Today saw the release of a new bootrom exploit for the iPhone 3GS, an unpatchable vulnerability which gives jailbreakers total control of this device forever.

Although the iPhone 3GS is now very much a legacy device and few users will still be actively using one, the rarity of a bootrom exploit makes it worthy of note. There has been no publicly released exploit of this kind since limera1n, which supported devices only up to the iPhone 4 (the A4 generation).

Released by Twitter user axi0mX, the exploit is called alloc8 and makes use of a vulnerability in the bootrom's malloc function. The details of the exploit and how it works can be found on axi0mX's GitHub page, where there is a comprehensive write-up. The majority of the write-up went over my head, but it may prove invaluable to those trying to increase their knowledge of iOS exploitation and jailbreaking in general.

The original iPhone 3GS had a vulnerability in the bootrom which was exploited by 24Kpwn. Because the bootrom is the first code the device runs and the root of its chain of trust, an exploit against it gives total control over upgrading, downgrading, untethered jailbreaking and installing custom firmwares, which is why such bugs are considered incredibly serious by Apple and incredibly valuable by developers. The bootrom is read-only memory baked into the chip, so it cannot be fixed by any software measure or firmware update; the only remedy is a new hardware revision, and every unit already sold stays vulnerable for its lifetime. No recent jailbreak has made use of such a vulnerability, and none has been made public for any device newer than the iPhone 4. 24Kpwn was sufficiently worrying to Apple that they actually released a refresh of the iPhone 3GS halfway through its release cycle, with a new bootrom that closed the hole.

This new exploit works on both the old and new revisions of the iPhone 3GS bootrom, and because Apple can neither patch the bootrom in the field nor is it going to release another hardware revision of a discontinued device, the 3GS is now permanently pwned. Doubtless this will mean little to the majority of people for whom the 3GS is now a distant memory, but it could allow for more research to be done into the iPhone's early boot components, and even if not, it is a very impressive feat.

There have already been reports of the exploit in action, one outcome being a downgrade to an arbitrary iOS version without saved SHSH blobs, since a bootrom exploit sidesteps the signature checks that normally make blobs necessary. I'm sure tinkerers everywhere will enjoy trying out this powerful new release if they have a 3GS lying around. Apparently, while alloc8 works on both revisions of the 3GS, the older 24Kpwn exploit is faster on the old bootrom.

Congratulations are in order to axi0mX for this rare achievement, even if we can all lament that this exploit was not for a current device family, as a bootrom exploit for a new device would be an event unheard of in the jailbreak community since limera1n. axi0mX is also responsible for the apticket-nonce-checker tool which I mentioned recently, which is useful for checking the validity of your blobs for use with the Re-restore tool. Clearly, he's been busy of late.

Do you still have an iPhone 3GS lying around which you could try this exploit out on? Do you think we’ll ever see another publicly-released bootrom exploit for current devices?

  • Diego Milano

    While this wasn’t my first iOS device per se, it certainly was my first iPhone.

    • Mr_Coldharbour

      Likewise. I remember how excited I was with the 3GS and after jailbreaking it with blackra1n and then limera1n, it was one of my most exciting and fun times with tech, ever.

      • Diego Milano

        Total-effing-ly! I can’t second this more! blackra1n… *tears*

  • burge

I've got two 3GSs and they're going to be tested, especially if I can downgrade back to iOS 3.

    • Joaquim Barbosa

      It should let you upgrade/downgrade as you please without blobs. Good luck, let me know how it goes!

  • Marc Hilberer

    How can I install it?

    • Joaquim Barbosa

      The GitHub page describes the process I believe. It uses another tool on his GitHub, which includes alloc8 as one of the steps. You’ll have to read up on it a bit more though I think:

      https://github.com/axi0mX/ipwndfu

      Cheers!

      • Marc Hilberer

        Thank you, will try it later.

  • Dexter SherloConan

    My iPhone 3GS in collection has old bootrom (manufactured before Week 41), MC136 LL/A (white, 16G), A1303, modem 05.13.04, and is on iPhone OS 3.1.3.

    • Joaquim Barbosa

      This exploit will work for the old bootrom, but apparently the existing exploit is faster in your case. Nice legacy device you’ve got going there…

  • Martynet

I still use mine for my second SIM. Works great. And I also use it every year for a couple of weeks, when I sell my main iPhone and am waiting for the new model to arrive. https://uploads.disquscdn.com/images/ef16392f228ea1427e03a7aa68ae93733baf9adc12880e214f8bfe1ff0c5211d.jpg

    • Jay Dee

      Nice. Which iOS version is it on?

      • Martynet

        6.1.6

  • HamptonWalley

A guide on how to downgrade to iOS 3?

  • Keaton Burleson

    Works great here on my end. 3.1.2 on a 3G[s] that shipped with iOS 5 is something funny. https://uploads.disquscdn.com/images/00cd6ee433112dcc6ec9d2354ee6bf8f073cf709b80d386aa3b1234dde637f36.jpg

  • Chris Ryan

I have a 3GS in my desk drawer… what would be the benefit of restoring it to iOS 3 as others seem to be doing?

  • Wanted to try this but my iPhone 3gs just dies a lot for no reason at all.