Difference between revisions of "Diags (iBoot command)"

From The iPhone Wiki
Jump to: navigation, search
(Exploit)
Line 5: Line 5:
   
 
==Exploit==
 
==Exploit==
The diags function can be passed a parameter. It jumps to that parameter, but not before trashing the I/O table. You can run unsigned code using this, but there's no guarantee about the state of the processor
+
This is a very simple exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before trashing the I/O table. You can run unsigned code using this, but there's no guarantee about the state of the processor.
   
 
In 2.0 iBoots, they check the permission register for this command, so the exploit doesn't work.
 
In 2.0 iBoots, they check the permission register for this command, so the exploit doesn't work.

Revision as of 18:27, 28 November 2008

This was an exploit in pre 2.0 versions of iBoot

Credit

The dev team

Exploit

This is a very simple exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before trashing the I/O table. You can run unsigned code using this, but there's no guarantee about the state of the processor.

In 2.0 iBoots, they check the permission register for this command, so the exploit doesn't work.