Sheep Sun
For loading various kinds of images, of course (xD)! lk2nd has suffered from the stock bootloader's inconvenience, that is, it has to be packed into Android's bootimg format, faking itself as a...
`and ELF64 yet` https://github.com/msm8916-mainline/lk2nd/pull/128/commits/40b51b2ca7bf274c76615a539ff60c452022887f#diff-98e604322de9eb517fa4bbf8c15445115f362f7d1e996a33a5e616297e21a4fdR15 The ELF library from LK is designed to load (and boot) only images that match the current LK's architecture (using compile-time macros), in our case, AArch32...
Do note that these two commands (among many other lk2nd debugging-oriented features) give the possibility to severely and permanently damage the hardware (e.g. one wrong voltage and half of the motherboard...
Thanks for clarification and advice. I'm closing this temporarily.
iPhone7,2 boots up to SSH ramdisk properly with NAND physically desoldered. (Yes, it does complain about the absence of NAND)
It's possible. You need to find the firehose mbn corresponding to the device in the EDL firmware, then try https://github.com/bkerler/edl to see whether the PBL and QFPROM can be read out. If they can, this route is feasible. But the rest of the process is still long and tedious, and the more the vendor has modified the bootloader, the more troublesome it gets. Also, since an exploit in EDL is used, the device needs USB assistance on every boot. If the bootloader you compiled refers to aboot/lk, or you don't need to obtain the device's trustzone/hypervisor privileges, I suggest referring to https://github.com/msm8916-mainline/lk2nd
Currently only a software reboot into 9008 is supported, not a cold boot into 9008, i.e. you must enter EDL via reboot edl / fastboot oem edl or similar. Personally I think lk2nd is already convenient enough; after all, with secure boot you just have to accept it. Huawei's 8916 and 8952 have some models without secboot; if you want to try it, you can go pick one up. If there's no need to modify the low-level components (sbl1/tz/rpm/dsp), there's no need for this. If you really must use this to modify aboot, you need to modify sbl1 and pbl, then port https://github.com/fxsheep/lk4edl to 8953
The PBL is read with https://github.com/bkerler/edl. It's not really modifying the PBL; it is "modified" via MMU remapping, which is lost on reboot, so it needs to boot from USB every time. This project is based on https://alephsecurity.com/2018/01/22/qualcomm-edl-1/, you can take a look at it
> How much do we know (or do we need to know) about the layout of the fuse addresses/bits? Is this platform-specific? Will it need adjustment for every SoC supported in...
Yeah, the actual part of toggling QDSD registers can be done easily, but since QDSD documentation in the TRM is rather scarce, how it actually works is still not clear....