This page has been robot translated, sorry for typos if any. Original content here.

iBoot and tethered jailbreak

Many users no longer present their devices without jailbreaking, and owners of locked devices can’t do without it, because Unlinking from the operator is carried out only by hacking the device. To do this, you need to modify the kernel of the system - this is the very essence of the jailbreak. The kernel modification process is possible only when the iPhone operating system is not loaded, namely when it is in DFU mode. However, even in this mode, the bootloader (bootloader) checks the digital signatures of the launched modules. But, an error was found in the program code of the loader, which allowed to load into the device and execute arbitrary code to bypass the signature verification by the loader. The 24kpwn exploit contains code that can modify the kernel and disable signature verification, as was the case with the iPhone 2G, 3G and iPod Touch models.

In the newer models of iPhone 3GS and iPod Touch 2G / 3G, Apple decided to add protection and introduced another check, now the bootloader checks the digital signature of the kernel itself, and if it is modified, the device simply does not boot. Moreover, the code signature verification system has become more complex, now Apple itself can control this process, since signature verification is carried out by the company's server via the Internet. Thus, Apple can easily control and prevent the installation of old or modified firmware, which actually does.

On firmware 3.0 and 3.1, this problem was successfully solved, since the firmware itself contains a signed iBoot module with a vulnerability that allows you to execute hacker code for modifying the kernel in DFU mode. Another vulnerability was found in the ROM bootloader itself, which allowed to load the already modified kernel. Thus, even by releasing the next version of the firmware, where the iBoot module vulnerability is sure to be closed, we can launch the phone thanks to the cached signature verification response codes made earlier on firmware 3.0 and 3.1. It is thanks to these signatures that we can hack the system, and thanks to the vulnerability in ROM, no matter what new firmware is released, successfully download it.

Naturally, with the bootloader, on already released devices, Apple will not be able to do anything, they will always run. However, this did not end there, starting from week 43 of 2009, they updated the ROM bootloader version to version 359.3.2, thereby closing all the previously found holes.

DevTeam assured us that there is nothing to fear. At the initial stage, it will be possible to have a so-called “tethered” jailbreak, when the modified kernel can be downloaded using a computer, well, and there full-fledged is not far off.

The jailbreak process is no different from the actions performed on other devices, but there is one caveat; after each shutdown of the device, you will have to do some simple manipulations to turn it on. The most annoying thing is that these actions are performed on the computer, and if God forbid something glitched or discharged, you can only turn it on if you have a computer. The easiest way to enable such a device is provided by the utility from GeoHot. You need to download the blackra1n program , connect the phone to the computer, start it and click on the single button “ Make it ra1n ”. After a few moments, the device will boot up and you can continue to work with it, the data will not be deleted.

The problem is solved, now a full jailbreak can be done with the help of [ iSpirit utility! ]

Now how to find out what your iBoot is. There are several ways:
  1. The easiest way is to find out by serial number - the 4th and 5th digits is the week number of its production. For example, if the serial number starts at 879 31 , this indicates that it was produced at week 31 of 2009 (3rd digit). So on it you can make a full jail, and if you have 43 or higher there, then alas, so far only tied.
  2. Using the utility f0recast . Just connect the device, run the utility:

    The following information will be available to you:
    • Serial # : device serial number
    • Baseband: Modem firmware version
    • Bootloader: Bootloader Version
    • Model: Device Model
    • Unlockable ?: Locked or not (If Yes, then it will be prompted than to unlock)
    • Tethered ?: Tied jail or not (This is what we need)