GeoHot Finds Bootrom Bug That Allows Bootloader Downgrade From Any Firmware Version

April 13, 2009 :: Posted by - SoSly :: Category - News


GeoHot found a bug in version 5.8 of the iPhone 3G bootloader that allowed him to downgrade the baseband.

Unfortunately, most people who need a downgrade have an iPhone with the 5.9 bootloader; on those devices the exploit cannot be fully executed, but GeoHot thinks he may be able to run the 5.8 ramloader on them.

GeoHot and the Dev Team are back, and soon all users who accidentally updated their iPhones to the 2.2.1 firmware will be able to downgrade and use Yellowsn0w.

Here are the details from GeoHot’s official blog:

“In bootloader 5.8 on the 3G, the loader signature validator is broken. Someone botched an if statement checking the location and length of the loader in the cert. Because of this, you can pass the run cert for the firmware you currently have on the phone instead of the loader cert, and send whatever you want as a loader.

Here is a bspatch file to be applied to ICE2_02.28.00.fls allowing downgrades from 2.30.03 using BBUpdaterExtreme. By replacing the patched cert with your current run cert, you can downgrade from any other version.

Unfortunately, most 3Gs out there are bootloader 5.9. I was hoping, since RSA was added to the bootrom, that it would run the vulnerable ramstrapper, but I had no luck, although I didn’t try that hard. I see no reason why it shouldn’t work theoretically; the bootrom RSA is complicated, maybe when I finish EDA…

And dev, since you’re into hashes
882B7B3E84B76125755A84FB0BE52B9D8E25284D

iDan realized a nice guide for the downgrade: you could find it here.”
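To make the flaw class GeoHot describes concrete (a signed cert that carries the loader’s location and length, and a validator whose range check is botched so that a cert for a different region, such as the run cert, is accepted), here is a simplified model added for this article. It is not the bootloader 5.8 code: the cert layout, region addresses, the HMAC standing in for the real RSA signature and the exact shape of the botched condition are all assumptions.

```python
import hashlib
import hmac
import struct

# Simplified model; names, layout and addresses are assumptions, not the real bootloader.
SIGNING_KEY = b"constructed-demo-signing-key"  # HMAC key stands in for the vendor RSA key
LOADER_REGION, LOADER_MAX = 0x1000, 0x1000      # assumed buffer the loader is received into
RUN_REGION = 0x8000                             # assumed address of the main firmware image
CERT_BODY_LEN = 8 + 20                          # location (4) + length (4) + SHA-1 digest (20)

def make_cert(location, length, payload):
    """Cert = (location, length, SHA-1 of payload) signed as one unit."""
    body = struct.pack(">II", location, length) + hashlib.sha1(payload).digest()
    return body + hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()

def verify_cert(cert):
    """Return (location, length, digest) if the cert signature is valid, else None."""
    body, sig = cert[:CERT_BODY_LEN], cert[CERT_BODY_LEN:]
    if not hmac.compare_digest(sig, hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()):
        return None
    location, length = struct.unpack(">II", body[:8])
    return location, length, body[8:]

def validate_loader_buggy(cert, mem):
    """Signature is checked, but the range test uses 'and' where 'or' was needed,
    so a validly signed cert describing any other region (the run cert) passes."""
    fields = verify_cert(cert)
    if fields is None:
        return False
    location, length, digest = fields
    if location < LOADER_REGION and location + length > LOADER_REGION + LOADER_MAX:
        return False  # can only fire for a region that both starts before and ends after the buffer
    return hmac.compare_digest(digest, hashlib.sha1(mem[location:location + length]).digest())

def validate_loader_fixed(cert, mem):
    """Hardened: the cert must describe a region that lies inside the loader buffer."""
    fields = verify_cert(cert)
    if fields is None:
        return False
    location, length, digest = fields
    if location < LOADER_REGION or location + length > LOADER_REGION + LOADER_MAX:
        return False
    return hmac.compare_digest(digest, hashlib.sha1(mem[location:location + length]).digest())

def demo():
    """Constructed flash image: signed firmware at RUN_REGION, an unsigned blob in the loader buffer."""
    mem = bytearray(0x10000)
    firmware = b"constructed firmware image"
    mem[RUN_REGION:RUN_REGION + len(firmware)] = firmware
    run_cert = make_cert(RUN_REGION, len(firmware), firmware)   # a cert for the firmware, not a loader
    mem[LOADER_REGION:LOADER_REGION + 16] = b"unsigned loader!"  # covered by no cert at all
    return validate_loader_buggy(run_cert, mem), validate_loader_fixed(run_cert, mem)
```

`demo()` returns `(True, False)`: the buggy validator accepts the run cert and never hashes the loader buffer, while the fixed one rejects it because the cert does not describe the loader region.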

Via Ispazio
