[Bootloader] Anyway to downgrade from 4.6 to 3.9? - iPhone "2G" (Rev. 1) forum, Hackint0sh.org (page 2 of 23, posts 11 to 20 of 221)
  1. #11

    Quote Originally Posted by pspsully:
    Hi Eric, I can confirm that it is EEPROM and not EPROM.

    Guys, I want you to have a look at the following images; these are screenshots taken of the IDA Pro disassembler reverse engineering bbupdater:

    [IDA Pro screenshots of bbupdater; images not included]

    As you can CLEARLY see here, bbupdater has the ability to reflash the bootloader. It uses the command "-l" to flash a bootloader .fls file.

    If we can find a way to erase the bootloader with a program such as ieraser, we could then reflash the old bootloader .fls file to the phones using bbupdater.

    The major problem with this is that if you mess with the bootloader and something goes wrong, your phone is bricked, and since we don't know EXACTLY how bbupdater implements the -l command and reflashes the bootloader, it would be VERY risky to attempt to erase the bootloader and reflash an old one.

    I just posted these images to prove that a bootloader downgrade IS possible, but hopefully when we get the dump of the new bootloader we will be able to find an exploit and not have to risk a bootloader downgrade!!
    Even if we know a bootloader downgrade is possible, we still need to find an exploit in the baseband firmware which will allow an unsigned upload of the bootloader.

    So, we are back to Sikachu's two methods.

    For #1, I doubt they can easily find another exploit that will allow us to write an unsigned baseband firmware. I mean, how big is the bootloader? It should be really small. It has been two months since anySIM 1.0. We know Apple fixed the exploit that we were all using. But I think they probably fixed some other exploits too. Finding a hole in a small program is already not easy, plus not all exploits are useful to us: we need the kind of holes that enable us to write to the baseband firmware. The challenge is really big, I think.

    For #2, since the baseband firmware is bigger, it is likely to have more exploits than the bootloader. But then, like you said, it suffers from the risk of messing up the bootloader, which equals truly bricking the phone.

    I just hope that they really can find a new exploit in the bootloader that will again allow us to write to the baseband firmware, or that they can find a totally new approach.


  2. #12

    Quote Originally Posted by ALUOp:
    Even if we know a bootloader downgrade is possible, we still need to find an exploit in the baseband firmware which will allow an unsigned upload of the bootloader.
    But wouldn't the old 3.9 (or whatever it was) bootloader be signed, too? Or does it have to be newer?

  3. #13

    Quote Originally Posted by sirdir:
    But wouldn't the old 3.9 (or whatever it was) bootloader be signed, too? Or does it have to be newer?
    Not sure but I think so.
    Otherwise what is the point of requiring a signed copy? You could then always revert back to the old version that has some holes in it.

  4. #14

    Quote Originally Posted by ALUOp:
    Not sure but I think so.
    Otherwise what is the point of requiring a signed copy? You could then always revert back to the old version that has some holes in it.
    You see, that's my point: if we can re-write ieraser to erase the bootloader and not the baseband firmware, then a reflash won't have a version to check against when it goes to reflash.

    It'll work in the same way we downgrade the baseband: we delete the one that's there so we can downgrade to an older one!!
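The two posts above are arguing about where the version check lives. The toy model below is an added illustration, not code from this thread, from bbupdater, or from the phone's actual baseband (whose checks nobody in the thread has seen). It assumes a hypothetical signed image format with a version field, a keyed FNV-1a tag standing in for the real vendor signature, and two update policies: one that compares the new image's version against whatever is currently in flash (pspsully's model, where an erase removes the thing being compared against), and one that compares against a monotonic counter kept outside the erasable region (the model ALUOp is worried about). Version numbers 46 and 39 stand in for 4.6 and 3.9.

```c
/* Added toy model of signed-image update policies; hypothetical, not iPhone code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_NO_VERSION 0u   /* "nothing installed" after an ieraser-style erase */

/* A bootloader image as written to flash: version, payload, and a tag. */
struct fw_image {
    uint32_t version;
    uint8_t  payload[16];
    uint64_t tag;           /* stand-in for the vendor signature */
};

/* Toy keyed hash (FNV-1a over key || version || payload). Placeholder for the
 * real signature scheme, which this page does not describe. */
static uint64_t toy_sign(const uint8_t *key, size_t keylen, uint32_t version,
                         const uint8_t *payload, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t i;
    for (i = 0; i < keylen; i++) { h ^= key[i]; h *= 0x100000001b3ULL; }
    for (i = 0; i < 4; i++)      { h ^= (version >> (8 * i)) & 0xffu; h *= 0x100000001b3ULL; }
    for (i = 0; i < n; i++)      { h ^= payload[i]; h *= 0x100000001b3ULL; }
    return h;
}

static const uint8_t VENDOR_KEY[] = "constructed-vendor-key";  /* constructed key */

static int tag_ok(const struct fw_image *img) {
    return toy_sign(VENDOR_KEY, sizeof VENDOR_KEY - 1, img->version,
                    img->payload, sizeof img->payload) == img->tag;
}

/* Device state: what sits in the erasable flash region, plus a monotonic
 * minimum-version counter assumed to live somewhere an erase cannot reach. */
struct device {
    uint32_t installed_version;   /* IMG_NO_VERSION after an erase */
    uint32_t min_version_fuse;    /* never decreases; survives an erase */
};

/* Policy A: anti-rollback compares against the image currently installed. */
int update_compare_installed(struct device *d, const struct fw_image *img) {
    if (!tag_ok(img)) return -1;                          /* unsigned: refuse */
    if (img->version < d->installed_version) return -2;   /* older: refuse */
    d->installed_version = img->version;
    return 0;
}

/* Policy B: anti-rollback compares against the monotonic counter. */
int update_compare_fuse(struct device *d, const struct fw_image *img) {
    if (!tag_ok(img)) return -1;
    if (img->version < d->min_version_fuse) return -2;
    d->installed_version = img->version;
    if (img->version > d->min_version_fuse) d->min_version_fuse = img->version;
    return 0;
}

void erase_bootloader(struct device *d) { d->installed_version = IMG_NO_VERSION; }

/* Build a correctly tagged image, i.e. a genuine vendor-signed old release. */
struct fw_image make_image(uint32_t version, uint8_t fill) {
    struct fw_image img;
    img.version = version;
    memset(img.payload, fill, sizeof img.payload);
    img.tag = toy_sign(VENDOR_KEY, sizeof VENDOR_KEY - 1, version,
                       img.payload, sizeof img.payload);
    return img;
}

/* Erase-then-reflash of a signed 3.9 image under policy A: 0 means accepted. */
int scenario_policy_a(void) {
    struct device d = { 46u, 46u };
    struct fw_image old = make_image(39u, 0x39);
    if (update_compare_installed(&d, &old) != -2) return -100;  /* direct downgrade refused */
    erase_bootloader(&d);
    return update_compare_installed(&d, &old);                  /* nothing to compare: accepted */
}

/* Same trick under policy B: the counter survives the erase, so still -2. */
int scenario_policy_b(void) {
    struct device d = { 46u, 46u };
    struct fw_image old = make_image(39u, 0x39);
    erase_bootloader(&d);
    return update_compare_fuse(&d, &old);
}

/* A patched (unsigned) image fails the tag check under either policy: -1. */
int scenario_unsigned(void) {
    struct device d = { IMG_NO_VERSION, 0u };
    struct fw_image img = make_image(39u, 0x39);
    img.payload[0] ^= 1u;   /* one-bit patch invalidates the tag */
    return update_compare_fuse(&d, &img);
}

int main(void) {
    printf("policy A after erase: %d\n", scenario_policy_a());
    printf("policy B after erase: %d\n", scenario_policy_b());
    printf("unsigned image:       %d\n", scenario_unsigned());
    return 0;
}
```

The point of the model: erasing the installed image only helps if the rollback check reads its reference version from the region being erased (policy A). If the reference is a counter held elsewhere (policy B), the old 3.9 image is still signed and still refused, and only the tag check itself stands between an unsigned image and the flash, which is the exploit ALUOp says is needed either way.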

  5. #15

    Quote Originally Posted by pspsully:
    You see, that's my point: if we can re-write ieraser to erase the bootloader and not the baseband firmware, then a reflash won't have a version to check against when it goes to reflash.

    It'll work in the same way we downgrade the baseband: we delete the one that's there so we can downgrade to an older one!!
    First of all, what I am going to say is totally just my guess because I have absolutely no idea how ieraser works. So, please correct me if I am wrong.

    But I guess ieraser utilizes that unlocker-friendly exploit in bootloader 3.9 which allows us to write/erase the baseband firmware, unless there is another routine to just erase baseband firmware. If this is true, that means we still need to find a new exploit in the baseband firmware in order to erase/write the bootloader. This is the same as Sikachu's #2.
    Last edited by ALUOp; 11-20-2007 at 11:55 AM.


  6. #16

    It would be good to understand more how writes to the NOR are controlled. In my mind, I can see re-writing the old bootloader to the correct memory area as attractive but I am unsure of what prevents us from doing that.

    If anyone has pointers to some technical documentation on the baseband system - specifically what is involved in flashing /anything/ to the NOR then I would be very interested.

  7. #17

    Thanks pspsully!
    Those screenshots make me feel warm and happy; at least there is a chance to rewrite the BL.

    I really think that it's a matter of time for a true 1.1.2 unlocking solution now;
    there is a strong iPhone unlocking community and an awesome DevTeam.
    I hope my 1.1.2 OTB iPhone on my desk can be unlocked before the warm, warm Christmas.

    I don't want to refund my iPhone since I have confidence that the DevTeam and other experts like GeoHot will soon discover the exploit.

  8. #18

    Quote Originally Posted by ericeric:
    Thanks pspsully!
    Those screenshots make me feel warm and happy; at least there is a chance to rewrite the BL.

    I really think that it's a matter of time for a true 1.1.2 unlocking solution now;
    there is a strong iPhone unlocking community and an awesome DevTeam.
    I hope my 1.1.2 OTB iPhone on my desk can be unlocked before the warm, warm Christmas.

    I don't want to refund my iPhone since I have confidence that the DevTeam and other experts like GeoHot will soon discover the exploit.
    Oh jeez... you're not alone... I've got 5 OTB 1.1.2s on my desk... iPod touches I should say... grrrr!

  9. #19

    Has anyone tried flashing the bootloader? I did try (knowing that I might've bricked the phone totally) and it just hangs, the same way as if you were trying to flash the baseband.

  10. #20

    Quote Originally Posted by IMF2000:
    It would be good to understand more how writes to the NOR are controlled. In my mind, I can see re-writing the old bootloader to the correct memory area as attractive but I am unsure of what prevents us from doing that.

    If anyone has pointers to some technical documentation on the baseband system - specifically what is involved in flashing /anything/ to the NOR then I would be very interested.
    I read somewhere that it is an Intel NOR flash PF38F1030W0YTQ2.
    I think this is the correct document.
    Haven't read it yet but it should be in Chapter 12.

    http://download.intel.com/design/flc...s/29070114.pdf
