The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8720"
m (→Boot Chain) |
(→Exploits) |
||
Line 11: | Line 11: | ||
===[[VROM (S5L8720)|Bootrom]]=== |
===[[VROM (S5L8720)|Bootrom]]=== |
||
* [[0x24000 Segment Overflow]] |
* [[0x24000 Segment Overflow]] |
||
+ | |||
+ | ===[[Firmware|Userland]]=== |
||
+ | * [[MobileBackup Copy Exploit]] - Firmware 3.1.3 and below |
||
+ | * [[BPF STX Kernel Write Exploit]] - Firmware 3.1.3 and below |
||
==Boot Chain== |
==Boot Chain== |
Revision as of 23:52, 29 July 2010
This is the Application Processor used on the iPod Touch 2G.
Contents
Exploits
iBoot / Kernel Level
Note: iBoot on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares
- ARM7 Go - Firmware v2.1.1
- iBoot Environment Variable Overflow - 3.1 beta 3 and below
- usb_control_msg(0x21, 2) Exploit - 3.1.2 and below
Bootrom
Userland
- MobileBackup Copy Exploit - Firmware 3.1.3 and below
- BPF STX Kernel Write Exploit - Firmware 3.1.3 and below
Boot Chain
VROM->LLB->iBoot->Kernel->System Software
It is definitely worthy to note that the Pwnage exploit is fixed because the images are now flashed to the NOR in their encrypted IMG3 containers, and the bootrom can properly check LLB's signature. That being said, unsigned images can still be run using the 0x24000 Segment Overflow.