The “3.9-fakeblank” bootloader presented here is a modified version of the official Apple 3.9 bootloader. It gives you the ability to run serial payloads when the S-Gold is reset, instead of running the bootloader.
The fakeblank bootloader currently is most useful to those who want to experiment with patches to the bootloader but don't want to risk “bricking” their S-Gold in a way that requires geohot's hardware-based A17 hack to recover. It also provides a means to run temporary (not flashed to NOR) code on the S-Gold CPU in a clean environment without the Nucleus OS running and without needing to erase/replace the baseband.
In short, the 3.9-fakeblank bootloader is a tool to enable further patching and experimentation with the iPhone's S-Gold CPU. It's a tool to help iPhone hackers.
A 4.6-fakeblank bootloader is also available.
As described on the pseudocode topic, the S-Gold low-level bootrom always accepts (if asked) a serial payload upon reset. But that serial payload is executed only if 4 special locations in the bootloader read back as “empty” (0xffffffff). The 3.9-fakeblank bootloader presents those 4 locations as “empty”.
In 3 of the 4 cases, patching the location to 0xffffffff has no impact on the normal execution of the bootloader. But one of the locations, 0xA000A5A0, cannot simply be patched to contain 0xffffffff because it's part of the normal code execution that starts the baseband. If you simply empty that location, your baseband won't get a chance to boot because your bootloader will get confused when it sees the 0xffffffff as an instruction.
The 3.9-fakeblank fixes that problem by modifying the instruction just before the “emptied” instruction at 0xA000A5A0. The modification jumps to an unused part of the bootloader which does what would have been done at 0xA000A5A0, then jumps back to the address just after 0xA000A5A0.
The original code around the 0xA000A5A0 location looks like this. The “+254” location corresponds to 0xA000A5A0.
imodecheck_worker+244  08 0B 9F E5    LDR   R0, =dword_1094
imodecheck_worker+248  00 00 90 E5    LDR   R0, [R0]
imodecheck_worker+24C  01 0A 80 E2    ADD   R0, R0, #0x1000
imodecheck_worker+250  6C 00 80 E2    ADD   R0, R0, #0x6C
imodecheck_worker+254
imodecheck_worker+254  checkblank_checks_here:
imodecheck_worker+254  04 00 90 E5    LDR   R0, [R0,#4]
imodecheck_worker+258  B0 00 D0 E1    LDRH  R0, [R0]
imodecheck_worker+25C  00 00 50 E3    CMP   R0, #0
imodecheck_worker+260  08 00 00 1A    BNE   loc_A7A0
You cannot simply turn that “04 00 90 E5” LDR instruction into “FF FF FF FF”.
In contrast, the 3.9-fakeblank code around the 0xA000A5A0 location looks like this:
imodecheck_worker+244  08 0B 9F E5    LDR   R0, =dword_1094
imodecheck_worker+248  00 00 90 E5    LDR   R0, [R0]
imodecheck_worker+24C  01 0A 80 E2    ADD   R0, R0, #0x1000
imodecheck_worker+250  D4 17 00 EA    B     loc_106C0
imodecheck_worker+250
imodecheck_worker+250  ; ---------------------------------------------------------------------------
imodecheck_worker+254  FF FF FF FF    checkblank_checks_here DCD 0xFFFFFFFF
imodecheck_worker+258  ; ---------------------------------------------------------------------------
imodecheck_worker+258
imodecheck_worker+258  loc_A770                          ; CODE XREF: ITCM:000106C8j
imodecheck_worker+258  B0 00 D0 E1    LDRH  R0, [R0]
imodecheck_worker+25C  00 00 50 E3    CMP   R0, #0
imodecheck_worker+260  08 00 00 1A    BNE   loc_A7A0
The instruction at +250 has been changed to branch to 0x106c0. That means the “code” at +254 is never executed.
Address 0x106c0 is part of a routine that happens to never be used in the current production iPhone. It's used only if the memory connected to the S-Gold is NAND flash. The iPhone uses NOR flash, not NAND, so it's safe to “re-use” that routine in the bootloader for our own purposes. Here's how it's being re-used in 3.9-fakeblank:
000106BC  ; ---------------------------------------------------------------------------
000106BC
000106BC  nand_lock_block                          ; DATA XREF: nor_probe:off_11138o
000106BC  1E FF 2F E1    BX    LR
000106BC
000106C0  ; ---------------------------------------------------------------------------
000106C0
000106C0  loc_106C0                                ; CODE XREF: imodecheck_worker+250j
000106C0  6C 00 80 E2    ADD   R0, R0, #0x6C
000106C4  04 00 90 E5    LDR   R0, [R0,#4]
000106C8  28 E8 FF EA    B     loc_A770
000106C8
If you compare the above code to the original code, you'll see that it accomplishes the same thing, but allows the dword at 0xA000A5A0 to be set to 0xffffffff.
For legal and ethical reasons, we cannot host the actual modified bootloader on the Dev wiki. That's copyrighted by Apple and/or Infineon, and the Dev team has always been about “patching, not piracy.”
Instead, we present the byte differences between the original 3.9BL and 3.9-fakeblank. Four dwords are changed to 0xffffffff. Another 5 dwords are modified as shown above to accommodate one of those 4 0xffffffff changes.
< 00000030 00 04 00 a0 ff fb ff 5f d0 05 00 a0 43 4a 4b 54 |......._....CJKT|
---
> 00000030 ff ff ff ff ff fb ff 5f d0 05 00 a0 43 4a 4b 54 |......._....CJKT|

< 0000a590 08 0b 9f e5 00 00 90 e5 01 0a 80 e2 6c 00 80 e2 |............l...|
< 0000a5a0 04 00 90 e5 b0 00 d0 e1 00 00 50 e3 08 00 00 1a |..........P.....|
---
> 0000a590 08 0b 9f e5 00 00 90 e5 01 0a 80 e2 d4 17 00 ea |................|
> 0000a5a0 ff ff ff ff b0 00 d0 e1 00 00 50 e3 08 00 00 1a |..........P.....|

< 000104f0 94 10 a0 e3 10 2a 9f e5 10 3a 9f e5 b0 30 d3 e1 |.....*...:...0..|
---
> 000104f0 1e ff 2f e1 6c 00 80 e2 04 00 90 e5 28 e8 ff ea |../.l.......(...|

< 00015c50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
---
> 00015c50 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 |................|

< 00017370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
---
> 00017370 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 |................|
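The claims made above (the trampoline at +250 does the same work as the original +250/+254 pair and comes back at +258; the four blank-check dwords read as 0xffffffff) can be checked mechanically against the diff. The script below is an added example and is not Dev wiki or Dev team code. It is a tiny interpreter for just the ARM encodings that occur in the listings (LDR/LDRH with an immediate offset, ADD/CMP with an immediate, B{cond}); the only bytes taken from the page are the hexdump rows of the diff, keyed by file offset. The RAM the code walks through (the literal pool word, which IDA shows as =dword_1094, the word at 0x1094 and the table it points to) is constructed so the two instruction sequences can be run offline. One thing worth noting: the IDA listings above label the same bytes 0x1CC higher than their file offsets (0x106c0 for the trampoline at file offset 0x104f4, loc_A770 for 0xa5a4, loc_A7A0 for 0xa5d4), so the example works in file offsets throughout and converts with that bias only to compare against the listing names.

```python
"""Mini ARM interpreter that checks the 3.9-fakeblank trampoline against the diff.

Added example (not Dev wiki / Dev team code). Instruction bytes are the rows of
the page's hexdump diff; RAM contents are constructed here.
"""

# "<" rows of the diff (original 3.9BL) and ">" rows (3.9-fakeblank), keyed by file offset.
ORIGINAL = {
    0x00030: bytes.fromhex("00 04 00 a0 ff fb ff 5f d0 05 00 a0 43 4a 4b 54"),
    0x0A590: bytes.fromhex("08 0b 9f e5 00 00 90 e5 01 0a 80 e2 6c 00 80 e2"),
    0x0A5A0: bytes.fromhex("04 00 90 e5 b0 00 d0 e1 00 00 50 e3 08 00 00 1a"),
    0x104F0: bytes.fromhex("94 10 a0 e3 10 2a 9f e5 10 3a 9f e5 b0 30 d3 e1"),
    0x15C50: bytes.fromhex("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"),
    0x17370: bytes.fromhex("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"),
}
FAKEBLANK = {
    0x00030: bytes.fromhex("ff ff ff ff ff fb ff 5f d0 05 00 a0 43 4a 4b 54"),
    0x0A590: bytes.fromhex("08 0b 9f e5 00 00 90 e5 01 0a 80 e2 d4 17 00 ea"),
    0x0A5A0: bytes.fromhex("ff ff ff ff b0 00 d0 e1 00 00 50 e3 08 00 00 1a"),
    0x104F0: bytes.fromhex("1e ff 2f e1 6c 00 80 e2 04 00 90 e5 28 e8 ff ea"),
    0x15C50: bytes.fromhex("00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00"),
    0x17370: bytes.fromhex("ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00"),
}

# File offsets of the four dwords the diff turns into 0xffffffff (the bootrom's blank checks).
BLANK_CHECK_OFFSETS = (0x30, 0xA5A0, 0x15C58, 0x17370)
# Derived from the page's labels: listing address = file offset + 0x1CC (0x104f4 -> 0x106c0).
LISTING_BIAS = 0x1CC

# Constructed RAM (not from the page): the literal pool word fetched by the first LDR
# (PC+8 + imm12 0xB08), then a pointer chain ending in a non-zero halfword so BNE is taken.
LITERAL_POOL = 0xA590 + 8 + 0xB08
CONSTRUCTED_RAM = {
    LITERAL_POOL: 0x00001094,            # IDA shows this literal as =dword_1094
    0x1094: 0x00020000,                  # LDR R0, [R0]
    0x20000 + 0x1000 + 0x6C + 4: 0x00030000,   # after the two ADDs and LDR R0, [R0,#4]
    0x30000: 0x00000007,                 # LDRH reads the low halfword -> 7
}


class Memory:
    """Byte-addressed little-endian memory; reads of unmapped bytes raise."""
    def __init__(self, code, ram):
        self.b = {}
        for base, blob in code.items():
            for i, byte in enumerate(blob):
                self.b[base + i] = byte
        for addr, word in ram.items():
            for i in range(4):
                self.b[addr + i] = (word >> (8 * i)) & 0xFF

    def read(self, addr, size):
        if any(addr + i not in self.b for i in range(size)):
            raise KeyError(f"unmapped read at {addr:#x}")
        return int.from_bytes(bytes(self.b[addr + i] for i in range(size)), "little")


def branch_target(pc, word):
    """Target of an ARM B{cond} at address pc: PC+8 plus sign-extended imm24 * 4."""
    imm = word & 0xFFFFFF
    if imm & 0x800000:
        imm -= 0x1000000
    return (pc + 8 + imm * 4) & 0xFFFFFFFF


def rotate_imm(word):
    """Data-processing immediate: 8-bit value rotated right by 2 * rot."""
    rot, val = ((word >> 8) & 0xF) * 2, word & 0xFF
    return ((val >> rot) | (val << (32 - rot))) & 0xFFFFFFFF


def listing_address(file_offset):
    return file_offset + LISTING_BIAS


def blank_check_words(code):
    """The four dwords the bootrom reads back before it will run a serial payload."""
    mem = Memory(code, {})
    return tuple(mem.read(off, 4) for off in BLANK_CHECK_OFFSETS)


def run(code, start=0xA590, stop=0xA5D4, ram=CONSTRUCTED_RAM, max_steps=32):
    """Execute from start until pc == stop (the BNE target). Returns (R0, list of pcs executed)."""
    mem, r, z, pcs, pc = Memory(code, ram), [0] * 16, False, [], start
    while pc != stop:
        if len(pcs) >= max_steps:
            raise RuntimeError("runaway execution")
        pcs.append(pc)
        w = mem.read(pc, 4)
        cond, cls = w >> 28, (w >> 25) & 0x7
        rn, rd = (w >> 16) & 0xF, (w >> 12) & 0xF
        rn_val = pc + 8 if rn == 15 else r[rn]          # PC reads as PC+8
        nxt = pc + 4
        if cond == 0xE or (cond == 0x1 and not z):      # AL, or NE with Z clear
            if cls == 0b101:                                             # B{cond} label
                nxt = branch_target(pc, w)
            elif cls == 0b001 and (w >> 21) & 0xF == 0b0100:             # ADD Rd, Rn, #imm
                r[rd] = (rn_val + rotate_imm(w)) & 0xFFFFFFFF
            elif cls == 0b001 and (w >> 21) & 0xF == 0b1010:             # CMP Rn, #imm (Z only)
                z = ((rn_val - rotate_imm(w)) & 0xFFFFFFFF) == 0
            elif cls == 0b010 and (w & 0x01F00000) == 0x01900000:        # LDR Rd, [Rn, #imm12]
                r[rd] = mem.read(rn_val + (w & 0xFFF), 4)
            elif cls == 0b000 and (w & 0x0E5000F0) == 0x005000B0:        # LDRH Rd, [Rn, #imm8]
                r[rd] = mem.read(rn_val + (((w >> 4) & 0xF0) | (w & 0xF)), 2)
            else:                                        # e.g. 0xffffffff executed as code
                raise NotImplementedError(f"{w:#010x} at {pc:#x}")
        elif cond != 0x1:
            raise NotImplementedError(f"condition {cond:#x} at {pc:#x}")
        pc = nxt
    return r[0], pcs


if __name__ == "__main__":
    for name, code in (("original", ORIGINAL), ("fakeblank", FAKEBLANK)):
        r0, pcs = run(code)
        print(f"{name}: R0={r0:#x} path={[f'{p:#x}' for p in pcs]}")
        print("  blank-check words:", [f"{wd:#010x}" for wd in blank_check_words(code)])
```

Running it shows both images reach the BNE at 0xa5ac with the same R0 and flags; the fakeblank path never touches 0xa5a0 (it goes +250 -> 0x104f4 -> 0x104fc -> +258), and only the fakeblank image returns 0xffffffff for all four blank-check words. Feeding the interpreter the fakeblank image with the branch at +250 reverted would make it hit the 0xffffffff word and raise, which is the “bootloader gets confused” case described earlier.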
sping – A small program to test whether your bootrom is accepting and executing serial payloads. Just unload the CommCenter and run sping from an ssh session or Terminal.app.
swdump – Dumps your wifi tables (see related hackint0sh thread http://hackint0sh.org/forum/showthread.php?t=38188)
dosyslog – Enables or disables the syslog text log
Please visit this hackint0sh.org thread for discussion about this code and how to use it.