|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8720"
m (→Kernel) |
m |
||
| Line 2: | Line 2: | ||
== Exploits == |
== Exploits == |
||
| − | === [[iBoot]] === |
+ | === [[iBoot (Bootloader)|iBoot]] === |
| − | '''Note''': [[iBoot]] on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares |
+ | '''Note''': [[iBoot (Bootloader)|iBoot]] on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares |
* [[ARM7 Go]] - Works on [[iOS]] 2.1.1 |
* [[ARM7 Go]] - Works on [[iOS]] 2.1.1 |
||
| Line 11: | Line 11: | ||
=== [[S5L8720 (Bootrom)|Bootrom]] === |
=== [[S5L8720 (Bootrom)|Bootrom]] === |
||
* [[0x24000 Segment Overflow]] - only in [[iBoot-240.4]] (old bootrom) |
* [[0x24000 Segment Overflow]] - only in [[iBoot-240.4]] (old bootrom) |
||
| − | * [[usb_control_msg(0xA1, 1) Exploit |
+ | * [[usb_control_msg(0xA1, 1) Exploit]] |
=== [[Kernel]] === |
=== [[Kernel]] === |
||
| Line 24: | Line 24: | ||
==Boot Chain== |
==Boot Chain== |
||
| − | [[VROM]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]] |
+ | [[VROM]]->[[LLB]]->[[iBoot (Bootloader)|iBoot]]->[[Kernel]]->[[Firmware|System Software]] |
| − | It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3 File Format|IMG3]] containers, and the [[S5L8720 (Bootrom)|bootrom]] can properly check [[LLB]]'s signature. That being said, unsigned images can still be run using the [[0x24000 Segment Overflow]], provided the |
+ | It is definitely worthy to note that the [[Pwnage]] exploit is fixed because the images are now flashed to the [[NOR]] in their encrypted [[IMG3 File Format|IMG3]] containers, and the [[S5L8720 (Bootrom)|bootrom]] can properly check [[LLB]]'s signature. That being said, unsigned images can still be run using the [[0x24000 Segment Overflow]], provided the bootrom is [[iBoot-240.4|old enough]]. |
==See Also== |
==See Also== |
||
Revision as of 04:35, 26 April 2011
This is the Application Processor used on the iPod touch 2G.
Contents
Exploits
iBoot
Note: iBoot on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares
- ARM7 Go - Works on iOS 2.1.1
- iBoot Environment Variable Overflow - Works up to iOS 3.1 beta 3
- usb_control_msg(0x21, 2) Exploit - Works up to iOS 3.1.2
Bootrom
- 0x24000 Segment Overflow - only in iBoot-240.4 (old bootrom)
- usb_control_msg(0xA1, 1) Exploit
Kernel
- BPF STX Kernel Write Exploit - Works up to iOS 3.1.3
- IOSurface Kernel Exploit - Works up to iOS 4.0
- Packet Filter Kernel Exploit - Works up to iOS 4.1
- HFS Legacy Volume Name Stack Buffer Overflow - Works up to iOS 4.2.1
Userland
- MobileBackup Copy Exploit - Works up to iOS 3.1.3
- Malformed CFF Vulnerability - Works up to iOS 4.0
Boot Chain
VROM->LLB->iBoot->Kernel->System Software
It is definitely worthy to note that the Pwnage exploit is fixed because the images are now flashed to the NOR in their encrypted IMG3 containers, and the bootrom can properly check LLB's signature. That being said, unsigned images can still be run using the 0x24000 Segment Overflow, provided the bootrom is old enough.
