Bootrom
Notes on the bootrom (WTF / DFU 2.0)
Notes

Random
- Mapped to 0x22000000 in memory
- Sets the minimum_addr global flag to 0x18000000
- Sets the maximum_addr global flag to 0x18024000
- Many things, such as file transferring, the range check, the flag check, and more, are taken almost verbatim from iBoot / iBEC / etc.

What it does
The purpose of the bootrom is to start by initializing some hardware, and then do one of two things. If it is in DFU mode, it accepts a (signed) firmware file, such as iBSS. It sets the allowed range to start at 0x18000000, receives the file there, and then starts executing it. If the file has been modified or patched, it will not execute the file. If it is not in DFU mode, it starts LLB, the Low Level Bootloader. If the LLB fails the signature check, the bootrom will not start it and simply falls back to DFU mode, where it must be passed a (signed) firmware file and, from there, restored to a firmware with a properly signed LLB.

The Challenge
Read about why this will be a whole new challenge.

Parsing
Moved here

Reversings

Setup Restrictions
ROM:22006228 Setup_Restrictions ; CODE XREF: SecureROM_Start+64p
ROM:22006228 ; sub_22005C40+18p
ROM:22006228
ROM:22006228 var_8 = -8
ROM:22006228
ROM:22006228 000 B0+ PUSH {R4,R5,R7,LR} ; Push registers
ROM:2200622A 010 1B+ LDR R4, =SecureROM_Flags ; SecureROM Flags
ROM:2200622C 010 B0+ MOVLS R3, 0x2C0000
ROM:22006230 010 02+ ADD R7, SP, #0x10+var_8 ; Rd = Op1 + Op2
ROM:22006232 010 23+ STR R3, [R4] ; Store to Memory
ROM:22006234 010 05+ ADDS R5, R0, #0 ; Rd = Op1 + Op2
ROM:22006236 010 FE+ BL sub_22004B2A ; Branch with Link
ROM:2200623A 010 00+ CMP R0, #0 ; Set cond. codes on Op1 - Op2
ROM:2200623C 010 03+ BEQ loc_22006246 ; Branch
ROM:2200623E 010 C0+ MOVS R2, #0xC0 ; Rd = Op2
ROM:22006240 010 23+ LDR R3, [R4] ; Load from Memory
ROM:22006242 010 92+ LSLS R2, R2, #0x16 ; Logical Shift Left
ROM:22006244 010 01+ B loc_2200624A ; Branch
ROM:22006246 ; ---------------------------------------------------------------------------
ROM:22006246
ROM:22006246 loc_22006246 ; CODE XREF: Setup_Restrictions+14j
ROM:22006246 010 22+ LDR R2, [R4] ; Load from Memory
ROM:22006248 010 10+ MOVS R3, #0x10 ; Rd = Op2
ROM:2200624A
ROM:2200624A loc_2200624A ; CODE XREF: Setup_Restrictions+1Cj
ROM:2200624A 010 13+ ORRS R3, R2 ; Rd = Op1 | Op2
ROM:2200624C 010 23+ STR R3, [R4] ; Store to Memory
ROM:2200624E 010 FE+ BL sub_22004B20 ; Branch with Link
ROM:22006252 010 00+ CMP R0, #0 ; Set cond. codes on Op1 - Op2
ROM:22006254 010 04+ BNE loc_22006260 ; min addr
ROM:22006256 010 10+ LDR R2, =SecureROM_Flags ; SecureROM Flags
ROM:22006258 010 10+ LDR R1, =0x100020 ; Load from Memory
ROM:2200625A 010 13+ LDR R3, [R2] ; Load from Memory
ROM:2200625C 010 0B+ ORRS R3, R1 ; Rd = Op1 | Op2
ROM:2200625E 010 13+ STR R3, [R2] ; Store to Memory
ROM:22006260
ROM:22006260 loc_22006260 ; CODE XREF: Setup_Restrictions+2Cj
ROM:22006260 010 0F+ LDR R2, =min_addr ; min addr
ROM:22006262 010 01+ MOVS R3, #1 ; Rd = Op2
ROM:22006264 010 5B+ NEGS R3, R3 ; Negate
ROM:22006266 010 13+ STR R3, [R2] ; Store to Memory
ROM:22006268 010 0E+ LDR R3, =max_addr ; max addr
ROM:2200626A 010 00+ MOVS R2, #0 ; Rd = Op2
ROM:2200626C 010 1A+ STR R2, [R3] ; Store to Memory
ROM:2200626E 010 00+ CMP R5, #0 ; Set cond. codes on Op1 - Op2
ROM:22006270 010 08+ BEQ loc_22006284 ; Branch
ROM:22006272 010 C0+ MOVS R0, #0xC0 ; Rd = Op2
ROM:22006274 010 90+ MOVS R1, #0x90 ; Rd = Op2
ROM:22006276 010 40+ LSLS R0, R0, #0x15 ; Logical Shift Left
ROM:22006278 010 89+ LSLS R1, R1, #0xA ; Logical Shift Left
ROM:2200627A 010 02+ BLX sub_22008498 ; Branch with Link and Exchange (immediate address)
ROM:2200627E 010 0A+ LDR R3, =unk_22020DAC ; Load from Memory
ROM:22006280 010 01+ MOVS R2, #1 ; Rd = Op2
ROM:22006282 010 1A+ STR R2, [R3] ; Store to Memory
ROM:22006284
ROM:22006284 loc_22006284 ; CODE XREF: Setup_Restrictions+48j
ROM:22006284 010 C0+ MOVS R0, #0xC0 ; Rd = Op2
ROM:22006286 010 90+ MOVS R1, #0x90 ; Rd = Op2
ROM:22006288 010 40+ LSLS R0, R0, #0x15 ; 0x18000000
ROM:2200628A 010 89+ LSLS R1, R1, #0xA ; 0x24000
ROM:2200628C 010 00+ MOVS R2, #0 ; option
ROM:2200628E 010 FF+ BL Setup_Allowed_Range ; set allowed range:
ROM:2200628E 010 F7+ ; min - 0x18000000
ROM:2200628E 010 A9+ ; max - 0x18024000
ROM:22006292 010 00+ MOVS R0, #0 ; Rd = Op2
ROM:22006294 010 B0+ POP {R4,R5,R7,PC} ; Pop registers
ROM:22006294 010 BD ; End of function Setup_Restrictions

Range Check
Also looks to be the same as the iBoot one.
ROM:220061B0 ; int __cdecl Range_Check(__int32 loadaddr, __int32 filesize)
ROM:220061B0 Range_Check
ROM:220061B0 000 09+ LDR R3, =SecureROM_Flags ; Load from Memory
ROM:220061B2 000 42+ ADDS R2, R0, R1 ; Rd = Op1 + Op2
ROM:220061B4 000 1B+ LDR R3, [R3] ; Load from Memory
ROM:220061B6 000 D9+ LSLS R1, R3, #0xF ; Logical Shift Left
ROM:220061B8 000 09+ BMI loc_220061CE ; Branch
ROM:220061BA 000 90+ CMP R0, R2 ; Set cond. codes on Op1 - Op2
ROM:220061BC 000 09+ BCS loc_220061D2 ; Branch
ROM:220061BE 000 07+ LDR R3, =min_addr ; Load from Memory
ROM:220061C0 000 1B+ LDR R3, [R3] ; Load from Memory
ROM:220061C2 000 98+ CMP R0, R3 ; Set cond. codes on Op1 - Op2
ROM:220061C4 000 05+ BCC loc_220061D2 ; Branch
ROM:220061C6 000 06+ LDR R3, =max_addr ; Load from Memory
ROM:220061C8 000 1B+ LDR R3, [R3] ; Load from Memory
ROM:220061CA 000 9A+ CMP R2, R3 ; Set cond. codes on Op1 - Op2
ROM:220061CC 000 01+ BHI loc_220061D2 ; Branch
ROM:220061CE
ROM:220061CE loc_220061CE ; CODE XREF: Range_Check+8j
ROM:220061CE 000 01+ MOVS R0, #1 ; Rd = Op2
ROM:220061D0 000 00+ B locret_220061D4 ; Branch
ROM:220061D2 ; ---------------------------------------------------------------------------
ROM:220061D2
ROM:220061D2 loc_220061D2 ; CODE XREF: Range_Check+Cj
ROM:220061D2 ; Range_Check+14j
ROM:220061D2 ; Range_Check+1Cj
ROM:220061D2 000 00+ MOVS R0, #0 ; Rd = Op2
ROM:220061D4
ROM:220061D4 locret_220061D4 ; CODE XREF: Range_Check+20j
ROM:220061D4 000 70+ BX LR ; Branch to/from Thumb mode
ROM:220061D4 000 47 ; End of function Range_Check
ROM:220061D4 000
ROM:220061D4 ; ---------------------------------------------------------------------------
ROM:220061D6 00+ DCW 0
ROM:220061D8 A0+ off_220061D8 DCD SecureROM_Flags ; DATA XREF: Range_Checkr
ROM:220061DC A4+ off_220061DC DCD min_addr ; DATA XREF: Range_Check+Er
ROM:220061E0 A8+ off_220061E0 DCD max_addr ; DATA XREF: Range_Check+16r
ROM:220061E4
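The Range_Check routine above rendered in C, as an added example that is not part of the original page or the bootrom itself. The globals keep the listing's names and the initial values Setup_Restrictions stores; the body of Setup_Allowed_Range is not on the page, so the version here is an assumption that only models the effect its call-site comments describe (min 0x18000000, max 0x18024000), and the FLAG_RANGE_CHECK_DISABLED name for bit 16 is mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Globals Range_Check reads, with the values Setup_Restrictions stores
 * before it calls Setup_Allowed_Range: min_addr = -1 and max_addr = 0
 * reject every load until the window is opened. */
uint32_t SecureROM_Flags = 0x2C0000;
uint32_t min_addr = 0xFFFFFFFF;
uint32_t max_addr = 0;

/* Bit 16 of SecureROM_Flags. LSLS R1, R3, #0xF moves it into the sign bit
 * and BMI then skips every check; the name is assumed, the bit is not. */
#define FLAG_RANGE_CHECK_DISABLED (1u << 16)

/* Assumed model of Setup_Allowed_Range (its body is not on the page): the
 * call-site comments say it sets min 0x18000000 and max 0x18024000. */
void Setup_Allowed_Range(uint32_t base, uint32_t size)
{
    min_addr = base;
    max_addr = base + size;
}

/* Range_Check, instruction for instruction. Every compare in the listing is
 * unsigned (BCS, BCC, BHI), so the arguments must be uint32_t. */
int Range_Check(uint32_t loadaddr, uint32_t filesize)
{
    uint32_t end = loadaddr + filesize;      /* ADDS R2, R0, R1: wraps mod 2^32 */

    if (SecureROM_Flags & FLAG_RANGE_CHECK_DISABLED)
        return 1;                            /* BMI loc_220061CE: checks off  */
    if (loadaddr >= end)                     /* CMP R0, R2; BCS: zero length or */
        return 0;                            /*   end wrapped below loadaddr   */
    if (loadaddr < min_addr)                 /* CMP R0, R3; BCC: below window  */
        return 0;
    if (end > max_addr)                      /* CMP R2, R3; BHI: past window   */
        return 0;
    return 1;                                /* loadaddr..end-1 inside window  */
}

int main(void)
{
    /* Constructed load requests: {loadaddr, filesize, expected result} */
    struct { uint32_t addr, size; int ok; } cases[] = {
        { 0x18000000, 0x24000,     1 },  /* exactly the window          */
        { 0x18000000, 0,           0 },  /* empty file: loadaddr == end */
        { 0x17FFFFF0, 0x100,       0 },  /* starts below min_addr       */
        { 0x18020000, 0x4001,      0 },  /* one byte past max_addr      */
        { 0x18000000, 0xFFFFFFFF,  0 },  /* end wraps to 0x17FFFFFF     */
    };
    Setup_Allowed_Range(0x18000000, 0x24000);
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int r = Range_Check(cases[i].addr, cases[i].size);
        printf("load 0x%08X size 0x%08X -> %d (%s)\n", cases[i].addr,
               cases[i].size, r, r == cases[i].ok ? "expected" : "MISMATCH");
    }
    return 0;
}
```

The wrap-around case is the one to remember when auditing loaders: the `loadaddr >= end` test is what stops a huge filesize from passing the max_addr compare after the addition overflows.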
Flag Check
ROM:22006158 ; =============== S U B R O U T I N E =======================================
ROM:22006158
ROM:22006158
ROM:22006158 ; int __cdecl flag_check(int flag)
ROM:22006158 flag_check ; CODE XREF: sub_22004D54+34p
ROM:22006158 ; sub_22004D54+48p
ROM:22006158 000 10+ PUSH {R4,LR} ; Push registers
ROM:2200615A 008 08+ LDR R1, =SecureROM_Flags ; Load from Memory
ROM:2200615C 008 00+ MOVS R4, #0 ; Rd = Op2
ROM:2200615E 008 0A+ LDR R2, [R1] ; Load from Memory
ROM:22006160 008 13+ ADDS R3, R2, #0 ; Rd = Op1 + Op2
ROM:22006162 008 03+ ANDS R3, R0 ; Rd = Op1 & Op2
ROM:22006164 008 98+ CMP R0, R3 ; Set cond. codes on Op1 - Op2
ROM:22006166 008 07+ BNE loc_22006178 ; Branch
ROM:22006168 008 01+ MOVS R4, #1 ; Rd = Op2
ROM:2200616A 008 C3+ LSLS R3, R0, #0x1B ; Logical Shift Left
ROM:2200616C 008 04+ BPL loc_22006178 ; Branch
ROM:2200616E 008 04+ LDR R3, =0xDFF3FFFF ; Load from Memory
ROM:22006170 008 13+ ANDS R3, R2 ; Rd = Op1 & Op2
ROM:22006172 008 20+ MOVS R2, #0x20 ; Rd = Op2
ROM:22006174 008 13+ ORRS R3, R2 ; Rd = Op1 | Op2
ROM:22006176 008 0B+ STR R3, [R1] ; Store to Memory
ROM:22006178
ROM:22006178 loc_22006178 ; CODE XREF: flag_check+Ej
ROM:22006178 ; flag_check+14j
ROM:22006178 008 20+ ADDS R0, R4, #0 ; Rd = Op1 + Op2
ROM:2200617A 008 10+ POP {R4,PC} ; Pop registers
ROM:2200617A 008 BD ; End of function flag_check
ROM:2200617A 008
ROM:2200617A ; ---------------------------------------------------------------------------
ROM:2200617C A0+ off_2200617C DCD SecureROM_Flags ; DATA XREF: flag_check+2r
ROM:22006180 FF+ dword_22006180 DCD 0xDFF3FFFF ; DATA XREF: flag_check+16r
ROM:22006184
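The flag_check routine above rendered in C, as an added example that is not part of the original page. The constants are the ones the listing loads; the macro names are mine, and what the individual flag bits mean is not stated on the page.

```c
#include <stdint.h>
#include <stdio.h>

/* The flag word at SecureROM_Flags, starting from the value Setup_Restrictions
 * stores first (0x2C0000: bits 18, 19 and 21). */
uint32_t SecureROM_Flags = 0x2C0000;

/* Constants the listing uses. LSLS R3, R0, #0x1B puts bit 4 of the requested
 * flag in the sign bit; 0xDFF3FFFF clears bits 18, 19 and 29; 0x20 is bit 5.
 * The macro names are assumed; what the bits mean is not on the page. */
#define FLAG_BIT4   0x10u
#define CLEAR_MASK  0xDFF3FFFFu
#define SET_BIT5    0x20u

/* flag_check, instruction for instruction: succeeds only if every bit of
 * `flag` is set in SecureROM_Flags. Asking for a flag that includes bit 4 also
 * rewrites the flag word, so a successful check is not always side-effect free. */
int flag_check(uint32_t flag)
{
    uint32_t flags = SecureROM_Flags;                  /* LDR R2, [R1]          */

    if ((flags & flag) != flag)                        /* ANDS R3, R0; CMP; BNE */
        return 0;                                      /* a requested bit is 0  */
    if (!(flag & FLAG_BIT4))                           /* LSLS #0x1B; BPL       */
        return 1;                                      /* plain subset test     */
    SecureROM_Flags = (flags & CLEAR_MASK) | SET_BIT5; /* ANDS, ORRS, STR       */
    return 1;
}

int main(void)
{
    printf("flag_check(0x200000) = %d\n", flag_check(0x200000));   /* 1 */
    printf("flag_check(0x10)     = %d\n", flag_check(0x10));       /* 0 */
    /* Setup_Restrictions ORs in 0x10 when sub_22004B2A returns 0 */
    SecureROM_Flags |= 0x10;
    printf("flag_check(0x10)     = %d, flags now 0x%08X\n",
           flag_check(0x10), SecureROM_Flags);                     /* 1, 0x00200030 */
    return 0;
}
```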
So does this mean the jailbreak is soon?
How long until it is jailbroken??
Guys, relax, stop asking stupid questions. Just because he updates something doesn't mean it's anywhere near the jailbreak. Sit back, relax, or go learn programming and start jailbreaking it yourself.
Again, I cannot stress this enough: this is DOCUMENTATION.
Would it be possible for you to release all the documentation you have? Maybe some programmers or engineering students (I'm doing a degree in electrical) could try to help you. As soon as I finish my finals I was planning to learn some ARM programming, though I don't know how to extract the system files and I've never used a toolchain before. And the iPhone Dev wiki seems to be a bit vague...
...
This is the documentation. That's what you are reading on this page. What did you think this was? :)
Heh. That's it? These are just snippets of code. I want the whole root system. =\
Or the iBoot source code.
Open it in IDA and find things for yourself if you are not satisfied :)
IDA, that's the keyword I needed :D Many thanks.
Huh?
IDA Pro is a powerful tool for reverse engineering software. If you had looked at the 'blocks of code' you would see they are commented :)
I just finished downloading the program, and I got hold of the 2.2 firmware ipsw file.
But I'm having a hard time disassembling the thing. I'm not too sure which files I'm supposed to look into (dfu, wtf, img3, dmg), plus I'm getting gibberish code when I open it. I assume I need to select ARM as the processor type. What do I put in the ROM start address, loading address, and file offset?
I know you don't have time to tutor me, but I'd just like to have a look at the code. That's all.
0x22000000
I figured it out. Thanks man, this program is friggin' awesome.
Indeed. Kinda interesting, I have never met someone who knows how to disassemble ARM but does not know about IDA o.O
Well... actually, I didn't even know what ARM was until I wrote a paper on it last semester, and the language is really similar to the language I used for programming Lego Mindstorms robots. The thing is, they teach you a shitload of programming at school, but they don't show you anything useful... I guess I need to find out for myself.
IDA is incredible.
Indeed it is. What had you used in the past? :P
lol, I don't even remember. I just know it had an assembly language syntax and it was painful to use because it would take 20 lines to make a simple loop statement. But I've programmed in Java, C, C++, MIPS and VHDL (which doesn't really count).
OK, I don't want to prolong this conversation too much because you have some serious business to do, but I'd like to ask you one last thing.
Where can I get some detailed information on jailbreaking/hacking the iPod touch, besides the iPhone Dev wiki? I wanna learn on my own.
http://theiphonewiki.org/ is a very good start. Let me know if there is something you can't find there, I might know.
Btw, VHDL definitely counts. Stuff like VHDL and Verilog is quite different from something like C; I barely understand it :P
Hello there) Where can I find an iBoot binary for learning (or WTF, iBEC, kernel)?) I cannot use the one from the ipsw because it's encrypted(((
Hi
iBoot may be encrypted, but you can reverse iBEC, which is a slimmer version of iBoot. The kernel, well, you can get that from an iPhone ipsw and reverse that.
Big Thanks)
chronic, one last noob question: when you try to convert into instruction code, do you have a specific approach? Like, I randomly select some ROM addresses and press C, and I get a crazy amount of subroutines. The decrypted stuff is in blue, but I also get some brown or grey code. At what point do I need to stop? Is everything going to become blue in the end if I keep converting randomly?
I'm actually wondering this too. I got most of it blue, but a lot is still grey and brown.
Chronic is so amazing. I don't even know how you can handle all this pressure :)
OK, I have a Mac and have no idea what I'm doing, but I like to mess around with things, SO
what are good programs for the Mac that will let me extract the filesystem or anything else?
What happened to the homepage? Everything used to be there, and now it's less than half o.o
Unless this is all that's left?
ragib12: after finding out something that I did not know before, we had to revise the goals to correspond to what is actually needed.
mackmgg: there are no public tools for that at this time.
Then... Those are really the final steps before the jailbreak?
Yeah. Due to unforeseen circumstances, we modified the goals to fit what we really need.
"Unforeseen circumstances": is that good or bad? Sounds bad. I hope everything is A-OK on your end, or is it that something "interesting" you found a while back?
Hey Will is there any way we can donate to you for your hard work on this? It seems you're at this every day. I can't imagine how you could have a job too.
It's a step back, yet it's a step forward, because we are now aware of it and will not run into it in the long run.
Nobody has ported IDA or anything similar to the Mac?
No IDA GUI for Mac, but there is a CLI version. You could use otool, but that is also CLI, and in the long run IDA would just be easier.
Or you could buy Parallels and use that with a copy of XP to run IDA Pro.
Instead of using Parallels or the Terminal for IDA, I just load the windows version through Darwine. It doesn't run (GUI-wise) as well as it would in Parallels, but Parallels is slower.
I have Boot Camp but I hate it, so I guess I'll try Darwine or CrossOver (yay lame duck challenge).
OK, I got IDA Pro Free, and it says this version cannot do ARM. What should I do?
Beatleman523 - that's true, I actually bought 4 gigs of RAM just so IDA would run well on Parallels.
mackmgg - the free version is not too good.
I'm not too good with all this y'all are talking about, but one question... Why can't you just forge Apple's sig in order to get the 2G to run the app?
Because that is not quite how this works :)
Hey Will, quick question. I'm not asking for an exact date, and I'm also pretty sure that this project will be done sometime in the new year, but do you have a timetable for it? Can you narrow it down to a specific month when it will be done (an educated guess would be greatly appreciated)? BTW, like geoffrus mentioned, I wouldn't mind donating either, just tell me how. A million thanks in advance, Will!!!!!!!!
Dude, it's been covered over and over: he has no clue when it will be available. Don't you understand this isn't simply do a bunch of work, get a result, use that to get the next result, and poof? Dude, relax. Most likely it will be released in 2009, but that's all chronic will be able to tell you.
@eddy.guerrero.1 think of it like a brute force hack. There is no way to tell how close you are until it's finished. He has to try many combinations of different things that I don't completely understand. Even though I don't understand the technical stuff, I do understand that the devs work at their own pace and they all have their REAL LIVES. Imagine that! But really, give the devs time to work on things. What would happen if they rushed it and there were a ton of bugs? Then you would complain about that. Just let the developers have time to do it right. You'll appreciate it in the long run.
Would having an Apple dev cert help at all?
chronic, you should take a break and enjoy your christmas holidays. you deserve to rest and spend some time doing other stuff.
people have no clue how long the process of finding an exploit is.... it's insane...
@dmwchiu I may not understand the process, but I do understand that it takes a LONG time. I'm not rushing them; they are still real people with real lives. Just take your time, chronic.
Chronic, I know a lot about ARM processors and how they work, and I know a lot about jailbreaking the iPod touch. I have IDA and I have a Mac. I want to help you with this project! Plz reply, so we can talk about this... (mail: victorwitkamp@hotmail.com).. Victor
chronic, since you're going through the firmware and all, do you know if there's ANY hint of Bluetooth in the iPod touch 2G's firmware or anywhere else on the iPod?
Only in the iPod touch 1G's firmware, because it's almost the same as the iPhone. If it's jailbroken, then you can change the name of the processor in your iPod. Then, if you look at your iPod, you'll see all the features of the iPhone on your screen (like Camera, Messages, etc.). In the settings menu you'll see the standard Bluetooth Settings menu. Dunno if the iPod touch 2G has it, because it's not jailbroken. Take a look at IDA Pro and open the firmware file.
BTW, sorry for my bad English, I'm Dutch.
mackmgg: I believe it actually has bluetooth hardware built into it :)
iPod touch? Does that mean (if the jailbreak is ready) that it's possible to code a Bluetooth tool for the touch? I didn't find it in the firmware files.
Yeah, the iPod touch has a processor with a radio and Bluetooth in it or something like that. Merry Xmas.
no, it does not have a baseband, afaik, but does have a bluecore chip
Would it be possible to patch the recovery mode to redirect to unsigned code, or is there still signature protection in that area?
Yeah, I heard it has a possibility of a Bluetooth chip; that's why I was asking, cuz I only have the free IDA.
You guys are great, I'm so glad you're doing this for everyone, and ignore the dumb people who keep discriminating... tell them to do it themselves (X I wish I could help but I'm not really good at programming, but I was wondering: if Apple has an update for the touch 2G, should we update it or leave it at its current firmware?
People just need to sit back and open a can of beer for a while and soon enough the day will come XD.
Hmm,
Oops, hit the enter key. As I was saying, I reckon it's gonna be a while before someone cracks this 2G touch. Although I did buy the iGPS360 for the 2G touch in the hope the 2G is jailbroken so I can use xGPS with it. Hey Chronic dev, what's the latest? On holidays are you? A few have said your efforts may be a fake. I dunno, I reckon you sound like you're making some progress. How about a general overview of your thoughts? Not a timeline as such, but just a little insight into your method of doing this :)
New update! Glad to hear the effort is still in full force.
I found this; it said it was the BlueTool boot script when I was searching through SSH on my device, looking for where they upload custom boot logos to see if I could mod it on my device after I've already jailbroken it. But anyway, this is what I found:
#
# BlueTool? iPod2,1 script
#
device -d /dev/cu.bluetooth

## Make sure the device is awake and reset
wake on reset pulse 100

## Standard HCI Reset
hci reset

## Set the baud rate (Baud rate will eventually come from server in the form of an env variable)
bcm -b 2400000
##bcm -b$BT_BAUD_RATE
msleep 200

## Download the config file
bcm -w /etc/bluetool/BCM4325D0_100108.hcd
msleep 200

#### Repeat initialization again fix <6284640> ####
device -s 115200
wake on reset pulse 100
hci reset
bcm -b 2400000
msleep 200
bcm -w /etc/bluetool/BCM4325D0_100108.hcd
msleep 200
####

## Config file resets baud rate to 115200 so change our local speed
device -s 115200
msleep 200

## Change the baud rate back to what we want (Baud rate will eventually come from server)
bcm -b 2400000
##bcm -b$BT_BAUD_RATE
msleep 200

## Set the BT Address
bcm -a $BT_DEVICE_ADDRESS

## Set the friendly name to equal the host name
bcm -N

## Set the sleep mode params
bcm -s 0x01,0x00,0x00,0x01,0x01,0x00,0x01,0x00,0x00,0x00,0x00,0x01

## That was easy!
quit