The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Jailbreak (S5L8920+)"
(→Jailbreak tools: ...And here's the rest of them. :)) |
(Now keeping SHSHs is unnecessary to downgrade) |
||
Line 2: | Line 2: | ||
* Find a new [[iBoot]] exploit every time a new firmware is out. |
* Find a new [[iBoot]] exploit every time a new firmware is out. |
||
* Find a way to bypass the [[ECID]] checks. |
* Find a way to bypass the [[ECID]] checks. |
||
− | * Use a bootrom exploit that allows unsigned code execution via USB. |
+ | * Use a bootrom exploit that allows unsigned code execution via USB (2 of them were finally found by Geohot and Chronic Dev Team). |
This also applies to the iPhone 3GS with [[iBoot-359.3.2|the new bootrom]], [[N18ap|iPod touch 3G]] and later devices, except a bootrom exploit for the normal boot-chain or a library based jailbreak payload (similar to [[Star]]) is needed as well. |
This also applies to the iPhone 3GS with [[iBoot-359.3.2|the new bootrom]], [[N18ap|iPod touch 3G]] and later devices, except a bootrom exploit for the normal boot-chain or a library based jailbreak payload (similar to [[Star]]) is needed as well. |
||
Line 9: | Line 9: | ||
Apple added a new tag to the [[IMG3 File Format]] called ECID. The ECID is ''unique'' to each phone, and its signature is being checked. With this method, Apple attempts to block downgrades once newer firmware becomes available, unless you have a dump of your old firmware's unique IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new firmwares. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html]. |
Apple added a new tag to the [[IMG3 File Format]] called ECID. The ECID is ''unique'' to each phone, and its signature is being checked. With this method, Apple attempts to block downgrades once newer firmware becomes available, unless you have a dump of your old firmware's unique IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new firmwares. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html]. |
||
+ | The issue was resolved when Geohot released his [[limera1n]] tool exploiting bootrom security hole which allowed him to upload unsigend iBoot. Still the problem remains with newer devices with [[0x24000 Segment Overflow|0x24000]] fixed - tampering with firmware makes such jailbreak tethered unless some other exploit is used. |
||
− | The issue with this is that, even with the [[0x24000 Segment Overflow]] still in bootrom, an [[iBoot]] exploit is still needed to actually flash the exploited [[LLB]]. Apple uses this ECID stuff to block downgrades, and a new [[iBoot]] exploit is needed whenever they fix the last, so that the 0x24000 Segment Overflow can be applied. This is because Apple chooses to not let you upload an older, exploitable [[iBEC]]/[[iBoot]]/[[iBSS]] to the device (unless it is signed with your ECID). |
||
There are methods to help keep your downgrading ability, though. |
There are methods to help keep your downgrading ability, though. |
||
Line 16: | Line 16: | ||
* Saurik's servers are actively caching the necessary files. [http://www.saurik.com/id/12#howto Instructions] to use the servers are included. |
* Saurik's servers are actively caching the necessary files. [http://www.saurik.com/id/12#howto Instructions] to use the servers are included. |
||
* The [[SHSH]] associated with an ECID can be also saved by running [[TinyUmbrella]]. [[TinyUmbrella]] allows the user to restore to whatever version is associated with that [[SHSH]] file permanently. This is based on the aforementioned service [[Saurik]] provides remotely from his server(s). |
* The [[SHSH]] associated with an ECID can be also saved by running [[TinyUmbrella]]. [[TinyUmbrella]] allows the user to restore to whatever version is associated with that [[SHSH]] file permanently. This is based on the aforementioned service [[Saurik]] provides remotely from his server(s). |
||
+ | |||
+ | Release of [[PwnageTool]] 4.1.2 makes storing [[SHSH]]s unnecessary for the time being - there is always a way now for all current iDevices to rollback to jailbroken 4.1 firmware. |
||
==Jailbreak tools== |
==Jailbreak tools== |
Revision as of 11:20, 2 November 2010
When the iPhone 3GS was initially released, Apple did not have enough time to fix the 0x24000 Segment Overflow in the S5L8920. However, in order to flash an exploited LLB and jailbreak the iPhone 3GS, one of the following needs to be done:
- Find a new iBoot exploit every time a new firmware is out.
- Find a way to bypass the ECID checks.
- Use a bootrom exploit that allows unsigned code execution via USB (2 of them were finally found by Geohot and Chronic Dev Team).
This also applies to the iPhone 3GS with the new bootrom, iPod touch 3G and later devices, except a bootrom exploit for the normal boot-chain or a library based jailbreak payload (similar to Star) is needed as well.
Contents
ECID
Apple added a new tag to the IMG3 File Format called ECID. The ECID is unique to each phone, and its signature is being checked. With this method, Apple attempts to block downgrades once newer firmware becomes available, unless you have a dump of your old firmware's unique IMG3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered jailbreaks, because such exploits will be closed in new firmwares. [1].
The issue was resolved when Geohot released his limera1n tool exploiting bootrom security hole which allowed him to upload unsigend iBoot. Still the problem remains with newer devices with 0x24000 fixed - tampering with firmware makes such jailbreak tethered unless some other exploit is used.
There are methods to help keep your downgrading ability, though.
- If it was cached prior to 3.1's release, 3GS owners were able save a file which contains the signature of the 3.0 iBSS containing their ECID, using the purplera1n website. A tool has not been created to incorporate this file into a fully signed iBSS, however.
- Saurik's servers are actively caching the necessary files. Instructions to use the servers are included.
- The SHSH associated with an ECID can be also saved by running TinyUmbrella. TinyUmbrella allows the user to restore to whatever version is associated with that SHSH file permanently. This is based on the aforementioned service Saurik provides remotely from his server(s).
Release of PwnageTool 4.1.2 makes storing SHSHs unnecessary for the time being - there is always a way now for all current iDevices to rollback to jailbroken 4.1 firmware.
Jailbreak tools
iPad
Jailbreak Tool | Works with firmware... | ||
---|---|---|---|
3.2 | 3.2.1 | 3.2.2 | |
Spirit | Yes | No | No |
Star | Yes | Yes | No |
limera1n | No | No | Yes |
greenpois0n | No | No | Yes |
redsn0w | No | No | 0.9.6b2 |
PwnageTool | No | No | 4.1 |
iPhone 3GS
Jailbreak Tool | Works with firmware... | ||||||||
---|---|---|---|---|---|---|---|---|---|
3.0 | 3.0.1 | 3.1 | 3.1.2 | 3.1.3 | 4.0 | 4.0.1 | 4.0.2 | 4.1 | |
purplera1n | Yes | No | No | No | No | No | No | No | No |
redsn0w | 0.8 | 0.8 | 0.9.21 or 0.9.31 | 0.9.21 or 0.9.31 | No | No | No | No | 0.9.6b2 |
blackra1n | No | No | Yes1 | Yes1 | No | No | No | No | No |
Spirit | No | No | No | Yes | Yes | No | No | No | No |
Star | No | No | No | Yes | Yes | Yes | Yes | No | No |
PwnageTool | No | No | Restore from a custom firmware2 | 3.1.4 | Restore from a custom firmware2 | Restore from a custom firmware with unofficial bundle2 | 4.1 | ||
sn0wbreeze | No | No | No | 1.42 or 2.0.21 2 | 1.5.12 or 2.0.21 2 | 1.71 2 or 2.0.21 2 | 2.0.21 2 | ||
limera1n | No | No | No | No | No | Yes | Yes | Yes | Yes |
greenpois0n | No | No | No | No | No | No | No | No | Yes |
1 Tethered jailbreak on devices with the new bootrom. Requires usage of the usb_control_msg(0x21, 2) Exploit.
2 Only applicable for devices with the old bootrom. Requires the device to have signature checks disabled (pwned).
iPhone 4
Jailbreak Tool | Works with firmware... | |||
---|---|---|---|---|
4.0 | 4.0.1 | 4.0.2 | 4.1 | |
Star | Yes | Yes | No | No |
limera1n | Yes | Yes | Yes | Yes |
greenpois0n | No | No | No | Yes |
redsn0w | No | No | No | 0.9.6b2 |
PwnageTool | No | No | No | 4.1 |
iPod touch 3G
Jailbreak Tool | Works with firmware... | |||||
---|---|---|---|---|---|---|
3.1.1 | 3.1.2 | 3.1.3 | 4.0 | 4.0.2 | 4.1 | |
blackra1n | Yes1 | Yes1 | No | No | No | No |
redsn0w | 0.9.21 or 0.9.31 | 0.9.21 or 0.9.31 | No | No | No | 0.9.6b2 |
Spirit | No | Yes | Yes | No | No | No |
Star | No | Yes | Yes | Yes | No | No |
sn0wbreeze | No | 2.0.21 | 2.0.21 | 1.71 or 2.0.21 | 2.0.21 | |
limera1n | No | No | No | Yes | Yes | Yes |
greenpois0n | No | No | No | No | No | Yes |
PwnageTool | No | No | No | No | No | 4.1 |
1 Tethered jailbreak. Requires usage of the usb_control_msg(0x21, 2) Exploit.
iPod touch 4G
Jailbreak Tool | Works with firmware... | ||
---|---|---|---|
4.1 | |||
limera1n | Yes | ||
greenpois0n | Yes | ||
PwnageTool | 4.1 |