Bootrom

From The Apple Wiki

The BootROM (called "SecureROM" by Apple) is the first significant code that runs on an iDevice, and it is read-only. Finding an exploit at the BootROM level is a big achievement, since Apple cannot fix it without a hardware revision.

However, the attack surface of the BootROM is very small, which makes such vulnerabilities very difficult to find. As a result, only two have been made public in the last 10 years: alloc8 and checkm8 (both from Axi0mX).

Old & New bootrom

Certain models, including the iPod touch (2nd generation) and iPhone 3GS, exist with two different bootrom versions, most commonly referred to as "old bootrom" and "new bootrom". The "new bootrom" devices were released after 9 September 2009 and have the 0x24000 Segment Overflow fixed. While the new bootrom revisions were relatively quickly found to be vulnerable to the tethered limera1n Exploit, which could be paired with firmware exploits for an untethered jailbreak, it took many years for the untethered alloc8 Exploit to be discovered.

You might instead be looking for Apple's stage 2 bootloader, which also uses the "iBoot" name.

Checking the CPRV (Chip Revision) tag will usually also tell you whether a device is a new-bootrom unit or not.

Finding bootrom version

From the model number (iPod touch (2nd generation))

If the second character of your Model Number is "B" (e.g. FB533, MB533, or PB533), your iPod has the old bootrom. If the second character is "C" (e.g. FC086, MC086, or PC086), your iPod has the new bootrom.

From the serial number (iPhone 3GS)

The third digit of the serial number identifies the year of manufacture (9=2009, 0=2010, 1=2011, 2=2012), while the fourth and fifth digits indicate the week. There is a gray area between week 40 of 2009 (??940??????) and week 45 of 2009 (??945??????) where some devices have the new bootrom whilst others have the old bootrom. Any iPhone made after week 45 of 2009 (??945?????? and higher, or ??0???????? serials) has the new bootrom.

From the DFU Device descriptors (all devices except S5L8900)

Windows

  1. Connect Device & Enter DFU Mode
  2. Open Device Manager, find USB controller, subitem Apple Mobile Device USB Driver
  3. Right-Click & click Properties
  4. Go to Details tab & select Device Instance Path in the dropdown box
  5. The end of the info string will show the bootrom version

Mac OS X

  1. Connect Device & Enter DFU Mode
  2. Go to System Profiler, and under the Hardware category, go to USB, and click on Apple Mobile Device (DFU Mode)
  3. The end of the Serial Number string will show the bootrom version in brackets (e.g. [iBoot-574.4])

Linux

  1. Make sure your distribution has usbutils installed. (most distributions have it by default)
  2. Connect Device & Enter DFU Mode
  3. In terminal, run sudo lsusb -v
  4. Find the line that says iSerial; your bootrom version will be at the end of that line.
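The three identification rules above (the second character of an iPod touch (2nd generation) model number, the year/week digits of an iPhone 3GS serial number, and the bracketed iBoot tag at the end of the DFU iSerial string) as one added Python example. This is not code from The Apple Wiki or from any Apple tool. The lsusb output and the KEY:VALUE tag layout of the descriptor string ahead of the bracketed tag are constructed for the example, and the exact week-45 boundary (treated here as new bootrom, following the "??945?????? and higher" wording) is an assumption.

```python
import re
from typing import Dict, Optional

# --- iPod touch (2nd generation): model-number rule -------------------------
# Second character "B" (FB533, MB533, PB533) = old bootrom,
# "C" (FC086, MC086, PC086) = new bootrom.
def ipod2g_bootrom_from_model(model: str) -> str:
    model = model.strip().upper()
    if len(model) < 2:
        return "unknown"
    return {"B": "old", "C": "new"}.get(model[1], "unknown")


# --- iPhone 3GS: serial-number rule -----------------------------------------
# Third character = year of manufacture, fourth and fifth = week number.
YEAR_BY_CHAR = {"9": 2009, "0": 2010, "1": 2011, "2": 2012}

def iphone3gs_bootrom_from_serial(serial: str) -> str:
    """Return "old", "new", "gray" (weeks 40-44 of 2009, mixed batch) or "unknown"."""
    serial = serial.strip().upper()
    if len(serial) != 11 or serial[2] not in YEAR_BY_CHAR or not serial[3:5].isdigit():
        return "unknown"
    year = YEAR_BY_CHAR[serial[2]]
    week = int(serial[3:5])
    if year > 2009:
        return "new"      # ??0???????? and later serials
    if week < 40:
        return "old"
    if week < 45:
        return "gray"     # mixed batch: confirm via the DFU descriptor instead
    return "new"          # ??945?????? and higher (assumption: week 45 counts as new)


# --- DFU device descriptor: iSerial string ----------------------------------
# The bootrom tag is the bracketed "[iBoot-xxx.y]" at the end of the string;
# "KEY:VALUE" tags such as CPRV precede it (layout assumed for this example).
TAG_RE = re.compile(r"(\w+):(\S+)")
IBOOT_RE = re.compile(r"\[(iBoot-[0-9.]+)\]\s*$")

def parse_dfu_serial(descriptor: str) -> Dict[str, str]:
    """Split the iSerial string into its tags and pull out the iBoot version."""
    info = {key: value for key, value in TAG_RE.findall(descriptor)}
    match = IBOOT_RE.search(descriptor)
    if match:
        info["bootrom"] = match.group(1)
    return info

def bootrom_from_lsusb(lsusb_output: str) -> Optional[str]:
    """Find the iSerial line in `lsusb -v` output and return the iBoot tag."""
    for line in lsusb_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("iSerial"):
            parts = stripped.split(None, 2)   # "iSerial", string index, string
            if len(parts) == 3:
                return parse_dfu_serial(parts[2]).get("bootrom")
    return None

# Constructed sample of `sudo lsusb -v` output for a device in DFU mode.
# The ECID is a placeholder; the tag order is assumed.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)
Device Descriptor:
  idVendor           0x05ac Apple, Inc.
  idProduct          0x1227 Mobile Device (DFU Mode)
  iManufacturer           1 Apple Inc.
  iProduct                2 Apple Mobile Device (DFU Mode)
  iSerial                 3 CPID:8920 CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:0000000000000000 IBFL:00 SRTG:[iBoot-574.4]
"""

if __name__ == "__main__":
    print("MB533 ->", ipod2g_bootrom_from_model("MB533"))
    print("MC086 ->", ipod2g_bootrom_from_model("MC086"))
    for s in ("88939XXXXXX", "88942XXXXXX", "88945XXXXXX", "88002XXXXXX"):
        print(s, "->", iphone3gs_bootrom_from_serial(s))
    info = parse_dfu_serial("CPID:8920 CPRV:15 SRTG:[iBoot-574.4]")
    print("CPRV", info["CPRV"], "bootrom", info["bootrom"])
    print("lsusb ->", bootrom_from_lsusb(SAMPLE_LSUSB))
```

The serial-number check deliberately reports "gray" rather than guessing for the mixed 2009 batch, so the caller falls back to the DFU descriptor, which is the only authoritative source on devices that support it.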

Dumping the bootrom

You can use Bootrom Dumper Utility by pod2g to dump the bootrom on devices that are vulnerable to the Limera1n Exploit.

ipwndfu can be used to dump the BootROM on devices vulnerable to checkm8.

Bootrom Exploits

Revisions

S5L8900, used in the iPhone, iPod touch, and iPhone 3G

see also VROM (S5L8900)

S5L8720, used in the iPod touch (2nd generation)

S5L8747, used in the Haywire

S5L8920, used in the iPhone 3GS

S5L8922, used in the iPod touch (3rd generation)

S5L8930, used in the iPad, iPhone 4, Apple TV (2nd generation), and iPod touch (4th generation)

S5L8940, used in the iPad 2 and iPhone 4S

S5L8942, used in the iPad 2 (iPad2,4), Apple TV (3rd generation) (AppleTV3,1), iPod touch (5th generation), and iPad mini

S5L8945, used in the iPad (3rd generation)

S5L8947, used in the Apple TV (3rd generation) (AppleTV3,2)

S5L8950, used in the iPhone 5 and iPhone 5c

S5L8955, used in the iPad (4th generation)

S5L8960/S5L8965, used in the iPhone 5s, iPad Air, iPad mini 2, and iPad mini 3

T7000, used in the Apple TV HD, HomePod, iPad mini 4, iPhone 6, iPhone 6 Plus, and iPod touch (6th generation)

T7001, used in the iPad Air 2

S7002, used in the Apple Watch (1st generation)

S8000, used in the iPad (5th generation), iPhone 6s, iPhone 6s Plus and iPhone SE

S8001, used in the iPad Pro (12.9-inch) and iPad Pro (9.7-inch)

T8002, used in the Apple Watch Series 1, Apple Watch Series 2, and T1 MacBook Pros

S8003, used in the iPad (5th generation), iPhone 6s, iPhone 6s Plus and iPhone SE

T8004, used in the Apple Watch Series 3

T8006, used in the Apple Watch Series 4, Apple Watch Series 5 and Apple Watch SE

T8010, used in the iPad (6th generation), iPad (7th generation), iPhone 7, iPhone 7 Plus and iPod touch (7th generation)

T8011, used in the iPad Pro (10.5-inch), iPad Pro (12.9-inch) (2nd generation), and Apple TV 4K

T8015, used in the iPhone 8, iPhone 8 Plus, and iPhone X

T8012, used in the iMac Pro and other T2 based Macs

T8020, used in the iPad (8th generation), iPad Air (3rd generation), iPad mini (5th generation), iPhone XR, iPhone XS, and iPhone XS Max

T8027, used in the iPad Pro (11-inch), iPad Pro (12.9-inch) (3rd generation), iPad Pro (11-inch) (2nd generation), and iPad Pro (12.9-inch) (4th generation)

T8030, used in the iPad (9th generation), iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, and iPhone SE (2nd generation)

T8101, used in the iPad Air (4th generation), iPhone 12 mini, iPhone 12, iPhone 12 Pro, iPhone 12 Pro Max, and iPad (10th generation)

T8301, used in the Apple Watch Series 6, Apple Watch Series 7, Apple Watch Series 8, Apple Watch SE (2nd generation), and Apple Watch Ultra

T8103, used in the iPad Pro (11-inch) (3rd generation), iPad Pro (12.9-inch) (5th generation), M1 Macs, and iPad Air (5th generation)

T6000, T6001, and T6002, used in the MacBook Pro (14-inch, 2021), MacBook Pro (16-inch, 2021), and Mac Studio (2022)

T8110, used in the iPad mini (6th generation), iPhone 13 mini, iPhone 13, iPhone 13 Pro, iPhone 13 Pro Max, iPhone 14, iPhone 14 Plus, and Apple TV 4K (3rd generation)

T8112, used in the iPad Pro (11-inch) (4th generation), iPad Pro (12.9-inch) (6th generation), and M2 Macs

T6020, T6021, and T6022, used in the MacBook Pro (14-inch, 2023), MacBook Pro (16-inch, 2023), Mac mini (2023), Mac Studio (2023), and Mac Pro (2023)

T8120, used in the iPhone 14 Pro, iPhone 14 Pro Max, iPhone 15, and iPhone 15 Plus

T8122, used in the iMac (24-inch, 2023), and the MacBook Pro (14-inch, Nov 2023) (M3)

T6030, used in the MacBook Pro (14-inch, Nov 2023) and MacBook Pro (16-inch, Nov 2023)

T6031, used in the MacBook Pro (14-inch, M3 Max, Nov 2023) and MacBook Pro (16-inch, M3 Max, Nov 2023)

T8130, used in the iPhone 15 Pro and iPhone 15 Pro Max
