Difference between revisions of "IBoot (Bootloader)"

From The iPhone Wiki
Jump to: navigation, search
m (Revisions)
m (Revisions: 4.2.9 and 4.3.4.)
Line 33: Line 33:
 
* [[iBoot-931.71.13]] (4.2 Beta 3)
 
* [[iBoot-931.71.13]] (4.2 Beta 3)
 
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
 
* [[iBoot-931.71.16]] (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
* [[iBoot-931.72.14]] (4.2.5, 4.2.6, 4.2.7 and 4.2.8)
+
* [[iBoot-931.72.14]] (4.2.5, 4.2.6, 4.2.7, 4.2.8, and 4.2.9)
 
* [[iBoot-1072.33~1]] (4.3 Beta 1)
 
* [[iBoot-1072.33~1]] (4.3 Beta 1)
 
* [[iBoot-1072.38]] (4.3 Beta 2)
 
* [[iBoot-1072.38]] (4.3 Beta 2)
Line 39: Line 39:
 
* [[iBoot-1072.58]] (4.3 Build 8F190)
 
* [[iBoot-1072.58]] (4.3 Build 8F190)
 
* [[iBoot-1072.59]] (4.3 Builds 8F191, 8F191m, 8F202 and 8F305, and 4.3.1)
 
* [[iBoot-1072.59]] (4.3 Builds 8F191, 8F191m, 8F202 and 8F305, and 4.3.1)
* [[iBoot-1072.61]] (4.3.2, 4.3.3)
+
* [[iBoot-1072.61]] (4.3.2, 4.3.3, and 4.3.4)
 
* [[iBoot-1219.35.80~1]] (5.0 beta 1)
 
* [[iBoot-1219.35.80~1]] (5.0 beta 1)
 
* [[iBoot-1219.40.25]] (5.0 beta 2)
 
* [[iBoot-1219.40.25]] (5.0 beta 2)

Revision as of 00:31, 16 July 2011

This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as Recovery Mode. It has an interactive interface which can be used over USB or serial.

Bootrom

The bootrom also goes by the name "iBoot." The list of bootroms can be found on their own page.

Revisions

Commands used as an exploit vector

  • diags: Until 2.0 beta 6, the diags command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
  • arm7_go: For firmware 2.1.1, the iPod touch 2G iBoot contains the ARM7 Go command, which could be used to run a payload on the ARM7 in the device.

OpeniBoot

There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source here. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.

Remappings

// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000

See also