The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "Minus 0x20000 with Back Extend Erase"
ChronicDev (talk | contribs)
(added links to secpack)
(2 intermediate revisions by 2 users not shown)
Line 8: | Line 8:
Writing -0x20000 before the firmware starts allows you to write anything you want. |
Writing -0x20000 before the firmware starts allows you to write anything you want. |
||
− | 0x3C0000 can't have a valid secpack to allow booting. The explicit addresses 0xA03D0000-0xA03F0000 will always erase. This exploit relied on two things, the secaddrs are copied before the secpack is validated(stupid), and the erase command extends the range to whatever is in the secpack. So erase 0xA03D0000-0xA03F0000, the erase command sees 0xA03C0000 to 0xA03F0000 in the secpack; BOOM secpack erased. |
+ | 0x3C0000 can't have a valid [[secpack]] to allow booting. The explicit addresses 0xA03D0000-0xA03F0000 will always erase. This exploit relied on two things, the secaddrs are copied before the [[secpack]] is validated(stupid), and the erase command extends the range to whatever is in the [[secpack]]. So erase 0xA03D0000-0xA03F0000, the erase command sees 0xA03C0000 to 0xA03F0000 in the [[secpack]]; BOOM [[secpack]] erased. |
==Implementations== |
==Implementations== |
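Review bot: the + line keeps two wording slips from the old text that this edit could have fixed while it was touching the sentence: "relied on two things, the secaddrs are copied" is a comma splice (a colon reads better: "relied on two things: the secaddrs are copied ..."), and "validated(stupid)" is missing the space before the parenthesis. Otherwise the change only wraps "secpack" in [[secpack]] links, which matches the edit summary.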
Latest revision as of 19:58, 22 October 2010
This is the exploit used to unlock all phones with a 4.6 bootloader.
Credit
Description
Writing -0x20000 before the firmware starts allows you to write anything you want.
0x3C0000 can't have a valid secpack to allow booting. The explicit addresses 0xA03D0000-0xA03F0000 will always erase. This exploit relied on two things: the secaddrs are copied before the secpack is validated (stupid), and the erase command extends the range to whatever is in the secpack. So erase 0xA03D0000-0xA03F0000; the erase command sees 0xA03C0000 to 0xA03F0000 in the secpack, and BOOM, the secpack is erased.
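The two flaws the description names (secaddrs copied before the secpack is validated, and the erase range extended to whatever the secpack says) as a small C model, added here and not code from The iPhone Wiki or from the bootloader itself. It puts the vulnerable ordering beside a hardened handler that validates first, refuses rather than extends when a request falls outside the authorized range, and never erases the secpack region. The flash addresses are the page's; the struct layout, the assumed secpack region end of 0xA03D0000, the stand-in signature check and every function name are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flash layout as the page states it. SECPACK_HI and the signature format are
   assumptions of this model, not facts from the page. */
#define SECPACK_LO 0xA03C0000u   /* page: the secpack lives at 0x3C0000 */
#define SECPACK_HI 0xA03D0000u   /* assumed end of the secpack region */
#define USER_LO    0xA03D0000u   /* page: 0xA03D0000-0xA03F0000 "will always erase" */
#define USER_HI    0xA03F0000u

typedef struct {
    uint32_t erase_lo;        /* "secaddrs": the range the secpack authorizes */
    uint32_t erase_hi;
    uint8_t  signature[32];   /* placeholder; only the string "OK" counts as valid here */
} secpack_t;

typedef struct { uint32_t lo, hi; } range_t;   /* lo == hi == 0 means refused */

static uint32_t g_sec_lo, g_sec_hi;   /* the copied secaddrs */
static bool     g_sec_ok;

/* Stand-in for the real signature check (assumption). */
static bool secpack_valid(const secpack_t *sp) {
    return memcmp(sp->signature, "OK", 3) == 0;
}

static bool explicit_range_ok(uint32_t lo, uint32_t hi) {
    return lo >= USER_LO && hi <= USER_HI && lo < hi;
}

/* VULNERABLE ordering, as the page describes: secaddrs are copied first and the
   secpack is validated second, so a secpack that fails validation still leaves
   its addresses in the globals the erase command reads. */
void load_secpack_vulnerable(const secpack_t *sp) {
    g_sec_lo = sp->erase_lo;
    g_sec_hi = sp->erase_hi;
    g_sec_ok = secpack_valid(sp);
}

/* VULNERABLE erase: the explicit range is checked, then "back-extended" to the
   secpack range without ever consulting g_sec_ok. */
range_t erase_vulnerable(uint32_t req_lo, uint32_t req_hi) {
    range_t r = { 0, 0 };
    if (!explicit_range_ok(req_lo, req_hi)) return r;
    r.lo = req_lo; r.hi = req_hi;
    if (g_sec_lo < r.lo) r.lo = g_sec_lo;
    if (g_sec_hi > r.hi) r.hi = g_sec_hi;
    return r;
}

/* HARDENED: validate before anything is copied, refuse (never extend) when the
   request falls outside the authorized range, and never erase the secpack itself. */
void load_secpack_hardened(const secpack_t *sp) {
    g_sec_ok = secpack_valid(sp);
    g_sec_lo = g_sec_ok ? sp->erase_lo : 0;
    g_sec_hi = g_sec_ok ? sp->erase_hi : 0;
}

range_t erase_hardened(uint32_t req_lo, uint32_t req_hi) {
    range_t r = { 0, 0 };
    if (!g_sec_ok || !explicit_range_ok(req_lo, req_hi)) return r;
    if (req_lo < g_sec_lo || req_hi > g_sec_hi) return r;     /* outside authorized range */
    if (req_lo < SECPACK_HI && req_hi > SECPACK_LO) return r;  /* would touch the secpack */
    r.lo = req_lo; r.hi = req_hi;
    return r;
}

/* The page's scenario: a secpack that cannot validate but whose secaddrs claim
   0xA03C0000-0xA03F0000, followed by an erase of the explicit 0xA03D0000-0xA03F0000.
   Returns true if the resulting erase would wipe the secpack region. */
bool secpack_erased_by(void (*load)(const secpack_t *),
                       range_t (*erase)(uint32_t, uint32_t)) {
    secpack_t crafted = { SECPACK_LO, USER_HI, "bad" };   /* constructed; not valid */
    load(&crafted);
    range_t r = erase(USER_LO, USER_HI);
    return r.lo < SECPACK_HI && r.hi > SECPACK_LO;
}

int main(void) {
    printf("vulnerable: secpack erased = %d\n",
           secpack_erased_by(load_secpack_vulnerable, erase_vulnerable));
    printf("hardened:   secpack erased = %d\n",
           secpack_erased_by(load_secpack_hardened, erase_hardened));
    /* A valid secpack authorizing the user range still lets the hardened path erase it. */
    secpack_t good = { USER_LO, USER_HI, "OK" };
    load_secpack_hardened(&good);
    range_t r = erase_hardened(USER_LO, USER_HI);
    printf("hardened, valid secpack: erase %08x-%08x\n", (unsigned)r.lo, (unsigned)r.hi);
    return 0;
}
```

The defensive point is the order of operations and the direction of the range adjustment: nothing from a secpack may be copied into state the erase path reads until the secpack has passed validation, and a request that disagrees with the authorized range is refused rather than widened to it.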