Conclusive proof that there is no way to (accidentally) brick s5l8900

In the process of experimenting with NOR, I did a pretty lulzy thing. Remember what I said earlier about the memory controller possibly ignoring the first 4 bits? Well, the NOR controller ignores the top 12 bits, since it's only 1 MB in total size. This makes a lot of sense. All the designers have to do is basically not wire up part of the address bus. So whether you try to address 0x0 or 0x100000 on the NOR, it looks the same to it.

The question came about because I attempted to add too many images to NOR; a few 140 KB iBoot images can add up pretty quickly. The last one I added ended up spilling into the range reserved for NVRAM (at the end of NOR) and then "wrapped around" to overwrite SysCfg, IMG2, and part of the LLB. =P

Hahaha, that's the equivalent of shooting yourself simultaneously in all vital organs. SysCfg stores your SERIAL NUMBER and other special, irreplaceable pieces of information. The NVRAM contains information iBoot needs to boot up the kernel. The LLB is the thing that securebl tries to load in order to access everything else on NOR and bootstrap iBoot. As the coup de grace, IMG2 contains information that allows the LLB and iBoot to find where the Img2 data starts, so that they can be loaded. This mistake was basically the equivalent of erasing the whole NOR: every single piece of information on it was rendered useless. :P
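The address aliasing and the wraparound accident described above, replayed in a small C model. This is an added example, not code from this post or from iPhoneLinux: the 1 MB NOR array, the region names, the region offsets (LLB, IMG2 and SysCfg near the start, NVRAM at the end), and the function names are all assumptions made for illustration. The unchecked write models what the controller does when the top 12 address bits are ignored; the checked write is the bounds and reserved-region test a NOR driver would want before committing an image.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 1 MB NOR whose controller ignores the top 12 address
 * bits, as the post describes: the physical offset is just addr & NOR_MASK. */
#define NOR_SIZE 0x100000u
#define NOR_MASK (NOR_SIZE - 1u)

static uint8_t nor[NOR_SIZE];

/* Assumed layout for illustration only; the real offsets are not on the page.
 * NVRAM sits at the end of NOR, the others near the start, as in the post. */
typedef struct { const char *name; uint32_t start; uint32_t len; } region_t;
static const region_t reserved[] = {
    { "LLB",    0x00000u, 0x08000u },
    { "IMG2",   0x08000u, 0x02000u },
    { "SysCfg", 0x0A000u, 0x02000u },
    { "NVRAM",  0xFC000u, 0x04000u },
};
#define NUM_RESERVED (sizeof reserved / sizeof reserved[0])

/* Unchecked write: models the hardware. Bytes past the end alias back to 0. */
void nor_write_unchecked(uint32_t addr, const uint8_t *buf, uint32_t len) {
    for (uint32_t i = 0; i < len; i++)
        nor[(addr + i) & NOR_MASK] = buf[i];
}

uint8_t nor_read(uint32_t addr) { return nor[addr & NOR_MASK]; }

/* Name of the first reserved region overlapping [start, start + len), or NULL. */
const char *nor_overlaps_reserved(uint32_t start, uint32_t len) {
    for (size_t i = 0; i < NUM_RESERVED; i++) {
        const region_t *r = &reserved[i];
        if (start < r->start + r->len && r->start < start + len)
            return r->name;
    }
    return NULL;
}

/* Guarded write. Refuses, without touching the part, anything that starts
 * outside NOR, would run past the end (and so wrap), or touches a reserved
 * region. Returns 0 on success, -1 for bounds/wrap, -2 for a reserved region. */
int nor_write_checked(uint32_t addr, const uint8_t *buf, uint32_t len) {
    if (addr >= NOR_SIZE || len == 0 || len > NOR_SIZE - addr)
        return -1;
    if (nor_overlaps_reserved(addr, len) != NULL)
        return -2;
    memcpy(nor + addr, buf, len);
    return 0;
}

/* Convenience for experiments: checked write of `len` 0xFF bytes at `addr`. */
int try_checked_write(uint32_t addr, uint32_t len) {
    static uint8_t scratch[0x23000];       /* 140 KB, the size of an iBoot image */
    if (len > sizeof scratch) return -3;
    memset(scratch, 0xFF, len);
    return nor_write_checked(addr, scratch, len);
}

/* Replays the accident in the model: a 140 KB image written at 0xE8000 runs
 * past 0xFFFFF, wraps, and lands on the regions at the start. Returns how many
 * reserved regions lost their marker byte. */
int demo_unchecked_wrap(void) {
    static uint8_t image[0x23000];
    memset(nor, 0, sizeof nor);
    for (size_t i = 0; i < NUM_RESERVED; i++)
        nor[reserved[i].start] = 0xA5;     /* marker at the head of each region */
    memset(image, 0xFF, sizeof image);
    nor_write_unchecked(0xE8000u, image, sizeof image);
    int clobbered = 0;
    for (size_t i = 0; i < NUM_RESERVED; i++)
        if (nor[reserved[i].start] != 0xA5) clobbered++;
    return clobbered;
}

/* The alias itself: 0x100000 and 0x0 are the same byte to this controller. */
bool demo_alias(void) {
    uint8_t v = 0x42;
    nor_write_unchecked(0x100000u, &v, 1);
    return nor_read(0x0u) == 0x42;
}

int main(void) {
    printf("regions clobbered by unchecked wrap: %d of %zu\n",
           demo_unchecked_wrap(), NUM_RESERVED);
    printf("0x100000 aliases 0x0: %s\n", demo_alias() ? "yes" : "no");
    printf("checked write at 0xE8000: %d\n", try_checked_write(0xE8000u, 0x23000u));
    printf("checked write at 0x0A000: %d\n", try_checked_write(0x0A000u, 0x100u));
    printf("checked write at 0x10000: %d\n", try_checked_write(0x10000u, 0x23000u));
    return 0;
}
```

In the model, the unchecked 140 KB write starting at 0xE8000 runs into NVRAM, wraps to offset 0, and overwrites the markers of all four regions, which is the same failure the post describes; the checked variant rejects that write as a wrap (-1), rejects a write aimed at SysCfg (-2), and accepts the same image at 0x10000 because that range touches nothing reserved.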

Luckily, as the first test of my NOR driver, I had made a dump of my original NOR, so I was able to restore the SysCfg information. The interesting bit about all this is that you don't even have to do a restore and lose all your data on the NAND, if you're clever. What I did was let iTunes talk to DFU mode to get into an iBoot. The iPhone actually has a pretty standard DFU mode, as defined by the USB standard. It reports itself as having the correct class, and OpenMoko's dfu-util manages to do, well, something with it. It successfully uploads the iBSS 8900 file (looking at a USB dump, it looks like just the whole file with the 8900 header, signatures, certificates, etc.) but reports that the firmware is corrupted. So at least it seems to use standard state indicators, etc. However, since I couldn't get dfu-util to work, I just used iTunes and pulled the cable out right after it finishes uploading the iBSS. DFU mode doesn't actually change the NOR, it just loads iBSS into memory and executes it. So after this process is finished, iBSS will be loaded and you can connect to it via iBooter.

If you pulled out the cable just a little too late, you can even see the commands iTunes executed on iBSS in the scrollback, like setpicture and bgcolor. =P

Using the loaded 1.1.4 iBSS, you can bootstrap the necessary actions to restore your NVRAM from scratch. I will talk about that in more detail in a future post. But the point is, even if you completely kill your "bootloader", and indeed everything you can possibly write to on the iPhone, you can still get things back to normal. :)

Unfortunately, I probably won't have a chance to work on iPhoneLinux stuff much this week. I have already been activated by the Dev Team because you-know-what is happening. Time to hax.