Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Publicly available virgin [[jailbreak]]? ([[IBoot-359.3|old bootrom]])<br />
!width="100"| Publicly available virgin [[jailbreak]]? ([[IBoot-359.3.2|new bootrom]])<br />
!width="80"| Publicly available virgin [[unlock]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
|rowspan="2" | [[4.26.08]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| <code>d8534408c8679c830fd0c4e36ef9762c11ef73df</code><br />
| Initial shipment.<br />
| {{yes}}<br />
|rowspan="2" {{no|[[SHSH]]s unavailable at release}}<br />
|rowspan="2" {{yes|[[ultrasn0w]]}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone_3GS)|Kirkwood 7A400]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>30006575af931e3da0521febace005152cdb8853</code><br />
| Hotfix for an SMS exploit.<br />
| {{yes}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3GS)|Northstar 7C144]]<br />
|rowspan="2" | [[5.11.07]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| <code>527c74f87588afa1d69c1e2c08eedc88f113013a</code><br />
| <br />
| {{yes}}<br />
| {{yes|Yes<sup>1</sup>}}<br />
|rowspan="2" {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,011,474<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3GS)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7270.20091008.phn32/iPhone2,1_3.1.2_7D11_Restore.ipsw iPhone2,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>6998bb7d9e869b2d89a08853312f9457d070fb1f</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 321,015,700<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3GS)|SUNorthstarTwo 7E18]]<br />
| [[5.12.01]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7472.20100202.8tugj/iPhone2,1_3.1.3_7E18_Restore.ipsw iPhone2,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>8cb3775e62c6f72059a962bf891b4e145b965052</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 305,122,343<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3GS)|Apex 8A293]]<br />
|rowspan="3" | [[5.13.04]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7437.20100621.5urG8/iPhone2,1_4.0_8A293_Restore.ipsw iPhone2,1_4.0_8A293_Restore.ipsw]<br />
| <code>e065245874c73510ceb8fa4bd9388b60d46eb252</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
|rowspan="3" {{yes|[[ultrasn0w]]}}<br />
| 396,281,280<br />
|-<br />
| 4.0.1<br />
| [[Apex 8A306 (iPhone 3GS)|Apex 8A306]]<br />
| [http://appldnld.apple.com/iPhone4/061-8618.20100715.Zapn4/iPhone2,1_4.0.1_8A306_Restore.ipsw iPhone2,1_4.0.1_8A306_Restore.ipsw]<br />
| <code>c2b6fb9a158547ce726baa1bf8f0558a71518fec</code><br />
| New formula to calculate bars. Otherwise, it's the same as 4.0.<br />
| {{yes}}<br />
| {{yes}}<br />
| 396,322,891<br />
|-<br />
| 4.0.2<br />
| [[Apex 8A400 (iPhone 3GS)|Apex 8A400]]<br />
| [http://appldnld.apple.com/iPhone4/061-8805.20100811.Dcr4e/iPhone2,1_4.0.2_8A400_Restore.ipsw iPhone2,1_4.0.2_8A400_Restore.ipsw]<br />
| <code>61d21363ced6e006cc226f9a0a0e9c6ed8e048ab</code><br />
| Hotfix to prevent malicious misuse of [[Star]]'s exploits.<br />
| {{yes}}<br />
| {{yes}}<br />
| 396,310,640<br />
|-<br />
| 4.1<br />
| [[Baker 8B117 (iPhone 3GS)|Baker 8B117]]<br />
| [[5.14.02]]<br />
| [http://appldnld.apple.com/iPhone4/061-7938.20100908.F3rCk/iPhone2,1_4.1_8B117_Restore.ipsw iPhone2,1_4.1_8B117_Restore.ipsw]<br />
|<code>2d1657cd33ae23b8d4e79e41fe758d09d3c52e30</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| {{partial|Upgrade baseband to [[6.15.00]]}}<br />
| 400,572,133<br />
|-<br />
| 4.2.1+<br />
| [[Jasper 8C148a (iPhone 3GS)|Jasper 8C148a]]<br />
| [[5.15.04]]<br />
| [http://appldnld.apple.com/iPhone4/061-9895.20101122.Cdew2/iPhone2,1_4.2.1_8C148a_Restore.ipsw iPhone2,1_4.2.1_8C148a_Restore.ipsw]<br />
| <code>2787bb9fbf18594279d05682e6fd16d2b9612a2a</code><br />
| <br />
| {{yes}}<br />
| {{yes|Yes<sup>1</sup>}}<br />
| {{partial|Upgrade baseband to [[6.15.00]]}}<br />
| 420,813,164<br />
|}<br />
<sup>1</sup> [[Tethered jailbreak]] only.<br />
<br />
===[[N90ap|iPhone 4]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[XMM 6180#Known Firmware Versions|Baseband]]<br />
!width="40"| [[IBoot (Bootloader)|iBoot]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Publicly available virgin [[jailbreak]]?<br />
!width="95"| Publicly available virgin [[unlock]]?<br />
!width="70"| File Size<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 4)|Apex 8A293]]<br />
|rowspan="3" | [[1.59.00]]<br />
| ?<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7380.20100621,Vfgb5/iPhone3,1_4.0_8A293_Restore.ipsw iPhone3,1_4.0_8A293_Restore.ipsw]<br />
| <code>171c2a3995fa149f2a369ccd87f82c5c30da3f88</code><br />
| Initial shipment.<br />
| {{yes}}<br />
|rowspan="3" {{Yes|[[ultrasn0w]]}}<br />
| 607,363,121<br />
|-<br />
| 4.0.1<br />
| [[Apex 8A306 (iPhone 4)|Apex 8A306]]<br />
| [[iBoot-889.24|889.24]]<br />
| [http://appldnld.apple.com/iPhone4/061-8619.20100715.4Pnsx/iPhone3,1_4.0.1_8A306_Restore.ipsw iPhone3,1_4.0.1_8A306_Restore.ipsw]<br />
| <code>a9cf20679273b7e502ab384854ba96cc2a54d532</code><br />
| New formula to calculate bars. Otherwise, it's the same as 4.0.<br />
| {{yes}}<br />
| 607,380,127<br />
|-<br />
| 4.0.2<br />
| [[Apex 8A400 (iPhone 4)|Apex 8A400]]<br />
| [[iBoot-889.24|889.24]]<br />
| [http://appldnld.apple.com/iPhone4/061-8807.20100811.3Edre/iPhone3,1_4.0.2_8A400_Restore.ipsw iPhone3,1_4.0.2_8A400_Restore.ipsw]<br />
| <code>19eb071cdb9f1601b106825d0a16b1449c6eef8c</code><br />
| Hotfix to prevent malicious misuse of [[Star]]'s exploits.<br />
| {{yes}}<br />
| 607,375,880<br />
|-<br />
| 4.1<br />
| [[Baker 8B117 (iPhone 4)|Baker 8B117]]<br />
| [[2.10.04]]<br />
| [[iBoot-931.18.27|931.18.27]]<br />
| [http://appldnld.apple.com/iPhone4/061-7939.20100908.Lcyg3/iPhone3,1_4.1_8B117_Restore.ipsw iPhone3,1_4.1_8B117_Restore.ipsw]<br />
|<code>a3f8a333ca181146b862ca6a59c9a6e7c27eba0b</code><br />
|<br />
| {{yes}}<br />
| {{No}}<br />
| 618,501,195<br />
|-<br />
| 4.2.1<br />
| [[Jasper 8C148 (iPhone 4)|Jasper 8C148]]<br />
| [[3.10.01]]<br />
| [[931.71.16]]<br />
| [http://appldnld.apple.com/iPhone4/061-9858.20101122.Er456/iPhone3,1_4.2.1_8C148_Restore.ipsw iPhone3,1_4.2.1_8C148_Restore.ipsw]<br />
|<code>366b28e9c95936bd4b11a84d54fefaf079fd6411</code><br />
| <br />
| {{yes|Yes<sup>1</sup>}}<br />
| {{No}}<br />
| 654,550,096<br />
|}<br />
<sup>1</sup> [[Tethered jailbreak]] only.<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Publicly available virgin [[jailbreak]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{no}}<br />
|<br />
|-<br />
| 1.1<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| <code>9b0d83c7f8b4328174a3f31e0e93f60e591ae143</code><br />
|<br />
| {{no}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| <code>84bbc6ea8bf29745195bc9926c1874f7c2a36f32</code><br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>108d8ffe9ea75e61cd5e57170ad388b7fa00d923</code><br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6</code><br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>c148d1eb1c979bb6434175411d4a372103a4fdd2</code><br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| <code>1b818911316e4248ee01d3ec67f9d39afc3db240</code><br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| [[Big Bear 5A347 (iPod touch 1G)|Big Bear 5A347]]<br />
| Download Link Prohibited<br />
| <code>ae82798e85f9953b0f4798bad36187cb020c9d22</code><br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| [[Big Bear 5B108 (iPod touch 1G)|Big Bear 5B108]]<br />
| Download Link Prohibited<br />
| <code>a81b6e7af4b85ef436d047f9da57c0f694d8964a</code><br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| [[Big Bear 5C1 (iPod touch 1G)|Big Bear 5C1]]<br />
| Download Link Prohibited<br />
| <code>c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2</code><br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| [[Sugar Bowl 5F137 (iPod touch 1G)|Sugar Bowl 5F137]]<br />
| Download Link Prohibited<br />
| <code>fc7f6d0972927df502ffca47438ca75dcccffaf3</code><br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| [[Timberline 5G77 (iPod touch 1G)|Timberline 5G77]]<br />
| Download Link Prohibited<br />
| <code>081a7de363230fb38d0ce092cbbe42f2a50c8a5f</code><br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| [[SUTimberline 5H11 (iPod touch 1G)|SUTimberline 5H11]]<br />
| Download Link Prohibited<br />
| <code>fc69be9e421bc0630567184506ab771f6b7ef68b</code><br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 1G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| <code>dff2bd14931225908a360fb8e60a336f17d2dd6d</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 1G)|Northstar 7C145]]<br />
| Download Link Prohibited<br />
| <code>c6270780c166db4c9f4f0a7fa945754a1f9fe7e8</code><br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 1G)|Northstar 7D11]]<br />
| Download Link Prohibited<br />
| <code>7367dd9ba58a3b9777307368a0128e696fdfc9a6</code><br />
| <br />
| {{yes}} <br />
| 249,780,497<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 1G)|SUNorthstarTwo 7E18]]<br />
| Download Link Prohibited<br />
| <code>5f897990f19d2f093b35e0813d7d77806404fb1f</code><br />
|<br />
| {{yes}}<br />
| 235,678,189<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
Units with the new bootrom have model numbers that start with "MC."<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="95"| Publicly available virgin [[jailbreak]]? ([[IBoot-240.4|old bootrom]])<br />
!width="100"| Publicly available virgin [[jailbreak]]? ([[IBoot-240.5.1|new bootrom]])<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138 (iPod touch 2G)|Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| <code>c3c700be49ad227d1152188e7c1e46b8958fd1e4</code><br />
| Initial shipment.<br />
| {{yes|Yes<sup>1</sup>}}<br />
|rowspan="4" {{no|Incompatible device/<br />
firmware match}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| [[Timberline 5G77a (iPod touch 2G)|Timberline 5G77a]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| <code>34a0a489605f34d6cc6c9954edcaaf9a050deedc</code><br />
|<br />
| {{no}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| [[SUTimberline 5H11a (iPod touch 2G)|SUTimberline 5H11a]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| <code>9af5625ea34acdd8abeb6fce71a72651d0c815d5</code><br />
|<br />
| {{yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| <code>0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42</code><br />
| 3.x is a paid upgrade series<br />
| {{yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 2G)|Northstar 7C145]]<br />
| Download Link Prohibited<br />
| <code>e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7</code><br />
| Initial shipment for units with the new bootrom.<br />
| {{yes}}<br />
| {{yes|Yes<sup>1</sup>}}<br />
| 277,753,989<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 2G)|Northstar 7D11]]<br />
| Download Link Prohibited<br />
| <code>e7c83d4a5baec0e81816ae1cd1caf9a4dc38ebf0</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 277,794,671<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 2G)|SUNorthstarTwo 7E18]]<br />
| Download Link Prohibited<br />
| <code>5f4f5c01eda2f811f73167e7d1f82dbeed82367b</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 263,275,211<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPod touch 2G)|Apex 8A293]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7435.20100621.tr49t/iPod2,1_4.0_8A293_Restore.ipsw iPod2,1_4.0_8A293_Restore.ipsw]<br />
| <code>c026c373bc535496a6f901de2ba37d4a487413bf</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 330,278,777<br />
|-<br />
| 4.0.2<br />
| [[Apex 8A400 (iPod touch 2G)|Apex 8A400]]<br />
| [http://appldnld.apple.com/iPhone4/061-8551.20100811.Xcder/iPod2,1_4.0.2_8A400_Restore.ipsw iPod2,1_4.0.2_8A400_Restore.ipsw]<br />
| <code>06a42297d94461264eb64d7c8640cc5d1c19edeb</code><br />
| Hotfix to prevent malicious misuse of [[Star]]'s exploits.<br />
| {{yes}}<br />
| {{yes|Yes<sup>1</sup>}}<br />
| 344,248,876<br />
|-<br />
| 4.1<br />
| [[Baker 8B117 (iPod touch 2G)|Baker 8B117]]<br />
| [http://appldnld.apple.com/iPhone4/061-7937.20100908.ghj4f/iPod2,1_4.1_8B117_Restore.ipsw iPod2,1_4.1_8B117_Restore.ipsw]<br />
|<code>97abde6207660bd876fd476275dd526d0dcf3d19</code><br />
| <br />
| {{Yes}}<br />
| {{yes}}<br />
| 348,027,174<br />
|-<br />
| 4.2.1<br />
| [[Jasper 8C148 (iPod touch 2G)|Jasper 8C148]]<br />
| [http://appldnld.apple.com/iPhone4/061-9855.20101122.Lrft6/iPod2,1_4.2.1_8C148_Restore.ipsw iPod2,1_4.2.1_8C148_Restore.ipsw]<br />
|<code>b9efddc7bb4350c237a8d3846af61bbfc8a2f647</code><br />
|<br />
| {{yes}}<br />
| {{no}}<br />
|363,553,480<br />
|}<br />
<sup>1</sup> [[Tethered jailbreak]] only.<br />
<br />
===[[N18ap|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="99"| Publicly available virgin [[jailbreak]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C145]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| <code>a3eddbe2cf77858bae7087dc8b2035f0d3097e57</code><br />
| Initial shipment.<br />
| {{yes|Yes<sup>1</sup>}}<br />
<br />
| 311,702,789<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C146 (iPod touch 3G)|Northstar 7C146]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7238.20090918.23GhT/iPod3,1_3.1.1_7C146_Restore.ipsw iPod3,1_3.1.1_7C146_Restore.ipsw]<br />
| <code>f66a7286b261137f25ddbbd84047f9a7ea181904</code><br />
| <br />
| {{yes|Yes<sup>1</sup>}}<br />
| 311,690,768<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 3G)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7271.20091008.Tch23/iPod3,1_3.1.2_7D11_Restore.ipsw iPod3,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>02dcee28d788d594a2939ab564f4f183af6ccdf2</code><br />
| <br />
| {{yes}}<br />
| 311,740,034<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 3G)|SUNorthstarTwo 7E18]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7473.20100202.4i44t/iPod3,1_3.1.3_7E18_Restore.ipsw iPod3,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>375fd469b18bfc0b74c7cfa5b4d5945197b1d106</code><br />
|<br />
| {{yes}}<br />
| 295,870,806<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPod touch 3G)|Apex 8A293]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7381.20100621.AzSP9/iPod3,1_4.0_8A293_Restore.ipsw iPod3,1_4.0_8A293_Restore.ipsw]<br />
| <code>36fe02b83f87d6305db572e1644841e3cd64cc7d</code><br />
|<br />
| {{yes}}<br />
| 384,178,784<br />
|-<br />
| 4.0.2<br />
| [[Apex 8A400 (iPod touch 3G)|Apex 8A400]]<br />
| [http://appldnld.apple.com/iPhone4/061-8554.20100811.Bgt54/iPod3,1_4.0.2_8A400_Restore.ipsw iPod3,1_4.0.2_8A400_Restore.ipsw]<br />
| <code>481b21044130125b117d53207f725b70fb061855</code><br />
| Hotfix to prevent malicious misuse of [[Star]]'s exploits.<br />
| {{yes}}<br />
| 384,203,993<br />
|-<br />
| 4.1<br />
| [[Baker 8B117 (iPod touch 3G)|Baker 8B117]]<br />
| [http://appldnld.apple.com/iPhone4/061-7941.20100908.sV9KE/iPod3,1_4.1_8B117_Restore.ipsw iPod3,1_4.1_8B117_Restore.ipsw]<br />
|<code>3162bad4060b7a58c9942ddb483e5bd9bcc5269f</code><br />
| <br />
| {{yes}}<br />
| 388,255,189<br />
|-<br />
| 4.2.1<br />
| [[Jasper 8C148 (iPod touch 3G)|Jasper 8C148]]<br />
| [http://appldnld.apple.com/iPhone4/061-9860.20101122.Xsde3/iPod3,1_4.2.1_8C148_Restore.ipsw iPod3,1_4.2.1_8C148_Restore.ipsw]<br />
|<code>1127a042c535f7cf0be950ff8946862d5fb05b36</code><br />
| <br />
| {{yes|Yes<sup>1</sup>}}<br />
| 408,118,620<br />
|}<br />
<br />
<sup>1</sup> [[Tethered jailbreak]] only.<br />
<br />
===[[N81ap|iPod touch (4th generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="99"| Publicly available virgin [[jailbreak]]?<br />
!width="70"| File Size<br />
|-<br />
| 4.1<br />
| [[Baker 8B117 (iPod touch 4G)|Baker 8B117]]<br />
| [http://appldnld.apple.com/iPhone4/061-8490.20100901.hyjtR/iPod4,1_4.1_8B117_Restore.ipsw iPod4,1_4.1_8B117_Restore.ipsw]<br />
| <code>a464492bf6ad25d65b378c85d8b181f973ede38a</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 608,360,672<br />
|-<br />
| 4.1<br />
| [[Baker 8B118 (iPod touch 4G)|Baker 8B118]]<br />
| [http://appldnld.apple.com/iPhone4/061-9344.20100922.Urgt43/iPod4,1_4.1_8B118_Restore.ipsw iPod4,1_4.1_8B118_Restore.ipsw]<br />
| <code>331fb1342f5dab8c04cead74384a1e0fc1145952</code><br />
| <br />
| {{yes}}<br />
| 608,360,927<br />
|-<br />
| 4.2.1<br />
| [[Jasper 8C148 (iPod touch 4G)|Jasper 8C148]]<br />
| [http://appldnld.apple.com/iPhone4/061-9859.20101122.$erft/iPod4,1_4.2.1_8C148_Restore.ipsw iPod4,1_4.2.1_8C148_Restore.ipsw]<br />
| <code>6a890696126d0cb7f9ccd6b913ecb09cf2029820</code><br />
| <br />
| {{yes|Yes<sup>1</sup>}}<br />
|638,177,119<br />
|}<br />
<br />
<sup>1</sup> [[Tethered jailbreak]] only.<br />
<br />
==See also==<br />
* [[VFDecrypt]]<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://itunes.com/version Apple Firmware XML]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Redsn0w&diff=14893
Redsn0w
2011-01-12T16:33:23Z
<p>Toddyt1: Undo revision 14891 by Ryccardo (Talk). Windows version was never released.</p>
<hr />
<div>{{DISPLAYTITLE:redsn0w}}<br />
[[Image:Redsn0w.png|thumb|redsn0w on Mac OS X]]<br />
redsn0w was originally called [[QuickPwn]] but due to the theft and exploitation of the name, QuickPWN by quickpwn.com, as of iOS 3.0, QuickPwn was discontinued and redsn0w (at the time, version 0.7) was converted into a [[jailbreak]]ing tool for all current devices as well as providing [[unlock]] support the [[M68ap|iPhone 2G]]. As of version 0.8, the [[N88ap|iPhone 3GS]] can also be jailbroken through redsn0w.<br />
<br />
Version 0.9 beta 3 was released for Windows and Mac OS X, and it allows iOS 3.0 through 3.1.2 to be jailbroken. It includes support for all devices except the [[N18ap|iPod touch 3G]], and supports a [[tethered jailbreak]] on [[N88ap|iPhone 3GS]] units and [[N72ap|iPod touch 2G]] units with new bootroms. In addition, this version supports custom boot and recovery mode logos, as well as verbose mode on bootup.<br />
<br />
Version [http://wikee.iphwn.org/howto:rs9 0.9.2] supports jailbreaking of all iDevices (at the time) with iOS 3.0 through 3.1.2 on Windows and Mac OS X, as well as 3.1.3 on [[S5L8900]] devices. Version 0.9.3 adds support of internet tethering IPCC hack on those devices and 0.9.4 allows jailbreaking of early [[N72ap|iPod touch 2G]] with iOS 3.1.3.<br />
<br />
Version [http://wikee.iphwn.org/howto:rsbeta 0.9.5b5-5] supports jailbreaking the [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]]) with iOS 4.0 on Windows and Mac OS X.<br />
<br />
redsn0w [http://blog.iphone-dev.org/post/1718400992 0.9.6b6] can jailbreak iOS 3.2.2, 4.1, and 4.2.1 for every device that supports those versions (except Apple TV 2G), on Windows and Mac OS X.<br />
<br />
== Credit ==<br />
[[iPhone Dev Team]]<br />
<br />
== Versions ==<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.1 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreak for the [[n72ap|iPod touch 2G]].<br />
|-<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.7 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.8 ====<br />
| style="white-space: nowrap;" | July 2009<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreaks iPhone OS 3.0 on the [[n88ap|iPhone 3GS]] only.<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.2 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports 3.0-3.1.2 on all iPhones and iPod touches ([[tethered jailbreak|tethered]] for newer devices with [[0x24000 Segment Overflow]] closed)<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.3 beta ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Contains the IPCC hack to enable tethering on the iPhone 3G and 3GS.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.4 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports jailbreaking iOS 3.1.3 on [[M68ap|iPhone 2G]], [[N82ap|iPhone 3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]])<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.5 beta 3 ====<br />
| style="white-space: nowrap;" | June 21, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Supports jailbreaking iOS 4.0 on [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]])<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.5 beta 4 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Resolved a problem with iBooks.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.5 beta 5 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Supposed to fix any APN or MMS issues that users were seeing.<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 1 ====<br />
| style="white-space: nowrap;" | September 21, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports jailbreaking iOS 4.0-4.1 on [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[tethered jailbreak|tethered]] on [[iBoot-240.5.1|new bootrom]])<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 2 ====<br />
| style="white-space: nowrap;" | October 31, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports jailbreaking iOS 3.2.2 and 4.0-4.1 on every device that supports those firmwares (except [[N72ap|iPod touch 2G]] with [[iBoot-240.5.1|new bootrom]]) .<br />
** The [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]]), and [[N88ap|iPhone 3GS]] ([[iBoot-359.3|old bootrom]]) can also have custom boot logos.<br />
* The Windows version also includes a function that permits users to restore to a custom [[IPSW File Format|IPSW]], akin to [[PwnageTool]]'s DFU button.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 3 ====<br />
| style="white-space: nowrap;" | November 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports the installation of custom bundles<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 4 ====<br />
| style="white-space: nowrap;" | November 23, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreaks iOS 4.1-4.2.1 on all supported devices.<br />
** [[Tethered jailbreak]] on devices that are not vulnerable to [[Pwnage 2.0]] or [[0x24000 Segment Overflow]].<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 5 ====<br />
| style="white-space: nowrap;" | November 28, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreaks iOS 4.1-4.2.1 on all supported devices.<br />
** [[Tethered jailbreak]] on devices that are not vulnerable to [[Pwnage 2.0]] or [[0x24000 Segment Overflow]].<br />
* Can update the baseband on the [[X-Gold 608]] to [[6.15.00]], allowing the reuse of the [[AT+XAPP Vulnerability]]<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 6 ====<br />
| style="white-space: nowrap;" | December 1, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreaks iOS 4.1-4.2.1 on all supported devices.<br />
** [[Tethered jailbreak]] on devices that are not vulnerable to [[Pwnage 2.0]] or [[0x24000 Segment Overflow]].<br />
* Can update the baseband on the [[X-Gold 608]] to [[6.15.00]], allowing the reuse of the [[AT+XAPP Vulnerability]]<br />
* Allows you to "deactivate" a hacktivated phone, so sbinger's [http://www.bingner.com/SAM.html Subscriber Artificial Module] (SAM) can trick your iPhone and [[iTunes]] into creating legitimate activation tickets.<br />
|-<br />
! style="white-space: nowrap;" |<br />
==== 0.9.6 release candidate 7 ====<br />
| style="white-space: nowrap;" | January 2, 2011<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Introduced command-line arguments to bypass some screens.<br />
** -b <filename> to specify your own boot logo PNG<br />
** -i <filename> to specify your reference IPSW<br />
** -j to ask redsn0w to “Just boot now tethered for now”<br />
** -o for [[N88ap|iPhone 3GS]] and [[N72ap|iPod touch 2G]] units vulnerable to [[0x24000 Segment Overflow]].<br />
|-<br />
! style="white-space: nowrap;" |<br />
==== 0.9.6 release candidate 8 ====<br />
| style="white-space: nowrap;" | January 5, 2011<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Informs users if a boot logo PNG is invalid, and why.<br />
* Introduced the "-a" command-line argument to eliminate clicking.<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 1 ====<br />
| style="white-space: nowrap;" | December 26, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Jailbreaks iOS 4.1-4.2.1 on all supported devices.<br />
** Able to achieve an [[untethered jailbreak]] on 4.2.1, provided the user has 4.2b3 [[SHSH]]s and the 4.2b3 [[IPSW File Format|IPSW]].<br />
*** This version of "Jailbreak Monte" has quite a number of bugs, particularly app switcher crashes and disabled [[Bluetooth]].<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 2 ====<br />
| style="white-space: nowrap;" | December 26, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Fixes crashing bugs on GUI apps.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 3 ====<br />
| style="white-space: nowrap;" | December 27, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Fixes crashing bugs completely.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 4 ====<br />
| style="white-space: nowrap;" | December 31, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* ubsmuxd integrated.<br />
|-<br />
! style="white-space: nowrap;" |<br />
==== 0.9.7 beta 5 ====<br />
| style="white-space: nowrap;" | January 8, 2011<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Issues related to [[Bluetooth]] and the sandbox are resolved.<br />
|-<br />
! style="white-space: nowrap;" |<br />
==== 0.9.7 beta 6 ====<br />
| style="white-space: nowrap;" | January 10, 2011<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* fixes Skype<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|}<br />
<br />
== Exploits used ==<br />
For [[M68ap|iPhone]], [[N45ap|iPod touch]], and [[N82ap|iPhone 3G]], see:<br />
*[[Pwnage]]<br />
*[[Pwnage 2.0]]<br />
<br />
For [[N72ap|iPod touch 2G]], see:<br />
*[[0x24000 Segment Overflow]]<br />
*[[ARM7 Go]] - used to upload the oversized [[LLB]] required to utilize the 0x24000 Segment Overflow.<br />
*[[usb_control_msg(0xA1, 1) Exploit]] - used (in redsn0w 0.9.6 beta 1) to upload the oversized [[LLB]] to utilize the 0x24000 Segment Overflow, as well as a [[tethered jailbreak]] on units with the [[iBoot-240.5.1|new bootrom]].<br />
<br />
For [[N88ap|iPhone 3GS]], see:<br />
*[[0x24000 Segment Overflow]]<br />
*[[iBoot Environment Variable Overflow]] - Exploit has a different implementation from [[User:geohot|geohot]]'s implementation in [[purplera1n]].<br />
*[[usb_control_msg(0x21, 2) Exploit]]<br />
*limera1n exploit<br />
<br />
For [[N18ap|iPod touch 3G]]<br />
*[[usb_control_msg(0x21, 2) Exploit]]<br />
*limera1n exploit<br />
<br />
for [[N90ap|iPhone 4]], [[N81ap|iPod touch 4G]], [[K48ap|iPad]] and [[K66ap|Apple TV 2G]]<br />
*limera1n exploit<br />
<br />
[[Category:Hacking Software]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Talk:Unlock&diff=14845
Talk:Unlock
2011-01-09T20:45:43Z
<p>Toddyt1: /* Page naming */</p>
<hr />
<div>== Page naming ==<br />
<br />
I propose we name this page iPhone(2G) unlock due to links to this page on xgold 608 unlock page (and others) that may be confusing to some. Or we could move the contentets of this page and replace it with some basic info about unlock (what unlocking is. And some links to more specific pages) --[[User:Toddyt1|Toddyt1]] 20:24 (edited 20:45), 9 January 2011 (UTC)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=S5L8900&diff=14844
S5L8900
2011-01-09T20:28:20Z
<p>Toddyt1: </p>
<hr />
<div>This is the Application Processor shared between the [[M68ap|iPhone]], [[N45ap|iPod touch]], and the [[N82ap|iPhone 3G]]. Not much is known about it through official sources. This processor is not used in any of the newest devices, being replaced by the [[S5L8720]], [[S5L8920]], [[S5L8922]] and [[S5L8930]].<br />
<br />
==[[S5L File Formats|Firmware File Formats]]==<br />
<br />
== Exploits ==<br />
===[[iBoot (Bootloader)|iBoot]]===<br />
* [[Restore Mode]] - Works up to [[iOS]] 1.0.2<br />
* [[Ramdisk Hack]] - Works up to [[iOS]] 2.0 beta 3<br />
* [[diags]] - Works up to [[iOS]] 2.0 beta 5<br />
* [[iBoot Environment Variable Overflow]] - Works up to [[iOS]] 3.1 beta 3<br />
* [[usb_control_msg(0x21, 2) Exploit]] - Works up to [[iOS]] 3.1.2<br />
<br />
===[[VROM (S5L8900)|Bootrom]]===<br />
* [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]]<br />
* [[Pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]]<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0.1<br />
<br />
=== [[Userland]] ===<br />
* [[Symlinks]] - Works up to [[iOS]] 1.1.1<br />
* [[LibTiff]] - Works up to [[iOS]] 1.1.1<br />
* [[Mknod]] - Works up to [[iOS]] 1.1.2<br />
* [[Dual Boot Exploit]] - Works up to [[iOS]] 2.0 beta 3<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3<br />
* [[Malformed CFF Vulnerability]] - Works up to [[iOS]] 4.0.1<br />
<br />
==Boot Chain==<br />
[[VROM (S5L8900)]]->[[LLB]]->[[iBoot (Bootloader)|iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
<br />
One of the [[iPhoneLinux]] goals are to replace that Boot Chain after iBoot:<br />
<br />
[[VROM (S5L8900)]]->OpeniBoot->Linux Kernel->X Server->Window Manager<br />
<br />
==Upgrade Process==<br />
<br />
=== [[Restore Mode]] ===<br />
The common upgrade process chain is [[VROM]]->[[DFU Mode]]->[[WTF]]->[[iBoot (Bootloader)|iBoot]]->[[Kernel]]->[[Ramdisk]]->[[Restore Mode]].<br />
<br />
=== [[DFU Mode]] ===<br />
To flash an older version of the iPhone software you have to let your phone reside in [[DFU Mode]]. In iTunes you have to press the option key (Mac) or the shift key (Windows) when pressing 'Restore' to be able to manually chose an [[IPSW File Format|IPSW]].<br />
<br />
==== Boot Chain ====<br />
[[VROM]]->[[DFU Mode]]<br />
<br />
==External Links==<br />
* [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0301h/DDI0301H_arm1176jzfs_r0p7_trm.pdf Technical Reference Manual: ARM1176JZF-S]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Talk:Unlock&diff=14843
Talk:Unlock
2011-01-09T20:24:02Z
<p>Toddyt1: New page: == Page naming == I propose we name this page iPhone(2G) unlock due to links to this page on xgold 608 unlock page (and others) that may be confusing to some. --~~~~</p>
<hr />
<div>== Page naming ==<br />
<br />
I propose we name this page iPhone(2G) unlock due to links to this page on xgold 608 unlock page (and others) that may be confusing to some. --[[User:Toddyt1|Toddyt1]] 20:24, 9 January 2011 (UTC)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=User_talk:Beau&diff=14842
User talk:Beau
2011-01-09T20:14:09Z
<p>Toddyt1: </p>
<hr />
<div>hi Beau, i'm thankful for your theiphonewiki twitter bot :) is it a known issue that it'll often post duplicates and updates out of order? --[[User:Beej|Beej]] 23:39, 28 December 2010 (UTC)<br />
<br />
:Hey Beej! Sorry for the incredibly delayed reply, I've been lazy. I believe I've fixed the twitter bots now; originally it was a caching problem but now I believe I've fixed it. If there's any more problems, don't hesitate to shout! --[[User:Beau|Beau]] 11:23, 9 January 2011 (UTC)<br />
<br />
::Hey. We are still getting duplicate tweets. --[[User:Toddyt1|Toddyt1]] 20:12, 9 January 2011 (UTC)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=User_talk:Beau&diff=14841
User talk:Beau
2011-01-09T20:12:49Z
<p>Toddyt1: </p>
<hr />
<div>hi Beau, i'm thankful for your theiphonewiki twitter bot :) is it a known issue that it'll often post duplicates and updates out of order? --[[User:Beej|Beej]] 23:39, 28 December 2010 (UTC)<br />
<br />
:Hey Beej! Sorry for the incredibly delayed reply, I've been lazy. I believe I've fixed the twitter bots now; originally it was a caching problem but now I believe I've fixed it. If there's any more problems, don't hesitate to shout! --[[User:Beau|Beau]] 11:23, 9 January 2011 (UTC)<br />
<br />
:Hey. We are still getting duplicate tweets. --[[User:Toddyt1|Toddyt1]] 20:12, 9 January 2011 (UTC)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Talk:X-Gold_608_Unlock&diff=14840
Talk:X-Gold 608 Unlock
2011-01-09T20:09:15Z
<p>Toddyt1: /* NCK Bruteforcer? */</p>
<hr />
<div>== Getting some sensitive BB info ? ==<br />
Q: How do I get (Which AT Command to use maybe ?) to sensitive baseband information (like battery consumption/RX/TX power) ?<br />
<br />
== current 3G unlock status?? ==<br />
<br />
just citing:<br />
<br />
:'''Q:''' You can take 1.45.00 (or at least 1.43.00), patch it somewhere, flash this file and it's run? Yes or no?<br />
<br />
:'''A:''' No(t yet as easy as that, but be sure we're on it) :p Zf<br />
<br />
So, that's very good news :) -caique2001-<br />
<br />
To speak more technical... The X-Gold 608 has TPM features. So normally one would expect it only to run signed code. This in turn means, it doesn't matter if the code is interchangeable, because only original Apple code can be run. The crucial hack needed is the hack to run ''unsigned'' code, say patched code (as Apple's private key to sign is not known of course).<br />
<br />
TPM doesn't come into play here. We're running unsigned code, and convincing s-gold3 bootrom we deserve a downgrade. It happily complies.<br />
<br />
Wow! Even more good news :-) Where do we have to send the beer to :-) ?? If it should not go to much into detail, could you shortly explain what issue you are currently working on? The fact you have the possibility to run patched unsigned code, does it imply you are currently working on a patch that actually does the unlock? And does TPM come into play here or are there other issues to be solved? caique2001<br />
<br />
I would assume that with unsigned code, you could patch the 3G equivalant of Simple Unlock. IIRC, geohot has already found the bits. we just need a way to patch them. About bypassing TPM...it would be interesting to see how this is done. Perhaps a malformed sig like with pwnage 2.0 and DFU mode? guess we will just have to wait and see :P [[User:ChronicDev|ChronicDev]]<br />
<br />
== opensource baseband? ==<br />
Is to make one? With 3G support? or modify the 4.6 baseband to have have 3g support?<br />
<br />
4.6 is on different platform, you cannot modify that for 3G.<br />
<br />
== get unlocked bootloader ?? ==<br />
<br />
as in countrys like belgium, the 3g is sold without any carrier lock. (belgium law)<br />
<br />
wouldnt it be possible to get the bootloader from such an iphone and transfer it to any other device ??<br />
<br />
/harald<br />
<br />
"Bootloader" has NOTHING todo with official unlock (or unlock). Official Unlock is IMHO done by IMEI and NCK. ~wEsTbAeR--<br />
<br />
== Find the theorized algorithm of NCK generation ==<br />
<br />
Isn't this what the thousands of keygens for PC apps do? Why is it so much harder to do it for the iPhone? Is it because you would normally decompile the software that does the validation, and this is run on apple servers and so is inaccessible? Sorry, just thinking out loud...<br />
<br />
Reply: In softwares we can (after a good amount of work) see the routine that is used to verify the numbers you input. In the iPhone it's not that simple. We know the routine but we don't know what the iPhone starts with (or even if it's generated of the iPhone's serial or just a number in a database)<br />
<br />
Example: In a software, you input your name and a serial number. The software gets your name, translates it to numbers and does some math like (FirstLetter)*(SecondLetter)/(ThirdLetter + FourthLetter)<br />
<br />
So by knowing those rules, we run the same routine in a software and find out what the original software will expect when you input a name such as "funny". Then you use "funny" and 129837987239187 as serial and it works.<br />
<br />
On the iPhone we don't know what the "name" is. We know your iphone will do something like TEA(RSA(token+"name")) and will compare the response of that with what is has stored in it.<br />
<br />
Some people believe the NCK (aka "name" in the above example) doesn't have any relation to the numbers on the phone, such as the serial, IMEI, etc. Some people believe Apple has a big table of numbers relating one NCK for each SERIAL but the NCK isn't formed from the serial.<br />
<br />
I don't believe so...I think it's a number generated by the IMEI,Serial and any other unique numbers. Either with all of them, or parts of each. I started coding a program that would do a different search than Geohot's NCKBruteForcer. He was trying all the combinations and would eventually find the correct answer for each iPhone but it would take a million years with the computing power we have. I thought of it in a different way. I would assume that the NCK is made by a rule out of the combination of the following "items" [-, +, /, *, ^, Log, Ln, Log(2), exp, mod, imei, serial] and then code something to search for all the rules inside that space such as imei*serial/log(serial)+imei for instance. Another idea was that they could use only a couple digits of each, so something like this would be possible: (3 digits of imei)*(first digit of serial)^(4 last digits of imei) mod (2 last digits of serial) .. and so on. This would be a smaller search than Geohots but would not work if Apple has a table with all the NCKs.<br />
<br />
I was coding this for the 1.1.4 OOTB when Geohot found the exploit and unlocked it. So I gave up..but maybe it's time to look at it again. ~ Deco<br />
<br />
== Unlock by changing model and serial number ==<br />
<br />
Chinese grey-market importers are reportedly unlocking the iPhone 3G by changing the model and serial numbers stored in the phone to match the Hong Kong version. Can someone please test if this method works? {{unsigned|Cynix|11:14, November 6, 2008 (UTC)}}<br />
<br />
== Bootrom dump ==<br />
<br />
In the article: "The Dev-Team successfully dumped the bootrom, but they won't release it as it's copyrighted code."<br />
What does this mean? Copyrighted by Dev-Team??? If copyright by Apple is meant, then we should be able to get it from somewhere. Right? -- [[User:Http|http]] 22:23, 14 April 2010 (UTC)<br />
:It's copyrighted by either Infineon or Apple. I've never seen any download link for it, so you'll probably have a tough time finding it. --[[User:Dialexio|Dialexio]] 22:57, 14 April 2010 (UTC)<br />
<br />
== NCK Bruteforcer? ==<br />
<br />
Just curious as to why this is included on this page (and the x-gold 618 unlock page aswell) as it is stated on the [[NCK]] page "Network Control Key. The 15-digit key required to "legitimately" unlock the iPhone 2G. Every other iPhone revision is unlocked with a WildcardTicket which permits every MNC/MCC/ICCID combination". Thought it was best not to remove it encase i missing something --[[User:Toddyt1|Toddyt1]] 21:44, 8 January 2011 (UTC)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=X-Gold_608_Unlock&diff=14839
X-Gold 608 Unlock
2011-01-09T20:06:11Z
<p>Toddyt1: Removed "until recently..." due to 3g software unlock having been out 2 years.</p>
<hr />
<div>The 3G software [[unlock]] proved more difficult than the previous unlocks due to the fact that the [[Baseband Bootloader|baseband bootloader]] is signature checked by the bootrom. The [[iPhone Dev Team]] has successfully unlocked baseband firmwares by overriding carrier locks on-the-fly in RAM, therefore at boot the baseband bootrom can validate the bootloader, and the bootloader can validate the baseband.<br />
<br />
==RAM Unlock History==<br />
On December 21, 2008, [[User:MuscleNerd|MuscleNerd]] demonstrated [[yellowsn0w]], the first unlock.[http://qik.com/video/729275] Originally, yellowsn0w was designed for basebands [[2.04.03]] and earlier, until [[User:Geohot|geohot]] shared the [[AT+stkprof Exploit]] with them. On January 27, 2009, Apple released iOS 2.2.1, which contained baseband [[2.30.03]] and patched said exploit.<br />
<br />
[[User:Oranav|Oranav]] discovered another exploit (the [[AT+XLOG Vulnerability]]), and shared it with the iPhone Dev Team for the next unlock. The iPhone Dev Team kept it under wraps to target firmware 3.0 and the [[N88ap|iPhone 3GS]]. The unlock, codenamed [[ultrasn0w]], was released to the public on 23 June 2009 for baseband [[4.26.08]] only. [http://blog.iphone-dev.org/post/128573459]<br />
<br />
iOS 3.1 contained a baseband [[5.11.07]], which patched the [[AT+XLOG Vulnerability]]. The [[AT+XEMN Heap Overflow]] was exploited in a new unlock named [[blacksn0w]], released by [[User:Geohot|geohot]] on 3 November 2009. A few months later, the vulnerability was patched in baseband [[5.12.01]].<br />
<br />
When iOS 4.0 was publicly released, an updated release of [[ultrasn0w]] was released, using the [[AT+XAPP Vulnerability]] to unlock all basebands found in firmwares 3.0 through 4.0. Apple countered this with [[5.14.02|a baseband update]] in iOS 4.1.<br />
<br />
==Possible Methods==<br />
===Class 1===<br />
* Find an exploit in the [[Baseband Bootrom|bootrom]] to break the chain of trust. The [[iPhone Dev Team|Dev-Team]] successfully dumped the [[Baseband Bootrom|bootrom]], but they won't release it as it's copyrighted code.<br />
* Improve by several orders of magnitude the [[NCK Brute Force|NCK brute forcer]], and find a way to extract the [[CHIPID]] and [[NORID]]<br />
* Find the theorized algorithm of [[NCK]] generation<br />
* Factorize the [[Baseband_RSA_Keys|RSA keys]] used for signing<br />
* Find a [[wikipedia:Preimage_attack|second preimage]] for a signature<br />
<br />
===Class 2===<br />
* Use a [[SIM hacks|SIM hack]] such as the [[Unlock iPhone 3G with TurboSim|TurboSIM Unlock]]<br />
* Find a way to patch running memory to "unlock" the phone on every bootup. This is how [[ultrasn0w]] works.<br />
* Find an exploit in the [[Baseband Bootloader]] so you can downgrade the baseband, then use ultrasn0w. [[User:Geohot|Geohot]] and the [[iPhone Dev Team]] found (independently) an exploit in bootloader 5.8, but it isn't useful enough as only very-early (week<30) iPhone 3G units have bootloader 5.8.<br />
<br />
==Resources==<br />
* Read about the [[X-Gold 608]]<br />
* Read geohot's [http://iphonejtag.blogspot.com/2008/07/infineon-we-have-problem.html blog post]<br />
* Read dogbert's [http://dogber1.blogspot.com/2010/06/how-to-protect-better-apple-iphone.html blog post]<br />
* [[25C3 presentation "Hacking the iPhone"]]<br />
<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Redsn0w&diff=14831
Redsn0w
2011-01-09T10:54:15Z
<p>Toddyt1: /* 0.9.7 beta 5 */</p>
<hr />
<div>{{DISPLAYTITLE:redsn0w}}<br />
[[Image:Redsn0w.png|thumb|redsn0w on Mac OS X]]<br />
redsn0w was originally called [[QuickPwn]] but due to the theft and exploitation of the name, QuickPWN by quickpwn.com, as of iOS 3.0, QuickPwn was discontinued and redsn0w (at the time, version 0.7) was converted into a [[jailbreak]]ing tool for all current devices as well as providing [[unlock]] support the [[M68ap|iPhone 2G]]. As of version 0.8, the [[N88ap|iPhone 3GS]] can also be jailbroken through redsn0w.<br />
<br />
Version 0.9 beta 3 was released for Windows and Mac OS X, and it allows iOS 3.0 through 3.1.2 to be jailbroken. It includes support for all devices except the [[N18ap|iPod touch 3G]], and supports a [[tethered jailbreak]] on [[N88ap|iPhone 3GS]] units and [[N72ap|iPod touch 2G]] units with new bootroms. In addition, this version supports custom boot and recovery mode logos, as well as verbose mode on bootup.<br />
<br />
Version [http://wikee.iphwn.org/howto:rs9 0.9.2] supports jailbreaking of all iDevices (at the time) with iOS 3.0 through 3.1.2 on Windows and Mac OS X, as well as 3.1.3 on [[S5L8900]] devices. Version 0.9.3 adds support of internet tethering IPCC hack on those devices and 0.9.4 allows jailbreaking of early [[N72ap|iPod touch 2G]] with iOS 3.1.3.<br />
<br />
Version [http://wikee.iphwn.org/howto:rsbeta 0.9.5b5-5] supports jailbreaking the [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]]) with iOS 4.0 on Windows and Mac OS X.<br />
<br />
redsn0w [http://blog.iphone-dev.org/post/1718400992 0.9.6b6] can jailbreak iOS 3.2.2, 4.1, and 4.2.1 for every device that supports those versions (except Apple TV 2G), on Windows and Mac OS X.<br />
<br />
== Credit ==<br />
[[iPhone Dev Team]]<br />
<br />
== Versions ==<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.1 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| ?<br />
|<br />
* Jailbreak for the [[n72ap|iPod touch 2G]].<br />
|-<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.7 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.8 ====<br />
| style="white-space: nowrap;" | July 2009<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreaks iPhone OS 3.0 on the [[n88ap|iPhone 3GS]] only.<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.2 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports 3.0-3.1.2 on all iPhones and iPod touches ([[tethered jailbreak|tethered]] for newer devices with [[0x24000 Segment Overflow]] closed)<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.3 beta ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Contains the IPCC hack to enable tethering on the iPhone 3G and 3GS.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.4 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports jailbreaking iOS 3.1.3 on [[M68ap|iPhone 2G]], [[N82ap|iPhone 3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]])<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.5 beta 3 ====<br />
| style="white-space: nowrap;" | June 21, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Supports jailbreaking iOS 4.0 on [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]])<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.5 beta 4 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Resolved a problem with iBooks.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.5 beta 5 ====<br />
| style="white-space: nowrap;" | Unknown<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Supposed to fix any APN or MMS issues that users were seeing.<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 1 ====<br />
| style="white-space: nowrap;" | September 21, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports jailbreaking iOS 4.0-4.1 on [[N82ap|iPhone 3G]] and [[N72ap|iPod touch 2G]] ([[tethered jailbreak|tethered]] on [[iBoot-240.5.1|new bootrom]])<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 2 ====<br />
| style="white-space: nowrap;" | October 31, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports jailbreaking iOS 3.2.2 and 4.0-4.1 on every device that supports those firmwares (except [[N72ap|iPod touch 2G]] with [[iBoot-240.5.1|new bootrom]]) .<br />
** The [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]] ([[iBoot-240.4|old bootrom]]), and [[N88ap|iPhone 3GS]] ([[iBoot-359.3|old bootrom]]) can also have custom boot logos.<br />
* The Windows version also includes a function that permits users to restore to a custom [[IPSW File Format|IPSW]], akin to [[PwnageTool]]'s DFU button.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 3 ====<br />
| style="white-space: nowrap;" | November 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Supports the installation of custom bundles<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 4 ====<br />
| style="white-space: nowrap;" | November 23, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreaks iOS 4.1-4.2.1 on all supported devices.<br />
** [[Tethered jailbreak]] on devices that are not vulnerable to [[Pwnage 2.0]] or [[0x24000 Segment Overflow]].<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 5 ====<br />
| style="white-space: nowrap;" | November 28, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreaks iOS 4.1-4.2.1 on all supported devices.<br />
** [[Tethered jailbreak]] on devices that are not vulnerable to [[Pwnage 2.0]] or [[0x24000 Segment Overflow]].<br />
* Can update the baseband on the [[X-Gold 608]] to [[6.15.00]], allowing the reuse of the [[AT+XAPP Vulnerability]]<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.6 beta 6 ====<br />
| style="white-space: nowrap;" | December 1, 2010<br />
| {{yes}}<br />
| {{yes}}<br />
|<br />
* Jailbreaks iOS 4.1-4.2.1 on all supported devices.<br />
** [[Tethered jailbreak]] on devices that are not vulnerable to [[Pwnage 2.0]] or [[0x24000 Segment Overflow]].<br />
* Can update the baseband on the [[X-Gold 608]] to [[6.15.00]], allowing the reuse of the [[AT+XAPP Vulnerability]]<br />
* Allows you to "deactivate" a hacktivated phone, so sbinger's [http://www.bingner.com/SAM.html Subscriber Artificial Module] (SAM) can trick your iPhone and [[iTunes]] into creating legitimate activation tickets.<br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 1 ====<br />
| style="white-space: nowrap;" | December 26, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Jailbreaks iOS 4.1-4.2.1 on all supported devices.<br />
** Able to achieve an [[untethered jailbreak]] on 4.2.1, provided the user has 4.2b3 [[SHSH]]s and the 4.2b3 [[IPSW File Format|IPSW]].<br />
*** This version of "Jailbreak Monte" has quite a number of bugs, particularly app switcher crashes and disabled [[Bluetooth]].<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 2 ====<br />
| style="white-space: nowrap;" | December 26, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Fixes crashing bugs on GUI apps from redsn0w 0.9.7b1.<br />
* [[Bluetooth]] is non-functional due to a [[sandbox]] issue.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 3 ====<br />
| style="white-space: nowrap;" | December 27, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* Fixes crashing bugs completely from redsn0w 0.9.7b2.<br />
* [[Bluetooth]] is non-functional due to a [[sandbox]] issue.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 4 ====<br />
| style="white-space: nowrap;" | December 31, 2010<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* ubsmuxd integrated.<br />
* [[Bluetooth]] is non-functional due to a [[sandbox]] issue.<br />
|-<br />
! style="white-space: nowrap;" |<br />
<br />
==== 0.9.7 beta 5 ====<br />
| style="white-space: nowrap;" | january 8, 2011<br />
| {{yes}}<br />
| {{no}}<br />
|<br />
* ubsmuxd integrated.<br />
* [[Bluetooth]] is functional <br />
|-<br />
! style="background-color:#E9E9E9; text-align:center; width:150px;" | Version<br />
! style="background-color:#E9E9E9; text-align:center; width:175px;" | Release date<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Mac OS X-compatible?<br />
! style="background-color:#E9E9E9; text-align:center; width:75px;" | Windows-compatible?<br />
! style="background-color:#E9E9E9; text-align:center;" | Changes<br />
|}<br />
<br />
== Exploits used ==<br />
For [[N45ap|iPod touch]], [[M68ap|iPhone]] and [[N82ap|iPhone 3G]], see:<br />
*[[Pwnage]]<br />
*[[Pwnage 2.0]]<br />
<br />
For [[N72ap|iPod touch 2G]], see:<br />
*[[0x24000 Segment Overflow]]<br />
*[[ARM7 Go]] - used to upload the oversized [[LLB]] required to utilize the 0x24000 Segment Overflow.<br />
*[[usb_control_msg(0xA1, 1) Exploit]] - used (in redsn0w 0.9.6 beta 1) to upload the oversized [[LLB]] to utilize the 0x24000 Segment Overflow, as well as a [[tethered jailbreak]] on units with the [[iBoot-240.5.1|new bootrom]].<br />
<br />
For [[N88ap|iPhone 3GS]], see:<br />
*[[0x24000 Segment Overflow]]<br />
*[[iBoot Environment Variable Overflow]] - Exploit has a different implementation from [[User:geohot|geohot]]'s implementation in [[purplera1n]].<br />
*[[usb_control_msg(0x21, 2) Exploit]]<br />
*limera1n exploit<br />
<br />
For [[N18ap|iPod touch 3G]]<br />
*[[usb_control_msg(0x21, 2) Exploit]]<br />
*limera1n exploit<br />
<br />
for [[N90ap|iPhone 4]], [[N81ap|iPod touch 4G]], [[K48ap|iPad]] and [[K66ap|Apple TV 2G]]<br />
*limera1n exploit<br />
<br />
[[Category:Hacking Software]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Bootrom&diff=14818
Bootrom
2011-01-08T22:38:42Z
<p>Toddyt1: </p>
<hr />
<div>==Introduction / old+new==<br />
The bootrom (called "SecureROM" by Apple) is the first significant code that runs on an iDevice. The bootrom is read-only. Finding exploits in the bootrom level is a big achievement since Apple won't be able to fix it without a hardware revision.<br />
<br />
Certain models, including the [[N72ap|iPod touch 2G]] and [[N88ap|iPhone 3GS]], have different bootrom versions. These are most commonly referred to with the terms "old bootrom" and "new bootrom." These "new bootrom" devices were released after [[Timeline#September|9 September 2009]] and have the [[0x24000 Segment Overflow]] fixed. While the new bootrom revisions have an exploit, the exploit needs the assistance of a firmware-based exploit to achieve an [[untethered jailbreak]].<br />
<br />
You might also be looking for [[iBoot (Bootloader)|Apple's stage 2 bootloader]], which also uses the "iBoot" name.<br />
<br />
==Finding bootrom version==<br />
===From the model number ([[n72ap|iPod Touch 2G]])===<br />
If the second character of your Model Number is "B" (as in "MB533" or "PB533"), your iPod has the old bootrom. If the second character is "C" (as in "MC086" or "PC086"), your iPod has the new bootrom.<br />
<br />
===From the serial number ([[n88ap|iPhone 3GS]])===<br />
The third digit of the serial number identifies the year of manufacture (9=2009, 0=2010), while the fourth and the fifth indicate the week. The first "new bootrom" devices are from week 40 of 2009 (??940?????? or higher serials). Any iPhone made after Week 45 of 2009 (??945?????? and higher or ??0???????? serials) has the new bootrom.<br />
<br />
===From the iBoot version ([[n88ap|iPhone 3GS]])===<br />
If a '''.2''' (eg. 636.66.2) is behind the [[iBoot (Bootloader)|iBoot Version]] then it contains the Newer iPhone 3GS Bootrom.<br />
<br />
===From the DFU Device descriptors (All devices)===<br />
====Windows====<br />
# Connect Device & Enter [[DFU Mode]] <br />
# Open Device Manager, find USB controller, subitem Apple Mobile Device USB Driver<br />
# Right-Click & click Properties<br />
# Go to Details tab & select Device Instance Path in the dropdown box<br />
# The end of the info string will show the bootrom version<br />
<br />
====Mac OS X====<br />
# Connect Device & Enter [[DFU Mode]]<br />
# Go to System Profiler, and under the Hardware category, go to USB, and click on Apple Mobile Device (DFU Mode)<br />
# The end of the info string will show the bootrom version<br />
<br />
====Linux====<br />
# Install gnome-device-manager and start it<br />
# Connect Device & Enter [[DFU Mode]] <br />
# Search in the left tree-view for USB Device and look at Summary -> Model until it says Apple Mobile Device (DFU Mode)<br />
# If it does go to Properties (next to Summary) and search for usb_device.serial<br />
# The end of the String will show you the bootrom version<br />
<br />
== Revisions ==<br />
===[[S5L8720]], used in the [[N72ap|iPod touch 2G]]===<br />
* [[iBoot-240.4]] "old bootrom"<br />
* [[iBoot-240.5.1]] "new bootrom"<br />
<br />
===[[S5L8920]], used in the [[N88ap|iPhone 3GS]]===<br />
* [[iBoot-359.3]] "old bootrom"<br />
* [[iBoot-359.3.2]] "new bootrom"<br />
<br />
===[[S5L8922]], used in the [[N18ap|iPod touch 3G]]===<br />
* [[iBoot-359.5]]<br />
<br />
===[[S5L8930]], used in the [[K48ap|iPad]], [[N90ap|iPhone 4]], [[K66ap|Apple TV 2G]] and [[N81ap|iPod touch 4G]]===<br />
* [[iBoot-574.4]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=User:Toddyt1&diff=14812
User:Toddyt1
2011-01-08T22:00:46Z
<p>Toddyt1: </p>
<hr />
<div>Hi. :)<br />
<br />
I'm toddyt1. Otherwise known as Thomas Todd. I'am interested in computers and computing related things. I'am also very interested in learning about the iphone. Sorry about multiple, rapid sequential edits i make to pages i often edit from my iPhone. Currently I am not jailbroken but still actively follow what is happening in the scene</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=User:Toddyt1&diff=14811
User:Toddyt1
2011-01-08T22:00:16Z
<p>Toddyt1: </p>
<hr />
<div>Hi. :)<br />
<br />
== About Me ==<br />
I'm toddyt1. Otherwise known as Thomas Todd. I'am interested in computers and computing related things. I'am also very interested in learning about the iphone. Sorry about multiple, rapid sequential edits i make to pages i often edit from my iPhone. Currently I am not jailbroken but still actively follow what is happening in the scene</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=User:Toddyt1&diff=14809
User:Toddyt1
2011-01-08T21:54:12Z
<p>Toddyt1: New page: == About Me == I'm toddyt1. Otherwise known as Thomas Todd. I'am interested in computers and computing related things. I'am also very interested in learning about the iphone. Sorry about m...</p>
<hr />
<div>== About Me ==<br />
I'm toddyt1. Otherwise known as Thomas Todd. I'am interested in computers and computing related things. I'am also very interested in learning about the iphone. Sorry about multiple, rapid sequential edits i make to pages i often edit from my iPhone. Currently I am not jailbroken but still actively follow what is happening in the scene</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Talk:X-Gold_608_Unlock&diff=14808
Talk:X-Gold 608 Unlock
2011-01-08T21:44:58Z
<p>Toddyt1: </p>
<hr />
<div>== Getting some sensitive BB info ? ==<br />
Q: How do I get (Which AT Command to use maybe ?) to sensitive baseband information (like battery consumption/RX/TX power) ?<br />
<br />
== current 3G unlock status?? ==<br />
<br />
just citing:<br />
<br />
:'''Q:''' You can take 1.45.00 (or at least 1.43.00), patch it somewhere, flash this file and it's run? Yes or no?<br />
<br />
:'''A:''' No(t yet as easy as that, but be sure we're on it) :p Zf<br />
<br />
So, that's very good news :) -caique2001-<br />
<br />
To speak more technical... The X-Gold 608 has TPM features. So normally one would expect it only to run signed code. This in turn means, it doesn't matter if the code is interchangeable, because only original Apple code can be run. The crucial hack needed is the hack to run ''unsigned'' code, say patched code (as Apple's private key to sign is not known of course).<br />
<br />
TPM doesn't come into play here. We're running unsigned code, and convincing s-gold3 bootrom we deserve a downgrade. It happily complies.<br />
<br />
Wow! Even more good news :-) Where do we have to send the beer to :-) ?? If it should not go to much into detail, could you shortly explain what issue you are currently working on? The fact you have the possibility to run patched unsigned code, does it imply you are currently working on a patch that actually does the unlock? And does TPM come into play here or are there other issues to be solved? caique2001<br />
<br />
I would assume that with unsigned code, you could patch the 3G equivalant of Simple Unlock. IIRC, geohot has already found the bits. we just need a way to patch them. About bypassing TPM...it would be interesting to see how this is done. Perhaps a malformed sig like with pwnage 2.0 and DFU mode? guess we will just have to wait and see :P [[User:ChronicDev|ChronicDev]]<br />
<br />
== opensource baseband? ==<br />
Is to make one? With 3G support? or modify the 4.6 baseband to have have 3g support?<br />
<br />
4.6 is on different platform, you cannot modify that for 3G.<br />
<br />
== get unlocked bootloader ?? ==<br />
<br />
as in countrys like belgium, the 3g is sold without any carrier lock. (belgium law)<br />
<br />
wouldnt it be possible to get the bootloader from such an iphone and transfer it to any other device ??<br />
<br />
/harald<br />
<br />
"Bootloader" has NOTHING todo with official unlock (or unlock). Official Unlock is IMHO done by IMEI and NCK. ~wEsTbAeR--<br />
<br />
== Find the theorized algorithm of NCK generation ==<br />
<br />
Isn't this what the thousands of keygens for PC apps do? Why is it so much harder to do it for the iPhone? Is it because you would normally decompile the software that does the validation, and this is run on apple servers and so is inaccessible? Sorry, just thinking out loud...<br />
<br />
Reply: In softwares we can (after a good amount of work) see the routine that is used to verify the numbers you input. In the iPhone it's not that simple. We know the routine but we don't know what the iPhone starts with (or even if it's generated of the iPhone's serial or just a number in a database)<br />
<br />
Example: In a software, you input your name and a serial number. The software gets your name, translates it to numbers and does some math like (FirstLetter)*(SecondLetter)/(ThirdLetter + FourthLetter)<br />
<br />
So by knowing those rules, we run the same routine in a software and find out what the original software will expect when you input a name such as "funny". Then you use "funny" and 129837987239187 as serial and it works.<br />
<br />
On the iPhone we don't know what the "name" is. We know your iphone will do something like TEA(RSA(token+"name")) and will compare the response of that with what is has stored in it.<br />
<br />
Some people believe the NCK (aka "name" in the above example) doesn't have any relation to the numbers on the phone, such as the serial, IMEI, etc. Some people believe Apple has a big table of numbers relating one NCK for each SERIAL but the NCK isn't formed from the serial.<br />
<br />
I don't believe so...I think it's a number generated by the IMEI,Serial and any other unique numbers. Either with all of them, or parts of each. I started coding a program that would do a different search than Geohot's NCKBruteForcer. He was trying all the combinations and would eventually find the correct answer for each iPhone but it would take a million years with the computing power we have. I thought of it in a different way. I would assume that the NCK is made by a rule out of the combination of the following "items" [-, +, /, *, ^, Log, Ln, Log(2), exp, mod, imei, serial] and then code something to search for all the rules inside that space such as imei*serial/log(serial)+imei for instance. Another idea was that they could use only a couple digits of each, so something like this would be possible: (3 digits of imei)*(first digit of serial)^(4 last digits of imei) mod (2 last digits of serial) .. and so on. This would be a smaller search than Geohots but would not work if Apple has a table with all the NCKs.<br />
<br />
I was coding this for the 1.1.4 OOTB when Geohot found the exploit and unlocked it. So I gave up..but maybe it's time to look at it again. ~ Deco<br />
<br />
== Unlock by changing model and serial number ==<br />
<br />
Chinese grey-market importers are reportedly unlocking the iPhone 3G by changing the model and serial numbers stored in the phone to match the Hong Kong version. Can someone please test if this method works? {{unsigned|Cynix|11:14, November 6, 2008 (UTC)}}<br />
<br />
== Bootrom dump ==<br />
<br />
In the article: "The Dev-Team successfully dumped the bootrom, but they won't release it as it's copyrighted code."<br />
What does this mean? Copyrighted by Dev-Team??? If copyright by Apple is meant, then we should be able to get it from somewhere. Right? -- [[User:Http|http]] 22:23, 14 April 2010 (UTC)<br />
:It's copyrighted by either Infineon or Apple. I've never seen any download link for it, so you'll probably have a tough time finding it. --[[User:Dialexio|Dialexio]] 22:57, 14 April 2010 (UTC)<br />
<br />
== NCK Bruteforcer? ==<br />
<br />
Just curious as to why this is included on this page as it is stated on the [[NCK]] page "Network Control Key. The 15-digit key required to "legitimately" unlock the iPhone 2G. Every other iPhone revision is unlocked with a WildcardTicket which permits every MNC/MCC/ICCID combination". Thought it was best not to remove it encase i missing something --[[User:Toddyt1|Toddyt1]] 21:44, 8 January 2011 (UTC)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=PwnageTool&diff=13774
PwnageTool
2010-11-29T11:40:18Z
<p>Toddyt1: /* 4.x: Fourth Major Release of PwnageTool */</p>
<hr />
<div>'''PwnageTool''' is a [[iOS]] [[jailbreak]] tool for Mac OS X that jailbreaks by creating a custom [[IPSW File Format|IPSW]]. You are allowed to change boot logos and add pre-installed packages to the IPSW. After an IPSW is created you can use it to restore to in [[iTunes]].<br />
<br />
==Exploits Used==<br />
===Version 4.0===<br />
* Bootrom exploit (used by [[limera1n]] and [[greenpois0n]])<br />
<br />
===Version 2.0===<br />
* [[Pwnage 2.0]]<br />
* [[Pwnage]]<br />
<br />
===Version 1.0===<br />
* [[Pwnage]]<br />
* [[Ramdisk Hack]]<br />
<br />
== Models Supported ==<br />
{| class="wikitable"<br />
|-<br />
! Model<br />
! Since<br />
|-<br />
| [[M68ap|iPhone 2G]]<br />
| April 3, 2008<br />
|-<br />
| [[N45ap|iPod touch 1G]]<br />
| April 3, 2008<br />
|-<br />
| [[N82ap|iPhone 3G]]<br />
| Jul 19, 2008<br />
|-<br />
| [[N72ap|iPod touch 2G]]<br />
| Oct 2, 2009<br />
|-<br />
| [[N88ap|iPhone 3GS]]<br />
| Oct 2, 2009<br />
|}<br />
Note that the [[N18ap|iPod touch 3G]] and subsequent devices are not supported. With the iPod touch 2G and iPhone 3GS you must be jailbroken prior to using PwnageTool. The [[S5L8900]] devices you can go into [[DFU Mode]] and restore with [[iTunes]] without being jailbroken.<br />
<br />
==Versions==<br />
<br />
PwnageTool was released April 3, 2008 but largely unused until version 2.0 was released July 19, 2008.<br />
The following versions that are shown here are not beta, alpha, or in development. <br />
<br />
===1.x: First release of PwnageTool===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.1.4 ====<br />
| style="white-space: nowrap;" | April 3, 2008<br />
| |<br />
* Initial release<br />
* Jailbreaks 1.1.4 firmware<br />
* Supports iPod touch 1G and iPhone 2G.<br />
* Add [[BootNeuter]] in the IPSW to unlock iPhone 2G.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
=== 2.x: Second major release of Pwnagetool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0 ====<br />
| style="white-space: nowrap;" | Jul 19, 2008<br />
| |<br />
* Added iPhone 3G support [http://www.engadget.com/2008/07/19/iphone-dev-team-unleashes-pwnage-tool-2-0/]<br />
* Jailbreaks 2.0 Firmware<br />
* Change boot logos<br />
* Adds Cydia by default<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.1 ====<br />
| style="white-space: nowrap;" | Aug 4, 2008<br />
| |<br />
* Jailbreaks 2.0.1 firmware<br />
* Works for 2.0 and 2.0.1.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.2 ====<br />
| style="white-space: nowrap;" | Aug 21, 2008<br />
| |<br />
* Jailbreaks 2.0.2 firmware [http://www.iphonehacks.com/2008/08/pwnage-tool-202.html]<br />
* Works for 2.0, 2.0.1, and 2.0.2.<br />
* Bug fixes - for when it doesn't go to the next page when you click on something.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.3 ====<br />
| style="white-space: nowrap;" | Aug 25, 2008<br />
| |<br />
* Jailbreaks 2.0.2 firmware<br />
* Works for 2.0, 2.0.1, and 2.0.2.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.1 ====<br />
| style="white-space: nowrap;" | Sep 13, 2008<br />
| |<br />
* Jailbreaks 2.1 firmware<br />
* Removed backwards compatibility<br />
* Download packages from a valid Cydia source, and add them onto your custom IPSW.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.2 ====<br />
| style="white-space: nowrap;" | Nov 21, 2008<br />
| |<br />
* Jailbreaks 2.2 firmware<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.2.5 ====<br />
| style="white-space: nowrap;" | Jan 30, 2009<br />
| |<br />
* Jailbreaks 2.2.1<br />
* Not updated by [[iPhone Dev Team]] but made official.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
=== 3.x: Third Major Release of PwnageTool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.0 ====<br />
| style="white-space: nowrap;" | Jun 19, 2009<br />
| |<br />
* Jailbreaks 3.0 firmware<br />
* DFU mode instructions included<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1 ====<br />
| style="white-space: nowrap;" | Sep 15, 2009<br />
| |<br />
* Jailbreaks 3.1 firmware for iPhone 2G and 3G<br />
* Jailbreaks 3.1.1 firmware for iPod touch 1G<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1.3 ====<br />
| style="white-space: nowrap;" | Oct 2, 2009<br />
| |<br />
* Support for iPhone 3GS with [[iBoot-359.3]] bootrom and iPod touch 2G with [[iBoot-240.4]] bootrom (these devices need to be pwned from 3.0/3.0.1)<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1.4 ====<br />
| style="white-space: nowrap;" | Oct 13, 2009<br />
| |<br />
* Jailbreaks 3.1.2 firmware for iPhone 2G, 3G, 3GS with [[iBoot-359.3]] bootrom, iPod touch 1G, iPod touch 2G with [[iBoot-240.4]] bootrom<br />
* iPod touch 3G not supported.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
<br />
==== 3.1.5 ====<br />
| style="white-space: nowrap;" | Feb 7, 2010<br />
| |<br />
* Jailbreaks 3.1.3 firmware for devices supported in 3.1.4.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
=== 4.x: Fourth Major Release of PwnageTool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.0 ====<br />
| style="white-space: nowrap;" | Jun 22, 2010<br />
| |<br />
* Jailbreaks 4.0 firmware for devices supported in 3.1.4.<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.01 ====<br />
| style="white-space: nowrap;" | Jun 23, 2010<br />
| |<br />
* Fixes iBooks issue in 4.0<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1 ====<br />
| style="white-space: nowrap;" | Oct 20, 2010<br />
| |<br />
* Jailbreaks 4.1 firmware for [[K66ap|Apple TV 2G]], [[K48ap|iPad 1G]], [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] (both bootroms), [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], and [[N81ap|iPod touch 4G]].<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.1 ====<br />
| style="white-space: nowrap;" | Oct 22, 2010<br />
| |<br />
* Fixes issues with Leopard.<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.2 ====<br />
| style="white-space: nowrap;" | Oct 22, 2010<br />
| |<br />
* Fixes more issues with Leopard.<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.3 ====<br />
| style="white-space: nowrap;" | Nov 28, 2010<br />
| |<br />
* Enables installing the [[6.15.00]] baseband on the [[iPhone 3G]]<br />
|<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
==Creating the Firmware==<br />
PwnageTool takes the IPSW file and patches it, creating a custom version. This enables a lot more features such as pre-installed packages, [[BootNeuter]] ([[M68ap|iPhone]] software unlock), custom packages and boot logos. This method is usually less secure than the quick exploits such ([[redsn0w]], [[QuickPwn]], [[purplera1n]], [[blackra1n]], etc.).<br />
<br />
==How to create Custom Firmware Bundles==<br />
[[Making_PwnageTool_Bundles]]<br />
<br />
==Problems==<br />
This method does have negative aspects. The most common errors are the [[ITunes Errors#Errors 16xx|16xx range of errors]], which mean that the either the firmware file is corrupt or you didn't put it in the right mode (Recovery, DFU Mode). Sometimes the problems could just be a computer problem such as the memory is full or the USB port is broken. The most common error is [[ITunes Errors#Error 1604|Error 1604]] which means that the firmware file is corrupt.<br />
<br />
==Windows==<br />
PwnageTool is expected to remain exclusive to Mac OS X. As of October 2009, [[User:ih8sn0w|iH8sn0w]], et. al. has announced that they made a project that will bring PwnageTool's functionality to Windows, called [[sn0wbreeze]]. [http://ih8sn0w.com/]<br />
<br />
== License ==<br />
PwnageTool is freeware.<br />
<br />
[[Category:Hacking Software]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=PwnageTool&diff=13773
PwnageTool
2010-11-29T11:39:30Z
<p>Toddyt1: /* 4.x: Fourth Major Release of PwnageTool */</p>
<hr />
<div>'''PwnageTool''' is a [[iOS]] [[jailbreak]] tool for Mac OS X that jailbreaks by creating a custom [[IPSW File Format|IPSW]]. You are allowed to change boot logos and add pre-installed packages to the IPSW. After an IPSW is created you can use it to restore to in [[iTunes]].<br />
<br />
==Exploits Used==<br />
===Version 4.0===<br />
* Bootrom exploit (used by [[limera1n]] and [[greenpois0n]])<br />
<br />
===Version 2.0===<br />
* [[Pwnage 2.0]]<br />
* [[Pwnage]]<br />
<br />
===Version 1.0===<br />
* [[Pwnage]]<br />
* [[Ramdisk Hack]]<br />
<br />
== Models Supported ==<br />
{| class="wikitable"<br />
|-<br />
! Model<br />
! Since<br />
|-<br />
| [[M68ap|iPhone 2G]]<br />
| April 3, 2008<br />
|-<br />
| [[N45ap|iPod touch 1G]]<br />
| April 3, 2008<br />
|-<br />
| [[N82ap|iPhone 3G]]<br />
| Jul 19, 2008<br />
|-<br />
| [[N72ap|iPod touch 2G]]<br />
| Oct 2, 2009<br />
|-<br />
| [[N88ap|iPhone 3GS]]<br />
| Oct 2, 2009<br />
|}<br />
Note that the [[N18ap|iPod touch 3G]] and subsequent devices are not supported. With the iPod touch 2G and iPhone 3GS you must be jailbroken prior to using PwnageTool. The [[S5L8900]] devices you can go into [[DFU Mode]] and restore with [[iTunes]] without being jailbroken.<br />
<br />
==Versions==<br />
<br />
PwnageTool was released April 3, 2008 but largely unused until version 2.0 was released July 19, 2008.<br />
The following versions that are shown here are not beta, alpha, or in development. <br />
<br />
===1.x: First release of PwnageTool===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.1.4 ====<br />
| style="white-space: nowrap;" | April 3, 2008<br />
| |<br />
* Initial release<br />
* Jailbreaks 1.1.4 firmware<br />
* Supports iPod touch 1G and iPhone 2G.<br />
* Add [[BootNeuter]] in the IPSW to unlock iPhone 2G.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
=== 2.x: Second major release of Pwnagetool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0 ====<br />
| style="white-space: nowrap;" | Jul 19, 2008<br />
| |<br />
* Added iPhone 3G support [http://www.engadget.com/2008/07/19/iphone-dev-team-unleashes-pwnage-tool-2-0/]<br />
* Jailbreaks 2.0 Firmware<br />
* Change boot logos<br />
* Adds Cydia by default<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.1 ====<br />
| style="white-space: nowrap;" | Aug 4, 2008<br />
| |<br />
* Jailbreaks 2.0.1 firmware<br />
* Works for 2.0 and 2.0.1.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.2 ====<br />
| style="white-space: nowrap;" | Aug 21, 2008<br />
| |<br />
* Jailbreaks 2.0.2 firmware [http://www.iphonehacks.com/2008/08/pwnage-tool-202.html]<br />
* Works for 2.0, 2.0.1, and 2.0.2.<br />
* Bug fixes - for when it doesn't go to the next page when you click on something.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.3 ====<br />
| style="white-space: nowrap;" | Aug 25, 2008<br />
| |<br />
* Jailbreaks 2.0.2 firmware<br />
* Works for 2.0, 2.0.1, and 2.0.2.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.1 ====<br />
| style="white-space: nowrap;" | Sep 13, 2008<br />
| |<br />
* Jailbreaks 2.1 firmware<br />
* Removed backwards compatibility<br />
* Download packages from a valid Cydia source, and add them onto your custom IPSW.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.2 ====<br />
| style="white-space: nowrap;" | Nov 21, 2008<br />
| |<br />
* Jailbreaks 2.2 firmware<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.2.5 ====<br />
| style="white-space: nowrap;" | Jan 30, 2009<br />
| |<br />
* Jailbreaks 2.2.1<br />
* Not updated by [[iPhone Dev Team]] but made official.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
=== 3.x: Third Major Release of PwnageTool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.0 ====<br />
| style="white-space: nowrap;" | Jun 19, 2009<br />
| |<br />
* Jailbreaks 3.0 firmware<br />
* DFU mode instructions included<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1 ====<br />
| style="white-space: nowrap;" | Sep 15, 2009<br />
| |<br />
* Jailbreaks 3.1 firmware for iPhone 2G and 3G<br />
* Jailbreaks 3.1.1 firmware for iPod touch 1G<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1.3 ====<br />
| style="white-space: nowrap;" | Oct 2, 2009<br />
| |<br />
* Support for iPhone 3GS with [[iBoot-359.3]] bootrom and iPod touch 2G with [[iBoot-240.4]] bootrom (these devices need to be pwned from 3.0/3.0.1)<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1.4 ====<br />
| style="white-space: nowrap;" | Oct 13, 2009<br />
| |<br />
* Jailbreaks 3.1.2 firmware for iPhone 2G, 3G, 3GS with [[iBoot-359.3]] bootrom, iPod touch 1G, iPod touch 2G with [[iBoot-240.4]] bootrom<br />
* iPod touch 3G not supported.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
<br />
==== 3.1.5 ====<br />
| style="white-space: nowrap;" | Feb 7, 2010<br />
| |<br />
* Jailbreaks 3.1.3 firmware for devices supported in 3.1.4.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
=== 4.x: Fourth Major Release of PwnageTool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.0 ====<br />
| style="white-space: nowrap;" | Jun 22, 2010<br />
| |<br />
* Jailbreaks 4.0 firmware for devices supported in 3.1.4.<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.01 ====<br />
| style="white-space: nowrap;" | Jun 23, 2010<br />
| |<br />
* Fixes iBooks issue in 4.0<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1 ====<br />
| style="white-space: nowrap;" | Oct 20, 2010<br />
| |<br />
* Jailbreaks 4.1 firmware for [[K66ap|Apple TV 2G]], [[K48ap|iPad 1G]], [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] (both bootroms), [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], and [[N81ap|iPod touch 4G]].<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.1 ====<br />
| style="white-space: nowrap;" | Oct 22, 2010<br />
| |<br />
* Fixes issues with Leopard.<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.2 ====<br />
| style="white-space: nowrap;" | Oct 22, 2010<br />
| |<br />
* Fixes more issues with Leopard.<br />
|<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.3 ====<br />
| style="white-space: nowrap;" | Nov 28, 2010<br />
| |<br />
* Enables installing the [[6.15.00]] baseband on the [[iPhone 3G]]<br />
|<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
==Creating the Firmware==<br />
PwnageTool takes the IPSW file and patches it, creating a custom version. This enables a lot more features such as pre-installed packages, [[BootNeuter]] ([[M68ap|iPhone]] software unlock), custom packages and boot logos. This method is usually less secure than the quick exploits such ([[redsn0w]], [[QuickPwn]], [[purplera1n]], [[blackra1n]], etc.).<br />
<br />
==How to create Custom Firmware Bundles==<br />
[[Making_PwnageTool_Bundles]]<br />
<br />
==Problems==<br />
This method does have negative aspects. The most common errors are the [[ITunes Errors#Errors 16xx|16xx range of errors]], which mean that the either the firmware file is corrupt or you didn't put it in the right mode (Recovery, DFU Mode). Sometimes the problems could just be a computer problem such as the memory is full or the USB port is broken. The most common error is [[ITunes Errors#Error 1604|Error 1604]] which means that the firmware file is corrupt.<br />
<br />
==Windows==<br />
PwnageTool is expected to remain exclusive to Mac OS X. As of October 2009, [[User:ih8sn0w|iH8sn0w]], et. al. has announced that they made a project that will bring PwnageTool's functionality to Windows, called [[sn0wbreeze]]. [http://ih8sn0w.com/]<br />
<br />
== License ==<br />
PwnageTool is freeware.<br />
<br />
[[Category:Hacking Software]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=PwnageTool&diff=13772
PwnageTool
2010-11-29T11:38:22Z
<p>Toddyt1: /* 4.x: Fourth Major Release of PwnageTool */</p>
<hr />
<div>'''PwnageTool''' is a [[iOS]] [[jailbreak]] tool for Mac OS X that jailbreaks by creating a custom [[IPSW File Format|IPSW]]. You are allowed to change boot logos and add pre-installed packages to the IPSW. After an IPSW is created you can use it to restore to in [[iTunes]].<br />
<br />
==Exploits Used==<br />
===Version 4.0===<br />
* Bootrom exploit (used by [[limera1n]] and [[greenpois0n]])<br />
<br />
===Version 2.0===<br />
* [[Pwnage 2.0]]<br />
* [[Pwnage]]<br />
<br />
===Version 1.0===<br />
* [[Pwnage]]<br />
* [[Ramdisk Hack]]<br />
<br />
== Models Supported ==<br />
{| class="wikitable"<br />
|-<br />
! Model<br />
! Since<br />
|-<br />
| [[M68ap|iPhone 2G]]<br />
| April 3, 2008<br />
|-<br />
| [[N45ap|iPod touch 1G]]<br />
| April 3, 2008<br />
|-<br />
| [[N82ap|iPhone 3G]]<br />
| Jul 19, 2008<br />
|-<br />
| [[N72ap|iPod touch 2G]]<br />
| Oct 2, 2009<br />
|-<br />
| [[N88ap|iPhone 3GS]]<br />
| Oct 2, 2009<br />
|}<br />
Note that the [[N18ap|iPod touch 3G]] and subsequent devices are not supported. With the iPod touch 2G and iPhone 3GS you must be jailbroken prior to using PwnageTool. The [[S5L8900]] devices you can go into [[DFU Mode]] and restore with [[iTunes]] without being jailbroken.<br />
<br />
==Versions==<br />
<br />
PwnageTool was released April 3, 2008 but largely unused until version 2.0 was released July 19, 2008.<br />
The following versions that are shown here are not beta, alpha, or in development. <br />
<br />
===1.x: First release of PwnageTool===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 1.1.4 ====<br />
| style="white-space: nowrap;" | April 3, 2008<br />
| |<br />
* Initial release<br />
* Jailbreaks 1.1.4 firmware<br />
* Supports iPod touch 1G and iPhone 2G.<br />
* Add [[BootNeuter]] in the IPSW to unlock iPhone 2G.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
=== 2.x: Second major release of Pwnagetool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0 ====<br />
| style="white-space: nowrap;" | Jul 19, 2008<br />
| |<br />
* Added iPhone 3G support [http://www.engadget.com/2008/07/19/iphone-dev-team-unleashes-pwnage-tool-2-0/]<br />
* Jailbreaks 2.0 Firmware<br />
* Change boot logos<br />
* Adds Cydia by default<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.1 ====<br />
| style="white-space: nowrap;" | Aug 4, 2008<br />
| |<br />
* Jailbreaks 2.0.1 firmware<br />
* Works for 2.0 and 2.0.1.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.2 ====<br />
| style="white-space: nowrap;" | Aug 21, 2008<br />
| |<br />
* Jailbreaks 2.0.2 firmware [http://www.iphonehacks.com/2008/08/pwnage-tool-202.html]<br />
* Works for 2.0, 2.0.1, and 2.0.2.<br />
* Bug fixes - for when it doesn't go to the next page when you click on something.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.0.3 ====<br />
| style="white-space: nowrap;" | Aug 25, 2008<br />
| |<br />
* Jailbreaks 2.0.2 firmware<br />
* Works for 2.0, 2.0.1, and 2.0.2.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.1 ====<br />
| style="white-space: nowrap;" | Sep 13, 2008<br />
| |<br />
* Jailbreaks 2.1 firmware<br />
* Removed backwards compatibility<br />
* Download packages from a valid Cydia source, and add them onto your custom IPSW.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.2 ====<br />
| style="white-space: nowrap;" | Nov 21, 2008<br />
| |<br />
* Jailbreaks 2.2 firmware<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 2.2.5 ====<br />
| style="white-space: nowrap;" | Jan 30, 2009<br />
| |<br />
* Jailbreaks 2.2.1<br />
* Not updated by [[iPhone Dev Team]] but made official.<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
<br />
=== 3.x: Third Major Release of PwnageTool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.0 ====<br />
| style="white-space: nowrap;" | Jun 19, 2009<br />
| |<br />
* Jailbreaks 3.0 firmware<br />
* DFU mode instructions included<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1 ====<br />
| style="white-space: nowrap;" | Sep 15, 2009<br />
| |<br />
* Jailbreaks 3.1 firmware for iPhone 2G and 3G<br />
* Jailbreaks 3.1.1 firmware for iPod touch 1G<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1.3 ====<br />
| style="white-space: nowrap;" | Oct 2, 2009<br />
| |<br />
* Support for iPhone 3GS with [[iBoot-359.3]] bootrom and iPod touch 2G with [[iBoot-240.4]] bootrom (these devices need to be pwned from 3.0/3.0.1)<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
==== 3.1.4 ====<br />
| style="white-space: nowrap;" | Oct 13, 2009<br />
| |<br />
* Jailbreaks 3.1.2 firmware for iPhone 2G, 3G, 3GS with [[iBoot-359.3]] bootrom, iPod touch 1G, iPod touch 2G with [[iBoot-240.4]] bootrom<br />
* iPod touch 3G not supported.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
<br />
==== 3.1.5 ====<br />
| style="white-space: nowrap;" | Feb 7, 2010<br />
| |<br />
* Jailbreaks 3.1.3 firmware for devices supported in 3.1.4.<br />
|<br />
|-<br />
! rowspan=1 style="white-space: nowrap;nowrap;" |<br />
|}<br />
=== 4.x: Fourth Major Release of PwnageTool ===<br />
{| class="wikitable" width="100%" style="font-size: 90%"<br />
! style="background-color:#E9E9E9;" align="center" |Version<br />
! style="background-color:#E9E9E9;" align="center" |Release date<br />
! style="background-color:#E9E9E9;" align="center" |Features<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.0 ====<br />
| style="white-space: nowrap;" | Jun 22, 2010<br />
| |<br />
* Jailbreaks 4.0 firmware for devices supported in 3.1.4.<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.01 ====<br />
| style="white-space: nowrap;" | Jun 23, 2010<br />
| |<br />
* Fixes iBooks issue in 4.0<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1 ====<br />
| style="white-space: nowrap;" | Oct 20, 2010<br />
| |<br />
* Jailbreaks 4.1 firmware for [[K66ap|Apple TV 2G]], [[K48ap|iPad 1G]], [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] (both bootroms), [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], and [[N81ap|iPod touch 4G]].<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.1 ====<br />
| style="white-space: nowrap;" | Oct 22, 2010<br />
| |<br />
* Fixes issues with Leopard.<br />
|<br />
|-<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.2 ====<br />
| style="white-space: nowrap;" | Oct 22, 2010<br />
| |<br />
* Fixes more issues with Leopard.<br />
|<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
==== 4.1.3 ====<br />
| style="white-space: nowrap;" | Nov 28, 2010<br />
| |<br />
* Enables installing the [[6.15.00]] baseband on the [[iPhone 3G]]<br />
|<br />
! rowspan="1" style="white-space: nowrap;nowrap;" |<br />
<br />
==Creating the Firmware==<br />
PwnageTool takes the IPSW file and patches it, creating a custom version. This enables a lot more features such as pre-installed packages, [[BootNeuter]] ([[M68ap|iPhone]] software unlock), custom packages and boot logos. This method is usually less secure than the quick exploits such ([[redsn0w]], [[QuickPwn]], [[purplera1n]], [[blackra1n]], etc.).<br />
<br />
==How to create Custom Firmware Bundles==<br />
[[Making_PwnageTool_Bundles]]<br />
<br />
==Problems==<br />
This method does have negative aspects. The most common errors are the [[ITunes Errors#Errors 16xx|16xx range of errors]], which mean that the either the firmware file is corrupt or you didn't put it in the right mode (Recovery, DFU Mode). Sometimes the problems could just be a computer problem such as the memory is full or the USB port is broken. The most common error is [[ITunes Errors#Error 1604|Error 1604]] which means that the firmware file is corrupt.<br />
<br />
==Windows==<br />
PwnageTool is expected to remain exclusive to Mac OS X. As of October 2009, [[User:ih8sn0w|iH8sn0w]], et. al. has announced that they made a project that will bring PwnageTool's functionality to Windows, called [[sn0wbreeze]]. [http://ih8sn0w.com/]<br />
<br />
== License ==<br />
PwnageTool is freeware.<br />
<br />
[[Category:Hacking Software]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=13769
Ultrasn0w
2010-11-29T08:59:07Z
<p>Toddyt1: /* Injection Vectors */</p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] and [[N90ap|iPhone 4]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
[[MuscleNerd]], and [[iPhone Dev Team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Injection Vectors==<br />
* [[AT+stkprof Exploit]] - used by yellowsn0w to unlock [[X-Gold 608]] baseband [[2.28.00]].<br />
* [[AT+XLOG Vulnerability]] - used by ultrasn0w to unlock [[X-Gold 608]] baseband [[4.26.08]].<br />
* [[AT+XAPP Vulnerability]] - used by ultrasn0w 1.0-1 and 1.2 to unlock public releases of [[X-Gold 608]] basebands [[4.26.08]] through [[5.13.04]] and [[6.15.00]] (ultrasn0w 1.2 only), and [[XMM 6180]] baseband [[1.59.00]])<br />
<br />
==ultrasn0w payload with comments (by [[User:Oranav|Oranav]])==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ==<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband Device]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=AT%2BXAPP_Vulnerability&diff=13768
AT+XAPP Vulnerability
2010-11-29T08:58:26Z
<p>Toddyt1: /* Implementation */</p>
<hr />
<div>Used as an injection vector for the [[X-Gold 608]] and [[XMM 6180]] [[unlock]] payload. Currently available in all X-Gold 608 basebands until [[5.13.04]] and [[6.15.00]], and XMM 6180 baseband [[1.59.00]].<br />
<br />
== Credit ==<br />
* '''vulnerability''': [[sherif_hashim]], also discovered by [[westbaer]], [[User:Geohot|geohot]] and [[User:Oranav|Oranav]] (each one independently)<br />
* '''exploitation''': [[iPhone Dev Team]]<br />
<br />
== Exploit ==<br />
There is a stack overflow in the AT+XAPP="..." command, which allows unsigned code execution on the [[X-Gold 608]] and [[XMM 6180]].<br />
<br />
at+xapp="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777PPPP"<br />
<br />
Applying a string of more than 52 characters will trigger the overflow.<br />
<br />
== Implementation ==<br />
The exploit was used by [[iPhone Dev Team]] in [[ultrasn0w]] 1.0-1 and 1.2, which is able to unlock the [[X-Gold 608]] basebands [[4.26.08]], [[5.11.07]], [[5.12.01]], [[5.13.04]] and [[6.15.00]](ultrasn0w 1.2 only), and [[XMM 6180]] baseband [[1.59.00]].<br />
----<br />
[[Category:Baseband Exploits]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=06.15.00&diff=13733
06.15.00
2010-11-28T22:53:29Z
<p>Toddyt1: /* iPhone((3G and 3Gs)) */</p>
<hr />
<div>This is the shipping baseband for the [[K48ap|Wi-Fi+3G iPad]].<br />
<br />
==[[iPhone]]((3G and 3Gs))==<br />
It can be installed via [[PwnageTool]] or [[Redsn0w]] on the [[N82ap|iPhone 3G]] and [[N88ap|iPhone 3GS]]. It is required for unlockers who updated beyond baseband version [[5.13.04]].</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=06.15.00&diff=13732
06.15.00
2010-11-28T22:52:38Z
<p>Toddyt1: </p>
<hr />
<div>This is the shipping baseband for the [[K48ap|Wi-Fi+3G iPad]].<br />
<br />
==[[iPhone]]((3G and 3Gs))==<br />
It can be installed via [[PwnageTool]] or [[Redsn0w]] on the [[N82ap|iPhone 3G]] and [[N88ap|iPhone 3GS]]. It is required for unlockers who updated beyond [[5.13.04]].</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=06.15.00&diff=13731
06.15.00
2010-11-28T22:51:47Z
<p>Toddyt1: /* iPhone((3G and 3Gs)) */</p>
<hr />
<div>== [[K48ap|Wi-Fi+3G iPad]]==<br />
This is the shipping baseband for the [[K48ap|Wi-Fi+3G iPad]].<br />
<br />
==[[iPhone]]((3G and 3Gs))==<br />
It can be installed via [[PwnageTool]] or [[Redsn0w]] on the [[N82ap|iPhone 3G]] and [[N88ap|iPhone 3GS]]. It is required for unlockers who updated beyond [[5.13.04]].</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=06.15.00&diff=13730
06.15.00
2010-11-28T22:33:26Z
<p>Toddyt1: /* iPhone((3G and 3Gs)) */</p>
<hr />
<div>== [[K48ap|Wi-Fi+3G iPad]]==<br />
This is the shipping baseband for the [[K48ap|Wi-Fi+3G iPad]].<br />
<br />
==[[iPhone]]((3G and 3Gs))==<br />
It can be installed via [[PwnageTool]] or [[Redsn0w]] on the [[N82ap|iPhone 3G]] and [[N88ap|iPhone 3GS]. It is required for unlockers who updated beyond [[5.13.04]].</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=06.15.00&diff=13729
06.15.00
2010-11-28T22:32:50Z
<p>Toddyt1: </p>
<hr />
<div>== [[K48ap|Wi-Fi+3G iPad]]==<br />
This is the shipping baseband for the [[K48ap|Wi-Fi+3G iPad]].<br />
<br />
==[[iPhone]]((3G and 3Gs))==<br />
It can be installed via [[Pwnage Tool]] or [[Redsn0w]] on the [[N82ap|iPhone 3G]] and [[N88ap|iPhone 3GS]. It is required for unlockers who updated beyond [[5.13.04]].</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=06.15.00&diff=13728
06.15.00
2010-11-28T22:30:35Z
<p>Toddyt1: </p>
<hr />
<div>This is the shipping baseband for the [[K48ap|Wi-Fi+3G iPad]].<br />
<br />
It can be installed via [[Pwnage Tool]] or [[Redsn0w]] on the [[N82ap|iPhone 3G]] and [[N88ap|iPhone 3GS]. It is required for unlockers who updated beyond [[5.13.04]].</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=AT%2BXAPP_Vulnerability&diff=13727
AT+XAPP Vulnerability
2010-11-28T22:25:10Z
<p>Toddyt1: </p>
<hr />
<div>Used as an injection vector for the [[X-Gold 608]] and [[XMM 6180]] [[unlock]] payload. Currently available in all X-Gold 608 basebands until [[5.13.04]] and [[6.15.00]], and XMM 6180 baseband [[1.59.00]].<br />
<br />
== Credit ==<br />
* '''vulnerability''': [[sherif_hashim]], also discovered by [[westbaer]], [[User:Geohot|geohot]] and [[User:Oranav|Oranav]] (each one independently)<br />
* '''exploitation''': [[iPhone Dev Team]]<br />
<br />
== Exploit ==<br />
There is a stack overflow in the AT+XAPP="..." command, which allows unsigned code execution on the [[X-Gold 608]] and [[XMM 6180]].<br />
<br />
at+xapp="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777PPPP"<br />
<br />
Applying a string of more than 52 characters will trigger the overflow.<br />
<br />
== Implementation ==<br />
The exploit was used by [[iPhone Dev Team]] in [[ultrasn0w]] 1.0-1, which is able to unlock the [[X-Gold 608]] basebands [[4.26.08]], [[5.11.07]], [[5.12.01]], [[5.13.04]] and [[6.15.00]], and [[XMM 6180]] baseband [[1.59.00]].<br />
----<br />
[[Category:Baseband Exploits]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=13726
Ultrasn0w
2010-11-28T22:22:52Z
<p>Toddyt1: /* Injection Vectors */</p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] and [[N90ap|iPhone 4]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
[[MuscleNerd]], and [[iPhone Dev Team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Injection Vectors==<br />
* [[AT+stkprof Exploit]] - used by yellowsn0w to unlock [[X-Gold 608]] baseband [[2.28.00]].<br />
* [[AT+XLOG Vulnerability]] - used by ultrasn0w to unlock [[X-Gold 608]] baseband [[4.26.08]].<br />
* [[AT+XAPP Vulnerability]] - used by ultrasn0w 0.93 and 1.2 to unlock public releases of [[X-Gold 608]] basebands [[4.26.08]] through [[5.13.04]] and [[6.15.00]] (ultrasn0w 1.2 only), and [[XMM 6180]] baseband [[1.59.00]])<br />
<br />
==ultrasn0w payload with comments (by [[User:Oranav|Oranav]])==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ==<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband Device]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=13725
Ultrasn0w
2010-11-28T22:22:05Z
<p>Toddyt1: /* Injection Vectors */</p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] and [[N90ap|iPhone 4]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
[[MuscleNerd]], and [[iPhone Dev Team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Injection Vectors==<br />
* [[AT+stkprof Exploit]] - used by yellowsn0w to unlock [[X-Gold 608]] baseband [[2.28.00]].<br />
* [[AT+XLOG Vulnerability]] - used by ultrasn0w to unlock [[X-Gold 608]] baseband [[4.26.08]].<br />
* [[AT+XAPP Vulnerability]] - used by ultrasn0w 0.93 anf 1.2 to unlock public releases of [[X-Gold 608]] basebands [[4.26.08]] through [[5.13.04]] and [[6.15.00]] (ultrasn0w 01.2 only), and [[XMM 6180]] baseband [[1.59.00]])<br />
<br />
==ultrasn0w payload with comments (by [[User:Oranav|Oranav]])==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ==<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband Device]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=13724
Ultrasn0w
2010-11-28T22:18:14Z
<p>Toddyt1: /* Injection Vectors */</p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] and [[N90ap|iPhone 4]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
[[MuscleNerd]], and [[iPhone Dev Team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Injection Vectors==<br />
* [[AT+stkprof Exploit]] - used by yellowsn0w to unlock [[X-Gold 608]] baseband [[2.28.00]].<br />
* [[AT+XLOG Vulnerability]] - used by ultrasn0w to unlock [[X-Gold 608]] baseband [[4.26.08]].<br />
* [[AT+XAPP Vulnerability]] - used by ultrasn0w 0.93 to unlock public releases of [[X-Gold 608]] basebands [[4.26.08]] through [[5.13.04]] and [[06.15.00]], and [[XMM 6180]] baseband [[1.59.00]])<br />
<br />
==ultrasn0w payload with comments (by [[User:Oranav|Oranav]])==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ==<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband Device]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Baseband_Firmware&diff=13589
Baseband Firmware
2010-11-24T17:11:25Z
<p>Toddyt1: </p>
<hr />
<div>The main instruction set of the [[Baseband Device|baseband]]. You can get these files from /usr/local/standalone/firmware on the corresponding firmware's ramdisk.<br />
<br />
The baseband version that comes with each iPhone firmware is listed on the [[firmware]] page, and also on the [[X-Gold 608#Known_Firmware_Versions|X-Gold 608]] article for the [[N82ap|iPhone 3G]]/[[N88ap|3GS]].<br />
<br />
The EEP files is the external EEPROM file. The FLS is the firmware.<br />
<br />
The [[N90ap|iPhone 4]] has a single baseband firmware file. For example, the 4.0 baseband firmware filename is ICE3_01.59.00_BOOT_02.06.Release.bbfw. This is actually a .zip file which contains four baseband firmware files. As of [[iOS]] version 4.2.1 the baseband version is now checked by iOS.<br />
<br />
==Other links==<br />
[http://www.deloware.com/iphone/doku.php?id=bbupdater bbupdater]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Baseband_Bootloader&diff=13526
Baseband Bootloader
2010-11-23T22:26:44Z
<p>Toddyt1: /* 2.08 */</p>
<hr />
<div>The baseband bootloader is the code which runs before the baseband FW, it is responsible for signature checking and updating the baseband. See also [[bootloader]].<br />
<br />
==[[S-Gold 2]] Revisions==<br />
===3.1===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]].<br />
<br />
===3.8===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]]. It was often (unintentionally) installed when someone with a [[Fakeblank]]ed bootloader 3.9 downgraded to 1.0 or 1.1.1. This can be re-updated with [[BootNeuter]].<br />
<br />
===3.9===<br />
This is the old bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x400]] and [[IPSF]]<br />
<br />
===4.6===<br />
This is the new bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x20000 with Back Extend Erase]]<br />
<br />
==[[X-Gold 608]] Revisions==<br />
===5.8===<br />
This is the bootloader from the [[N82ap|iPhone 3G]]/[[X-Gold 608]]. It is, in contrast to 3.9 and 4.6, sig checked on startup. There is an exploit where the main fw cert is passed with the loader instead of the loader cert, and it checks the main firmware instead, allowing you to upload unsigned loader code. This has been fixed in 5.9. You can downgrade from 02.30.03 to 02.28.00 using [[pHaseBanDowngrader]] (by pH) in the Bootloader 5.8.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.8.fls.<br />
<br />
===5.9===<br />
This is the bootloader of version 2.1 and 2.2 OTB (and some 2.0 OTB) [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could downgrade their iPhone 3G baseband from 1.48 to 1.45. Now, all the iPhone 3G has bootloader 5.9 and higher. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.9.fls<br />
<br />
===6.2===<br />
This is the latest bootloader of version 2.2.1 OTB in 2008 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could unlock their iPhone 3G baseband version 2.28 by yellowsn0w. Now, all the iPhone 3G 2.2.1 OTB has bootloader 6.2. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.2.fls<br />
===6.4===<br />
This is the latest bootloader of version 2.2.1 OTB in 2009 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple released firmware 3.x beta for testing. [[N88ap|iPhone 3GS]] and [[K48ap|iPad 3G+WiFi]] units contain this bootloader as well. As of the 3.x firmwares (baseband v. 4.x), the baseband now contains the loader of bootloader 6.4.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.4.fls<br />
00.00:00.00:04.24 DRV_ICE2_IFWD_04.24.00 DUALMODE SGOLD3 Apr 7 2009 ÿÿÿÿ <br />
<br />
==[[X-Gold 618]] Revisions==<br />
===2.06===<br />
This is the bootloader that ships with the [[N90ap|iPhone 4]]. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.0-4.0.2 is ICE3_01.59.00_BOOT_02.06.Release.bbfw.<br />
<br />
===2.08===<br />
This is a new bootloader for the [[N90ap|iPhone 4]], it is unknown when the bootloader was updated (4.1 OOTB?). It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.1 is ICE3_02.10.04_BOOT_02.08.Release.bbfw.<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Baseband_Bootloader&diff=13500
Baseband Bootloader
2010-11-23T16:21:56Z
<p>Toddyt1: /* 2.08 */</p>
<hr />
<div>The baseband bootloader is the code which runs before the baseband FW, it is responsible for signature checking and updating the baseband. See also [[bootloader]].<br />
<br />
==[[S-Gold 2]] Revisions==<br />
===3.1===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]].<br />
<br />
===3.8===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]]. It was often (unintentionally) installed when someone with a [[Fakeblank]]ed bootloader 3.9 downgraded to 1.0 or 1.1.1. This can be re-updated with [[BootNeuter]].<br />
<br />
===3.9===<br />
This is the old bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x400]] and [[IPSF]]<br />
<br />
===4.6===<br />
This is the new bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x20000 with Back Extend Erase]]<br />
<br />
==[[X-Gold 608]] Revisions==<br />
===5.8===<br />
This is the bootloader from the [[N82ap|iPhone 3G]]/[[X-Gold 608]]. It is, in contrast to 3.9 and 4.6, sig checked on startup. There is an exploit where the main fw cert is passed with the loader instead of the loader cert, and it checks the main firmware instead, allowing you to upload unsigned loader code. This has been fixed in 5.9. You can downgrade from 02.30.03 to 02.28.00 using [[pHaseBanDowngrader]] (by pH) in the Bootloader 5.8.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.8.fls.<br />
<br />
===5.9===<br />
This is the bootloader of version 2.1 and 2.2 OTB (and some 2.0 OTB) [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could downgrade their iPhone 3G baseband from 1.48 to 1.45. Now, all the iPhone 3G has bootloader 5.9 and higher. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.9.fls<br />
<br />
===6.2===<br />
This is the latest bootloader of version 2.2.1 OTB in 2008 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could unlock their iPhone 3G baseband version 2.28 by yellowsn0w. Now, all the iPhone 3G 2.2.1 OTB has bootloader 6.2. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.2.fls<br />
===6.4===<br />
This is the latest bootloader of version 2.2.1 OTB in 2009 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple released firmware 3.x beta for testing. [[N88ap|iPhone 3GS]] and [[K48ap|iPad 3G+WiFi]] units contain this bootloader as well. As of the 3.x firmwares (baseband v. 4.x), the baseband now contains the loader of bootloader 6.4.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.4.fls<br />
00.00:00.00:04.24 DRV_ICE2_IFWD_04.24.00 DUALMODE SGOLD3 Apr 7 2009 ÿÿÿÿ <br />
<br />
==[[X-Gold 618]] Revisions==<br />
===2.06===<br />
This is the bootloader that ships with the [[N90ap|iPhone 4]]. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.0-4.0.2 is ICE3_01.59.00_BOOT_02.06.Release.bbfw.<br />
<br />
===2.08===<br />
This is a new bootloader for the [[N90ap|iPhone 4]], it is unknown when the bootloader was updated. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.1 is ICE3_02.10.04_BOOT_02.08.Release.bbfw.<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Baseband_Bootloader&diff=13499
Baseband Bootloader
2010-11-23T16:06:08Z
<p>Toddyt1: /* X-Gold 618 Revisions */</p>
<hr />
<div>The baseband bootloader is the code which runs before the baseband FW, it is responsible for signature checking and updating the baseband. See also [[bootloader]].<br />
<br />
==[[S-Gold 2]] Revisions==<br />
===3.1===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]].<br />
<br />
===3.8===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]]. It was often (unintentionally) installed when someone with a [[Fakeblank]]ed bootloader 3.9 downgraded to 1.0 or 1.1.1. This can be re-updated with [[BootNeuter]].<br />
<br />
===3.9===<br />
This is the old bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x400]] and [[IPSF]]<br />
<br />
===4.6===<br />
This is the new bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x20000 with Back Extend Erase]]<br />
<br />
==[[X-Gold 608]] Revisions==<br />
===5.8===<br />
This is the bootloader from the [[N82ap|iPhone 3G]]/[[X-Gold 608]]. It is, in contrast to 3.9 and 4.6, sig checked on startup. There is an exploit where the main fw cert is passed with the loader instead of the loader cert, and it checks the main firmware instead, allowing you to upload unsigned loader code. This has been fixed in 5.9. You can downgrade from 02.30.03 to 02.28.00 using [[pHaseBanDowngrader]] (by pH) in the Bootloader 5.8.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.8.fls.<br />
<br />
===5.9===<br />
This is the bootloader of version 2.1 and 2.2 OTB (and some 2.0 OTB) [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could downgrade their iPhone 3G baseband from 1.48 to 1.45. Now, all the iPhone 3G has bootloader 5.9 and higher. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.9.fls<br />
<br />
===6.2===<br />
This is the latest bootloader of version 2.2.1 OTB in 2008 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could unlock their iPhone 3G baseband version 2.28 by yellowsn0w. Now, all the iPhone 3G 2.2.1 OTB has bootloader 6.2. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.2.fls<br />
===6.4===<br />
This is the latest bootloader of version 2.2.1 OTB in 2009 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple released firmware 3.x beta for testing. [[N88ap|iPhone 3GS]] and [[K48ap|iPad 3G+WiFi]] units contain this bootloader as well. As of the 3.x firmwares (baseband v. 4.x), the baseband now contains the loader of bootloader 6.4.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.4.fls<br />
00.00:00.00:04.24 DRV_ICE2_IFWD_04.24.00 DUALMODE SGOLD3 Apr 7 2009 ÿÿÿÿ <br />
<br />
==[[X-Gold 618]] Revisions==<br />
===2.06===<br />
This is the bootloader that ships with the [[N90ap|iPhone 4]]. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.0-4.0.2 is ICE3_01.59.00_BOOT_02.06.Release.bbfw.<br />
<br />
===2.08===<br />
This is a new bootloader [[N90ap|iPhone 4]], it is unknown when the bootloader was updated. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.1 is ICE3_02.10.04_BOOT_02.08.Release.bbfw.<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Baseband_Bootloader&diff=13498
Baseband Bootloader
2010-11-23T16:04:54Z
<p>Toddyt1: /* 2.08 */</p>
<hr />
<div>The baseband bootloader is the code which runs before the baseband FW, it is responsible for signature checking and updating the baseband. See also [[bootloader]].<br />
<br />
==[[S-Gold 2]] Revisions==<br />
===3.1===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]].<br />
<br />
===3.8===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]]. It was often (unintentionally) installed when someone with a [[Fakeblank]]ed bootloader 3.9 downgraded to 1.0 or 1.1.1. This can be re-updated with [[BootNeuter]].<br />
<br />
===3.9===<br />
This is the old bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x400]] and [[IPSF]]<br />
<br />
===4.6===<br />
This is the new bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x20000 with Back Extend Erase]]<br />
<br />
==[[X-Gold 608]] Revisions==<br />
===5.8===<br />
This is the bootloader from the [[N82ap|iPhone 3G]]/[[X-Gold 608]]. It is, in contrast to 3.9 and 4.6, sig checked on startup. There is an exploit where the main fw cert is passed with the loader instead of the loader cert, and it checks the main firmware instead, allowing you to upload unsigned loader code. This has been fixed in 5.9. You can downgrade from 02.30.03 to 02.28.00 using [[pHaseBanDowngrader]] (by pH) in the Bootloader 5.8.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.8.fls.<br />
<br />
===5.9===<br />
This is the bootloader of version 2.1 and 2.2 OTB (and some 2.0 OTB) [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could downgrade their iPhone 3G baseband from 1.48 to 1.45. Now, all the iPhone 3G has bootloader 5.9 and higher. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.9.fls<br />
<br />
===6.2===<br />
This is the latest bootloader of version 2.2.1 OTB in 2008 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could unlock their iPhone 3G baseband version 2.28 by yellowsn0w. Now, all the iPhone 3G 2.2.1 OTB has bootloader 6.2. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.2.fls<br />
===6.4===<br />
This is the latest bootloader of version 2.2.1 OTB in 2009 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple released firmware 3.x beta for testing. [[N88ap|iPhone 3GS]] and [[K48ap|iPad 3G+WiFi]] units contain this bootloader as well. As of the 3.x firmwares (baseband v. 4.x), the baseband now contains the loader of bootloader 6.4.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.4.fls<br />
00.00:00.00:04.24 DRV_ICE2_IFWD_04.24.00 DUALMODE SGOLD3 Apr 7 2009 ÿÿÿÿ <br />
<br />
==[[X-Gold 618]] Revisions==<br />
===2.06===<br />
This is the bootloader that ships with the [[N90ap|iPhone 4]]. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.0-4.0.2 is ICE3_01.59.00_BOOT_02.06.Release.bbfw.<br />
<br />
===2.08===<br />
This is a new bootloader, it is unknown when apple updated. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.1 is ICE3_02.10.04_BOOT_02.08.Release.bbfw.<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Baseband_Bootloader&diff=13497
Baseband Bootloader
2010-11-23T16:04:08Z
<p>Toddyt1: /* X-Gold 618 Revisions */</p>
<hr />
<div>The baseband bootloader is the code which runs before the baseband FW, it is responsible for signature checking and updating the baseband. See also [[bootloader]].<br />
<br />
==[[S-Gold 2]] Revisions==<br />
===3.1===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]].<br />
<br />
===3.8===<br />
Found in the iOS 1.0 and 1.1.1 [[Restore/Update Ramdisks|ramdisk]]s for the [[M68ap|iPhone 2G]]. It was often (unintentionally) installed when someone with a [[Fakeblank]]ed bootloader 3.9 downgraded to 1.0 or 1.1.1. This can be re-updated with [[BootNeuter]].<br />
<br />
===3.9===<br />
This is the old bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x400]] and [[IPSF]]<br />
<br />
===4.6===<br />
This is the new bootloader from the [[M68ap|iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x20000 with Back Extend Erase]]<br />
<br />
==[[X-Gold 608]] Revisions==<br />
===5.8===<br />
This is the bootloader from the [[N82ap|iPhone 3G]]/[[X-Gold 608]]. It is, in contrast to 3.9 and 4.6, sig checked on startup. There is an exploit where the main fw cert is passed with the loader instead of the loader cert, and it checks the main firmware instead, allowing you to upload unsigned loader code. This has been fixed in 5.9. You can downgrade from 02.30.03 to 02.28.00 using [[pHaseBanDowngrader]] (by pH) in the Bootloader 5.8.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.8.fls.<br />
<br />
===5.9===<br />
This is the bootloader of version 2.1 and 2.2 OTB (and some 2.0 OTB) [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could downgrade their iPhone 3G baseband from 1.48 to 1.45. Now, all the iPhone 3G has bootloader 5.9 and higher. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.9.fls<br />
<br />
===6.2===<br />
This is the latest bootloader of version 2.2.1 OTB in 2008 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could unlock their iPhone 3G baseband version 2.28 by yellowsn0w. Now, all the iPhone 3G 2.2.1 OTB has bootloader 6.2. <br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.2.fls<br />
===6.4===<br />
This is the latest bootloader of version 2.2.1 OTB in 2009 [[N82ap|iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple released firmware 3.x beta for testing. [[N88ap|iPhone 3GS]] and [[K48ap|iPad 3G+WiFi]] units contain this bootloader as well. As of the 3.x firmwares (baseband v. 4.x), the baseband now contains the loader of bootloader 6.4.<br />
<br />
DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.4.fls<br />
00.00:00.00:04.24 DRV_ICE2_IFWD_04.24.00 DUALMODE SGOLD3 Apr 7 2009 ÿÿÿÿ <br />
<br />
==[[X-Gold 618]] Revisions==<br />
===2.06===<br />
This is the bootloader that ships with the [[N90ap|iPhone 4]]. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.0-4.0.2 is ICE3_01.59.00_BOOT_02.06.Release.bbfw.<br />
<br />
===2.08===<br />
This is a new bootloader. It has no known exploits. It is in a zip file with the baseband in the iPhone firmware. The name of the zip file in iOS 4.1 is ICE3_02.10.04_BOOT_02.08.Release.bbfw.<br />
[[Category:Baseband]]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=6782
Firmware
2010-06-29T09:39:32Z
<p>Toddyt1: /* iPod touch (3rd generation) */</p>
<hr />
<div>This is the operating system the iPhone/iPod Touch runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[K48ap|iPad]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="70"| [[Baseband]] (3G only)<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.2<br />
| [[Wildcat 7B367 (iPad)|Wildcat 7B367]]<br />
| 06.15.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPad/061-7987.20100403.mjiTr/iPad1,1_3.2_7B367_Restore.ipsw iPad1,1_3.2_7B367_Restore.ipsw]<br />
| <code>172e8297af74b91971a802e6ad137c891f553099</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 478,959,325<br />
|}<br />
<br />
===[[M68ap|iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code><br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{yes}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.11.02_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| <code>fb8bb3ee2e9a997affbb97868599f2995c78209c</code><br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| <code>a00b85a7a55d62a94be5fbf5effbc42fd63f3097</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| <code>7f5c0ff1f84a0202b75a55c3fcb362e415334d1e</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| <code>d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>797c02e7d660940e8d9a16cc7229ccf3f67dd8b1</code><br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>b3dec7580bd00dc4faf28449d9618ef40aeacc96</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>000811bac096011b50ebf6ec1ec2285b62fda4cb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| <code>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| <code>61de6a2bd6ceddc9ecabad1671b91a59b3824bc4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| <code>b84b57bea919bdc720287ec908c1378e7d7b5e1b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| <code>353b7745767b85932e14e262e69463620939bdf7</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| <code>cbfc6ff886ce89868a55547b9fb980dbf92e6418</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| <code>43b95ebe1e51f8d30eae916053396595c08440d3</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| <code>2afd3f8ede17390737f508473ed205506a0bd23f</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>34c391fbbc7b31b159372766de39ce5c9cc26ebb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| <code>b7b5f436f81c6f855410e8b44a3d432ccaacd6fc</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,536,460<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone)|Northstar 7D11]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7268.20091008.32pNe/iPhone1,1_3.1.2_7D11_Restore.ipsw iPhone1,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>e4a1171542dbbd3093516d9c02047b9f7e143050</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,515,888<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone)|SUNorthstarTwo 7E18]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7481.20100202.4orot/iPhone1,1_3.1.3_7E18_Restore.ipsw iPhone1,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>eab23a7f8d2a17cb71046c50fc5f67ec390a3c2b</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 238,319,275<br />
|}<br />
<br />
===[[N82ap|iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| <code>af9506ca0034e462674f9f59c5406f159eaf9fc1</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| <code>e81c7ac7e334a3e9d81b3b47894bfaa1ec495482</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| <code>bef7fef954293046420fbcf947379839178a195b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| <code>c6957dcbf2a95ccfd6dce374a727b1b7700a9043</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| <code>f67f8b2b842428bf89456cda0c2d5cf954d111a4</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|yellowsn0w]]}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| <code>e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| <code>94f1fb43de12bff0f168ce690b7e794cc6220ae3</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone 3G)|Kirkwood 7A400]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| <code>a148ff39fa4dea499e7a9dd007b63e90c4f56666</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| <code>9b3b3c148170b012012278efda9ff5c38282d559</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,361,339<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3G)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7265.20091008.Xsd32/iPhone1,2_3.1.2_7D11_Restore.ipsw iPhone1,2_3.1.2_7D11_Restore.ipsw]<br />
| <code>b1a6ab2771bb5da372ba75a8fa3e1d72b71359d0</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,340,786<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3G)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7468.20100202.pbnrt/iPhone1,2_3.1.3_7E18_Restore.ipsw iPhone1,2_3.1.3_7E18_Restore.ipsw]<br />
| <code>f5950afca546f93e281ba3cdb08bc0cfed7f0896</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 239,139,281<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3G)|Apex 8A293]]<br />
| 05.13.04<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7436.20100621.58Yt4/iPhone1,2_4.0_8A293_Restore.ipsw iPhone1,2_4.0_8A293_Restore.ipsw]<br />
| <code>ee1eba9281b902d7ff3f24d50f9aebff0df27f92</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 306,274,631<br />
|}<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
'''*'''Jailbreak on 4.0 is only possible with Pwnagetool, as long as it has the older bootroom (iBoot-359.3) and wasn't jailbroken using Spirit. See [[Untethered jailbreak|untethered-jailbreak]]<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| <code>d8534408c8679c830fd0c4e36ef9762c11ef73df</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>30006575af931e3da0521febace005152cdb8853</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3GS)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| <code>527c74f87588afa1d69c1e2c08eedc88f113013a</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,011,474<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3GS)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7270.20091008.phn32/iPhone2,1_3.1.2_7D11_Restore.ipsw iPhone2,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>6998bb7d9e869b2d89a08853312f9457d070fb1f</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,015,700<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3GS)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7472.20100202.8tugj/iPhone2,1_3.1.3_7E18_Restore.ipsw iPhone2,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>8cb3775e62c6f72059a962bf891b4e145b965052</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 305,122,343<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3GS)|Apex 8A293]]<br />
| 05.13.04<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7437.20100621.5urG8/iPhone2,1_4.0_8A293_Restore.ipsw iPhone2,1_4.0_8A293_Restore.ipsw]<br />
| <code>e065245874c73510ceb8fa4bd9388b60d46eb252</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 396,281,280<br />
|}<br />
<br />
===[[N90ap|iPhone 4]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 4)|Apex 8A293]]<br />
| 01.59.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7380.20100621,Vfgb5/iPhone3,1_4.0_8A293_Restore.ipsw iPhone3,1_4.0_8A293_Restore.ipsw]<br />
| <code>171c2a3995fa149f2a369ccd87f82c5c30da3f88</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{no}}<br />
| 607,363,121<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| <code>9b0d83c7f8b4328174a3f31e0e93f60e591ae143</code><br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| <code>84bbc6ea8bf29745195bc9926c1874f7c2a36f32</code><br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>108d8ffe9ea75e61cd5e57170ad388b7fa00d923</code><br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6</code><br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>c148d1eb1c979bb6434175411d4a372103a4fdd2</code><br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| <code>1b818911316e4248ee01d3ec67f9d39afc3db240</code><br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| <code>ae82798e85f9953b0f4798bad36187cb020c9d22</code><br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| <code>a81b6e7af4b85ef436d047f9da57c0f694d8964a</code><br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| <code>c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2</code><br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| <code>fc7f6d0972927df502ffca47438ca75dcccffaf3</code><br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| <code>081a7de363230fb38d0ce092cbbe42f2a50c8a5f</code><br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| <code>fc69be9e421bc0630567184506ab771f6b7ef68b</code><br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| <code>dff2bd14931225908a360fb8e60a336f17d2dd6d</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| <code>c6270780c166db4c9f4f0a7fa945754a1f9fe7e8</code><br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|-<br />
| 3.1.2<br />
| Northstar 7D11<br />
| Download Link Prohibited<br />
| <code>7367dd9ba58a3b9777307368a0128e696fdfc9a6</code><br />
| <br />
| {{yes}} <br />
| 249,780,497<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| Download Link Prohibited<br />
| <code>5f897990f19d2f093b35e0813d7d77806404fb1f</code><br />
|<br />
| {{yes}}<br />
| 235,678,189<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
<code>*</code>Due to a new bootrom designed to close the [[0x24000 Segment Overflow]], an iPod touch 2G with a model number beginning with "MC" cannot be jailbroken on 4.0.<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| <code>c3c700be49ad227d1152188e7c1e46b8958fd1e4</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| <code>34a0a489605f34d6cc6c9954edcaaf9a050deedc</code><br />
|<br />
| {{yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| <code>9af5625ea34acdd8abeb6fce71a72651d0c815d5</code><br />
|<br />
| {{yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| <code>0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42</code><br />
| 3.x is a paid upgrade series<br />
| {{yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 2G)|Northstar 7C145]]<br />
| Download Link Prohibited<br />
| <code>e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7</code><br />
| <br />
| {{yes}}<br />
| 277,753,989<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 2G)|Northstar 7D11]]<br />
| Download Link Prohibited<br />
| <code>e7c83d4a5baec0e81816ae1cd1caf9a4dc38ebf0</code><br />
| <br />
| {{yes}} <br />
| 277,794,671<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 2G)|SUNorthstarTwo 7E18]]<br />
| Download Link Prohibited<br />
| <code>5f4f5c01eda2f811f73167e7d1f82dbeed82367b</code><br />
|<br />
| {{yes}}<br />
| 263,275,211<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPod touch 2G)|Apex 8A293]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7435.20100621.tr49t/iPod2,1_4.0_8A293_Restore.ipsw iPod2,1_4.0_8A293_Restore.ipsw]<br />
| <code>c026c373bc535496a6f901de2ba37d4a487413bf</code><br />
|<br />
| {{yes}}<br />
| 330,278,777<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C145]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| <code>a3eddbe2cf77858bae7087dc8b2035f0d3097e57</code><br />
| Initial shipment.<br />
| {{yes}}<br />
<br />
| 311,702,789<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C146]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7238.20090918.23GhT/iPod3,1_3.1.1_7C146_Restore.ipsw iPod3,1_3.1.1_7C146_Restore.ipsw]<br />
| <code>f66a7286b261137f25ddbbd84047f9a7ea181904</code><br />
| <br />
| {{yes}}<br />
| 311,690,768<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 3G)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7271.20091008.Tch23/iPod3,1_3.1.2_7D11_Restore.ipsw iPod3,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>02dcee28d788d594a2939ab564f4f183af6ccdf2</code><br />
| <br />
| {{yes}}<br />
| 311,740,034<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7473.20100202.4i44t/iPod3,1_3.1.3_7E18_Restore.ipsw iPod3,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>375fd469b18bfc0b74c7cfa5b4d5945197b1d106</code><br />
|<br />
| {{yes}}<br />
| 295,870,806<br />
|-<br />
| 4.0<br />
| Apex 8A293<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7381.20100621.AzSP9/iPod3,1_4.0_8A293_Restore.ipsw iPod3,1_4.0_8A293_Restore.ipsw]<br />
| <code>36fe02b83f87d6305db572e1644841e3cd64cc7d</code><br />
|<br />
| {{yes}}<br />
| 384,178,784<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=6781
Firmware
2010-06-29T09:39:13Z
<p>Toddyt1: /* iPod touch (3rd generation) */</p>
<hr />
<div>This is the operating system the iPhone/iPod Touch runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[K48ap|iPad]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="70"| [[Baseband]] (3G only)<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.2<br />
| [[Wildcat 7B367 (iPad)|Wildcat 7B367]]<br />
| 06.15.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPad/061-7987.20100403.mjiTr/iPad1,1_3.2_7B367_Restore.ipsw iPad1,1_3.2_7B367_Restore.ipsw]<br />
| <code>172e8297af74b91971a802e6ad137c891f553099</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 478,959,325<br />
|}<br />
<br />
===[[M68ap|iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code><br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{yes}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.11.02_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| <code>fb8bb3ee2e9a997affbb97868599f2995c78209c</code><br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| <code>a00b85a7a55d62a94be5fbf5effbc42fd63f3097</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| <code>7f5c0ff1f84a0202b75a55c3fcb362e415334d1e</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| <code>d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>797c02e7d660940e8d9a16cc7229ccf3f67dd8b1</code><br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>b3dec7580bd00dc4faf28449d9618ef40aeacc96</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>000811bac096011b50ebf6ec1ec2285b62fda4cb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| <code>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| <code>61de6a2bd6ceddc9ecabad1671b91a59b3824bc4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| <code>b84b57bea919bdc720287ec908c1378e7d7b5e1b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| <code>353b7745767b85932e14e262e69463620939bdf7</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| <code>cbfc6ff886ce89868a55547b9fb980dbf92e6418</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| <code>43b95ebe1e51f8d30eae916053396595c08440d3</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| <code>2afd3f8ede17390737f508473ed205506a0bd23f</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>34c391fbbc7b31b159372766de39ce5c9cc26ebb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| <code>b7b5f436f81c6f855410e8b44a3d432ccaacd6fc</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,536,460<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone)|Northstar 7D11]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7268.20091008.32pNe/iPhone1,1_3.1.2_7D11_Restore.ipsw iPhone1,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>e4a1171542dbbd3093516d9c02047b9f7e143050</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,515,888<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone)|SUNorthstarTwo 7E18]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7481.20100202.4orot/iPhone1,1_3.1.3_7E18_Restore.ipsw iPhone1,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>eab23a7f8d2a17cb71046c50fc5f67ec390a3c2b</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 238,319,275<br />
|}<br />
<br />
===[[N82ap|iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| <code>af9506ca0034e462674f9f59c5406f159eaf9fc1</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| <code>e81c7ac7e334a3e9d81b3b47894bfaa1ec495482</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| <code>bef7fef954293046420fbcf947379839178a195b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| <code>c6957dcbf2a95ccfd6dce374a727b1b7700a9043</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| <code>f67f8b2b842428bf89456cda0c2d5cf954d111a4</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|yellowsn0w]]}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| <code>e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| <code>94f1fb43de12bff0f168ce690b7e794cc6220ae3</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone 3G)|Kirkwood 7A400]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| <code>a148ff39fa4dea499e7a9dd007b63e90c4f56666</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| <code>9b3b3c148170b012012278efda9ff5c38282d559</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,361,339<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3G)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7265.20091008.Xsd32/iPhone1,2_3.1.2_7D11_Restore.ipsw iPhone1,2_3.1.2_7D11_Restore.ipsw]<br />
| <code>b1a6ab2771bb5da372ba75a8fa3e1d72b71359d0</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,340,786<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3G)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7468.20100202.pbnrt/iPhone1,2_3.1.3_7E18_Restore.ipsw iPhone1,2_3.1.3_7E18_Restore.ipsw]<br />
| <code>f5950afca546f93e281ba3cdb08bc0cfed7f0896</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 239,139,281<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3G)|Apex 8A293]]<br />
| 05.13.04<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7436.20100621.58Yt4/iPhone1,2_4.0_8A293_Restore.ipsw iPhone1,2_4.0_8A293_Restore.ipsw]<br />
| <code>ee1eba9281b902d7ff3f24d50f9aebff0df27f92</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 306,274,631<br />
|}<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
'''*'''Jailbreak on 4.0 is only possible with Pwnagetool, as long as it has the older bootroom (iBoot-359.3) and wasn't jailbroken using Spirit. See [[Untethered jailbreak|untethered-jailbreak]]<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| <code>d8534408c8679c830fd0c4e36ef9762c11ef73df</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>30006575af931e3da0521febace005152cdb8853</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3GS)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| <code>527c74f87588afa1d69c1e2c08eedc88f113013a</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,011,474<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3GS)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7270.20091008.phn32/iPhone2,1_3.1.2_7D11_Restore.ipsw iPhone2,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>6998bb7d9e869b2d89a08853312f9457d070fb1f</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,015,700<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3GS)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7472.20100202.8tugj/iPhone2,1_3.1.3_7E18_Restore.ipsw iPhone2,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>8cb3775e62c6f72059a962bf891b4e145b965052</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 305,122,343<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3GS)|Apex 8A293]]<br />
| 05.13.04<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7437.20100621.5urG8/iPhone2,1_4.0_8A293_Restore.ipsw iPhone2,1_4.0_8A293_Restore.ipsw]<br />
| <code>e065245874c73510ceb8fa4bd9388b60d46eb252</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 396,281,280<br />
|}<br />
<br />
===[[N90ap|iPhone 4]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 4)|Apex 8A293]]<br />
| 01.59.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7380.20100621,Vfgb5/iPhone3,1_4.0_8A293_Restore.ipsw iPhone3,1_4.0_8A293_Restore.ipsw]<br />
| <code>171c2a3995fa149f2a369ccd87f82c5c30da3f88</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{no}}<br />
| 607,363,121<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| <code>9b0d83c7f8b4328174a3f31e0e93f60e591ae143</code><br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| <code>84bbc6ea8bf29745195bc9926c1874f7c2a36f32</code><br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>108d8ffe9ea75e61cd5e57170ad388b7fa00d923</code><br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6</code><br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>c148d1eb1c979bb6434175411d4a372103a4fdd2</code><br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| <code>1b818911316e4248ee01d3ec67f9d39afc3db240</code><br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| <code>ae82798e85f9953b0f4798bad36187cb020c9d22</code><br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| <code>a81b6e7af4b85ef436d047f9da57c0f694d8964a</code><br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| <code>c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2</code><br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| <code>fc7f6d0972927df502ffca47438ca75dcccffaf3</code><br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| <code>081a7de363230fb38d0ce092cbbe42f2a50c8a5f</code><br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| <code>fc69be9e421bc0630567184506ab771f6b7ef68b</code><br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| <code>dff2bd14931225908a360fb8e60a336f17d2dd6d</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| <code>c6270780c166db4c9f4f0a7fa945754a1f9fe7e8</code><br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|-<br />
| 3.1.2<br />
| Northstar 7D11<br />
| Download Link Prohibited<br />
| <code>7367dd9ba58a3b9777307368a0128e696fdfc9a6</code><br />
| <br />
| {{yes}} <br />
| 249,780,497<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| Download Link Prohibited<br />
| <code>5f897990f19d2f093b35e0813d7d77806404fb1f</code><br />
|<br />
| {{yes}}<br />
| 235,678,189<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
<code>*</code>Due to a new bootrom designed to close the [[0x24000 Segment Overflow]], an iPod touch 2G with a model number beginning with "MC" cannot be jailbroken on 4.0.<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| <code>c3c700be49ad227d1152188e7c1e46b8958fd1e4</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| <code>34a0a489605f34d6cc6c9954edcaaf9a050deedc</code><br />
|<br />
| {{yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| <code>9af5625ea34acdd8abeb6fce71a72651d0c815d5</code><br />
|<br />
| {{yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| <code>0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42</code><br />
| 3.x is a paid upgrade series<br />
| {{yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 2G)|Northstar 7C145]]<br />
| Download Link Prohibited<br />
| <code>e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7</code><br />
| <br />
| {{yes}}<br />
| 277,753,989<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 2G)|Northstar 7D11]]<br />
| Download Link Prohibited<br />
| <code>e7c83d4a5baec0e81816ae1cd1caf9a4dc38ebf0</code><br />
| <br />
| {{yes}} <br />
| 277,794,671<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 2G)|SUNorthstarTwo 7E18]]<br />
| Download Link Prohibited<br />
| <code>5f4f5c01eda2f811f73167e7d1f82dbeed82367b</code><br />
|<br />
| {{yes}}<br />
| 263,275,211<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPod touch 2G)|Apex 8A293]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7435.20100621.tr49t/iPod2,1_4.0_8A293_Restore.ipsw iPod2,1_4.0_8A293_Restore.ipsw]<br />
| <code>c026c373bc535496a6f901de2ba37d4a487413bf</code><br />
|<br />
| {{yes}}<br />
| 330,278,777<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C145]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| <code>a3eddbe2cf77858bae7087dc8b2035f0d3097e57</code><br />
| Initial shipment.<br />
| {{yes}}<br />
<br />
| 311,702,789<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C146]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7238.20090918.23GhT/iPod3,1_3.1.1_7C146_Restore.ipsw iPod3,1_3.1.1_7C146_Restore.ipsw]<br />
| <code>f66a7286b261137f25ddbbd84047f9a7ea181904</code><br />
| <br />
| {{yes}}<br />
| 311,690,768<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 3G)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7271.20091008.Tch23/iPod3,1_3.1.2_7D11_Restore.ipsw iPod3,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>02dcee28d788d594a2939ab564f4f183af6ccdf2</code><br />
| <br />
| {{yes}}<br />
| 311,740,034<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7473.20100202.4i44t/iPod3,1_3.1.3_7E18_Restore.ipsw iPod3,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>375fd469b18bfc0b74c7cfa5b4d5945197b1d106</code><br />
|<br />
| {{yes}}<br />
| 295,870,806<br />
|-<br />
| 4.0<br />
| Apex 8A293<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7381.20100621.AzSP9/iPod3,1_4.0_8A293_Restore.ipsw iPod3,1_4.0_8A293_Restore.ipsw]<br />
| <code>36fe02b83f87d6305db572e1644841e3cd64cc7d</code><br />
|<br />
| {{yes, not publicly available}}<br />
| 384,178,784<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=6780
Firmware
2010-06-29T09:38:30Z
<p>Toddyt1: /* iPod touch (3rd generation) */</p>
<hr />
<div>This is the operating system the iPhone/iPod Touch runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[K48ap|iPad]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="70"| [[Baseband]] (3G only)<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.2<br />
| [[Wildcat 7B367 (iPad)|Wildcat 7B367]]<br />
| 06.15.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPad/061-7987.20100403.mjiTr/iPad1,1_3.2_7B367_Restore.ipsw iPad1,1_3.2_7B367_Restore.ipsw]<br />
| <code>172e8297af74b91971a802e6ad137c891f553099</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 478,959,325<br />
|}<br />
<br />
===[[M68ap|iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code><br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{yes}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.11.02_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| <code>fb8bb3ee2e9a997affbb97868599f2995c78209c</code><br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| <code>a00b85a7a55d62a94be5fbf5effbc42fd63f3097</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| <code>7f5c0ff1f84a0202b75a55c3fcb362e415334d1e</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| <code>d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>797c02e7d660940e8d9a16cc7229ccf3f67dd8b1</code><br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>b3dec7580bd00dc4faf28449d9618ef40aeacc96</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>000811bac096011b50ebf6ec1ec2285b62fda4cb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| <code>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| <code>61de6a2bd6ceddc9ecabad1671b91a59b3824bc4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| <code>b84b57bea919bdc720287ec908c1378e7d7b5e1b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| <code>353b7745767b85932e14e262e69463620939bdf7</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| <code>cbfc6ff886ce89868a55547b9fb980dbf92e6418</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| <code>43b95ebe1e51f8d30eae916053396595c08440d3</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| <code>2afd3f8ede17390737f508473ed205506a0bd23f</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>34c391fbbc7b31b159372766de39ce5c9cc26ebb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| <code>b7b5f436f81c6f855410e8b44a3d432ccaacd6fc</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,536,460<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone)|Northstar 7D11]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7268.20091008.32pNe/iPhone1,1_3.1.2_7D11_Restore.ipsw iPhone1,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>e4a1171542dbbd3093516d9c02047b9f7e143050</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,515,888<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone)|SUNorthstarTwo 7E18]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7481.20100202.4orot/iPhone1,1_3.1.3_7E18_Restore.ipsw iPhone1,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>eab23a7f8d2a17cb71046c50fc5f67ec390a3c2b</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 238,319,275<br />
|}<br />
<br />
===[[N82ap|iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| <code>af9506ca0034e462674f9f59c5406f159eaf9fc1</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| <code>e81c7ac7e334a3e9d81b3b47894bfaa1ec495482</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| <code>bef7fef954293046420fbcf947379839178a195b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| <code>c6957dcbf2a95ccfd6dce374a727b1b7700a9043</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| <code>f67f8b2b842428bf89456cda0c2d5cf954d111a4</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|yellowsn0w]]}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| <code>e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| <code>94f1fb43de12bff0f168ce690b7e794cc6220ae3</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone 3G)|Kirkwood 7A400]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| <code>a148ff39fa4dea499e7a9dd007b63e90c4f56666</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| <code>9b3b3c148170b012012278efda9ff5c38282d559</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,361,339<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3G)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7265.20091008.Xsd32/iPhone1,2_3.1.2_7D11_Restore.ipsw iPhone1,2_3.1.2_7D11_Restore.ipsw]<br />
| <code>b1a6ab2771bb5da372ba75a8fa3e1d72b71359d0</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,340,786<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3G)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7468.20100202.pbnrt/iPhone1,2_3.1.3_7E18_Restore.ipsw iPhone1,2_3.1.3_7E18_Restore.ipsw]<br />
| <code>f5950afca546f93e281ba3cdb08bc0cfed7f0896</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 239,139,281<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3G)|Apex 8A293]]<br />
| 05.13.04<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7436.20100621.58Yt4/iPhone1,2_4.0_8A293_Restore.ipsw iPhone1,2_4.0_8A293_Restore.ipsw]<br />
| <code>ee1eba9281b902d7ff3f24d50f9aebff0df27f92</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 306,274,631<br />
|}<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
'''*'''Jailbreak on 4.0 is only possible with Pwnagetool, as long as it has the older bootroom (iBoot-359.3) and wasn't jailbroken using Spirit. See [[Untethered jailbreak|untethered-jailbreak]]<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| <code>d8534408c8679c830fd0c4e36ef9762c11ef73df</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>30006575af931e3da0521febace005152cdb8853</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3GS)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| <code>527c74f87588afa1d69c1e2c08eedc88f113013a</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,011,474<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3GS)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7270.20091008.phn32/iPhone2,1_3.1.2_7D11_Restore.ipsw iPhone2,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>6998bb7d9e869b2d89a08853312f9457d070fb1f</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,015,700<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3GS)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7472.20100202.8tugj/iPhone2,1_3.1.3_7E18_Restore.ipsw iPhone2,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>8cb3775e62c6f72059a962bf891b4e145b965052</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 305,122,343<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3GS)|Apex 8A293]]<br />
| 05.13.04<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7437.20100621.5urG8/iPhone2,1_4.0_8A293_Restore.ipsw iPhone2,1_4.0_8A293_Restore.ipsw]<br />
| <code>e065245874c73510ceb8fa4bd9388b60d46eb252</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 396,281,280<br />
|}<br />
<br />
===[[N90ap|iPhone 4]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 4)|Apex 8A293]]<br />
| 01.59.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7380.20100621,Vfgb5/iPhone3,1_4.0_8A293_Restore.ipsw iPhone3,1_4.0_8A293_Restore.ipsw]<br />
| <code>171c2a3995fa149f2a369ccd87f82c5c30da3f88</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{no}}<br />
| 607,363,121<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| <code>9b0d83c7f8b4328174a3f31e0e93f60e591ae143</code><br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| <code>84bbc6ea8bf29745195bc9926c1874f7c2a36f32</code><br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>108d8ffe9ea75e61cd5e57170ad388b7fa00d923</code><br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6</code><br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>c148d1eb1c979bb6434175411d4a372103a4fdd2</code><br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| <code>1b818911316e4248ee01d3ec67f9d39afc3db240</code><br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| <code>ae82798e85f9953b0f4798bad36187cb020c9d22</code><br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| <code>a81b6e7af4b85ef436d047f9da57c0f694d8964a</code><br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| <code>c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2</code><br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| <code>fc7f6d0972927df502ffca47438ca75dcccffaf3</code><br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| <code>081a7de363230fb38d0ce092cbbe42f2a50c8a5f</code><br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| <code>fc69be9e421bc0630567184506ab771f6b7ef68b</code><br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| <code>dff2bd14931225908a360fb8e60a336f17d2dd6d</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| <code>c6270780c166db4c9f4f0a7fa945754a1f9fe7e8</code><br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|-<br />
| 3.1.2<br />
| Northstar 7D11<br />
| Download Link Prohibited<br />
| <code>7367dd9ba58a3b9777307368a0128e696fdfc9a6</code><br />
| <br />
| {{yes}} <br />
| 249,780,497<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| Download Link Prohibited<br />
| <code>5f897990f19d2f093b35e0813d7d77806404fb1f</code><br />
|<br />
| {{yes}}<br />
| 235,678,189<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
<code>*</code>Due to a new bootrom designed to close the [[0x24000 Segment Overflow]], an iPod touch 2G with a model number beginning with "MC" cannot be jailbroken on 4.0.<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| <code>c3c700be49ad227d1152188e7c1e46b8958fd1e4</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| <code>34a0a489605f34d6cc6c9954edcaaf9a050deedc</code><br />
|<br />
| {{yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| <code>9af5625ea34acdd8abeb6fce71a72651d0c815d5</code><br />
|<br />
| {{yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| <code>0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42</code><br />
| 3.x is a paid upgrade series<br />
| {{yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 2G)|Northstar 7C145]]<br />
| Download Link Prohibited<br />
| <code>e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7</code><br />
| <br />
| {{yes}}<br />
| 277,753,989<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 2G)|Northstar 7D11]]<br />
| Download Link Prohibited<br />
| <code>e7c83d4a5baec0e81816ae1cd1caf9a4dc38ebf0</code><br />
| <br />
| {{yes}} <br />
| 277,794,671<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 2G)|SUNorthstarTwo 7E18]]<br />
| Download Link Prohibited<br />
| <code>5f4f5c01eda2f811f73167e7d1f82dbeed82367b</code><br />
|<br />
| {{yes}}<br />
| 263,275,211<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPod touch 2G)|Apex 8A293]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7435.20100621.tr49t/iPod2,1_4.0_8A293_Restore.ipsw iPod2,1_4.0_8A293_Restore.ipsw]<br />
| <code>c026c373bc535496a6f901de2ba37d4a487413bf</code><br />
|<br />
| {{yes}}<br />
| 330,278,777<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C145]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| <code>a3eddbe2cf77858bae7087dc8b2035f0d3097e57</code><br />
| Initial shipment.<br />
| {{yes}}<br />
<br />
| 311,702,789<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C146]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7238.20090918.23GhT/iPod3,1_3.1.1_7C146_Restore.ipsw iPod3,1_3.1.1_7C146_Restore.ipsw]<br />
| <code>f66a7286b261137f25ddbbd84047f9a7ea181904</code><br />
| <br />
| {{yes}}<br />
| 311,690,768<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 3G)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7271.20091008.Tch23/iPod3,1_3.1.2_7D11_Restore.ipsw iPod3,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>02dcee28d788d594a2939ab564f4f183af6ccdf2</code><br />
| <br />
| {{yes}}<br />
| 311,740,034<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7473.20100202.4i44t/iPod3,1_3.1.3_7E18_Restore.ipsw iPod3,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>375fd469b18bfc0b74c7cfa5b4d5945197b1d106</code><br />
|<br />
| {{yes}}<br />
| 295,870,806<br />
|-<br />
| 4.0<br />
| Apex 8A293<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7381.20100621.AzSP9/iPod3,1_4.0_8A293_Restore.ipsw iPod3,1_4.0_8A293_Restore.ipsw]<br />
| <code>36fe02b83f87d6305db572e1644841e3cd64cc7d</code><br />
|<br />
| {{yes(not publicly available)}}<br />
| 384,178,784<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Firmware&diff=6779
Firmware
2010-06-29T09:34:58Z
<p>Toddyt1: /* iPod touch (3rd generation) */</p>
<hr />
<div>This is the operating system the iPhone/iPod Touch runs. Latest Apple download links can be found [http://www.itunes.com/version here].<br />
<br />
==Comparison of firmware versions==<br />
<br />
===[[K48ap|iPad]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="70"| [[Baseband]] (3G only)<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.2<br />
| [[Wildcat 7B367 (iPad)|Wildcat 7B367]]<br />
| 06.15.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPad/061-7987.20100403.mjiTr/iPad1,1_3.2_7B367_Restore.ipsw iPad1,1_3.2_7B367_Restore.ipsw]<br />
| <code>172e8297af74b91971a802e6ad137c891f553099</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 478,959,325<br />
|}<br />
<br />
===[[M68ap|iPhone]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 1.0<br />
| [[Alpine 1A420]]<br />
| [http://img399.imageshack.us/i/iphone2go0.jpg/ 03.06.01_G]<br />
| iphoneproto.zip<br />
| <code>6e798e906c6590a7521ef89b731569be6d05b3aa</code><br />
| Prototype; [http://forums.macrumors.com/showthread.php?t=627449 macrumors]<br />
| {{yes}}<br />
| {{yes}}<br />
| 109,813,128<br />
|-<br />
| 1.0.0<br />
| Heavenly 1A543a<br />
| 03.11.02_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3538.20070629.B7vXa/iPhone1,1_1.0_1A543a_Restore.ipsw iPhone1,1_1.0_1A543a_Restore.ipsw]<br />
| <code>fb8bb3ee2e9a997affbb97868599f2995c78209c</code><br />
| Initial US shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 95,604,348<br />
|-<br />
| 1.0.1<br />
| Heavenly 1C25<br />
| 03.12.06_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3614.20070731.Nt6Y7/iPhone1,1_1.0.1_1C25_Restore.ipsw iPhone1,1_1.0.1_1C25_Restore.ipsw]<br />
| <code>a00b85a7a55d62a94be5fbf5effbc42fd63f3097</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,958<br />
|-<br />
| 1.0.2<br />
| Heavenly 1C28<br />
| 03.14.08_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3823.20070821.vormd/iPhone1,1_1.0.2_1C28_Restore.ipsw iPhone1,1_1.0.2_1C28_Restore.ipsw]<br />
| <code>7f5c0ff1f84a0202b75a55c3fcb362e415334d1e</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 95,627,324<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A109a<br />
| 04.01.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-3883.20070927.In76t/iPhone1,1_1.1.1_3A109a_Restore.ipsw iPhone1,1_1.1.1_3A109a_Restore.ipsw]<br />
| <code>d441dd1c71ce18f25d8fc4faa71c1e6eaa02d02c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 159,668,150<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| 04.02.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4037.20071107.5Bghn/iPhone1,1_1.1.2_3B48b_Restore.ipsw iPhone1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>797c02e7d660940e8d9a16cc7229ccf3f67dd8b1</code><br />
| Initial Euro shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| 167,927,501<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| 04.03.13_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4061.20080115.4Fvn7/iPhone1,1_1.1.3_4A93_Restore.ipsw iPhone1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>b3dec7580bd00dc4faf28449d9618ef40aeacc96</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,950,551<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| 04.04.05_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4313.20080226.Sw39i/iPhone1,1_1.1.4_4A102_Restore.ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>000811bac096011b50ebf6ec1ec2285b62fda4cb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 169,946,442<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4956.20080710.V50OI/iPhone1,1_2.0_5A347_Restore.ipsw iPhone1,1_2.0_5A347_Restore.ipsw]<br />
| <code>9c510a3cfce789fa5f92a8f763c231bac82ff6d4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 228,768,637<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5135.20080729.Vfgtr/iPhone1,1_2.0.1_5B108_Restore.ipsw iPhone1,1_2.0.1_5B108_Restore.ipsw]<br />
| <code>61de6a2bd6ceddc9ecabad1671b91a59b3824bc4</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 254,048,068<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5246.20080818.2V0hO/iPhone1,1_2.0.2_5C1_Restore.ipsw iPhone1,1_2.0.2_5C1_Restore.ipsw]<br />
| <code>b84b57bea919bdc720287ec908c1378e7d7b5e1b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 253,589,000<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5202.20080909.gkbEj/iPhone1,1_2.1_5F136_Restore.ipsw iPhone1,1_2.1_5F136_Restore.ipsw]<br />
| <code>353b7745767b85932e14e262e69463620939bdf7</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 242,171,241<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5779.20081120.Pt5yH/iPhone1,1_2.2_5G77_Restore.ipsw iPhone1,1_2.2_5G77_Restore.ipsw]<br />
| <code>cbfc6ff886ce89868a55547b9fb980dbf92e6418</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,576,980<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5830.20090127.Mmni6/iPhone1,1_2.2.1_5H11_Restore.ipsw iPhone1,1_2.2.1_5H11_Restore.ipsw]<br />
| <code>43b95ebe1e51f8d30eae916053396595c08440d3</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 257,593,705<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone)|Kirkwood 7A341]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6580.20090617.XsP76/iPhone1,1_3.0_7A341_Restore.ipsw iPhone1,1_3.0_7A341_Restore.ipsw]<br />
| <code>2afd3f8ede17390737f508473ed205506a0bd23f</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,394,111<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone)|Kirkwood 7A400]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6974.20090731.Cf4Tg/iPhone1,1_3.0.1_7A400_Restore.ipsw iPhone1,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>34c391fbbc7b31b159372766de39ce5c9cc26ebb</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 240,439,502<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone)|Northstar 7C144]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6605.20090909.PQ3ws/iPhone1,1_3.1_7C144_Restore.ipsw iPhone1,1_3.1_7C144_Restore.ipsw]<br />
| <code>b7b5f436f81c6f855410e8b44a3d432ccaacd6fc</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,536,460<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone)|Northstar 7D11]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7268.20091008.32pNe/iPhone1,1_3.1.2_7D11_Restore.ipsw iPhone1,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>e4a1171542dbbd3093516d9c02047b9f7e143050</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 252,515,888<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone)|SUNorthstarTwo 7E18]]<br />
| 04.05.04_G<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7481.20100202.4orot/iPhone1,1_3.1.3_7E18_Restore.ipsw iPhone1,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>eab23a7f8d2a17cb71046c50fc5f67ec390a3c2b</code><br />
|<br />
| {{yes}}<br />
| {{yes}}<br />
| 238,319,275<br />
|}<br />
<br />
===[[N82ap|iPhone 3G]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 2.0<br />
| Big Bear 5A345<br />
| 01.45.00<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes}}<br />
| <br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| 01.45.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-4955.20080710.bgt53/iPhone1,2_2.0_5A347_Restore.ipsw iPhone1,2_2.0_5A347_Restore.ipsw]<br />
| <code>af9506ca0034e462674f9f59c5406f159eaf9fc1</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 235,957,125<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| 01.48.02<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5134.20080729.Q2W3E/iPhone1,2_2.0.1_5B108_Restore.ipsw iPhone1,2_2.0.1_5B108_Restore.ipsw]<br />
| <code>e81c7ac7e334a3e9d81b3b47894bfaa1ec495482</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 261,224,227<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| 02.08.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5241.20080818.t5Fv3/iPhone1,2_2.0.2_5C1_Restore.ipsw iPhone1,2_2.0.2_5C1_Restore.ipsw]<br />
| <code>bef7fef954293046420fbcf947379839178a195b</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 260,761,030<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F136<br />
| 02.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5198.20080909.K3294/iPhone1,2_2.1_5F136_Restore.ipsw iPhone1,2_2.1_5F136_Restore.ipsw]<br />
| <code>c6957dcbf2a95ccfd6dce374a727b1b7700a9043</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 249,341,655<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| 02.28.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5778.20081120.Aqw4R/iPhone1,2_2.2_5G77_Restore.ipsw iPhone1,2_2.2_5G77_Restore.ipsw]<br />
| <code>f67f8b2b842428bf89456cda0c2d5cf954d111a4</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[Ultrasn0w|yellowsn0w]]}}<br />
| 258,342,348<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| 02.30.03<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5828.20090127.aQLi8/iPhone1,2_2.2.1_5H11_Restore.ipsw iPhone1,2_2.2.1_5H11_Restore.ipsw]<br />
| <code>e0098e6fab5c90b59e067e03ae3ccd4a7cd0f39c</code><br />
| <br />
| {{yes}}<br />
| {{yes}}<br />
| 258,359,073<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3G)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6578.20090617.VfgtU/iPhone1,2_3.0_7A341_Restore.ipsw iPhone1,2_3.0_7A341_Restore.ipsw]<br />
| <code>94f1fb43de12bff0f168ce690b7e794cc6220ae3</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 241,229,233<br />
|-<br />
| 3.0.1<br />
| [[Kirkwood 7A400 (iPhone 3G)|Kirkwood 7A400]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6972.20090731.Zx3Rr/iPhone1,2_3.0.1_7A400_Restore.ipsw iPhone1,2_3.0.1_7A400_Restore.ipsw]<br />
| <code>a148ff39fa4dea499e7a9dd007b63e90c4f56666</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 241,274,617<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3G)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6600.20090909.AwndZ/iPhone1,2_3.1_7C144_Restore.ipsw iPhone1,2_3.1_7C144_Restore.ipsw]<br />
| <code>9b3b3c148170b012012278efda9ff5c38282d559</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,361,339<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3G)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7265.20091008.Xsd32/iPhone1,2_3.1.2_7D11_Restore.ipsw iPhone1,2_3.1.2_7D11_Restore.ipsw]<br />
| <code>b1a6ab2771bb5da372ba75a8fa3e1d72b71359d0</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 253,340,786<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3G)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7468.20100202.pbnrt/iPhone1,2_3.1.3_7E18_Restore.ipsw iPhone1,2_3.1.3_7E18_Restore.ipsw]<br />
| <code>f5950afca546f93e281ba3cdb08bc0cfed7f0896</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 239,139,281<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3G)|Apex 8A293]]<br />
| 05.13.04<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7436.20100621.58Yt4/iPhone1,2_4.0_8A293_Restore.ipsw iPhone1,2_4.0_8A293_Restore.ipsw]<br />
| <code>ee1eba9281b902d7ff3f24d50f9aebff0df27f92</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 306,274,631<br />
|}<br />
<br />
===[[N88ap|iPhone 3GS]]===<br />
'''*'''Jailbreak on 4.0 is only possible with Pwnagetool, as long as it has the older bootroom (iBoot-359.3) and wasn't jailbroken using Spirit. See [[Untethered jailbreak|untethered-jailbreak]]<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPhone 3GS)|Kirkwood 7A341]]<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6582.20090617.LlI87/iPhone2,1_3.0_7A341_Restore.ipsw iPhone2,1_3.0_7A341_Restore.ipsw] <br />
| <code>d8534408c8679c830fd0c4e36ef9762c11ef73df</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 312,292,933<br />
|-<br />
| 3.0.1<br />
| Kirkwood 7A400<br />
| 04.26.08<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6976.20090731.Vgbt5/iPhone2,1_3.0.1_7A400_Restore.ipsw iPhone2,1_3.0.1_7A400_Restore.ipsw]<br />
| <code>30006575af931e3da0521febace005152cdb8853</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 312,330,244<br />
|-<br />
| 3.1<br />
| [[Northstar 7C144 (iPhone 3GS)|Northstar 7C144]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-6609.20090909.mwws4/iPhone2,1_3.1_7C144_Restore.ipsw iPhone2,1_3.1_7C144_Restore.ipsw]<br />
| <code>527c74f87588afa1d69c1e2c08eedc88f113013a</code><br />
| <br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,011,474<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPhone 3GS)|Northstar 7D11]]<br />
| 05.11.07<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7270.20091008.phn32/iPhone2,1_3.1.2_7D11_Restore.ipsw iPhone2,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>6998bb7d9e869b2d89a08853312f9457d070fb1f</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[blacksn0w]] or [[ultrasn0w]]}}<br />
| 321,015,700<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPhone 3GS)|SUNorthstarTwo 7E18]]<br />
| 05.12.01<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7472.20100202.8tugj/iPhone2,1_3.1.3_7E18_Restore.ipsw iPhone2,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>8cb3775e62c6f72059a962bf891b4e145b965052</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 305,122,343<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 3GS)|Apex 8A293]]<br />
| 05.13.04<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7437.20100621.5urG8/iPhone2,1_4.0_8A293_Restore.ipsw iPhone2,1_4.0_8A293_Restore.ipsw]<br />
| <code>e065245874c73510ceb8fa4bd9388b60d46eb252</code><br />
|<br />
| {{yes}}<br />
| {{yes|[[ultrasn0w]]}}<br />
| 396,281,280<br />
|}<br />
<br />
===[[N90ap|iPhone 4]]===<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="120"| Build<br />
!width="70"| [[Baseband]]<br />
!width="210"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="140"| Comments<br />
!width="95"| Can be [[jailbreak|jailbroken]]?<br />
!width="95"| Can be [[unlock|unlocked]] OTB?<br />
!width="70"| File Size<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPhone 4)|Apex 8A293]]<br />
| 01.59.00<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7380.20100621,Vfgb5/iPhone3,1_4.0_8A293_Restore.ipsw iPhone3,1_4.0_8A293_Restore.ipsw]<br />
| <code>171c2a3995fa149f2a369ccd87f82c5c30da3f88</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| {{no}}<br />
| 607,363,121<br />
|}<br />
<br />
===[[N45ap|iPod touch (1st generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 1.1<br />
| Snowbird 3A100a<br />
| No download available<br />
|<br />
| Initial shipment.<br />
| {{yes}}<br />
|<br />
|-<br />
| 1.1<br />
| Snowbird 3A101a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3882.20070910.N8uyT/iPod1,1_1.1_3A101a_Restore.ipsw iPod1,1_1.1_3A101a_Restore.ipsw]<br />
| <code>9b0d83c7f8b4328174a3f31e0e93f60e591ae143</code><br />
|<br />
| {{yes}}<br />
| 157,890,186<br />
|-<br />
| 1.1.1<br />
| Snowbird 3A110a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw iPod1,1_1.1.1_3A110a_Restore.ipsw]<br />
| <code>84bbc6ea8bf29745195bc9926c1874f7c2a36f32</code><br />
|<br />
| {{yes}}<br />
| 157,906,686<br />
|-<br />
| 1.1.2<br />
| Oktoberfest 3B48b<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw iPod1,1_1.1.2_3B48b_Restore.ipsw]<br />
| <code>108d8ffe9ea75e61cd5e57170ad388b7fa00d923</code><br />
|<br />
| {{yes}}<br />
| 165,567,897<br />
|-<br />
| 1.1.3<br />
| Little Bear 4A93<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-4060.20080115.9Iuh5/iPod1,1_1.1.3_4A93_Restore.ipsw iPod1,1_1.1.3_4A93_Restore.ipsw]<br />
| <code>8dca23eec69d5ae58fbf3d4a23276e46cbb2e3c6</code><br />
|<br />
| {{yes}}<br />
| 173,511,411<br />
|-<br />
| 1.1.4<br />
| Little Bear 4A102<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4312.20080226.Btu45/iPod1,1_1.1.4_4A102_Restore.ipsw iPod1,1_1.1.4_4A102_Restore.ipsw]<br />
| <code>c148d1eb1c979bb6434175411d4a372103a4fdd2</code><br />
| <br />
| {{yes}}<br />
| 173,519,589<br />
|-<br />
| 1.1.5<br />
| Little Bear 4B1<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4841.20080714.bgy8O/iPod1,1_1.1.5_4B1_Restore.ipsw iPod1,1_1.1.5_4B1_Restore.ipsw]<br />
| <code>1b818911316e4248ee01d3ec67f9d39afc3db240</code><br />
|<br />
| {{yes}}<br />
| 173,519,637<br />
|-<br />
| 2.0<br />
| Big Bear 5A347<br />
| Download Link Prohibited<br />
| <code>ae82798e85f9953b0f4798bad36187cb020c9d22</code><br />
| 2.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 233,409,573<br />
|-<br />
| 2.0.1<br />
| Big Bear 5B108<br />
| Download Link Prohibited<br />
| <code>a81b6e7af4b85ef436d047f9da57c0f694d8964a</code><br />
| <br />
| {{yes}}<br />
| 258,660,321<br />
|-<br />
| 2.0.2<br />
| Big Bear 5C1<br />
| Download Link Prohibited<br />
| <code>c8b6f9fefa3f3777c56285dfe4c735b1e08a81a2</code><br />
| <br />
| {{yes}}<br />
| 258,201,218<br />
|-<br />
| 2.1<br />
| Sugar Bowl 5F137<br />
| Download Link Prohibited<br />
| <code>fc7f6d0972927df502ffca47438ca75dcccffaf3</code><br />
| <br />
| {{yes}}<br />
| 251,155,156<br />
|-<br />
| 2.2<br />
| Timberline 5G77<br />
| Download Link Prohibited<br />
| <code>081a7de363230fb38d0ce092cbbe42f2a50c8a5f</code><br />
| <br />
| {{yes}}<br />
| 260,186,851<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11<br />
| Download Link Prohibited<br />
| <code>fc69be9e421bc0630567184506ab771f6b7ef68b</code><br />
| <br />
| {{yes}}<br />
| 260,166,688<br />
|-<br />
| 3.0<br />
| Kirkwood 7A341<br />
| Download Link Prohibited<br />
| <code>dff2bd14931225908a360fb8e60a336f17d2dd6d</code><br />
| 3.0+ is a paid upgrade series<br />
| {{yes}}<br />
| 242,458,552<br />
|-<br />
| 3.1.1<br />
| Northstar 7C145<br />
| Download Link Prohibited<br />
| <code>c6270780c166db4c9f4f0a7fa945754a1f9fe7e8</code><br />
| <br />
| {{yes}}<br />
| 249,755,862<br />
|-<br />
| 3.1.2<br />
| Northstar 7D11<br />
| Download Link Prohibited<br />
| <code>7367dd9ba58a3b9777307368a0128e696fdfc9a6</code><br />
| <br />
| {{yes}} <br />
| 249,780,497<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| Download Link Prohibited<br />
| <code>5f897990f19d2f093b35e0813d7d77806404fb1f</code><br />
|<br />
| {{yes}}<br />
| 235,678,189<br />
|}<br />
<br />
===[[N72ap|iPod touch (2nd generation)]]===<br />
<code>*</code>Due to a new bootrom designed to close the [[0x24000 Segment Overflow]], an iPod touch 2G with a model number beginning with "MC" cannot be jailbroken on 4.0.<br />
<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 2.1.1<br />
| [[Sugar Bowl 5F138]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5494.20080909.8i9o0/iPod2,1_2.1.1_5F138_Restore.ipsw iPod2,1_2.1.1_5F138_Restore.ipsw]<br />
| <code>c3c700be49ad227d1152188e7c1e46b8958fd1e4</code><br />
| Initial shipment.<br />
| {{yes}}<br />
| 282,083,944<br />
|-<br />
| 2.2<br />
| Timberline 5G77a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/061-5358.20081120.Gtghy/iPod2,1_2.2_5G77a_Restore.ipsw iPod2,1_2.2_5G77a_Restore.ipsw]<br />
| <code>34a0a489605f34d6cc6c9954edcaaf9a050deedc</code><br />
|<br />
| {{yes}}<br />
| 291,123,491<br />
|-<br />
| 2.2.1<br />
| SUTimberline 5H11a<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-5863.20090127.rt56K/iPod2,1_2.2.1_5H11a_Restore.ipsw iPod2,1_2.2.1_5H11a_Restore.ipsw]<br />
| <code>9af5625ea34acdd8abeb6fce71a72651d0c815d5</code><br />
|<br />
| {{yes}}<br />
| 291,140,244<br />
|-<br />
| 3.0<br />
| [[Kirkwood 7A341 (iPod touch 2G)|Kirkwood 7A341]]<br />
| Download Link Prohibited<br />
| <code>0f7fc76d9b9aa826b5ab14be9821a315d3d9dc42</code><br />
| 3.x is a paid upgrade series<br />
| {{yes}}<br />
| 270,315,364<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 2G)|Northstar 7C145]]<br />
| Download Link Prohibited<br />
| <code>e0d8800a4fc7cc5be6976ddbceb43c2d2a7120d7</code><br />
| <br />
| {{yes}}<br />
| 277,753,989<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 2G)|Northstar 7D11]]<br />
| Download Link Prohibited<br />
| <code>e7c83d4a5baec0e81816ae1cd1caf9a4dc38ebf0</code><br />
| <br />
| {{yes}} <br />
| 277,794,671<br />
|-<br />
| 3.1.3<br />
| [[SUNorthstarTwo 7E18 (iPod touch 2G)|SUNorthstarTwo 7E18]]<br />
| Download Link Prohibited<br />
| <code>5f4f5c01eda2f811f73167e7d1f82dbeed82367b</code><br />
|<br />
| {{yes}}<br />
| 263,275,211<br />
|-<br />
| 4.0<br />
| [[Apex 8A293 (iPod touch 2G)|Apex 8A293]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7435.20100621.tr49t/iPod2,1_4.0_8A293_Restore.ipsw iPod2,1_4.0_8A293_Restore.ipsw]<br />
| <code>c026c373bc535496a6f901de2ba37d4a487413bf</code><br />
|<br />
| {{yes}}<br />
| 330,278,777<br />
|}<br />
<br />
===[[N18AP|iPod touch (3rd generation)]]===<br />
{| class="wikitable sortable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
!width="40"| Version<br />
!width="168"| Build<br />
!width="200"| IPSW Download URL<br />
!width="220"| SHA1 Hash<br />
!width="150"| Comments<br />
!width="100"| Can be [[jailbreak|jailbroken]]?<br />
!width="70"| File Size<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C145]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7163.20090909.NtstR/iPod3,1_3.1.1_7C145_Restore.ipsw iPod3,1_3.1.1_7C145_Restore.ipsw]<br />
| <code>a3eddbe2cf77858bae7087dc8b2035f0d3097e57</code><br />
| Initial shipment.<br />
| {{yes}}<br />
<br />
| 311,702,789<br />
|-<br />
| 3.1.1<br />
| [[Northstar 7C145 (iPod touch 3G)|Northstar 7C146]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7238.20090918.23GhT/iPod3,1_3.1.1_7C146_Restore.ipsw iPod3,1_3.1.1_7C146_Restore.ipsw]<br />
| <code>f66a7286b261137f25ddbbd84047f9a7ea181904</code><br />
| <br />
| {{yes}}<br />
| 311,690,768<br />
|-<br />
| 3.1.2<br />
| [[Northstar 7D11 (iPod touch 3G)|Northstar 7D11]]<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7271.20091008.Tch23/iPod3,1_3.1.2_7D11_Restore.ipsw iPod3,1_3.1.2_7D11_Restore.ipsw]<br />
| <code>02dcee28d788d594a2939ab564f4f183af6ccdf2</code><br />
| <br />
| {{yes}}<br />
| 311,740,034<br />
|-<br />
| 3.1.3<br />
| SUNorthstarTwo 7E18<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone/061-7473.20100202.4i44t/iPod3,1_3.1.3_7E18_Restore.ipsw iPod3,1_3.1.3_7E18_Restore.ipsw]<br />
| <code>375fd469b18bfc0b74c7cfa5b4d5945197b1d106</code><br />
|<br />
| {{yes}}<br />
| 295,870,806<br />
|-<br />
| 4.0<br />
| Apex 8A293<br />
| [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPhone4/061-7381.20100621.AzSP9/iPod3,1_4.0_8A293_Restore.ipsw iPod3,1_4.0_8A293_Restore.ipsw]<br />
| <code>36fe02b83f87d6305db572e1644841e3cd64cc7d</code><br />
|<br />
| {{no}}<br />
| 384,178,784<br />
|}<br />
<br />
==See also==<br />
* [[VFDecrypt Keys]]<br />
<br />
==Resources==<br />
*[http://www.trejan.com/projects/ipod/ Firmware List]<br />
*[http://pastebin.ca/1209360 A link of interest...]</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Jailbreak&diff=6771
Jailbreak
2010-06-28T16:22:19Z
<p>Toddyt1: /* iPod Touch 3g */</p>
<hr />
<div>This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition as read-write. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial unlocking can be applied.<br />
<br />
The original jailbreak also included modifying the [[AFC|afc]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC|afc2]]) that allows access to the full filesystem.<br />
<br />
Modern jailbreaks also include patching the kernel to get around code signing and other restrictions.<br />
<br />
==Exploits which were used in order to jailbreak (in chronological order)==<br />
=== 1.0.2 ===<br />
* [[Restore Mode]] (iBoot had a command named cp, which had access to the whole filesystem)<br />
=== 1.1.1 ===<br />
* [[Symlinks]] (an upgrade jailbreak)<br />
* [[LibTiff | libtiff exploit]] (Adapted from the PSP scene, used by [[Jailbreakme]])<br />
=== 1.1.2 ===<br />
* [[Mknod]] (an upgrade jailbreak)<br />
=== 1.1.3 / 1.1.4 ===<br />
* [[Soft Upgrade]] (an upgrade jailbreak)<br />
* [[Ramdisk Hack]]<br />
<br />
==Exploits which are used in order to jailbreak 2.0 and above==<br />
===iPhone / iPhone 3G / iPod Touch===<br />
* [[Pwnage]] and [[Pwnage 2.0]] (together)<br />
<br />
===iPod Touch 2G===<br />
* [[ARM7 Go]] (used by tethered jailbreaks)<br />
* [[0x24000 Segment Overflow]]<br />
<br />
===iPhone 3GS===<br />
* [[iBoot Environment Variable Overflow]] (also uses the [[24kPwn]] exploit to make it untethered)<br />
* [[usb_control_msg(0x21, 2) Exploit]] (also uses the [[24kPwn]] exploit to make it untethered)<br />
<br />
===iPod Touch 3g===<br />
*[[usb_control_msg(0x21, 2) Exploit]] (tethered only)</div>
Toddyt1
https://www.theiphonewiki.com/w/index.php?title=Jailbreak&diff=6770
Jailbreak
2010-06-28T16:21:47Z
<p>Toddyt1: /* Exploits which are used in order to jailbreak 2.0 and above */</p>
<hr />
<div>This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition as read-write. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial unlocking can be applied.<br />
<br />
The original jailbreak also included modifying the [[AFC|afc]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC|afc2]]) that allows access to the full filesystem.<br />
<br />
Modern jailbreaks also include patching the kernel to get around code signing and other restrictions.<br />
<br />
==Exploits which were used in order to jailbreak (in chronological order)==<br />
=== 1.0.2 ===<br />
* [[Restore Mode]] (iBoot had a command named cp, which had access to the whole filesystem)<br />
=== 1.1.1 ===<br />
* [[Symlinks]] (an upgrade jailbreak)<br />
* [[LibTiff | libtiff exploit]] (Adapted from the PSP scene, used by [[Jailbreakme]])<br />
=== 1.1.2 ===<br />
* [[Mknod]] (an upgrade jailbreak)<br />
=== 1.1.3 / 1.1.4 ===<br />
* [[Soft Upgrade]] (an upgrade jailbreak)<br />
* [[Ramdisk Hack]]<br />
<br />
==Exploits which are used in order to jailbreak 2.0 and above==<br />
===iPhone / iPhone 3G / iPod Touch===<br />
* [[Pwnage]] and [[Pwnage 2.0]] (together)<br />
<br />
===iPod Touch 2G===<br />
* [[ARM7 Go]] (used by tethered jailbreaks)<br />
* [[0x24000 Segment Overflow]]<br />
<br />
===iPhone 3GS===<br />
* [[iBoot Environment Variable Overflow]] (also uses the [[24kPwn]] exploit to make it untethered)<br />
* [[usb_control_msg(0x21, 2) Exploit]] (also uses the [[24kPwn]] exploit to make it untethered)<br />
<br />
===iPod Touch 3g===<br />
*[[usb_control_msg(0x21, 2) exploit]] (tethered only)</div>
Toddyt1