Spell I was ready and waiting for CPICH to finish the first bits of the NAND FTL reverse application work, I've been hard to fill in no of the gaps we had in otherwise places, so much as the PMU. As secure, here is also nowadays an easy way to instal openiboot onto the iPhone. This is great because it will eventually lead to an even throw and easier QuickPwn in the future.
One of the mistreatment surround about iBoot in recuperation modality is that the thing refuses to charge the iPhone spell posing in recuperation modality. The battery just eventually entirely drains. With the new PMU encrypt, openiboot nowadays recharges the battery, so programmers victimisation it (read: me) can just have it sit on the comfort screen indefinitely. You can also do refined belongings like check the electric current battery potential drop and check the power supply type the telecommunicate is charging from.
The "facility encrypt" consists of porting concluded my cognition of reading and modifying img3 files from excavation on the jailbreaks. I was too otiose to port concluded the whole xpwn frame, but I wrote up a "fast" turning that is ample to read and add img3 files in a limited forge. img3 files square measure take of the new indigene divide of the piping part of the NOR (just a constellate of img3 files concatenated unneurotic). The effect is that you can load openiboot as an img3 done iBoot (just like causing an iBEC image) and point type "instal" at the comfort and openiboot will be a stable stage in your bootloader chain. =P
You can, of course, keep booting up to the iPhone OS as you always do by selecting the derivative in the boot agenda. Commencement openiboot isn't precise functional leave off for hackers wanting to hack openiboot.
I also figured out how to analyse and add the NVRAM Sir Joseph Banks (storing geographic region variables like "auto-boot", etc.), which was actually unpointed complicated (in my public opinion). They have deuce Sir Joseph Banks consisting of a constellate of partitions with these headers that Edible fruit uses a unpointed one-byte trade check on. The whole bank is also checksumed with adler32. When NVRAM is restricted, the oldest bank is overwritten with the collection and becomes the newest bank (which is half-track by an period number on each bank). This is so if one bank becomes corrupted, the otherwise can be old as a blessing. However, NVRAM hardly contains thing high value so the value of no this trouble is tentative. Organism able-bodied to write to NVRAM, though, makes it possibility to set auto-boot on and off within openiboot so that we can easily control whether or not to enter iBoot's recuperation mode.
Person asked me how "safe" it was to do the facility, etc. Well, I've been doing it all time I make an news these life, so it's fairly safe. The rack up that can find in the familiar case is that you Gregorian calendar month be forced into a DFU modality regenerate. Everything will be disorganised with a regenerate. Early on, I did have bugs that really screwed belongings up so that a DFU modality regenerate was no mortal possibility, but even that was redeemable. I'll just go concluded how briefly:
The influential thing is to have a blessing of the NOR. As I delineated in a former poster, it's possibility to really screw belongings up if you kill the SysCfg section of the NOR. If you do that, the iPhone OS will refuse to boot at no since iBoot cannot properly people the tactical manoeuvre tree for the meat. Since regenerate ramdisks swear on XNU booting, this is Bad Tidings Bears. In suburb, the SysCfg section is tactical manoeuvre general, so if you do not have a blessing, it will be effortful to ever completely recuperate from erasing it.
Therefore, before you carry on, MAKE A BACKUP OF YOUR NOR. openiboot can do this for you (and subsequently regenerate your blessing if belongings go wrong).
Load openiboot via loadibec and pick out the comfort. Connect with the oibc case. Type in: nor_read 0x09000000 0x0 0x100000
This will read no of NOR into storage device. Point type: ~nordump.bin:0x100000
This will transfer the dump concluded USB onto your computing machine and save it as nordump.bin.
Supposing you filled the whole NOR with subject matter somehow and square measure able to boot. You have to get into openiboot to regenerate the NOR. The question is that openiboot is lone premeditated to operate in a post-LLB or post-Recovery Modality discourse, so it cannot be directly booted from DFU modality. Basically, you've got to load a pwned WTF, point a pwned iBSS, and point a pwned iBEC (no of which is easy from a trade IPSW). Aft that, you can use loadibec to load openiboot. Point, you can regenerate the NOR thus:
!nordump.bin
nor_write 0x09000000 0x0 0x100000
Aft that, you can boot and everything should be normal.
Also, I acceptable a small indefinite quantity responses for group volunteering to do the fine art. I'm not sure what the best thing would be, since I don't want anyone golf shot in exertion for zero, but we do want the best possibility results. So, I'll be deed back to you guys about that.