
Conclusive proof that there is no way to (accidentally) brick an s5l8900

Posted by planetbeing
In the process of testing NOR, I did a pretty lulzy thing. Remember what I said earlier about the memory controller possibly ignoring the first 4 bits? Well, the NOR device ignores the top 12 bits, since it's only 1 MB in total size. This makes a lot of sense. All the designers have to do is basically not wire up all parts of the address bus. So whether you try to address 0x0 or 0x100000 on the NOR, it looks the same to it.

The problem came about because I attempted to add too many images to NOR; a few 140 KB iBoot images can add up pretty quickly. The last one I added ended up spilling into the range reserved for NVRAM (at the end of NOR) and then "wrapped around" to overwrite SysCfg, IMG2, and part of the LLB. =P

Hahaha, that's the equivalent of shooting yourself simultaneously in all vital organs. SysCfg stores your SERIAL NUMBER and other unique, irreplaceable pieces of information. The NVRAM contains information iBoot needs to boot up the kernel. The LLB is the thing that securebl tries to load in order to access everything else on NOR and bootstrap iBoot. As the coup de grace, IMG2 contains information that allows the LLB and iBoot to find where the Img2 collection starts, so that they can be loaded. This mistake was basically the equivalent of erasing the whole NOR: every single piece of information on it was rendered useless. :P
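To make the wrap-around concrete, here is an added example (my own code, not part of the post or of the openiboot project) that models a 1 MB NOR whose top 12 address bits are not wired, shows how a 140 KB image written too close to the end lands back on offset 0, and adds the bounds check a flashing tool should perform before writing. The layout offsets (NVRAM reserved from 0xF0000, an image slot at 0xE0000) are constructed assumptions; the post only says SysCfg, IMG2 and the LLB sit at the start of NOR and NVRAM at the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the 1 MB NOR from the post: only the low 20 address
 * bits are wired up, so the top 12 bits of an address are simply ignored and
 * 0x0 and 0x100000 select the same byte. */
#define NOR_SIZE      0x100000u
#define NOR_ADDR_MASK (NOR_SIZE - 1u)

/* Assumed layout (hypothetical offsets, not from the post): the post only
 * says SysCfg/IMG2/LLB live at the start of NOR and NVRAM at the end. */
#define NVRAM_RESERVED_START 0xF0000u   /* assumed: last 64 KB is NVRAM */
#define IBOOT_IMAGE_SIZE     0x23000u   /* 140 KB, the image size the post mentions */

static uint8_t nor[NOR_SIZE];

/* Behaves like the hardware: an out-of-range address aliases, it never faults. */
static void nor_raw_write(uint32_t addr, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        nor[(addr + (uint32_t)i) & NOR_ADDR_MASK] = buf[i];
}

static uint8_t nor_read(uint32_t addr)
{
    return nor[addr & NOR_ADDR_MASK];
}

/* Number of bytes of a write at addr that land back at offset 0 of the device. */
static size_t bytes_wrapped(uint32_t addr, size_t len)
{
    uint64_t end = (uint64_t)(addr & NOR_ADDR_MASK) + len;
    return end > NOR_SIZE ? (size_t)(end - NOR_SIZE) : 0;
}

/* The check an image-flashing tool should make before touching NOR: the
 * image must start inside the device and end before the reserved NVRAM
 * range, which also rules out wrapping around to the start. */
static bool nor_write_image(uint32_t addr, const uint8_t *img, size_t len)
{
    uint64_t end = (uint64_t)addr + len;   /* 64-bit: the sum cannot overflow */
    if (addr >= NOR_SIZE || end > NVRAM_RESERVED_START)
        return false;
    nor_raw_write(addr, img, len);
    return true;
}

/* Reproduce the accident: a marker at offset 0 stands in for the start of
 * SysCfg; an image of len bytes is raw-written at addr; returns the byte at
 * offset 0 afterwards (0xAA if intact, fill if it was clobbered). */
static uint8_t simulate_spill(uint32_t addr, size_t len, uint8_t fill)
{
    memset(nor, 0, sizeof nor);
    nor[0] = 0xAA;
    uint8_t *img = malloc(len);
    if (!img) return 0;
    memset(img, fill, len);
    nor_raw_write(addr, img, len);
    free(img);
    return nor_read(0);
}

int main(void)
{
    uint8_t marker = 0x11;
    nor_raw_write(0x0u, &marker, 1);
    printf("byte at 0x100000 reads 0x%02x (aliases 0x0)\n", nor_read(0x100000u));

    uint32_t slot = 0xE0000u;  /* constructed: an image slot too close to the end */
    printf("140 KB image at 0x%x wraps %zu bytes back to offset 0\n",
           slot, bytes_wrapped(slot, IBOOT_IMAGE_SIZE));
    printf("raw write: SysCfg marker now 0x%02x\n",
           simulate_spill(slot, IBOOT_IMAGE_SIZE, 0x5A));

    uint8_t *img = calloc(IBOOT_IMAGE_SIZE, 1);
    if (!img) return 1;
    printf("checked write at 0x%x: %s\n", slot,
           nor_write_image(slot, img, IBOOT_IMAGE_SIZE) ? "accepted" : "rejected");
    printf("checked write at 0x%x: %s\n", 0x20000u,
           nor_write_image(0x20000u, img, IBOOT_IMAGE_SIZE) ? "accepted" : "rejected");
    free(img);
    return 0;
}
```

The raw write path is the hardware's behaviour and cannot be made safer; the point is that the software layer above it has to refuse any write whose end address crosses the reserved range, because the device itself will silently alias rather than fail.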

Luckily, as the first test of my NOR driver, I had made a dump of my original NOR, so I was able to restore the SysCfg information. The interesting bit about all this is that you don't even have to do a restore and lose all your data on the NAND, if you're clever. What I did was let iTunes talk to DFU mode to get into an iBoot. The iPhone actually has a pretty standard DFU mode, as defined by the USB standard. It reports itself as having the correct class, and OpenMoko's dfu-util manages to get, well, something with it. It successfully uploads the iBSS 8900 file (looking at a USB dump, it looks like just the whole file with the 8900 header, signatures, certificates, etc.) but reports that the firmware is corrupted. So at least it seems to use standard status indicators, etc. However, since I couldn't get dfu-util to work, I just used iTunes and pulled the cable out right after it finishes uploading the iBSS. DFU mode doesn't actually change the NOR, it just loads iBSS into memory and executes it. So after this process is finished, iBSS will be loaded and you can connect to it via iBooter.

If you had pulled out the cable just a little too late, you can even see the commands iTunes executed on iBSS in the scrollback, like setpicture and bgcolor. =P

Using the loaded 1.1.4 iBSS, you can bootstrap the necessary actions to restore your NVRAM from backup. I will talk about that in more detail in a future post. But the upshot is, even if you completely kill your "bootloader", and indeed, everything you can possibly write to on the iPhone, you can still get things back to normal. :)

Unfortunately, I probably won't have a chance to work on iPhoneLinux stuff much this week. I have already been activated by the Dev Team because you-know-what is happening. Time to hax.


yiPhone and other

Posted by George Hotz
I still can't believe how many people believed yiPhone. It's amazing how a couple lines of javascript (the counter) can piss so many people off. I was just trying to push dev to work a little harder ;-)
I have never finished the jailbreaks for any previous versions of the phone, what makes you think this one would be different? I also like to think I have more honor than using someone else's exploit before they do. And really, who was the person in the picture? Yorro? Once he exists, maybe yiPhone will exist.

Also, here's why a certain somebody claimed the DFU was the key. You could, without any exploits, download the 114 iBoot (even to the 3g), the 114 kernelcache (ok, this crashes on the 3g), and a hacked ramdisk. But the filesystems don't mount. And even if they did, you'd need a way around sig checking.

Here is a little program (with source of course) to run anything you want at the DFU level; an implementation of the dev pwnage 2.0 exploit. Pass it a binary file, it will start executing at the start of the file (no file formats to deal with). I'll leave it to dev to explain the exploit used.



Boot menu finished!

Posted by planetbeing

Well, that was quick. See, I can actually get things done pretty quickly when it doesn't involve bashing my head against machine code until it starts making sense. When I actually have the drivers, things like this are easy.

You can use the Hold button to switch between the menu items (and the option will be highlighted). You can press the Home button to select it. The "openiboot console" option takes you to the command-line interface similar to the one I demonstrated in the last post (you do have to be plugged in via USB and using the openiboot client to talk to it). The "iPhone OS" option chainloads a copy of iBoot stored in NOR under another identifier ('ibot' becomes openiboot and 'ibox' becomes the real iBoot). I got that set up with a slightly modified version of the QuickPwn ramdisk, but in the future an installer made from a modified version of LogoMe can be run from userland to install openiboot. It's also possible to get openiboot to install openiboot (much like the way GRUB can do it); I'll probably work on that next.

So if anyone likes living on the bleeding edge, they could do that. =P

Most of the hard part was me failing at GIMP while putting together the boot menu artwork. I appealed to you blog readers for artwork before, but basically no one responded. Now that there is a working model of what I kind of want, I hope there will be more of a response.

So, please please please design the boot menu for me. And possibly come up with a logo for the project we can stick on here. If you're good at this kind of thing, or know someone who is, please put them in touch. This stuff will obviously get a lot of attention in the future and we need nice eye-candy. Thanks!


Boot menu project is a go!

Posted by planetbeing

After a huge amount of effort and in-situ investigation with iBoot (basically a binary search through the code, disabling functions to see if I could figure out why my LCD driver wasn't working properly), I managed to get it fully working. The problem was three-fold: first, I forgot to write the first and last bytes of my gamma tables: oops, but easily fixed. The second problem was that apparently iBoot changes the SDIV of the clock in the middle of the initialization process. I'm not even sure yet how many devices the change in clock frequency affects. It certainly affected the LCD, because before there was all sorts of flickering scanline weirdness as one would expect from a misconfigured clock.

Anyway, I reversed the function that changed the SDIV and implemented it. Seems to work fine now. It's been ages since I looked into the clock speed stuff (pretty much right when I first started this) so I can't say for certain, but I'm pretty sure doing this increases the clock speed (which would make sense).

The LCD driver worked after those fixes and I went on to write a simple framebuffer in a couple of hours, so we can finally get text-mode output on the iPhone screen. It was pretty important to me to get the screen working because even if we can boot a kernel, I wanted the user to feel like a full-fledged OS was running on the device, and that means display and I/O of all sorts.

For a final touch, I also wrote some code that lets us detect when the physical buttons (Home, Hold, etc.) are being pressed down. From these pieces, it will be possible to construct a graphical boot menu controlled by those buttons. You could have one option to boot into the iPhone OS, and one option to go into openiboot command-line mode with that text-mode display.

The picture I posted is the current development snapshot running on a first generation iPhone, with oibc (openiboot client) alongside it, running on my desktop computer. If you have a 2G iPhone or a first-gen iPod touch, you can try it out yourself by checking out the code from Github and compiling it (it's only designed to be built on a UNIX machine; you'll be missing some UNIX headers otherwise). I wrote some basic notes on how to get it running inside the source tree, but this is not something you're expected to work with unless you're a fairly experienced programmer yourself.
