
iBoot and tethered jailbreak

Many users can no longer imagine their devices without a jailbreak, and owners of carrier-locked devices cannot do without it at all: unlocking from the carrier is only possible by hacking the device. To do this, the system kernel has to be modified; this is the very essence of jailbreaking. The kernel can only be modified while the iPhone operating system is not loaded, namely when the device is in DFU mode. However, even in this mode the bootloader (loader) checks the digital signatures of the modules being launched. But an error was found in the bootloader code that allowed arbitrary code to be loaded onto the device and executed, bypassing the loader's signature verification. The 24kpwn exploit contains code that modifies the kernel and disables signature verification, as was the case on the iPhone 2G, iPhone 3G and iPod Touch models.

In the newer iPhone 3GS and iPod Touch 2G / 3G models, Apple decided to add protection and introduced another check: now the loader also verifies the digital signature of the kernel itself, and if the kernel turns out to be modified, the device simply does not boot. Moreover, the code-signing verification scheme has become more complicated, and Apple itself can now control the process: the signature check is carried out by the company's server over the Internet. Thus, Apple can easily control and prevent the installation of old or modified firmware, which it actually does.

On firmware 3.0 and 3.1 this problem was successfully solved, since the firmware itself contains a signed iBoot module with a vulnerability that allows the jailbreak code for kernel modification to be executed from DFU mode. Another vulnerability was also found in the ROM loader itself, which allowed the already modified kernel to be loaded. Thus, even after the next firmware version is released, in which the iBoot vulnerability will certainly be closed, we will still be able to boot the phone thanks to the signature verification responses cached earlier on firmware 3.0 and 3.1. It is thanks to these signatures that we can hack the system, and thanks to the vulnerability in the ROM we can boot it successfully whatever new firmware is released.

Naturally, Apple can no longer do anything about the bootloader on already released devices: they will always boot. However, it did not end there. Starting from the 43rd week of 2009, Apple upgraded the ROM loader to version 359.3.2, thereby closing all previously found holes.

DevTeam assured us that there is nothing to be afraid of. At the initial stage a so-called "tethered" jailbreak will be possible, where the modified kernel is loaded with the help of a computer, and a full-fledged jailbreak is just around the corner.

The jailbreak process does not differ from the steps performed on other devices, but there is one nuance: after every power-off of the device you have to perform some simple manipulations to turn it back on. The most unpleasant part is that these actions are performed on a computer, so if, God forbid, something glitches or the battery runs down, the device will only turn on if you have a computer at hand. The easiest way to boot such a device is GeoHot's blackra1n utility. Download the blackra1n program, connect the phone to the computer, start the program and click the single "Make it ra1n" button. After a few moments the device boots up and you can continue working with it; no data is deleted.

The problem is solved: a full-fledged jailbreak can now be done with the [ iSpirit utility! ]

Now about how to find out which iBoot you have. There are several ways:
  1. The easiest way is by serial number: the 4th and 5th digits are the week number of production, and the 3rd digit is the year. For example, if the serial number starts with 879 31, the device was produced in the 31st week of 2009 (the 3rd digit, 9). On such a device you can do a full jailbreak; if you have 43 or higher there, then alas, so far only a tethered one.
  2. Using the f0recast utility. Just plug in the device and run the utility:

    The following information will be shown:
    • Serial #: serial number of the device
    • Baseband: modem firmware version
    • Bootloader: bootloader version
    • Model: device model
    • Unlockable?: whether it is locked or not (if Yes, it also tells you what to unlock it with)
    • Tethered?: whether the jailbreak is tethered or not (this is what we need)