IBoot (Bootloader)

iBoot, also referred to as “iBoot second-stage loader” in the source code, is Apple's stage 2 bootloader for all of the devices. It runs what is known as Recovery Mode. It has an interactive interface which can be used over USB or serial.

Extract and Disassemble
To extract the bootloader and disassemble using IDA: "iBoot for ...., Copyright 2011, Apple Inc."  Load in IDA. Set processor to ARM. Rebase program (Edit&#8594;Segments&#8594;Rebase Program) to 0x5FF00000 (for iBoot in iOS 5). You should see something like:
 * 1) Obtain the bootloader from the iPSW. This file is in the  subdir, e.g. , where the "n81ap", "k90", etc.. are for the i-Device type
 * 2) Run xpwntool with the proper key
 * 3) Make sure the decryption was successful - if it is, you should see the following if you cat (i.e. type) the file:

ROM:5FF00000 loc_5FF00000                           ; CODE XREF: ROM:5FF00078↓j ROM:5FF00000                B       loc_5FF00040        ; Used for Reset - This is where we start ROM:5FF00004 ; --- ROM:5FF00004                LDR     PC, =sub_5FF16FB4   ; Used for Undef ROM:5FF00008 ; --- ROM:5FF00008                LDR     PC, =sub_5FF16FEC   ; Used for SWI ROM:5FF0000C ; --- ROM:5FF0000C                LDR     PC, =sub_5FF17024   ; Used for Prefabt ROM:5FF00010 ; --- ROM:5FF00010                LDR     PC, =sub_5FF17060   ; Used for DataAbt ROM:5FF00014 ; --- ROM:5FF00014                LDR     PC, =loc_5FF17098   ; Used for AddrExc ROM:5FF00018 ; --- ROM:5FF00018                LDR     PC, =loc_5FF16F24   ; Used for IRQ ROM:5FF0001C ; --- ROM:5FF0001C                LDR     PC, =sub_5FF16F6C   ; Probably FIQ, need to verify this ROM:5FF00020 ; --- ROM:5FF00020                SVCPL   0xF00040 ROM:5FF00020 ; --- ROM:5FF00024 off_5FF00024   DCD sub_5FF16FB4        ; DATA XREF: ROM:5FF00004↑r ROM:5FF00028 off_5FF00028   DCD sub_5FF16FEC        ; DATA XREF: ROM:5FF00008↑r ROM:5FF0002C off_5FF0002C   DCD sub_5FF17024        ; DATA XREF: ROM:5FF0000C↑r ROM:5FF00030 off_5FF00030   DCD sub_5FF17060        ; DATA XREF: ROM:5FF00010↑r ROM:5FF00034 off_5FF00034   DCD loc_5FF17098        ; DATA XREF: ROM:5FF00014↑r ROM:5FF00038 off_5FF00038   DCD loc_5FF16F24        ; DATA XREF: ROM:5FF00018↑r ROM:5FF0003C off_5FF0003C   DCD sub_5FF16F6C        ; DATA XREF: ROM:5FF0001C↑r ROM:5FF00040 ; --- ROM:5FF00040 ROM:5FF00040 loc_5FF00040                           ; CODE XREF: ROM:loc_5FF00000↑j ROM:5FF00040                ADR     R0, loc_5FF00000   <-- The address we rebased to ROM:5FF00044                 LDR     R1, =loc_5FF00000 ROM:5FF00048                CMP     R0, R1 ROM:5FF0004C                 CMP     R0, R1 ROM:5FF00050                 BEQ     loc_5FF0007C ... ... ROM:5FF000E8 loc_5FF000E8                           ; CODE XREF: ROM:5FF000F0↓j ROM:5FF000E8                CMP     R0, R1 ROM:5FF000EC                 STRLT   R2, [R0],#4 ROM:5FF000F0                BLT     loc_5FF000E8 ROM:5FF000F4                LDR     R0, =(_ibootStart+1) ROM:5FF000F8                MOV     LR, PC ROM:5FF000FC                 BX      R0 ; _ibootStart ROM:5FF00100 ROM:5FF00100 loc_5FF00100                           ; CODE XREF: ROM:loc_5FF00100↓j ROM:5FF00100                B       loc_5FF00100

Where iBootStart (not the official Apple Symbol, of course) can be seen at:

ROM:5FF00BA4 _ibootStart                            ; CODE XREF: ROM:5FF000FC↑p ROM:5FF00BA4                                        ; DATA XREF: ROM:5FF000F4↑o ... ROM:5FF00BA4                PUSH    {R7,LR} ROM:5FF00BA6                MOV     R7, SP ROM:5FF00BA8                 LDR     R0, =aIbootStart ; "\niBoot start\n" ROM:5FF00BAA                BL      loc_5FF233C4 ROM:5FF00BAE                MOVS    R0, #0 ROM:5FF00BB0                BL      loc_5FF16E54 ROM:5FF00BB4                BL      loc_5FF1570C ROM:5FF00BB8                BL      loc_5FF143A8 ROM:5FF00BBC                BL      unk_5FF15264 ROM:5FF00BC0                LDR     R0, =aMain      ; "main" ..

Flow of iBoot (1219 - 5.0.x)
iBoot is quite a complicated binary, which spawns several ARM tasks to enable the boot process:

- iBootStart (disassembly started above) - starts main (5FF00BCA) - which calls the main function at 5FF00C14 - main: Does the good stuff (loading the kernel, etc) starts the poweroff task (5FF00EF2) - calls (sub_5FF00FD0+1) In recovery mode (failed boot): starts command (5FF00F0A) - calls 5FF15928 starts idleoff (5FF99F2E) - calls 5FF01060

Exploits
On 2014, iH8sn0w found a very powerful iBoot exploit that allows any iDevice with an A5 or A5X chip to be jailbroken, regardless of the iOS version. He used it mainly to grab AES decryption keys. However, according to this tweet from winocm, the exploit will never go public. Once he cleans it up a bit, the decryption keys will be available here. He mentioned here that it will work on A6 and A7 chips soon, but it will require some minor modifications.

Commands used as an exploit vector

 * diags: Until 2.0 beta 6, the diags command would jump to code at the address provided to it. For example, if you sent, it would directly jump to the code at 0x9000000. There is now a check that only allows engineering devices to utilize this backdoor.
 * arm7_go: For firmware 2.1.1, the iPod touch (2nd generation) iBoot contains the ARM7 Go command, which could be used to run a payload on the ARM7 in the device.

OpeniBoot
There is an open source version of iBoot designed so that custom kernels can be run on the iPhone/iPod/iPad. You can check out the source here. It is VERY useful if you are ever reversing iBoot and do not feel like finding out what certain hardware registers are yourself. OpeniBoot currently supports all S5l8900, S5l8720, S5l8920 and S5l8930 devices. More info can be found about OpeniBoot and Linux on these devices on the iDroid-Project website.

Remappings
// N88 (3GS) 0x4FF00000 => 0x0 0x40000000 => 0xC0000000