Rixstep
	`About \| ACP \| Buy \| Industry Watch \| Learning Curve \| News \| Products \| Search \| Substack`

Home » Industry Watch

iPhone Bootloader: Hackint0sh Progress Report

'We have another in.'

6 July — 'I REPEAT, A FULL INTERACTIVE SHELL'

Your friends at #iPhone made a major breakthrough this morning.
we got a serial console working, here is how
the serial has the same pinouts as iPod serial
use a 6.8kish resistor from pin 21 to gnd
tie pin 11-sergnd to the real ground
use iphoneinterface to send the following commands in recovery mode:
setenv debug-uarts 1
saveenv
reboot
that should work

IT GIVES YOU A FULL INTERACTIVE SHELL
I REPEAT, A FULL INTERACTIVE SHELL

The command list is:
http://iphone.fiveforty.net/geohot/cmdlist.txt

You need a level convertor, like the max 232 to make this work

DIGG: http://digg.com/apple/iPhone_serial_mode_popped_open_full_shell_access

9 July

The bootloader is basically a dead end. Everything that goes into it must be signed, and without apples 1024-bit RSA private key, this isn't going to happen. Fortunately we have another in. We have basically full command over the file system and can upload, copy, and run files. I'll say this, ringtones would be a *trivial* thing to do now. We know the radio is accessible though software from from thisbbupdate dump. Once the toolchain is working, we can write a program to write to /dev/tty.baseband, and finally unlock this thing. Thanks

cmdlist.txt

bdev           block device commands
bgcolor        set the display background color
bootx          boot a kernel cache at specified address
charge         Manage the charger chip.
chunk          chunk a file7/6/2007
clearenv       clear all environment variables
crc            POSIX 1003.2 checksum of memory
devicetree     create a device tree from the specified address
diags          boot into diagnostics (if present)
eload          tftp via ethernet from hardcoded install server
fs             file system commands
fsboot         try to boot kernel at /kernelcache
go             jump directly to address
halt           halt the system (good for JTAG)
help           this list
iic            iic read/write
image          flash image inspection
md             memory display - 32bit
mdb            memory display - 8bit
mdh            memory display - 16bit
mw             memory write - 32bit
mwb            memory write - 8bit
mwh            memory write - 16bit
mws            memory write - string
nand           nand flash routines
powernvram     Access Power NVRAM
poweroff       power off the device
printenv       print one or all environment variables
radio          Manipulate the radio board.
ramdisk        create a ramdisk from the specified address
reboot         reboot the device
run            use contents of environment var as script
saveenv        save current environment to flash
script         run script at specific address
setbusclock    Set bus clock to the given frequency in Hz.
setcorevoltage Set core voltage to the given voltage in mV.
setenv         set an environment variable
setpicture     set the image on the display
syscfg         flash SysCfg inspection
task           examine system tasks
tftp           tftp via ethernet to/from device
tsys           boot into tsys (if present)
usb            run a USB command

Thanks to Devon at Pixel Groovy for the excellent artwork.