This article needs to be updated.(February 2023)
1.1.4 > 2.0 Restore[edit source]
This restore was performed, logged and dumped by scotty2. It was originally in a manifesto made while cracking the img3 format, so it may be typed up a little oddly
The Process[edit source]
- iTunes maps iBEC (WTF.m68ap.RELEASE.dfu) at 0x90000000.
- iBoot decrypts it, as it is an Img2 file, then runs it.
- iBEC does a check to see if it is mapped at 0x18000000, and if it is not, it remaps itself there.
- Sometime at the beginning of the iBEC's routine, it gives the iPhone whatever it needs to decrypt Img3 files, as you will obviously guess by reading the rest of these
- iTunes sends iBEC the kernelcache and the ramdisk. Both in Img3 format.
- iBEC decrypts ramdisk and kernelcache then boots kernelcache.
- The ramdisk/kernel then copy the rootfs over, then flash the new devicetree, iBEC, iBSS, and iBoot.
- After the rootfs and the img3 files, it will flash over the baseband and friends.