The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "LLB"
(→Patched LLB) |
|||
(4 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
− | + | The '''LLB''' is the '''L'''ow '''L'''evel '''B'''ootloader, also referred to as “iBoot first-stage loader” in the source code. It runs several setup routines and on firmware versions 2.0 and higher it checks the signature of [[iBoot (Bootloader)|iBoot]] before jumping to it. |
|
Those same setup routines are present in [[iBEC]] and [[iBSS]], which is why they can be launched directly from [[DFU Mode]]. |
Those same setup routines are present in [[iBEC]] and [[iBSS]], which is why they can be launched directly from [[DFU Mode]]. |
||
+ | == Disassembly == |
||
+ | LLB can be disassembled in a similar manner to the one described for iBoot. The base address for LLB 5.1 is 0x84000000 and the disassembly should yield the following: |
||
+ | |||
+ | <pre> |
||
+ | ROM:84000000 loc_84000000 ; CODE XREF: ROM:84000078�j |
||
+ | ROM:84000000 ; DATA XREF: ROM:_reset�o ... |
||
+ | ROM:84000000 B _reset |
||
+ | ROM:84000004 ; --------------------------------------------------------------------------- |
||
+ | ROM:84000004 LDR PC, =_undef |
||
+ | ROM:84000008 ; --------------------------------------------------------------------------- |
||
+ | ROM:84000008 LDR PC, =_swi |
||
+ | ROM:8400000C ; --------------------------------------------------------------------------- |
||
+ | ROM:8400000C LDR PC, =_prefabt |
||
+ | ROM:84000010 ; --------------------------------------------------------------------------- |
||
+ | ROM:84000010 LDR PC, =_dataabt |
||
+ | ROM:84000014 ; --------------------------------------------------------------------------- |
||
+ | ROM:84000014 LDR PC, =_halt |
||
+ | ROM:84000018 ; --------------------------------------------------------------------------- |
||
+ | ROM:84000018 LDR PC, =_irq |
||
+ | ROM:8400001C ; --------------------------------------------------------------------------- |
||
+ | ROM:8400001C LDR PC, =_fiq |
||
+ | ROM:8400001C ; --------------------------------------------------------------------------- |
||
+ | ROM:84000020 DCD _reset |
||
+ | ROM:84000024 off_84000024 DCD _undef ; DATA XREF: ROM:84000004�r |
||
+ | ROM:84000028 off_84000028 DCD _swi ; DATA XREF: ROM:84000008�r |
||
+ | ROM:8400002C off_8400002C DCD _prefabt ; DATA XREF: ROM:8400000C�r |
||
+ | ROM:84000030 off_84000030 DCD _dataabt ; DATA XREF: ROM:84000010�r |
||
+ | ROM:84000034 off_84000034 DCD _halt ; DATA XREF: ROM:84000014�r |
||
+ | ROM:84000038 off_84000038 DCD _irq ; DATA XREF: ROM:84000018�r |
||
+ | ROM:8400003C off_8400003C DCD _fiq ; DATA XREF: ROM:8400001C�r |
||
+ | ROM:84000040 ; --------------------------------------------------------------------------- |
||
+ | ROM:84000040 |
||
+ | ROM:84000040 _reset ; CODE XREF: ROM:loc_84000000�j |
||
+ | ROM:84000040 ; DATA XREF: ROM:84000020�o |
||
+ | ROM:84000040 ADR R0, loc_84000000 |
||
+ | ... |
||
+ | </pre> |
||
+ | |||
+ | LLB and iBoot likely share a common code base, as is evident by similar symbols and strings for the FTL, Image_Load, and others. LLB is specialized, however, to load iBoot, which it does by looking for the Img3 tagged "ibot", as can be seen here: |
||
+ | |||
+ | <pre> |
||
+ | ROM:84000880 _do_boot ; CODE XREF: _LLB_Start+A6�p |
||
+ | ROM:84000880 PUSH {R7,LR} |
||
+ | ROM:84000882 MOVW R0, #'ot' |
||
+ | ROM:84000886 MOV R7, SP |
||
+ | ROM:84000888 MOVT.W R0, #'ib' |
||
+ | ROM:8400088C MOVS R1, #2 |
||
+ | ROM:8400088E BL _boot_flash_probably ; First argument is "ibot", second argument is "2" |
||
+ | ROM:84000892 MOV.W R0, #0xFFFFFFFF |
||
+ | ROM:84000896 POP {R7,PC} |
||
+ | </pre> |
||
+ | |||
+ | If iBoot cannot be found, LLB instructs the i-Device to identify itself as Apple Mobile Device (DFU Mode): |
||
+ | |||
+ | <pre> |
||
+ | ROM:84019297 aAppleMobileDev DCB "Apple Mobile Device (DFU Mode)",0 |
||
+ | </pre> |
||
==Patched LLB== |
==Patched LLB== |
||
− | Restoring or |
+ | Restoring or flashing an LLB patched with [[Pwnage]] or [[0x24000 Segment Overflow]] can lead to these changes: |
− | * ECID checks on boot-up are cancelled |
+ | * [[ECID]] checks on boot-up are cancelled |
* A restored firmware is no longer integrity-checked |
* A restored firmware is no longer integrity-checked |
||
− | * RSA Signature Hash blobs ([[SHSH]]) are ignored |
+ | * RSA Signature Hash blobs ([[SHSH]]) and [[APTicket]] are ignored |
* Jailbreak is always untethered for a pwn-able device |
* Jailbreak is always untethered for a pwn-able device |
||
− | * Custom |
+ | * Custom boot logos and recovery logos can be applied |
Latest revision as of 01:35, 8 February 2018
The LLB is the Low Level Bootloader, also referred to as “iBoot first-stage loader” in the source code. It runs several setup routines and on firmware versions 2.0 and higher it checks the signature of iBoot before jumping to it.
Those same setup routines are present in iBEC and iBSS, which is why they can be launched directly from DFU Mode.
Disassembly
LLB can be disassembled in a similar manner to the one described for iBoot. The base address for LLB 5.1 is 0x84000000 and the disassembly should yield the following:
ROM:84000000 loc_84000000 ; CODE XREF: ROM:84000078�j ROM:84000000 ; DATA XREF: ROM:_reset�o ... ROM:84000000 B _reset ROM:84000004 ; --------------------------------------------------------------------------- ROM:84000004 LDR PC, =_undef ROM:84000008 ; --------------------------------------------------------------------------- ROM:84000008 LDR PC, =_swi ROM:8400000C ; --------------------------------------------------------------------------- ROM:8400000C LDR PC, =_prefabt ROM:84000010 ; --------------------------------------------------------------------------- ROM:84000010 LDR PC, =_dataabt ROM:84000014 ; --------------------------------------------------------------------------- ROM:84000014 LDR PC, =_halt ROM:84000018 ; --------------------------------------------------------------------------- ROM:84000018 LDR PC, =_irq ROM:8400001C ; --------------------------------------------------------------------------- ROM:8400001C LDR PC, =_fiq ROM:8400001C ; --------------------------------------------------------------------------- ROM:84000020 DCD _reset ROM:84000024 off_84000024 DCD _undef ; DATA XREF: ROM:84000004�r ROM:84000028 off_84000028 DCD _swi ; DATA XREF: ROM:84000008�r ROM:8400002C off_8400002C DCD _prefabt ; DATA XREF: ROM:8400000C�r ROM:84000030 off_84000030 DCD _dataabt ; DATA XREF: ROM:84000010�r ROM:84000034 off_84000034 DCD _halt ; DATA XREF: ROM:84000014�r ROM:84000038 off_84000038 DCD _irq ; DATA XREF: ROM:84000018�r ROM:8400003C off_8400003C DCD _fiq ; DATA XREF: ROM:8400001C�r ROM:84000040 ; --------------------------------------------------------------------------- ROM:84000040 ROM:84000040 _reset ; CODE XREF: ROM:loc_84000000�j ROM:84000040 ; DATA XREF: ROM:84000020�o ROM:84000040 ADR R0, loc_84000000 ...
LLB and iBoot likely share a common code base, as is evident by similar symbols and strings for the FTL, Image_Load, and others. LLB is specialized, however, to load iBoot, which it does by looking for the Img3 tagged "ibot", as can be seen here:
ROM:84000880 _do_boot ; CODE XREF: _LLB_Start+A6�p ROM:84000880 PUSH {R7,LR} ROM:84000882 MOVW R0, #'ot' ROM:84000886 MOV R7, SP ROM:84000888 MOVT.W R0, #'ib' ROM:8400088C MOVS R1, #2 ROM:8400088E BL _boot_flash_probably ; First argument is "ibot", second argument is "2" ROM:84000892 MOV.W R0, #0xFFFFFFFF ROM:84000896 POP {R7,PC}
If iBoot cannot be found, LLB instructs the i-Device to identify itself as Apple Mobile Device (DFU Mode):
ROM:84019297 aAppleMobileDev DCB "Apple Mobile Device (DFU Mode)",0
Patched LLB
Restoring or flashing an LLB patched with Pwnage or 0x24000 Segment Overflow can lead to these changes: