|Home » Industry Watch (» The Technological » Hall of Monkeys » Heroes Banquet)
iPhone Bootloader: Hackint0sh Progress Report
'We have another in.'
6 July — 'I REPEAT, A FULL INTERACTIVE SHELL'
Your friends at #iPhone made a major breakthrough this morning.
we got a serial console working, here is how
the serial has the same pinouts as iPod serial
use a 6.8kish resistor from pin 21 to gnd
tie pin 11-sergnd to the real ground
use iphoneinterface to send the following commands in recovery mode:
setenv debug-uarts 1
that should work
IT GIVES YOU A FULL INTERACTIVE SHELL
I REPEAT, A FULL INTERACTIVE SHELL
The command list is:
You need a level convertor, like the max 232 to make this work
|The bootloader is basically a dead end. Everything that goes into it must be signed, and without apples 1024-bit RSA private key, this isn't going to happen. Fortunately we have another in. We have basically full command over the file system and can upload, copy, and run files. I'll say this, ringtones would be a *trivial* thing to do now. We know the radio is accessible though software from from thisbbupdate dump. Once the toolchain is working, we can write a program to write to /dev/tty.baseband, and finally unlock this thing. Thanks|
bdev block device commands
bgcolor set the display background color
bootx boot a kernel cache at specified address
charge Manage the charger chip.
chunk chunk a file7/6/2007
clearenv clear all environment variables
crc POSIX 1003.2 checksum of memory
devicetree create a device tree from the specified address
diags boot into diagnostics (if present)
eload tftp via ethernet from hardcoded install server
fs file system commands
fsboot try to boot kernel at /kernelcache
go jump directly to address
halt halt the system (good for JTAG)
help this list
iic iic read/write
image flash image inspection
md memory display - 32bit
mdb memory display - 8bit
mdh memory display - 16bit
mw memory write - 32bit
mwb memory write - 8bit
mwh memory write - 16bit
mws memory write - string
nand nand flash routines
powernvram Access Power NVRAM
poweroff power off the device
printenv print one or all environment variables
radio Manipulate the radio board.
ramdisk create a ramdisk from the specified address
reboot reboot the device
run use contents of environment var as script
saveenv save current environment to flash
script run script at specific address
setbusclock Set bus clock to the given frequency in Hz.
setcorevoltage Set core voltage to the given voltage in mV.
setenv set an environment variable
setpicture set the image on the display
syscfg flash SysCfg inspection
task examine system tasks
tftp tftp via ethernet to/from device
tsys boot into tsys (if present)
usb run a USB command
Effective UID: 0
iPhone and the Media
iPhone OS X System Architecture
iPhone: A Bit of This, A Bit of That
Thanks to Devon at Pixel Groovy for the excellent artwork.