The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "IBoot (Bootloader)"
ChronicDev (talk | contribs)
Revision as of 21:13, 4 February 2009
This is Apple's bootloader for the S5L8900. It runs what is known as Recovery Mode. It has an interactive interface which can be used over USB or serial.
Commands used as an exploit vector
There are already two public exploits in which commands in iBoot have been used in order to run unsigned code:
- Until it was fixed in 2.0 beta 6, the diags command jumped to whatever address was passed as its argument: sending "diags 0x9000000" transferred control directly to the code at 0x9000000, so anything already loaded there ran as unsigned code with the bootloader's privileges. Since the fix, a check allows only engineering devices to use this backdoor.
- In the iPod Touch 2G firmware 2.1.1 iBoot (iBoot version 385.22), the ARM7 Go command could be used to run a payload on the ARM7 in the iPod Touch 2G.
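Both entries above share one pattern: a console command takes an address (or a payload) from an untrusted USB/serial peer and transfers control to it without any check on who is asking. The following is an added example, not Apple's code and not taken from the wiki: a toy C model of an iBoot-style "diags <addr>" handler in its pre-2.0 beta 6 form next to a version with the engineering-device gate the page describes. The device flag, the return codes, the command-table shape and every function name are assumptions made for illustration; the "payload" is a local function standing in for code an attacker has already placed in RAM.

```c
/* Added example (not Apple's code): toy model of an iBoot-style console
 * command that jumps to a caller-supplied address.  diags_vulnerable()
 * reproduces the pre-2.0b6 behaviour described above; diags_fixed() adds
 * the engineering-device check.  Device flags, return codes and names are
 * assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef void (*entry_fn)(void);

struct device {
    int engineering;   /* assumed flag: 1 = engineering unit, 0 = production unit */
};

/* Result codes handed back to the console caller (assumed). */
enum { CMD_OK = 0, CMD_BAD_ARG = -1, CMD_DENIED = -2 };

/* Parse the single hex argument of "diags 0x...".  Returns 0 on success,
 * -1 on a missing, empty or malformed argument. */
static int parse_addr(const char *args, uintptr_t *out)
{
    char *end;
    if (args == NULL || *args == '\0')
        return -1;
    unsigned long long v = strtoull(args, &end, 0);   /* base 0 accepts 0x prefix */
    if (end == args || *end != '\0')
        return -1;
    *out = (uintptr_t)v;
    return 0;
}

/* Pre-2.0 beta 6 behaviour: no check at all, control goes straight to
 * whatever address arrived over USB or serial. */
int diags_vulnerable(struct device *dev, const char *args)
{
    uintptr_t addr;
    (void)dev;                     /* device state is never consulted */
    if (parse_addr(args, &addr) != 0)
        return CMD_BAD_ARG;
    ((entry_fn)addr)();            /* unsigned code runs with bootloader privileges */
    return CMD_OK;
}

/* Post-fix behaviour: the jump is only honoured on engineering devices. */
int diags_fixed(struct device *dev, const char *args)
{
    uintptr_t addr;
    if (!dev->engineering)
        return CMD_DENIED;         /* production units never take the jump */
    if (parse_addr(args, &addr) != 0)
        return CMD_BAD_ARG;
    ((entry_fn)addr)();
    return CMD_OK;
}

/* Stand-in for an attacker payload already sitting in RAM: it only records
 * that it was reached.  payload_did_run() reports and clears that record. */
static int payload_ran;
void fake_payload(void) { payload_ran = 1; }
int payload_did_run(void) { int r = payload_ran; payload_ran = 0; return r; }

/* Render a function's address the way a user would type it on the console. */
void format_cmd_arg(void (*fn)(void), char *buf, size_t len)
{
    snprintf(buf, len, "0x%llx", (unsigned long long)(uintptr_t)fn);
}

int main(void)
{
    struct device prod = { 0 }, eng = { 1 };
    char arg[32];
    int rc, ran;
    format_cmd_arg(fake_payload, arg, sizeof arg);

    rc = diags_vulnerable(&prod, arg); ran = payload_did_run();
    printf("diags %s (vulnerable, production): rc=%d payload ran=%d\n", arg, rc, ran);
    rc = diags_fixed(&prod, arg); ran = payload_did_run();
    printf("diags %s (fixed, production):      rc=%d payload ran=%d\n", arg, rc, ran);
    rc = diags_fixed(&eng, arg); ran = payload_did_run();
    printf("diags %s (fixed, engineering):     rc=%d payload ran=%d\n", arg, rc, ran);
    return 0;
}
```

The point of the model is that the argument parser is not the bug: both handlers parse correctly, and the only difference is whether the bootloader asks what kind of device it is before honouring a control-transfer request from the console. The same question applies to the ARM7 Go command on the iPod touch 2G: a command that starts a coprocessor on caller-supplied code is only safe if something upstream has established that the caller is allowed to supply it.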
OpeniBoot
There is an open source version of iBoot being made so that Linux on the iPhone will work. You can check out the source at http://github.com/planetbeing/iphonelinux/tree/master/openiboot. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself.