GeoHot Finds Exploit in the 5.8 iPhone Bootloader
Posted April 12, 2009 at 5:03pm by iClarified
Geohot has found a bug in the 5.8 iPhone bootloader which can be exploited to downgrade your baseband.
Unfortunately most people who need to downgrade are already on the 5.9 bootloader. Geohot is "convinced theres a way to make it run the 5.8 ramloader instead of the bb in ram." Meaning unlocks for all firmware versions.
Both Geohot and the iPhone Dev-Team are looking ways of accomplishing this and hopefully in the near future those who accidentally upgraded will be able to get their unlock back!
-----
I've been off the iPhone scene for a while. A couple days ago, I got an e-mail from Chronic asking for help with the new asr. I helped out with genpass, and started reading through theiphonewiki again. Thanks so much for all the information contributed so far; it prompted me to find this.
In bootloader 5.8 on the 3G, the loader signature validator is broken. Someone botched an if statement checking the location and length of the loader in the cert. Because of this, you can pass the run cert for the firmware you currently have on the phone instead of the loader cert, and send whatever you want as a loader.
Here is a bspatch file to be applied to ICE2_02.28.00.fls allowing downgrades from 2.30.03 using BBUpdaterExtreme. By replacing the patched cert with your current run cert, you can downgrade from any other version.
Unfortunately, most 3G's out there are bootloader 5.9 I was hoping, since RSA was added to the bootrom, that it would run the vulnerable ramstrapper, but I had no luck, although I didn't try that hard. I see no reason why it shouldn't work theoretically; the bootrom RSA is complicated, maybe when I finish EDA...
And dev, since you're into hashes
882B7B3E84B76125755A84FB0BE52B9D8E25284D
-----
Read More
Unfortunately most people who need to downgrade are already on the 5.9 bootloader. Geohot is "convinced theres a way to make it run the 5.8 ramloader instead of the bb in ram." Meaning unlocks for all firmware versions.
Both Geohot and the iPhone Dev-Team are looking ways of accomplishing this and hopefully in the near future those who accidentally upgraded will be able to get their unlock back!
-----
I've been off the iPhone scene for a while. A couple days ago, I got an e-mail from Chronic asking for help with the new asr. I helped out with genpass, and started reading through theiphonewiki again. Thanks so much for all the information contributed so far; it prompted me to find this.
In bootloader 5.8 on the 3G, the loader signature validator is broken. Someone botched an if statement checking the location and length of the loader in the cert. Because of this, you can pass the run cert for the firmware you currently have on the phone instead of the loader cert, and send whatever you want as a loader.
Here is a bspatch file to be applied to ICE2_02.28.00.fls allowing downgrades from 2.30.03 using BBUpdaterExtreme. By replacing the patched cert with your current run cert, you can downgrade from any other version.
Unfortunately, most 3G's out there are bootloader 5.9 I was hoping, since RSA was added to the bootrom, that it would run the vulnerable ramstrapper, but I had no luck, although I didn't try that hard. I see no reason why it shouldn't work theoretically; the bootrom RSA is complicated, maybe when I finish EDA...
And dev, since you're into hashes
882B7B3E84B76125755A84FB0BE52B9D8E25284D
-----
Read More