iBoot

Developer(s): Apple Inc.
Initial release: June 29, 2007
Stable release: iBoot-11881.40.163~61 (RELEASE)
Preview release: iBoot-11881.80.44~18 (RELEASE)
Operating system: Darwin, macOS, [1] iPadOS and iOS [2]
Platform: x86, ARM
Type: Boot loader
License: Proprietary software

iBoot is the stage 2 bootloader for iPhones, iPads, Apple silicon Macs, and the T2 chip in those Intel-based Macs that have one. [3] [4] Compared with its predecessor, iBoot strengthens the authentication performed at each step of the boot chain. [2]


For Intel-based Macs with a T2 chip, the boot process starts with the T2 chip running code from its boot ROM. That boot ROM loads and runs iBoot on the T2 chip; iBoot loads the bridgeOS operating system onto the T2 chip and starts it; bridgeOS loads the UEFI firmware; the UEFI firmware starts the main Intel processor and completes the Power-On Self Test. The UEFI firmware then loads boot.efi, which loads and starts the macOS kernel. [4]

For iPhones, iPads and Apple silicon Macs, the boot process starts in the device's boot ROM, immutable code that holds the Apple Root CA public key used to verify the next stage. On Apple silicon Macs, and on iPhones and iPads with A9 or earlier A-series processors, the boot ROM loads the Low-Level Bootloader (LLB), the stage 1 bootloader, which in turn loads iBoot; on devices with A10 or later A-series processors, the boot ROM loads iBoot directly. iBoot then loads and verifies the iOS, iPadOS or macOS kernel and the rest of the operating system. [5] [6] [7] Each stage verifies the next before handing over control. If the boot ROM cannot load or verify its successor, the device enters DFU (Device Firmware Update) mode; [8] if LLB or iBoot cannot load or verify theirs, startup halts and the device enters recovery mode. [2] [9]
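The chain of trust described above, as an added example that is not Apple's code and not part of the original article. It models a three-stage chain (LLB, iBoot, kernel) in which an immutable root value anchors the first link and each stage carries the expected value for its successor; a failure at the first link sends the device to DFU mode, a failure at any later link to recovery mode. The images, the FNV-1a "digest" standing in for Apple's signature verification, and the tampering helper are all constructed for the example; real stages are signed Image4 containers checked against Apple's root CA.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Where the device ends up after walking the chain. */
enum boot_result { BOOT_OK = 0, BOOT_DFU = 1, BOOT_RECOVERY = 2 };

/* One boot stage: the image as found on flash, plus the digest that the
 * signed copy of this stage carries for its successor (0 for the kernel). */
struct stage {
    const char    *name;
    const uint8_t *image;
    size_t         len;
    uint32_t       next_digest;
};

/* FNV-1a (32-bit). Constructed stand-in for Apple's signature verification;
 * it is NOT cryptographic and only exists so the example runs stand-alone. */
uint32_t digest32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* root_digest plays the part of the value baked into the immutable boot ROM.
 * stages[0] is the first mutable stage (LLB here), stages[n-1] the kernel.
 * A failure at stages[0] means the boot ROM could not verify its successor
 * (DFU); a failure at any later link means LLB/iBoot could not verify theirs
 * (recovery mode). */
enum boot_result walk_chain(uint32_t root_digest, const struct stage *stages,
                            size_t n, const char **failed_at)
{
    uint32_t expected = root_digest;
    for (size_t i = 0; i < n; i++) {
        if (digest32(stages[i].image, stages[i].len) != expected) {
            if (failed_at) *failed_at = stages[i].name;
            return i == 0 ? BOOT_DFU : BOOT_RECOVERY;
        }
        expected = stages[i].next_digest;
    }
    if (failed_at) *failed_at = NULL;
    return BOOT_OK;
}

/* Constructed sample images; real ones are signed Image4 containers. */
static const uint8_t IMG_LLB[]    = "LLB (constructed)";
static const uint8_t IMG_IBOOT[]  = "iBoot (constructed)";
static const uint8_t IMG_KERNEL[] = "kernelcache (constructed)";

/* Boot a device whose pristine images are the three above, after flipping one
 * bit in stage `tamper` (0 = LLB, 1 = iBoot, 2 = kernel, -1 = untouched). */
enum boot_result simulate_boot(int tamper, const char **failed_at)
{
    uint8_t llb[sizeof IMG_LLB], iboot[sizeof IMG_IBOOT], kern[sizeof IMG_KERNEL];
    memcpy(llb, IMG_LLB, sizeof llb);
    memcpy(iboot, IMG_IBOOT, sizeof iboot);
    memcpy(kern, IMG_KERNEL, sizeof kern);
    if (tamper == 0) llb[3]   ^= 0x01;
    if (tamper == 1) iboot[3] ^= 0x01;
    if (tamper == 2) kern[3]  ^= 0x01;

    /* Expected digests come from the pristine images, as the signer would compute them. */
    const struct stage chain[] = {
        { "LLB",    llb,   sizeof llb,   digest32(IMG_IBOOT,  sizeof IMG_IBOOT)  },
        { "iBoot",  iboot, sizeof iboot, digest32(IMG_KERNEL, sizeof IMG_KERNEL) },
        { "kernel", kern,  sizeof kern,  0 },
    };
    uint32_t root = digest32(IMG_LLB, sizeof IMG_LLB);
    return walk_chain(root, chain, sizeof chain / sizeof chain[0], failed_at);
}

int main(void)
{
    static const char *const names[] = { "boot OK", "DFU mode", "recovery mode" };
    for (int t = -1; t <= 2; t++) {
        const char *where = NULL;
        enum boot_result r = simulate_boot(t, &where);
        printf("tamper=%d -> %s (failed verifying: %s)\n", t, names[r], where ? where : "none");
    }
    return 0;
}
```

The point the walk makes explicit is that only the root value is trusted unconditionally; everything after it is trusted because the previous link vouched for it, which is why a corrupted first stage and a corrupted kernel land the device in different recovery paths.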

Once the kernel and all drivers necessary for booting are loaded, the boot loader starts the kernel’s initialization procedure. At this point, enough drivers are loaded for the kernel to find the root device. [10]

Since the Apple A7, LLB and iBoot are stored on the NAND flash of the iPhone or iPad; [11] since the Apple M1, LLB is stored on the internal SSD of Apple silicon Macs. [12]

Build styles

Each iBoot image is built in one of several build styles, named in its version string (for example "(RELEASE)"). Apple commonly uses DEVELOPMENT builds on its own hardware; these expose features that RELEASE builds do not. DEBUG and SECRET build styles are also referenced, but what they add beyond DEVELOPMENT is not publicly known.

Meanings

RELEASE - A release version, shipped to customers.

DEVELOPMENT - A build used on development hardware; it allows access to some development tools, such as the 'diags' command.

DEBUG - A build used for debugging iOS and other lower-level components.

Features

iBoot provides a command prompt when in recovery, DFU or restore mode (the prompt is also present in DEBUG builds of iBoot, though such builds have not been seen in later versions). Which commands are available depends on the type of iBoot in use, particularly its build style (RELEASE, DEVELOPMENT, DEBUG, SECRET, etc.).[citation needed]

From the prompt, the available commands control iBoot's behaviour: for example the kernel boot arguments (stored in NVRAM as the "boot-args" variable), and whether the startup command (fsboot) runs automatically when iBoot loads (known as auto-boot). [13] [14]
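What a "boot-args" line actually carries, as an added example that is neither iBoot's nor XNU's code and is not part of the original article. The parser below splits a line such as `-v debug=0x2a serial=3` into bare flags and name=value pairs, the way the kernel later consumes it, while bounding every copy and rejecting over-long or malformed input outright rather than truncating it. The field limits, the sample line and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits are assumptions for this example, not iBoot's or XNU's own. */
#define BOOT_ARGS_MAX 256
#define MAX_ARGS      32
#define NAME_MAX      32
#define VALUE_MAX     64

struct boot_arg {
    char name[NAME_MAX];
    char value[VALUE_MAX];
    bool has_value;          /* "debug=0x2a" yes, "-v" no */
};

struct boot_args {
    struct boot_arg arg[MAX_ARGS];
    size_t count;
};

/* Split a boot-args line such as "-v debug=0x2a serial=3" into tokens.
 * Every copy is bounded by the fixed field sizes; an over-long line, too many
 * tokens, or an over-long name/value is rejected with -1 rather than truncated,
 * so a malformed NVRAM value cannot silently change what the kernel receives. */
int parse_boot_args(const char *line, struct boot_args *out)
{
    if (memchr(line, '\0', BOOT_ARGS_MAX + 1) == NULL) return -1;  /* no terminator in range */
    out->count = 0;
    const char *p = line;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;        /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t') p++;  /* end of token */
        size_t toklen = (size_t)(p - start);
        if (out->count >= MAX_ARGS) return -1;

        const char *eq = memchr(start, '=', toklen);
        size_t nlen = eq ? (size_t)(eq - start) : toklen;
        size_t vlen = eq ? toklen - nlen - 1 : 0;
        if (nlen == 0 || nlen >= NAME_MAX || vlen >= VALUE_MAX) return -1;

        struct boot_arg *a = &out->arg[out->count++];
        memcpy(a->name, start, nlen);
        a->name[nlen] = '\0';
        a->has_value = (eq != NULL);
        memcpy(a->value, eq ? eq + 1 : "", vlen);
        a->value[vlen] = '\0';
    }
    return (int)out->count;
}

static const struct boot_arg *find_arg(const struct boot_args *args, const char *name)
{
    for (size_t i = 0; i < args->count; i++)
        if (strcmp(args->arg[i].name, name) == 0) return &args->arg[i];
    return NULL;
}

/* True if a bare flag such as "-v" (verbose boot) is present. */
bool boot_arg_flag(const struct boot_args *args, const char *name)
{
    return find_arg(args, name) != NULL;
}

/* Read a numeric argument. strtoull with base 0 accepts decimal and 0x-prefixed
 * hex (and, as a side effect, leading-zero octal). Returns false when the
 * argument is absent, has no value, or has trailing junk such as "0x2g". */
bool boot_arg_uint(const struct boot_args *args, const char *name, uint64_t *val)
{
    const struct boot_arg *a = find_arg(args, name);
    if (!a || !a->has_value || a->value[0] == '\0') return false;
    char *end;
    unsigned long long v = strtoull(a->value, &end, 0);
    if (*end != '\0') return false;
    *val = v;
    return true;
}

int main(void)
{
    /* Constructed sample line, as one might set with `setenv boot-args "..."`. */
    struct boot_args ba;
    int n = parse_boot_args("-v debug=0x2a serial=3 keepsyms=1", &ba);
    uint64_t dbg = 0;
    bool have_dbg = boot_arg_uint(&ba, "debug", &dbg);
    printf("%d args, verbose=%d, debug=0x%llx\n", n, (int)boot_arg_flag(&ba, "-v"),
           have_dbg ? (unsigned long long)dbg : 0ULL);
    return 0;
}
```

Rejecting rather than truncating matters here because boot-args is attacker-reachable on a device whose NVRAM can be written, and a truncated `debug=` or a flag that silently merges with its neighbour changes kernel behaviour in ways that are hard to notice.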

Memory safety

Since iOS 14, Apple has built iBoot with a modified C compiler toolchain that enforces memory safety. The modifications are designed to mitigate entire classes of common memory corruption vulnerabilities, such as buffer overflows, heap exploitation, type confusion and use-after-free bugs, so that an attacker who finds such a bug in iBoot cannot turn it into arbitrary code execution or privilege escalation. [15]
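An illustration of the bug class and the mitigation, as an added example that is not Apple's code, not from the original article, and not a description of Apple's actual toolchain changes. A bounds-checking compiler attaches bounds to pointers and inserts the checks automatically; here a bounds-carrying `span` type and the checks are written out by hand, beside the unchecked form of the same parser, so that the two can be compared on constructed inputs. The record format, the function names and the sizes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A pointer that carries its bounds. A bounds-checking compiler attaches this
 * information to ordinary pointers and inserts the checks for you; here the
 * structure and the checks are explicit. */
struct span {
    uint8_t *ptr;
    size_t   len;
};

/* Sub-range [off, off+n) of s, or false if it would leave the bounds.
 * Written as two comparisons so that off + n cannot wrap around. */
bool span_sub(struct span s, size_t off, size_t n, struct span *out)
{
    if (off > s.len || n > s.len - off) return false;
    out->ptr = s.ptr + off;
    out->len = n;
    return true;
}

/* Copy src into dst only if it fits. */
bool span_copy(struct span dst, struct span src)
{
    if (src.len > dst.len) return false;
    memcpy(dst.ptr, src.ptr, src.len);
    return true;
}

/* Constructed record format: [type:1][len:1][payload:len]. */

/* Vulnerable form: the length comes from the input and is used as-is.
 * A record claiming more bytes than `in` holds over-reads the input, and one
 * claiming more than `out` can hold overflows the output buffer. Only called
 * on honest input below; on hostile input its behaviour is undefined. */
int record_payload_unchecked(const uint8_t *in, uint8_t *out)
{
    uint8_t len = in[1];
    memcpy(out, in + 2, len);
    return len;
}

/* Hardened form: the same logic, but every access is derived from a bounded
 * span, so both bad cases are caught before any memory is touched. */
int record_payload_checked(struct span in, struct span out)
{
    struct span hdr, payload;
    if (!span_sub(in, 0, 2, &hdr)) return -1;        /* input shorter than a header */
    uint8_t len = hdr.ptr[1];
    if (!span_sub(in, 2, len, &payload)) return -1;  /* len runs past the input */
    if (!span_copy(out, payload)) return -1;         /* len runs past the output */
    return len;
}

int main(void)
{
    /* Constructed inputs: a well-formed record and one lying about its length. */
    uint8_t good[] = { 0x01, 4, 'a', 'b', 'c', 'd' };
    uint8_t lies[] = { 0x01, 200, 'x' };
    uint8_t out[16];
    struct span o = { out, sizeof out };
    printf("good: %d\n", record_payload_checked((struct span){ good, sizeof good }, o));
    printf("lies: %d\n", record_payload_checked((struct span){ lies, sizeof lies }, o));
    return 0;
}
```

The practical difference is where the failure lands: in the unchecked form a lying length field becomes a memory-corruption primitive for whoever controls the record, whereas in the checked form it becomes an error return, which is the outcome the page's cited mitigation is meant to force for the bug classes it lists.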

Source code leak incident

In 2018, a portion of the iBoot source code from iOS 9 was leaked on GitHub, covering various iPhone, iPad, iPod touch and Apple Watch models. [16] Apple then issued a DMCA copyright takedown request to GitHub to have the repository removed. An Apple employee was believed to be responsible for the leak, although Apple never confirmed this; the repository itself was published by a user named "ZioShiba".

History

iBoot-87.1, the earliest known version of iBoot running on production hardware over serial. Screenshot by mcg29 on X.

The earliest known version of iBoot is iBoot-87.1, seen on very early prototypes during the iPhone's development in 2006-2007. [17] It had much the same feature set as iBoot-99, the earliest version previously known, but lacked features that were added before the final release; it can be regarded as a first early beta of iBoot. Following the release of the original iPhone and iPhone OS 1, the first RELEASE version was iBoot-159.


References

  1. "Darwin 9.2 Source Code". Apple Inc. Archived from the original on September 21, 2020. Retrieved January 19, 2020.
  2. Ryan, Peter Y. A.; Naccache, David; Quisquater, Jean-Jacques (2016-03-17). The New Codebreakers: Essays Dedicated to David Kahn on the Occasion of His 85th Birthday. Springer. ISBN 9783662493014.
  3. Hayes, Darren R. (2014-12-17). A Practical Guide to Computer Forensics Investigations. Pearson IT Certification. ISBN 9780132756150.
  4. "Boot process for an Intel-based Mac - Apple Support". Apple Platform Security.
  5. Apple Inc. (May 2016). "iOS Security Guide" (PDF). apple.com. Archived (PDF) from the original on February 27, 2016.
  6. "Boot process for iPhone and iPad devices - Apple Support". Apple Platform Security.
  7. "Boot process for a Mac with Apple silicon - Apple Support". Apple Platform Security.
  8. "iFixit Support: DFU Restore". iFixit. Retrieved 2019-09-29.
  9. "*OS: iBoot" (PDF).
  10. "The Early Boot Process". developer.apple.com. Retrieved 2017-08-26.
  11. "LLB". The Apple Wiki. 2023-09-10. Retrieved 2024-11-27.
  12. hoakley (2021-01-14). "M1 Macs radically change boot and recovery". The Eclectic Light Company. Retrieved 2024-11-27.
  13. "iRecovery on GitHub". GitHub.
  14. "iBoot information from the Apple Wiki".
  15. "Memory safe iBoot implementation". Apple Platform Security. Apple. Retrieved 25 January 2023.
  16. "Apple confirms iPhone source code leak". BBC News. 9 February 2018.
  17. "iBoot-87.1 on the iPhone 2G by mcg29 on Twitter". 6 March 2024.