The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Talk:BootNeuter"
MuscleNerd (talk | contribs) (→Change bootloader?) |
(→Flashing the Boot Loader: new section) |
||
(9 intermediate revisions by 5 users not shown) | |||
Line 9: | Line 9: | ||
I suppose that BootNeuter use Gbootloader (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/02/look-at-things-to-come.html] ) for changing the bootloader 4.6 stock/neutered. |
I suppose that BootNeuter use Gbootloader (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/02/look-at-things-to-come.html] ) for changing the bootloader 4.6 stock/neutered. |
||
I suppose that BooNeuter use 112otb (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html] ) for changing a fakeblanked bootloader. |
I suppose that BooNeuter use 112otb (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html] ) for changing a fakeblanked bootloader. |
||
− | But for the Bootloader 3.9, we don't know (maybe an upgrade to 4.6 first via bbupdater??) ? |
+ | But for the Bootloader 3.9, we don't know (maybe an upgrade to 4.6 first via bbupdater??) ? -- dranfi |
− | BootNeuter does use geohot's extended secpack erase for erasing the 4.6 BL (as stated in its credits). For actually changing the "locked-down" NOR status of both the 3.9 and 4.6 bootloaders, BootNeuter uses the GPIO hack found by the dev team (and credited to the dev team by geohot within gbootloader. Search |
+ | BootNeuter does use geohot's extended secpack erase for erasing the 4.6 BL (as stated in its credits). For actually changing the "locked-down" NOR status of both the 3.9 and 4.6 bootloaders, BootNeuter uses the GPIO hack found by the dev team (and credited to the dev team by geohot within gbootloader/main-bleraser.c. Search that source code for the credit). The neuter patch is actually another matter, and is another (still uncredited and unmentioned (until now)) dev team discovery. And no, 3.9 is not upgraded to 4.6 before being neutered :) The 3.9 and 4.6 neuters are similar but distinct.-- MuscleNerd |
+ | |||
+ | Can you tell us more about the GPIO hack, I only see this in Gehot code : "//deassert WP#, thanks dev team |
||
+ | GPIO=0x700;" -- dranfi |
||
+ | |||
+ | That GPIO adds an extra layer of write protection for the bootloader blocks. Without deasserting WP# via that GPIO (using that particular address and data value), any attempt to erase or reprogram those blocks is ignored. It's one of the critical components in the software-based unlock, found by the dev team and shared with geohot. -- MuscleNerd |
||
+ | |||
+ | Muscle, I get it. the dev team figured out how to toggle the GPIO line, and figured out that it's connected to the WP line on the flash. 2 times in one page is sufficient to drill that into one's head. -Scotty2 |
||
+ | |||
+ | LOL you do realize I was responding to dranfi's second question? - MuscleNerd |
||
+ | |||
+ | == Neuter Patch == |
||
+ | |||
+ | MuscleNerd--can you elaborate on what exactly the "neuter patch" is? |
||
+ | I saw a post about this before BootNeuter actually being released, but I don't think I'll be able to find it. -- dranfi |
||
+ | |||
+ | Use a nordumper. ~geohot |
||
+ | |||
+ | == Flashing the Boot Loader == |
||
+ | |||
+ | How exactly does Boot Neuter flash the bootloader (3.9/4.6). I have a iPhone 2g that appears to have a broken/currupted BootLoader on it so BootNeuter wont run, it just hangs at Determing current settings. I can get SSH access to the device and would love to be able to manually flash the firmware to it and recover the device. |
||
+ | |||
+ | Thanks, |
||
+ | J |
Latest revision as of 18:44, 11 September 2012
Fakeblank
It is not quite clear if fakeblank is a sort of bootloader (same level as 3.9 or 4.6, say a 'blank' bootloader) or if it is just a piece of code which is needed to run a serial payload at will and / or boots the normal bootloader (3.9 or 4.6) if no serial payload is run. The article itself is inconsistent regarding this point.
Besides there is a page Fakeblank and resorting / linking information would be a good idea, IMHO.
Change bootloader?
How does BootNeuter does change the bootloader? I suppose that BootNeuter use Gbootloader (see GeoHotz post : [1] ) for changing the bootloader 4.6 stock/neutered. I suppose that BooNeuter use 112otb (see GeoHotz post : [2] ) for changing a fakeblanked bootloader. But for the Bootloader 3.9, we don't know (maybe an upgrade to 4.6 first via bbupdater??) ? -- dranfi
BootNeuter does use geohot's extended secpack erase for erasing the 4.6 BL (as stated in its credits). For actually changing the "locked-down" NOR status of both the 3.9 and 4.6 bootloaders, BootNeuter uses the GPIO hack found by the dev team (and credited to the dev team by geohot within gbootloader/main-bleraser.c. Search that source code for the credit). The neuter patch is actually another matter, and is another (still uncredited and unmentioned (until now)) dev team discovery. And no, 3.9 is not upgraded to 4.6 before being neutered :) The 3.9 and 4.6 neuters are similar but distinct.-- MuscleNerd
Can you tell us more about the GPIO hack, I only see this in Gehot code : "//deassert WP#, thanks dev team GPIO=0x700;" -- dranfi
That GPIO adds an extra layer of write protection for the bootloader blocks. Without deasserting WP# via that GPIO (using that particular address and data value), any attempt to erase or reprogram those blocks is ignored. It's one of the critical components in the software-based unlock, found by the dev team and shared with geohot. -- MuscleNerd
Muscle, I get it. the dev team figured out how to toggle the GPIO line, and figured out that it's connected to the WP line on the flash. 2 times in one page is sufficient to drill that into one's head. -Scotty2
LOL you do realize I was responding to dranfi's second question? - MuscleNerd
Neuter Patch
MuscleNerd--can you elaborate on what exactly the "neuter patch" is? I saw a post about this before BootNeuter actually being released, but I don't think I'll be able to find it. -- dranfi
Use a nordumper. ~geohot
Flashing the Boot Loader
How exactly does Boot Neuter flash the bootloader (3.9/4.6). I have a iPhone 2g that appears to have a broken/currupted BootLoader on it so BootNeuter wont run, it just hangs at Determing current settings. I can get SSH access to the device and would love to be able to manually flash the firmware to it and recover the device.
Thanks, J