| iBoot | |
|---|---|
 | |
| Developer | Apple Inc. |
| Initial release | June 29, 2007 |
| Stable release | iBoot-11881.80.57~171 (RELEASE, iOS 18.3 RC and iOS 18.3.1) |
| Preview release | iBoot-11881.80.57~107 (RELEASE, iOS 18.3 beta 1) |
| Operating system | Darwin,macOS,[1]iPadOS andiOS[2] |
| Platform | x86,ARM |
| Type | Boot loader |
| License | Proprietary software |
iBoot is the stage 1 and stage 2bootloader foriPhones,iPads,Apple silicon-based Macs, and theT2 chip in Intel-basedMacs with such a chip.[3][4] Compared with its predecessor, iBoot improves authentication performed in the boot chain.[2]
For Intel-based Macs with a T2 chip, the boot process starts by running code on the T2 chip from theboot ROM. That boot ROM loads and runs iBoot onto the T2 chip; iBoot loads thebridgeOS operating system onto the T2 chip and starts it; bridgeOS loads theUEFI firmware; UEFI firmware starts the main Intel processor and completes thePower-On Self Test process. The UEFI firmware loads boot.efi, which loads and starts the macOS kernel.[4] For Intel-based Macs with a T2 chip, the UEFI firmware may be callediBoot UEFI.
For iPhones, iPads, and Apple silicon-based Macs, the boot process starts by running the device's boot ROM, which is integrated into the device'sSoC. On iPhones and iPads withA9 or earlier A-series processors, the boot ROM loads theLow-Level Bootloader (LLB), which is the stage 1 bootloader and loads iBoot, and LLB is stored on an EEPROM; on iPhones and iPads with A10 or later processors, as well as Apple silicon Macs, the boot ROM loads iBoot, and LLB and iBoot are stored on NAND flash or internal SSD, which is a NOR-less boot flow.[5][6] If all goes well, iBoot will then proceed to load theiOS,iPadOS ormacOS kernel as well as the rest of the operating system.[7][8][9] If iBoot fails to load or fails to verify iOS, iPadOS or macOS, the bootloader jumps to DFU (DeviceFirmwareUpdate)[10] mode; otherwise it loads the remainingkernel modules. Forarm64 devices with iBoot, it will "jump" to the kernelcache (the kernel itself wrapped in the Image4 format), and boot off of it.[2][11]
Once the kernel and all drivers necessary for booting are loaded, the boot loader starts the kernel's initialization procedure. At this point, enough drivers are loaded for the kernel to find the root device.[12]
 | This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "IBoot" – news ·newspapers ·books ·scholar ·JSTOR(July 2025) (Learn how and when to remove this message) |
According to the leaked iBoot source code (from February 7, 2018),[13] in apps/iBoot/iBoot.mk, defines the valid build styles as "RELEASE", "DEVELOPMENT", "DEBUG", and "SECRET" when building a copy of iBoot.[citation needed] These build styles define specific information when the bootloader is compiled, such as adding more debugging commands for finding issues on a developmental device, or performing hardware tests using the iBoot command prompt over serial.
RELEASE - A release version
DEVELOPMENT - A build that is used on developmental hardware, allows access to some developmental tools, such as the 'diags' command.
DEBUG - A build used for debugging iOS and other lower-level components
iBoot features a command prompt when in recovery, DFU, or restore mode (it is also in "DEBUG" builds of iBoot, but was never seen in future builds). Command availability depends on the type of iBoot being used, especially the build style (can be RELEASE, DEVELOPMENT, DEBUG, SECRET, etc.).[citation needed]
When using iBoot's command prompt, the included commands are used to manage the behaviour, such as its boot arguments (internally called the "boot-args" in the NVRAM), or if the startup command (fsboot) should be used when iBoot is automatically loaded (known as auto-boot).[14][15]
Apple has modified theC compilertoolchain that is used to build iBoot in order to advancememory safety sinceiOS 14. This advancement is designed to mitigate entire classes of common memory corruption vulnerabilities such asbuffer overflows,heap exploitations,type confusion vulnerabilities, anduse-after-free attacks. These modifications can potentially prevent attackers from successfullyescalating their privileges to run malicious code, such as an attack involvingarbitrary code execution.[16]
In 2018, a portion of iBoot source code foriOS 9 was leaked onGitHub for variousiPhone,iPad,iPod touch, andApple Watch models,[17] Apple then issued a copyright takedown request (DMCA) to GitHub to remove the repository. It was believed an Apple employee was responsible for the leak. However, this was not confirmed by Apple. It is known that a user by the name of "ZioShiba" was responsible for the publication of the iBoot source code.
The earliest known version of iBoot was iBoot-87.1, seen on very early prototypes during the iPhone's production in 2006–2007.[18] It had the same features as the first known version of iBoot (iBoot-99), except it not having features before the final release. This version of iBoot could be considered the "first early beta" of iBoot. Following the release of theiPhone 2G andiPhone OS 1, the first release iBoot version was iBoot-159.
| Processes |  | ||||||
|---|---|---|---|---|---|---|---|
| Bootingfirmware |
| ||||||
| Hybrid firmware bootloader | |||||||
| Bootloaders |
| ||||||
| Partition layouts | |||||||
| Partitions | |||||||
| Utilities |
| ||||||
| Network boot | |||||||
| ROM variants | |||||||
| Related | |||||||
