S-Gold bootrom check for blank bootloader

Geo's hardware trick convinces the bootrom that the bootloader is empty. Here is the bootrom code that's being tricked by the A17 pullup.

004004B0 ; int checkblank(void) -- decide whether the bootloader region of NOR is blank
004004B0 ;
004004B0 ; if values at these locations are all FFFFFFFF: A0000030,A000A5A0,A0015C58,A0017370
004004B0 ;    return 0
004004B0 ; else if value at A0000030 is complement of value at A0000034
004004B0 ;    (and the two low bits of the A0000030 value are clear, see TST below)
004004B0 ;    return 1
004004B0 ; else
004004B0 ;    return -1
004004B0 ;
004004B0 ; Every outcome is derived from words fetched through readnor, so the
004004B0 ; function trusts whatever the NOR bus presents; the A17 pullup described
004004B0 ; above makes those fetches read as erased (0xFFFFFFFF) and steers the
004004B0 ; function onto the "return 0" path. The walk stops at the first word of
004004B0 ; the last three that is not 0xFFFFFFFF and returns -1 without further reads.
004004B0 ;
004004B0 ; Registers: R4 = word at A0000030, R5 = word at A0000034 (both live across
004004B0 ; BL, hence callee-saved); R0 = argument and result of readnor.
004004B0 ; NOTE(review): readnor's contract (R0 = NOR address in, R0 = 32-bit word
004004B0 ; out) and setup_nor(0) are inferred from their use here, not documented.
004004B0 ;
004004B0
004004B0 checkblank
004004B0               STMFD   SP!, {R3-R5,LR}         ; save R4/R5 (live across BL) and LR; R3 is never used below
004004B4               MOV     R0, #0                  ; setup_nor(0)
004004B8               BL      setup_nor
004004B8
004004BC               LDR     R0, =0xA0000030         ; R0 = readnor(0xA0000030)
004004C0               BL      readnor
004004C0
004004C4               MOV     R4, R0                  ; R4 = word at A0000030, kept for the complement test
004004C8               CMN     R4, #1                  ; Z set iff R4 + 1 == 0, i.e. R4 == 0xFFFFFFFF (erased)
004004CC               BNE     loc_400520              ; not erased: go to the complement check
004004CC
004004D0               LDR     R0, =0xA000A5A0         ; R0 = readnor(0xA000A5A0)
004004D4               BL      readnor
004004D4
004004D8               CMN     R0, #1                  ; erased word?
004004DC               BEQ     loc_4004E8              ; yes: keep walking the list
004004DC
004004E0               MVN     R0, #0          ; return -1 (R0 = ~0), then fall into the epilogue
004004E0
004004E4
004004E4 locret_4004E4                         ; common epilogue for every return path
004004E4               LDMFD   SP!, {R3-R5,PC}         ; restore R3-R5; saved LR is popped straight into PC
004004E4
004004E8 ; ---------------------------------------------------------------------------
004004E8
004004E8 loc_4004E8                            ; CODE XREF: checkblank+2Cj
004004E8               LDR     R0, =0xA0015C58         ; R0 = readnor(0xA0015C58)
004004EC               BL      readnor
004004EC
004004F0               CMN     R0, #1                  ; erased word?
004004F4               BEQ     loc_400500              ; yes: check the last address
004004F4
004004F8               MOVL    R0, 0xFFFFFFFF  ; return -1 (MOVL = disassembler macro for a 32-bit literal load)
004004FC               B       locret_4004E4
004004FC
00400500 ; ---------------------------------------------------------------------------
00400500
00400500 loc_400500                            ; CODE XREF: checkblank+44j
00400500               LDR     R0, =0xA0017370         ; R0 = readnor(0xA0017370)
00400504               BL      readnor
00400504
00400508               CMN     R0, #1                  ; erased word?
0040050C               BEQ     return0                 ; all four words are 0xFFFFFFFF: blank
0040050C
00400510               MOVL    R0, 0xFFFFFFFF  ; return -1
00400514               B       locret_4004E4
00400514
00400518 ; ---------------------------------------------------------------------------
00400518
00400518 return0                               ; CODE XREF: checkblank+5Cj
00400518               MOV     R0, #0                  ; return 0: bootloader region reads as blank
0040051C               B       locret_4004E4
0040051C
00400520 ; ---------------------------------------------------------------------------
00400520
00400520 loc_400520                            ; CODE XREF: checkblank+1Cj
00400520               LDR     R0, =0xA0000034         ; R0 = readnor(0xA0000034)
00400524               BL      readnor
00400524
00400528               MOV     R5, R0                  ; R5 = word at A0000034
0040052C if (*(0xA0000030)&0x3)
0040052C   return -1
0040052C               TST     R4, #3                  ; Z clear if either low bit of the A0000030 word is set
00400530               BNE     loc_400540      ; return -1
00400530
00400534               MVN     R0, R5                  ; R0 = ~R5
00400538 if (*(0xA0000030) == ~(0xA0000034))
00400538   return 1
00400538
00400538               CMP     R4, R0                  ; word(A0000030) == ~word(A0000034) ?
0040053C               BEQ     return1
0040053C
00400540
00400540 loc_400540                            ; CODE XREF: checkblank+80j
00400540               MOVL    R0, 0xFFFFFFFF  ; return -1 (also reached by fall-through when CMP above fails)
00400544               B       locret_4004E4
00400544
00400548 ; ---------------------------------------------------------------------------
00400548
00400548 return1                               ; CODE XREF: checkblank+8Cj
00400548               MOV     R0, #1                  ; return 1: complement pair matched
0040054C               B       locret_4004E4
0040054C
0040054C ; End of function checkblank