Difference between revisions of "Diags"

From The iPhone Wiki
Jump to: navigation, search
m (Exploit: Consistency please.)
m (Updating.)
Line 7: Line 7:
 
This is a very easy-to-use exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the [[S5L8900]] using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen, serial, or USB).
 
This is a very easy-to-use exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the [[S5L8900]] using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen, serial, or USB).
   
In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a retail device, just an engineering one with a 'whitelisted' CHIPID, so this exploit doesn't work. However, the 1.1.4 [[iBSS]] can still be used on the [[m68ap|iPhone]], [[n82ap|iPhone 3G]], or [[n45ap|iPod touch]], and can be used to boot a modified 2.0+ [[iBoot (Bootloader)|iBoot]]. Therefore, it is still an open exploit for these devices.
+
In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a retail device, just an engineering one with a 'whitelisted' CHIPID, so this exploit doesn't work. However, the 1.1.4 [[iBSS]] can still be used on the [[M68AP|iPhone]], [[N82AP|iPhone 3G]], or [[N45AP|iPod touch]], and can be used to boot a modified 2.0+ [[iBoot (Bootloader)|iBoot]]. Therefore, it is still an open exploit for these devices.
   
 
[[Category:Exploits]]
 
[[Category:Exploits]]

Revision as of 07:53, 8 October 2015

This was an exploit that allowed the running of unsigned code at iBoot level, present in pre-2.0 versions of iBoot.

Credit

iPhone Dev Team

Exploit

This is a very easy-to-use exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the S5L8900 using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen, serial, or USB).

In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a retail device, just an engineering one with a 'whitelisted' CHIPID, so this exploit doesn't work. However, the 1.1.4 iBSS can still be used on the iPhone, iPhone 3G, or iPod touch, and can be used to boot a modified 2.0+ iBoot. Therefore, it is still an open exploit for these devices.