# iPhone Dev Team notes
# iPhone 3GS bootrom
# 24Kpwn lives on!
;-----------------------------------------------------------------------
; IDA listing excerpt (Thumb encodings; columns are address, opcode
; bytes, mnemonic/operands, comment).  The `_start` fragment shows how
; the LLB size cap (0x24000) is computed and passed to start_module;
; start_module then hands the image to load_module and run_code.
; Lines of dots are elisions made by the author; `_start` itself begins
; and continues outside this excerpt.
;-----------------------------------------------------------------------
_start+112      44 49           LDR     R1, =0x84024000             ; R1 = 0x84000000 + 0x24000
_start+114      F8 22 D2 05     MOVS    R2, 0x7C000000
_start+118      max_llb_size = 0x24000
_start+118      52 18           ADDS    R2, R2, R1                  ; 0x7C000000 + 0x84024000 wraps mod 2^32 to 0x24000
_start+118
_start+11A
_start+11A      loc_808                                             ; DATA XREF: sub_4AB0+DEo
_start+11A                                                          ; ROM:off_4BCCo
_start+11A      max_llb_size = R10
_start+11A      92 46           MOV     max_llb_size, R2            ; R10 = 0x24000, the size cap later passed as arg2
. . . . . . . . . . . . . . . . . . . .
_start+146
_start+14A      48 E0           B       handle_illb
_start+14A
_start+1DE
_start+1DE      handle_illb                                         ; CODE XREF: _start+14Aj
_start+1DE      memz = R5
_start+1DE      05 1C           ADDS    memz, R0, #0                ; R5 = R0 (origin of R0 is outside this excerpt)
_start+1DE
_start+1E0
_start+1E0      start_module_if_valid_memz                          ; CODE XREF: _start+1BAj
_start+1E0      00 2D           CMP     memz, #0
_start+1E2      09 D0           BEQ     FAIL                        ; only a NULL check on memz; no size check is visible here
_start+1E2
_start+1E4      84 21           MOVS    R1, #0x84 ; ''
_start+1E6      28 1C           MOVS    R0, memz                    ; arg0 = memz
_start+1E8      09 06           LSLS    R1, R1, #24 ; R1 = 0x84000000 -- arg1 = entry
_start+1EA      52 46           MOV     R2, max_llb_size            ; arg2 = 0x24000 (the cap computed above)
_start+1EC      01 9B           LDR     R3, [SP,#0x38+setting1]     ; arg3 = setting1 (only bit 0 is tested below)
_start+1EE      FF F7 EC FE     BL      start_module ; (memz, entry, max_size, setting1)
. . . . . . . . . . . . . . . . . . . .
start_module    ; =============== S U B R O U T I N E =======================================
start_module
start_module    ; (memz, entry, max_size, setting1)
start_module    ; Attributes: bp-based frame
start_module
start_module    ; In:    R0 = memz, R1 = entry, R2 = max_size, R3 = setting1
start_module    ; Out:   R0 = load_module's result when it is non-zero, otherwise
start_module    ;        whatever run_code leaves in R0
start_module    ; Stack: PUSH {R4,R7,LR} plus 8 bytes of locals (max_size, entry);
start_module    ;        R4 is the only callee-saved register touched and is restored
start_module    ; Note:  max_size is stored at [SP,#0] and never loaded again in
start_module    ;        this function.  The only reference to that slot afterwards
start_module    ;        is the SP pointer handed to load_module as its 3rd argument,
start_module    ;        which the author annotates as &outbuf_len (an output).  So the
start_module    ;        0x24000 cap computed in _start is not enforced by this routine;
start_module    ;        whether load_module reads it as an input bound is not visible here.
start_module
start_module    ; CODE XREF: _start+196p
start_module    ; _start+1EEp
start_module
start_module    max_size = -0x14                                    ; [SP,#0] after the prologue
start_module    entry = -0x10                                       ; [SP,#4]
start_module    oldR4 = -0xC
start_module    oldR7 = -8
start_module    oldLR = -4
start_module
start_module    90 B5           PUSH    {R4,R7,LR}
start_module+2  01 AF           ADD     R7, SP, #4                  ; frame pointer
start_module+4  82 B0           SUB     SP, SP, #8                  ; locals: max_size, entry
start_module+6  01 91           STR     R1, [SP,#0x14+entry]        ; entry -> [SP,#4]; reloaded before run_code
start_module+8  max_size is saved but never used!
start_module+8  00 92           STR     R2, [SP,#0x14+max_size]     ; max_size -> [SP,#0]; no LDR of this slot follows
start_module+A  04 69           LDR     R4, [R0,#0x10]              ; R4 = word at memz+0x10
start_module+C  01 21           MOVS    R1, #1
start_module+E  22 1C           MOVS    R2, R4
start_module+10 0A 43           ORRS    R2, R1
start_module+12 02 61           STR     R2, [R0,#0x10]              ; memz+0x10 |= 1, unconditionally
start_module+14 0B 42           TST     R3, R1                      ; setting1 bit 0 set?
start_module+16 02 D1           BNE     loc_6D6                     ; yes: leave bit 1 as is
start_module+16
start_module+18 03 23           MOVS    R3, #3
start_module+1A 23 43           ORRS    R3, R4
start_module+1C 03 61           STR     R3, [R0,#0x10]              ; no: memz+0x10 |= 3 (bits 0 and 1)
start_module+1C
start_module+1E
start_module+1E loc_6D6                                             ; CODE XREF: start_module+16j
start_module+1E 01 A9           ADD     R1, SP, #0x14+entry         ; R1 = &entry slot (written back by load_module)
start_module+20 6A 46           MOV     R2, SP                      ; R2 = &max_size slot, i.e. SP+0
start_module+22 01 F0 11 FC     BL      load_module ; (memz_or_img3, &outbuf_addr, &outbuf_len)
start_module+22                                                     ; Returns 0 on success
start_module+22
start_module+26 00 28           CMP     R0, #0
start_module+28 03 D1           BNE     loc_6EA                     ; load failed: skip run_code, return its code
start_module+28
start_module+2A 01 99           LDR     R1, [SP,#0x14+entry]        ; entry as left in the slot by load_module
start_module+2C 00 22           MOVS    R2, #0
start_module+2E 03 F0 3F F9     BL      run_code                    ; R0 = 0 here (load_module's return), R1 = entry, R2 = 0
start_module+2E
start_module+32
start_module+32 loc_6EA                                             ; CODE XREF: start_module+28j
start_module+32 02 B0           ADD     SP, SP, #8                  ; drop locals
start_module+34 90 BD           POP     {R4,R7,PC}                  ; return; R0 passes through unchanged
start_module+34
start_module+34 ; End of function start_module
start_module+34