Difference between revisions of "IBSS"

From The iPhone Wiki
Latest revision as of 03:07, 8 February 2018

iBSS (short for iBoot Single Stage) is a stripped-down version of iBoot, missing features such as interaction with the filesystem. It can be uploaded via DFU to bootstrap the iBEC during a DFU Mode restore. It was renamed iBootStage1 in iOS 10.

According to Apple’s source code, “dongle products get an iBSS with all of iBoot’s recovery mode accoutrements, EXCEPT for filesystem support”.

Use of the iBSS

The iBSS bootstraps the iBEC, which prepares and executes the Restore Ramdisk. In addition, it sends messages to iTunes during the restore to supervise the restore process. It also integrity-checks the images that are uploaded, and on iOS 5+ it is the image responsible for the APTicket: it uploads the nonce string to iTunes, then checks that the APTicket matches the nonce and that the signatures on the APTicket are valid. In custom firmwares the iBSS has every signature check patched out, but under certain circumstances it still generates a nonce. See APTicket for further detail.
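As an added illustration of the nonce/APTicket check described above (example code written for this page, not Apple's or the wiki's own; the ticket layout, the HMAC stand-in for Apple's signature and all names are assumptions), the model below shows why an image is accepted only when the ticket is authentic, was issued for this boot's nonce, and lists that exact image:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical key held by the signing server (stands in for Apple's private key).
# HMAC is used purely as a stand-in for the real asymmetric signature on an APTicket.
SIGNING_KEY = b"constructed-demo-signing-key"


@dataclass(frozen=True)
class Ticket:
    nonce: bytes                     # device nonce the ticket was issued for
    image_digests: tuple[bytes, ...] # SHA-256 of each image the ticket authorises
    signature: bytes                 # MAC over nonce + digests (signature stand-in)


def _ticket_body(nonce: bytes, digests: tuple[bytes, ...]) -> bytes:
    """Bytes covered by the signature: the nonce and every authorised digest."""
    return nonce + b"".join(digests)


def generate_nonce() -> bytes:
    """Device side: a fresh per-boot nonce, as the iBSS generates before a restore."""
    return os.urandom(20)


def sign_ticket(nonce: bytes, images: list[bytes]) -> Ticket:
    """Server side: bind the device nonce and the image digests into one ticket."""
    digests = tuple(hashlib.sha256(img).digest() for img in images)
    sig = hmac.new(SIGNING_KEY, _ticket_body(nonce, digests), hashlib.sha256).digest()
    return Ticket(nonce, digests, sig)


def verify_image(ticket: Ticket, current_nonce: bytes, image: bytes) -> bool:
    """Device side: signature valid, nonce matches this boot, image listed."""
    expected = hmac.new(SIGNING_KEY, _ticket_body(ticket.nonce, ticket.image_digests),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket.signature):
        return False                      # forged or altered ticket
    if not hmac.compare_digest(ticket.nonce, current_nonce):
        return False                      # ticket replayed from an earlier boot
    return hashlib.sha256(image).digest() in ticket.image_digests


def restore_exchange(images: list[bytes]) -> bool:
    """The exchange the text describes: nonce goes up via iTunes, ticket comes back,
    then every uploaded image is checked against it before execution."""
    nonce = generate_nonce()
    ticket = sign_ticket(nonce, images)   # iTunes forwards the nonce for signing
    return all(verify_image(ticket, nonce, img) for img in images)
```

The replay case is the one the nonce exists for: a ticket that verified on a previous boot fails once the device has generated a new nonce.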

In jailbreak tools such as redsn0w and greenpois0n, the iBSS bootstraps the iBEC and executes a payload. Its signature checks are, of course, patched out.

iBSS 5.x

The iBSS in iOS 5.x is very similar to LLB/DFU, in that it uses the same protocol. On UART output it prints something along the lines of "iBSS ready. Asking for DFU...".

Interesting things I've noted: when certain bits in the chip ID are set, it uses a different DFU device identifier (I've personally seen 0x1226/0x1228), and these modes reject any Img3 files sent over USB.

See also

iBSS commands