Difference between revisions of "S5L8720"

From The iPhone Wiki
Jump to: navigation, search
m
 
(45 intermediate revisions by 13 users not shown)
Line 1: Line 1:
This is the Application Processor used on the [[n72ap|iPod Touch 2G]].
+
This is the Application Processor used on the [[N72AP|iPod touch (2nd generation)]].
   
  +
== [[Bootrom]] Exploits ==
==Firmware File Formats==
 
  +
* [[0x24000 Segment Overflow]] - only in [[Bootrom 240.4]] (old bootrom)
See [[S5L File Formats|this page]] for more information on the types of firmware files it interprets
 
  +
* [[usb_control_msg(0xA1, 1) Exploit]]
   
  +
'''Note''': [[iBoot (Bootloader)|iBoot]] on the S5L8720 can be downgraded, allowing any of the [[iBoot (Bootloader)|iBoot]] exploits to be used on future firmwares.
==Exploits==
 
===[[iBoot]] / [[Kernel]] Level===
 
These are jailbreaks only available through an [[iBoot]] exploit, which would have to be applied at every boot, meaning you must be connected to a computer, therefore making them a "tethered" jailbreak.
 
   
  +
==Boot Chain==
* [[ARM7 Go]]
 
  +
[[VROM]]->[[LLB]]->[[iBoot (Bootloader)|iBoot]]->[[Kernel]]->[[Firmware|System Software]]
   
  +
It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3 File Format|IMG3]] containers, and the [[bootrom]] can properly check [[LLB]]'s signature. That being said, unsigned images can still be run using the [[0x24000 Segment Overflow]], provided the bootrom is [[Bootrom 240.4|old enough]].
===[[S5L8720 Bootrom|Bootrom]]===
 
An untethered jailbreak would probably need to be in the [[VROM]], but the basic meaning of an untethered jailbreak is to have one that you can freely reboot with and not have to apply it again every boot, not to mention custom boot / recovery logos.
 
   
==Boot Chain==
+
==See Also==
  +
* [[S5L8720 (Hardware)]]
[[S5L8720 Bootrom|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]
 
  +
* [[S5L File Formats]]
  +
  +
==External Links==
  +
* [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0301h/DDI0301H_arm1176jzfs_r0p7_trm.pdf Technical Reference Manual: ARM1176JZF-S]
   
  +
[[Category:Application Processors]]
It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3]] containers, and the [[S5L8720 Bootrom|bootrom]] can properly sigcheck [[LLB]].
 

Latest revision as of 12:33, 23 March 2017

This is the Application Processor used on the iPod touch (2nd generation).

Bootrom Exploits

Note: iBoot on the S5L8720 can be downgraded, allowing any of the iBoot exploits to be used on future firmwares.

Boot Chain

VROM->LLB->iBoot->Kernel->System Software

It is definitely worthy to note that the Pwnage exploit is fixed because the images are now flashed to the NOR in their encrypted IMG3 containers, and the bootrom can properly check LLB's signature. That being said, unsigned images can still be run using the 0x24000 Segment Overflow, provided the bootrom is old enough.

See Also

External Links