Difference between revisions of "Talk:BootNeuter"

From The iPhone Wiki
Jump to: navigation, search
(Change bootloader?)
(Flashing the Boot Loader: new section)
 
(9 intermediate revisions by 5 users not shown)
Line 9: Line 9:
 
I suppose that BootNeuter use Gbootloader (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/02/look-at-things-to-come.html] ) for changing the bootloader 4.6 stock/neutered.
 
I suppose that BootNeuter use Gbootloader (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/02/look-at-things-to-come.html] ) for changing the bootloader 4.6 stock/neutered.
 
I suppose that BooNeuter use 112otb (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html] ) for changing a fakeblanked bootloader.
 
I suppose that BooNeuter use 112otb (see GeoHotz post : [http://iphonejtag.blogspot.com/2008/01/112-otb-unlocked.html] ) for changing a fakeblanked bootloader.
But for the Bootloader 3.9, we don't know (maybe an upgrade to 4.6 first via bbupdater??) ?
+
But for the Bootloader 3.9, we don't know (maybe an upgrade to 4.6 first via bbupdater??) ? -- dranfi
   
BootNeuter does use geohot's extended secpack erase for erasing the 4.6 BL (as stated in its credits). For actually changing the "locked-down" NOR status of both the 3.9 and 4.6 bootloaders, BootNeuter uses the GPIO hack found by the dev team (and credited to the dev team by geohot within gbootloader. Search his source code for that credit). The actual neuter patch is actually another matter, and is another (still uncredited and unmentioned (until now)) dev team discovery. 3.9 is not upgraded to 4.6 before being neutered :) -- MuscleNerd
+
BootNeuter does use geohot's extended secpack erase for erasing the 4.6 BL (as stated in its credits). For actually changing the "locked-down" NOR status of both the 3.9 and 4.6 bootloaders, BootNeuter uses the GPIO hack found by the dev team (and credited to the dev team by geohot within gbootloader/main-bleraser.c. Search that source code for the credit). The neuter patch is actually another matter, and is another (still uncredited and unmentioned (until now)) dev team discovery. And no, 3.9 is not upgraded to 4.6 before being neutered :) The 3.9 and 4.6 neuters are similar but distinct.-- MuscleNerd
  +
  +
Can you tell us more about the GPIO hack, I only see this in Gehot code : "//deassert WP#, thanks dev team
  +
GPIO=0x700;" -- dranfi
  +
  +
That GPIO adds an extra layer of write protection for the bootloader blocks. Without deasserting WP# via that GPIO (using that particular address and data value), any attempt to erase or reprogram those blocks is ignored. It's one of the critical components in the software-based unlock, found by the dev team and shared with geohot. -- MuscleNerd
  +
  +
Muscle, I get it. the dev team figured out how to toggle the GPIO line, and figured out that it's connected to the WP line on the flash. 2 times in one page is sufficient to drill that into one's head. -Scotty2
  +
  +
LOL you do realize I was responding to dranfi's second question? - MuscleNerd
  +
  +
== Neuter Patch ==
  +
  +
MuscleNerd--can you elaborate on what exactly the "neuter patch" is?
  +
I saw a post about this before BootNeuter actually being released, but I don't think I'll be able to find it. -- dranfi
  +
  +
Use a nordumper. ~geohot
  +
  +
== Flashing the Boot Loader ==
  +
  +
How exactly does Boot Neuter flash the bootloader (3.9/4.6). I have a iPhone 2g that appears to have a broken/currupted BootLoader on it so BootNeuter wont run, it just hangs at Determing current settings. I can get SSH access to the device and would love to be able to manually flash the firmware to it and recover the device.
  +
  +
Thanks,
  +
J

Latest revision as of 18:44, 11 September 2012

Fakeblank

It is not quite clear if fakeblank is a sort of bootloader (same level as 3.9 or 4.6, say a 'blank' bootloader) or if it is just a piece of code which is needed to run a serial payload at will and / or boots the normal bootloader (3.9 or 4.6) if no serial payload is run. The article itself is inconsistent regarding this point.

Besides there is a page Fakeblank and resorting / linking information would be a good idea, IMHO.

Change bootloader?

How does BootNeuter does change the bootloader? I suppose that BootNeuter use Gbootloader (see GeoHotz post : [1] ) for changing the bootloader 4.6 stock/neutered. I suppose that BooNeuter use 112otb (see GeoHotz post : [2] ) for changing a fakeblanked bootloader. But for the Bootloader 3.9, we don't know (maybe an upgrade to 4.6 first via bbupdater??) ? -- dranfi

BootNeuter does use geohot's extended secpack erase for erasing the 4.6 BL (as stated in its credits). For actually changing the "locked-down" NOR status of both the 3.9 and 4.6 bootloaders, BootNeuter uses the GPIO hack found by the dev team (and credited to the dev team by geohot within gbootloader/main-bleraser.c. Search that source code for the credit). The neuter patch is actually another matter, and is another (still uncredited and unmentioned (until now)) dev team discovery. And no, 3.9 is not upgraded to 4.6 before being neutered :) The 3.9 and 4.6 neuters are similar but distinct.-- MuscleNerd

Can you tell us more about the GPIO hack, I only see this in Gehot code : "//deassert WP#, thanks dev team GPIO=0x700;" -- dranfi

That GPIO adds an extra layer of write protection for the bootloader blocks. Without deasserting WP# via that GPIO (using that particular address and data value), any attempt to erase or reprogram those blocks is ignored. It's one of the critical components in the software-based unlock, found by the dev team and shared with geohot. -- MuscleNerd

Muscle, I get it. the dev team figured out how to toggle the GPIO line, and figured out that it's connected to the WP line on the flash. 2 times in one page is sufficient to drill that into one's head. -Scotty2

LOL you do realize I was responding to dranfi's second question? - MuscleNerd

Neuter Patch

MuscleNerd--can you elaborate on what exactly the "neuter patch" is? I saw a post about this before BootNeuter actually being released, but I don't think I'll be able to find it. -- dranfi

Use a nordumper. ~geohot

Flashing the Boot Loader

How exactly does Boot Neuter flash the bootloader (3.9/4.6). I have a iPhone 2g that appears to have a broken/currupted BootLoader on it so BootNeuter wont run, it just hangs at Determing current settings. I can get SSH access to the device and would love to be able to manually flash the firmware to it and recover the device.

Thanks, J