Difference between revisions of "Bootrom"

From The iPhone Wiki
(reformulate Exploits section)
(moving exploits to revisions (test))
Line 39: Line 39:
 
== Dumping the bootrom ==
 
== Dumping the bootrom ==
 
You can use [[Bootrom Dumper Utility]] by [[User:pod2g|pod2g]] to dump the bootrom on devices that are vulnerable to the [[limera1n]] exploit.
 
You can use [[Bootrom Dumper Utility]] by [[User:pod2g|pod2g]] to dump the bootrom on devices that are vulnerable to the [[limera1n]] exploit.
 
== Bootrom Exploits ==
 
=== first generation ===
 
* Processors: [[S5L8900]]
 
* Devices: [[M68ap|iPhone]], [[N45ap|iPod touch]], [[N82ap|iPhone 3G]]
 
see also [[VROM (S5L8900)]]. Exploits:
 
* [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]]
 
* [[Pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]]
 
 
=== ipt2/3GS old bootroms ===
 
* Processors: [[S5L8900]], [[S5L8720]] but only with old [[Bootrom 240.4]], [[S5L8920]] but only with old [[Bootrom 359.3]]
 
* Devices: [[M68ap|iPhone]], [[N45ap|iPod touch]], [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G (old bootrom only)]], [[N88ap|iPhone 3GS (old bootrom only)]]
 
Exploits:
 
* [[0x24000 Segment Overflow]]
 
 
=== Steaks4uce ===
 
* Processors: [[S5L8900]], [[S5L8720]], [[S5L8920]](???), [[S5L8922]](??? probably not)
 
* Devices: [[M68ap|iPhone]], [[N45ap|iPod touch]], [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G (old and new bootrom)]], [[N88ap|iPhone 3GS (old and new bootrom)]](???), [[N18ap|iPod touch 3G]](??? probably not)
 
Exploits:
 
* [[usb_control_msg(0xA1, 1) Exploit]] (also called "steaks4uce" exploit)
 
 
=== A4 Devices ===
 
* Processors: [[S5L8900]], [[S5L8720]], [[S5L8920]], [[S5L8922]], [[S5L8930]]
 
* Devices: [[M68ap|iPhone]], [[N45ap|iPod touch]], [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G (old and new bootrom)]], [[N88ap|iPhone 3GS (old and new bootrom)]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[N90ap|iPhone 4 GSM]], [[N81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]], [[N92ap|iPhone 4 CDMA]]
 
Exploits:
 
* [[Limera1n Exploit]]
 
* [[SHA-1 Image Segment Overflow|SHAtter]]
 
   
 
== Revisions ==
 
== Revisions ==
 
===[[S5L8900]], used in the [[m68ap|iPhone 2G]], [[n45ap|iPod touch 1G]], and [[n82ap|iPhone 3G]]===
 
===[[S5L8900]], used in the [[m68ap|iPhone 2G]], [[n45ap|iPod touch 1G]], and [[n82ap|iPhone 3G]]===
  +
see also [[VROM (S5L8900)]]
 
* [[Bootrom Rev.2]]
 
* [[Bootrom Rev.2]]
  +
* Exploits:
  +
** [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]]
  +
** [[Pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]]
  +
** [[0x24000 Segment Overflow]]
  +
** [[usb_control_msg(0xA1, 1) Exploit]] (also called "steaks4uce" exploit)
  +
** [[Limera1n Exploit]]
  +
** [[SHA-1 Image Segment Overflow|SHAtter]]
   
 
===[[S5L8720]], used in the [[n72ap|iPod touch 2G]]===
 
===[[S5L8720]], used in the [[n72ap|iPod touch 2G]]===
 
* [[Bootrom 240.4]] "old bootrom"
 
* [[Bootrom 240.4]] "old bootrom"
  +
* Exploits:
  +
** [[0x24000 Segment Overflow]]
  +
** [[usb_control_msg(0xA1, 1) Exploit]] (also called "steaks4uce" exploit)
  +
** [[Limera1n Exploit]]
  +
** [[SHA-1 Image Segment Overflow|SHAtter]]
 
* [[Bootrom 240.5.1]] "new bootrom"
 
* [[Bootrom 240.5.1]] "new bootrom"
  +
* Exploits:
  +
** [[usb_control_msg(0xA1, 1) Exploit]] (also called "steaks4uce" exploit)
  +
** [[Limera1n Exploit]]
  +
** [[SHA-1 Image Segment Overflow|SHAtter]]
   
 
===[[S5L8920]], used in the [[n88ap|iPhone 3GS]]===
 
===[[S5L8920]], used in the [[n88ap|iPhone 3GS]]===
 
* [[Bootrom 359.3]] "old bootrom"
 
* [[Bootrom 359.3]] "old bootrom"
  +
* Exploits:
  +
** [[0x24000 Segment Overflow]]
  +
** [[usb_control_msg(0xA1, 1) Exploit]] (also called "steaks4uce" exploit)
  +
** [[Limera1n Exploit]]
  +
** [[SHA-1 Image Segment Overflow|SHAtter]]
 
* [[Bootrom 359.3.2]] "new bootrom"
 
* [[Bootrom 359.3.2]] "new bootrom"
  +
* Exploits:
  +
** [[usb_control_msg(0xA1, 1) Exploit]] (also called "steaks4uce" exploit)
  +
** [[Limera1n Exploit]]
  +
** [[SHA-1 Image Segment Overflow|SHAtter]]
   
 
===[[S5L8922]], used in the [[n18ap|iPod touch 3G]]===
 
===[[S5L8922]], used in the [[n18ap|iPod touch 3G]]===
 
* [[Bootrom 359.5]]
 
* [[Bootrom 359.5]]
  +
* Exploits:
  +
** [[usb_control_msg(0xA1, 1) Exploit]] (also called "steaks4uce" exploit) ???
  +
** [[Limera1n Exploit]]
  +
** [[SHA-1 Image Segment Overflow|SHAtter]]
   
 
===[[S5L8930]], used in the [[k48ap|iPad 1G]], [[n90ap|iPhone 4]], [[k66ap|Apple TV 2G]] and [[n81ap|iPod touch 4G]]===
 
===[[S5L8930]], used in the [[k48ap|iPad 1G]], [[n90ap|iPhone 4]], [[k66ap|Apple TV 2G]] and [[n81ap|iPod touch 4G]]===
 
* [[Bootrom 574.4]]
 
* [[Bootrom 574.4]]
  +
* Exploits:
  +
** [[Limera1n Exploit]]
  +
** [[SHA-1 Image Segment Overflow|SHAtter]]
   
 
===[[S5L8940]], used in the [[iPad 2]] and [[n94ap|iPhone 4S]]===
 
===[[S5L8940]], used in the [[iPad 2]] and [[n94ap|iPhone 4S]]===
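Review bot: the per-revision exploit lists added under each bootrom carry over an unresolved marker from the removed "Steaks4uce" group: the [[usb_control_msg(0xA1, 1) Exploit]] entry under [[Bootrom 359.5]] (S5L8922) still ends in "???", while the old grouped section said "??? probably not" for that chip. Since the edit summary marks this as a test, either drop that entry or spell out "unconfirmed" so the per-bootrom lists are not read as verified; the other lists match the old grouping (0x24000 Segment Overflow only under the old 240.4 and 359.3 bootroms, Limera1n and SHAtter everywhere up to 574.4).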

Revision as of 22:38, 25 October 2012

Summary

The bootrom (called "SecureROM" by Apple) is the first significant code that runs on an iDevice. The bootrom is read-only. Finding exploits at the bootrom level is a big achievement, since Apple cannot fix them without a hardware revision.

Old & New bootrom

Certain models, including the iPod touch 2G and iPhone 3GS, have different bootrom versions. These are most commonly referred to with the terms "old bootrom" and "new bootrom." These "new bootrom" devices were released after 9 September 2009 and have the 0x24000 Segment Overflow fixed. While the new bootrom revisions have an exploit, the exploit needs the assistance of a firmware-based exploit to achieve an untethered jailbreak.

You might also be looking for Apple's stage 2 bootloader, which also uses the "iBoot" name.

Looking at the CPRV (Chip Revision) tag will usually also tell you whether the device is a new unit or not.

Finding bootrom version

From the model number (iPod touch 2G)

If the second character of your model number is "B" (e.g. FB533, MB533 or PB533), your iPod has the old bootrom. If the second character is "C" (e.g. FC086, MC086 or PC086), your iPod has the new bootrom.

From the serial number (iPhone 3GS)

The third digit of the serial number identifies the year of manufacture (9=2009, 0=2010), while the fourth and fifth indicate the week. The first "new bootrom" devices are from week 40 of 2009 (serials ??940?????? or higher). Any iPhone made from week 45 of 2009 onwards (serials ??945?????? and higher, or ??0????????) has the new bootrom.

From the DFU Device descriptors (all devices except S5L8900)

Windows

  1. Connect Device & Enter DFU Mode
  2. Open Device Manager, find USB controller, subitem Apple Mobile Device USB Driver
  3. Right-Click & click Properties
  4. Go to Details tab & select Device Instance Path in the dropdown box
  5. The end of the info string will show the bootrom version

Mac OS X

  1. Connect Device & Enter DFU Mode
  2. Go to System Profiler, and under the Hardware category, go to USB, and click on Apple Mobile Device (DFU Mode)
  3. The end of the Serial Number string will show the bootrom version in brackets (e.g. [iBoot-574.4])

Linux

  1. Make sure your distribution has usbutils installed. (most distributions have it by default)
  2. Connect Device & Enter DFU Mode
  3. In terminal, run sudo lsusb -v
  4. Find the line that says iSerial and your bootrom version will be at the end of the line.
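As an added example that is not part of the wiki page, a small Python helper that applies the three identification rules above: the trailing [iBoot-x] marker (and the CPRV tag) in the DFU serial string, the second character of an iPod touch 2G model number, and the year/week digits of an iPhone 3GS serial. The sample DFU string is constructed; only the CPRV tag and the bracketed iBoot suffix are documented on the page, the other KEY:VALUE tags are assumed for illustration.

```python
import re
from typing import Optional

# Constructed sample DFU serial string (not from a real device). Only the
# CPRV tag and the trailing "[iBoot-<version>]" suffix are documented on the
# page; the other KEY:VALUE tags are assumed for illustration.
SAMPLE_DFU_SERIAL = ("CPID:8930 CPRV:20 CPFM:03 SCEP:01 BDID:00 "
                     "ECID:0000000000000000 IBFL:01 SRTG:[iBoot-574.4]")

IBOOT_RE = re.compile(r"\[iBoot-(\d+(?:\.\d+)*)\]\s*$")


def bootrom_from_dfu_serial(serial: str) -> Optional[str]:
    """Return the bootrom version from the bracketed suffix of a DFU serial."""
    m = IBOOT_RE.search(serial)
    return m.group(1) if m else None


def cprv_from_dfu_serial(serial: str) -> Optional[str]:
    """Return the CPRV (chip revision) value, a second hint that a unit is new."""
    m = re.search(r"\bCPRV:([0-9A-Fa-f]+)", serial)
    return m.group(1) if m else None


def ipod_touch_2g_bootrom(model_number: str) -> Optional[str]:
    """Second character of the model number: 'B' = old bootrom, 'C' = new."""
    if len(model_number) < 2:
        return None
    return {"B": "old", "C": "new"}.get(model_number[1].upper())


def iphone_3gs_bootrom(serial: str) -> Optional[str]:
    """Serial-number rule: third digit is the year (9=2009, 0=2010), fourth
    and fifth are the week. Weeks 40-44 of 2009 may be either bootrom."""
    if len(serial) != 11 or not serial[2:5].isdigit():
        return None
    year, week = int(serial[2]), int(serial[3:5])
    if year == 0:
        return "new"        # any 2010 unit (??0????????)
    if year != 9:
        return None         # not a year the rule covers
    if week < 40:
        return "old"        # before the first new-bootrom units
    if week >= 45:
        return "new"        # ??945?????? and higher
    return "either"         # transition weeks 40-44 of 2009
```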

Dumping the bootrom

You can use Bootrom Dumper Utility by pod2g to dump the bootrom on devices that are vulnerable to the limera1n exploit.

Revisions

S5L8900, used in the iPhone 2G, iPod touch 1G, and iPhone 3G

see also VROM (S5L8900)

S5L8720, used in the iPod touch 2G

S5L8920, used in the iPhone 3GS

S5L8922, used in the iPod touch 3G

S5L8930, used in the iPad 1G, iPhone 4, Apple TV 2G and iPod touch 4G

S5L8940, used in the iPad 2 and iPhone 4S

S5L8942, used in the iPad 2 (Wi-Fi) [R2] and Apple TV 3G

  •  ?

S5L8945, used in the iPad 3

S5L8950, used in the iPhone 5