Difference between revisions of "S5L8720"

From The iPhone Wiki
Jump to: navigation, search
m (Removed links to a page that will be deleted.)
(remove non-hardware-related exploits)
Line 1: Line 1:
 
This is the Application Processor used on the [[n72ap|iPod touch 2G]].
 
This is the Application Processor used on the [[n72ap|iPod touch 2G]].
   
== Exploits ==
+
== [[Bootrom]] Exploits ==
=== [[iBoot (Bootloader)|iBoot]] ===
 
'''Note''': [[iBoot (Bootloader)|iBoot]] on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares
 
 
* [[ARM7 Go]] - Works on [[iOS]] 2.1.1
 
* [[iBoot Environment Variable Overflow]] - Works up to [[iOS]] 3.1 beta 3
 
* [[usb_control_msg(0x21, 2) Exploit]] - Works up to [[iOS]] 3.1.2
 
 
=== [[Bootrom]] ===
 
 
* [[0x24000 Segment Overflow]] - only in [[Bootrom 240.4]] (old bootrom)
 
* [[0x24000 Segment Overflow]] - only in [[Bootrom 240.4]] (old bootrom)
 
* [[usb_control_msg(0xA1, 1) Exploit]]
 
* [[usb_control_msg(0xA1, 1) Exploit]]
   
  +
'''Note''': [[iBoot (Bootloader)|iBoot]] on the S5L8720 can be downgraded, allowing any of the [[iBoot (Bootloader)|iBoot]] exploits to be used on future firmwares.
=== [[Kernel]] ===
 
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3
 
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0
 
* [[Packet Filter Kernel Exploit]] - Works up to [[iOS]] 4.1
 
* [[HFS Legacy Volume Name Stack Buffer Overflow]] - Works up to [[iOS]] 4.2.1
 
 
=== [[Userland]] ===
 
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3
 
* [[Malformed CFF Vulnerability]] - Works up to [[iOS]] 4.0
 
   
 
==Boot Chain==
 
==Boot Chain==

Revision as of 21:14, 25 October 2012

This is the Application Processor used on the iPod touch 2G.

Bootrom Exploits

Note: iBoot on the S5L8720 can be downgraded, allowing any of the iBoot exploits to be used on future firmwares.

Boot Chain

VROM->LLB->iBoot->Kernel->System Software

It is definitely worthy to note that the Pwnage exploit is fixed because the images are now flashed to the NOR in their encrypted IMG3 containers, and the bootrom can properly check LLB's signature. That being said, unsigned images can still be run using the 0x24000 Segment Overflow, provided the bootrom is old enough.

See Also

External Links