4.6-fakeblank Bootloader

What it is

Please refer to the top of the 3.9-fakeblank topic for a description of what a fakeblank bootloader is and how it can be used. This page details the 4.6BL version of fakeblank.

For 4.6BL, two of the four S-Gold bootrom check for blank bootloader locations require code patching to jump around the 0xffffffff bytes. The last of the 4 locations is an oddball as discussed below.

For most end-users, 4.6-fakeblank isn't as attractive as 3.9-fakeblank, because 3.9BL itself has fewer restrictions than 4.6BL. But for those who may want to peek/poke/probe/patch 4.6BL for development purposes, 4.6-fakeblank is a safety net in case your experiments go awry.

Details

Original code

This code surrounds the 0xA000A5A0 checkblank location:

sub_A000A46C+12C  07 00 50 E1                 CMP     R0, R7
sub_A000A46C+130  E4 FF FF 8A                 BHI     loc_A000A534
sub_A000A46C+130
sub_A000A46C+134
sub_A000A46C+134              checkblank_checks_here_1
sub_A000A46C+134  48 32 9D E5                 LDR     R3, [SP,#0x270+var_28]
sub_A000A46C+138  B8 30 D3 E1                 LDRH    R3, [R3,#8]

This code surrounds the 0xA0015C58 checkblank location:

sub_10C44+20   02 50 82 E2                 ADD     R5, R2, #2
sub_10C44+24   A8 4A 85 E5                 STR     R4, [R5,#0xAA8]
sub_10C44+28
sub_10C44+28               checkblank_checks_here_2
sub_10C44+28   00 C0 A0 E3                 MOV     R12, #0
sub_10C44+2C   06 00 00 EA                 B       loc_10C90

Modified code

This is the fakeblank code surrounding the 0xA000A5A0 checkblank location:

sub_A000A46C+12C  07 00 50 E1                 CMP     R0, R7
sub_A000A46C+130  17 3E 00 EA                 B       loc_A0019E00
sub_A000A46C+130
sub_A000A46C+130              ; ---------------------------------------------------------------------------
sub_A000A46C+134  FF FF FF FF checkblank_checks_here_1 DCD 0xFFFFFFFF
sub_A000A46C+138              ; ---------------------------------------------------------------------------
sub_A000A46C+138
sub_A000A46C+138              loc_A000A5A4                            ; CODE XREF: sub_A000A46C+F99Cj
sub_A000A46C+138  B8 30 D3 E1                 LDRH    R3, [R3,#8]

Some unused locations at 0xA0019E00 are used to complete that patch:

sub_A000A46C+F994             ; START OF FUNCTION CHUNK FOR sub_A000A46C
sub_A000A46C+F994
sub_A000A46C+F994             loc_A0019E00                            ; CODE XREF: sub_A000A46C+130j
sub_A000A46C+F994 CB C1 FF 8A                 BHI     loc_A000A534
sub_A000A46C+F994
sub_A000A46C+F998 48 32 9D E5                 LDR     R3, [SP,#0x24+arg_224]
sub_A000A46C+F99C E5 C1 FF EA                 B       loc_A000A5A4
sub_A000A46C+F99C

This is the fakeblank code surrounding the 0xA0015C58 checkblank location:

sub_10C44+20   02 50 82 E2                 ADD     R5, R2, #2
sub_10C44+24   BD FE FF EA                 B       loc_10764
sub_10C44+24
sub_10C44+24               ; ---------------------------------------------------------------------------
sub_10C44+28   FF FF FF FF checkblank_checks_here_2 DCD 0xFFFFFFFF
sub_10C44+2C               ; ---------------------------------------------------------------------------
sub_10C44+2C   06 00 00 EA                 B       loc_10C90

As with 3.9BL, part of the unused nand_lock_block() function is re-used for fakeblank:

00010760             nand_lock_block                         ; DATA XREF: nor_probe:off_111DCo
00010760 1E FF 2F E1                 BX      LR
00010760
sub_10C44-4E0              ; ---------------------------------------------------------------------------
sub_10C44-4E0              ; START OF FUNCTION CHUNK FOR sub_10C44
sub_10C44-4E0
sub_10C44-4E0              loc_10764                               ; CODE XREF: sub_10C44+24j
sub_10C44-4E0  A8 4A 85 E5                 STR     R4, [R5,#0xAA8]
sub_10C44-4DC  00 C0 A0 E3                 MOV     R12, #0
sub_10C44-4D8  47 01 00 EA                 B       loc_10C90
sub_10C44-4D8

Finally, here's the code surronding the 0xA0017370 checkblank location. Even though this falls right in the middle of some Thumb code, the address we care about is never reached. The compiler should have optimized this away, but it didn't, which makes this location patchable without requiring any extra work:

eblx4+6    02 20                       MOVS    R0, #2
eblx4+8    04 90                       STR     R0, [SP,#0x28+var_18]
eblx4+A                The following branch is never taken
eblx4+A                because the MOVS R0,#2 above make Z=0
eblx4+A    05 D0                       BEQ     checkblank_checks_here_3
eblx4+A
eblx4+C    CE 48                       LDR     R0, =eblfnxs
eblx4+E    00 68                       LDR     R0, [R0]
eblx4+10   80 30                       ADDS    R0, #0x80 ; '?'
eblx4+12   81 69                       LDR     R1, [R0,#0x18]
eblx4+14   01 91                       STR     R1, [SP,#0x28+var_24]
eblx4+16   04 E0                       B       loc_1238E
eblx4+16
eblx4+16               ; ---------------------------------------------------------------------------
eblx4+18   FF FF FF FF checkblank_checks_here_3 DCD 0xFFFFFFFF ; CODE XREF: eblx4+Aj
eblx4+1C               ; ----------------------------------------------------------------

Binary

For legal and ethical reasons, we cannot host the actual modified bootloader on the Dev wiki. That's copyrighted by Apple and/or Infineon, and the Dev team has always been about “patching, not piracy.”

If you do these patches correctly to the official 4.6BL 128KB binary, your new file should have an md5 checksum of f42fadd86fa301ab150df9fe847c6515 and sha-1 checksum of 518253a9a7d3edbbf269d104afd5e9b5f5714bc3.

< 00000030  00 04 00 a0 ff fb ff 5f  6c 06 00 a0 43 4a 4b 54  |......._l...CJKT|
---
> 00000030  ff ff ff ff ff fb ff 5f  6c 06 00 a0 43 4a 4b 54  |......._l...CJKT|
< 0000a590  48 02 9d e5 b8 00 d0 e1  07 00 50 e1 e4 ff ff 8a  |H.........P.....|
< 0000a5a0  48 32 9d e5 b8 30 d3 e1  03 11 85 e0 48 32 9d e5  |H2...0......H2..|
---
> 0000a590  48 02 9d e5 b8 00 d0 e1  07 00 50 e1 17 3e 00 ea  |H.........P..>..|
> 0000a5a0  ff ff ff ff b8 30 d3 e1  03 11 85 e0 48 32 9d e5  |.....0......H2..|
< 00015740  ff 10 a0 e3 b0 10 c0 e1  1e ff 2f e1 94 10 a0 e3  |........../.....|
< 00015750  10 2a 9f e5 10 3a 9f e5  b0 30 d3 e1 03 22 82 e0  |.*...:...0..."..|
---
> 00015740  ff 10 a0 e3 b0 10 c0 e1  1e ff 2f e1 1e ff 2f e1  |........../.../.|
> 00015750  a8 4a 85 e5 00 c0 a0 e3  47 01 00 ea 03 22 82 e0  |.J......G...."..|
< 00015c50  02 50 82 e2 a8 4a 85 e5  00 c0 a0 e3 06 00 00 ea  |.P...J..........|
---
> 00015c50  02 50 82 e2 bd fe ff ea  ff ff ff ff 06 00 00 ea  |.P..............|
< 00017370  cb 48 00 68 80 30 41 69  01 91 01 98 fe f7 00 ee  |.H.h.0Ai........|
---
> 00017370  ff ff ff ff 80 30 41 69  01 91 01 98 fe f7 00 ee  |.....0Ai........|
< 00019e00  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
---
> 00019e00  cb c1 ff 8a 48 32 9d e5  e5 c1 ff ea ff ff ff ff  |....H2..........|

Thanks

  • Thanks to geohot for his gbootloader and bldl serial payload examples, and for being so open (on his blog and in email) about all things iPhone.
  • Thanks to aCujo for his ideas and his seemingly unlimited cache of iPhones to try stuff out on.
  • Last but not least, thanks to Gray for his continued exploration of the bootloader and baseband.

Discussion

Please visit this hackint0sh.org thread for discussion about this code and how to use it.

sgold_bootrom/fakeblank46.txt · Last modified: 2008/03/05 10:02 (external edit)
 
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki