[i=s] 本帖最后由 czj 于 2009-11-1 00:09 编辑 [/i]
iPhone 1011问题总结如下:
问题症状:
1) 使用iTunes刷固件时报1011错误。
2) 在1)后破解软件(iPlus,ZiPhone等等)都无法正常完成步骤,无法破解成功
3)使用ibrickr或ibrickr的Boot功能可以跳过报错,勉强使得手机能够成功启动并进入系统界面;
4)但3)后的手机成为彻底的三无手机。无电话、无wifi,无蓝牙。声音播放也会有问题。其他功能倒是使用无碍 -- 沦为iTouch、iPod。有人戏称为可以开机的砖头。
问题根源:
手机的BaseBand(管理通讯等的基础模块)模块损坏。所以出现三无症状;
问题成因推测:
1)使用BootNeuter等软件刷新你BootLoader时出错或中断;
2)恢复固件时出错或中断;
解决方案:
(一)BootLoader为3.9(或 3.9Fake)的手机:
据查,应当可以解决。只要使用iphone-tools,ZiPhone、iEraser、bbUpdater等工具刷新BB即可;
(二)BootLoader为4.6的iPhone。!!!最槽糕的情况
目前没有办法通过软件方式解决此问题!
大致分析如下:
苹果公司为了防止破解现象愈演愈烈,对BL4.6进行了漏洞的修补和其他一些改进。使得基于BL3.9的所有(至目前)刷新BB方式无法正常运作。所以BB无法恢复。
有人曾就此提出,为何不把BL降至3.9再恢复呢?好问题,但经过不少人实验,发现:使用现有工具降级的必要基础是BaseBand工作正常...
大家看出来没?这儿陷入了死锁和矛盾: 要降级3.9BL--> BB要完好;要恢复BB--> 必须要3.9BL。
故绝望的得出无法恢复的结论...
其他恢复方案:
1)使用firmware2.0刷机。因为条件所限(2.0只有beta版,且只能在Mac下刷,而且危险性更高),目前未能实验,但网上有人试过证明行不通。
而且firmware2.0的BL和BB工作机制似乎无太大变化,推测还是有同样的问题。所以不再实验。
可行的方案:
1)返厂修理
2)有人称更换手机的CommBoard(通讯板)可以修复。需要懂硬件的高手帮忙了。
关于BL4.6下BB损坏修复
MuscleNerd
iPhone DevTeam
BOOTNEUTER刷机出问题后再启动一直停留在"Determining settings"
For those who are stuck on "Determining settings"...
Please go to this wiki page, scroll down to Utilities, and grab the "sping" program. If you could run it on your iPhone (after unloading the CommCenter) and report the result, that would be useful info.
首先用SPING检测,老外砖友测试如下:
第一种情况:
when i run sping it just says 'Your bootloader isn't fakeblanked.'
ok after running bbupdater -v
it says the following:
Resetting target...
pinging baseband...
baseband unresponsive to pinging
Done
我的机子是BOOTNEUTER时中途退出造成损坏,执行上述2条命令目前就是这种状况.
这个老外砖友的情况是:他原生1.1.3本来用ZIPHONE破好了但没有降BL到3.9,然后他朋友拿了1天就三无了,然后那朋友用IPLUS修补,但不知道是只针对1.1.4的,然后中途中断,跟花生用ZIPHONE中途中断一个道理.
第2种情况:
Sping -v says
Opened: /dev/tty.debug
Spamming AT, waiting for a response
Connection to bootrom established
Unexpected result 0xc1!
Bbupdater -v says
Could not set exclusive access 1 to the modem : 0xe00002cd - is CommCenter still running? Could not gain exclusive access to the modem
Swifi -v says
wifi fixer
by MuscleNerd, gray, and the iPhone Dev Team
Opened: /dev/tty.debug
Spamming AT, waiting for a response
Connection to bootrom established
Error 0xffffffff
以上是另一个老外砖友的结果,这个结果很糟糕,下面来看对于这两种结果MuscleNerd的解释:
If sping reports "unexpected result 0xc1" that's a bad sign
It basically means that although the low-level bootrom noticed you knocking and accepted the serial payload, it refused to run it because it thinks the bootloader has started. But if the bootloader was still active you'd see more characters after the 0xc1, so that means the bootloader has passed control to the baseband and the baseband has spun out of control.
The boot sequence is bootrom->bootloader<->baseband. The bootrom sanity checks the bootloader before running it, the bootloader sanity checks the baseband before running it. The sanity check is pretty weak though. If the bootloader passes CPU control to the baseband and the baseband is corrupted and throws an invalid instruction or data alignment exception (for example) early in the boot process, the exception vectors are not set up yet and you'll end up in tight loop using dummy handlers.
In other words, your S-Gold is doing bootrom->bootloader->baseband->tight loop. The tight loop is preventing the bootloader from servicing interactive bootloader requests done by bbupdater, bootneuter, and the rest.
In theory, if your baseband is empty at the right locations above a0040000, you may still be able to do the A17 hardware hack, which will trick the bootrom into thinking the bootloader is empty and so it would execute your serial payloads.
以上是对第2种情况的解释,论坛上已经有人转过,这种情况非常糟糕,如果满足baseband is empty at the right locations above a0040000,也许还可以用A17硬解的办法解救.
Quote:
Originally Posted by butterbean
ok after running bbupdater -v
it says the following:
Resetting target...
pinging baseband...
baseband unresponsive to pinging
Done .
butterbean your situation is a little different, yours looks like an invalid baseband that even the bootloader has determined isn't safe to run. You can get past the 1011 restore screen by using iNdependence or ibooter or iphuc etc. And then run geohot's ienew eraser program to erase the baseband completely and use bbupdater to flash valid fls files.
对第一种情况的解释,与前面那种情况有些不同, BB无效,我们可以用 iNdependence or ibooter or iphuc etc这些程序跳出恢复后1011错误的恢复模式(用ZIPHONE和ILIBERTY+就可以,简单),然后运行geohot's 的ienew eraser程序清除BB,完成后用BBUPDATER刷相应版本BB的FLS 就行.
同病相连的砖友们,大伙看看自己属于哪种情况,要是属于第一种,似乎不用拆机硬搞就成,我查了下IENEW命令是当初硬解1.1.2原生时用的,还要配合IUNEW命令,可是这老大的办法似乎直接用IENEW擦除BB然后用BBUPDATER刷上就行,大家研究下.....
玩iPhone你需要懂得的一些基础知识**** 1.什么是BL,如何判断我的BL版本 BL的全称BootLoader。是开机后第一个运行的程序,一旦破坏就无法恢复,是很基本的、修改风险最高的程序。目前BL有2种官方版本3.9和4.6,一般来说OTB1.1.2(原生,出厂的时候就是1.1.2固件)以后的机器都是BL4.6版本的,之前的版本都是BL3.9的。 BL还有一种非官方版本,BL3.9FB(FB的意思是修改过的)FB版的产生是因为iPlus这款破解软件的出现,可以将本不可以降级的BL4.6进行了降级,并且可以通过软件升级回4.6。 安装bbinfo软件,可以查看当前BL版本,一般来说OTB1.1.2,2007年47周以后都是BL4.6版本。
可以换版解决。
