|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8720"
(→Exploits: Trying to unify the syntax.) |
|||
| Line 1: | Line 1: | ||
This is the Application Processor used on the [[n72ap|iPod Touch 2G]]. |
This is the Application Processor used on the [[n72ap|iPod Touch 2G]]. |
||
| − | ==Exploits== |
+ | == Exploits == |
| − | ===[[iBoot]] |
+ | === [[iBoot]] === |
'''Note''': [[iBoot]] on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares |
'''Note''': [[iBoot]] on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares |
||
| − | * [[ARM7 Go]] - |
+ | * [[ARM7 Go]] - Works on [[iOS]] 2.1.1 |
| − | * [[iBoot Environment Variable Overflow]] - 3.1 beta 3 |
+ | * [[iBoot Environment Variable Overflow]] - Works up to [[iOS]] 3.1 beta 3 |
| − | * [[usb_control_msg(0x21, 2) Exploit]] - 3.1.2 |
+ | * [[usb_control_msg(0x21, 2) Exploit]] - Works up to [[iOS]] 3.1.2 |
| − | * [[PDF CFF Font Stack Overflow]] - 4.0 to 3.1.2 |
||
| − | ===[[ |
+ | === [[S5L8720 (Bootrom)|Bootrom]] === |
| − | * [[0x24000 Segment Overflow]] - |
+ | * [[0x24000 Segment Overflow]] - only in [[iBoot-240.4]] |
| − | * [[usb_control_msg(0xA1, 1) Exploit]] - |
+ | * [[usb_control_msg(0xA1, 1) Exploit]] - in [[iBoot-240.4]] and [[iBoot-240.5.1]] |
| − | ===[[ |
+ | === [[Kernel]] === |
| − | * [[ |
+ | * [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3 |
| − | * [[ |
+ | * [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0 |
| + | |||
| + | === [[Userland]] === |
||
| + | * [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3 |
||
| + | * [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 4.0 |
||
==Boot Chain== |
==Boot Chain== |
||
Revision as of 00:45, 23 September 2010
This is the Application Processor used on the iPod Touch 2G.
Contents
Exploits
iBoot
Note: iBoot on the S5L8720 can be downgraded, allowing any of these exploits to be used on future firmwares
- ARM7 Go - Works on iOS 2.1.1
- iBoot Environment Variable Overflow - Works up to iOS 3.1 beta 3
- usb_control_msg(0x21, 2) Exploit - Works up to iOS 3.1.2
Bootrom
- 0x24000 Segment Overflow - only in iBoot-240.4
- usb_control_msg(0xA1, 1) Exploit - in iBoot-240.4 and iBoot-240.5.1
Kernel
- BPF STX Kernel Write Exploit - Works up to iOS 3.1.3
- IOSurface Kernel Exploit - Works up to iOS 4.0
Userland
- MobileBackup Copy Exploit - Works up to iOS 3.1.3
- PDF CFF Font Stack Overflow - Works up to iOS 4.0
Boot Chain
VROM->LLB->iBoot->Kernel->System Software
It is definitely worthy to note that the Pwnage exploit is fixed because the images are now flashed to the NOR in their encrypted IMG3 containers, and the bootrom can properly check LLB's signature. That being said, unsigned images can still be run using the 0x24000 Segment Overflow, provided the bootrom is old enough.
