The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8900"
(removed non-hardware-related exploits) |
|||
Line 1: | Line 1: | ||
+ | {{float toc|right}} |
||
− | This is the Application Processor shared between the [[M68ap|iPhone]], [[N45ap|iPod touch]], and the [[N82ap|iPhone 3G]]. Not much is known about it through official sources. According to [[saurik]], this is an "arm1176jzf-s", if you're looking for manuals. This processor is not used in any of the newest devices, being replaced by the [[S5L8720]], [[S5L8920]], [[S5L8922]], [[S5L8930]], [[S5L8940]], [[S5L8942]] and [[S5L8945]]. |
||
+ | The '''S5L8900''' in the technical name of the [[Application Processor|application processor]] shared between the [[m68ap|iPhone 2G]], [[n45ap|iPod touch 1G]], and the [[n82ap|iPhone 3G]]. Not much is known about it through official sources. According to [[saurik]], this is an "arm1176jzf-s". This processor has been replaced by the [[S5L8720]] in the [[ and the [[S5L8920]] in the [[n88ap|iPhone 3GS]]. Those have subsequently been replaced by newer [[Application Processor|processors]]. |
||
− | ==[[S5L File Formats|Firmware File Formats]]== |
+ | == [[S5L File Formats|Firmware File Formats]] == |
− | == [[VROM (S5L8900)| |
+ | == [[VROM (S5L8900)|VROM]] Exploits == |
* [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]] |
* [[pwnage|Pwnage 1.0 (Ramdisk + AppleImage2NORAccess)]] |
||
* [[Pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]] |
* [[Pwnage 2.0|Pwnage 2.0 (DFU + Malformed Certificate)]] |
||
− | ==Boot Chain== |
+ | == Boot Chain == |
− | [[VROM (S5L8900)]] |
+ | * [[VROM (S5L8900)|VROM]] ([[Bootrom Rev. 2]]) |
+ | * [[LLB]] |
||
+ | * [[iBoot (Bootloader)|iBoot]] |
||
+ | * [[Kernel]] |
||
+ | * [[/|System Software]] |
||
+ | === [[iPhoneLinux]] === |
||
+ | One of the many goals of the [[iPhoneLinux]] project is to modify the boot chain immediately after the bootrom: |
||
+ | * VROM (Bootrom Rev. 2) |
||
+ | * [[OpeniBoot]] |
||
+ | * [http://www.kernel.org Linux Kernel] |
||
+ | * [http://www.x.org X Server] |
||
+ | * [[wikipedia:X Window System|X Window System]] (X11) |
||
+ | This is possible thanks to the [[Pwnage]] and [[Pwnage 2.0]] exploits discovered by the [[iPhone Dev Team]]. The exploit in a nutshell exploits the fact that the [[VROM (S5L8900)|VROM]] ([[Bootrom Rev. 2]]) doesn't signature check the [[LLB]], and as such, by uploading a maliciously crafted LLB, one can gain control of the entire device. |
||
+ | Despite many years of work, it appears that the project will never be finished, much akin to many other big open source projects, such as [[wikipedia:ReactOS|ReactOS]] and the [[wikipedia:GNU Project|GNU]]'s own kernel, the [http://www.gnu.org/software/hurd/hurd.html Hurd]. |
||
− | One of the [[iPhoneLinux]] goals are to replace that Boot Chain after iBoot: |
||
− | |||
− | [[VROM (S5L8900)]]->OpeniBoot->Linux Kernel->X Server->Window Manager |
||
− | |||
− | ==Upgrade Process== |
||
+ | == Upgrade Process == |
||
=== [[Restore Mode]] === |
=== [[Restore Mode]] === |
||
+ | The restore process of the processor is: |
||
− | The common upgrade process chain is [[VROM]]->[[DFU Mode]]->[[WTF]]->[[iBoot (Bootloader)|iBoot]]->[[Kernel]]->[[Ramdisk]]->[[Restore Mode]]. |
||
+ | * [[VROM (S5L8900)|VROM]] ([[Bootrom Rev. 2]]) |
||
+ | * [[DFU Mode]] |
||
+ | * [[WTF]] |
||
+ | * [[iBoot (Bootloader)|iBoot]] |
||
+ | * [[Kernel]] (wait for [[Ramdisk|Restore Ramdisk]] upload) |
||
+ | * Restore Ramdisk |
||
+ | * [[Restore Mode]] |
||
=== [[DFU Mode]] === |
=== [[DFU Mode]] === |
||
− | + | In order to flash an older version of [[iOS|iPhone OS]] onto the device, you need to enter [[DFU Mode]]. The entry into DFU Mode is in the [[iDevice|device]]'s circuitry and the processor itself. This allows a non-responsive device to enter DFU Mode nearly anywhere, essentially making it improbable(?) to [[brick]] the device. |
|
+ | Once in [[DFU Mode]], [[iTunes]] will notify you of a device in [[Restore Mode]], even though it isn't. This is common across all devices. In iTunes, you just hold the [[wikipedia:Option key|Option key]] (क) on [[wikipedia:OS X|OS X]] or the [[wikipedia:Shift key|shift key]] on [[wikipedia:Microsoft Windows|Windows]] while clicking the "Restore" button. Just navigate to the [[IPSW File Format|IPSW]] for the specific version you want. As [[SHSH|SHSH blobs]] didn't exist before [[iOS|iPhone OS]] 3.0 with the [[S5L8920]] on the [[n88ap|iPhone 3GS]], you are only limited by your ability to obtain the [[firmware]] IPSW. |
||
− | ==== Boot Chain ==== |
||
− | [[VROM]]->[[DFU Mode]] |
||
+ | The boot chain is a very simple one: |
||
− | ==External Links== |
||
+ | * [[VROM (S5L8900)|VROM]] ([[Bootrom Rev. 2]]) |
||
+ | * [[DFU Mode]] |
||
+ | |||
+ | == See Also == |
||
+ | * [[VROM (S5L8900)]] |
||
+ | ** [[Bootrom Rev. 2]] |
||
+ | * [[Application Processor]] |
||
+ | |||
+ | == External Links == |
||
* [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0301h/DDI0301H_arm1176jzfs_r0p7_trm.pdf Technical Reference Manual: ARM1176JZF-S] |
* [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0301h/DDI0301H_arm1176jzfs_r0p7_trm.pdf Technical Reference Manual: ARM1176JZF-S] |
||
+ | |||
+ | [[Category:Application Processors]] |
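Review bot: the rewritten intro paragraph has two defects that will render badly: `[[S5L8720]] in the [[ and the [[S5L8920]]` leaves a wikilink unclosed (the target device for the S5L8720 is missing), and `The '''S5L8900''' in the technical name` should read `is the technical name`. Suggest completing the link target and fixing the verb before saving. The DFU Mode paragraph also keeps `improbable(?)`; either drop the question mark or state the claim plainly.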
Revision as of 22:55, 17 November 2012
The S5L8900 is the technical name of the application processor shared between the iPhone 2G, iPod touch 1G, and the iPhone 3G. Not much is known about it through official sources. According to saurik, this is an "arm1176jzf-s". This processor has been replaced by the S5L8720 in the [[ and the S5L8920 in the iPhone 3GS. Those have subsequently been replaced by newer processors.
Firmware File Formats
VROM Exploits
Boot Chain
iPhoneLinux
One of the many goals of the iPhoneLinux project is to modify the boot chain immediately after the bootrom:
- VROM (Bootrom Rev. 2)
- OpeniBoot
- Linux Kernel
- X Server
- X Window System (X11)
This is possible thanks to the Pwnage and Pwnage 2.0 exploits discovered by the iPhone Dev Team. In a nutshell, the exploits rely on the fact that the VROM (Bootrom Rev. 2) does not signature-check the LLB, so by uploading a maliciously crafted LLB one can gain control of the entire device.
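As an added illustration (not from the wiki page or the iPhoneLinux project), the following Python model walks the boot chain above and reports which stages the root of trust actually vouches for. The per-stage verification policy, the HMAC key standing in for a real signature, and the image bytes are constructed assumptions; the only fact taken from the page is that the Bootrom Rev. 2 does not verify the LLB.

```python
import hashlib
import hmac

# Boot chain of the S5L8900 as listed on this page: each stage loads the next.
CHAIN = ["VROM", "LLB", "iBoot", "Kernel", "System Software"]

# Constructed stand-in for the vendor signing key. A symmetric HMAC keeps the
# demo dependency-free; real firmware is checked with public-key signatures.
SIGNING_KEY = b"constructed-demo-signing-key"

# Assumed verification policy: True means "this stage verifies the signature
# of the stage it loads". Only the VROM entry comes from the page (Bootrom
# Rev. 2 does not check the LLB); the remaining entries are demo assumptions.
S5L8900_POLICY = {"VROM": False, "LLB": True, "iBoot": True, "Kernel": True}
HARDENED_POLICY = {"VROM": True, "LLB": True, "iBoot": True, "Kernel": True}

def sign(image: bytes) -> bytes:
    """Tag a legitimate image carries (demo stand-in for a real signature)."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()

def verify(image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(image), tag)

def genuine_images() -> dict:
    """Constructed sample firmware: every stage carries a valid tag."""
    return {s: (b"image:" + s.encode(), sign(b"image:" + s.encode()))
            for s in CHAIN[1:]}

def walk_chain(images: dict, policy: dict):
    """Boot the chain; return (stages the root of trust vouches for, outcome).

    A stage is trusted only if a *trusted* loader verified it. Once any stage
    boots unverified, every later check is done by code an attacker may have
    replaced, so nothing after that point is trusted even if it is genuine.
    """
    trusted = ["VROM"]  # mask ROM: the root of trust, cannot be rewritten
    for loader, loaded in zip(CHAIN, CHAIN[1:]):
        image, tag = images[loaded]
        if loader not in trusted or not policy.get(loader, False):
            continue  # loaded unverified: it boots, but nobody vouches for it
        if not verify(image, tag):
            return trusted, "halted at " + loaded  # refused, boot stops here
        trusted.append(loaded)
    return trusted, "booted"

# Scenario from the page: a modified LLB with a stale tag on Bootrom Rev. 2.
TAMPERED = genuine_images()
TAMPERED["LLB"] = (b"image:LLB-modified", TAMPERED["LLB"][1])
```

On the S5L8900 policy even untampered firmware leaves the chain vouching for nothing beyond the VROM, while the modified LLB boots unchallenged; only a bootrom that checks the LLB halts instead.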
Despite many years of work, it appears that the project will never be finished, much akin to many other big open source projects, such as ReactOS and GNU's own kernel, the Hurd.
Upgrade Process
Restore Mode
The restore process of the processor is:
- VROM (Bootrom Rev. 2)
- DFU Mode
- WTF
- iBoot
- Kernel (wait for Restore Ramdisk upload)
- Restore Ramdisk
- Restore Mode
DFU Mode
In order to flash an older version of iPhone OS onto the device, you need to enter DFU Mode. DFU Mode entry is implemented in the device's circuitry and in the processor itself. This allows a non-responsive device to enter DFU Mode from nearly any state, essentially making it improbable(?) to brick the device.
Once in DFU Mode, iTunes will notify you of a device in Restore Mode, even though it isn't. This is common across all devices. In iTunes, you just hold the Option key (⌥) on OS X or the Shift key on Windows while clicking the "Restore" button. Just navigate to the IPSW for the specific version you want. As SHSH blobs didn't exist before iPhone OS 3.0 with the S5L8920 on the iPhone 3GS, you are only limited by your ability to obtain the firmware IPSW.
The boot chain is a very simple one: