Difference between revisions of "LLB"

From The iPhone Wiki
Jump to: navigation, search
m
 
(13 intermediate revisions by 6 users not shown)
Line 1: Line 1:
This is the Low Level Bootloader. It runs several setup routines and checks the signature of [[iBoot]], before jumping to it.
+
The '''LLB''' is the '''L'''ow '''L'''evel '''B'''ootloader, also referred to as “iBoot first-stage loader” in the source code. It runs several setup routines and on firmware versions 2.0 and higher it checks the signature of [[iBoot (Bootloader)|iBoot]] before jumping to it.
   
Those same setup routines are present in iBEC and iBSS so they can be launched directly from the [[DFU]].
+
Those same setup routines are present in [[iBEC]] and [[iBSS]], which is why they can be launched directly from [[DFU Mode]].
  +
  +
== Disassembly ==
  +
LLB can be disassembled in a similar manner to the one described for iBoot. The base address for LLB 5.1 is 0x84000000 and the disassembly should yield the following:
  +
  +
<pre>
  +
ROM:84000000 loc_84000000 ; CODE XREF: ROM:84000078�j
  +
ROM:84000000 ; DATA XREF: ROM:_reset�o ...
  +
ROM:84000000 B _reset
  +
ROM:84000004 ; ---------------------------------------------------------------------------
  +
ROM:84000004 LDR PC, =_undef
  +
ROM:84000008 ; ---------------------------------------------------------------------------
  +
ROM:84000008 LDR PC, =_swi
  +
ROM:8400000C ; ---------------------------------------------------------------------------
  +
ROM:8400000C LDR PC, =_prefabt
  +
ROM:84000010 ; ---------------------------------------------------------------------------
  +
ROM:84000010 LDR PC, =_dataabt
  +
ROM:84000014 ; ---------------------------------------------------------------------------
  +
ROM:84000014 LDR PC, =_halt
  +
ROM:84000018 ; ---------------------------------------------------------------------------
  +
ROM:84000018 LDR PC, =_irq
  +
ROM:8400001C ; ---------------------------------------------------------------------------
  +
ROM:8400001C LDR PC, =_fiq
  +
ROM:8400001C ; ---------------------------------------------------------------------------
  +
ROM:84000020 DCD _reset
  +
ROM:84000024 off_84000024 DCD _undef ; DATA XREF: ROM:84000004�r
  +
ROM:84000028 off_84000028 DCD _swi ; DATA XREF: ROM:84000008�r
  +
ROM:8400002C off_8400002C DCD _prefabt ; DATA XREF: ROM:8400000C�r
  +
ROM:84000030 off_84000030 DCD _dataabt ; DATA XREF: ROM:84000010�r
  +
ROM:84000034 off_84000034 DCD _halt ; DATA XREF: ROM:84000014�r
  +
ROM:84000038 off_84000038 DCD _irq ; DATA XREF: ROM:84000018�r
  +
ROM:8400003C off_8400003C DCD _fiq ; DATA XREF: ROM:8400001C�r
  +
ROM:84000040 ; ---------------------------------------------------------------------------
  +
ROM:84000040
  +
ROM:84000040 _reset ; CODE XREF: ROM:loc_84000000�j
  +
ROM:84000040 ; DATA XREF: ROM:84000020�o
  +
ROM:84000040 ADR R0, loc_84000000
  +
...
  +
</pre>
  +
  +
LLB and iBoot likely share a common code base, as is evident by similar symbols and strings for the FTL, Image_Load, and others. LLB is specialized, however, to load iBoot, which it does by looking for the Img3 tagged "ibot", as can be seen here:
  +
  +
<pre>
  +
ROM:84000880 _do_boot ; CODE XREF: _LLB_Start+A6�p
  +
ROM:84000880 PUSH {R7,LR}
  +
ROM:84000882 MOVW R0, #'ot'
  +
ROM:84000886 MOV R7, SP
  +
ROM:84000888 MOVT.W R0, #'ib'
  +
ROM:8400088C MOVS R1, #2
  +
ROM:8400088E BL _boot_flash_probably ; First argument is "ibot", second argument is "2"
  +
ROM:84000892 MOV.W R0, #0xFFFFFFFF
  +
ROM:84000896 POP {R7,PC}
  +
</pre>
  +
  +
If iBoot cannot be found, LLB instructs the i-Device to identify itself as Apple Mobile Device (DFU Mode):
  +
  +
<pre>
  +
ROM:84019297 aAppleMobileDev DCB "Apple Mobile Device (DFU Mode)",0
  +
</pre>
  +
==Patched LLB==
  +
Restoring or flashing an LLB patched with [[Pwnage]] or [[0x24000 Segment Overflow]] can lead to these changes:
  +
* [[ECID]] checks on boot-up are cancelled
  +
* A restored firmware is no longer integrity-checked
  +
* RSA Signature Hash blobs ([[SHSH]]) and [[APTicket]] are ignored
  +
* Jailbreak is always untethered for a pwn-able device
  +
* Custom boot logos and recovery logos can be applied

Latest revision as of 01:35, 8 February 2018

The LLB is the Low Level Bootloader, also referred to as “iBoot first-stage loader” in the source code. It runs several setup routines and on firmware versions 2.0 and higher it checks the signature of iBoot before jumping to it.

Those same setup routines are present in iBEC and iBSS, which is why they can be launched directly from DFU Mode.

Disassembly

LLB can be disassembled in a similar manner to the one described for iBoot. The base address for LLB 5.1 is 0x84000000 and the disassembly should yield the following:

ROM:84000000 loc_84000000                            ; CODE XREF: ROM:84000078�j
ROM:84000000                                         ; DATA XREF: ROM:_reset�o ...
ROM:84000000                 B               _reset
ROM:84000004 ; ---------------------------------------------------------------------------
ROM:84000004                 LDR             PC, =_undef
ROM:84000008 ; ---------------------------------------------------------------------------
ROM:84000008                 LDR             PC, =_swi
ROM:8400000C ; ---------------------------------------------------------------------------
ROM:8400000C                 LDR             PC, =_prefabt
ROM:84000010 ; ---------------------------------------------------------------------------
ROM:84000010                 LDR             PC, =_dataabt
ROM:84000014 ; ---------------------------------------------------------------------------
ROM:84000014                 LDR             PC, =_halt
ROM:84000018 ; ---------------------------------------------------------------------------
ROM:84000018                 LDR             PC, =_irq
ROM:8400001C ; ---------------------------------------------------------------------------
ROM:8400001C                 LDR             PC, =_fiq
ROM:8400001C ; ---------------------------------------------------------------------------
ROM:84000020                 DCD _reset
ROM:84000024 off_84000024    DCD _undef              ; DATA XREF: ROM:84000004�r
ROM:84000028 off_84000028    DCD _swi                ; DATA XREF: ROM:84000008�r
ROM:8400002C off_8400002C    DCD _prefabt            ; DATA XREF: ROM:8400000C�r
ROM:84000030 off_84000030    DCD _dataabt            ; DATA XREF: ROM:84000010�r
ROM:84000034 off_84000034    DCD _halt               ; DATA XREF: ROM:84000014�r
ROM:84000038 off_84000038    DCD _irq                ; DATA XREF: ROM:84000018�r
ROM:8400003C off_8400003C    DCD _fiq                ; DATA XREF: ROM:8400001C�r
ROM:84000040 ; ---------------------------------------------------------------------------
ROM:84000040
ROM:84000040 _reset                                  ; CODE XREF: ROM:loc_84000000�j
ROM:84000040                                         ; DATA XREF: ROM:84000020�o
ROM:84000040                 ADR             R0, loc_84000000
  ... 

LLB and iBoot likely share a common code base, as is evident by similar symbols and strings for the FTL, Image_Load, and others. LLB is specialized, however, to load iBoot, which it does by looking for the Img3 tagged "ibot", as can be seen here:

ROM:84000880 _do_boot                                ; CODE XREF: _LLB_Start+A6�p
ROM:84000880                 PUSH            {R7,LR}
ROM:84000882                 MOVW            R0, #'ot'
ROM:84000886                 MOV             R7, SP
ROM:84000888                 MOVT.W          R0, #'ib'
ROM:8400088C                 MOVS            R1, #2
ROM:8400088E                 BL              _boot_flash_probably ; First argument is "ibot", second argument is "2"
ROM:84000892                 MOV.W           R0, #0xFFFFFFFF
ROM:84000896                 POP             {R7,PC}

If iBoot cannot be found, LLB instructs the i-Device to identify itself as Apple Mobile Device (DFU Mode):

ROM:84019297 aAppleMobileDev DCB "Apple Mobile Device (DFU Mode)",0
 

Patched LLB

Restoring or flashing an LLB patched with Pwnage or 0x24000 Segment Overflow can lead to these changes:

  • ECID checks on boot-up are cancelled
  • A restored firmware is no longer integrity-checked
  • RSA Signature Hash blobs (SHSH) and APTicket are ignored
  • Jailbreak is always untethered for a pwn-able device
  • Custom boot logos and recovery logos can be applied