|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8900"
m |
|||
| (36 intermediate revisions by 12 users not shown) | |||
| Line 1: | Line 1: | ||
| + | {{float toc|right}} |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | The '''S5L8900''' in the technical name of the [[Application Processor|application processor]] shared between the [[M68AP|iPhone]], [[N45AP|iPod touch]], and the [[N82AP|iPhone 3G]]. Not much is known about it, even through official sources. According to [[saurik]], this is an [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0301h/DDI0301H_arm1176jzfs_r0p7_trm.pdf <code>arm1176jzf-s</code>]. This processor was succeded by the [[S5L8720]] used in the [[N72AP|iPod touch (2nd generation)]] and the [[S5L8920]] in the [[N88AP|iPhone 3GS]]. Those have subsequently been succeded by newer processors. |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | == Exploits == |
+ | == [[VROM (S5L8900)|VROM]] Exploits == |
| + | * [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]] |
||
| − | === [[iBoot]] === |
||
| + | * [[Pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]] |
||
| − | '''Note''': [[iBoot]] on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares |
||
| − | * [[Restore Mode]] - Works up to [[iOS]] 1.0.2 |
||
| − | * [[Ramdisk Hack]] - Works up to [[iOS]] 2.0 beta 3 |
||
| − | * [[diags]] - Works up to [[iOS]] 2.0 beta 5 |
||
| − | * [[ARM7 Go]] - Works on [[iOS]] 2.1.1 |
||
| − | * [[iBoot Environment Variable Overflow]] - Works up to [[iOS]] 3.1 beta 3 |
||
| − | * [[usb_control_msg(0x21, 2) Exploit]] - Works up to [[iOS]] 3.1.2 |
||
| + | == Boot Chain == |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[VROM (S5L8900)|VROM]] ([[Bootrom Rev.2]]) |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[LLB]] |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[iBoot (Bootloader)|iBoot]] |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[Kernel]] |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[/|System Software]] |
||
| − | === [[ |
+ | === [[iDroid]] === |
| + | One of the many goals of the [[iDroid]] project is to modify the boot chain immediately after the bootrom: |
||
| − | * [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3 |
||
| + | * VROM ([[Bootrom Rev.2]]) |
||
| − | * [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0.1 |
||
| + | * [[OpeniBoot]] |
||
| + | * [http://www.kernel.org Linux Kernel] |
||
| + | * [http://www.x.org X Server] |
||
| + | * [[wikipedia:X Window System|X Window System]] (X11) |
||
| + | This is possible thanks to the [[Pwnage]] and [[Pwnage 2.0]] exploits discovered by the [[iPhone Dev Team]]. The exploit in a nutshell exploits the fact that the [[VROM (S5L8900)|VROM]] ([[Bootrom Rev.2]]) doesn't signature check the [[LLB]], and as such, by uploading a maliciously crafted LLB, one can gain control of the entire device. |
||
| − | === [[Userland]] === |
||
| − | * [[Symlinks]] - Works up to [[iOS]] 1.1.1 |
||
| − | * [[LibTiff]] - Works up to [[iOS]] 1.1.1 |
||
| − | * [[Mknod]] - Works up to [[iOS]] 1.1.2 |
||
| − | * [[Dual Boot Exploit]] - Works up to [[iOS]] 2.0 beta 3 |
||
| − | * [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3 |
||
| − | * [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 4.0.1 |
||
| + | Despite many years of work, it appears that the project will never be finished, much akin to many other big open source projects, such as [[wikipedia:ReactOS|ReactOS]] and the [[wikipedia:GNU Project|GNU]]'s own kernel, the [http://www.gnu.org/software/hurd/hurd.html Hurd]. |
||
| − | ===Boot Chain=== |
||
| − | [[VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]] |
||
| + | == Upgrade Process == |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | === [[Restore Mode]] === |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | The restore process of the processor is: |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[VROM (S5L8900)|VROM]] ([[Bootrom Rev.2]]) |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[DFU Mode]] |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[WTF]] |
