The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Jailbreak (S5L8920+)"
(Revamp-ish.) |
|||
Line 1: | Line 1: | ||
− | Apple did not have the time to fix the [[ |
+ | Apple did not have the time to fix the the [[0x24000 Segment Overflow]] in the [[S5L8920 (Bootrom)|S5L8920]]. However, in order to flash an exploited [[LLB]] and jailbreak the [[N88ap|iPhone 3GS]], '''one''' of the following needs to be done: |
* Find a new [[iBoot]] exploit every time a new firmware is out. |
* Find a new [[iBoot]] exploit every time a new firmware is out. |
||
− | * Find a way to bypass the ECID checks. |
+ | * Find a way to bypass the [[ECID]] checks. |
− | * Find another bootrom exploit that allows unsigned code |
+ | * Find another bootrom exploit that allows unsigned code executing via USB ([[Pwnage 2.0]]-like) |
+ | |||
+ | This also applies to the [[N18ap|iPod touch 3G]] and later devices, except a bootrom exploit is needed. |
||
==ECID== |
==ECID== |
||
− | Apple added a new tag to the |
+ | Apple added a new tag to the [[IMG3 File Format]] called ECID. The ECID is ''unique'' to each phone, and is being sigchecked. So Apple could block downgrades once newer firmware becomes available, unless you have a dump of your unique old firmware's IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new FWs. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html]. |
+ | |||
+ | The issue with this is that, even with 24kpwn still in bootrom, an [[iBoot]] exploit is still needed to actually flash the exploited [[LLB]]. If Apple uses this ECID stuff to block downgrades, then a new [[iBoot]] exploit will be needed whenever they fix the last, so that [[24kpwn]] can be applied. This is because Apple could choose to not let you upload an older / exploitable iBEC / iBoot / iBSS to the device. |
||
+ | |||
+ | There are methods to help keep your downgrading ability, though. |
||
+ | |||
+ | * If it was cached prior to 3.1's release, 3GS owners can save a file which contains the signature of the 3.0 iBSS containing their [[ECID]], using [http://purplera1n.com/|purplera1n.com]. |
||
+ | * Saurik's servers are actively caching the necessary files. [http://www.saurik.com/id/12#howto Instructions] to use the servers are included. |
||
+ | * The [[SHSH]] associated with an ECID can be also saved by running [http://thefirmwareumbrella.blogspot.com/ Umbrella]. An included application, TinyTSS, would allow the user to restore to whatever version is associated with that SHSH file permanently. This is based on the aforementioned service Saurik provides remotely from his server(s). The only difference is that Umbrella and TinyTSS are local applications. |
||
− | The issue with this is that, even with [[24kpwn]] still in bootrom, an [[iBoot]] exploit is still needed to actually flash the 24kpwned [[LLB]]. If Apple uses this ECID stuff to block downgrades, then a new [[iBoot]] exploit will be needed whenever they fix the last, so that [[24kpwn]] can be applied. This is because Apple could choose to not let you upload an older / exploitable iBEC / iBoot / iBSS to the device. 3GS owners can save a file which contains the signature of an iBSS for 3.0GM containing their [[ECID]], using http://purplera1n.com/ should Apple try to block this in the future. One can also save the shsh associated with an ECID by running the Umbrella application found at http://thefirmwareumbrella.blogspot.com. This application allows a user to input their device ECID and obtain a file that can be used with an included application, TinyTSS, which would allow the user to restore to whatever version is associated with that shsh file permanently. In other words, with that shsh file and TinyTSS the user can restore to a particular version of the firmware through iTunes even if Apple decides to stop signing the shsh for that version. This is based on the service Saurik provides remotely from his server(s). The only difference is that Umbrella and TinyTSS are local applications. |
||
==Jailbreak tools== |
==Jailbreak tools== |
||
− | There are two possible methods to jailbreak which use the same iBoot exploit discovered independently by [[User:Geohot|Geohot]] and the [[iPhone Dev Team]]. In order to jailbreak, you can use [[redsn0w]] by the iPhone Dev Team or [[purplera1n]] by Geohot. |
+ | There are two possible methods to jailbreak which use the same iBoot exploit discovered independently by [[User:Geohot|Geohot]] and the [[iPhone Dev Team]]. In order to jailbreak, you can use [[redsn0w]] by the iPhone Dev Team or [[purplera1n]] by Geohot. Both work on 3.0, but only redsn0w works on 3.0.1. Neither work for 3.1. |
Revision as of 03:32, 6 October 2009
Apple did not have the time to fix the the 0x24000 Segment Overflow in the S5L8920. However, in order to flash an exploited LLB and jailbreak the iPhone 3GS, one of the following needs to be done:
- Find a new iBoot exploit every time a new firmware is out.
- Find a way to bypass the ECID checks.
- Find another bootrom exploit that allows unsigned code executing via USB (Pwnage 2.0-like)
This also applies to the iPod touch 3G and later devices, except a bootrom exploit is needed.
ECID
Apple added a new tag to the IMG3 File Format called ECID. The ECID is unique to each phone, and is being sigchecked. So Apple could block downgrades once newer firmware becomes available, unless you have a dump of your unique old firmware's IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new FWs. [1].
The issue with this is that, even with 24kpwn still in bootrom, an iBoot exploit is still needed to actually flash the exploited LLB. If Apple uses this ECID stuff to block downgrades, then a new iBoot exploit will be needed whenever they fix the last, so that 24kpwn can be applied. This is because Apple could choose to not let you upload an older / exploitable iBEC / iBoot / iBSS to the device.
There are methods to help keep your downgrading ability, though.
- If it was cached prior to 3.1's release, 3GS owners can save a file which contains the signature of the 3.0 iBSS containing their ECID, using [2].
- Saurik's servers are actively caching the necessary files. Instructions to use the servers are included.
- The SHSH associated with an ECID can be also saved by running Umbrella. An included application, TinyTSS, would allow the user to restore to whatever version is associated with that SHSH file permanently. This is based on the aforementioned service Saurik provides remotely from his server(s). The only difference is that Umbrella and TinyTSS are local applications.
Jailbreak tools
There are two possible methods to jailbreak which use the same iBoot exploit discovered independently by Geohot and the iPhone Dev Team. In order to jailbreak, you can use redsn0w by the iPhone Dev Team or purplera1n by Geohot. Both work on 3.0, but only redsn0w works on 3.0.1. Neither work for 3.1.