Pre-processing
1. The front-end application selects the set of payloads and creates the payload.zip file.
2. An sh-style options file (options.inc) is also created.
3. Using AFC, the payload.zip file and the options file are copied to the phone's /var/{root,mobile}/Media directory.
4. Bootstrap the ramdisk (pass-1)
Pass-1
The ramdisk will boot and perform only the following tasks:
5. Jailbreak
6. Enable AFC2
7. Do nothing if the payload is not found
8. Perform minimal setup for pass-2:
a. Install the pass2.plist in LaunchDaemon
b. Create the minimal environment in /bin2
c. Place required files in /etc (profile and termcap)
d. Temporarily disable CommCenter and SpringBoard
9. Erase any process communication file (.MSG)
10. Do the necessary pass-1 cleanup
11. Reboot the phone
Pass-2
After the phone reboots, the process continues into pass-2.
12. pass2.plist starts pass2.sh, which uses iPipe to start master.sh, the script that performs all pass-2 actions.
13. The master.sh will:
a. Restore CommCenter and SpringBoard for the next boot
b. Unpack the main payload.zip file
c. Set up the environment (extract basepack.zip to /bin2 and add it to PATH)
d. In order, for each payload, unpack the corresponding zip (if available), run the script and clean up after the script
e. Set up the leftover directory (sh, chmod, mv, unzip and reboot)
f. Clean up the temporary environment
g. Create the PHONE2PC.MSG message file with DONE
h. Reboot
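The pass-2 loop above (unpack payload.zip, read options.inc, run each payload in order with its own zip unpacked first, clean up, then write PHONE2PC.MSG with DONE) as an added example. This is not iLiberty+'s own master.sh: it is a host-side model written in Python so it runs anywhere, a scratch directory stands in for /var/root/Media and /bin2, and the payload.zip layout it assumes (one <name>.sh per payload plus an optional <name>.zip, with PAYLOADS listed in options.inc) is an assumption, not something the post specifies.

```python
"""Model of the iLiberty+ pass-2 payload loop (added example, not the project's code).
Assumed layout: payload.zip holds <name>.sh and optional <name>.zip per payload;
options.inc is an sh-style file with PAYLOADS="a b c" giving the run order."""
import io
import os
import shlex
import shutil
import subprocess
import tempfile
import zipfile

DONE_MSG = "PHONE2PC.MSG"   # message file written at the end of pass-2


def parse_options(text):
    """Parse sh-style KEY="value" lines (options.inc) into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = " ".join(shlex.split(value))
    return opts


def build_sample_payload_zip(media):
    """Construct a sample options.inc and payload.zip (test data, not real payloads)."""
    with open(os.path.join(media, "options.inc"), "w") as f:
        f.write('PAYLOADS="first second"\n')
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("data.txt", "hello from first\n")
    with zipfile.ZipFile(os.path.join(media, "payload.zip"), "w") as z:
        z.writestr("first.sh", '#!/bin/sh\ncat data.txt >> "$RESULT"\n')
        z.writestr("first.zip", inner.getvalue())     # per-payload zip, "if available"
        z.writestr("second.sh", '#!/bin/sh\necho second >> "$RESULT"\n')


def run_pass2(media, result_path):
    """Steps b, d, f and g of master.sh. Returns [(payload, exit_code), ...]."""
    stale = os.path.join(media, DONE_MSG)
    if os.path.exists(stale):
        os.remove(stale)                       # pass-1 step 9: erase old .MSG files
    work = os.path.join(media, "pass2_work")   # assumed scratch area (stands in for /bin2)
    os.makedirs(work, exist_ok=True)
    with zipfile.ZipFile(os.path.join(media, "payload.zip")) as z:
        z.extractall(work)                     # step b: unpack main payload.zip
    with open(os.path.join(media, "options.inc")) as f:
        opts = parse_options(f.read())
    ran = []
    for name in opts.get("PAYLOADS", "").split():   # step d: in order
        script = os.path.join(work, name + ".sh")
        if not os.path.exists(script):
            continue                           # payload not found: do nothing
        pdir = os.path.join(work, name)
        os.makedirs(pdir, exist_ok=True)
        pzip = os.path.join(work, name + ".zip")
        if os.path.exists(pzip):               # unpack the payload's own zip if present
            with zipfile.ZipFile(pzip) as z:
                z.extractall(pdir)
        env = dict(os.environ, RESULT=result_path)
        rc = subprocess.run(["/bin/sh", script], cwd=pdir, env=env).returncode
        ran.append((name, rc))
        shutil.rmtree(pdir)                    # clean up after the script
    shutil.rmtree(work)                        # step f: remove temporary environment
    with open(os.path.join(media, DONE_MSG), "w") as f:
        f.write("DONE\n")                      # step g: signal the PC side
    return ran


def demo():
    """Run the whole sequence in a temp dir; returns (ran, script_output, message)."""
    media = tempfile.mkdtemp()
    build_sample_payload_zip(media)
    result = os.path.join(media, "result.txt")
    ran = run_pass2(media, result)
    with open(result) as f:
        output = f.read()
    with open(os.path.join(media, DONE_MSG)) as f:
        msg = f.read().strip()
    shutil.rmtree(media)
    return ran, output, msg


if __name__ == "__main__":
    print(demo())
```

The point worth noticing in the loop is that each payload's script runs inside its own unpacked directory and that directory is removed before the next payload starts, so a payload cannot silently depend on files left behind by an earlier one; the DONE message is written only after every payload has been attempted.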
Notes
To reduce the complexity of the program, some of the above steps are not implemented in the current iLiberty+ version; the missing steps will be added in later updates.
The brief flowchart (omitting some items) is shown below:


6 Comments
Dear George Zhu:
I have selected “Fix no signal, no WiFi, no bluetooth”, but the phone still has grey WiFi and Bluetooth.
The iPhone’s BL is 3.9 and BB is 04.04.05_G, 51 weeks.
What’s wrong?
Does it work with the BL3.9? Or is it only for BL4.6?
Great stuff George Zhu & folks,
One ‘technical’ question, Re:
“Pre-processing
[snip]
4. Bootstrapped the ramdisk (pass-1)”
What is happening so as to, or how is the, ramdisk (in the Media partition) bootstrapped? (Given that at that point the device is still jailed (?), or does this only apply to/work on already jailbroken devices? Jailbroken prior using one of the previous firmware exploit methods.) Or is this the 64 million dollar Q; if it is, don’t worry about answering, consider it rhetorical.
I’m interested because I like to manually do my own jailbreaks, on my iPod touch (8GB), to understand the process as fully as my OS X-system beginner brain can (I was good on Apple II assembler back in the day :) ).
Your many write-ups here are great, and I noticed that you like to do your jailbreak manually too, so I thought you may sympathise, and so be interested to explain that bootstrap.
The bootstrap uses an exploit (the memory was not cleaned up); the main concept is like this:
1. Upload the ramdisk; it will be loaded starting at 0x9000000
2. Boot the device from memory, starting at the ramdisk uploaded in step 1
But there’s a catch here: iBoot is also loaded at 0x9000000, so it will overwrite the ramdisk we uploaded. To solve this, we have to add an offset to the ramdisk; that’s why we need to prepend the ramdisk image. The prepended data is overwritten by iBoot but the real ramdisk is not affected, then we just tell the device to boot from the real ramdisk address.
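The layout described in the reply above, as an added example that is not the author's code: a flat byte-buffer model in which an image is placed at 0x9000000 (the address the reply gives), iBoot is then loaded over the same base, and the ramdisk at base+offset is checked for damage. IBOOT_SIZE and the alignment are assumed values chosen for the simulation; the model shows only why the prepended padding has to be at least as large as the region iBoot occupies, and says nothing about how images are uploaded.

```python
"""Byte-buffer model of the prepended-ramdisk layout (added example, not the
author's tool). LOAD_BASE is from the reply; IBOOT_SIZE and ALIGN are assumptions."""

LOAD_BASE = 0x9000000     # where both the uploaded image and iBoot are loaded
IBOOT_SIZE = 0x40000      # assumed size of the region iBoot overwrites
ALIGN = 0x1000            # assumed alignment wanted for the real ramdisk start


def ramdisk_offset(iboot_size=IBOOT_SIZE, align=ALIGN):
    """Smallest aligned offset that puts the real ramdisk past iBoot's region."""
    return (iboot_size + align - 1) // align * align


def build_upload_image(ramdisk, offset):
    """Prepend `offset` bytes of padding; only the padding may be overwritten."""
    return bytes(offset) + ramdisk


class Memory:
    """Flat memory starting at LOAD_BASE, just enough to model the overlap."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def write(self, addr, data):
        off = addr - LOAD_BASE
        self.buf[off:off + len(data)] = data

    def read(self, addr, n):
        off = addr - LOAD_BASE
        return bytes(self.buf[off:off + n])


def simulate_boot(ramdisk, offset, iboot_size=IBOOT_SIZE):
    """Upload the padded image, let iBoot load over the base, then check the
    ramdisk at LOAD_BASE+offset. Returns (boot_address, ramdisk_intact)."""
    mem = Memory(offset + len(ramdisk) + iboot_size)
    mem.write(LOAD_BASE, build_upload_image(ramdisk, offset))
    mem.write(LOAD_BASE, b"\xAA" * iboot_size)   # iBoot overwrites from the base up
    boot_addr = LOAD_BASE + offset               # "the real ramdisk address"
    intact = mem.read(boot_addr, len(ramdisk)) == ramdisk
    return boot_addr, intact


if __name__ == "__main__":
    rd = bytes(range(256)) * 4                   # constructed stand-in for a ramdisk
    print(hex(ramdisk_offset()), simulate_boot(rd, ramdisk_offset()))
    print(simulate_boot(rd, 0x100))              # offset too small: ramdisk clobbered
```

The second call in the usage lines is the failure case: an offset smaller than iBoot's footprint leaves part of the ramdisk inside the overwritten region, so the boot address points at corrupted data even though the upload itself succeeded.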
Wow, thanks for some details in reply, for the more recent flowchart, and most of all for the whole thing!
How do you upload the ramdisk to 0x9000000 and then boot it?