||
| + | * [[iBoot (Bootloader)|iBoot]] |
||
| + | * [[Kernel]] (wait for [[Ramdisk|Restore Ramdisk]] upload) |
||
| + | * Restore Ramdisk |
||
| + | * [[Restore Mode]] |
||
| + | === [[DFU Mode]] === |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | In order to flash an older version of [[iOS|iPhone OS]] onto the device, you need to enter [[DFU Mode]]. The entry into DFU Mode is in the [[iDevice|device]]'s circuitry and the processor itself. This allows a non-responsive device to enter DFU Mode nearly anywhere, essentially making it improbable to [[bricked|brick]] the device. |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | Once in [[DFU Mode]], [[iTunes]] will notify you of a device in [[Restore Mode]], even though it isn't. This is common across all devices. In iTunes, you just hold the [[wikipedia:Option key|Option key]] ([[wikipedia:File:Third-party option key.JPG|⌥]]) on [[wikipedia:OS X|OS X]] or the [[wikipedia:Shift key|shift key]] on [[wikipedia:Microsoft Windows|Windows]] while clicking the "Restore" button. Just navigate to the [[IPSW File Format|IPSW]] for the specific version you want. As [[SHSH|SHSH blobs]] didn't exist before [[iOS|iPhone OS]] 3.0 with the [[S5L8920]] on the [[N88AP|iPhone 3GS]], you are only limited by your ability to obtain the [[firmware]] IPSW. |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | The boot chain is a very simple one: |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[VROM (S5L8900)|VROM]] ([[Bootrom Rev.2]]) |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| + | * [[DFU Mode]] |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | Haxed by 1337Urmom at The Pois0nhack team |
||
| − | + | == See Also == |
|
| − | [[VROM |
+ | * [[VROM (S5L8900)]] |
| + | ** [[Bootrom Rev.2]] |
||
| + | |||
| + | [[Category:Application Processors]] |
||
Latest revision as of 18:22, 22 March 2017
The S5L8900 in the technical name of the application processor shared between the iPhone, iPod touch, and the iPhone 3G. Not much is known about it, even through official sources. According to saurik, this is an arm1176jzf-s. This processor was succeded by the S5L8720 used in the iPod touch (2nd generation) and the S5L8920 in the iPhone 3GS. Those have subsequently been succeded by newer processors.
VROM Exploits
Boot Chain
iDroid
One of the many goals of the iDroid project is to modify the boot chain immediately after the bootrom:
- VROM (Bootrom Rev.2)
- OpeniBoot
- Linux Kernel
- X Server
- X Window System (X11)
This is possible thanks to the Pwnage and Pwnage 2.0 exploits discovered by the iPhone Dev Team. The exploit in a nutshell exploits the fact that the VROM (Bootrom Rev.2) doesn't signature check the LLB, and as such, by uploading a maliciously crafted LLB, one can gain control of the entire device.
Despite many years of work, it appears that the project will never be finished, much akin to many other big open source projects, such as ReactOS and the GNU's own kernel, the Hurd.
Upgrade Process
Restore Mode
The restore process of the processor is:
- VROM (Bootrom Rev.2)
- DFU Mode
- WTF
- iBoot
- Kernel (wait for Restore Ramdisk upload)
- Restore Ramdisk
- Restore Mode
DFU Mode
In order to flash an older version of iPhone OS onto the device, you need to enter DFU Mode. The entry into DFU Mode is in the device's circuitry and the processor itself. This allows a non-responsive device to enter DFU Mode nearly anywhere, essentially making it improbable to brick the device.
Once in DFU Mode, iTunes will notify you of a device in Restore Mode, even though it isn't. This is common across all devices. In iTunes, you just hold the Option key (⌥) on OS X or the shift key on Windows while clicking the "Restore" button. Just navigate to the IPSW for the specific version you want. As SHSH blobs didn't exist before iPhone OS 3.0 with the S5L8920 on the iPhone 3GS, you are only limited by your ability to obtain the firmware IPSW.
The boot chain is a very simple one:
