Tuesday, July 31, 2007
Priorities...
JTAG: This is a sure unlock, but it is hard to find. I don't think it is on the dock connector, instead I think pins 7-10 are the network port. I am going to spend the reset of the day trying to power up of baseband board standalone.
AH5DD: This is the "Apple H5 Debug Dock" H5 is low level serial over bluetooth protocol. See here for the spec. The iPhone is believed to output a very low level signal that can be picked up and connected too. I've heard that a patch exists for BlueZ to implement H5. I'm not sure what you would see if you did establish a connection, but "debug" is always cool.
Baseband Bootloader: The baseband bootloader has an interactive mode which is used to download the firmware/eeprom. It also supports reading of the data. This could lead to a memory dump, which would make the firmware *so* much easier to follow.
I want to keep everyone updated with the fronts the unlock is being tackled from, and if I ever post something like 'we are working on "several fronts" for an unlock' and leave it at that, please slap me :-)
AH5DD: This is the "Apple H5 Debug Dock" H5 is low level serial over bluetooth protocol. See here for the spec. The iPhone is believed to output a very low level signal that can be picked up and connected too. I've heard that a patch exists for BlueZ to implement H5. I'm not sure what you would see if you did establish a connection, but "debug" is always cool.
Baseband Bootloader: The baseband bootloader has an interactive mode which is used to download the firmware/eeprom. It also supports reading of the data. This could lead to a memory dump, which would make the firmware *so* much easier to follow.
I want to keep everyone updated with the fronts the unlock is being tackled from, and if I ever post something like 'we are working on "several fronts" for an unlock' and leave it at that, please slap me :-)
"Permission Denied"
I am thinking that the only thing that keeps the iBoot "Permission Denied" errors around is the lack of a proper resistance on the accessory indicator pin. But I'd bet the resistance is very specific. bluetang found the "This accessory is not made to work with iPhone" string in IAP.framework's Framework.strings file, so I think reversing the program that calls this would be a good idea. Find the resistance ranges that the iPhone likes.
Monday, July 30, 2007
The Dock Connector
A few notes:
The firewire power is present, but not the data
The old video pins/line in pins are connected to the main board(JTAG maybe)
The line out pins don't make a direction connection from the board to the conn
A bunch of pins on the conn have traces, but idk where they are connected
Stupid Multimeters
The $100 multimeters can't beep right away with the continuity check. This $30 one can.
Wow it still powers up...
The only connectors still connected are the two to the screen and the top button connector.
A theory
I'd bet that apple has a way to power up the baseband board without it being connected to the main board. I'd like to see what the main header contains.
That 52 pin unpopulated connector could be one of two things. Either a debug connector that apple used while troubleshooting the baseband, or a connector for another revision of the iPhone main board. I am leaning toward the latter. I'd think that JTAG is actually present on both connectors, and that Apple accesses it through something like the camera port. The camera only appears to use half the pins on the connector. So once I get a multimeter that doesn't suck, which will probably be tomorrow, I will test for continuity between the camera header and the board interconnect header. I'd bet that there are a few pins in common, and those are JTAG.
That 52 pin unpopulated connector could be one of two things. Either a debug connector that apple used while troubleshooting the baseband, or a connector for another revision of the iPhone main board. I am leaning toward the latter. I'd think that JTAG is actually present on both connectors, and that Apple accesses it through something like the camera port. The camera only appears to use half the pins on the connector. So once I get a multimeter that doesn't suck, which will probably be tomorrow, I will test for continuity between the camera header and the board interconnect header. I'd bet that there are a few pins in common, and those are JTAG.
Hmm...
I'd bet JTAG is on here, I am going to start seeing where these pads correspond to. I'm thinking JTAG is also somewhere more accessible.
Sunday, July 29, 2007
iPhone in hand, ready to begin...
Thanks to jpetrie, who donated an iPhone to the cause, I have an iPhone to take apart. I will be posting to this blog as I take it apart and discover things.
Subscribe to:
Posts (Atom)
