The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "IBoot (Bootloader)"
(→Revisions: Updated for 3.2.1, 3.2.2, and 4.0.2.) |
(→Revisions: Added "Build" in front of build numbers, and two iBoots from 4.1.) |
||
Line 8: | Line 8: | ||
* [[iBoot-99]] (1A420 a.k.a. Prototype) |
* [[iBoot-99]] (1A420 a.k.a. Prototype) |
||
* [[iBoot-159]] (1.0.x) |
* [[iBoot-159]] (1.0.x) |
||
− | * [[iBoot-204]] (1.1 and 1.1.1 3A109a) |
+ | * [[iBoot-204]] (1.1 and 1.1.1 Build 3A109a) |
− | * [[iBoot-204.0.2]] (1.1.1 3A110a) |
+ | * [[iBoot-204.0.2]] (1.1.1 Build 3A110a) |
* [[iBoot-204.2.9]] (1.1.2) |
* [[iBoot-204.2.9]] (1.1.2) |
||
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4) |
* [[iBoot-204.3.14]] (1.1.3 and 1.1.4) |
||
Line 17: | Line 17: | ||
* [[iBoot-385.49]] (2.2 and 2.2.1) |
* [[iBoot-385.49]] (2.2 and 2.2.1) |
||
* [[iBoot-596.24]] (3.0 and 3.0.1) |
* [[iBoot-596.24]] (3.0 and 3.0.1) |
||
− | * [[iBoot-636.65]] (3.1 and 3.1.1) |
+ | * [[iBoot-636.65]] (3.1 and 3.1.1 Build 7C145) |
− | * [[iBoot-636.66]] (3.1.1 7C146 and 3.1.2) |
+ | * [[iBoot-636.66]] (3.1.1 Build 7C146 and 3.1.2) |
* [[iBoot-636.66.33]] (3.1.3) |
* [[iBoot-636.66.33]] (3.1.3) |
||
* [[iBoot-817.28]] (3.2) |
* [[iBoot-817.28]] (3.2) |
||
Line 27: | Line 27: | ||
* [[iBoot-889.19]] (4.0 Beta 4) |
* [[iBoot-889.19]] (4.0 Beta 4) |
||
* [[iBoot-889.24]] (4.0.x) |
* [[iBoot-889.24]] (4.0.x) |
||
+ | * [[iBoot-931.18.1]] (4.1 Beta 1) |
||
+ | * [[iBoot-931.18.27]] (4.1) |
||
==Commands used as an exploit vector== |
==Commands used as an exploit vector== |
Revision as of 00:06, 3 September 2010
iBoot is Apple's stage 2 bootloader for all iDevices. It implements what is known as Recovery Mode, and it exposes an interactive command interface that can be reached over USB or serial.
Bootrom
The bootrom also goes by the name "iBoot." The list of bootroms can be found on their own page.
Revisions
- iBoot-99 (1A420 a.k.a. Prototype)
- iBoot-159 (1.0.x)
- iBoot-204 (1.1 and 1.1.1 Build 3A109a)
- iBoot-204.0.2 (1.1.1 Build 3A110a)
- iBoot-204.2.9 (1.1.2)
- iBoot-204.3.14 (1.1.3 and 1.1.4)
- iBoot-204.3.16 (1.1.5)
- iBoot-320.20 (2.0.x)
- iBoot-385.22 (2.1 and 2.1.1)
- iBoot-385.49 (2.2 and 2.2.1)
- iBoot-596.24 (3.0 and 3.0.1)
- iBoot-636.65 (3.1 and 3.1.1 Build 7C145)
- iBoot-636.66 (3.1.1 Build 7C146 and 3.1.2)
- iBoot-636.66.33 (3.1.3)
- iBoot-817.28 (3.2)
- iBoot-817.29 (3.2.1 and 3.2.2)
- iBoot-872 (4.0 Beta 1)
- iBoot-889.3 (4.0 Beta 2)
- iBoot-889.12 (4.0 Beta 3)
- iBoot-889.19 (4.0 Beta 4)
- iBoot-889.24 (4.0.x)
- iBoot-931.18.1 (4.1 Beta 1)
- iBoot-931.18.27 (4.1)
Commands used as an exploit vector
- diags: Until 2.0 beta 6, the diags command would jump to code at the address provided to it. For example, sending "diags 0x9000000" would branch directly to whatever code was written at 0x9000000. There is now a check that only allows engineering devices to use this backdoor.
- arm7_go: For firmware 2.1.1, the iPod touch 2G iBoot contains the ARM7 Go command, which could be used to run a payload on the ARM7 in the device.
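The diags entry above describes a console command that branches to a caller-supplied address, later gated so that only engineering devices can reach it. The C program below is an added illustration of that gating pattern, written for this page; it is not iBoot source and does not reproduce Apple's code. The command table, the `engineering_device` flag (standing in for whatever board or fuse state a real bootloader would consult) and the result codes are assumptions made for the example. The jump itself is modelled by recording the parsed target instead of branching to it, so the program runs on any host.

```c
/* Added example (hypothetical, not iBoot code): a bootloader console
 * dispatcher in which a diags-style "jump to address" command is only
 * reachable on engineering devices. The check lives in the dispatcher,
 * not in the handler, so no gated command can be reached without it. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes are an assumption for this example. */
#define DIAGS_DENIED  0   /* gated command on a production device */
#define DIAGS_BAD_ARG 1   /* argument did not parse as a 32-bit address */
#define DIAGS_JUMPED  2   /* target accepted (recorded, not branched to) */
#define CMD_UNKNOWN   3   /* no such command, or line too long */

typedef struct {
    bool     engineering_device; /* assumed: derived from board/fuse state */
    uint32_t last_jump_target;   /* recorded in place of an actual branch */
} console_state;

typedef int (*cmd_handler)(console_state *st, const char *arg);

typedef struct {
    const char *name;
    cmd_handler handler;
    bool        engineering_only; /* the gate the page describes */
} command;

/* Strict parse of "0x9000000"-style input: the whole string must be consumed. */
static bool parse_addr(const char *s, uint32_t *out) {
    if (s == NULL || *s == '\0') return false;
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(s, &end, 0);
    if (errno != 0 || end == s || *end != '\0' || v > 0xFFFFFFFFul) return false;
    *out = (uint32_t)v;
    return true;
}

static int cmd_diags(console_state *st, const char *arg) {
    uint32_t addr;
    if (!parse_addr(arg, &addr)) return DIAGS_BAD_ARG;
    st->last_jump_target = addr; /* a real bootloader would branch here */
    return DIAGS_JUMPED;
}

static const command commands[] = {
    { "diags", cmd_diags, true },
};

/* Split "name arg" and dispatch, enforcing engineering_only before the
 * handler is called. */
int console_dispatch(console_state *st, const char *line) {
    char buf[64];
    if (strlen(line) >= sizeof buf) return CMD_UNKNOWN;
    strcpy(buf, line);
    char *name = buf;
    char *arg = strchr(buf, ' ');
    if (arg) {
        *arg++ = '\0';
        while (*arg == ' ') arg++;
    }
    for (size_t i = 0; i < sizeof commands / sizeof commands[0]; i++) {
        if (strcmp(name, commands[i].name) != 0) continue;
        if (commands[i].engineering_only && !st->engineering_device)
            return DIAGS_DENIED;
        return commands[i].handler(st, arg ? arg : "");
    }
    return CMD_UNKNOWN;
}

/* Scenario helpers: constructed inputs, results returned for checking. */
int scenario_production_device(void) {
    console_state st = { false, 0 };
    int r = console_dispatch(&st, "diags 0x9000000");
    return (r == DIAGS_DENIED && st.last_jump_target == 0) ? 1 : 0;
}

int scenario_engineering_device(void) {
    console_state st = { true, 0 };
    int r = console_dispatch(&st, "diags 0x9000000");
    return (r == DIAGS_JUMPED && st.last_jump_target == 0x9000000u) ? 1 : 0;
}

int scenario_bad_argument(void) {
    console_state st = { true, 0 };
    return console_dispatch(&st, "diags 0x9000000zz") == DIAGS_BAD_ARG ? 1 : 0;
}

int main(void) {
    printf("production denied: %d\n", scenario_production_device());
    printf("engineering jumped: %d\n", scenario_engineering_device());
    printf("bad argument rejected: %d\n", scenario_bad_argument());
    return 0;
}
```

The point of putting the check in `console_dispatch` rather than inside `cmd_diags` is that every gated command is covered by a single decision, which is easier to audit than a per-handler check that a new command might forget.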
OpeniBoot
An open source reimplementation of iBoot is being written so that Linux can run on the iPhone. You can check out the source here. It is VERY useful when reversing iBoot if you do not want to work out what particular hardware registers are yourself.
Remappings
- n88: 0x4FF00000 => 0x0; 0x40000000 => 0xC0000000