3.9-fakeblank Bootloader

What it is

The “3.9-fakeblank” bootloader presented here is a modified version of the official Apple 3.9 bootloader. It gives you the ability to run serial payloads when the S-Gold is reset, instead of running the bootloader.

The fakeblank bootloader currently is most useful to those who want to experiment with patches to the bootloader but don't want to risk “bricking” their S-Gold in a way that requires geohot's hardware-based A17 hack to recover. It also provides a means to run temporary (not flashed to NOR) code on the S-Gold CPU in a clean environment without the Nucleus OS running and without needing to erase/replace the baseband.

In short, the 3.9-fakeblank bootloader is a tool to enable further patching and experimentation with the iPhone's S-Gold CPU. It's a tool to help iPhone hackers.

A 4.6-fakeblank bootloader is also available.

How it works

As described on the pseudocode topic, the S-Gold low-level bootrom always accepts (if asked) a serial payload upon reset. But that serial payload is executed only if 4 special locations in the bootloader readback as “empty” (0xffffffff). The 3.9-fakeblank bootloader presents those locations as “empty”.

In 3 of the 4 cases, patching the location to 0xffffffff has no impact on the normal execution of the bootloader. But one of the locations, 0xA000A5A0, cannot simply be patched to contain 0xffffffff because it's part of the normal code execution that starts the baseband. If you simply empty that location, your baseband won't get a chance to boot because your bootloader will get confused when it sees the 0xffffffff as an instruction.

The 3.9-fakeblank fixes that problem by modifying the instruction just before the “emptied” instruction at 0xA000A5A0. The modification jumps to an unused part of the bootloader which does what would have been done at 0xA000A5A0, then jumps back to the address just after 0xA000A5A0.

Details

Original code

The original code around the 0xA000A5A0 location looks like this. The ”+254” location corresponds to 0xA000A5A0.

imodecheck_worker+244  08 0B 9F E5                 LDR     R0, =dword_1094
imodecheck_worker+248  00 00 90 E5                 LDR     R0, [R0]
imodecheck_worker+24C  01 0A 80 E2                 ADD     R0, R0, #0x1000
imodecheck_worker+250  6C 00 80 E2                 ADD     R0, R0, #0x6C
imodecheck_worker+254
imodecheck_worker+254              checkblank_checks_here:
imodecheck_worker+254  04 00 90 E5                 LDR     R0, [R0,#4]
imodecheck_worker+258  B0 00 D0 E1                 LDRH    R0, [R0]
imodecheck_worker+25C  00 00 50 E3                 CMP     R0, #0
imodecheck_worker+260  08 00 00 1A                 BNE     loc_A7A0

You cannot simply turn that “04 00 90 E5” LDR instruction to “FF FF FF FF”

Modified code

In contrast, the 3.9-fakeblank code around the 0xA000A5A0 location looks like this:

imodecheck_worker+244  08 0B 9F E5                 LDR     R0, =dword_1094
imodecheck_worker+248  00 00 90 E5                 LDR     R0, [R0]
imodecheck_worker+24C  01 0A 80 E2                 ADD     R0, R0, #0x1000
imodecheck_worker+250  D4 17 00 EA                 B       loc_106C0
imodecheck_worker+250
imodecheck_worker+250              ; ---------------------------------------------------------------------------
imodecheck_worker+254  FF FF FF FF checkblank_checks_here DCD 0xFFFFFFFF
imodecheck_worker+258              ; ---------------------------------------------------------------------------
imodecheck_worker+258
imodecheck_worker+258              loc_A770                                          ; CODE XREF: ITCM:000106C8j
imodecheck_worker+258  B0 00 D0 E1                 LDRH    R0, [R0]
imodecheck_worker+25C  00 00 50 E3                 CMP     R0, #0
imodecheck_worker+260  08 00 00 1A                 BNE     loc_A7A0

The instruction at +250 has been changed to branch to 0x106c0. That means the “code” at +254 is never executed.

Address 0x106c0 is part of a routine that happens to never be used in the current production iPhone. It's used only if the memory connected to the S-Gold is NAND flash. The iPhone uses NOR flash, not NAND, so it's safe to “re-use” that routine in the bootloader for our own purposes. Here's how it's being re-used in 3.9-fakeblank:

000106BC             ; ---------------------------------------------------------------------------
000106BC
000106BC             nand_lock_block                                   ; DATA XREF: nor_probe:off_11138o
000106BC 1E FF 2F E1                 BX      LR
000106BC
000106C0             ; ---------------------------------------------------------------------------
000106C0
000106C0             loc_106C0                                         ; CODE XREF: imodecheck_worker+250j
000106C0 6C 00 80 E2                 ADD     R0, R0, #0x6C
000106C4 04 00 90 E5                 LDR     R0, [R0,#4]
000106C8 28 E8 FF EA                 B       loc_A770
000106C8

If you compare the above code to the original code, you'll see that it accomplishes the same thing, but allows the 0xA000A5A0 to be set to 0xffffffff.

Binary

For legal and ethical reasons, we cannot host the actual modified bootloader on the Dev wiki. That's copyrighted by Apple and/or Infineon, and the Dev team has always been about “patching, not piracy.”

Instead, we present the byte differences between original 3.9BL and 3.9-fakeblank. Four dwords are changed to 0xffffffff. Another 5 dwords are modified as shown above to accomodate one of those 4 0xffffffff changes.

< 00000030  00 04 00 a0 ff fb ff 5f  d0 05 00 a0 43 4a 4b 54  |......._....CJKT|
---
> 00000030  ff ff ff ff ff fb ff 5f  d0 05 00 a0 43 4a 4b 54  |......._....CJKT|
< 0000a590  08 0b 9f e5 00 00 90 e5  01 0a 80 e2 6c 00 80 e2  |............l...|
< 0000a5a0  04 00 90 e5 b0 00 d0 e1  00 00 50 e3 08 00 00 1a  |..........P.....|
---
> 0000a590  08 0b 9f e5 00 00 90 e5  01 0a 80 e2 d4 17 00 ea  |................|
> 0000a5a0  ff ff ff ff b0 00 d0 e1  00 00 50 e3 08 00 00 1a  |..........P.....|
< 000104f0  94 10 a0 e3 10 2a 9f e5  10 3a 9f e5 b0 30 d3 e1  |.....*...:...0..|
---
> 000104f0  1e ff 2f e1 6c 00 80 e2  04 00 90 e5 28 e8 ff ea  |../.l.......(...|
< 00015c50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
---
> 00015c50  00 00 00 00 00 00 00 00  ff ff ff ff 00 00 00 00  |................|
< 00017370  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
---
> 00017370  ff ff ff ff 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Utilities

sping – A small program to test whether your bootrom is accepting and executing serial payloads. Just unload the CommCenter and run sping from an ssh session or Terminal.app.

swdump – Dumps your wifi tables (see related hackint0sh thread http://hackint0sh.org/forum/showthread.php?t=38188)

dosyslog – Enable or disable syslog text log

Thanks

  • Thanks to geohot for his gbootloader and bldl serial payload examples, and for being so open (on his blog and in email) about all things iPhone.
  • Thanks to aCujo for his ideas and his seemingly unlimited cache of iPhones to try stuff out on.
  • Last but not least, thanks to Gray for his continued exploration of the bootloader and baseband.

Discussion

Please visit this hackint0sh.org thread for discussion about this code and how to use it.

sgold_bootrom/fakeblank.txt · Last modified: 2008/04/22 23:14 (external edit)
 
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki