I use Debian 7.0 with bsdiff:

bspatch iapd iapd_patched iapd.bspatch

Size of iapd: 1.1 MB
Size of iapd_patched: 609.4 KB

The new file does not work. When I restart, the touch screen doesn't work and I can't enter the unlock code... iSchmave, can you post the patched iapd? Sorry for my English. Thank you!

Last edited by nosferat; 10-27-2008 at 06:25 AM.
Even if I did, you would have the same problem.
You have to chmod 777 the new binary (over wifi) and restart.
Mmm... I don't know why, but... the end of the file:

Original IAPD:
3C2F706C6973743E0AFADE0B0100000008000000000000000000000000000000

Patched IAPD:
001A2A9000EB000090E5110050E300F18F9635F5FFEA2A00F8EA110000EA1200

I tried chmod... nothing. 8(
Hmm... How can I apply this "bspatch" if I have only Windows on my desktop? Does any Windows analog of bspatch exist? For me it's much easier to work in a hex editor, but then I need a table like:

Offset | Original byte | New byte
-------+---------------+---------
AA05   | 4E            | 4F
...and so on...

Please help!
This patch is for 2.0 only. In 2.1 iapd is much larger.

SamMan: iapd (2.1): change 0x124A4 and 0x8DE8 to 00 00 A0 E1. Also you have to re-sign iapd with "ldid -S" after modifying it.

Last edited by comcute; 10-31-2008 at 09:57 PM.
2comcute:

Thanks for trying to help! What I did:

1. Get the original iapd from OS 2.1 and open it in a hex editor (in Windows).
2. Find hex offset 8DE8 and change the four bytes starting from this point to 00 00 A0 E1.
3. The same for hex offset 124A4.
4. Save the new version of iapd.
5. Put the edited version of iapd in /System/Library/PrivateFrameworks/IAP.framework/Support, replacing the original one.
6. In the terminal execute the command: ldid -S /System/Library/PrivateFrameworks/IAP.framework/Support/iapd (by the way, at this point I didn't get any error message, but I also didn't get any confirmation message, just one line on the terminal. Is that normal?).
7. Change the permissions of the edited, re-signed (I hope!) iapd to 0755.
8. And reboot the iPhone.

It's all in vain. (( After ~90 sec. of normal work with the non-Apple AV cable the TV screen just goes black and the iPhone returns to the list of video files on it. The only "achievement": the nag screen "This accessory is..." doesn't appear anymore. That's all! HELP!
This is what you have to do:

Find SecKeyRawVerify. After it, it will compare a register with some constant (I forgot which) and you must change the proceeding beq 0xwhatever to b 0xwhatever. That will kill the nag message forever.

The 90 sec thing is harder to kill. Go into gdb and type info func CFRunLoopAddTimer and note down on paper EVERY offset for CFRunLoopAddTimer. Set a break at the first one, plug in the cable and see if it goes more than 90 sec. If it doesn't, cross that one off and repeat. If you do find one, that is it; there could be more, so check ALL of them. What CFRunLoopAddTimer does is add the check timer, which fires every 90 secs or so and throws you back to the video screen. You only have to nop them out, and if I remember correctly an ARM little-endian nop is 00 00 a0 e1.

So, armed with that knowledge, someone go forth and patch fw 2.1! Or send me an Australian iPhone so I can upgrade to 2.1 and patch it myself!
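The three things this thread keeps coming back to (comcute's "change offset X to 00 00 A0 E1", SamMan's request for an offset/original/new table to use in a hex editor, and iSchmave's "turn the beq into a b and nop out the call sites") are all byte-level edits of a little-endian ARM binary. The script below is an added example, not code posted by anyone in this thread and not the real iapd offsets: it operates on a constructed 32-byte sample with a beq and a bl at made-up offsets, checks the bytes it expects to find before writing anything (so a 2.0 patch applied to a 2.1 binary fails instead of producing the garbage nosferat saw), flips a conditional branch to an unconditional one by rewriting the condition nibble, and prints the offset table. Re-signing with ldid -S and fixing permissions, as the posts above say, still has to be done afterwards.

```python
"""Offset-level patching of a little-endian ARM binary with before/after
checking. Added example for this thread; the sample "binary", its offsets
and its patch list are constructed and are NOT the real iapd offsets."""
import struct

# ARM "mov r0, r0" (0xE1A00000) in little-endian byte order, as in the thread.
ARM_NOP = bytes.fromhex("0000a0e1")

COND_AL = 0xE  # condition field value for "always"


def make_branch_unconditional(word_le: bytes) -> bytes:
    """Turn a conditional B/BL (beq, bne, ...) into an always-taken one.

    Bits 27:25 must be 0b101 (branch encoding); bits 31:28 hold the
    condition and are rewritten to AL. The branch target is untouched."""
    if len(word_le) != 4:
        raise ValueError("ARM instructions are 4 bytes")
    (word,) = struct.unpack("<I", word_le)
    if (word >> 25) & 0x7 != 0b101:
        raise ValueError("not a B/BL encoding: %08x" % word)
    word = (word & 0x0FFFFFFF) | (COND_AL << 28)
    return struct.pack("<I", word)


def apply_patches(data: bytes, patches):
    """patches: iterable of (offset, expected_bytes, new_bytes).

    All expected bytes are verified before anything is written, so a patch
    meant for one firmware version fails loudly on another instead of
    silently corrupting the file. Returns (patched_bytes, rows) where rows
    are (offset, original_byte, new_byte) tuples, one per changed byte."""
    out = bytearray(data)
    for off, expected, new in patches:
        if len(expected) != len(new):
            raise ValueError("patch at 0x%X changes the file length" % off)
        actual = bytes(out[off:off + len(expected)])
        if actual != expected:
            raise ValueError("offset 0x%X: expected %s, found %s"
                             % (off, expected.hex(), actual.hex()))
    rows = []
    for off, expected, new in patches:
        for i, (o, n) in enumerate(zip(expected, new)):
            if o != n:
                rows.append((off + i, o, n))
        out[off:off + len(new)] = new
    return bytes(out), rows


def format_table(rows) -> str:
    """The Offset | Original | New listing a hex-editor user asked for."""
    lines = ["Offset | Original | New", "-------+----------+----"]
    for off, o, n in rows:
        lines.append("%06X | %-8s | %02X" % (off, "%02X" % o, n))
    return "\n".join(lines)


# Constructed sample binary: zero filler with a beq and a bl at known spots.
_sample = bytearray(b"\x00" * 32)
_sample[0x08:0x0C] = struct.pack("<I", 0x0A000005)   # beq  (cond EQ)
_sample[0x14:0x18] = struct.pack("<I", 0xEB000123)   # bl   some_function
SAMPLE = bytes(_sample)

# Hypothetical patch list for the sample, mirroring the thread's advice:
PATCHES = [
    # after the compare: beq -> b, so the "verified" path is always taken
    (0x08, SAMPLE[0x08:0x0C], make_branch_unconditional(SAMPLE[0x08:0x0C])),
    # a call site (think CFRunLoopAddTimer): bl -> mov r0, r0
    # note: r0 then keeps whatever the caller loaded as the first argument
    (0x14, SAMPLE[0x14:0x18], ARM_NOP),
]


def patch_sample():
    """Apply PATCHES to SAMPLE; returns (patched_bytes, rows)."""
    return apply_patches(SAMPLE, PATCHES)


if __name__ == "__main__":
    patched, rows = patch_sample()
    print(format_table(rows))
```

The beq at 0x08 becomes 05 00 00 EA (only the top byte changes, 0A to EA), and the bl at 0x14 becomes 00 00 A0 E1. On a real binary you would build the patch list from the original file's bytes at the offsets found in gdb, then run the result through ldid -S and chmod 0755 as described above.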
2iSchmave:

Thanks for the reply! Debugging on the iPhone is a new one on me, but I will try. A couple of questions:

>> find SecKeyRawVerify, after it

Sorry, after WHAT??

>> you only have to nop them out

What should I nop out: THE CALL to the function CFRunLoopAddTimer, OR CFRunLoopAddTimer itself (i.e. the whole body of the function)? I think I must do the first (the call), but just in case...

And again, thank you for your help!