The iPhone Wiki - User contributions [en]

Telluride 9A334 (iPod3,1)

2011-10-17T16:28:43Z

Yoniyoni: Created page with "{{keys | version = 5.0GM and 5.0 | build = 9A334 | device = ipod31 | codename = Telluride | rootfsdmg..."

{{keys
| version = 5.0[[Golden Master|GM]] and 5.0
| build = 9A334
| device = ipod31
| codename = Telluride

| rootfsdmg = 018-7994-366
| rootfskey =

| noupdateramdisk = true

| restoredmg = 018-7921-345
| restoreiv =
| restorekey =

| AppleLogoIV = c435e272dda369cc4b7092c62aadad1d
| AppleLogoKey = 4170df432022215513338d91f6eebb65eff9c7e420a3b1b62916747dabe09c89

| BatteryCharging0IV =
| BatteryCharging0Key =

| BatteryCharging1IV =
| BatteryCharging1Key =

| BatteryFullIV =
| BatteryFullKey =

| BatteryLow0IV =
| BatteryLow0Key =

| BatteryLow1IV =
| BatteryLow1Key =

| DeviceTreeIV =
| DeviceTreeKey =

| GlyphChargingIV =
| GlyphChargingKey =

| GlyphPluginIV =
| GlyphPluginKey =

| iBECIV = 55f413e7683fede0a383129fe195aa61
| iBECKey = b47591cfda74819c1d1696bd0ba6b6ff047fe1a7eeb45635d652d8aadf48a21f

| iBootIV =
| iBootKey =

| iBSSIV = 580904dfefa76c52185c1f06a6d7152b
| iBSSKey = fcd9b12b40b5b71c487fe464f67559678c1aea3bdc4de74e6eef236a98d3e3aa

| KernelcacheIV = d302fccd2f70f8f36f9dcf541ce4821d
| KernelcacheKey = cc578a9f47de9904d96cd6c9fa0ff138f8cb14841c082489abe0e4ae4b9ba327

| LLBIV =
| LLBKey =

| RecoveryModeIV =
| RecoveryModeKey =
}}

ITunes Errors/Below 100

2011-10-02T14:23:22Z

Yoniyoni: /* Error 20 */

=== Error 1 ===

* You are attempting to downgrade an iPhone from iOS 5 to iOS 4.x. To resolve, use either custom firmware created by [[PwnageTool]]/[[sn0wbreeze]] or use [[User:semaphore|notcom]]'s [[FixRecovery]] utility available on [http://thefirmwareumbrella.blogspot.com his site].
* On an [[iPhone 4]] downgrading from iOS 5, use the option in [[TinyUmbrella]] to allow a baseband "upgrade" to bypass the error and go back to basband [[4.10.1]].
* Unable to downgrade. Try changing the USB port (the back one of chassis is better) and restart computer.
* The installed version of [[iTunes]] may also be too old. Update iTunes.

=== Error 2 ===
* ASR does not exist on ramdisk or is corrupt/not signed.
* [[sn0wbreeze]] 1.6 Custom Firmware has a [[ASR]] patch problem. Use [[sn0wbreeze]] 1.7+ or [[PwnageTool]]. Device isn't bootable.

=== Error 6 ===
Not enter the downgrading mode, change USB port (the back one of chassis is better) and restart computer.

=== Error 9 ===
* Due to asr being patched, the SHA signature is automatically changed and after being resigned the kernel will refuse to use it. Therefore proper kernel patches are required. If necessary kernel patches are not applied, it will fail to load asr and error 9 would occur during restore.
* Rebooting your Mac or PC may resolve this issue.

=== Error 10 ===
[[LLB]] is missing from the [[IPSW File Format|IPSW]]. The device cannot be booted up. The trick to skip the baseband update no longer works.

=== Error 11 ===
* Removed [[Baseband|BB]]<nowiki />FW file in the firmware folder of an unzipped [[IPSW File Format|IPSW]]. Can also be used to prevent a baseband update. The device is bootable, if you set the auto-boot to true or use TinyUmbrella and use "Kick Device out of Recovery".
* You are trying to update to a custom firmware from [[PwnageTool]] 4.1+. You always have to go into DFU mode and restore from there.

=== Error 13 ===
* Occurs when you want to install a beta firmware with [[iTunes]] for Windows (actively blocked by Apple; beta users are developers and therefore must have a Mac).
* USB problem. Check the USB connection and try other direct ports or maybe the USB cable is an older one. Device isn't bootable.
* The installed version of [[iTunes]] may also be too old. For firmwares 4.0 and higher you need iTunes 9.2 or higher. Update iTunes.

=== Error 14 ===
* Custom firmware update fail ([[PwnageTool]] until 4.0.1). You have to restore the device with a custom firmware. Update to a custom firmware isn't working. Device isn't bootable. <sup>2</sup>
* USB Problem. Check the USB connection and try other direct ports or maybe the USB cable is an older one. Device isn't bootable.
* You're trying to 'update' to a [[Beta Firmware|beta firmware]] instead of performing a restore. Device is still bootable if you kick it out of recovery mode.
* Rebooting your Mac or PC may resolve this issue.

=== Error 17 ===
* Device failed to display the applelogo img3 which results in this error.
* One or more of the nand0/nor0 flash images were missing from the IPSW.

=== Error 18 ===
This occurs when the media library on the device is corrupt and cannot be modified or updated.

Updating to the latest version of iTunes and then restoring should resolve this issue

=== Error 20 ===
Reportedly happens during failed downgrade attempts (iOS 2.0 to 1.1.1, 5 beta to 4.3.3).

I've managed to get around this by doing the downgrade from DFU instead of Recovery.

=== Error 21 ===
Custom firmware restore fail ([[PwnageTool]] since 4.1). You have to put your device into the DFU mode and not into recovery mode. Device won't boot correctly an stuck at the Apple logo after the error. Press and hold power and home button until it reboots.

=== Error 23 ===
Cannot restore or update due to hardware problems.
* In software you have to set default web browser.
* In hardware, it's a communication problem. Check all connections, also try to change battery.
* Faulty [[baseband]] flash or processor
* Happens frequently after water damage. Remove and clean motherboard.

=== Error 26 ===
* Values or variables in the options property list within the ramdisk are incorrect.
* False version of the [[NOR]] flash firmware. Use the correct [[sn0wbreeze]] version.

=== Error 28 ===
* Hardware error. Return your device to Apple if possible. The problem is a bad dock connector on the iPhone. Must change the connector.
* If you have tried almost everything, reset the logic board (leave uncharged for five days or remove battery for half an hour), then pwn and restore. If this doesn't work, the {{wp|flash memory}}/{{wp|hard drive}} of your device is damaged.

=== Error 29 ===
See [http://discussions.apple.com/ Apple's discussion thread] number [http://discussions.apple.com/thread.jspa?threadID=2329795 2329795] about this problem. You might need to change the battery.

=== Error 31 ===
{{main|DFU Loop}}

=== Error 34 ===
Hard disk is run out of space when trying to download. Clear space and then continue downloading.

=== Error 37 ===
* [[N72ap|iPod touch 2G]] [[LLB]] patched with the [[0x24000 Segment Overflow]] was used on an [[N88ap|iPhone 3GS]] custom firmware. Known on damaged bundles from unofficial [[PwnageTool]] distributions or bundles.
* [[sn0wbreeze]] 2.0.1 bug, which was fixed in 2.0.2.
* Recent [[sn0wbreeze]] can cause this issue. Deselect all custom boot logos, recreate [[IPSW File Format|IPSW]]. If received on an [[N88ap|iPhone 3GS]], select "new boot-rom" and deselect all custom bootlogos, then recreate the [[IPSW File Format|IPSW]].

=== Error 40 ===
Hacktivation bug in [[Sn0wbreeze]] 2.0.1, which was fixed in [[Sn0wbreeze]] 2.0.2.

=== Error 46 ===
?

ITunes Errors/Below 100

2011-10-02T14:22:50Z

Yoniyoni: /* Error 20 */

=== Error 1 ===

* You are attempting to downgrade an iPhone from iOS 5 to iOS 4.x. To resolve, use either custom firmware created by [[PwnageTool]]/[[sn0wbreeze]] or use [[User:semaphore|notcom]]'s [[FixRecovery]] utility available on [http://thefirmwareumbrella.blogspot.com his site].
* On an [[iPhone 4]] downgrading from iOS 5, use the option in [[TinyUmbrella]] to allow a baseband "upgrade" to bypass the error and go back to basband [[4.10.1]].
* Unable to downgrade. Try changing the USB port (the back one of chassis is better) and restart computer.
* The installed version of [[iTunes]] may also be too old. Update iTunes.

=== Error 2 ===
* ASR does not exist on ramdisk or is corrupt/not signed.
* [[sn0wbreeze]] 1.6 Custom Firmware has a [[ASR]] patch problem. Use [[sn0wbreeze]] 1.7+ or [[PwnageTool]]. Device isn't bootable.

=== Error 6 ===
Not enter the downgrading mode, change USB port (the back one of chassis is better) and restart computer.

=== Error 9 ===
* Due to asr being patched, the SHA signature is automatically changed and after being resigned the kernel will refuse to use it. Therefore proper kernel patches are required. If necessary kernel patches are not applied, it will fail to load asr and error 9 would occur during restore.
* Rebooting your Mac or PC may resolve this issue.

=== Error 10 ===
[[LLB]] is missing from the [[IPSW File Format|IPSW]]. The device cannot be booted up. The trick to skip the baseband update no longer works.

=== Error 11 ===
* Removed [[Baseband|BB]]<nowiki />FW file in the firmware folder of an unzipped [[IPSW File Format|IPSW]]. Can also be used to prevent a baseband update. The device is bootable, if you set the auto-boot to true or use TinyUmbrella and use "Kick Device out of Recovery".
* You are trying to update to a custom firmware from [[PwnageTool]] 4.1+. You always have to go into DFU mode and restore from there.

=== Error 13 ===
* Occurs when you want to install a beta firmware with [[iTunes]] for Windows (actively blocked by Apple; beta users are developers and therefore must have a Mac).
* USB problem. Check the USB connection and try other direct ports or maybe the USB cable is an older one. Device isn't bootable.
* The installed version of [[iTunes]] may also be too old. For firmwares 4.0 and higher you need iTunes 9.2 or higher. Update iTunes.

=== Error 14 ===
* Custom firmware update fail ([[PwnageTool]] until 4.0.1). You have to restore the device with a custom firmware. Update to a custom firmware isn't working. Device isn't bootable. <sup>2</sup>
* USB Problem. Check the USB connection and try other direct ports or maybe the USB cable is an older one. Device isn't bootable.
* You're trying to 'update' to a [[Beta Firmware|beta firmware]] instead of performing a restore. Device is still bootable if you kick it out of recovery mode.
* Rebooting your Mac or PC may resolve this issue.

=== Error 17 ===
* Device failed to display the applelogo img3 which results in this error.
* One or more of the nand0/nor0 flash images were missing from the IPSW.

=== Error 18 ===
This occurs when the media library on the device is corrupt and cannot be modified or updated.

Updating to the latest version of iTunes and then restoring should resolve this issue

=== Error 20 ===
Reportedly happens during failed downgrade attempts (iOS 2.0 to 1.1.1, 5 beta to 4.3.3).
I've managed to get around this by doing the downgrade from DFU instead of Recovery.

=== Error 21 ===
Custom firmware restore fail ([[PwnageTool]] since 4.1). You have to put your device into the DFU mode and not into recovery mode. Device won't boot correctly an stuck at the Apple logo after the error. Press and hold power and home button until it reboots.

=== Error 23 ===
Cannot restore or update due to hardware problems.
* In software you have to set default web browser.
* In hardware, it's a communication problem. Check all connections, also try to change battery.
* Faulty [[baseband]] flash or processor
* Happens frequently after water damage. Remove and clean motherboard.

=== Error 26 ===
* Values or variables in the options property list within the ramdisk are incorrect.
* False version of the [[NOR]] flash firmware. Use the correct [[sn0wbreeze]] version.

=== Error 28 ===
* Hardware error. Return your device to Apple if possible. The problem is a bad dock connector on the iPhone. Must change the connector.
* If you have tried almost everything, reset the logic board (leave uncharged for five days or remove battery for half an hour), then pwn and restore. If this doesn't work, the {{wp|flash memory}}/{{wp|hard drive}} of your device is damaged.

=== Error 29 ===
See [http://discussions.apple.com/ Apple's discussion thread] number [http://discussions.apple.com/thread.jspa?threadID=2329795 2329795] about this problem. You might need to change the battery.

=== Error 31 ===
{{main|DFU Loop}}

=== Error 34 ===
Hard disk is run out of space when trying to download. Clear space and then continue downloading.

=== Error 37 ===
* [[N72ap|iPod touch 2G]] [[LLB]] patched with the [[0x24000 Segment Overflow]] was used on an [[N88ap|iPhone 3GS]] custom firmware. Known on damaged bundles from unofficial [[PwnageTool]] distributions or bundles.
* [[sn0wbreeze]] 2.0.1 bug, which was fixed in 2.0.2.
* Recent [[sn0wbreeze]] can cause this issue. Deselect all custom boot logos, recreate [[IPSW File Format|IPSW]]. If received on an [[N88ap|iPhone 3GS]], select "new boot-rom" and deselect all custom bootlogos, then recreate the [[IPSW File Format|IPSW]].

=== Error 40 ===
Hacktivation bug in [[Sn0wbreeze]] 2.0.1, which was fixed in [[Sn0wbreeze]] 2.0.2.

=== Error 46 ===
?

IBoot (Bootloader)

2011-08-07T13:40:01Z

Yoniyoni: 5.0 beta 4

{{DISPLAYTITLE:iBoot (Bootloader)}}
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.

==[[Bootrom]]==
The bootrom also goes by the name "iBoot." The list of bootroms can be found on [[Bootrom|their own page]].

== Revisions ==
* [[iBoot-99]] (1A420 a.k.a. Prototype)
* [[iBoot-159]] (1.0.x)
* [[iBoot-204]] (1.1 and 1.1.1 Build 3A109a)
* [[iBoot-204.0.2]] (1.1.1 Build 3A110a)
* [[iBoot-204.2.9]] (1.1.2)
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)
* [[iBoot-204.3.16]] (1.1.5)
* [[iBoot-320.20]] (2.0.x)
* [[iBoot-385.22]] (2.1 and 2.1.1)
* [[iBoot-385.49]] (2.2 and 2.2.1)
* [[iBoot-596.24]] (3.0 and 3.0.1)
* [[iBoot-636.65]] (3.1)
* [[iBoot-636.66]] (3.1.1 and 3.1.2)
* [[iBoot-636.66.33]] (3.1.3)
* [[iBoot-817.28]] (3.2)
* [[iBoot-817.29]] (3.2.1 and 3.2.2)
* [[iBoot-872]] (4.0 Beta 1)
* [[iBoot-889.3]] (4.0 Beta 2)
* [[iBoot-889.12]] (4.0 Beta 3)
* [[iBoot-889.19]] (4.0 Beta 4)
* [[iBoot-889.24]] (4.0.x)
* [[iBoot-931.18.1]] (4.1 Beta 1)
* [[iBoot-931.18.27]] (4.1 Builds 8B117 and 8B118)
* [[iBoot-931.44.21]] (4.1 Build 8M89)
* [[iBoot-931.67]] (4.2 Beta 1)
* [[iBoot-931.71.13]] (4.2 Beta 3)
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
* [[iBoot-931.72.14]] (4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9 and 4.2.10)
* [[iBoot-1072.33~1]] (4.3 Beta 1)
* [[iBoot-1072.38]] (4.3 Beta 2)
* [[iBoot-1072.49]] (4.3 Beta 3)
* [[iBoot-1072.58]] (4.3 Build 8F190)
* [[iBoot-1072.59]] (4.3 Builds 8F191, 8F191m, 8F202 and 8F305, and 4.3.1)
* [[iBoot-1072.61]] (4.3.2, 4.3.3, 4.3.4 and 4.3.5)
* [[iBoot-1219.35.80~1]] (5.0 beta 1)
* [[iBoot-1219.40.25]] (5.0 beta 2)
* [[iBoot-1219.41.11~1]] (5.0 beta 3)
* [[iBoot-1219.42.8]] (5.0 beta 4)
* [[iBoot-1219.43.9]] (5.0 beta 5)

==Commands used as an exploit vector==
* '''diags''': Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
* '''arm7_go''': For firmware 2.1.1, the [[N72ap|iPod touch 2G]] iBoot contains the [[ARM7 Go]] command, which could be used to run a payload on the ARM7 in the device.

==OpeniBoot==
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

==Remappings==
// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000

== See also ==
* [[iBoot (Enums)]]

IBoot (Bootloader)

2011-08-07T08:20:44Z

Yoniyoni: 5.0 beta 5

{{DISPLAYTITLE:iBoot (Bootloader)}}
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.

==[[Bootrom]]==
The bootrom also goes by the name "iBoot." The list of bootroms can be found on [[Bootrom|their own page]].

== Revisions ==
* [[iBoot-99]] (1A420 a.k.a. Prototype)
* [[iBoot-159]] (1.0.x)
* [[iBoot-204]] (1.1 and 1.1.1 Build 3A109a)
* [[iBoot-204.0.2]] (1.1.1 Build 3A110a)
* [[iBoot-204.2.9]] (1.1.2)
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)
* [[iBoot-204.3.16]] (1.1.5)
* [[iBoot-320.20]] (2.0.x)
* [[iBoot-385.22]] (2.1 and 2.1.1)
* [[iBoot-385.49]] (2.2 and 2.2.1)
* [[iBoot-596.24]] (3.0 and 3.0.1)
* [[iBoot-636.65]] (3.1)
* [[iBoot-636.66]] (3.1.1 and 3.1.2)
* [[iBoot-636.66.33]] (3.1.3)
* [[iBoot-817.28]] (3.2)
* [[iBoot-817.29]] (3.2.1 and 3.2.2)
* [[iBoot-872]] (4.0 Beta 1)
* [[iBoot-889.3]] (4.0 Beta 2)
* [[iBoot-889.12]] (4.0 Beta 3)
* [[iBoot-889.19]] (4.0 Beta 4)
* [[iBoot-889.24]] (4.0.x)
* [[iBoot-931.18.1]] (4.1 Beta 1)
* [[iBoot-931.18.27]] (4.1 Builds 8B117 and 8B118)
* [[iBoot-931.44.21]] (4.1 Build 8M89)
* [[iBoot-931.67]] (4.2 Beta 1)
* [[iBoot-931.71.13]] (4.2 Beta 3)
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
* [[iBoot-931.72.14]] (4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9 and 4.2.10)
* [[iBoot-1072.33~1]] (4.3 Beta 1)
* [[iBoot-1072.38]] (4.3 Beta 2)
* [[iBoot-1072.49]] (4.3 Beta 3)
* [[iBoot-1072.58]] (4.3 Build 8F190)
* [[iBoot-1072.59]] (4.3 Builds 8F191, 8F191m, 8F202 and 8F305, and 4.3.1)
* [[iBoot-1072.61]] (4.3.2, 4.3.3, 4.3.4 and 4.3.5)
* [[iBoot-1219.35.80~1]] (5.0 beta 1)
* [[iBoot-1219.40.25]] (5.0 beta 2)
* [[iBoot-1219.41.11~1]] (5.0 beta 3)
* (5.0 beta 4)
* [[iBoot-1219.43.9]] (5.0 beta 5)

==Commands used as an exploit vector==
* '''diags''': Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
* '''arm7_go''': For firmware 2.1.1, the [[N72ap|iPod touch 2G]] iBoot contains the [[ARM7 Go]] command, which could be used to run a payload on the ARM7 in the device.

==OpeniBoot==
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

==Remappings==
// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000

== See also ==
* [[iBoot (Enums)]]

Durango 8L1 (iPod3,1)

2011-08-01T12:07:25Z

Yoniyoni: Created page with "== Decryption Keys == === Root Filesystem (038-2261-002.dmg) === *'''VFDecrypt Key''': === Update Ramdisk (038-2263-002.dmg) === * '''IV''': * '''Key''': === [[Resto..."

== Decryption Keys ==
=== Root Filesystem (038-2261-002.dmg) ===
*'''[[VFDecrypt]] Key''':

=== [[Update Ramdisk]] (038-2263-002.dmg) ===
* '''IV''':
* '''Key''':

=== [[Restore Ramdisk]] (038-2286-002.dmg) ===
* '''IV''':
* '''Key''':

=== AppleLogo ===
* '''IV''': f2b82e309b4086eab1ab45b8a33ac9f4
* '''Key''': df1dbdcd3075dd849b7a2eaa327a0702e1f104e65c2e9f76178438144fd40f46

=== BatteryCharging0 ===
* '''IV''':
* '''Key''':

=== BatteryCharging1 ===
* '''IV''':
* '''Key''':

=== BatteryFull ===
* '''IV''':
* '''Key''':

=== BatteryLow0 ===
* '''IV''':
* '''Key''':

=== BatteryLow1 ===
* '''IV''':
* '''Key''':

=== DeviceTree ===
* '''IV''':
* '''Key''':

===GlyphCharging===
* '''IV''':
* '''Key''':

===GlyphPlugin===
* '''IV''':
* '''Key''':

===[[iBEC]]===
* '''IV''':
* '''Key''':

===[[iBoot (Bootloader)|iBoot]]===
* '''IV''':
* '''Key''':

===[[iBSS]]===
* '''IV''': 0883a549b9d4e1bc0b6efd995e91ae20
* '''Key''': 8e01489f416ff819089b1a2027802ea96ca6100107164686fe4c1cbeaa138c3c

===[[Kernelcache]]===
* '''IV''': e95b30ff09aad7c5c065f66e64b57366
* '''Key''': 97489b74ad1a935ab21f7e7bcf723d75b8b6389d60a3c5d4f7b423d1ebae6198

===[[LLB]]===
* '''IV''':
* '''Key''':

===RecoveryMode===
* '''IV''':
* '''Key''':

IBoot (Bootloader)

2011-07-26T14:47:03Z

Yoniyoni: 4.2.10 and 4.3.5

{{DISPLAYTITLE:iBoot (Bootloader)}}
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.

==[[Bootrom]]==
The bootrom also goes by the name "iBoot." The list of bootroms can be found on [[Bootrom|their own page]].

== Revisions ==
* [[iBoot-99]] (1A420 a.k.a. Prototype)
* [[iBoot-159]] (1.0.x)
* [[iBoot-204]] (1.1 and 1.1.1 Build 3A109a)
* [[iBoot-204.0.2]] (1.1.1 Build 3A110a)
* [[iBoot-204.2.9]] (1.1.2)
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)
* [[iBoot-204.3.16]] (1.1.5)
* [[iBoot-320.20]] (2.0.x)
* [[iBoot-385.22]] (2.1 and 2.1.1)
* [[iBoot-385.49]] (2.2 and 2.2.1)
* [[iBoot-596.24]] (3.0 and 3.0.1)
* [[iBoot-636.65]] (3.1)
* [[iBoot-636.66]] (3.1.1 and 3.1.2)
* [[iBoot-636.66.33]] (3.1.3)
* [[iBoot-817.28]] (3.2)
* [[iBoot-817.29]] (3.2.1 and 3.2.2)
* [[iBoot-872]] (4.0 Beta 1)
* [[iBoot-889.3]] (4.0 Beta 2)
* [[iBoot-889.12]] (4.0 Beta 3)
* [[iBoot-889.19]] (4.0 Beta 4)
* [[iBoot-889.24]] (4.0.x)
* [[iBoot-931.18.1]] (4.1 Beta 1)
* [[iBoot-931.18.27]] (4.1 Builds 8B117 and 8B118)
* [[iBoot-931.44.21]] (4.1 Build 8M89)
* [[iBoot-931.67]] (4.2 Beta 1)
* [[iBoot-931.71.13]] (4.2 Beta 3)
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
* [[iBoot-931.72.14]] (4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9 and 4.2.10)
* [[iBoot-1072.33~1]] (4.3 Beta 1)
* [[iBoot-1072.38]] (4.3 Beta 2)
* [[iBoot-1072.49]] (4.3 Beta 3)
* [[iBoot-1072.58]] (4.3 Build 8F190)
* [[iBoot-1072.59]] (4.3 Builds 8F191, 8F191m, 8F202 and 8F305, and 4.3.1)
* [[iBoot-1072.61]] (4.3.2, 4.3.3, 4.3.4 and 4.3.5)
* [[iBoot-1219.35.80~1]] (5.0 beta 1)
* [[iBoot-1219.40.25]] (5.0 beta 2)
* [[iBoot-1219.41.11~1]] (5.0 beta 3)

==Commands used as an exploit vector==
* '''diags''': Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
* '''arm7_go''': For firmware 2.1.1, the [[N72ap|iPod touch 2G]] iBoot contains the [[ARM7 Go]] command, which could be used to run a payload on the ARM7 in the device.

==OpeniBoot==
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

==Remappings==
// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000

== See also ==
* [[iBoot (Enums)]]

IBoot (Bootloader)

2011-05-08T20:57:21Z

Yoniyoni: 4.3.3 and 4.2.8

{{DISPLAYTITLE:iBoot (Bootloader)}}
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.

==[[Bootrom]]==
The bootrom also goes by the name "iBoot." The list of bootroms can be found on [[Bootrom|their own page]].

== Revisions ==
* [[iBoot-99]] (1A420 a.k.a. Prototype)
* [[iBoot-159]] (1.0.x)
* [[iBoot-204]] (1.1 and 1.1.1 Build 3A109a)
* [[iBoot-204.0.2]] (1.1.1 Build 3A110a)
* [[iBoot-204.2.9]] (1.1.2)
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)
* [[iBoot-204.3.16]] (1.1.5)
* [[iBoot-320.20]] (2.0.x)
* [[iBoot-385.22]] (2.1 and 2.1.1)
* [[iBoot-385.49]] (2.2 and 2.2.1)
* [[iBoot-596.24]] (3.0 and 3.0.1)
* [[iBoot-636.65]] (3.1)
* [[iBoot-636.66]] (3.1.1 and 3.1.2)
* [[iBoot-636.66.33]] (3.1.3)
* [[iBoot-817.28]] (3.2)
* [[iBoot-817.29]] (3.2.1 and 3.2.2)
* [[iBoot-872]] (4.0 Beta 1)
* [[iBoot-889.3]] (4.0 Beta 2)
* [[iBoot-889.12]] (4.0 Beta 3)
* [[iBoot-889.19]] (4.0 Beta 4)
* [[iBoot-889.24]] (4.0.x)
* [[iBoot-931.18.1]] (4.1 Beta 1)
* [[iBoot-931.18.27]] (4.1 Builds 8B117 and 8B118)
* [[iBoot-931.44.21]] (4.1 Build 8M89)
* [[iBoot-931.67]] (4.2 Beta 1)
* [[iBoot-931.71.13]] (4.2 Beta 3)
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
* [[iBoot-931.72.14]] (4.2.5, 4.2.6, 4.2.7 and 4.2.8)
* [[iBoot-1072.33~1]] (4.3 Beta 1)
* [[iBoot-1072.38]] (4.3 Beta 2)
* [[iBoot-1072.49]] (4.3 Beta 3)
* [[iBoot-1072.58]] (4.3 Build 8F190)
* [[iBoot-1072.59]] (4.3 Builds 8F191, 8F191m, and 8F202, and 4.3.1)
* [[iBoot-1072.61]] (4.3.2, 4.3.3)

==Commands used as an exploit vector==
* '''diags''': Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
* '''arm7_go''': For firmware 2.1.1, the [[N72ap|iPod touch 2G]] iBoot contains the [[ARM7 Go]] command, which could be used to run a payload on the ARM7 in the device.

==OpeniBoot==
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

==Remappings==
// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000

== See also ==
* [[iBoot (Enums)]]

SHSH

2011-04-17T16:11:04Z

Yoniyoni: /* Timeline */

0x80 byte RSA signature of a firmware image.

This often also refers to the backup file with the signature. This signature is needed to restore a specific firmware version. The signature is being created by Apple and is being generated based on some hardware keys of the device and the hash of the firmware. Using a [[wikipedia:replay attack|replay attack]], with the saved signature old firmware can be restored, although Apple doesn't issue the signatures anymore and therefore disallows installing older firmware. Therefore it is recommended to save the signature for your device as long as Apple issues it.

To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to [[Saurik]]'s server instead, if your certificate is there. If you have the file yourself, run [[TinyUmbrella]] on your local machine.

Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[iPad 2]], [[n81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]] and all newer devices. (Note that no versions of the [[iPod touch 2G]] requires SHSH blobs: even the 'MC' models). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the [[N72ap|iPod touch 2G]] and [[N82ap|iPhone 3G]]. Not only does [[DFU Mode]] require the [[iBSS]]/[[iBEC]] files to be signed with an SHSH that includes the device's [[ECID]], but the normal boot-chain requires the [[LLB]] to be fully signed with an [[ECID]]+SHSH, so a downgrade [[IPSW File Format|IPSW]] is not possible without a bootrom exploit of normal boot-chain (e.g. [[0x24000 Segment Overflow]]). See also the [http://blog.iphone-dev.org/post/833937433 Dev Team Blog post] about this.

With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the shsh signature file is stored on [[Cydia Server|Saurik's server]]. If it is stored there, then you can see in the top of [[Cydia Application|Cydia]] (on jailbroken devices) for which version a backup exists.

Users usually make the mistake that (even if they understand all this) they think the shsh firmware version they backup depends on the firmware version they have installed on their device. It does NOT depend on the device which signature you can save - it only depends on which version Apple signs. And that depends on the date. For example in April 2010 you could only backup the certificate for firmware 3.1.3, even if you have still 3.1.2 installed on you phone. Here's a timeline:

==Timeline==
{| class="wikitable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! width="50" | iOS
! width="480" | for Device(s)
! width="130" | From
! width="130" | Until
! width="130" | Status
|-
| <= 3.1.3
| [[M68ap|iPhone 2G]], [[N82ap|3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]]
| Unused
| Unused
| {{partial|Unused}}
|-
| 3.0
| [[N88ap|iPhone 3GS]]
| 19 June 2009
| 9 September 2009
| {{no|Closed}}
|-
| 3.0.1
| [[N88ap|iPhone 3GS]]
| 31 July 2009
| 9 September 2009
| {{no|Closed}}
|-
| 3.1
| [[N88ap|iPhone 3GS]]
| 9 September 2009
| 8 October 2009
| {{no|Closed}}
|-
| 3.1.1
| [[N18ap|iPod touch 3G]]
| 9 September 2009
| 8 October 2009
| {{no|Closed}}
|-
| 3.1.2
| [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]]
| 8 October 2009
| 2 February 2010
| {{no|Closed}}
|-
| 3.1.3
| [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]]
| 2 February 2010
| 21 June 2010
| {{no|Closed}}
|-
| 3.2
| [[K48ap|iPad]]
| 3 April 2010
| 15 July 2010
| {{no|Closed}}
|-
| 3.2.1
| [[K48ap|iPad]]
| 15 July 2010
| 19 August 2010
| {{no|Closed}}
|-
| 3.2.2
| [[K48ap|iPad]]
| 11 August 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.0
| [[N72ap|iPod touch 2G]]
| 21 June 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.0
| [[N18ap|iPod touch 3G]]
| 21 June 2010
| 19 August 2010
| {{no|Closed}}
|-
| 4.0
| [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]]
| 21 June 2010
| 15 July 2010
| {{no|Closed}}
|-
| 4.0
| [[N90ap|iPhone 4]]
| 24 June 2010
| 15 July 2010
| {{no|Closed}}
|-
| 4.0.1
| [[N82ap|iPhone 3G]]
| 15 July 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.0.1
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]]
| 15 July 2010
| 19 August 2010
| {{no|Closed}}
|-
| 4.0.2
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 11 August 2010
| 18 September 2010
| {{no|Closed}}
|-
| 4.0.2
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]]
| 11 August 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.1
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 8 September 2010
| -
| {{yes|Open}}
|-
| 4.1
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 8 September 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.1
| [[K66ap|Apple TV 2G]]
| 29 September 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.2
| [[K66ap|Apple TV 2G]]
| 22 November 2010
| 14 December 2010
| {{no|Closed}}
|-
| 4.2.1
| [[K48ap|iPad]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 22 November 2010
| 11 March 2011
| {{No|Closed}}
|-
| 4.2.1
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 22 November 2010
| -
| {{yes|Open}}
|-
| 4.2.1
| [[K66ap|Apple TV 2G]]
| 14 December 2010
| 11 March 2011
| {{No|Closed}}
|-
| 4.2.5
| [[N92ap|iPhone 4 CDMA]]
| 11 January 2011
| closed before product release
| {{No|Closed}}
|-
| 4.2.6
| [[N92ap|iPhone 4 CDMA]]
| 1 February 2011
| -
| {{yes|Open}}
|-
| 4.2.7
| [[N92ap|iPhone 4 CDMA]]
| 14 April 2011
| -
| {{yes|Open}}
|-
| 4.3
| [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 9 March 2011
| 27 March 2011 (?)
| {{No|Closed}}
|-
| 4.3.1
| [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 25 March 2011
| 17 April 2011 (?)
| {{No|Closed}}
|-
| 4.3.2
| [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 14 April 2011
| -
| {{yes|Open}}
|}

==Protocol==
To request a SHSH blob from Apple, a simple [[wikipedia:Hypertext Transfer Protocol|HTTP]] request can be made. For a full description, please see the separate article [[SHSH Protocol]].

==Links and Tools==
* [[TinyUmbrella]] (Java needed)
* [http://www.saurik.com/id/12 Detailed background info from Saurik]

[[Category:Firmware Tags]]

SHSH

2011-03-28T14:51:41Z

Yoniyoni: 4.3 signing appears to be closed...

0x80 byte RSA signature of a firmware image.

This often also refers to the backup file with the signature. This signature is needed to restore a specific firmware version. The signature is being created by Apple and is being generated based on some hardware keys of the device and the hash of the firmware. Using a [[wikipedia:replay attack|replay attack]], with the saved signature old firmware can be restored, although Apple doesn't issue the signatures anymore and therefore disallows installing older firmware. Therefore it is recommended to save the signature for your device as long as Apple issues it.

To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to [[Saurik]]'s server instead, if your certificate is there. If you have the file yourself, run [[TinyUmbrella]] on your local machine.

Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[n81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]]) (later 2010 model) and all newer devices. (Note that no versions of the [[iPod touch 2G]] requires SHSH blobs: even the 'MC' models). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the [[N72ap|iPod touch 2G]] and [[N82ap|iPhone 3G]]. Not only does [[DFU Mode]] require the [[iBSS]]/[[iBEC]] files to be signed with an SHSH that includes the device's [[ECID]], but the normal boot-chain requires the [[LLB]] to be fully signed with an [[ECID]]+SHSH, so a downgrade [[IPSW File Format|IPSW]] is not possible without a bootrom exploit of normal boot-chain (e.g. [[0x24000 Segment Overflow]]). See also the [http://blog.iphone-dev.org/post/833937433 Dev Team Blog post] about this.

With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the shsh signature file is stored on [[Cydia Server|Saurik's server]]. If it is stored there, then you can see in the top of [[Cydia Application|Cydia]] (on jailbroken devices) for which version a backup exists.

Users usually make the mistake that (even if they understand all this) they think the shsh firmware version they backup depends on the firmware version they have installed on their device. It does NOT depend on the device which signature you can save - it only depends on which version Apple signs. And that depends on the date. For example in April 2010 you could only backup the certificate for firmware 3.1.3, even if you have still 3.1.2 installed on you phone. Here's a timeline:

==Timeline==
{| class="wikitable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! width="50" | iOS
! width="480" | for Device(s)
! width="130" | From
! width="130" | Until
! width="130" | Status
|-
| <= 3.1.3
| [[M68ap|iPhone 2G]], [[N82ap|3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]]
| Unused
| Unused
| {{partial|Unused}}
|-
| 3.0
| [[N88ap|iPhone 3GS]]
| 19 June 2009
| 9 September 2009
| {{no|Closed}}
|-
| 3.0.1
| [[N88ap|iPhone 3GS]]
| 31 July 2009
| 9 September 2009
| {{no|Closed}}
|-
| 3.1
| [[N88ap|iPhone 3GS]]
| 9 September 2009
| 8 October 2009
| {{no|Closed}}
|-
| 3.1.1
| [[N18ap|iPod touch 3G]]
| 9 September 2009
| 8 October 2009
| {{no|Closed}}
|-
| 3.1.2
| [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]]
| 8 October 2009
| 2 February 2010
| {{no|Closed}}
|-
| 3.1.3
| [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]]
| 2 February 2010
| 21 June 2010
| {{no|Closed}}
|-
| 3.2
| [[K48ap|iPad]]
| 3 April 2010
| 15 July 2010
| {{no|Closed}}
|-
| 3.2.1
| [[K48ap|iPad]]
| 15 July 2010
| 19 August 2010
| {{no|Closed}}
|-
| 3.2.2
| [[K48ap|iPad]]
| 11 August 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.0
| [[N72ap|iPod touch 2G]]
| 21 June 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.0
| [[N18ap|iPod touch 3G]]
| 21 June 2010
| 19 August 2010
| {{no|Closed}}
|-
| 4.0
| [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]]
| 21 June 2010
| 15 July 2010
| {{no|Closed}}
|-
| 4.0
| [[N90ap|iPhone 4]]
| 24 June 2010
| 15 July 2010
| {{no|Closed}}
|-
| 4.0.1
| [[N82ap|iPhone 3G]]
| 15 July 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.0.1
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]]
| 15 July 2010
| 19 August 2010
| {{no|Closed}}
|-
| 4.0.2
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 11 August 2010
| 18 September 2010
| {{no|Closed}}
|-
| 4.0.2
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]]
| 11 August 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.1
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 8 September 2010
| -
| {{yes|Open}}
|-
| 4.1
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 8 September 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.1
| [[K66ap|Apple TV 2G]]
| 29 September 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.2
| [[K66ap|Apple TV 2G]]
| 22 November 2010
| 14 December 2010
| {{no|Closed}}
|-
| 4.2.1
| [[K48ap|iPad]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 22 November 2010
| 11 March 2011
| {{No|Closed}}
|-
| 4.2.1
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 22 November 2010
| -
| {{yes|Open}}
|-
| 4.2.1
| [[K66ap|Apple TV 2G]]
| 14 December 2010
| 11 March 2011
| {{No|Closed}}
|-
| 4.2.5
| [[N92ap|iPhone 4 CDMA]]
| 11 January 2011
| closed before product release
| {{No|Closed}}
|-
| 4.2.6
| [[N92ap|iPhone 4 CDMA]]
| 1 February 2011
| -
| {{yes|Open}}
|-
| 4.3
| [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 9 March 2011
| 27 March 2011 (?)
| {{No|Closed}}
|-
| 4.3.1
| [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 25 March 2011
| -
| {{yes|Open}}
|}

==Protocol==
To request a SHSH blob from Apple, a simple [[wikipedia:Hypertext Transfer Protocol|HTTP]] request can be made. For a full description, please see the separate article [[SHSH Protocol]].

==Links and Tools==
* [[TinyUmbrella]] (Java needed)
* [http://www.saurik.com/id/12 Detailed background info from Saurik]

[[Category:Firmware Tags]]

Normal Mode

2011-03-28T14:37:53Z

Yoniyoni: corrected device IDs for iPad 2

This is the protocol [[iTunes]] uses to talk to the booted iPhone. It uses usbmux to provide TCP like connectivity over a USB port using SSL. There is a pairing process iTunes uses to establish the secure channel. File transfer is provided by [[AFC]].

==Device IDs==
It appears that it uses different device IDs:
* [[M68ap|iPhone]] - 0x1290
* [[N82ap|iPhone 3G]] - 0x1292
* [[N88ap|iPhone 3GS]] - 0x1294
* [[N90ap|iPhone 4 GSM]] - 0x1297
* [[N92ap|iPhone 4 CDMA]] - 0x129c

* [[N45ap|iPod touch]] - 0x1291
* [[N72ap|iPod touch 2G]] - 0x1293
* [[N18ap|iPod touch 3G]] - 0x1299
* [[N81ap|iPod touch 4G]] - 0x129e

* [[K48ap|iPad]] - 0x129a
* [[K93ap|iPad 2 Wi-Fi]] - 0x129f
* [[K94ap|iPad 2 GSM]] - 0x12a2
* [[K95ap|iPad 2 CDMA]] - 0x12a3

* [[K66ap|Apple TV 2G]] -

==Patch: Disable SSL==
There is a way to disable SSL encyption during iTunes communication on jailbroken devices by patching lockdownd binary:

:(#) Disable SSL protection
:(#) FW 2.1
:(#) binary /usr/libexec/lockdownd
:-0x1000
'''Offset''' 000112F8: 0C 30 98 E5 > 00 30 A0 E3 ; Conn.UseSSL = false

After applying the patch all packets between iPhone and iTunes become plain and clear. Musthave for R&D ppl.
==USBMux Protocol==

===Resources===
* [[MobileDevice Library]]
* [http://wikee.iphwn.org/usb:usbmux The dev team's page on the topic]
* [http://libimobiledevice.org/docs/html/files.html Protocol Documentation]
* [http://libimobiledevice.org/ iFuse]

[[Category:Protocols (S5L)]]

User:Yoniyoni

2011-03-27T15:32:58Z

Yoniyoni: New page: My name is Yoni.

My name is Yoni.

IBoot (Bootloader)

2011-03-27T13:57:09Z

Yoniyoni: 4.3.1

{{DISPLAYTITLE:iBoot (Bootloader)}}
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.

==[[Bootrom]]==
The bootrom also goes by the name "iBoot." The list of bootroms can be found on [[Bootrom|their own page]].

== Revisions ==
* [[iBoot-99]] (1A420 a.k.a. Prototype)
* [[iBoot-159]] (1.0.x)
* [[iBoot-204]] (1.1 and 1.1.1 Build 3A109a)
* [[iBoot-204.0.2]] (1.1.1 Build 3A110a)
* [[iBoot-204.2.9]] (1.1.2)
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)
* [[iBoot-204.3.16]] (1.1.5)
* [[iBoot-320.20]] (2.0.x)
* [[iBoot-385.22]] (2.1 and 2.1.1)
* [[iBoot-385.49]] (2.2 and 2.2.1)
* [[iBoot-596.24]] (3.0 and 3.0.1)
* [[iBoot-636.65]] (3.1)
* [[iBoot-636.66]] (3.1.1 and 3.1.2)
* [[iBoot-636.66.33]] (3.1.3)
* [[iBoot-817.28]] (3.2)
* [[iBoot-817.29]] (3.2.1 and 3.2.2)
* [[iBoot-872]] (4.0 Beta 1)
* [[iBoot-889.3]] (4.0 Beta 2)
* [[iBoot-889.12]] (4.0 Beta 3)
* [[iBoot-889.19]] (4.0 Beta 4)
* [[iBoot-889.24]] (4.0.x)
* [[iBoot-931.18.1]] (4.1 Beta 1)
* [[iBoot-931.18.27]] (4.1 Builds 8B117 and 8B118)
* [[iBoot-931.44.21]] (4.1 Build 8M89)
* [[iBoot-931.67]] (4.2 Beta 1)
* [[iBoot-931.71.13]] (4.2 Beta 3)
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
* [[iBoot-931.72.14]] (4.2.5 and 4.2.6)
* [[iBoot-1072.33~1]] (4.3 Beta 1)
* [[iBoot-1072.49]] (4.3 Beta 3)
* [[iBoot-1072.58]] (4.3 Build 8F190)
* [[iBoot-1072.59]] (4.3 Build 8F191 and 4.3.1)

==Commands used as an exploit vector==
* '''diags''': Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
* '''arm7_go''': For firmware 2.1.1, the [[N72ap|iPod touch 2G]] iBoot contains the [[ARM7 Go]] command, which could be used to run a payload on the ARM7 in the device.

==OpeniBoot==
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

==Remappings==
// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000

== See also ==
* [[iBoot (Enums)]]

Normal Mode

2011-03-21T14:51:23Z

Yoniyoni: /* Device IDs */

This is the protocol [[iTunes]] uses to talk to the booted iPhone. It uses usbmux to provide TCP like connectivity over a USB port using SSL. There is a pairing process iTunes uses to establish the secure channel. File transfer is provided by [[AFC]].

==Device IDs==
It appears that it uses different device IDs:
* [[M68ap|iPhone]] - 0x1290
* [[N82ap|iPhone 3G]] - 0x1292
* [[N88ap|iPhone 3GS]] - 0x1294
* [[N90ap|iPhone 4 GSM]] - 0x1297
* [[N92ap|iPhone 4 CDMA]] - 0x129c

* [[N45ap|iPod touch]] - 0x1291
* [[N72ap|iPod touch 2G]] - 0x1293
* [[N18ap|iPod touch 3G]] - 0x1299
* [[N81ap|iPod touch 4G]] - 0x129e

* [[K48ap|iPad]] - 0x129a
* [[K93ap|iPad 2 Wi-Fi]] - 0x12a1 <-- can someone confirm this?
* [[K94ap|iPad 2 GSM]] - 0x12a2 <-- can someone confirm this?
* [[K95ap|iPad 2 CDMA]] - 0x12a3

* [[K66ap|Apple TV 2G]] -

==Patch: Disable SSL==
There is a way to disable SSL encyption during iTunes communication on jailbroken devices by patching lockdownd binary:

:(#) Disable SSL protection
:(#) FW 2.1
:(#) binary /usr/libexec/lockdownd
:-0x1000
'''Offset''' 000112F8: 0C 30 98 E5 > 00 30 A0 E3 ; Conn.UseSSL = false

After applying the patch all packets between iPhone and iTunes become plain and clear. Musthave for R&D ppl.
==USBMux Protocol==

===Resources===
* [[MobileDevice Library]]
* [http://wikee.iphwn.org/usb:usbmux The dev team's page on the topic]
* [http://libimobiledevice.org/docs/html/files.html Protocol Documentation]
* [http://libimobiledevice.org/ iFuse]

[[Category:Protocols (S5L)]]

IBoot (Bootloader)

2011-02-27T12:50:59Z

Yoniyoni: /* Revisions */

{{DISPLAYTITLE:iBoot (Bootloader)}}
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.

==[[Bootrom]]==
The bootrom also goes by the name "iBoot." The list of bootroms can be found on [[Bootrom|their own page]].

== Revisions ==
* [[iBoot-99]] (1A420 a.k.a. Prototype)
* [[iBoot-159]] (1.0.x)
* [[iBoot-204]] (1.1 and 1.1.1 Build 3A109a)
* [[iBoot-204.0.2]] (1.1.1 Build 3A110a)
* [[iBoot-204.2.9]] (1.1.2)
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)
* [[iBoot-204.3.16]] (1.1.5)
* [[iBoot-320.20]] (2.0.x)
* [[iBoot-385.22]] (2.1 and 2.1.1)
* [[iBoot-385.49]] (2.2 and 2.2.1)
* [[iBoot-596.24]] (3.0 and 3.0.1)
* [[iBoot-636.65]] (3.1 and 3.1.1 Build 7C145)
* [[iBoot-636.66]] (3.1.1 Build 7C146 and 3.1.2)
* [[iBoot-636.66.33]] (3.1.3)
* [[iBoot-817.28]] (3.2)
* [[iBoot-817.29]] (3.2.1 and 3.2.2)
* [[iBoot-872]] (4.0 Beta 1)
* [[iBoot-889.3]] (4.0 Beta 2)
* [[iBoot-889.12]] (4.0 Beta 3)
* [[iBoot-889.19]] (4.0 Beta 4)
* [[iBoot-889.24]] (4.0.x)
* [[iBoot-931.18.1]] (4.1 Beta 1)
* [[iBoot-931.18.27]] (4.1 Builds 8B117 and 8B118)
* [[iBoot-931.44.21]] (4.1 Build 8M89)
* [[iBoot-931.67]] (4.2 Beta 1)
* [[iBoot-931.71.13]] (4.2 Beta 3)
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
* [[iBoot-931.72.14]] (4.2.5 and 4.2.6)
* [[iBoot-1072.33~1]] (4.3 Beta 1)
* [[iBoot-1072.49]] (4.3 Beta 3)

==Commands used as an exploit vector==
* '''diags''': Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
* '''arm7_go''': For firmware 2.1.1, the [[N72ap|iPod touch 2G]] iBoot contains the [[ARM7 Go]] command, which could be used to run a payload on the ARM7 in the device.

==OpeniBoot==
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

==Remappings==
// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000

== See also ==
* [[iBoot (Enums)]]

IBoot (Bootloader)

2011-02-14T14:18:03Z

Yoniyoni: added 931.72.14

{{DISPLAYTITLE:iBoot (Bootloader)}}
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as [[Recovery Mode]]. It has an interactive interface which can be used over USB or serial.

==[[Bootrom]]==
The bootrom also goes by the name "iBoot." The list of bootroms can be found on [[Bootrom|their own page]].

== Revisions ==
* [[iBoot-99]] (1A420 a.k.a. Prototype)
* [[iBoot-159]] (1.0.x)
* [[iBoot-204]] (1.1 and 1.1.1 Build 3A109a)
* [[iBoot-204.0.2]] (1.1.1 Build 3A110a)
* [[iBoot-204.2.9]] (1.1.2)
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4)
* [[iBoot-204.3.16]] (1.1.5)
* [[iBoot-320.20]] (2.0.x)
* [[iBoot-385.22]] (2.1 and 2.1.1)
* [[iBoot-385.49]] (2.2 and 2.2.1)
* [[iBoot-596.24]] (3.0 and 3.0.1)
* [[iBoot-636.65]] (3.1 and 3.1.1 Build 7C145)
* [[iBoot-636.66]] (3.1.1 Build 7C146 and 3.1.2)
* [[iBoot-636.66.33]] (3.1.3)
* [[iBoot-817.28]] (3.2)
* [[iBoot-817.29]] (3.2.1 and 3.2.2)
* [[iBoot-872]] (4.0 Beta 1)
* [[iBoot-889.3]] (4.0 Beta 2)
* [[iBoot-889.12]] (4.0 Beta 3)
* [[iBoot-889.19]] (4.0 Beta 4)
* [[iBoot-889.24]] (4.0.x)
* [[iBoot-931.18.1]] (4.1 Beta 1)
* [[iBoot-931.18.27]] (4.1 Builds 8B117 and 8B118)
* [[iBoot-931.44.21]] (4.1 Build 8M89)
* [[iBoot-931.67]] (4.2 Beta 1)
* [[iBoot-931.71.13]] (4.2 Beta 3)
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
* [[iBoot-931.72.14]] (4.2.6)
* [[iBoot-1072.33~1]] (4.3 Beta 1)
* [[iBoot-1072.49]] (4.3 Beta 3)

==Commands used as an exploit vector==
* '''diags''': Until 2.0 beta 6, the [[diags]] command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
* '''arm7_go''': For firmware 2.1.1, the [[N72ap|iPod touch 2G]] iBoot contains the [[ARM7 Go]] command, which could be used to run a payload on the ARM7 in the device.

==OpeniBoot==
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source [http://github.com/planetbeing/iphonelinux/tree/master/openiboot here]. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

==Remappings==
// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000

== See also ==
* [[iBoot (Enums)]]

DurangoVail 8F5148b (iPad1,1)

2011-01-13T17:18:11Z

Yoniyoni: The provided kernelcache key is for kernelcache.release.n81 (iPod 4G). This page needs the key for kernelcache.release.k48.

=== Root Filesystem (038-0435-002.dmg) ===
* '''[[VFDecrypt]] Key''': 7620a160832d8ed43aee376179d28eccf51d50ac38caccd5990db6f10849aa39e3fdc942

=== [[Update Ramdisk]] (038-0402-002.dmg) ===
* '''IV''': 394fe1c81e0019a333801eeb425de5cf
* '''Key''': 2470bd829d27c6ad0f7c69d6f50dc5d59d913bc6c9cf7d8bac1c89f0854786bc
* '''[[KBAG]]''': 1BD9A4D4CF71C7A5A270CABA4C99258B925C230675A7D02274B6BEB3BE3119A8A2F981969ECAC2121D846C48DD0D68BA

=== [[Restore Ramdisk]] (038-0408-002.dmg) ===
* '''IV''': fe41a6392984738f32aca55a0352995d
* '''Key''': 2a8e07268f713840e0e0b32413ee10dde933d630948b5107d7dcb66cff612d04
* '''[[KBAG]]''': 7CE19E8083660112005D478A9D1C3F26E12CDCEB67AF4F0F5B4B341A8D6B9D9EC7D1E33296C2BDEE6B1BE21037307F2A

=== AppleLogo (applelogo.s5l8930x.img3) ===
* '''IV''': 4f8022112673d4875c32b050198cb945
* '''Key''': 0159008eeeeca0cee87cb80def3df9d1a87c0e67536e86c49c7a8e5307b0c3e5
* '''[[KBAG]]''': 08C2BCC21A137983F8F3C629794CFC35D989C8B0BC54926B34695B8E818B9C5441B45A9C295317A140E6B09E36808464

=== BatteryCharging0 (batterycharging0.s5l8930x.img3) ===
* '''IV''': 262b8ffc3c7ea14d0839df1dfc3b05e3
* '''Key''': de28e91de5700c04a0285d5e600071781f669e6b2f8b80474f452c05372a5f1d
* '''[[KBAG]]''': C67D5AE9AFE3BE2F34C63324AF1D84E08EC1154EE2CB4659731D4D32F56F6424FCE0EE5CFD866DBA9CEDB9B060AA7EDE

=== BatteryCharging1 (batterycharging1.s5l8930x.img3) ===
* '''IV''': be07c62978ea1679051dbda9684b6dc0
* '''Key''': 30a0651f475ee5ecfb462d2d14b3551bb95011a2f311ed69a1f2dc29a6c00225
* '''[[KBAG]]''': 3B2AA85F9C67744621FB71A996A65C972C390B179377D7232D68FF956377688D7FC48E46D874F3F2A7E7CC6D2E987642

=== BatteryLow0 (batterylow0.s5l8930x.img3) ===
* '''IV''': e8707fc37f506cdb5f39af46f53e1602
* '''Key''': d23285f6bb26b417fac2fb313cabf836ce4000b4827251e689eabc9100248f3a
* '''[[KBAG]]''': EC4613A2A07209E2CE74EBCDF51BC0845F141F002666631C1A97892CBD0D1F5B43DB208E76B4467E0F5F59E179FBC545

=== BatteryLow1 (batterylow1.s5l8930x.img3) ===
* '''IV''': d7e0a5f2d09c9faca57f1857171941a5
* '''Key''': cb6ddd774d8de039ed97a215411fa537d285dd49b4728fbf70b6b80d767b5f48
* '''[[KBAG]]''': C90206143F71392D1B080C361110BEF019BAF06847C0CAAF3C47D0E1F02ABEAAD516D3E131474A901EE5246435140391

=== DeviceTree (DeviceTree.k48ap.img3) ===
* '''IV''': 61e23d3f401db153db316c2dc74b3023
* '''Key''': c3c8b404f87a6d702976d52cd622aa6bd5bc59d65119df5e716c1d9f1182e585
* '''[[KBAG]]''': 708A20705C2CFEE2BCD5F4B90BF07D9A6A1FC19416AA36D9C1D811FC1AF16FAE2995EDC14101CF3A22236FEA0F09C189

=== GlyphCharging (glyphcharging.s5l8930x.img3) ===
* '''IV''': 7ee1f50315f96f81e1bb9d79a026da6e
* '''Key''': a63f8ee4e0f1866366a0eec428eef40591b2598ca5e604bd92809106a05d2124
* '''[[KBAG]]''': 1CC02922FD1AA1FCD1A4BCD0272B500C574703CFF5EF8A4E1F3462703A74CA6F1E379F9D612E1A21193B70D717F75C74

=== GlyphPlugin (glyphplugin.s5l8930x.img3) ===
* '''IV''': 496e1704c998eec03e0ff51425e83662
* '''Key''': 39aad1cfc86c43dbb4e1099bbb8a0325b072481de5a311f8ff135b0df92e3084
* '''[[KBAG]]''': 0AC4A32904CCCC43C64454F44D264A904A2AAAE0F83353BDA06A9E6B5F4ADA6C9647CA15DA15ED0ACB6895136DA302BC

=== [[iBEC]] (iBEC.k48ap.RELEASE.dfu) ===
* '''IV''': d8144d23e61b72c791ea665daeacb2e8
* '''Key''': 2a8be2832f95b7173423cbd67686ec4e0bdeb0ee1db669b6a82b05a43d76f0ff
* '''[[KBAG]]''': F28ACD74EAE9DD015988A787091072A442310CFE69A9A2AAC263A56841FB5BD9D1A395AE3663AFD1F517873156DFAF4C

=== [[IBoot (Bootloader)|iBoot]] (iBoot.k48ap.RELEASE.img3) ===
* '''IV''': 6569032be7b6bc71e264696a6d862108
* '''Key''': 5e3b655dda6e92e1500fb1761d19bc4409cba5e2a1166a70266dfba4c6a13460
* '''[[KBAG]]''': 98ED320BCDFA183BD4B1452916372CA4B797ABF813C99DA93A4DA482B1E48252D577235101F6F149FC812EB6AA1D687A

=== [[iBSS]] (iBSS.k48ap.RELEASE.dfu) ===
* '''IV''': c37807797069a32b0a67cb43f8c52def
* '''Key''': d4cffe812550982ae1a37b042857b50a1e00a661958e2c71616a1255115eb9c2
* '''[[KBAG]]''': 8E54ED6944D15E83DE7D6EBDE6FD4E77C4762EAE0303DE4CFB86CBE665D27DF9290216B29723219471ADD3D31083ABB3

=== [[Kernelcache]] (kernelcache.release.k48) ===
* '''IV''':
* '''Key''':
* '''[[KBAG]]''':

=== [[LLB]] (LLB.k48ap.RELEASE.img3) ===
* '''IV''': bd7ac9ff1fd0777fb4baeb6464c2cec2
* '''Key''': 839b7848eb96eb91c1ac8d0f3e45b72d5c711ff529fa107e29ff99d57fa7312f
* '''[[KBAG]]''': 8F40ED4D9610C05653CC48C9D5A08CD1C05D758E4CB3A43FD24D8A8FA0CBE797E5D9BC27F972634F193721BF18C36038

=== [[Recovery_Mode]] (recoverymode-768x1024.s5l8930x.img3) ===
* '''IV''': d7759a381a06975ff4087b97a73dc38a
* '''Key''': 849aabd88a2dc909a4c3118a94c5e257db1439f045ba06b7e4a6911dbd6a562b
* '''[[KBAG]]''': 11DDE9DCB929845605B1B0A50AC6BE24FB1501772E2F03904F6AF29F3320FDDB64965A11717017CC773ACFB114128C44

DurangoVail 8F5148b (iPhone3,1)

2011-01-13T17:15:38Z

Yoniyoni: The provided kernelcache key was for kernelcache.release.n81. iPhone 4 needs the kernelcache key for kernelcache.release.n90, which is different.

== Decryption Keys ==
=== Root Filesystem (038-0437-003.dmg) ===
*'''[[VFDecrypt]] Key''': d457db4790e7126428ed4fb053f84f25e89f8135129d0ff81b0d6b580cde1bc5d794e5af

=== [[Update Ramdisk]] (038-0402-002.dmg) ===
* '''IV''': 394fe1c81e0019a333801eeb425de5cf
* '''Key''': 2470bd829d27c6ad0f7c69d6f50dc5d59d913bc6c9cf7d8bac1c89f0854786bc

=== [[Restore Ramdisk]] (038-0408-002.dmg) ===
* '''IV''': fe41a6392984738f32aca55a0352995d
* '''Key''': 2a8e07268f713840e0e0b32413ee10dde933d630948b5107d7dcb66cff612d04

=== AppleLogo ===
* '''IV''': 4ffe0f61382b72de5d59caf386a100d9
* '''Key''': 33ea000f7238f46f6098e72936da2120b802fe52a444cdc380a26940e76be906

=== BatteryCharging0 ===
* '''IV''': 2144d0edb65e04591b88bc45a606018f
* '''Key''': b1f581f25540fae52221891d28ce39c6cb39b050dda34bbcc5cc7fd02afcfb23

=== BatteryCharging1 ===
* '''IV''': 6caf61b577abba2e5c120c476f160d67
* '''Key''': cb888fd39eeed5bc4bdd3a8314912cf7a08b4dbdd66165380804bad38bfa6e93

=== BatteryFull ===
* '''IV''': c21f5f6879ca47c578c32baf25018072
* '''Key''': 2604bfcbf99ba65b6f54e86b155c3060138b51e0fccd17907690d5506f81ad8d

=== BatteryLow0 ===
* '''IV''': 81d668a4601d4ac2368b580d8c542a93
* '''Key''': 779677998eb3f0985d88519d5c402e0c81d41ab17976124da1cc6509961b1859

=== BatteryLow1 ===
* '''IV''': bd831d7f660694de8a8baec15695207a
* '''Key''': dfae5279a7b5ad1be377874088b75c2c913696c8ba4c4ddb11b40cef20f6d6fe

=== DeviceTree ===
* '''IV''': fb806971be00151d6cd294b4b88d22c4
* '''Key''': 32f0414688bc943a3a49b4ef3c8c19cff115ae77cc3aba2d3340cd0a177cb6cf

=== GlyphCharging ===
* '''IV''': 5d1d628dddc3415680b828f29d9ff6a9
* '''Key''': 1b140e0262cd4f3e5517c5fce5291e7d497095edbf7acd81f3066db75b13bc97

=== GlyphPlugin ===
* '''IV''': f717cff855e057020e080837283be0bf
* '''Key''': 066cb756433644479a381a3f90f25776d3acfe912a21214ca641f12fd324e4b9

=== [[iBEC]] ===
* '''IV''': 2c69d74317e2ade05e368dd70ca23f5d
* '''Key''': 16c478490b555fa67db4441d03b3616a6d71a6d055785d09abfae6c9e3e9339d

=== [[iBoot (Bootloader)|iBoot]] ===
* '''IV''': 88abaa8e21ede6a97fd547ea5edc02e7
* '''Key''': 4d87a79f4520074b27b344eea11da2a0d62bcbffa45fa35b4884bf68a4993e37

=== [[iBSS]] ===
* '''IV''': 09a87275ed5f49757d6fd9cfdeb16a9e
* '''Key''': 9119845f4534b1f351ed1bcc05e5bc5e93b459ca2cd9be7cf3c34d4d076872c0

=== [[Kernelcache]] ===
* '''IV''':
* '''Key''':

=== [[LLB]] ===
* '''IV''': 4b7a331704632d6e601df130e09c0e7b
* '''Key''': 456861c0c597dfd57fd8c3cb17cf104f4e2f48a3fd6b7729416a6a10b351b467

=== RecoveryMode ===
* '''IV''': 23ba400f925e9cbab395edf40b605fae
* '''Key''': 7ad21b53138c53cec727c43aed0837d76953b9b496f7913cd3c9724198a8b9ea

Apex 8A400 (iPhone1,2)

2011-01-13T12:52:21Z

Yoniyoni: /* applelogo */

==Decryption Keys==
=== Root Filesystem ===
* '''VFDecrypt''': aa5ea4b38e5a7d9f2d95ab7c015e5531050af66f82a30e6a83994f8f802d352e236a0250

===Update Ramdisk (018-8383-002.dmg)===
* '''IV''': ff8f6e76c72d24ec44568fd88e112e0f
* '''Key''': 3b4e09f595984bc89e4c524a504866df

===Restore Ramdisk (018-8389-002.dmg)===
* '''IV''': d464c589db4c00bfe2c844e5cce76e23
* '''Key''': db611a918217b941e4736fb806cf8e95

=== AppleLogo ===
* '''IV''': 6cd67432902ddf1129feb49c48a427ed
* '''Key''': 13545fd4d707ed1e88436d7164f354e3

===DeviceTree===
* '''IV''':
* '''Key''':

===iBEC===
* '''IV''':
* '''Key''':

===iBoot===
* '''IV''':
* '''Key''':

===iBSS===
* '''IV''':
* '''Key''':

===kernelcache===
* '''IV''': 9746365b664b2ab8cb8ed1b283cd63c5
* '''Key''': e869b1323671babf3f94998225a3c88f

===LLB===
* '''IV''':
* '''Key''':

===recoverymode===
* '''IV''':
* '''Key''':

Apex 8A306 (iPhone1,2)

2011-01-13T12:52:12Z

Yoniyoni: /* applelogo */

==Decryption Keys==
=== Root Filesystem ===
* '''VFDecrypt''': 38a4937108c1c271c82013dff870bab10793292ab594ae7878175cf2bfb6bb9633419ff9

===[[Update Ramdisk]] (0018-8230-001.dmg)===
* '''IV''': 0c90b80e2c59667bb368f20c90b6eb25
* '''Key''': 414fcce1c9282ce85217b7bbabfc31b0

===[[Restore Ramdisk]] (018-8233-001.dmg)===
* '''IV''': cefc2ee02478de0ad2a9fb6d4f040ebe
* '''Key''': 3d757af42d4ef3c8f80f38ef67257e54

=== AppleLogo ===
* '''IV''': 6cd67432902ddf1129feb49c48a427ed
* '''Key''': 13545fd4d707ed1e88436d7164f354e3

===DeviceTree===
* '''IV''':
* '''Key''':

===[[iBEC]]===
* '''IV''':
* '''Key''':

===[[iBoot (Bootloader)|iBoot]]===
* '''IV''':
* '''Key''':

===[[iBSS]]===
* '''IV''':
* '''Key''':

===[[kernelcache]]===
* '''IV''': 41c48897f7aaac8beabecc756538da3c
* '''Key''': a943efa20d4b9fc4d8d21a0a2b8159ea

===[[LLB]]===
* '''IV''':
* '''Key''':

===recoverymode===
* '''IV''':
* '''Key''':

Baker 8B117 (iPhone2,1)

2011-01-12T16:28:54Z

Yoniyoni: added missing DeviceTree key

==Decryption Keys==
=== Root Filesystem (018-7061-122.dmg)===
* '''VFDecrypt''': 01155a88dc41d6bdb6ba368719853e7e68fb0076dbfaafe8e0801256c724b103f2e271ca

===Update Ramdisk (018-7073-079.dmg)===
* '''IV''': f2169e17ca185c29d5e3f06898a51692
* '''Key''': c8f511134a5b8e7154bb3b8a66fbf1f837da55c8cda2f397a30209dbf4d88b6b6

===Restore Ramdisk (018-7080-079.dmg)===
* '''IV''': 214388b7e0589464bf59966524ae2ea4
* '''Key''': 581f739963fc3fdbf70dfc695b35d43662a0069b501cb715264c32428e759cba

===applelogo===
* '''IV''': 4223d5a6bc4d358031df8958c427a369
* '''Key''': fdd2a888a079b6421e19bc7e03d5242ffe7822029bab5c030377e9eb5a98ccb3

===iBEC===
* '''IV''': 434539b5e293220a6b43862689fcefb4
* '''Key''': aec9e91b1cb738115371804fa13ee2710fa83c4d1b9203d36586dbe88579a630

===iBoot===
* '''IV''': 7106d9c8e81c4d6bed474f5f3caef4bb
* '''Key''': 45c562f5250aa5537e77772b87704a9162a55e78d73ccf18324b6e1386a693f1

===iBSS===
* '''IV''': 966fdb6312a3cd35703e7a1e8bb4cce6
* '''Key''': 81d26076947f2a50c0d31766f7e5f3b73ec198a1e0c50064a03b9e74bd0cbf91

===kernelcache===
* '''IV''': 401e9002de3d0d0f76cb7c0927700714
* '''Key''': 0400cdef4c3a31feee7ff283ccc0c5b66432cd92430a07a1835143e53ed1e088

===LLB===
* '''IV''': 3db3ccef9c2bbb1bc6f86568d28b5c73
* '''Key''': f56b34c613699b1fea7fae9ad9978e8b90be1f1045a8e908269d75db0527dea0

===recoverymode===
* '''IV''': e8c3811707b35b14431f1e8a72923a77
* '''Key''': b29af745abac499138e73642a5259cd71dde3640ed981ae9728dfefe59e876bf

// Keys by [http://pastie.org/1132614 iH8sn0w]

===DeviceTree===
* '''IV''': ef9bf37e07697d1f81b39c56573bd567
* '''Key''': 12c935cbdb6d5ea5d9847c43851432a39ccd1123a24678047082da0982db6d71