Difference between revisions of "Diags (iBoot command)"

From The iPhone Wiki
Jump to: navigation, search
m (Exploit: Consistency please.)
m
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
  +
The <code>diags</code> command is an iBoot command that loads an image from an address in memory after disabling all the GPIO devices. This is meant for loading [[Diags|diags]], so even unsigned images will be loaded. This command had no permission checks in 1.0-1.1.4 iBoots, so it was exploitable to load a patched iBoot, but in 2.0 iBoots, this command has a permission check to make sure it is not being run on a RELEASE fused CHIPID. In 3.1+, this command was removed entirely, but is still present in DEVELOPMENT iBoots. This command can also be set as the boot-command variable. In that case, as well as if you run diags without any args, it looks for the diags image in NOR/NAND, and also checks the diags-path value in NVRAM. If it doesn't find it, the command will fail.
This was an exploit that allowed the running of unsigned code at iBoot level, present in pre-2.0 versions of [[iBoot (Bootloader)|iBoot]].
 
   
 
==Credit==
 
==Credit==
Line 5: Line 5:
   
 
==Exploit==
 
==Exploit==
This is a very easy-to-use exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the [[S5L8900]] using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen, serial, or USB).
+
This is a very easy-to-use exploit on 1.x iBoots. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the [[S5L8900]] using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen, serial, or USB).
   
In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a retail device, just an engineering one with a 'whitelisted' CHIPID, so this exploit doesn't work. However, the 1.1.4 [[iBSS]] can still be used on the [[m68ap|iPhone]], [[n82ap|iPhone 3G]], or [[n45ap|iPod touch]], and can be used to boot a modified 2.0+ [[iBoot (Bootloader)|iBoot]]. Therefore, it is still an open exploit for these devices.
+
In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a RELEASE fused CHIPID, just a whitelisted engineering CHIPID, so this exploit doesn't work on RELEASE fused devices after 2.0. However, the 1.1.4 [[iBSS]] can still be used on the [[M68AP|iPhone]], [[N82AP|iPhone 3G]], or [[N45AP|iPod touch]], and can be used to boot a modified 2.0+ [[iBoot (Bootloader)|iBoot]]. Therefore, it is still an open exploit for these devices.
   
[[Category:Exploits]]
+
[[Category:Exploits]] [[Category:iBoot commands]]

Latest revision as of 06:22, 11 February 2021

The diags command is an iBoot command that loads an image from an address in memory after disabling all the GPIO devices. This is meant for loading diags, so even unsigned images will be loaded. This command had no permission checks in 1.0-1.1.4 iBoots, so it was exploitable to load a patched iBoot, but in 2.0 iBoots, this command has a permission check to make sure it is not being run on a RELEASE fused CHIPID. In 3.1+, this command was removed entirely, but is still present in DEVELOPMENT iBoots. This command can also be set as the boot-command variable. In that case, as well as if you run diags without any args, it looks for the diags image in NOR/NAND, and also checks the diags-path value in NVRAM. If it doesn't find it, the command will fail.

Credit

iPhone Dev Team

Exploit

This is a very easy-to-use exploit on 1.x iBoots. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the S5L8900 using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen, serial, or USB).

In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a RELEASE fused CHIPID, just a whitelisted engineering CHIPID, so this exploit doesn't work on RELEASE fused devices after 2.0. However, the 1.1.4 iBSS can still be used on the iPhone, iPhone 3G, or iPod touch, and can be used to boot a modified 2.0+ iBoot. Therefore, it is still an open exploit for these devices.