Difference between revisions of "Bootrom"

From The iPhone Wiki
Jump to: navigation, search
m
Line 70: Line 70:
 
* [[Bootrom 2651.0.0.1.31]] in [[T8002]]
 
* [[Bootrom 2651.0.0.1.31]] in [[T8002]]
 
* [[Bootrom 2696.0.0.1.33]] in [[T8010]]
 
* [[Bootrom 2696.0.0.1.33]] in [[T8010]]
  +
* [[Bootrom 3332.0.0.1.23]] in [[T8015]]
   
   
Line 142: Line 143:
 
===[[T8010]], used in the [[iPhone 7]] and [[iPhone 7 Plus]]===
 
===[[T8010]], used in the [[iPhone 7]] and [[iPhone 7 Plus]]===
 
* [[Bootrom 2696.0.0.1.33]]
 
* [[Bootrom 2696.0.0.1.33]]
  +
  +
===[[T8015]], used in the [[iPhone 8]], [[iPhone 8 Plus]], and [[iPhone X]]===
  +
* [[Bootrom 3332.0.0.1.23]]
   
 
== References ==
 
== References ==

Revision as of 00:03, 9 October 2017

The bootrom (called "SecureROM" by Apple) is the first significant code that runs on an iDevice. The bootrom is read-only. Finding exploits in the bootrom level is a big achievement since Apple won't be able to fix it without a hardware revision.

Contents

Old & New bootrom

Certain models, including the iPod touch (2nd generation) and iPhone 3GS, have different bootrom versions. These are most commonly referred to with the terms "old bootrom" and "new bootrom." These "new bootrom" devices were released after 9 September 2009 and have the 0x24000 Segment Overflow fixed. While the new bootrom revisions have an exploit, the exploit needs the assistance of a firmware-based exploit to achieve an untethered jailbreak.

You might also be looking for Apple's stage 2 bootloader, which also uses the "iBoot" name.

Usually also looking at the CPRV (Chip Revision) tag will also tell you whether the device is new unit or not also.

Finding bootrom version

From the model number (iPod touch (2nd generation))

If the second character of your Model Number is "B" (e.g.- FB533, MB533, or PB533), your iPod has the old bootrom. If the second character is "C" (FC086, MC086 or PC086), your iPod has the new bootrom.

From the serial number (iPhone 3GS)

The third digit of the serial number identifies the year of manufacture (9=2009, 0=2010, 1=2011, 2=2012), while the fourth and the fifth indicate the week. There is a gray area between week 40 of 2009 (??940??????) and week 45 of 2009 (??945??????) where some devices have new bootrom whilst others have old bootrom. . Any iPhone made after Week 45 of 2009 (??945?????? and higher or ??0???????? serials) has the new bootrom.

From the DFU Device descriptors (all devices except S5L8900)

Windows

  1. Connect Device & Enter DFU Mode
  2. Open Device Manager, find USB controller, subitem Apple Mobile Device USB Driver
  3. Right-Click & click Properties
  4. Go to Details tab & select Device Instance Path in the dropdown box
  5. The end of the info string will show the bootrom version

Mac OS X

  1. Connect Device & Enter DFU Mode
  2. Go to System Profiler, and under the Hardware category, go to USB, and click on Apple Mobile Device (DFU Mode)
  3. The end of the Serial Number string will show the bootrom version in brackets (ie: [iBoot-574.4])

Linux

  1. Make sure your distribution has usbutils installed. (most distributions have it by default)
  2. Connect Device & Enter DFU Mode
  3. In terminal, run sudo lsusb -v
  4. Find the line that says iSerial and your bootrom version will be at the end of the line.

Dumping the bootrom

You can use Bootrom Dumper Utility by pod2g to dump the bootrom on devices that are vulnerable to the Limera1n Exploit.

Bootrom Exploits

Revisions


S5L8900, used in the iPhone, iPod touch, and iPhone 3G

see also VROM (S5L8900)

S5L8720, used in the iPod touch (2nd generation)

S5L8920, used in the iPhone 3GS

S5L8747, used in the Haywire

S5L8922, used in the iPod touch (3rd generation)

S5L8930, used in the iPad, iPhone 4, Apple TV (2nd generation), and iPod touch (4th generation)

S5L8940, used in the iPad 2 and iPhone 4S

S5L8942, used in the iPad 2 (iPad2,4), Apple TV (3rd generation) (AppleTV3,1), iPod touch (5th generation), and iPad mini

S5L8945, used in the iPad (3rd generation)

S5L8947, used in the Apple TV (3rd generation) (AppleTV3,2)

S5L8950, used in the iPhone 5 and iPhone 5c

S5L8955, used in the iPad (4th generation)

S5L8960/S5L8965, used in the iPhone 5s, iPad Air, iPad mini 2, and iPad mini 3

T7000, used in the Apple TV (4th generation), HomePod, iPad mini 4, iPhone 6, iPhone 6 Plus, and iPod touch (6th generation)

T7001, used in the iPad Air 2

S7002, used in the Apple Watch (1st generation)

S8000, used in the iPad (5th generation), iPhone 6s, iPhone 6s Plus and iPhone SE

S8001, used in the iPad Pro

S8003, used in the iPhone 6s, iPhone 6s Plus and iPhone SE

T8002, used in the Apple Watch Series 1 and Apple Watch Series 2

T8010, used in the iPhone 7 and iPhone 7 Plus

T8015, used in the iPhone 8, iPhone 8 Plus, and iPhone X

References