Difference between revisions of "Pwnage"

From The iPhone Wiki
Revision as of 04:49, 21 September 2010

This exploit is in the S5L8900 bootrom and is therefore available on the original iPhone, the original iPod touch and the iPhone 3G. The exploit is that the bootrom does not signature-check LLB before jumping to it, so the chain of trust has no trusted root: whoever controls the LLB image in NOR controls every stage after it.

Credit

iPhone Dev Team

Exploit

Pre-2.0 (S5L8900)

The NOR was laid out in such a way that when the firmware images were flashed to it, the RSA signatures were dropped along with the rest of the firmware container. So although iBoot signature-checked the kernel, LLB did not signature-check iBoot, and the VROM did not signature-check LLB; anything written to NOR at the LLB or iBoot stage ran unverified.

2.0+ (S5L8900)

The VROM does not signature-check what it jumps to in NOR. So to use the exploit, one needs a way of writing unsigned images to NOR, either through iBoot hacks or kernel patches. Although images are now written to NOR in a form that lets each stage verify the next (LLB verifying iBoot, for instance), the bootrom itself cannot be rewritten, so it still just loads LLB and jumps to it without a signature check. A patched LLB can then skip its own check of iBoot, and a patched iBoot its check of the kernel, so the whole chain runs unsigned code.

2.0+ (S5L8720 and on)

This exploit has been fixed on the iPod touch 2G and all devices released after it: the bootrom now signature-checks LLB before jumping to it, and if LLB has been patched the device falls back to DFU Mode instead. The 0x24000 Segment Overflow exploit was later found in the first bootrom revisions of the iPod touch 2G and the iPhone 3GS, allowing those devices to be fully jailbroken again. It has since been fixed with new bootrom revisions for these devices; newer devices were never susceptible to the 0x24000 Segment Overflow.
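The following is an added example, not code from the wiki or from the iPhone Dev Team. It models the boot chain (bootrom, LLB, iBoot, kernel) described in the 2.0+ (S5L8900) and 2.0+ (S5L8720 and on) sections above as a small C simulation: the one switch that differs between the two bootroms is whether LLB is signature-checked before the jump. The signature scheme (`sign_stub`/`verify_stub`, FNV-1a mixed with a constant) is a stand-in for Apple's RSA signatures, the image bodies (`"LLB-stock"`, `"kernel-pwned"` and so on) are constructed strings, and the `patched` flag is a simplification of an attacker's patch that removes a stage's check of the next image; none of these names come from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the S5L8900 / S5L8720 boot chain: bootrom -> LLB -> iBoot -> kernel.
 * Each stage either verifies the next image before jumping to it or does not.
 * The signature scheme is a stand-in (FNV-1a with a constant "key"); real devices
 * use RSA. All images and names here are constructed for illustration. */

enum stage { STAGE_LLB = 0, STAGE_IBOOT = 1, STAGE_KERNEL = 2, NSTAGES = 3 };

enum boot_result {
    BOOT_DFU = 0,        /* bootrom rejected LLB and fell back to DFU mode */
    BOOT_HALT_LLB = 1,   /* LLB rejected iBoot */
    BOOT_HALT_IBOOT = 2, /* iBoot rejected the kernel */
    BOOT_OK = 3          /* kernel reached */
};

typedef struct {
    const char *body;      /* image contents (a string stands in for the binary) */
    uint32_t    signature; /* stand-in signature; 0 means "unsigned" */
    int         patched;   /* attacker patch: this stage skips verifying the next one */
} image_t;

typedef struct {
    int bootrom_verifies_llb; /* 0 on S5L8900, 1 on S5L8720 and later */
    int llb_verifies_iboot;   /* 0 before firmware 2.0, 1 on 2.0+ */
} boot_policy_t;

/* Stand-in for Apple's signing key: only this function mints a valid signature. */
static uint32_t sign_stub(const char *body)
{
    uint32_t h = 0x811c9dc5u ^ 0xa11ce5edu; /* constructed "key" folded into the seed */
    for (const unsigned char *p = (const unsigned char *)body; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h ? h : 1u; /* 0 is reserved for "unsigned" */
}

static int verify_stub(const image_t *img)
{
    return img->signature != 0 && img->signature == sign_stub(img->body);
}

/* Walk the chain under the given policy and report how far the boot gets. */
enum boot_result boot(const boot_policy_t *pol, const image_t images[NSTAGES])
{
    /* bootrom -> LLB: the S5L8900 bootrom jumps without checking (the Pwnage bug). */
    if (pol->bootrom_verifies_llb && !verify_stub(&images[STAGE_LLB]))
        return BOOT_DFU;
    /* LLB -> iBoot: checked from 2.0 on, unless the attacker's LLB patch removed it. */
    if (pol->llb_verifies_iboot && !images[STAGE_LLB].patched &&
        !verify_stub(&images[STAGE_IBOOT]))
        return BOOT_HALT_LLB;
    /* iBoot -> kernel: iBoot has always verified the kernel, again unless patched. */
    if (!images[STAGE_IBOOT].patched && !verify_stub(&images[STAGE_KERNEL]))
        return BOOT_HALT_IBOOT;
    return BOOT_OK;
}

/* Apple-signed chain when 'apple_signed' is set; otherwise the attacker's chain,
 * unsigned and with every verification patched out. */
static void build_chain(image_t out[NSTAGES], int apple_signed, const char *const bodies[NSTAGES])
{
    for (int i = 0; i < NSTAGES; i++) {
        out[i].body      = bodies[i];
        out[i].signature = apple_signed ? sign_stub(bodies[i]) : 0;
        out[i].patched   = !apple_signed;
    }
}

static const char *const STOCK[NSTAGES] = { "LLB-stock", "iBoot-stock", "kernel-stock" };
static const char *const PWNED[NSTAGES] = { "LLB-pwned", "iBoot-pwned", "kernel-pwned" };

/* 2.0+ firmware on a device whose bootrom does (1) or does not (0) check LLB, booting
 * either the stock signed images or the attacker's unsigned, patched set in NOR. */
enum boot_result scenario(int bootrom_checks, int apple_signed)
{
    boot_policy_t pol = { bootrom_checks, 1 };
    image_t chain[NSTAGES];
    build_chain(chain, apple_signed, apple_signed ? STOCK : PWNED);
    return boot(&pol, chain);
}

/* Swapping only the kernel under a stock LLB/iBoot on S5L8900 still fails: iBoot checks
 * the kernel, which is why Pwnage needs the unsigned NOR write of LLB itself. */
enum boot_result scenario_kernel_only(void)
{
    boot_policy_t pol = { 0, 1 };
    image_t chain[NSTAGES];
    build_chain(chain, 1, STOCK);
    chain[STAGE_KERNEL].body = "kernel-pwned"; /* body replaced, stock signature kept */
    return boot(&pol, chain);
}

int main(void)
{
    printf("stock images, S5L8900:   %d\n", scenario(0, 1));
    printf("pwned NOR, S5L8900:      %d\n", scenario(0, 0));
    printf("pwned NOR, S5L8720:      %d\n", scenario(1, 0));
    printf("kernel swap only, 8900:  %d\n", scenario_kernel_only());
    return 0;
}
```

Run as written, the patched NOR boots to the kernel (`BOOT_OK`) on the S5L8900 model because nothing verifies the first stage, while the identical NOR contents leave the S5L8720 model in DFU (`BOOT_DFU`); the kernel-only swap stops in iBoot, which is the point of the section: the weak link is the bootrom's missing check of LLB, not any later stage.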

Implementation