==July 7, 2007 2:19AM Eastern Update==

We got a serial interface working today. See the hackint0sh forum or the
last progress report for instructions on building. I stayed up all night building and testing one. Don't try to modify your iPhone dock. The soldering was nearly impossible (and I hand solder QFP and TSSOP). The serial interface isn't really as great as it sounds. The nice thing is we got a [http://iphone.fiveforty.net/geohot/cmdlist.txt Command List]. These commands can be issued much more easily with sendCommandToDevice and are included in iphoneinterface. The new version has a much nicer recovery mode shell. We know how to unlock the phone. Unfortunately, the commands needed gave "Permission Denied" errors. We did find a reference to a hardware register that causes the "Permission Denied" error in the bootloader, but we cannot software-patch the bootloader because it is signed. The only way I see around it is JTAG, which we currently know nothing about. Or possibly in DFU mode. I think we may just be better off accessing the radio through user mode.

Let me clarify the "modes" of the device, because only today did I really understand them. Normal mode is the running mode of the device. It uses the system from the 39 dmg, and since this is running a system, it's called User Mode. Recovery mode is embedded into iBoot. It can be entered in one of two ways: either with a call to AMDeviceEnterRecovery or with the home+top button combo. The call trashes the fs while the button combo does not. The third mode is Restore mode. This is the mode when the device is booted from the ramdisk, and it runs restored. All the fs commands can be accessed here, with calls to performOperation, a private dll function. The last mode is DFU mode. We currently have never entered it/don't know how to enter it. I believe this is the key to uploading a patched bootloader, because I don't think it checks the signature.

I still have never gotten a clear answer as to whether all the binaries are signed or not. I don't see a signature easily in them; they don't begin with "89001.0". If someone is looking for a way to contribute, build a gcc toolchain with support for Mach-O ARM, and compile some nice gcc binaries. I'd like those binaries for Windows. Don't harass us in the IRC chat with questions on how to build this toolchain, because we don't know. Just PM me with a link to a working binary :-) Tomorrow my first priority is to get the dll to export the private functions and access restore mode directly with performOperation instead of AMRestorePerformRecoveryModeRestore. We should get nice interactive shells in all three modes. Good work today, everyone.

~geohot
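The report above sorts binaries by whether they start with the "89001.0" marker of the signed 8900 container. The script below is an added example, not code from the original report or from the iphoneinterface project: it automates that check over a directory of files and additionally recognises a 32-bit Mach-O header so that plain ARM executables (the kind a Mach-O ARM gcc toolchain would produce) can be told apart from wrapped images. The "89001.0" prefix is the one named in the report; the Mach-O magic, header layout, CPU_TYPE_ARM and filetype values are taken from the Mach-O header definition, not from this page, and every sample input is a constructed byte string rather than a real firmware file.

```python
"""Classify firmware blobs by their leading bytes (added example, not the report's code)."""
import struct
import tempfile
from pathlib import Path

# Marker the report looks for at offset 0: "8900" magic followed by version "1.0".
IMG8900_MAGIC = b"89001.0"

# Mach-O header constants (from the Mach-O header definition, assumed here, not from the report).
MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O magic in the file's own byte order
MH_CIGAM = 0xCEFAEDFE        # the same magic seen byte-swapped
MH_HEADER_LEN = 28           # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
CPU_TYPE_ARM = 12
MH_EXECUTE = 2
MH_DYLIB = 6


def classify(data: bytes) -> str:
    """Return a short label for a blob: 8900-wrapped, Mach-O <arch> <kind>, or unknown."""
    if data.startswith(IMG8900_MAGIC):
        return "8900-wrapped"
    if len(data) < MH_HEADER_LEN:
        return "unknown"
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        order = "<"          # fields are little-endian
    elif magic == MH_CIGAM:
        order = ">"          # fields are big-endian
    else:
        return "unknown"
    # cputype is a signed 32-bit int; cpusubtype and filetype are unsigned.
    cputype, _cpusubtype, filetype = struct.unpack_from(order + "iII", data, 4)
    arch = "ARM" if cputype == CPU_TYPE_ARM else f"cputype {cputype}"
    kind = {MH_EXECUTE: "executable", MH_DYLIB: "dylib"}.get(filetype, f"filetype {filetype}")
    return f"Mach-O {arch} {kind}"


def scan_dir(directory: Path) -> dict:
    """Classify every regular file in a directory; only the header bytes are read."""
    results = {}
    for path in sorted(directory.iterdir()):
        if path.is_file():
            with path.open("rb") as fh:
                results[path.name] = classify(fh.read(MH_HEADER_LEN))
    return results


# Constructed sample inputs (not real firmware): one wrapped image, two Mach-O
# headers in opposite byte orders, and an unrelated file.
SAMPLES = {
    "wrapped.img": IMG8900_MAGIC + b"\x00" * 64,
    "arm_exec": struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 0, MH_EXECUTE, 0, 0, 0),
    "arm_dylib_swapped": struct.pack(">7I", MH_MAGIC, CPU_TYPE_ARM, 0, MH_DYLIB, 0, 0, 0),
    "other.bin": b"\x7fELF" + b"\x00" * 60,
}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in SAMPLES.items():
            (Path(tmp) / name).write_bytes(blob)
        for name, label in scan_dir(Path(tmp)).items():
            print(f"{name:20s} {label}")
```

Point the script at a directory of extracted files and anything reported as "unknown" is neither an 8900 container nor a Mach-O image at offset 0, which is exactly the ambiguous case the report describes; a "Mach-O ARM executable" result means the file is an unwrapped binary whose signature, if any, would have to live somewhere other than an 8900 header.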
some great stuff going on!