|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Bootrom 2651.0.0.3.3"
m (Notes that it is vulnerable to Checkm8.) |
|||
| Line 1: | Line 1: | ||
This is the [[bootrom]] version found in the [[Apple Watch Series 3]]. It is vulnerable to [[Checkm8_Exploit|Checkm8]]. |
This is the [[bootrom]] version found in the [[Apple Watch Series 3]]. It is vulnerable to [[Checkm8_Exploit|Checkm8]]. |
||
| + | |||
| − | {{stub}} |
||
| + | == Symbols == |
||
| + | |||
| + | <pre> |
||
| + | # |
||
| + | # Symbols found by _kritanta |
||
| + | # For: iBoot-2651.0.0.3.3 ROMRELEASE for t8004si |
||
| + | # Report any mistakes here: https://github.com/KritantaDev/timestop/blob/master/Symbols/ROM/t8004 |
||
| + | # |
||
| + | # This file is in python format for ease of loading |
||
| + | # |
||
| + | # You can probably use this to bindiff symbols to most other roms |
||
| + | # |
||
| + | |||
| + | symbols = { |
||
| + | 0x00000000: 'start', |
||
| + | 0x00000040: 'reset', |
||
| + | 0x0000005C: 'relocate_loop', |
||
| + | 0x00000078: 'relocate_data', |
||
| + | 0x000000A0: 'relocate_data_loop', |
||
| + | 0x000000B0: 'stack_setup', |
||
| + | 0x00000188: 'bss_loop', |
||
| + | 0x00000194: 'bss_done', |
||
| + | 0x000001A0: 'spin', |
||
| + | 0x00000200: 'aSecureromForT8004siCopyright20072014AppleInc', |
||
| + | 0x00000240: 'aRomrelease', |
||
| + | 0x00000280: 'aIboot26510033_0', |
||
| + | 0x00000300: 'Description', |
||
| + | 0x00000304: 'ReleaseCategory', |
||
| + | 0x00000308: 'iBootVersion', |
||
| + | 0x0000030C: 'main', |
||
| + | 0x00000310: 'Start', |
||
| + | 0x0000031C: 'sram_start', |
||
| + | 0x00000328: 'argv', |
||
| + | 0x00000334: 'heap_base', |
||
| + | 0x000006F4: 'nullsub_4', |
||
| + | 0x00000854: 'arch_halt', |
||
| + | 0x00000860: 'arch_spin', |
||
| + | 0x00000868: '_main', |
||
| + | 0x000014B0: 'timer_get_ticks', |
||
| + | 0x00001C88: 'jpt_1C84', |
||
| + | 0x00004514: 'aNrpdxekeyekeorpeceseorpdtsgdlodsmodscicedicegcnbbesccescnrpcorpc', |
||
| + | 0x000046B4: 'platform_cache_operation', |
||
| + | 0x000050E4: 'platform_init_setup_clocks', |
||
| + | 0x00005100: 'platform_init_hwpins', |
||
| + | 0x0000527C: 'platform_init_internal_mem', |
||
| + | 0x00005288: 'platform_quiesce_hardware', |
||
| + | 0x000052A0: 'platform_bootprep', |
||
| + | 0x00005308: 'chipid_clear_production_mode', |
||
| + | 0x00005390: 'platform_get_boot_device', |
||
| + | 0x000053AA: 'jpt_53A6', |
||
| + | 0x000053E4: 'def_53A6', |
||
| + | 0x000053EC: 'platform_enable_boot_interface', |
||
| + | 0x000054CC: 'platform_set_dfu_status', |
||
| + | 0x000054D8: 'platform_get_force_dfu', |
||
| + | 0x000054EC: 'platform_get_request_dfu1', |
||
| + | 0x00005504: 'platform_get_request_dfu2', |
||
| + | 0x00005864: 'platform_get_boot_trampoline', |
||
| + | 0x000059AC: 'chipid_set_fuse_lock', |
||
| + | 0x00005F3C: 'jpt_5F38', |
||
| + | 0x00005F46: 'def_5F38', |
||
| + | 0x00005FD8: 'halt', |
||
| + | 0x00005FE4: 'nullsub_1', |
||
| + | 0x00005FEC: 'platform_watchdog_tickle', |
||
| + | 0x0000601C: 'prepare_and_jump', |
||
| + | 0x00006264: 'nullsub_3', |
||
| + | 0x00006268: 'panic', |
||
| + | 0x00006350: 'doublePanicIn', |
||
| + | 0x000063FC: 'platform_get_usb_cable_connected', |
||
| + | 0x0000648C: 'enter_critical_section', |
||
| + | 0x000064C8: 'exit_critical_section', |
||
| + | 0x0000681C: 'task_get_current_task', |
||
| + | 0x00006890: 'list_delete', |
||
| + | 0x000068C8: 'task_yield', |
||
| + | 0x0000698C: 'insert_run_q_tail', |
||
| + | 0x000069B0: 'task_start', |
||
| + | 0x000069D4: 'task_exit', |
||
| + | 0x00006A10: 'wait_queue_wake_all', |
||
| + | 0x00006B24: 'wait_queue_wake_one', |
||
| + | 0x00006D74: 'security_init', |
||
| + | 0x00007320: 'jpt_731C', |
||
| + | 0x0000738C: 'def_731C', |
||
| + | 0x0000745C: 'arch_cpu_init', |
||
| + | 0x000074B8: 'arch_cpu_quiesce', |
||
| + | 0x00007540: 'arm_irq', |
||
| + | 0x000075E8: 'arm_fiq', |
||
| + | 0x00007690: 'arm_undefined', |
||
| + | 0x000076C8: 'arm_syscall', |
||
| + | 0x00007700: 'arm_prefetch_abort', |
||
| + | 0x0000773C: 'arm_data_abort', |
||
| + | 0x00007774: 'arm_reserved', |
||
| + | 0x00007E34: 'usb_create_string_descriptor', |
||
| + | 0x000081D6: 'jpt_81D2', |
||
| + | 0x000082D6: 'jpt_82D2', |
||
| + | 0x0000844C: 'def_81D2', |
||
| + | 0x000086B8: 'getDFUImage', |
||
| + | 0x00008A00: 'image_load', |
||
| + | 0x00009454: 'def_945E', |
||
| + | 0x00009462: 'jpt_945E', |
||
| + | 0x00009C5C: 'heap_verify', |
||
| + | 0x0000A016: 'jpt_A012', |
||
| + | 0x0000A044: 'def_A012', |
||
| + | 0x0000A098: 'jpt_A094', |
||
| + | 0x0000A784: 'sprint_hex', |
||
| + | 0x0000A7BC: 'kAsciiHexChars', |
||
| + | 0x0000A7C4: 'vsnprintf', |
||
| + | 0x0000A7FC: 'puts', |
||
| + | 0x0000A840: 'strlcat', |
||
| + | 0x0000A85C: '___stack_chk_fail', |
||
| + | 0x0000A884: 'memcpy', |
||
| + | 0x0000ABB0: 'memset', |
||
| + | 0x0000ABC8: 'bzero', |
||
| + | 0x0000B08C: '_DERParseBoolean', |
||
| + | 0x0000B0B0: '_DERParseInteger', |
||
| + | 0x0000B0F4: '_DERParseInteger64', |
||
| + | 0x0000B160: '_DERDecodeSeqInit', |
||
| + | 0x0000B1B8: '_DERDecodeSeqContentInit', |
||
| + | 0x0000B1C8: '_DERDecodeSeqNext', |
||
| + | 0x0000B270: '_DERParseSequenceContent', |
||
| + | 0x0000B398: '_Img4DecodeParseLengthFromBuffer', |
||
| + | 0x0000B574: 'j_j_arch_halt', |
||
| + | 0x0000B578: 'j_j_j_arch_halt', |
||
| + | 0x0000B5A4: '_DERImg4DecodeFindInSequence', |
||
| + | 0x0000B5E8: '_DERImg4DecodeContentFindItemWithTag', |
||
| + | 0x0000B614: '_DERImg4DecodeTagCompare', |
||
| + | 0x0000B650: '_DERImg4Decode', |
||
| + | 0x0000B77C: '_DERImg4DecodeUnsignedManifest', |
||
| + | 0x0000B900: '_Img4DecodeInitUnsignedManifest', |
||
| + | 0x0000BB90: '_Img4DecodeGetBooleanFromSection', |
||
| + | 0x0000BBE0: '_Img4DecodeGetPropertyFromSection', |
||
| + | 0x0000BCA0: '_Img4DecodeGetPropertyBoolean', |
||
| + | 0x0000BD20: '_Img4DecodeEvaluateCertificateProperties', |
||
| + | 0x0000BEDC: '_Img4DecodeEvaluateDictionaryProperties', |
||
| + | 0x000105C0: 'j_arch_halt', |
||
| + | 0x00010600: 'aNor0', |
||
| + | 0x00010605: 'nil', |
||
| + | 0x00010606: 'aUsb', |
||
| + | 0x0001060A: 'aImg4', |
||
| + | 0x0001060F: 'aIm4p', |
||
| + | 0x00010614: 'aAppleMobileDeviceDfuMode', |
||
| + | 0x00010633: 'aCpid04xCprv02xCpfm02xScep02xBdid02xEcid016llxI', |
||
| + | 0x0001067C: 'aSrtgS', |
||
| + | 0x00010687: 'aNonc', |
||
| + | 0x0001068E: 'a02x', |
||
| + | 0x00010693: 'aSnon', |
||
| + | 0x0001069A: 'aDoublePanicIn', |
||
| + | 0x000106AB: 'doubleNewline', |
||
| + | 0x000106AE: 'newlinePanic', |
||
| + | 0x000106B7: 'colon', |
||
| + | 0x000106BA: 'aIdleTask', |
||
| + | 0x000106C4: 'aNull', |
||
| + | 0x000106CB: 'aPtr', |
||
| + | 0x000106D1: 'a0x', |
||
| + | 0x000106D8: 'aAppleInc', |
||
| + | 0x00012064: 'a0123456789abcdef', |
||
| + | 0x00012074: 'a0123456789abcdef_0' } |
||
| + | </pre> |
||
| + | |||
[[Category:Bootrom]] |
[[Category:Bootrom]] |
||
Revision as of 16:44, 7 August 2020
This is the bootrom version found in the Apple Watch Series 3. It is vulnerable to Checkm8.
Symbols
#
# Symbols found by _kritanta
# For: iBoot-2651.0.0.3.3 ROMRELEASE for t8004si
# Report any mistakes here: https://github.com/KritantaDev/timestop/blob/master/Symbols/ROM/t8004
#
# This file is in python format for ease of loading
#
# You can probably use this to bindiff symbols to most other roms
#
symbols = {
0x00000000: 'start',
0x00000040: 'reset',
0x0000005C: 'relocate_loop',
0x00000078: 'relocate_data',
0x000000A0: 'relocate_data_loop',
0x000000B0: 'stack_setup',
0x00000188: 'bss_loop',
0x00000194: 'bss_done',
0x000001A0: 'spin',
0x00000200: 'aSecureromForT8004siCopyright20072014AppleInc',
0x00000240: 'aRomrelease',
0x00000280: 'aIboot26510033_0',
0x00000300: 'Description',
0x00000304: 'ReleaseCategory',
0x00000308: 'iBootVersion',
0x0000030C: 'main',
0x00000310: 'Start',
0x0000031C: 'sram_start',
0x00000328: 'argv',
0x00000334: 'heap_base',
0x000006F4: 'nullsub_4',
0x00000854: 'arch_halt',
0x00000860: 'arch_spin',
0x00000868: '_main',
0x000014B0: 'timer_get_ticks',
0x00001C88: 'jpt_1C84',
0x00004514: 'aNrpdxekeyekeorpeceseorpdtsgdlodsmodscicedicegcnbbesccescnrpcorpc',
0x000046B4: 'platform_cache_operation',
0x000050E4: 'platform_init_setup_clocks',
0x00005100: 'platform_init_hwpins',
0x0000527C: 'platform_init_internal_mem',
0x00005288: 'platform_quiesce_hardware',
0x000052A0: 'platform_bootprep',
0x00005308: 'chipid_clear_production_mode',
0x00005390: 'platform_get_boot_device',
0x000053AA: 'jpt_53A6',
0x000053E4: 'def_53A6',
0x000053EC: 'platform_enable_boot_interface',
0x000054CC: 'platform_set_dfu_status',
0x000054D8: 'platform_get_force_dfu',
0x000054EC: 'platform_get_request_dfu1',
0x00005504: 'platform_get_request_dfu2',
0x00005864: 'platform_get_boot_trampoline',
0x000059AC: 'chipid_set_fuse_lock',
