GeoHot: Exploit in Bootloader 5.8 – Unlock for all versions

Posted on Monday April 13th, 2009 / 02:27


GeoHot has discovered a new exploit in bootloader 5.8 that makes it possible to downgrade the baseband from 02.30 to 02.28!!

He himself says he is convinced there is a way to run the 5.8 ramloader instead of the baseband (bb) in RAM, which in practice means an unlock for every iPhone 3G firmware version!

Note: Both Vodafone and Cosmote sell the iPhone 3G unlocked (SIM free) on the Greek market.

“In bootloader 5.8 on the 3G, the loader signature validator is broken. Someone botched an if statement checking the location and length of the loader in the cert. Because of this, you can pass the run cert for the firmware you currently have on the phone instead of the loader cert, and send whatever you want as a loader.

Here is a bspatch file to be applied to ICE2_02.28.00.fls allowing downgrades from 2.30.03 using BBUpdaterExtreme. By replacing the patched cert with your current run cert, you can downgrade from any other version.

Unfortunately, most 3Gs out there are bootloader 5.9. I was hoping, since RSA was added to the bootrom, that it would run the vulnerable ramstrapper, but I had no luck, although I didn’t try that hard. I see no reason why it shouldn’t work theoretically; the bootrom RSA is complicated, maybe when I finish EDA…

And dev, since you’re into hashes

“I’m convinced there’s a way to make it run the 5.8 ramloader instead of the bb in RAM. We can also do a yellowsnow-ish thing to grab the bb reset and command boot from the bootrom level, even if the main sig doesn’t validate. Unlocks for all versions…”
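The flaw GeoHot describes is a signature validator that checks the certificate itself but does not properly enforce the check that binds the certificate to the loader actually being sent (its kind, location and length). The following is an added, constructed model of that class of mistake, written for this post; it is not the iPhone 3G bootloader code, Infineon code, or GeoHot's patch. HMAC-SHA256 with a shared demo key stands in for the real RSA signature, and the certificate layout, offsets and blob contents are all invented for the illustration. The strict validator shows the checks a loader-signature validator needs so that a genuinely signed certificate of the wrong kind cannot be reused for an arbitrary payload.

```python
import hashlib
import hmac
import struct

# Constructed demo key: stands in for the vendor's signing key (assumption).
SIGNING_KEY = b"constructed-demo-key"

# Constructed certificate layout: kind (8 bytes, NUL padded), load offset (u32),
# loader length (u32), SHA-256 digest of the loader (32 bytes), then a 32-byte
# HMAC-SHA256 "signature" over those fields.
CERT_FMT = ">8sII32s"
CERT_BODY_LEN = struct.calcsize(CERT_FMT)
SIG_LEN = 32


def sign(body: bytes) -> bytes:
    """Stand-in for the RSA signature: HMAC over the certificate body."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def make_cert(kind: bytes, offset: int, blob: bytes) -> bytes:
    """Build a signed certificate describing `blob` loaded at `offset`."""
    body = struct.pack(CERT_FMT, kind.ljust(8, b"\0"), offset, len(blob),
                       hashlib.sha256(blob).digest())
    return body + sign(body)


def parse_cert(cert: bytes):
    """Split a certificate into its fields; raises if it is malformed."""
    if len(cert) != CERT_BODY_LEN + SIG_LEN:
        raise ValueError("bad certificate size")
    body, sig = cert[:CERT_BODY_LEN], cert[CERT_BODY_LEN:]
    kind, offset, length, digest = struct.unpack(CERT_FMT, body)
    return body, sig, kind.rstrip(b"\0"), offset, length, digest


def validate_loader_weak(cert: bytes, loader: bytes, expected_offset: int) -> bool:
    """Botched validator: only verifies that the certificate is genuinely signed.
    It never checks that the certificate is a *loader* certificate, nor that its
    offset, length and digest describe the loader actually presented, so any
    validly signed certificate of any kind is accepted for any payload."""
    try:
        body, sig, *_ = parse_cert(cert)
    except ValueError:
        return False
    return hmac.compare_digest(sig, sign(body))


def validate_loader_strict(cert: bytes, loader: bytes, expected_offset: int) -> bool:
    """Correct validator: signature, certificate kind, location, length and
    content digest must all match the loader being loaded."""
    try:
        body, sig, kind, offset, length, digest = parse_cert(cert)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, sign(body)):
        return False                      # forged or corrupted certificate
    if kind != b"loader":
        return False                      # e.g. a firmware "run" cert reused as a loader cert
    if offset != expected_offset or length != len(loader):
        return False                      # certificate describes a different location/size
    return hmac.compare_digest(digest, hashlib.sha256(loader).digest())


# Constructed sample images and certificates (not real firmware data).
LOADER_OFFSET = 0x2000
LOADER = b"constructed loader image " * 4
FIRMWARE = b"constructed baseband firmware image " * 4
OTHER_BLOB = b"constructed replacement blob " * 4
LOADER_CERT = make_cert(b"loader", LOADER_OFFSET, LOADER)   # the legitimate loader cert
RUN_CERT = make_cert(b"run", 0x10000, FIRMWARE)              # a valid cert, but for the firmware


if __name__ == "__main__":
    print("strict, genuine loader + loader cert:", validate_loader_strict(LOADER_CERT, LOADER, LOADER_OFFSET))
    print("strict, other blob + run cert:      ", validate_loader_strict(RUN_CERT, OTHER_BLOB, LOADER_OFFSET))
    print("weak,   other blob + run cert:      ", validate_loader_weak(RUN_CERT, OTHER_BLOB, LOADER_OFFSET))
```

The weak validator mirrors the situation in the quote: the signature check passes because the certificate really was signed by the vendor, and nothing ties that certificate to the blob that follows it. The strict version adds the three checks that close that gap: certificate kind, declared offset and length against the loader actually presented, and a digest over the loader's contents.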

Discussion in the forum: Bootloader 5.8 exploit: Unlock for All iPhone versions!

About Vasilis Ananiadis

The living legend of the Greek blogosphere, the abyssal master of SEO, the prince of Social Media, the hurricane of Web Startups, the orgasm of internet success. Now also on twitter: @vananiadis
