IBooter
From WinPwn
IBOOTER (console for iBoot)
What is iBooter?
iBooter is an interactive console for iBoot (the Apple bootloader). Most of you will have used iphuc, which also talks to iBoot. However, iphuc depends on iTunes' mobile device library and cannot read replies from iBoot, which results in one-way communication: you blindly say cmd setenv foo, but you never know what happened.
With iBooter you can debug phone booting issues, and run it on Linux/Mac OS/Windows without iTunes installed. You can use iBooter to read and write memory, load ramdisks, change your Wi-Fi MAC address, read files from NAND and much more!
Where to get it
You can get a copy of the binary from the following:
- iBooter for Windows. You will also need Libusbfilter 0.1.12. If this doesn't work for you, put your phone into recovery and then uninstall the driver via Device Manager. Then plug it back in and install the recovery driver.
- Vista support: use the standard Windows binary but follow this how-to.
- iBooter for Linux (2.6.x). This should work without libusb, since it is statically linked.
- iBooter for Mac OS X 10.5.2. You will need to install these USB libraries in /usr/local/lib for it to work.
You must put your phone into recovery for this to work. Turn off your iPhone then hit power and quickly hold home until you see the iTunes plugin screen. Type fsboot to get out of recovery.
Boot Message
This is what the boot message should look like (besides my pwn message):
    ***************************************
    iBooter tool by cmw ([email protected])
    Based on Geohot's kernel driver
    Check out www.iphonelinux.org
    ***************************************
    patch_list: 1801e850, patch_count: d
    =======================================
    ::
    :: iBoot, Copyright 2007, Apple Inc.
    ::
    :: BUILD_TAG: pwned-204.3.14
    ::
    :: BUILD_STYLE: RELEASE
    ::
    =======================================
Command List
Here is a command list for iBoot:
    command list:
    help            this list
    script          run script at specific address
    go              jump directly to address
    bootx           boot a kernel cache at specified address
    diags           boot into diagnostics (if present)
    tsys            boot into tsys (if present)
    bdev            block device commands
    image           flash image inspection
    fs              file system commands
    fsboot          try to boot kernel at /kernelcache
    devicetree      create a device tree from the specified address
    ramdisk         create a ramdisk from the specified address
    halt            halt the system (good for JTAG)
    reboot          reboot the device
    poweroff        power off the device
    md              memory display - 32bit
    mdh             memory display - 16bit
    mdb             memory display - 8bit
    mw              memory write - 32bit
    mwh             memory write - 16bit
    mwb             memory write - 8bit
    mws             memory write - string
    crc             POSIX 1003.2 checksum of memory
    printenv        print one or all environment variables
    setenv          set an environment variable
    clearenv        clear all environment variables
    saveenv         save current environment to flash
    run             use contents of environment var as script
    bgcolor         set the display background color
    setpicture      set the image on the display
    iic             iic read/write
    radio           Manipulate the radio board.
    setbusclock     Set bus clock to the given frequency in Hz.
    setcorevoltage  Set core voltage to the given voltage in mV.
    syscfg          flash SysCfg inspection
    charge          Manage the charger chip.
    powernvram      Access Power NVRAM.
    usb             run a USB command
    chunk           chunk a file
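The crc command in the list above is described as a POSIX 1003.2 checksum of memory. The following is an added reference implementation of that algorithm (the one the cksum(1) utility uses: CRC-32 with polynomial 0x04C11DB7, the byte length appended, result complemented), written for this page and not taken from iBooter or iBoot. It lets you checksum a memory region you have dumped to the host and compare it with what the device prints. It assumes, which the page does not confirm, that iBoot's crc follows the standard cksum algorithm exactly; the test vectors are the standard ones for cksum(1).

```python
# Added example (not iBooter's or iBoot's code): host-side POSIX 1003.2 checksum,
# for comparing a dumped memory region against the value iBoot's crc command reports.
# Assumption: iBoot's crc implements the standard cksum(1) algorithm.

POLY = 0x04C11DB7  # CRC-32 polynomial used by POSIX cksum (MSB-first, not reflected)


def _make_table():
    """Build the 256-entry lookup table for the MSB-first CRC-32 used by cksum."""
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ POLY) if (c & 0x80000000) else (c << 1)
        table.append(c & 0xFFFFFFFF)
    return table


CRC_TABLE = _make_table()


def posix_cksum(data: bytes) -> int:
    """Return the POSIX 1003.2 checksum of data, as cksum(1) prints it.

    The CRC runs over the data bytes, then over the byte length (least
    significant byte first, as many bytes as needed), and the final value is
    complemented. An empty region therefore yields 0xFFFFFFFF.
    """
    crc = 0
    for b in data:
        crc = ((crc << 8) ^ CRC_TABLE[((crc >> 24) ^ b) & 0xFF]) & 0xFFFFFFFF
    n = len(data)
    while n:
        crc = ((crc << 8) ^ CRC_TABLE[((crc >> 24) ^ (n & 0xFF)) & 0xFF]) & 0xFFFFFFFF
        n >>= 8
    return (~crc) & 0xFFFFFFFF


def matches_device(dump: bytes, reported: int) -> bool:
    """True if the dumped region checksums to the value the console reported."""
    return posix_cksum(dump) == reported


if __name__ == "__main__":
    # Constructed sample input: the classic cksum test vector and an empty region.
    print(f"{posix_cksum(b'123456789'):08x}")  # 377a6011 (930766865, same as cksum(1))
    print(f"{posix_cksum(b''):08x}")           # ffffffff
```

A mismatch between the host-side value and the device's value tells you the dump is incomplete or corrupted (or that the device is not running the standard algorithm), which is exactly the check you want before trusting a memory dump taken over USB.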
How to
Change mac address
Download iBooter, connect to iBooter and type the following (replace xx:xx:xx:xx:xx:xx with the MAC address you want):
    setenv wifiaddr "xx:xx:xx:xx:xx:xx"
    printenv wifiaddr
    saveenv
    fsboot
It will look something like this:
    Entering recovery mode, starting command prompt
    ]
    ] setenv wifiaddr "01:1c:b2:1c:2b:40"
    setenv wifiaddr "01:1c:b2:1c:2b:40"
    ] printenv wifiaddr
    wifiaddr "01:1c:b2:1c:2b:40"
    ] saveenv
    saveenv
    ] fsboot
    fsboot
    HFSInitPartition: 0x1806c298
    Loading kernel cache at 0xb000000...data starts at 0xb000180
    done
    gBootArgs.commandLine = [ ]
    usb_interrupt_write: No error
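The whole point of iBooter over iphuc is that you see the reply, so it is worth checking that reply mechanically rather than by eye. The following is an added helper, written for this page and not part of iBooter, that validates the address before it goes into the environment, emits the four commands from the how-to, and parses the printenv reply (format taken from the session above: name, a space, the value in double quotes) to confirm the value that iBoot actually stored. It also reports the two flag bits of the first octet: a first octet with its lowest bit set, as in the 01:... sample above, is a group (multicast) address, which an interface should not use as its own; a made-up address normally sets bit 1 (locally administered) instead. The transcript in the block is a constructed sample modelled on the session above.

```python
# Added example (not iBooter's code): validate a Wi-Fi MAC address before it is
# written into the iBoot environment, emit the command sequence from the how-to,
# and confirm from the console reply that printenv echoed the intended value.
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# printenv reply format, as seen in the session above:  <name> "<value>"
PRINTENV_RE = re.compile(r'^(\w+)\s+"([^"]*)"\s*$')


def check_mac(mac: str) -> dict:
    """Validate xx:xx:xx:xx:xx:xx and report the two flag bits of the first octet."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated 48-bit MAC: {mac!r}")
    first = int(mac[:2], 16)
    return {
        # bit 0 set = group (multicast) address; not valid as a station's own address
        "multicast": bool(first & 0x01),
        # bit 1 set = locally administered; the usual choice for a made-up address
        "locally_administered": bool(first & 0x02),
    }


def build_script(mac: str) -> list:
    """The commands from the how-to: set, read back, persist to flash, boot normally."""
    check_mac(mac)  # raises on a malformed address before anything is sent
    return [f'setenv wifiaddr "{mac}"', "printenv wifiaddr", "saveenv", "fsboot"]


def find_env(transcript: str, name: str):
    """Return the value iBoot reported for name, or None if no printenv reply is seen.

    Echoed command lines ('] setenv ...' and 'setenv ...') do not match the
    reply pattern, so only the device's own 'name "value"' line is picked up.
    """
    for line in transcript.splitlines():
        m = PRINTENV_RE.match(line.strip())
        if m and m.group(1) == name:
            return m.group(2)
    return None


def confirm_set(transcript: str, mac: str) -> bool:
    """True only if the reply shows wifiaddr holding exactly the value we asked for."""
    value = find_env(transcript, "wifiaddr")
    return value is not None and value.lower() == mac.lower()


# Constructed sample transcript, modelled on the session shown above.
SAMPLE = """Entering recovery mode, starting command prompt
]
] setenv wifiaddr "02:1c:b2:1c:2b:40"
setenv wifiaddr "02:1c:b2:1c:2b:40"
] printenv wifiaddr
wifiaddr "02:1c:b2:1c:2b:40"
] saveenv
saveenv
"""

if __name__ == "__main__":
    for cmd in build_script("02:1c:b2:1c:2b:40"):
        print(cmd)
    print(check_mac("01:1c:b2:1c:2b:40"))          # {'multicast': True, 'locally_administered': False}
    print(confirm_set(SAMPLE, "02:1c:b2:1c:2b:40"))  # True
```

If confirm_set returns False, do not run saveenv: the setenv did not take (or took a different value), and persisting the environment to flash would only bake in the mistake.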
Contribute
If you like iBooter and would like to contribute to this project, you can do so by donating below: