» February 19th, 2009
First action
That Monday was very interesting! Slavic-language iPhone users helped to find one bug with unicode processing and pointed out a lack of help on the registration process. I have fixed both.
Some users asked to make a common installation or place where they can share codes. I like that you need it. Actually, I had planned to do it later, but now I have to change my mind.
Then, I got comments from the Semacode group. The main difference between our projects is that I try to build e-ticketing or mobile commerce documents and I'm not so interested in simple code recognition. Therefore, I need a small and reliable code that can be decoded by the majority of phones, not the iPhone only. For that purpose I cannot use textual data or encode URLs as text. I can rely on a short and well-defined string of digits.
Also, I want to make each code dynamic but not seal it immediately after publication.
» February 19th, 2009
Infineon, we have a problem
The 3G bootloader is sig checked by the bootrom. So even removing the NOR and patching the bootloader (to remove the main fw sig checks) and the main firmware doesn't work for an unlock. Big thanks to TA_Mobile for dumping the NOR and confirming this. You have some real skills. The X-Gold 608 is the chip used. The lame "datasheet" Infineon gives us mentions ARM, RSA and the secure bootrom. So we have a real problem. Even if we find unsigned code execution, which wasn't done for the previous two bootloaders in software (we used tricks to play with the NOR), we still can't unlock.
Even though the bootloader isn't easy to dump, there's really nothing here. This bootloader doesn't have any of the interactive mode functions, just a stub which is very similar to the old bootrom (but with sig checking). The interactive loader is tacked on to the end of all fls and eep files, and is loaded at 0x86000. BBUpdaterExtreme contains various ramloaders as well, but I doubt the one used is from the update file itself. You do not need the bootloader to work on the baseband, you just need the files off the ramdisk. Also interesting to note, the 2 RSA keys the bootloaders use haven't changed since 3.9 or 4.6, so you have these too.
Killing CommCenter on 2.0 kills the wi-fi, which will make working with the baseband a bit harder. Entering interactive mode is now done with a call to the kernel to raise an I/O pin before resetting.
The first step to tackling this is dumping the bootrom. We need some exploit, I don't care where, to dump arbitrary memory. Then we can dump 0x400000, which is the new "secure" bootrom.
» February 19th, 2009
LCD driver done?
I had a lot of trouble getting the LCD driver to work. Everything seems to be fine except that when I try to write to the memory address range reserved for the LCD's gamma tables, it doesn't register. It's as if some clock or some device hadn't gotten turned on or something. Therefore, after booting openiboot from iBoot, the screen gets all screwed up. However, if you load iBEC from iBoot, the screen doesn't get screwed up: you can still use bgcolor and everything works. I thought at first that meant there was something wrong with my LCD init code. I spent a frustrating day carefully auditing it for errors, and I did find two bugs that I fixed, but unfortunately it did not have any effect on the main problem. I got as far as I could with static methods, so I decided to carry out a series of experiments.
First, I had some trouble chainloading iBoot and iBEC from openiboot. Here is the series of fails that I fixed along the way: trouble with USB send (just a small typo in the client), trouble getting the resulting thing to execute in memory (you've gotta turn off the CPU caches and disable the MMU and interrupts for it to work properly. It also can't be run as part of an ISR because, well, iBoot expects to be able to receive interrupts, so I had to move the command processing onto the main thread and just have the ISR queue up commands for the main thread to process). Anyway, those were eventually fixed.
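The "ISR queues, main thread runs" split described above, as an added example that is not openiboot's code: a single-producer/single-consumer ring buffer where the USB receive interrupt only ever writes `head` and the main loop only ever writes `tail`, so no lock is needed and the ISR never blocks or jumps into a chainloaded image. The queue size, line length, function names and the sample command burst are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the example.  QUEUE_LEN must be a power of two so the
 * free-running head/tail counters can be masked instead of compared. */
#define CMD_MAX   64u
#define QUEUE_LEN 8u

struct cmd_queue {
    char buf[QUEUE_LEN][CMD_MAX];
    volatile unsigned head;   /* written only in the ISR (producer) */
    volatile unsigned tail;   /* written only on the main thread (consumer) */
};

void cmdq_init(struct cmd_queue *q) { memset(q, 0, sizeof *q); }

/* ISR side: copy the received line and publish it.  Never blocks and never
 * runs the command.  Returns 0 and drops the line if the ring is full. */
int isr_queue_cmd(struct cmd_queue *q, const char *line) {
    unsigned h = q->head;
    if (h - q->tail == QUEUE_LEN)
        return 0;                                   /* full: unsigned wrap keeps this correct */
    char *slot = q->buf[h & (QUEUE_LEN - 1)];
    strncpy(slot, line, CMD_MAX - 1);
    slot[CMD_MAX - 1] = '\0';
    __sync_synchronize();                           /* slot bytes visible before head moves */
    q->head = h + 1;
    return 1;
}

/* Main-thread side (interrupts enabled): take the oldest line, or return 0. */
int main_dequeue_cmd(struct cmd_queue *q, char *out, size_t outlen) {
    unsigned t = q->tail;
    if (q->head == t)
        return 0;                                   /* empty */
    __sync_synchronize();                           /* read head before the slot it guards */
    const char *slot = q->buf[t & (QUEUE_LEN - 1)];
    strncpy(out, slot, outlen - 1);
    out[outlen - 1] = '\0';
    __sync_synchronize();                           /* finish reading before releasing the slot */
    q->tail = t + 1;
    return 1;
}

/* Main loop body: drain everything queued so far through `run` (NULL = just
 * discard).  Returns how many lines were processed. */
unsigned main_drain(struct cmd_queue *q, void (*run)(const char *)) {
    char line[CMD_MAX];
    unsigned n = 0;
    while (main_dequeue_cmd(q, line, sizeof line)) {
        if (run) run(line);
        n++;
    }
    return n;
}

static void print_cmd(const char *line) { printf("main thread runs: %s\n", line); }

int main(void) {
    struct cmd_queue q;
    cmdq_init(&q);
    /* Constructed burst: the ISR sees ten lines before the main loop gets a turn,
     * so the last two are dropped rather than overwriting unprocessed ones. */
    const char *burst[10] = { "nor_read 0x09000000 0x0 0x100000", "~nordump.bin:0x100000",
                              "c3", "c4", "c5", "c6", "c7", "c8", "c9", "c10" };
    unsigned queued = 0;
    for (size_t i = 0; i < 10; i++)
        queued += (unsigned)isr_queue_cmd(&q, burst[i]);
    printf("queued %u of 10 (ring holds %u)\n", queued, QUEUE_LEN);
    printf("processed %u\n", main_drain(&q, print_cmd));
    return 0;
}
```

The two barriers are what make this safe on a real core: without them the consumer can observe the advanced `head` before the bytes of the slot, and the producer can reuse a slot the consumer is still copying out of.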
My experiments showed that after openiboot did its inits, chainloaded iBoot and iBEC weren't able to reinit the LCD properly (they had the same problem). I narrowed the problem down to the place in power.c where I "turn off" the LCD. This happened in the 114 iBoot, so I thought it was necessary. Analyzing the newer 2.x iBoots, that procedure was actually removed. Since I am reasonably confident that my syrah_init is functionally identical to their merlot_init, and that this power init, when present, causes LCD init to fail in all cases and, when absent, allows LCD init to succeed in all cases, I'm pretty sure that's the problem.
So I went ahead and removed it. This may or may not mean I am actually depending on the iBoot that I chainloaded openiboot from for the LCD init. We'll see after I try to replace iBoot entirely in the bootchain.
Anyway, USB is solid as a rock now apparently and chainloading seems to be working quite well. I'm actually able to load iBoot from NOR, patch it in memory, and then execute it from openiboot. This probably means I'm ready to try flashing the thing again.
Then we'll see how well it really works.
» February 19th, 2009
Installation, the PMU
While I was waiting for CPICH to finish the first bits of the NAND FTL reverse engineering work, I've been trying to fill in some of the gaps we had in other places, such as the PMU. As promised, there is also now an easy way to install openiboot onto the iPhone. This is great because it will eventually lead to an even easier QuickPwn in the future. One of the annoying things about iBoot in recovery mode is that the thing refuses to charge the iPhone while sitting in recovery mode. The battery just eventually drains entirely. With the new PMU code, openiboot now recharges the battery, so programmers using it (read: me) can just have it sit on the console screen indefinitely. You can also do nice things like check the current battery voltage and check the power supply type the phone is charging from.
The "installation code" consists of porting over my knowledge of reading and modifying img3 files from working on the jailbreaks. I was too lazy to port over the whole xpwn framework, but I wrote up a "quick" version that is enough to read and create img3 files in a limited fashion. img3 files are what the new native part of the main section of the NOR consists of (just a bunch of img3 files concatenated together). The effect is that you can load openiboot as an img3 through iBoot (just like sending an iBEC image) and then type "install" at the console, and openiboot will be a permanent stage in your bootloader chain. =P
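A walker over that "bunch of img3 files concatenated together", as an added example that is neither openiboot's nor xpwn's code. The container layout it assumes (a 20-byte header of little-endian u32s: magic, fullSize, sizeNoPack, sigCheckArea, ident; then tags of magic, totalLength, dataLength, data) comes from public descriptions of img3, not from the post; the sample blob, builder function and size limits are constructed for the example. The point a practitioner should take from it is that every length field in a NOR dump is untrusted input: each one is checked against the bytes actually present before it is followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Four-character codes as they come out of a little-endian u32 read. */
#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define IMG3_MAGIC FOURCC('I', 'm', 'g', '3')   /* stored as the bytes "3gmI" */
#define TAG_DATA   FOURCC('D', 'A', 'T', 'A')
#define TAG_TYPE   FOURCC('T', 'Y', 'P', 'E')

/* Assumed layout (public descriptions of img3, not from the post). */
#define IMG3_HDR_LEN 20u   /* magic, fullSize, sizeNoPack, sigCheckArea, ident */
#define TAG_HDR_LEN  12u   /* magic, totalLength, dataLength */

struct img3_info {
    size_t   offset;     /* where this image starts in the blob */
    uint32_t full_size;  /* bytes it claims, header included */
    uint32_t ident;      /* 'ibot', 'ibec', 'illb', ... */
    unsigned tags;       /* well-formed tags inside it */
};

static uint32_t rd32(const uint8_t *p) {   /* unaligned little-endian read */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Count one image's tags; -1 if any tag length escapes the image. */
static int img3_count_tags(const uint8_t *img, uint32_t full_size) {
    uint32_t off = IMG3_HDR_LEN;
    int n = 0;
    while (off < full_size) {
        if (full_size - off < TAG_HDR_LEN) return -1;
        uint32_t total = rd32(img + off + 4), data = rd32(img + off + 8);
        if (total < TAG_HDR_LEN || total > full_size - off || data > total - TAG_HDR_LEN) return -1;
        off += total;
        n++;
    }
    return n;
}

/* Walk concatenated img3 files.  A non-magic word (erased flash, junk) ends the
 * list; a fullSize or tag length that does not fit in `len` stops the walk
 * instead of reading past the buffer.  Returns the number of images recorded. */
size_t img3_walk(const uint8_t *blob, size_t len, struct img3_info *out, size_t max_out) {
    size_t off = 0, n = 0;
    while (n < max_out && len - off >= IMG3_HDR_LEN) {
        if (rd32(blob + off) != IMG3_MAGIC) break;
        uint32_t full = rd32(blob + off + 4);
        if (full < IMG3_HDR_LEN || full > len - off) break;
        int tags = img3_count_tags(blob + off, full);
        if (tags < 0) break;
        out[n].offset = off;
        out[n].full_size = full;
        out[n].ident = rd32(blob + off + 16);
        out[n].tags = (unsigned)tags;
        n++;
        off += full;
    }
    return n;
}

/* Build a minimal image with one tag (constructed test data).  Returns bytes written. */
size_t img3_build(uint8_t *buf, uint32_t ident, uint32_t tag, const uint8_t *payload, uint32_t plen) {
    uint32_t total = TAG_HDR_LEN + plen, full = IMG3_HDR_LEN + total;
    wr32(buf, IMG3_MAGIC);  wr32(buf + 4, full);   wr32(buf + 8, full - IMG3_HDR_LEN);
    wr32(buf + 12, 0);      wr32(buf + 16, ident);
    wr32(buf + 20, tag);    wr32(buf + 24, total); wr32(buf + 28, plen);
    memcpy(buf + 32, payload, plen);
    return full;
}

/* Constructed blob: two good images followed by one whose fullSize lies. */
size_t sample_blob(uint8_t *buf) {
    static const uint8_t d[4] = { 0xde, 0xad, 0xbe, 0xef };
    size_t n = img3_build(buf, FOURCC('i','b','o','t'), TAG_DATA, d, 4);
    n += img3_build(buf + n, FOURCC('i','b','e','c'), TAG_TYPE, (const uint8_t *)"ibec", 4);
    size_t bad = img3_build(buf + n, FOURCC('i','l','l','b'), TAG_DATA, d, 4);
    wr32(buf + n + 4, 0x1000);                     /* claims 4 KiB the blob does not have */
    return n + bad;
}

int main(void) {
    uint8_t blob[256];
    struct img3_info info[8];
    size_t len = sample_blob(blob), n = img3_walk(blob, len, info, 8);
    for (size_t i = 0; i < n; i++)
        printf("img3 @0x%04zx ident=%c%c%c%c size=%u tags=%u\n", info[i].offset,
               (int)(info[i].ident >> 24), (int)((info[i].ident >> 16) & 0xff),
               (int)((info[i].ident >> 8) & 0xff), (int)(info[i].ident & 0xff),
               info[i].full_size, info[i].tags);
    printf("%zu of 3 images accepted\n", n);
    return 0;
}
```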
You can, of course, keep booting up to the iPhone OS as you always do by selecting the option in the boot menu. Installing openiboot isn't very useful except for hackers wanting to hack openiboot.
I also figured out how to parse and create the NVRAM banks (storing environment variables like "auto-boot", etc.), which was actually pointlessly complicated (in my opinion). They have two banks consisting of a bunch of partitions with these headers that Apple uses a pointless one-byte custom checksum on. The whole bank is also checksummed with adler32. When NVRAM is modified, the oldest bank is overwritten with the data and becomes the newest bank (which is tracked by an epoch number on each bank). This is so if one bank becomes corrupted, the other can be used as a backup. However, NVRAM hardly contains anything of high value, so the value of all this trouble is questionable. Being able to write to NVRAM, though, makes it possible to set auto-boot on and off within openiboot so that we can easily control whether or not to enter iBoot's recovery mode.
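The two-bank scheme above, as an added example that is not openiboot's code and does not use Apple's real layout: the post only says there are two banks, partitions carry a one-byte header checksum, each whole bank is adler32-checksummed, and an epoch decides which bank is newest. The byte layout, bank size, the rule for the one-byte checksum, the "kind" byte and the sample variable strings below are all assumptions made for the example. The adler32 itself is the standard RFC 1950 algorithm. What the code shows is the failure mode the design exists for: a corrupted bank is rejected, the other bank is read, and the next commit rewrites the corrupt one rather than the good one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bank layout (NOT Apple's):
 *   0x00  u32  adler32 over bytes [8, BANK_SIZE)
 *   0x04  u32  epoch
 *   0x08  partitions: u8 checksum, u8 kind (0 = end marker), u16 len, payload */
#define BANK_SIZE 256u
#define NBANKS    2u

uint32_t adler32(const uint8_t *p, size_t n) {      /* RFC 1950 */
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) {
        a = (a + p[i]) % 65521u;
        b = (b + a) % 65521u;
    }
    return (b << 16) | a;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Assumed one-byte check: sum of kind, len and payload bytes mod 256. */
static uint8_t part_sum(const uint8_t *hdr /* points at the kind byte */) {
    uint16_t len = rd16(hdr + 1);
    uint8_t s = 0;
    for (size_t i = 0; i < 3u + len; i++) s = (uint8_t)(s + hdr[i]);
    return s;
}

uint32_t bank_epoch(const uint8_t *bank) { return rd32(bank + 4); }

/* Trust a bank only if the adler32 matches AND every partition's checksum and
 * length check out; a length that runs off the bank counts as corruption. */
int bank_valid(const uint8_t *bank) {
    if (rd32(bank) != adler32(bank + 8, BANK_SIZE - 8)) return 0;
    size_t off = 8;
    while (off + 4 <= BANK_SIZE) {
        uint8_t kind = bank[off + 1];
        uint16_t len = rd16(bank + off + 2);
        if (kind == 0) return 1;                        /* end marker reached */
        if (len > BANK_SIZE - off - 4) return 0;        /* partition escapes the bank */
        if (bank[off] != part_sum(bank + off + 1)) return 0;
        off += 4u + len;
    }
    return 0;                                           /* no end marker */
}

/* Newest valid bank (highest epoch), or -1 if both are corrupt. */
int nvram_active(uint8_t banks[NBANKS][BANK_SIZE]) {
    int best = -1;
    for (unsigned i = 0; i < NBANKS; i++)
        if (bank_valid(banks[i]) && (best < 0 || bank_epoch(banks[i]) > bank_epoch(banks[best])))
            best = (int)i;
    return best;
}

/* Commit a new variable set into the bank that is NOT active (the oldest, or a
 * corrupt one) with epoch = active + 1, so the last good bank survives as the
 * fallback.  Returns the bank index written, or -1 if the data does not fit. */
int nvram_commit(uint8_t banks[NBANKS][BANK_SIZE], const uint8_t *kinds,
                 const uint8_t *const *vals, const uint16_t *lens, size_t count) {
    int act = nvram_active(banks);
    int target = act < 0 ? 0 : (act + 1) % (int)NBANKS;
    uint32_t epoch = act < 0 ? 1 : bank_epoch(banks[act]) + 1;
    uint8_t *b = banks[target];
    memset(b, 0xff, BANK_SIZE);                         /* erased flash reads 0xff */
    size_t off = 8;
    for (size_t i = 0; i < count; i++) {
        if (kinds[i] == 0 || 4u + lens[i] > BANK_SIZE - off - 4) return -1;   /* keep room for the end marker */
        b[off + 1] = kinds[i];
        b[off + 2] = (uint8_t)lens[i]; b[off + 3] = (uint8_t)(lens[i] >> 8);
        memcpy(b + off + 4, vals[i], lens[i]);
        b[off] = part_sum(b + off + 1);
        off += 4u + lens[i];
    }
    memset(b + off, 0, 4);                              /* end marker (kind 0) */
    wr32(b + 4, epoch);
    wr32(b, adler32(b + 8, BANK_SIZE - 8));
    return target;
}

int main(void) {
    static uint8_t banks[NBANKS][BANK_SIZE];
    memset(banks, 0xff, sizeof banks);                  /* factory-fresh: both banks erased */
    const uint8_t kind[1] = { 1 };                      /* hypothetical kind for "auto-boot" */
    const uint8_t *val[1] = { (const uint8_t *)"auto-boot=true" };
    uint16_t len[1] = { 14 };
    printf("active after erase: %d\n", nvram_active(banks));
    printf("wrote bank %d\n", nvram_commit(banks, kind, val, len, 1));     /* bank 0, epoch 1 */
    val[0] = (const uint8_t *)"auto-boot=false"; len[0] = 15;
    printf("wrote bank %d\n", nvram_commit(banks, kind, val, len, 1));     /* bank 1, epoch 2 */
    banks[1][12] ^= 0xff;                               /* constructed fault: one payload byte flipped */
    printf("active after corruption: %d\n", nvram_active(banks));         /* falls back to bank 0 */
    printf("rewrote bank %d\n", nvram_commit(banks, kind, val, len, 1));   /* corrupt bank 1 is reused */
    return 0;
}
```

Setting auto-boot from openiboot is then a commit of the variable set with that one value changed; the good bank is never touched by the write, so a power loss mid-commit at worst leaves you with the previous epoch.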
Someone asked me how "safe" it was to do the installation, etc. Well, I've been doing it every time I make an update these days, so it's fairly safe. The worst that can happen in the usual case is that you may be forced into a DFU mode restore. Everything will be fixed with a restore. Early on, I did have bugs that really screwed things up so that a DFU mode restore was no longer possible, but even that was recoverable. I'll just go over how briefly:
The important thing is to have a backup of the NOR. As I described in a previous post, it's possible to really screw things up if you kill the SysCfg section of the NOR. If you do that, the iPhone OS will refuse to boot at all since iBoot cannot properly populate the device tree for the kernel. Since restore ramdisks rely on XNU booting, this is Bad News Bears. In addition, the SysCfg section is device specific, so if you do not have a backup, it will be difficult to ever completely recover from erasing it.
Therefore, before you proceed, MAKE A BACKUP OF YOUR NOR. openiboot can do this for you (and subsequently restore your backup if things go wrong).
Load openiboot via loadibec and select the console. Connect with the oibc client. Type in: nor_read 0x09000000 0x0 0x100000
This will read all of NOR into memory. Then type: ~nordump.bin:0x100000
This will transfer the dump over USB onto your computer and save it as nordump.bin.
Supposing you filled the whole NOR with garbage somehow and are unable to boot. You have to get into openiboot to restore the NOR. The problem is that openiboot is only designed to operate in a post-LLB or post-Recovery Mode context, so it cannot be directly booted from DFU mode. Basically, you've got to load a pwned WTF, then a pwned iBSS, and then a pwned iBEC (all of which is available from a custom IPSW). After that, you can use loadibec to load openiboot. Then, you can restore the NOR thus:
!nordump.bin
nor_write 0x09000000 0x0 0x100000
After that, you can boot and everything should be normal.
Also, I received a couple of responses from people volunteering to do the artwork. I'm not sure what the best thing would be, since I don't want anyone putting in effort for nothing, but we do want the best possible results. So, I'll be getting back to you guys about that.