by the iPhone Dev Team
February 2009

This is the software prep side of the "run rs" flavor of dongles. After performing these setup steps:

• Your ipt2g will boot into Recovery mode (with a Recovery logo showing)
• It will be bootable by sending “run rs\n\r” either through a serial cable or through USB
• The table below shows which graphics you are ok to change for a custom look
• Any of the existing tethered jailbreakers and booters can incorporate these changes if they wish.

The hardware side of the “run rs” flavor of dongles will be available soon. But it is really just a matter of sending the “run rs\n\r” string over the 3.3V serial Rx pin at 115,200 8N1.

The directory “Firmware/all_flash/all_flash.n72ap.production” inside the ipsw should be constructed from the following sources. The bsdiff patches for the 3 indicated files are at the end of this topic.

Notes about the patches:

1. ”-” means a patch is optional (no sigchecks being done)
2. The iBoot2 img3 must also have its internal img3 4cc changed from “ibot” to “ibo2”. One way to do that is:

   echo -n 2 | dd  of=iBoot2.n72ap.RELEASE.img3 conv=notrunc bs=1 seek=16

Other than the above configuration, the custom IPSW should be created and applied just like in the original redsn0w lite.

After restoring with this new custom IPSw, nor0 should look like:

    ] image list
    image 0xff31950: bdev 0xff316a8 type illb offset 0x8000 len 0x1008c
    image 0xff31988: bdev 0xff316a8 type ibot offset 0x18900 len 0x2908c
    image 0xff319c0: bdev 0xff316a8 type ibo2 offset 0x42200 len 0x2908c
    image 0xff319f8: bdev 0xff316a8 type tsys offset 0x6bb00 len 0x19048
    image 0xff31a30: bdev 0xff316a8 type dtre offset 0x853c0 len 0x8490
    image 0xff31a68: bdev 0xff316a8 type logo offset 0x8e0c0 len 0x15cd
    image 0xff31aa0: bdev 0xff316a8 type recm offset 0x8ff00 len 0xb248
    image 0xff31ad8: bdev 0xff316a8 type nsrv offset 0x9b9c0 len 0x4718
    image 0xff31b10: bdev 0xff316a8 type bat0 offset 0xa0940 len 0xd504
    image 0xff31b48: bdev 0xff316a8 type bat1 offset 0xae6c0 len 0xf654
    image 0xff31b80: bdev 0xff316a8 type glyC offset 0xbe580 len 0x8898
    image 0xff31bb8: bdev 0xff316a8 type glyP offset 0xc7680 len 0x8438

setenv rs "arm7_stop;mw 0x9000000 0xe59f3014;mw 0x9000004 0xe3a02a02;mw 0x9000008 0xe1c323b4;mw 0x900000c 0xe59f300c;mw 0x9000010 0xe3e02000;mw 0x9000014 0xe503223f;mw 0x9000018 0xeafffffe;mw 0x900001c 0x0ff1a100;mw 0x9000020 0x0ff2afff;arm7_go;run rs1"
setenv rs1 "sha1 0x8000000 0x3000000;arm7_stop;mw 0xff006d4 0x21906943;mw 0xff006d8 0x68da6898;mw 0xff006dc 0x9300699b;mw 0xff006e0 0x69c40509;mw 0xff006e4 0x47a02300;mw 0xff006e8 0xf0002000;mw 0xff006ec 0xe002fde3;tsys"
setenv debug-uarts true
saveenv

To boot after a power-cycle, issue the following via USB or serial:

run rs

• For those who are already jailbroken and just want to update their NOR for “run rs” without touching their main filesystem, use the ramdisk patch in this zip file. To use it, replace whatever 018-4993-11 patch you're currently using with this one (keeping all the other patch files the same). For PwnageTool users, it's better to replace both 018-4993-11 patches with this same patch. The resulting IPSW you create will not touch the main filesystem – only the NOR will be rewritten.

The package with this README and the above bsdiff patches is available here.

For historical purposes, its sha1 hash was uploaded and timestamped a few days before this writeup was created, here and here.