|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8720"
m (→Userland) |
|||
| Line 19: | Line 19: | ||
=== [[Userland]] === |
=== [[Userland]] === |
||
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3 |
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3 |
||
| − | * [[ |
+ | * [[Malformed CFF Vulnerability]] - Works up to [[iOS]] 4.0 |
==Boot Chain== |
==Boot Chain== |
||
Revision as of 19:08, 12 October 2010
This is the Application Processor used on the iPod Touch 2G.
Contents
Exploits
iBoot
Note: iBoot on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares
- ARM7 Go - Works on iOS 2.1.1
- iBoot Environment Variable Overflow - Works up to iOS 3.1 beta 3
- usb_control_msg(0x21, 2) Exploit - Works up to iOS 3.1.2
Bootrom
- 0x24000 Segment Overflow - only in iBoot-240.4 (old bootrom)
- usb_control_msg(0xA1, 1) Exploit - in iBoot-240.4 and iBoot-240.5.1
Kernel
- BPF STX Kernel Write Exploit - Works up to iOS 3.1.3
- IOSurface Kernel Exploit - Works up to iOS 4.0
Userland
- MobileBackup Copy Exploit - Works up to iOS 3.1.3
- Malformed CFF Vulnerability - Works up to iOS 4.0
Boot Chain
VROM->LLB->iBoot->Kernel->System Software
It is definitely worthy to note that the Pwnage exploit is fixed because the images are now flashed to the NOR in their encrypted IMG3 containers, and the bootrom can properly check LLB's signature. That being said, unsigned images can still be run using the 0x24000 Segment Overflow, provided the bootrom is old enough.
