iPhone Dev Team
October 14 2009
Apple has started shipping devices with bootroms not vulnerable to previous exploits. So far, these devices include at least the iPod touch 3G. They also likely include the new 8GB iPod touch 2G [see Update #1] and very recent versions of the iPhone 3GS. For these devices, even though an iBoot exploit can make your filesystem jailbroken, the device itself is not bootable after that point without being “tethered” to something like a computer.
Up until the 24Kpwn exploit was made public, the iPod touch 2G used a tethered jailbreak. Here are some videos that illustrate the evolution of the tethered jailbreak:
While requiring a computer, DEFCON badge, or TI-84 calculator to assist an iPod boot is mostly just an inconvenience, requiring the same thing for an iPhone reboot is a major hassle. It means you won't be able to use your iPhone as a cellphone until you can perform the tethered boot. Every time your battery runs out or your system resets due to a software bug or memory exhaustion, you'd need to do a tethered boot to use your phone again.
In order to overcome this obstacle on these very recent devices, a new bootrom exploit will need to be found.
We can now confirm that the new 8GB iPod touch is not vulnerable to 24Kpwn. It took just 6 bytes for Apple to fix this:
load_module+16  43 68   LDR  R3, [R0,#bdevImg.totalSize]
load_module+18  9A 42   CMP  bufsize, R3
load_module+1A  13 D3   BCC  FAIL
find_named_image(illb):
000100d8 00024100 696c6c62 696d6733
dataSize totalSize illb     img3
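The three patched instructions above amount to one unsigned comparison: if the buffer is smaller than the image's totalSize, refuse to load. The C below is an added example (not the Dev Team's code and not Apple's bootrom) that models that check; the header layout, magic constants and buffer sizes are constructed from the dump, and the two guards marked "assumed" are extra checks the disassembly does not show.

```c
#include <stdint.h>
#include <string.h>

/* Simplified img3-style header, constructed for this example. The field order
 * follows the labels in the dump above, not Apple's exact on-flash layout. */
typedef struct {
    uint32_t dataSize;   /* payload bytes inside the image */
    uint32_t totalSize;  /* whole image, header included */
    uint32_t ident;      /* "illb" */
    uint32_t magic;      /* "img3" */
} bdev_img_hdr;

#define IMG_MAGIC 0x696d6733u  /* "img3" as it appears in the dump */
#define IMG_IDENT 0x696c6c62u  /* "illb" */

/* Patched loader: copies one image from flash into dst (bufsize bytes).
 * Returns 0 on success, -1 when the image must be rejected. The bufsize test is
 * the six-byte fix: LDR totalSize / CMP bufsize, R3 / BCC FAIL. */
int load_module_checked(const uint8_t *flash, size_t flash_len,
                        uint8_t *dst, uint32_t bufsize) {
    bdev_img_hdr h;
    if (flash_len < sizeof h) return -1;
    memcpy(&h, flash, sizeof h);
    if (h.magic != IMG_MAGIC || h.ident != IMG_IDENT) return -1;
    if (bufsize < h.totalSize) return -1;          /* the added bounds check */
    if (h.totalSize < sizeof h || h.totalSize > flash_len) return -1; /* assumed */
    if (h.dataSize > h.totalSize - sizeof h) return -1;              /* assumed */
    memcpy(dst, flash, h.totalSize);
    return 0;
}

/* Builds a constructed image with the given sizes; returns bytes written or 0. */
size_t make_image(uint8_t *out, size_t cap, uint32_t dataSize, uint32_t totalSize) {
    bdev_img_hdr h = { dataSize, totalSize, IMG_IDENT, IMG_MAGIC };
    if (totalSize < sizeof h || totalSize > cap) return 0;
    memset(out, 0, totalSize);
    memcpy(out, &h, sizeof h);
    return totalSize;
}

/* Uses the dataSize/totalSize values shown in the dump (0x100d8 / 0x24100)
 * and reports what the patched loader decides for a buffer of bufsize bytes. */
int check_with_buffer(uint32_t bufsize) {
    static uint8_t flash[0x30000];
    static uint8_t dst[0x30000];
    size_t n = make_image(flash, sizeof flash, 0x100d8u, 0x24100u);
    if (n == 0 || bufsize > sizeof dst) return -2;
    return load_module_checked(flash, n, dst, bufsize);
}
```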
Given how small the fix is, it seems likely that it was also applied to that updated bootrom of very recent iPhone 3GS devices. We'll be able to confirm this once we have an actual one of those in hand.
Confirmation that the new 8GB iPod touch can at least be jailbroken in tethered mode. This device doesn't require personalized img3 files in the way that the iPhone 3GS and iPod touch 3G do. For this reason, it will “always” be jailbreakable (no need to rush and get your ECID signed hashes like you do for the 3GS and ipt3G). But for the foreseeable future, it will be a tethered jailbreak only.