Difference between revisions of "IBoot (Bootloader)"
m (→Revisions) |
(...) |
||
Line 6: | Line 6: | ||
== Revisions == |
== Revisions == |
||
− | + | [[iBoot-99]] 1.0b (1A420) |
|
− | + | [[iBoot-159]] 1.0 (Build 1A543a) |
|
− | + | 1.0.1 (Build 1C25) |
|
− | + | 1.0.2 (Build 1C28) |
|
− | + | [[iBoot-204]] 1.1 (Build 3A100) |
|
+ | 1.1 (Build 3A101) |
||
− | * [[iBoot-204.3.14]] (1.1.3 and 1.1.4) |
||
+ | 1.1.1 (Build 3A109a) |
||
− | * [[iBoot-204.3.16]] (1.1.5) |
||
+ | 1.1.4 (Build 4A102) |
||
− | * [[iBoot-596.24]] (3.0 and 3.0.1) |
||
+ | 2.0.1 (Build 5B108) |
||
− | * [[iBoot-636.66.33]] (3.1.3) |
||
+ | 2.0.2 (Build 5C1) |
||
− | * [[iBoot-817.28]] (3.2) |
||
− | + | [[iBoot-204.0.2]] 1.1.1 (Build 3A110a) |
|
− | + | [[iBoot-204.2.9]] 1.1.2 (Build 3B48b) |
|
− | + | [[iBoot-204.3.14]] 1.1.3 (Build 4A93) |
|
− | + | [[iBoot-204.3.16]] 1.1.5 (Build 4B1) |
|
− | + | [[iBoot-320.20]] 2.0 (Build 5A347) |
|
− | + | [[iBoot-385.22]] 2.1 (Build 5F137) |
|
+ | 2.1.1 (Build 5F138) |
||
+ | [[iBoot-385.49]] 2.2 (Build 5G77) |
||
+ | 2.2 (Build 5G77a) |
||
+ | 2.2.1 (Build 5H11) |
||
+ | 2.2.1 (Build 5H11) |
||
+ | [[iBoot-596.24]] 3.0 (Build 7A341) |
||
+ | 3.0.1 (Build 7A400) |
||
+ | [[iBoot-636.65]] 3.1 (Build 7C144) |
||
+ | [[iBoot-636.66]] 3.1.1 (Build 7C145) |
||
+ | 3.1.1 (Build 7C146) |
||
+ | 3.1.2 (Build 7D11) |
||
+ | [[iBoot-626.66.33]]3.1.3 (Build 7E18) |
||
+ | [[iBoot-817.28]] 3.2 (Build 7B367) |
||
+ | [[iBoot-817.29]] 3.2.1 (Build 7B405) |
||
+ | 3.2.2 (Build 7B500) |
||
* [[iBoot-872]] (4.0 Beta 1) |
* [[iBoot-872]] (4.0 Beta 1) |
||
* [[iBoot-889.3]] (4.0 Beta 2) |
* [[iBoot-889.3]] (4.0 Beta 2) |
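Review bot: The added row `[[iBoot-626.66.33]]3.1.3 (Build 7E18)` links to 626.66.33, while the line it replaces linked `[[iBoot-636.66.33]]` for 3.1.3 and the neighbouring added rows are iBoot-636.66 and iBoot-817.28, so this looks like a typo for 636 and would point at a different page; the row is also missing the space between the link and the version. Separately, `2.2.1 (Build 5H11)` is added twice in a row: if the two rows stand for different devices, label them, otherwise drop one.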
Revision as of 03:59, 15 November 2011
This is Apple's stage 2 bootloader for all of the iDevices. It runs what is known as Recovery Mode. It has an interactive interface which can be used over USB or serial.
Bootrom
The bootrom also goes by the name "iBoot." The list of bootroms can be found on their own page.
Revisions
- iBoot-99 1.0b (1A420)
- iBoot-159 1.0 (Build 1A543a)
- 1.0.1 (Build 1C25)
- 1.0.2 (Build 1C28)
- iBoot-204 1.1 (Build 3A100)
- 1.1 (Build 3A101)
- 1.1.1 (Build 3A109a)
- iBoot-204.0.2 1.1.1 (Build 3A110a)
- iBoot-204.2.9 1.1.2 (Build 3B48b)
- iBoot-204.3.14 1.1.3 (Build 4A93)
- 1.1.4 (Build 4A102)
- iBoot-204.3.16 1.1.5 (Build 4B1)
- iBoot-320.20 2.0 (Build 5A347)
- 2.0.1 (Build 5B108)
- 2.0.2 (Build 5C1)
- iBoot-385.22 2.1 (Build 5F137)
- 2.1.1 (Build 5F138)
- iBoot-385.49 2.2 (Build 5G77)
- 2.2 (Build 5G77a)
- 2.2.1 (Build 5H11)
- 2.2.1 (Build 5H11)
- iBoot-596.24 3.0 (Build 7A341)
- 3.0.1 (Build 7A400)
- iBoot-636.65 3.1 (Build 7C144)
- iBoot-636.66 3.1.1 (Build 7C145)
- 3.1.1 (Build 7C146)
- 3.1.2 (Build 7D11)
- iBoot-626.66.33 3.1.3 (Build 7E18)
- iBoot-817.28 3.2 (Build 7B367)
- iBoot-817.29 3.2.1 (Build 7B405)
- 3.2.2 (Build 7B500)
- iBoot-872 (4.0 Beta 1)
- iBoot-889.3 (4.0 Beta 2)
- iBoot-889.12 (4.0 Beta 3)
- iBoot-889.19 (4.0 Beta 4)
- iBoot-889.24 (4.0.x)
- iBoot-931.18.1 (4.1 Beta 1)
- iBoot-931.18.27 (4.1 Builds 8B117 and 8B118)
- iBoot-931.44.21 (4.1 Build 8M89)
- iBoot-931.67 (4.2 Beta 1)
- iBoot-931.71.13 (4.2 Beta 3)
- iBoot-931.71.16 (4.2 GM and 4.2.1 Builds 8C148, 8C148a, and 8C154)
- iBoot-931.72.14 (4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9 and 4.2.10)
- iBoot-1072.33~1 (4.3 Beta 1)
- iBoot-1072.38 (4.3 Beta 2)
- iBoot-1072.49 (4.3 Beta 3)
- iBoot-1072.58 (4.3 Build 8F190)
- iBoot-1072.59 (4.3 Builds 8F191, 8F191m, 8F202 and 8F305, and 4.3.1)
- iBoot-1072.61 (4.3.2, 4.3.3, 4.3.4 and 4.3.5)
- iBoot-1219.35.80~1 (5.0 Beta 1)
- iBoot-1219.40.25 (5.0 Beta 2)
- iBoot-1219.41.11~1 (5.0 Beta 3)
- iBoot-1219.42.8 (5.0 Beta 4)
- iBoot-1219.43.9 (5.0 Beta 5)
- iBoot-1219.43.?? (5.0 Beta 6)
- iBoot-1219.43.?? (5.0 Beta 7)
- iBoot-1219.43.32 (5.0 GM, 5.0)
- iBoot-1219.43.32~27 (5.0.1 Beta 1)
- iBoot-1219.43.32~29 (5.0.1 Beta 2)
- iBoot-1219.43.?? (5.0.1)
Commands used as an exploit vector
- diags: Until 2.0 beta 6, the diags command would jump to code at the address provided to it. For example, if you sent "diags 0x9000000", it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
- arm7_go: For firmware 2.1.1, the iPod touch 2G iBoot contains the ARM7 Go command, which could be used to run a payload on the ARM7 in the device.
OpeniBoot
There is an open source version of iBoot designed so that custom kernels can be run on the iPhone/iPod/iPad. You can check out the source here. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself. OpeniBoot currently supports all S5L8900, S5L8720, S5L8920 and S5L8930 devices. More information about OpeniBoot and Linux on these devices can be found on the iDroid-Project website.
Remappings
// n88 (3GS)
0x4FF00000 => 0x0
0x40000000 => 0xC0000000