BootNeuter
by the iPhone Dev Team
http://iphone-dev.org

Overview

BootNeuter gives you total control of your first-gen iPhone's S-Gold bootloader and baseband.

It's an application you run right on your iPhone that lets you:

  • Neuter your bootloader
  • Unlock your baseband
  • Reflash your bootloader to 3.9BL or 4.6BL no matter what version you're at now (even if you're at 3.8BL)
  • Fakeblank your bootloader to let you run serial payloads directly on your S-Gold

Neutering

A neutered bootloader gives you absolute control over your baseband. The restrictions normally applied by the bootloader are completely lifted! With a neutered bootloader:

  • The baseband is no longer integrity-checked
    • Can be patched (unlocked or other custom modifications)
    • 4.6BL will even run with patched baseband – no need to revert to 3.9BL even with most recent firmware
  • Secpack restrictions are removed
    • You are free to downgrade your baseband using bbupdater without having to run ieraser/ienew first.
    • No longer does the “greater than” (4.6BL) or “greater than or equal” (3.9BL) rule apply. You can arbitrarily go up and down regardless of what secpacks you use.
  • Secpack signatures are ignored
    • The RSA encrypted header is no longer checked for correct hash values by the bootloader
    • The *.fls files can be patched and fed to bbupdater directly
    • A copy of the last used secpack will be saved at a03c0000, retrievable via norz or similar dumpers. Not that secpacks even matter anymore.
  • Your neuter selection survives iTunes restores and updates

Unlocking

BootNeuter gives you the option to unlock your 1.1.4 or 2.0 1G baseband. An unlocked baseband is patched, and would normally fail the integrity check done by the bootloader on recent firmware releases. The anySIM app written by gray forges the token in the baseband, which will trick 3.9BL but not 4.6BL. With a neutered phone, the integrity check is skipped completely. So now you can run recent firmware releases with a 4.6BL even if you've unlocked your baseband!

A neutered bootloader will let you use bbupdater on modified ICE*.fls files, so now you don't even need a separate app to unlock. As discussed on the simple_unlock page, you can now unlock the baseband before it even gets put on your iPhone!

Bootloader Version

If you found yourself downgraded to 3.9BL (without your consent) by running buggy software, the iPhone Dev Team comes to the rescue. With BootNeuter you can freely go back and forth between bootloader versions. Now you can truly restore your iPhone to its out-of-box condition.

Fakeblank

For iPhone hackers who want to be able to run serial payloads directly at S-Gold reboot time, BootNeuter lets you choose a fakeblank bootloader. If BootNeuter detects that your iPhone is currently fakeblanked, it will do all of its bootloader operations via serial payload and won't need to erase/reprogram the baseband to make bootloader changes.

For a real-world example of a serial payload utility that can be run on a fakeblanked iPhone, see the wifi fixer

Tips

  • Do not interrupt the flashing process. Some of the operations take a long time to complete, so don't jump the gun by exiting the application. Don't let your iPhone turn off either! It is very important to not interrupt the flashing process.
  • BootNeuter needs to run with root permissions to unload the CommCenter and access the interactive bootloader. So, it needs to be installed either via Pwnage or via a method that gives it suid-root privileges.
  • The optimal settings for end users are Neuter=On, FakeBlank=Off, Unlock=On. If you are a developer, set FakeBlank=On. Don't worry though, it's all reversible via BootNeuter.
  • During long flashing operations, you'll sometimes see WiFi dialog boxes pop up. Those can be safely canceled.

Credits and stuff

  • BootNeuter is brought to you by MuscleNerd, gray, chris, wizdaz, planetbeing, and the entire iPhone Dev Team. Thanks to geohot for the extended secpack erase method for those with 4.6 bootloaders.
  • BootNeuter is completely reversible (as is all of Pwnage).
  • This tool demonstrates that an application with root privileges can erase and reflash any bootloader. Be careful what applications you run, and never run them from a ramdisk (which is disintegrating as its being used). Unlike the main s5l8900 CPU, the S-Gold can actually be bricked
  • A neutered bootloader survives iTunes updates, even updates to 1.2.0 (aka 2.0). Unlike unlocking which requires a new patch for each firmware version, you only need to neuter once.
  • As effortless as BootNeuter makes it seem, bootloader flashing should not be taken lightly. BootNeuter won't reflash your bootloader if it detects that your desired bootloader settings match the current settings (for instance, if you are only changing the baseband lock status).
sgold_bootrom/bootneuter.txt · Last modified: 2008/07/20 09:41 (external edit)
 
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki