Difference between revisions of "Jailbreak (S5L8920+)"

From The iPhone Wiki
Jump to: navigation, search
(iPad)
m
 
(120 intermediate revisions by 12 users not shown)
Line 1: Line 1:
When the [[N88ap|iPhone 3GS]] was initially released, Apple did not have enough time to fix the [[0x24000 Segment Overflow]] in the [[S5L8920 (Bootrom)|S5L8920]]. However, in order to flash an exploited [[LLB]] and jailbreak the iPhone 3GS, '''one''' of the following needs to be done:
+
When the [[N88AP|iPhone 3GS]] was initially released, Apple did not have enough time to fix the [[0x24000 Segment Overflow]] in the [[S5L8920]]. However, in order to flash an exploited [[LLB]] and jailbreak the iPhone 3GS, '''one''' of the following needed to be done:
 
* Find a new [[iBoot]] exploit every time a new firmware is out.
 
* Find a new [[iBoot]] exploit every time a new firmware is out.
 
* Find a way to bypass the [[ECID]] checks.
 
* Find a way to bypass the [[ECID]] checks.
* Use a bootrom exploit that allows unsigned code execution via USB (2 of them were finally found by Geohot and Chronic Dev Team).
+
* Use a bootrom exploit that allows unsigned code execution via USB.
   
This also applies to the iPhone 3GS with [[iBoot-359.3.2|the new bootrom]], [[N18ap|iPod touch 3G]] and later devices, except a bootrom exploit for the normal boot-chain or a library based jailbreak payload (similar to [[Star]]) is needed as well.
+
Newer devices (iPhone 3GS with [[Bootrom 359.3.2|new bootrom]], [[N18AP|iPod touch (3rd generation)]], and subsequent devices) are no longer vulnerable to the [[0x24000 Segment Overflow]] exploit. Many of them are susceptible to geohot's bootrom exploit (originally found in [[limera1n]]), which allows unsigned code execution over USB. Even newer devices, starting with the [[iPad 2]], have no bootrom exploits to run unsigned code ''at all''.
   
 
==ECID==
 
==ECID==
Apple added a new tag to the [[IMG3 File Format]] called ECID. The ECID is ''unique'' to each phone, and its signature is being checked. With this method, Apple attempts to block downgrades once newer firmware becomes available, unless you have a dump of your old firmware's unique IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new firmwares. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html].
+
Apple added a new tag to the [[IMG3 File Format]] called ECID. The ECID is ''unique'' to each phone, and its signature is being checked. With this method, Apple attempts to block downgrades once newer firmware becomes available, unless you have a dump of your old firmware's unique IMG3 or signed certificate. Therefore, [[iBoot (Bootloader)|iBoot]] exploits won't be so useful for [[tethered jailbreak]]s, because such exploits will be closed in new firmwares. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html].
   
The issue with this is that, even with the [[0x24000 Segment Overflow]] still in bootrom, an [[iBoot]] exploit was still needed to actually flash the exploited [[LLB]]. Apple uses this ECID stuff to block downgrading iBoot to a vulnerable version. It was resolved when Geohot released his [[limera1n]] tool, which used a bootrom exploit to upload an unsigned iBoot. Still the problem remains with newer devices with [[0x24000 Segment Overflow|0x24000]] fixed - tampering with firmware makes such jailbreak tethered unless some other exploit is used.
+
The issue with this is that, even with the [[0x24000 Segment Overflow]] still in [[bootrom]], an iBoot exploit was still needed to actually flash the exploited [[LLB]]. Apple uses this ECID stuff to block downgrading iBoot to a vulnerable version. It was resolved when Geohot released his [[limera1n]] tool, which used a bootrom exploit to upload an unsigned iBoot. Still the problem remains with newer devices with the [[0x24000 Segment Overflow]] fixed - tampering with firmware makes such jailbreak tethered unless some other exploit is used.
   
 
There are methods to help keep your downgrading ability, though.
 
There are methods to help keep your downgrading ability, though.
   
  +
* If it receives your ECID, saurik's servers will actively cache the necessary files. [http://www.saurik.com/id/12#howto Instructions] to use the servers are available.
* If it was cached prior to 3.1's release, 3GS owners were able save a file which contains the signature of the 3.0 [[iBSS]] containing their [[ECID]], using the [http://purplera1n.com/ purplera1n website]. A tool has not been created to incorporate this file into a fully signed iBSS, however.
 
* Saurik's servers are actively caching the necessary files. [http://www.saurik.com/id/12#howto Instructions] to use the servers are included.
 
 
* The [[SHSH]] associated with an ECID can be also saved by running [[TinyUmbrella]]. [[TinyUmbrella]] allows the user to restore to whatever version is associated with that [[SHSH]] file permanently. This is based on the aforementioned service [[Saurik]] provides remotely from [[Cydia Server|his server(s)]].
 
* The [[SHSH]] associated with an ECID can be also saved by running [[TinyUmbrella]]. [[TinyUmbrella]] allows the user to restore to whatever version is associated with that [[SHSH]] file permanently. This is based on the aforementioned service [[Saurik]] provides remotely from [[Cydia Server|his server(s)]].
   
==Jailbreak tools ==
+
== Jailbreak Tools ==
  +
{{main|Jailbreak#Jailbreak Tools}}
===[[K66ap |Apple TV 2G]]===
 
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
 
|-
 
!rowspan="2"| [[Jailbreak]] Tool
 
!colspan="4"| Works with [[firmware]]...
 
|-
 
|style="width:100px;"| 4.1
 
|style="width:100px;"| 4.2
 
|-
 
| [[redsn0w]]
 
| {{no}}
 
| {{no}}
 
|-
 
| [[limera1n]]
 
| {{partial|no package management GUI}}
 
| {{no}}
 
|-
 
| [[greenpois0n]]
 
| {{partial|no package management GUI}}
 
| {{no}}
 
|-
 
| [[PwnageTool]]
 
| {{partial|no package management GUI}}
 
| {{partial|Restore from a custom firmware with unofficial bundle<sup>1</sup>}}
 
|-
 
| [[sn0wbreeze]]
 
| {{partial|no package management GUI}}
 
| {{no}}
 
|}
 
<sup>1</sup> [[Tethered jailbreak]].
 
   
  +
[[Category:Jailbreaking]]
===[[K48ap|iPad]]===
 
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
 
|-
 
!rowspan="2"| [[Jailbreak]] Tool
 
!colspan="4"| Works with [[firmware]]...
 
|-
 
|style="width:100px;"| 3.2
 
|style="width:100px;"| 3.2.1
 
|style="width:100px;"| 3.2.2
 
|style="width:150px;"| 4.2.1
 
|-
 
| [[Spirit]]
 
| {{yes}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[Star]]
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[limera1n]]
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[greenpois0n]]
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[redsn0w]]
 
| {{no}}
 
| {{no}}
 
| {{yes|0.9.6b2}}
 
| {{yes|0.9.6b5<sup>1</sup> o 0.9.7b6<sup>2</sup>}}
 
|-
 
| [[PwnageTool]]
 
| {{no}}
 
| {{no}}
 
| {{yes|4.1-4.1.3}}
 
| {{partial|Restore from a custom firmware with unofficial bundle<sup>1</sup>}}
 
|-
 
| [[sn0wbreeze]]
 
| {{no}}
 
| {{no}}
 
| {{yes|2.1}}
 
| {{no}}
 
|}
 
<sup>1</sup> [[Tethered jailbreak]]
 
 
<sup>2</sup>[[Untethered jailbreak]] on device having blobs shsh saved for iOS 4.2b3. There are two bugs: SandBox and Bluetooth. This jailbreak is called Jailbreak Monte.
 
 
===[[N88ap|iPhone 3GS]]===
 
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
 
|-
 
!rowspan="2"| [[Jailbreak]] Tool
 
!colspan="10"| Works with [[firmware]]...
 
|-
 
|style="width:90px;"| 3.0
 
|style="width:90px;"| 3.0.1
 
|style="width:90px;"| 3.1
 
|style="width:90px;"| 3.1.2
 
|style="width:90px;"| 3.1.3
 
|style="width:90px;"| 4.0
 
|style="width:90px;"| 4.0.1
 
|style="width:90px;"| 4.0.2
 
|style="width:90px;"| 4.1
 
|style="width:90px;"| 4.2.1
 
|-
 
| [[purplera1n]]
 
| {{yes}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[redsn0w]]
 
| {{yes|0.8}}
 
| {{yes|0.8}}
 
| {{yes|0.9.2<sup>1</sup> or 0.9.3<sup>1</sup>}}
 
| {{yes|0.9.2<sup>1</sup> or 0.9.3<sup>1</sup>}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes|0.9.6b2}}
 
| {{yes|0.9.6b5<sup>1</sup> o 0.9.7b6<sup>3</sup>}}
 
|-
 
| [[blackra1n]]
 
| {{no}}
 
| {{no}}
 
| {{yes|Yes<sup>1</sup>}}
 
| {{yes|Yes<sup>1</sup>}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[Spirit]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[Star]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{yes}}
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[PwnageTool]]
 
| {{no}}
 
| {{no}}
 
| {{partial|Restore from a custom firmware<sup>2</sup>}}
 
| {{yes|3.1.4<sup>2</sup>}}
 
|colspan="2" {{partial|Restore from a custom firmware<sup>2</sup>}}
 
|colspan="2" {{partial|Restore from a custom firmware with unofficial bundle<sup>2</sup>}}
 
| {{yes|4.1-4.1.3}}
 
| {{partial|Restore from a custom firmware with unofficial bundle<sup>1</sup>}}
 
|-
 
| [[sn0wbreeze]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{partial|1.4<sup>2</sup> or 2.0.2<sup>1 2</sup>}}
 
| {{partial|1.5.1<sup>2</sup> or 2.0.2<sup>1 2</sup>}}
 
| {{partial|1.7<sup>1 2</sup> or 2.0.2<sup>1 2</sup>}}
 
|colspan="2" {{partial|2.0.2<sup>1 2</sup>}}
 
| {{yes|2.1}}
 
| {{no}}
 
|-
 
| [[limera1n]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{yes}}
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[greenpois0n]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{no}}
 
|}
 
<sup>1</sup> [[Tethered jailbreak]] on devices with the [[iBoot-359.3.2|new bootrom]].
 
 
<sup>2</sup> Only applicable for devices with the [[iBoot-359.3|old bootrom]]. Requires the device to have signature checks disabled (pwned).
 
 
<sup>3</sup>[[Untethered jailbreak]] on device with the [[iBoot-359.3.2|new bootroom]] and having blobs shsh saved for iOS 4.2b3. There are two bugs: SandBox and Bluetooth. This jailbreak is called Jailbreak Monte.
 
 
===[[N90ap|iPhone 4]]===
 
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
 
|-
 
!rowspan="2"| [[Jailbreak]] Tool
 
!colspan="5"| Works with [[firmware]]...
 
|-
 
|style="width:100px;"| 4.0
 
|style="width:100px;"| 4.0.1
 
|style="width:100px;"| 4.0.2
 
|style="width:100px;"| 4.1
 
|style="width:100px;"| 4.2.1
 
|-
 
| [[Star]]
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[limera1n]]
 
| {{yes}}
 
| {{yes}}
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[greenpois0n]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[redsn0w]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes|0.9.6b2}}
 
| {{yes|0.9.6b5<sup>1</sup>}}
 
|-
 
| [[PwnageTool]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes|4.1-4.1.3}}
 
| {{partial|With unofficial firmware bundle<sup>1</sup>}}
 
|-
 
| [[sn0wbreeze]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes|2.1}}
 
| {{no}}
 
|}
 
<sup>1</sup> [[Tethered jailbreak]].
 
 
===[[N18ap|iPod touch 3G]]===
 
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
 
|-
 
!rowspan="2"| [[Jailbreak]] Tool
 
!colspan="7"| Works with [[firmware]]...
 
|-
 
|style="width:100px;"| 3.1.1
 
|style="width:100px;"| 3.1.2
 
|style="width:100px;"| 3.1.3
 
|style="width:100px;"| 4.0
 
|style="width:100px;"| 4.0.2
 
|style="width:100px;"| 4.1
 
|style="width:100px;"| 4.2.1
 
|-
 
| [[blackra1n]]
 
| {{yes|Yes<sup>1</sup>}}
 
| {{yes|Yes<sup>1</sup>}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[redsn0w]]
 
| {{yes|0.9.2<sup>1</sup> or 0.9.3<sup>1</sup>}}
 
| {{yes|0.9.2<sup>1</sup> or 0.9.3<sup>1</sup>}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes|0.9.6b2}}
 
| {{yes|0.9.6b5<sup>1</sup>}}
 
|-
 
| [[Spirit]]
 
| {{no}}
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[Star]]
 
| {{no}}
 
| {{yes}}
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
|-
 
| [[sn0wbreeze]]
 
| {{no}}
 
| {{yes|2.0.2<sup>1</sup>}}
 
| {{partial|2.0.2<sup>1</sup>}}
 
| {{partial|1.7<sup>1</sup> or 2.0.2<sup>1</sup>}}
 
| {{partial|2.0.2<sup>1</sup>}}
 
| {{yes|2.1}}
 
| {{no}}
 
|-
 
| [[limera1n]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{yes}}
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[greenpois0n]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[PwnageTool]]
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{no}}
 
| {{yes|4.1-4.1.3}}
 
| {{partial|With unofficial firmware bundle<sup>1</sup>}}
 
|}
 
<sup>1</sup> [[Tethered jailbreak]].
 
 
===[[N81ap |iPod touch 4G]]===
 
{| class="wikitable" style="font-size: smaller; text-align: center; table-layout: fixed; border-collapse: collapse;" border="1"
 
|-
 
!rowspan="2"| [[Jailbreak]] Tool
 
!colspan="4"| Works with [[firmware]]...
 
|-
 
|style="width:100px;"| 4.1 (both builds)
 
|style="width:100px;"| 4.2.1
 
|-
 
| [[redsn0w]]
 
| {{yes|0.9.4b2}}
 
| {{yes|0.9.6b5<sup>1</sup>}}
 
|-
 
| [[limera1n]]
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[greenpois0n]]
 
| {{yes}}
 
| {{no}}
 
|-
 
| [[PwnageTool]]
 
| {{yes|4.1-4.1.3}}
 
| {{partial|With unofficial firmware bundle<sup>1</sup>}}
 
|-
 
| [[sn0wbreeze]]
 
| {{yes|2.1}}
 
| {{no}}
 
|}
 
<sup>1</sup> [[Tethered jailbreak]].
 

Latest revision as of 09:52, 26 March 2017

When the iPhone 3GS was initially released, Apple did not have enough time to fix the 0x24000 Segment Overflow in the S5L8920. However, in order to flash an exploited LLB and jailbreak the iPhone 3GS, one of the following needed to be done:

  • Find a new iBoot exploit every time a new firmware is out.
  • Find a way to bypass the ECID checks.
  • Use a bootrom exploit that allows unsigned code execution via USB.

Newer devices (iPhone 3GS with new bootrom, iPod touch (3rd generation), and subsequent devices) are no longer vulnerable to the 0x24000 Segment Overflow exploit. Many of them are susceptible to geohot's bootrom exploit (originally found in limera1n), which allows unsigned code execution over USB. Even newer devices, starting with the iPad 2, have no bootrom exploits to run unsigned code at all.

ECID

Apple added a new tag to the IMG3 File Format called ECID. The ECID is unique to each phone, and its signature is being checked. With this method, Apple attempts to block downgrades once newer firmware becomes available, unless you have a dump of your old firmware's unique IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new firmwares. [1].

The issue with this is that, even with the 0x24000 Segment Overflow still in bootrom, an iBoot exploit was still needed to actually flash the exploited LLB. Apple uses this ECID stuff to block downgrading iBoot to a vulnerable version. It was resolved when Geohot released his limera1n tool, which used a bootrom exploit to upload an unsigned iBoot. Still the problem remains with newer devices with the 0x24000 Segment Overflow fixed - tampering with firmware makes such jailbreak tethered unless some other exploit is used.

There are methods to help keep your downgrading ability, though.

  • If it receives your ECID, saurik's servers will actively cache the necessary files. Instructions to use the servers are available.
  • The SHSH associated with an ECID can be also saved by running TinyUmbrella. TinyUmbrella allows the user to restore to whatever version is associated with that SHSH file permanently. This is based on the aforementioned service Saurik provides remotely from his server(s).

Jailbreak Tools

Main article: Jailbreak#Jailbreak Tools