Difference between revisions of "Jailbreak (S5L8920+)"

From The iPhone Wiki
Jump to: navigation, search
(Modernization and removal of jailbreak tool author mentions.)
Line 1: Line 1:
Apple did not have the time to fix the [[0x24000 Segment Overflow]] in the [[S5L8920 (Bootrom)|S5L8920]]. However, in order to flash an exploited [[LLB]] and jailbreak the [[N88ap|iPhone 3GS]], '''one''' of the following needs to be done:
+
When the [[N88ap|iPhone 3GS]] was initially released, Apple did not have enough time to fix the [[0x24000 Segment Overflow]] in the [[S5L8920 (Bootrom)|S5L8920]]. However, in order to flash an exploited [[LLB]] and jailbreak the iPhone 3GS, '''one''' of the following needs to be done:
 
* Find a new [[iBoot]] exploit every time a new firmware is out.
 
* Find a new [[iBoot]] exploit every time a new firmware is out.
 
* Find a way to bypass the [[ECID]] checks.
 
* Find a way to bypass the [[ECID]] checks.
 
* Find another bootrom exploit that allows unsigned code executing via USB ([[Pwnage 2.0]]-like)
 
* Find another bootrom exploit that allows unsigned code executing via USB ([[Pwnage 2.0]]-like)
   
This also applies to the [[N18ap|iPod touch 3G]] and later devices, except a bootrom exploit is needed.
+
This also applies to the iPhone 3GS with [[iBoot-359.3.2|the new bootrom]], [[N18ap|iPod touch 3G]] and later devices, except a bootrom exploit is needed as well.
   
 
==ECID==
 
==ECID==
Apple added a new tag to the [[IMG3 File Format]] called ECID. The ECID is ''unique'' to each phone, and is being sigchecked. So Apple could block downgrades once newer firmware becomes available, unless you have a dump of your unique old firmware's IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new firmwares. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html].
+
Apple added a new tag to the [[IMG3 File Format]] called ECID. The ECID is ''unique'' to each phone, and its signature is being checked. With this method, Apple attempts to block downgrades once newer firmware becomes available, unless you have a dump of your old firmware's unique IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new firmwares. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html].
   
 
The issue with this is that, even with 24kpwn still in bootrom, an [[iBoot]] exploit is still needed to actually flash the exploited [[LLB]]. If Apple uses this ECID stuff to block downgrades, then a new [[iBoot]] exploit will be needed whenever they fix the last, so that [[24kpwn]] can be applied. This is because Apple could choose to not let you upload an older, exploitable [[iBEC]]/iBoot/[[iBSS]] to the device.
 
The issue with this is that, even with 24kpwn still in bootrom, an [[iBoot]] exploit is still needed to actually flash the exploited [[LLB]]. If Apple uses this ECID stuff to block downgrades, then a new [[iBoot]] exploit will be needed whenever they fix the last, so that [[24kpwn]] can be applied. This is because Apple could choose to not let you upload an older, exploitable [[iBEC]]/iBoot/[[iBSS]] to the device.
Line 13: Line 13:
 
There are methods to help keep your downgrading ability, though.
 
There are methods to help keep your downgrading ability, though.
   
* If it was cached prior to 3.1's release, 3GS owners can save a file which contains the signature of the 3.0 iBSS containing their [[ECID]], using [http://purplera1n.com/|purplera1n.com].
+
* If it was cached prior to 3.1's release, 3GS owners can save a file which contains the signature of the 3.0 iBSS containing their [[ECID]], using the [http://purplera1n.com/ purplera1n website].
 
* Saurik's servers are actively caching the necessary files. [http://www.saurik.com/id/12#howto Instructions] to use the servers are included.
 
* Saurik's servers are actively caching the necessary files. [http://www.saurik.com/id/12#howto Instructions] to use the servers are included.
 
* The [[SHSH]] associated with an ECID can be also saved by running [http://thefirmwareumbrella.blogspot.com/ Umbrella]. An included application, TinyTSS, would allow the user to restore to whatever version is associated with that SHSH file permanently. This is based on the aforementioned service Saurik provides remotely from his server(s). The only difference is that Umbrella and TinyTSS are local applications.
 
* The [[SHSH]] associated with an ECID can be also saved by running [http://thefirmwareumbrella.blogspot.com/ Umbrella]. An included application, TinyTSS, would allow the user to restore to whatever version is associated with that SHSH file permanently. This is based on the aforementioned service Saurik provides remotely from his server(s). The only difference is that Umbrella and TinyTSS are local applications.
 
   
 
==Jailbreak tools==
 
==Jailbreak tools==
 
===Firmware 3.0 for iPhone 3GS===
 
===Firmware 3.0 for iPhone 3GS===
There are several possible methods to jailbreak which use the same iBoot exploit discovered independently by [[User:Geohot|Geohot]] and the [[iPhone Dev Team]]:
+
There are several possible methods to jailbreak which use the same [[iBoot]] exploit discovered (independently) by [[User:Geohot|Geohot]] and the [[iPhone Dev Team]]:
   
* [[redsn0w]] 0.8 by the iPhone Dev Team (also works with 3.0.1)
+
* [[redsn0w]] 0.8 (also works with 3.0.1)
* [[PwnageTool]] 3.0.1 by the iPhone Dev Team
+
* [[PwnageTool]] 3.0.1
* [[purplera1n]] by Geohot.
+
* [[purplera1n]]
   
 
===Firmware 3.1 for iPhone 3GS===
 
===Firmware 3.1 for iPhone 3GS===
 
Firmware 3.1 can be jailbroken using
 
Firmware 3.1 can be jailbroken using
 
* [[PwnageTool]] 3.1.3 (Mac only), provided that the device was previously jailbroken on 3.0/3.0.1.
 
* [[PwnageTool]] 3.1.3 (Mac only), provided that the device was previously jailbroken on 3.0/3.0.1.
* [[Blackra1n]] by Geohot
+
* [[blackra1n]]
   
 
===Firmware 3.1.2 for iPhone 3GS===
 
===Firmware 3.1.2 for iPhone 3GS===
 
Firmware 3.1.2 for iPhone 3GS can be jailbroken using
 
Firmware 3.1.2 for iPhone 3GS can be jailbroken using
 
* [[PwnageTool]] 3.1.4 (Mac only).
 
* [[PwnageTool]] 3.1.4 (Mac only).
* [[Blackra1n]] by Geohot
+
* [[blackra1n]]
   
 
===Firmware 3.1.1/3.1.2 for iPod Touch 3G===
 
===Firmware 3.1.1/3.1.2 for iPod Touch 3G===
It is currently possible to jailbreak all devices that ship with 3.1 pre-installed or that have updated to 3.1/3.1.1/3.1.2 using [http://www.blackra1n.com geohot's blackra1n].
+
It is currently possible to jailbreak all devices that have/had 3.1/3.1.1/3.1.2 using
  +
* [[redsn0w]] 0.9.3
  +
* [[blackra1n]]
   
===Firmware 3.1.3/3.1.2 for iPhone 3GS and iPod Touch 3G===
+
===Firmware 3.1.2/3.1.3 for iPhone 3GS and iPod Touch 3G===
 
Firmware 3.1.3 for iPhone 3GS (Both bootroms) and iPod Touch 3G can be jailbroken using
 
Firmware 3.1.3 for iPhone 3GS (Both bootroms) and iPod Touch 3G can be jailbroken using
* [[Spirit]] by Comex.
+
* [[Spirit]]

Revision as of 19:33, 6 May 2010

When the iPhone 3GS was initially released, Apple did not have enough time to fix the 0x24000 Segment Overflow in the S5L8920. However, in order to flash an exploited LLB and jailbreak the iPhone 3GS, one of the following needs to be done:

  • Find a new iBoot exploit every time a new firmware is out.
  • Find a way to bypass the ECID checks.
  • Find another bootrom exploit that allows unsigned code executing via USB (Pwnage 2.0-like)

This also applies to the iPhone 3GS with the new bootrom, iPod touch 3G and later devices, except a bootrom exploit is needed as well.

ECID

Apple added a new tag to the IMG3 File Format called ECID. The ECID is unique to each phone, and its signature is being checked. With this method, Apple attempts to block downgrades once newer firmware becomes available, unless you have a dump of your old firmware's unique IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new firmwares. [1].

The issue with this is that, even with 24kpwn still in bootrom, an iBoot exploit is still needed to actually flash the exploited LLB. If Apple uses this ECID stuff to block downgrades, then a new iBoot exploit will be needed whenever they fix the last, so that 24kpwn can be applied. This is because Apple could choose to not let you upload an older, exploitable iBEC/iBoot/iBSS to the device.

There are methods to help keep your downgrading ability, though.

  • If it was cached prior to 3.1's release, 3GS owners can save a file which contains the signature of the 3.0 iBSS containing their ECID, using the purplera1n website.
  • Saurik's servers are actively caching the necessary files. Instructions to use the servers are included.
  • The SHSH associated with an ECID can be also saved by running Umbrella. An included application, TinyTSS, would allow the user to restore to whatever version is associated with that SHSH file permanently. This is based on the aforementioned service Saurik provides remotely from his server(s). The only difference is that Umbrella and TinyTSS are local applications.

Jailbreak tools

Firmware 3.0 for iPhone 3GS

There are several possible methods to jailbreak which use the same iBoot exploit discovered (independently) by Geohot and the iPhone Dev Team:

Firmware 3.1 for iPhone 3GS

Firmware 3.1 can be jailbroken using

  • PwnageTool 3.1.3 (Mac only), provided that the device was previously jailbroken on 3.0/3.0.1.
  • blackra1n

Firmware 3.1.2 for iPhone 3GS

Firmware 3.1.2 for iPhone 3GS can be jailbroken using

Firmware 3.1.1/3.1.2 for iPod Touch 3G

It is currently possible to jailbreak all devices that have/had 3.1/3.1.1/3.1.2 using

Firmware 3.1.2/3.1.3 for iPhone 3GS and iPod Touch 3G

Firmware 3.1.3 for iPhone 3GS (Both bootroms) and iPod Touch 3G can be jailbroken using