0x00005F3C: 'jpt_5F38',
0x00005F46: 'def_5F38',
0x00005FD8: 'halt',
0x00005FE4: 'nullsub_1',
0x00005FEC: 'platform_watchdog_tickle',
0x0000601C: 'prepare_and_jump',
0x00006264: 'nullsub_3',
0x00006268: 'panic',
0x00006350: 'doublePanicIn',
0x000063FC: 'platform_get_usb_cable_connected',
0x0000648C: 'enter_critical_section',
0x000064C8: 'exit_critical_section',
0x0000681C: 'task_get_current_task',
0x00006890: 'list_delete',
0x000068C8: 'task_yield',
0x0000698C: 'insert_run_q_tail',
0x000069B0: 'task_start',
0x000069D4: 'task_exit',
0x00006A10: 'wait_queue_wake_all',
0x00006B24: 'wait_queue_wake_one',
0x00006D74: 'security_init',
0x00007320: 'jpt_731C',
0x0000738C: 'def_731C',
0x0000745C: 'arch_cpu_init',
0x000074B8: 'arch_cpu_quiesce',
0x00007540: 'arm_irq',
0x000075E8: 'arm_fiq',
0x00007690: 'arm_undefined',
0x000076C8: 'arm_syscall',
0x00007700: 'arm_prefetch_abort',
0x0000773C: 'arm_data_abort',
0x00007774: 'arm_reserved',
0x00007E34: 'usb_create_string_descriptor',
0x000081D6: 'jpt_81D2',
0x000082D6: 'jpt_82D2',
0x0000844C: 'def_81D2',
0x000086B8: 'getDFUImage',
0x00008A00: 'image_load',
0x00009454: 'def_945E',
0x00009462: 'jpt_945E',
0x00009C5C: 'heap_verify',
0x0000A016: 'jpt_A012',
0x0000A044: 'def_A012',
0x0000A098: 'jpt_A094',
0x0000A784: 'sprint_hex',
0x0000A7BC: 'kAsciiHexChars',
0x0000A7C4: 'vsnprintf',
0x0000A7FC: 'puts',
0x0000A840: 'strlcat',
0x0000A85C: '___stack_chk_fail',
0x0000A884: 'memcpy',
0x0000ABB0: 'memset',
0x0000ABC8: 'bzero',
0x0000B08C: '_DERParseBoolean',
0x0000B0B0: '_DERParseInteger',
0x0000B0F4: '_DERParseInteger64',
0x0000B160: '_DERDecodeSeqInit',
0x0000B1B8: '_DERDecodeSeqContentInit',
0x0000B1C8: '_DERDecodeSeqNext',
0x0000B270: '_DERParseSequenceContent',
0x0000B398: '_Img4DecodeParseLengthFromBuffer',
0x0000B574: 'j_j_arch_halt',
0x0000B578: 'j_j_j_arch_halt',
0x0000B5A4: '_DERImg4DecodeFindInSequence',
0x0000B5E8: '_DERImg4DecodeContentFindItemWithTag',
0x0000B614: '_DERImg4DecodeTagCompare',
0x0000B650: '_DERImg4Decode',
0x0000B77C: '_DERImg4DecodeUnsignedManifest',
0x0000B900: '_Img4DecodeInitUnsignedManifest',
0x0000BB90: '_Img4DecodeGetBooleanFromSection',
0x0000BBE0: '_Img4DecodeGetPropertyFromSection',
0x0000BCA0: '_Img4DecodeGetPropertyBoolean',
0x0000BD20: '_Img4DecodeEvaluateCertificateProperties',
0x0000BEDC: '_Img4DecodeEvaluateDictionaryProperties',
0x000105C0: 'j_arch_halt',
0x00010600: 'aNor0',
0x00010605: 'nil',
0x00010606: 'aUsb',
0x0001060A: 'aImg4',
0x0001060F: 'aIm4p',
0x00010614: 'aAppleMobileDeviceDfuMode',
0x00010633: 'aCpid04xCprv02xCpfm02xScep02xBdid02xEcid016llxI',
0x0001067C: 'aSrtgS',
0x00010687: 'aNonc',
0x0001068E: 'a02x',
0x00010693: 'aSnon',
0x0001069A: 'aDoublePanicIn',
0x000106AB: 'doubleNewline',
0x000106AE: 'newlinePanic',
0x000106B7: 'colon',
0x000106BA: 'aIdleTask',
0x000106C4: 'aNull',
0x000106CB: 'aPtr',
0x000106D1: 'a0x',
0x000106D8: 'aAppleInc',
0x00012064: 'a0123456789abcdef',
0x00012074: 'a0123456789abcdef_0' }
