From WinPwn

IBOOTER (console for iBoot)

What is iBooter?

iBooter is an interactive console for iBoot (the Apple bootloader). Most of you will have used iphuc, which also talks to iBoot. However, iphuc depends on iTunes' mobile device library and cannot read replies from iBoot, so communication is one-way: you blindly send "setenv foo" and never learn what happened.

With iBooter you can debug phone boot issues, and you can run it on Linux, Mac OS or Windows without iTunes installed. You can use iBooter to read and write memory, load ramdisks, change your Wi-Fi MAC address, read files from NAND and much more.

Where to get it

You can get a copy of the binary from the following:

You must put your phone into recovery mode for this to work: turn off your iPhone, then hit power and quickly hold home until you see the iTunes plug-in screen. Type fsboot to get out of recovery.

Boot Message

This is what the boot message should look like (besides my pwn message):

iBooter tool by cmw ([email protected])
Based on Geohot's kernel driver
Check out www.iphonelinux.org
patch_list: 1801e850, patch_count: d
:: iBoot, Copyright 2007, Apple Inc.
::      BUILD_TAG: pwned-204.3.14

Command List

Here is a command list for iBoot:

   command list:
       help           this list
       script         run script at specific address
       go             jump directly to address
       bootx          boot a kernel cache at specified address
       diags          boot into diagnostics (if present)
       tsys           boot into tsys (if present)
       bdev           block device commands
       image          flash image inspection
       fs             file system commands
       fsboot         try to boot kernel at /kernelcache
       devicetree     create a device tree from the specified address
       ramdisk        create a ramdisk from the specified address
       halt           halt the system (good for JTAG)
       reboot         reboot the device
       poweroff       power off the device
       md             memory display - 32bit
       mdh            memory display - 16bit
       mdb            memory display - 8bit
       mw             memory write - 32bit
       mwh            memory write - 16bit
       mwb            memory write - 8bit
       mws            memory write - string
       crc            POSIX 1003.2 checksum of memory
       printenv       print one or all environment variables
       setenv         set an environment variable
       clearenv       clear all environment variables
       saveenv        save current environment to flash
       run            use contents of environment var as script
       bgcolor        set the display background color
       setpicture     set the image on the display
       iic            iic read/write
       radio          Manipulate the radio board.
       setbusclock    Set bus clock to the given frequency in Hz.
       setcorevoltage Set core voltage to the given voltage in mV.
       syscfg         flash SysCfg inspection
       charge         Manage the charger chip.
       powernvram     Access Power NVRAM.
       usb            run a USB command
       chunk          chunk a file

How to

Change mac address

Download iBooter, connect to the device with it and type the following (replace xx:xx:xx:xx:xx:xx with the MAC address you want):

setenv wifiaddr "xx:xx:xx:xx:xx:xx"
printenv wifiaddr

It will look something like this:

 Entering recovery mode, starting command prompt
 ] setenv wifiaddr "01:1c:b2:1c:2b:40"
 setenv wifiaddr "01:1c:b2:1c:2b:40"
 ] printenv wifiaddr
 wifiaddr "01:1c:b2:1c:2b:40"
 ] saveenv
 ] fsboot
 HFSInitPartition: 0x1806c298
 Loading kernel cache at 0xb000000...data starts at 0xb000180
 gBootArgs.commandLine = [ ]
 usb_interrupt_write: No error
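iBoot's setenv stores whatever string it is given, so a malformed or unusable MAC is accepted silently and you only find out when Wi-Fi misbehaves after fsboot (the 01:... value in the transcript above, for instance, has the group/multicast bit of its first octet set). The following is an added example, not part of iBooter: it builds the setenv wifiaddr line, reports addresses a Wi-Fi driver would reject or that fall in a vendor-assigned range, and checks the printenv wifiaddr reply line (format taken from the session above) to confirm the value was actually stored. The sample reply is constructed.

```python
"""Validate a MAC before setenv wifiaddr and confirm it from the printenv
reply. Added example; the reply line format comes from the session above."""
import re

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")
# Shape of the reply to "printenv wifiaddr" as shown in the transcript.
_PRINTENV_RE = re.compile(r'^\s*wifiaddr\s+"([^"]*)"\s*$')


def parse_mac(text: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff into six bytes; reject anything else."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a colon-separated MAC address: {text!r}")
    return bytes(int(part, 16) for part in text.split(":"))


def mac_problems(mac: bytes) -> list:
    """Problems setenv will not catch. The I/G (group) and U/L
    (locally-administered) flags are bit 0 and bit 1 of the first octet."""
    problems = []
    if mac[0] & 0x01:
        problems.append("group (multicast) bit set: not a valid station address")
    if not mac[0] & 0x02:
        problems.append("locally-administered bit clear: address lies in a vendor-assigned range")
    if mac in (b"\x00" * 6, b"\xff" * 6):
        problems.append("all-zero or broadcast address")
    return problems


def setenv_command(mac_text: str) -> str:
    """The exact line to type at the ] prompt, normalised to lower case."""
    mac = parse_mac(mac_text)
    return 'setenv wifiaddr "%s"' % ":".join(f"{b:02x}" for b in mac)


def value_took(printenv_reply: str, wanted: str) -> bool:
    """True when the printenv wifiaddr reply carries the value we set;
    False if the variable is missing, unparsable, or holds something else."""
    for line in printenv_reply.splitlines():
        m = _PRINTENV_RE.match(line)
        if m:
            try:
                return parse_mac(m.group(1)) == parse_mac(wanted)
            except ValueError:
                return False
    return False


# Constructed reply, in the shape shown in the session transcript above.
SAMPLE_REPLY = ' wifiaddr "02:1c:b2:1c:2b:40"\n'

if __name__ == "__main__":
    for candidate in ("01:1c:b2:1c:2b:40", "02:1c:b2:1c:2b:40"):
        print(setenv_command(candidate), mac_problems(parse_mac(candidate)))
    print(value_took(SAMPLE_REPLY, "02:1C:B2:1C:2B:40"))
```

Run mac_problems on the address before typing it, and run value_took on the line iBooter prints after printenv wifiaddr; only after that returns True is it worth issuing saveenv, since saveenv commits the whole environment to flash.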


If you like iBooter and would like to contribute to this project, you can do so by donating below: