Active discussions

Fixing IOS brick without NAND backup

I think it might be possible to install BootMii over boot1 using NAND programmer, then mess with the power lines (like with the HRESET hack)? In boot0's hash fail path, there is an unreachable instruction after the jump to panic that boots boot1 as normal. If we can get the Starlet booting in drunk mode, then it might skip that instruction and proceed to loading BootMii-boot1 for recovery. Hallowizer (talk) 23:00, 23 May 2021 (CEST)

Now that I think about it, instead of BootMii, we probably need a custom executable that has plenty of redundancy. It should just enable AHBPROT and boot the Broadway, so the Starlet can hallucinate all it wants while the Broadway dumps the NAND key. Hallowizer (talk) 00:38, 25 May 2021 (CEST)