Difference between revisions of "Talk:Bootrom"

From The iPhone Wiki
Latest revision as of 20:58, 20 August 2013

Extraction / Disassembly

Which versions have been successfully extracted and reverse engineered? Where are the instructions on how to do so? -- http 08:26, 26 September 2010 (UTC)

The S5L8900 is mapped to 0x20000000, so inject iBoot, which is mapped to 0x18000000, then run a range check and find where the bootrom ends. --liamchat 12:01, 26 October 2010 (UTC)
The iPod 2G bootrom is mapped to 0x22000000. --liamchat 12:01, 26 October 2010 (UTC)
The iPhone 3GS and iPod 3G bootrom is mapped to 0x84000000. --liamchat 12:01, 26 October 2010 (UTC)
The S5L8930 bootrom is mapped to 0x84000000 (I think). --liamchat 12:01, 26 October 2010 (UTC)
Did MuscleNerd manage to extract the Bootrom version 838.3 or not? reference 1 (https://twitter.com/MuscleNerd/status/124970409371250688), reference 2 (https://twitter.com/nitoTV/status/124971542202425344), reference 3 (https://twitter.com/musclenerd/status/124975981944512512). Some people interpreted these tweets as a successful extraction confirmation. -- http 04:40, 17 October 2011 (MDT)
Ok, it has not been extracted yet. --http 11:48, 15 February 2012 (MST)

Untethered/Tethered

Well, all jailbreaks with greenpois0n are untethered, so shouldn't we say that they are untethered at least for now? I understand that the original exploit alone is tethered, but the jailbreak isn't. --The preceding unsigned comment was added by JacobVengeance (talk) 16:42, October 25, 2010 (UTC).

greenpois0n does indeed do untethered jailbreaks for its supported devices. I've done a little housekeeping on the articles, which replaced the mention of jailbreak utilities for a slightly more technical explanation on what's different, so hopefully that tackles this issue. :) (If people really want the utilities' names, I suppose they could be added back, but I omitted them because I felt it was unnecessary.) --Dialexio 19:38, 25 October 2010 (UTC)

Bootrom version of the 3G (not Bootrom 596.24)

M2m added the bootrom link Bootrom 596.24 as the one for the iPhone 3G. I highly doubt that. Why should the 3G have a higher version than the two versions of the 3GS? Where do you have this info from? I don't have a 3G, and the 3GS method to get the version doesn't work on the 3G. -- http 03:16, 31 December 2011 (MST)

I already thought that my edit would generate some discussion. This version is reported if I plug the 3G into a MacBook Air, put the 3G into DFU and check in System Profiler. I was also astonished to find this version on the 3G, which leads me to think that either the method to get the bootrom version (as described here) is not correct or some of the versions here are somehow faulty. I think that there has been some mixup between the bootrom iBoot and the 2nd stage bootloader iBoot. --M2m 04:18, 31 December 2011 (MST)
Yes, there has been some confusion. On the pages like IBoot-596.24 it is not clear if it's a bootrom version or a stage 2 bootloader. We have to fix that. But I think all versions listed on this page are correct bootrom versions except the version you added. The method for checking the bootrom version does not work on the 3G, it's intended only for the 3GS. What was the full string that was reported? If there was this version you wrote, maybe it was the stage 2 bootloader. I'll revert to the previous edit until someone can tell what the real version is. -- http 11:24, 31 December 2011 (MST)
Information from my 3G as follows from System Profiler when put in DFU:

 Product-ID:	0x1227
 Manufacturer-ID:	0x05ac (Apple Inc.)
 Version:	0.00
 Serial number:	CPID:8900 CPRV:30 CPFM:03 SCEP:05 BDID:04 ECID:000000XXXXXXXXXX IBFL:00 SRTG:[iBoot-596.24]

--The preceding unsigned comment was added by M2m (talk) 14:58, 1 January 2011 (MST).
That isn't the stage two bootloader as 4.2.1 is iBoot-931.71.16~9 --5urd 16:32, 1 January 2012 (MST)
This is the stage two bootloader belonging to iOS 3.0.1. --http 04:38, 2 January 2012 (MST)
But I am on iOS 4.2.1, not 3.0.1. I am confused. --M2m 04:55, 2 January 2012 (MST)
I have an ipt1, which should have the same bootrom. If I find some time, I'll try to extract it. If you're an advanced user, you might also try to extract the bootrom with the Bootrom Dumper Utility. In the extracted binary you should find the correct version. --http 05:04, 2 January 2012 (MST)
Hmm, well, I couldn't find the usb_wait_for_image call offset values and exploit values for the 3G, as the bdu tool is based on the limera1n exploit, which is not available for the 3G, but I will keep searching. --M2m 09:19, 2 January 2012 (MST)
With the Mac I get the same info (see my screenshot here: http://i40.tinypic.com/141s1lt.png). According to iH8sn0w, this version comes from the WTF driver. He said "ensure iTunes / iTunesHelper is killed when entering DFU" (https://twitter.com/#!/iH8sn0w/status/160722562983268352). --http 04:26, 22 January 2012 (MST)
Good info. I'll check that again tomorrow. --M2m 05:47, 22 January 2012 (MST)
Killed iTunes & iTunes Helper.

My iPhone 2G in System Profiler:

 USB DFU Device:
 Produkt-ID:	0x1222
 Hersteller-ID:	0x05ac (Apple Inc.)
 Version:	0,01
 Seriennummer:	89000000000001
 Geschwindigkeit:	Bis zu 480 MBit/s
 Hersteller:	Apple Computer, Inc.
 Standort-ID:	0xfd110000 / 3
 Verfügbare Stromstärke (mA):	500
 Erforderliche Stromstärke (mA):	100

My iPhone 3G in System Profiler:

 USB DFU Device:
 Produkt-ID:	0x1222
 Hersteller-ID:	0x05ac (Apple Inc.)
 Version:	0,01
 Seriennummer:	89000000000001
 Geschwindigkeit:	Bis zu 480 MBit/s
 Hersteller:	Apple Computer, Inc.
 Standort-ID:	0xfd110000 / 3
 Verfügbare Stromstärke (mA):	500
 Erforderliche Stromstärke (mA):	100

--M2m 13:09, 22 January 2012 (MST)
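To tell the two descriptors quoted in this thread apart, here is an added Python example (my own, not the wiki's or any poster's) that parses a System Profiler DFU dump and labels which stage answered: a serial carrying CPID/.../SRTG fields is attributed to the loaded WTF image, as iH8sn0w says above, while product ID 0x1222 with serial 89000000000001 is attributed to the S5L8900 ROM itself. Both rules and the sample dumps are taken only from this page; nothing else about the descriptors is assumed.

```python
import re

# Constructed sample input: the two System Profiler dumps quoted in this thread
# (English and German labels exactly as posted; ECID masked as posted).
WTF_DUMP = """Product-ID: 0x1227
Manufacturer-ID: 0x05ac (Apple Inc.)
Version: 0.00
Serial number: CPID:8900 CPRV:30 CPFM:03 SCEP:05 BDID:04 ECID:000000XXXXXXXXXX IBFL:00 SRTG:[iBoot-596.24]"""
ROM_DUMP = """Produkt-ID: 0x1222
Hersteller-ID: 0x05ac (Apple Inc.)
Version: 0,01
Seriennummer: 89000000000001"""

# System Profiler labels in the two languages that appear on this page.
LABELS = {"product_id": ("Product-ID", "Produkt-ID"),
          "vendor_id": ("Manufacturer-ID", "Hersteller-ID"),
          "serial": ("Serial number", "Seriennummer")}
APPLE_VID = 0x05AC
S5L8900_ROM_SERIAL = "89000000000001"  # from the "ROM BOOT" string quoted below

def parse_profiler(text):
    """Map the labelled lines of a System Profiler dump to normalised keys."""
    raw = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            raw[label.strip()] = value.strip()
    info = {key: raw[name] for key, names in LABELS.items()
            for name in names if name in raw}
    for key in ("product_id", "vendor_id"):  # "0x05ac (Apple Inc.)" -> 0x5ac
        if key in info:
            info[key] = int(info[key].split()[0], 16)
    return info

def parse_serial_fields(serial):
    """Split 'CPID:8900 ... SRTG:[iBoot-596.24]' into a field dict."""
    pairs = re.findall(r"(\w+):(\[[^\]]*\]|\S+)", serial)
    return {key: value.strip("[]") for key, value in pairs}

def classify(text):
    """Tag a dump with the DFU stage that answered, using this thread's rules."""
    info = parse_profiler(text)
    serial = info.get("serial", "")
    info["fields"] = parse_serial_fields(serial) if "CPID:" in serial else {}
    if info.get("vendor_id") != APPLE_VID:
        info["stage"] = "unknown"
    elif "SRTG" in info["fields"]:
        info["stage"] = "wtf"  # SRTG names the loaded WTF image, not the ROM
    elif info.get("product_id") == 0x1222 and serial == S5L8900_ROM_SERIAL:
        info["stage"] = "rom"  # the S5L8900 bootrom's own DFU identity
    else:
        info["stage"] = "unknown"
    return info
```

Running classify() over the second dump only returns "rom" because iTunes was killed first, which is exactly the check iH8sn0w recommended.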

Rename Bootrom pages

I would like to rename the bootrom pages from iBoot-xxx to something different, for two reasons:

  • The same name format is currently being used for iBoot stage 2 bootloader pages, which causes confusion.
  • The bootrom for the S5L8900 has no version number, as iH8sn0w just pointed out. It just shows "Apple Computer, Inc. USB DFU Device 89000000000001 S5L8900 Rev.2 ROM BOOT" in the code.

I would suggest a new name starting with "Bootrom" and then either the application processor name (like S5Lxxxx) together with a version (like A, B, or old, new) or the version number like "Bootrom 838.1" and a special name for the 8900, like "Bootrom S5L8900". Personally, I would prefer the processor-named version, but I don't like the old/new or A/B in it. Maybe just add the version where it's known? So finally I would suggest these names:

  • Bootrom S5L8900 Rev.2
  • Bootrom S5L8720 240.4
  • Bootrom S5L8720 240.5.1
  • Bootrom S5L8920 359.3
  • Bootrom S5L8920 359.3.2
  • Bootrom S5L8922 359.5
  • Bootrom S5L8930 574.4
  • Bootrom S5L8940 838.3

So what do you think? Any concerns? Better ideas? --http 06:16, 5 March 2012 (MST)

I agree with http; adding the processor wouldn't cause frustration or confusion. Just a bootrom page is maybe too broad on the subject; we could get the small device-specific details on the processor (device model, type of processor, what year it came in, etc.). --Dylan Laws 08:33, 6 March 2012 (MST)
For the processors themselves, we already have pages. --http 10:39, 6 March 2012 (MST)
I think using 'SecureROM' would be more appropriate. -- iH8sn0w 17:30, 6 March 2012 (MST)
I don't like 'SecureROM' too much, because it's more a product name and could change, while 'Bootrom' is more neutral. Also, if I hear 'SecureROM', immediately planetbeing's "it's not so secure" (from 25C3) comes to my mind. Also the "SecureBoot" sounds very similar. But if others like it, that's fine for me too. But for the rest of the name? Is my last suggestion there ok? --http 00:43, 7 March 2012 (MST)
I don't think mentioning the CPU in the page title is necessary. (It'd definitely be acknowledged in the bootrom's page anyways.) I like the sound of Bootrom Rev.2, Bootrom 240.4, etc. --Dialexio 10:01, 7 March 2012 (MST)
You're right with the fact that the CPU name is not necessary and if you prefer a short title, it's even better. The only thing is that these bootroms "belong" to a specific chip, as the bootrom is part of the hardware, so that's why I kinda like it. But I also like short titles and the CPU alone is not enough, so if nobody else comes in, I'll go with Dialexio's idea. --http 12:10, 7 March 2012 (MST)
Done! --10:21, 11 March 2012 (MDT)