Difference between revisions of "Bootrom Dumper Utility"

From The iPhone Wiki
Jump to: navigation, search
(Info / Instructions)
(values from October 2010 release: http://pastebin.com/vLa8reaS)
Line 14: Line 14:
 
* the offset to the call of usb_wait_for_image in payload.S
 
* the offset to the call of usb_wait_for_image in payload.S
   
  +
0x7ef @ A4 devices: iPad 1, iPhone 4 (GSM+CDMA), Apple TV 2G, iPod touch 4G
0x7ef @ A4
 
0x30E9 @ iPod 2G, old bootrom
+
0x8b7 @ iPod touch 3G
0x30F1 @ iPod 2G, new bootrom
+
0x8b7 @ iPhone 3GS new bootrom
0x8b7 @ iPod 3G, iPhone 3Gs new bootrom
+
0x8b7 @ iPhone 3GS old bootrom
  +
0x8b7 @ iPod touch 2G new bootrom (0x30F1 according to other sources)
  +
0x8b7 @ iPod touch 2G old bootrom (0x30E9 according to other sources)
   
 
* exploit offsets in bdu.c
 
* exploit offsets in bdu.c
Line 24: Line 26:
 
#define EXPLOIT_LR 0x8403BF9C
 
#define EXPLOIT_LR 0x8403BF9C
 
#define LOADADDR_SIZE 0x2C000
 
#define LOADADDR_SIZE 0x2C000
// iPod 2G:
+
// iPod touch 2G:
 
#define EXPLOIT_LR 0x22000000
 
#define EXPLOIT_LR 0x22000000
 
#define LOADADDR_SIZE 0x24000
 
#define LOADADDR_SIZE 0x24000
// iPod 3G:
+
// iPod touch 3G:
 
#define EXPLOIT_LR 0x84033F98
 
#define EXPLOIT_LR 0x84033F98
 
#define LOADADDR_SIZE 0x24000
 
#define LOADADDR_SIZE 0x24000
// iPhone 3Gs new bootrom:
+
// iPhone 3GS new bootrom:
 
#define EXPLOIT_LR 0x84033FA4
 
#define EXPLOIT_LR 0x84033FA4
 
#define LOADADDR_SIZE 0x24000
 
#define LOADADDR_SIZE 0x24000
Line 36: Line 38:
 
== Links ==
 
== Links ==
 
[https://github.com/Chronic-Dev/Bootrom-Dumper Github]
 
[https://github.com/Chronic-Dev/Bootrom-Dumper Github]
 
   
 
[[Category:Hacking Software]]
 
[[Category:Hacking Software]]

Revision as of 20:02, 2 January 2012

Credit

Pod2g

Geohot for limera1n

Info / Instructions

  • you need a mac or linux box to use it / build it
  • libusb > 1.0.8 required
  • execute it with root privileges (sudo ./bdu)
  • by default compatible only with A4 devices: (iPhone 4, iPod 4G, iPad, AppleTV 2)

It's possible to extend the compatibility to older devices as well (iPhone 3GS, iPod 3G) by changing:

  • the offset to the call of usb_wait_for_image in payload.S
0x7ef @ A4 devices: iPad 1, iPhone 4 (GSM+CDMA), Apple TV 2G, iPod touch 4G
0x8b7 @ iPod touch 3G
0x8b7 @ iPhone 3GS new bootrom
0x8b7 @ iPhone 3GS old bootrom
0x8b7 @ iPod touch 2G new bootrom (0x30F1 according to other sources)
0x8b7 @ iPod touch 2G old bootrom (0x30E9 according to other sources)
  • exploit offsets in bdu.c
// A4:
#define EXPLOIT_LR 0x8403BF9C
#define LOADADDR_SIZE 0x2C000
// iPod touch 2G:
#define EXPLOIT_LR 0x22000000
#define LOADADDR_SIZE 0x24000
// iPod touch 3G:
#define EXPLOIT_LR 0x84033F98
#define LOADADDR_SIZE 0x24000
// iPhone 3GS new bootrom:
#define EXPLOIT_LR 0x84033FA4
#define LOADADDR_SIZE 0x24000

Links

Github