Please refer to the top of the 3.9-fakeblank topic for a description of what a fakeblank bootloader is and how it can be used. This page details the 4.6BL version of fakeblank.
For 4.6BL, two of the four locations where the S-Gold bootrom checks for a blank bootloader require code patching to branch around the 0xffffffff word placed there. The last of the four locations is an oddball, as discussed below.
For most end-users, 4.6-fakeblank isn't as attractive as 3.9-fakeblank, because 3.9BL itself has fewer restrictions than 4.6BL. But for those who may want to peek/poke/probe/patch 4.6BL for development purposes, 4.6-fakeblank is a safety net in case your experiments go awry.
This code surrounds the 0xA000A5A0 checkblank location:
```asm
sub_A000A46C+12C 07 00 50 E1    CMP     R0, R7
sub_A000A46C+130 E4 FF FF 8A    BHI     loc_A000A534
sub_A000A46C+130
sub_A000A46C+134
sub_A000A46C+134                checkblank_checks_here_1
sub_A000A46C+134 48 32 9D E5    LDR     R3, [SP,#0x270+var_28]
sub_A000A46C+138 B8 30 D3 E1    LDRH    R3, [R3,#8]
```
This code surrounds the 0xA0015C58 checkblank location:
```asm
sub_10C44+20 02 50 82 E2    ADD     R5, R2, #2
sub_10C44+24 A8 4A 85 E5    STR     R4, [R5,#0xAA8]
sub_10C44+28
sub_10C44+28                checkblank_checks_here_2
sub_10C44+28 00 C0 A0 E3    MOV     R12, #0
sub_10C44+2C 06 00 00 EA    B       loc_10C90
```
This is the fakeblank code surrounding the 0xA000A5A0 checkblank location:
```asm
sub_A000A46C+12C 07 00 50 E1    CMP     R0, R7
sub_A000A46C+130 17 3E 00 EA    B       loc_A0019E00
sub_A000A46C+130
sub_A000A46C+130 ; ---------------------------------------------------------------------------
sub_A000A46C+134 FF FF FF FF    checkblank_checks_here_1 DCD 0xFFFFFFFF
sub_A000A46C+138 ; ---------------------------------------------------------------------------
sub_A000A46C+138
sub_A000A46C+138                loc_A000A5A4                ; CODE XREF: sub_A000A46C+F99Cj
sub_A000A46C+138 B8 30 D3 E1    LDRH    R3, [R3,#8]
```
Some unused locations at 0xA0019E00 are used to complete that patch:
```asm
sub_A000A46C+F994 ; START OF FUNCTION CHUNK FOR sub_A000A46C
sub_A000A46C+F994
sub_A000A46C+F994               loc_A0019E00                ; CODE XREF: sub_A000A46C+130j
sub_A000A46C+F994 CB C1 FF 8A   BHI     loc_A000A534
sub_A000A46C+F994
sub_A000A46C+F998 48 32 9D E5   LDR     R3, [SP,#0x24+arg_224]
sub_A000A46C+F99C E5 C1 FF EA   B       loc_A000A5A4
sub_A000A46C+F99C
```
This is the fakeblank code surrounding the 0xA0015C58 checkblank location:
```asm
sub_10C44+20 02 50 82 E2    ADD     R5, R2, #2
sub_10C44+24 BD FE FF EA    B       loc_10764
sub_10C44+24
sub_10C44+24 ; ---------------------------------------------------------------------------
sub_10C44+28 FF FF FF FF    checkblank_checks_here_2 DCD 0xFFFFFFFF
sub_10C44+2C ; ---------------------------------------------------------------------------
sub_10C44+2C 06 00 00 EA    B       loc_10C90
```
As with 3.9BL, part of the unused nand_lock_block() function is re-used for fakeblank:
```asm
00010760                    nand_lock_block             ; DATA XREF: nor_probe:off_111DCo
00010760 1E FF 2F E1        BX      LR
00010760
sub_10C44-4E0 ; ---------------------------------------------------------------------------
sub_10C44-4E0 ; START OF FUNCTION CHUNK FOR sub_10C44
sub_10C44-4E0
sub_10C44-4E0               loc_10764                   ; CODE XREF: sub_10C44+24j
sub_10C44-4E0 A8 4A 85 E5   STR     R4, [R5,#0xAA8]
sub_10C44-4DC 00 C0 A0 E3   MOV     R12, #0
sub_10C44-4D8 47 01 00 EA   B       loc_10C90
sub_10C44-4D8
```
Finally, here's the code surrounding the 0xA0017370 checkblank location. Even though this falls right in the middle of some Thumb code, the address we care about is never reached: the BEQ that targets it always sees Z=0. The compiler should have optimized this away, but it didn't, which makes this location patchable without requiring any extra work:
```asm
eblx4+6  02 20          MOVS    R0, #2
eblx4+8  04 90          STR     R0, [SP,#0x28+var_18]
eblx4+A                 ; The following branch is never taken
eblx4+A                 ; because the MOVS R0,#2 above makes Z=0
eblx4+A  05 D0          BEQ     checkblank_checks_here_3
eblx4+A
eblx4+C  CE 48          LDR     R0, =eblfnxs
eblx4+E  00 68          LDR     R0, [R0]
eblx4+10 80 30          ADDS    R0, #0x80 ; '?'
eblx4+12 81 69          LDR     R1, [R0,#0x18]
eblx4+14 01 91          STR     R1, [SP,#0x28+var_24]
eblx4+16 04 E0          B       loc_1238E
eblx4+16
eblx4+16 ; ---------------------------------------------------------------------------
eblx4+18 FF FF FF FF    checkblank_checks_here_3 DCD 0xFFFFFFFF ; CODE XREF: eblx4+Aj
eblx4+1C ; ----------------------------------------------------------------
```
For legal and ethical reasons, we cannot host the actual modified bootloader on the Dev wiki. That's copyrighted by Apple and/or Infineon, and the Dev team has always been about “patching, not piracy.”
If you apply these patches correctly to the official 4.6BL 128KB binary, your new file should have an MD5 checksum of f42fadd86fa301ab150df9fe847c6515 and a SHA-1 checksum of 518253a9a7d3edbbf269d104afd5e9b5f5714bc3. The hexdump diff below lists every changed 16-byte row: `<` rows are the official binary, `>` rows are the fakeblank version.
```text
< 00000030 00 04 00 a0 ff fb ff 5f 6c 06 00 a0 43 4a 4b 54 |......._l...CJKT|
---
> 00000030 ff ff ff ff ff fb ff 5f 6c 06 00 a0 43 4a 4b 54 |......._l...CJKT|
< 0000a590 48 02 9d e5 b8 00 d0 e1 07 00 50 e1 e4 ff ff 8a |H.........P.....|
< 0000a5a0 48 32 9d e5 b8 30 d3 e1 03 11 85 e0 48 32 9d e5 |H2...0......H2..|
---
> 0000a590 48 02 9d e5 b8 00 d0 e1 07 00 50 e1 17 3e 00 ea |H.........P..>..|
> 0000a5a0 ff ff ff ff b8 30 d3 e1 03 11 85 e0 48 32 9d e5 |.....0......H2..|
< 00015740 ff 10 a0 e3 b0 10 c0 e1 1e ff 2f e1 94 10 a0 e3 |........../.....|
< 00015750 10 2a 9f e5 10 3a 9f e5 b0 30 d3 e1 03 22 82 e0 |.*...:...0..."..|
---
> 00015740 ff 10 a0 e3 b0 10 c0 e1 1e ff 2f e1 1e ff 2f e1 |........../.../.|
> 00015750 a8 4a 85 e5 00 c0 a0 e3 47 01 00 ea 03 22 82 e0 |.J......G...."..|
< 00015c50 02 50 82 e2 a8 4a 85 e5 00 c0 a0 e3 06 00 00 ea |.P...J..........|
---
> 00015c50 02 50 82 e2 bd fe ff ea ff ff ff ff 06 00 00 ea |.P..............|
< 00017370 cb 48 00 68 80 30 41 69 01 91 01 98 fe f7 00 ee |.H.h.0Ai........|
---
> 00017370 ff ff ff ff 80 30 41 69 01 91 01 98 fe f7 00 ee |.....0Ai........|
< 00019e00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
---
> 00019e00 cb c1 ff 8a 48 32 9d e5 e5 c1 ff ea ff ff ff ff |....H2..........|
```
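As an added example (not from the original page or the Dev team), here is a Python checker that parses the hexdump diff above and reports, row by row, whether a 128KB 4.6BL dump holds the official bytes, the fakeblank bytes or neither, and compares the whole file against the MD5/SHA-1 digests quoted above. The 128KB image returned by `build_sample()` is constructed from the diff rows for testing only and is not a bootloader image.

```python
import hashlib
# Hexdump diff as published on this page: '<' = official 4.6BL row, '>' = fakeblank
# row; each is a hex offset followed by 16 bytes (ASCII column dropped).
DIFF = """
< 00000030 00 04 00 a0 ff fb ff 5f 6c 06 00 a0 43 4a 4b 54
> 00000030 ff ff ff ff ff fb ff 5f 6c 06 00 a0 43 4a 4b 54
< 0000a590 48 02 9d e5 b8 00 d0 e1 07 00 50 e1 e4 ff ff 8a
< 0000a5a0 48 32 9d e5 b8 30 d3 e1 03 11 85 e0 48 32 9d e5
> 0000a590 48 02 9d e5 b8 00 d0 e1 07 00 50 e1 17 3e 00 ea
> 0000a5a0 ff ff ff ff b8 30 d3 e1 03 11 85 e0 48 32 9d e5
< 00015740 ff 10 a0 e3 b0 10 c0 e1 1e ff 2f e1 94 10 a0 e3
< 00015750 10 2a 9f e5 10 3a 9f e5 b0 30 d3 e1 03 22 82 e0
> 00015740 ff 10 a0 e3 b0 10 c0 e1 1e ff 2f e1 1e ff 2f e1
> 00015750 a8 4a 85 e5 00 c0 a0 e3 47 01 00 ea 03 22 82 e0
< 00015c50 02 50 82 e2 a8 4a 85 e5 00 c0 a0 e3 06 00 00 ea
> 00015c50 02 50 82 e2 bd fe ff ea ff ff ff ff 06 00 00 ea
< 00017370 cb 48 00 68 80 30 41 69 01 91 01 98 fe f7 00 ee
> 00017370 ff ff ff ff 80 30 41 69 01 91 01 98 fe f7 00 ee
< 00019e00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> 00019e00 cb c1 ff 8a 48 32 9d e5 e5 c1 ff ea ff ff ff ff
"""
EXPECTED_MD5 = "f42fadd86fa301ab150df9fe847c6515"    # digests quoted on the page
EXPECTED_SHA1 = "518253a9a7d3edbbf269d104afd5e9b5f5714bc3"

def parse_diff(text):
    """Return ({offset: official 16 bytes}, {offset: fakeblank 16 bytes})."""
    before, after = {}, {}
    for line in text.splitlines():
        if line[:1] in ("<", ">"):          # blanks and '---' separators are skipped
            fields = line[1:].split()
            row = bytes.fromhex("".join(fields[1:17]))
            (before if line[0] == "<" else after)[int(fields[0], 16)] = row
    return before, after

def classify(blob, before, after):
    """Per diff row: 'original', 'fakeblank' or 'unknown' (neither, or truncated)."""
    verdict = {}
    for off in sorted(before):
        chunk = bytes(blob[off:off + 16])
        verdict[off] = ("fakeblank" if chunk == after[off] else
                        "original" if chunk == before[off] else "unknown")
    return verdict

def matches_published_hashes(blob):
    """True only for a byte-exact copy of the patched 128KB binary."""
    return (hashlib.md5(blob).hexdigest() == EXPECTED_MD5
            and hashlib.sha1(blob).hexdigest() == EXPECTED_SHA1)

def build_sample(rows):
    """Constructed 128KB test image: zeros plus the given rows (not a real dump)."""
    blob = bytearray(128 * 1024)
    for off, data in rows.items():
        blob[off:off + 16] = data
    return bytes(blob)
```

On a real dump, pass the file's bytes to `classify()` and `matches_published_hashes()`; a row reported as "unknown" means the file matches neither version there and should be inspected before anything further is done with it.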
Please visit this hackint0sh.org thread for discussion about this code and how to use it.