Difference between revisions of "Pwnage"
ChronicDev (talk | contribs) (→Exploit)

Changes at line 5, in the section:

==Exploit==

Removed:

− The [[VROM]] doesn't sig check the stuff it jumps to in the [[NOR]]. So to use the exploit, one finds a way of writing to the NOR unsigned, either with [[iBoot]] hacks or kernel patches.

Added:

+ ===Pre-2.0 ([[S5L8900]])===
+ The [[NOR]] was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although [[iBoot]] signature checked the [[kernel]], [[LLB]] did not signature check [[iBoot]], and the [[VROM]] did not signature check [[LLB]].
+ ===2.0+ ([[S5L8900]])===
+ The [[VROM]] doesn't sig check the stuff it jumps to in the [[NOR]]. So to use the exploit, one finds a way of writing to the [[NOR]] unsigned, either with [[iBoot]] hacks or kernel patches. While images are now written to [[NOR]] in a way that one can verify the other, like LLB verifying iBoot, the bootrom cannot be written to, so it still defaults to just reading LLB normally, un-signature checked.
+ ===2.0+ ([[S5L8720]])===

Unchanged:

This exploit has been fixed on the [[n72ap|iPod Touch 2G]]. The bootrom sigchecks LLB before jumping to it now, and if the LLB is patched, it will default to DFU mode.
Revision as of 19:33, 28 January 2009
This exploit is in the VROM.

Exploit
Pre-2.0 (S5L8900)
The NOR was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although iBoot signature checked the kernel, LLB did not signature check iBoot, and the VROM did not signature check LLB.
2.0+ (S5L8900)
The VROM does not signature check what it jumps to in the NOR, so to use the exploit one needs a way to write to the NOR unsigned, either with iBoot hacks or kernel patches. Although images are now written to NOR in a way that lets one stage verify the next (for example, LLB verifying iBoot), the bootrom cannot be rewritten, so it still loads LLB as before, without a signature check.
2.0+ (S5L8720)
This exploit has been fixed on the iPod Touch 2G. The bootrom sigchecks LLB before jumping to it now, and if the LLB is patched, it will default to DFU mode.
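The three generations above differ only in which boot stage checks the one it loads. The toy model below, added here as an illustration and not code from The iPhone Wiki or Apple, walks the bootrom → LLB → iBoot → kernel chain under each policy; the "signature" is a constructed keyed hash standing in for the RSA checks, and the stage names and policies are taken from the article, everything else is assumed.

```python
# Constructed model of the S5L8900 / S5L8720 boot chain (not Apple code).
import hashlib

# Each stage jumps to the next one in this order.
STAGES = ["bootrom", "llb", "iboot", "kernel"]

def sign(key: bytes, image: bytes) -> bytes:
    """Toy signature: keyed SHA-256 (a MAC, not RSA). Enough to model the chain."""
    return hashlib.sha256(key + image).digest()

def verify(key: bytes, image: bytes, sig: bytes) -> bool:
    return sig == sign(key, image)

# Which stages verify the image they load, per generation (from the article).
POLICIES = {
    "pre-2.0 S5L8900": {"iboot"},                     # only iBoot checks the kernel
    "2.0+ S5L8900":    {"llb", "iboot"},              # LLB checks iBoot; ROM still trusts LLB
    "2.0+ S5L8720":    {"bootrom", "llb", "iboot"},   # ROM checks LLB; chain is anchored
}

def build_images(key: bytes, patched=()) -> dict:
    """Constructed firmware set: each stage signed, then the stages named in
    `patched` modified after signing, as an unsigned NOR write would leave them."""
    images = {}
    for stage in STAGES[1:]:
        blob = f"{stage}-image".encode()
        sig = sign(key, blob)
        if stage in patched:
            blob += b"-patched"
        images[stage] = (blob, sig)
    return images

def boot(policy_name: str, key: bytes, images: dict):
    """Walk the chain. Returns (stages that ran, outcome), where outcome is
    'DFU' if a check failed or the name of the last stage reached.
    Simplification: a stage keeps its policy even when patched; in reality a
    stage that was never verified can drop every check that follows it."""
    verifiers = POLICIES[policy_name]
    ran = ["bootrom"]
    for loader, nxt in zip(STAGES, STAGES[1:]):
        blob, sig = images[nxt]
        if loader in verifiers and not verify(key, blob, sig):
            return ran, "DFU"
        ran.append(nxt)
    return ran, ran[-1]
```

Running the unpatched set under any policy reaches the kernel; the interesting cases are a patched LLB, which the two S5L8900 policies accept and the S5L8720 policy rejects into DFU.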