This page has been robot translated, sorry for typos if any. Original content here.

iBoot and tethered jailbreak

Many users can no longer imagine their devices without jailbreaking, and owners of locked devices can’t do without it at all, because untying from the operator is carried out only by hacking the device. To do this, it is necessary to modify the core of the system - this is the very essence of the jailbreak. The kernel modification process is possible only when the iPhone operating system is not loaded, namely when it is in DFU mode. However, even in this mode, the bootloader (bootloader) checks the digital signatures of the launched modules. But, an error was found in the bootloader program code, which allowed loading into the machine and executing arbitrary code bypassing the signature verification by the bootloader. An exploit from 24kpwn contains code that can modify the kernel and disable signature verification, as was the case with the iPhone 2G, 3G and iPod Touch.

In newer models of iPhone 3GS and iPod Touch 2G / 3G, Apple decided to supplement the protection and introduced another check, now the bootloader checks the digital signature of the kernel itself, and if it turns out to be modified, the device simply does not boot. Moreover, the system of verification of code signatures has become more complicated, now Apple itself can control this process, as Signature verification is carried out by the company’s server via the Internet. Thus, Apple can easily control and prevent the installation of old or modified firmware, which actually does.

On firmware 3.0 and 3.1, this problem was successfully resolved, since the firmware itself contains a signed iBoot module with a vulnerability that allows executing hacker code to modify the kernel in DFU mode. Another vulnerability was found in the ROM bootloader itself, which allowed loading an already modified kernel. Thus, even having released the next version of the firmware, where the vulnerability of the iBoot module will certainly be closed, we will be able to start the phone thanks to the cached response verification codes of the signature made earlier on firmware 3.0 and 3.1. It is thanks to these signatures that we can hack the system, and thanks to a vulnerability in ROM, successfully loading it no matter what new firmware comes out.

Naturally, with the bootloader, on already released devices, Apple will not be able to do anything, they will always start. However, this did not end there, starting from the 43rd week of 2009, they updated the ROM bootloader version to version 359.3.2, thereby closing all previously found holes.

DevTeam assured us that there is nothing to fear. At the initial stage, the so-called “tied” jailbreak will be possible, when the modified kernel can be downloaded using a computer, and then a full-fledged one is just around the corner.

The jailbreak process does not differ in any way from the actions performed on other devices, but there is one caveat, after each turn off the device you have to do some simple manipulations to turn it on. The most unpleasant thing is that these actions are performed on the computer, and if, God forbid, something is buggy or it is discharged, then you can turn it on only if you have a computer. The easiest way to turn on such a device is provided by the utility from GeoHot. You need to download the blackra1n program , connect the phone to the computer, start it and click on the only button “ Make it ra1n ”. After a few moments, the device will boot up and you can continue to work with it, the data will not be deleted.

The problem is solved, now a full jailbreak can be done using the [ iSpirit utility! ]

Now about how to find out which iBoot you have. There are several ways:
  1. The easiest way is to find out by the serial number - the 4th and 5th digits are the week number of its production. For example, if the serial number starts at 879 31 , it means that it was produced at the 31st week of 2009 (3rd digit). So you can make a full-fledged jail on it, and if you have 43 or higher there, then alas, so far only attached.
  2. Using the f0recast utility. Just plug in the device, run the utility:

    The following information will be available to you:
    • Serial # : Serial number of the device
    • Baseband: Modem firmware version
    • Bootloader: bootloader version
    • Model: Device Model
    • Unlockable ?: Locked or not (If Yes, it will be prompted with what to unlock)
    • Tethered ?: Tied Jail or not (This is what we need)