<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Bbip4</id>
	<title>The iPhone Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Bbip4"/>
	<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/wiki/Special:Contributions/Bbip4"/>
	<updated>2026-04-28T23:47:30Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.31.14</generator>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&amp;diff=24362</id>
		<title>Talk:XMM6180</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&amp;diff=24362"/>
		<updated>2012-01-31T02:47:45Z</updated>

		<summary type="html">&lt;p&gt;Bbip4: /* Using Replay-attack */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Flash Possibility ==&lt;br /&gt;
Okay, so hypothetically speaking, if I flashed my baseband to [[1.59.00]] from [[3.10.01]] while my phone is on 4.2.1 (ONLY 4.2.1 [[SHSH]] IS AVAILABLE), it would enter the boot loop because the baseband doesn't meet the requirements for [[iOS]] 4.2.1. I am willing to try and flash my baseband in an attempt to downgrade and use [[ultrasn0w]]. And if the downgrade were to work and I restored it to a pwned 4.2.1 fw where the baseband update would be neglected, would the boot loop occur? [[User:Leobruh|Leobruh]] 01:20, 10 February 2011 (UTC)!&lt;br /&gt;
:You can't flash baseband [[1.59.00]]; Apple's not signing it anymore. --[[User:Dialexio|&amp;lt;span style=&amp;quot;color:#C20; font-weight:normal;&amp;quot;&amp;gt;Dialexio&amp;lt;/span&amp;gt;]] 02:47, 10 February 2011 (UTC)&lt;br /&gt;
:Well look at [http://tysiphonehelp.com/forum/showthread.php?7908-Manually-flash-iphone-to-05.11.07-baseband this]. I don't know whether or not this could be done to the [[n90ap|iPhone 4]] but it proves that a manual flash can be used so long as you have the proper firmware ipsw available. I mean if this is possible for the [[n90ap|iPhone 4]], then I will do it without a doubt. [[User:Leobruh|Leobruh]] 04:05, 10 February 2011 (UTC)!&lt;br /&gt;
::Um, that is for the iPhone 3G/3GS basebands. That probably won't work on the [[n90ap|iPhone 4]]. For those devices, Apple didn't sign the baseband, so a manual flash was possible (going up version #'s). Downgrading required one to have the 5.8 bootloader iPhone 3G. Sorry to burst your bubble, but you are mistaken. --[[User:Gamer765|Gamer765]] 04:28, 10 February 2011 (UTC)&lt;br /&gt;
:::Word, I got you bro, haha. I wish it would be easier; I have had an i4 for almost 2 months with the carrier lock. I will keep waiting; sooner or later it will come out. [[User:Leobruh|Leobruh]] 20:43, 10 February 2011 (UTC)!&lt;br /&gt;
&lt;br /&gt;
== Device for iPhone 4 ==&lt;br /&gt;
Are we sure this is the baseband? The Infineon spec sheet says &amp;quot;HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps&amp;quot;. At the keynote Steve mentioned 5.8Mbps HSUPA. --[[User:Iemit737|Iemit737]] 19:26, 21 June 2010 (UTC)&lt;br /&gt;
:Running &amp;quot;string&amp;quot; on the new baseband files shows &amp;quot;XGold 618&amp;quot; multiple times. --[[User:Miketress|Miketress]] 19:35, 21 June 2010 (UTC)&lt;br /&gt;
::Ok, awesome. Thanks for finding this so quickly! [[User:Iemit737|Iemit737]] 19:50, 21 June 2010 (UTC)&lt;br /&gt;
:::Very unlikely it's the 618 after looking at the spec sheet.&lt;br /&gt;
In case anyone is interested, [http://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a39470bb00555 X-Gold 616 spec sheet], [https://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a3948dc76055b X-Gold 618 spec sheet]. --[[User:D235j|D235j]] 21:43, 22 June 2010 (UTC)&lt;br /&gt;
::::Actually, it's the XMM 6180. ebl.fls says so. --[[User:Oranav|oranav]] 21:56, 22 June 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Downgrade ==&lt;br /&gt;
Does anybody know more about the bb downgrade signatures? Or how to back them up like the shsh certs? Or how to use the replay attack here? Actually this is more related to baseband firmware and not to this iPhone 4 hardware. [[User:http|http]]&lt;br /&gt;
:The baseband is signed with an [[AT+XNONCE]] which is a random string generated on every bootup. Therefore, it is not possible to cache the SHSH signatures with a replay attack. I think this info either belongs on this page because it is specific to its baseband or in a special section on [[Baseband Firmware]]. [[User:Iemit737|Iemit737]] 18:18, 16 July 2010 (UTC)&lt;br /&gt;
::I think, why don't we save the signature for every random string? In that way, when your iPhone gives the same string, it will accept the saved signature of that string and accept changes in BB. --[[User:XiiiX|XiiiX]]&lt;br /&gt;
:::For every random string? That would be millions of SHSH's for every phone. Impossible. The idea of a nonce is that it NEVER gives the same value. --[[User:Http|http]] 17:37, 19 February 2011 (UTC)&lt;br /&gt;
&lt;br /&gt;
::Ah, that's what [[User:MuscleNerd|MuscleNerd]] meant with [http://twitter.com/MuscleNerd/status/18667056119 &amp;quot;stricter signed&amp;quot;]. I also found [http://iphwn.org/nonce.txt this example]. And someone suggested to change iTunes to always send the same string. That would work, but BB wouldn't accept the response. My only idea would be to let BB generate (or store) the same string on every boot (I don't know how though). But even then we would have to backup the signatures at the time they were available. -- [[User:Http|http]] 23:11, 16 July 2010 (UTC)&lt;br /&gt;
:::So how does TinyUmbrella give baseband protection? ---Whiteshinyapple&lt;br /&gt;
::::It manages to error out the signature for the baseband; that's why you get the 1004 error. Not sure exactly how it's done, but I'd assume that's how. ---OMEGA_RAZER&lt;br /&gt;
:::::I think there's not much to do. When hosts is pointing to Cydia, you also won't get baseband downgraded, even if it would work when pointing to real Apple server. Same should apply for upgrade. Maybe local TSS server from TinyUmbrella just handles error returns better, so that firmware up/downgrade doesn't fail - maybe it just returns an invalid certificate for the baseband, but returns 'ok'. --[[User:Http|http]] 11:08, 9 September 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Using Replay-attack ==&lt;br /&gt;
Can't we make the baseband send just one message to iTunes so that, using a replay attack, we could downgrade the baseband? I mean, the baseband sends a random message to iTunes to allow the downgrade/upgrade, but it only allows it when Apple is still signing the firmware. If we made the baseband send just one message, not a random one, we could downgrade the baseband even if Apple is not signing anymore, of course if a replay attack is used. So, how can we make the baseband send just one message? --[[User:XiiiX|XiiiX]] 16:39, 14 August 2011 (MDT)&lt;br /&gt;
:I feel like you'd have to edit the bbfw file... and so far, I've found no program that can read that code. Also, as an open question to everyone, how does Apple's baseband signing work?&lt;br /&gt;
::SHSH Files? --[[User:Balloonhead66|Balloonhead66]] 19:13, 14 August 2011 (MDT)&lt;br /&gt;
:Really? Damn... I don't read enough. Idea though... can we get access to the signature created at boot up?&lt;br /&gt;
:[[4.11.08]] vuln cannot be in the AT commands this time, can it? I tried to go through most of them using MiniCOM 2.2. Looks like there is nothing to get. Another thing, could the contents of [[AT+XNONCE]] be modified, so we get a constant output always? {{unsigned|Bpip4|19:31, January 30, 2012 MST}}&lt;/div&gt;</summary>
		<author><name>Bbip4</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&amp;diff=24350</id>
		<title>Talk:XMM6180</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&amp;diff=24350"/>
		<updated>2012-01-31T02:31:06Z</updated>

		<summary type="html">&lt;p&gt;Bbip4: /* Using Replay-attack */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Flash Possibility ==&lt;br /&gt;
Okay, so hypothetically speaking, if I flashed my baseband to [[1.59.00]] from [[3.10.01]] while my phone is on 4.2.1 (ONLY 4.2.1 [[SHSH]] IS AVAILABLE), it would enter the boot loop because the baseband doesn't meet the requirements for [[iOS]] 4.2.1. I am willing to try and flash my baseband in an attempt to downgrade and use [[ultrasn0w]]. And if the downgrade were to work and I restored it to a pwned 4.2.1 fw where the baseband update would be neglected, would the boot loop occur? [[User:Leobruh|Leobruh]] 01:20, 10 February 2011 (UTC)!&lt;br /&gt;
:You can't flash baseband [[1.59.00]]; Apple's not signing it anymore. --[[User:Dialexio|&amp;lt;span style=&amp;quot;color:#C20; font-weight:normal;&amp;quot;&amp;gt;Dialexio&amp;lt;/span&amp;gt;]] 02:47, 10 February 2011 (UTC)&lt;br /&gt;
:Well look at [http://tysiphonehelp.com/forum/showthread.php?7908-Manually-flash-iphone-to-05.11.07-baseband this]. I don't know whether or not this could be done to the [[n90ap|iPhone 4]] but it proves that a manual flash can be used so long as you have the proper firmware ipsw available. I mean if this is possible for the [[n90ap|iPhone 4]], then I will do it without a doubt. [[User:Leobruh|Leobruh]] 04:05, 10 February 2011 (UTC)!&lt;br /&gt;
::Um, that is for the iPhone 3G/3GS basebands. That probably won't work on the [[n90ap|iPhone 4]]. For those devices, Apple didn't sign the baseband, so a manual flash was possible (going up version #'s). Downgrading required one to have the 5.8 bootloader iPhone 3G. Sorry to burst your bubble, but you are mistaken. --[[User:Gamer765|Gamer765]] 04:28, 10 February 2011 (UTC)&lt;br /&gt;
:::Word, I got you bro, haha. I wish it would be easier; I have had an i4 for almost 2 months with the carrier lock. I will keep waiting; sooner or later it will come out. [[User:Leobruh|Leobruh]] 20:43, 10 February 2011 (UTC)!&lt;br /&gt;
&lt;br /&gt;
== Device for iPhone 4 ==&lt;br /&gt;
Are we sure this is the baseband? The Infineon spec sheet says &amp;quot;HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps&amp;quot;. At the keynote Steve mentioned 5.8Mbps HSUPA. --[[User:Iemit737|Iemit737]] 19:26, 21 June 2010 (UTC)&lt;br /&gt;
:Running &amp;quot;string&amp;quot; on the new baseband files shows &amp;quot;XGold 618&amp;quot; multiple times. --[[User:Miketress|Miketress]] 19:35, 21 June 2010 (UTC)&lt;br /&gt;
::Ok, awesome. Thanks for finding this so quickly! [[User:Iemit737|Iemit737]] 19:50, 21 June 2010 (UTC)&lt;br /&gt;
:::Very unlikely it's the 618 after looking at the spec sheet.&lt;br /&gt;
In case anyone is interested, [http://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a39470bb00555 X-Gold 616 spec sheet], [https://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a3948dc76055b X-Gold 618 spec sheet]. --[[User:D235j|D235j]] 21:43, 22 June 2010 (UTC)&lt;br /&gt;
::::Actually, it's the XMM 6180. ebl.fls says so. --[[User:Oranav|oranav]] 21:56, 22 June 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Downgrade ==&lt;br /&gt;
Does anybody know more about the bb downgrade signatures? Or how to back them up like the shsh certs? Or how to use the replay attack here? Actually this is more related to baseband firmware and not to this iPhone 4 hardware. [[User:http|http]]&lt;br /&gt;
:The baseband is signed with an [[AT+XNONCE]] which is a random string generated on every bootup. Therefore, it is not possible to cache the SHSH signatures with a replay attack. I think this info either belongs on this page because it is specific to its baseband or in a special section on [[Baseband Firmware]]. [[User:Iemit737|Iemit737]] 18:18, 16 July 2010 (UTC)&lt;br /&gt;
::I think, why don't we save the signature for every random string? In that way, when your iPhone gives the same string, it will accept the saved signature of that string and accept changes in BB. --[[User:XiiiX|XiiiX]]&lt;br /&gt;
:::For every random string? That would be millions of SHSH's for every phone. Impossible. The idea of a nonce is that it NEVER gives the same value. --[[User:Http|http]] 17:37, 19 February 2011 (UTC)&lt;br /&gt;
&lt;br /&gt;
::Ah, that's what [[User:MuscleNerd|MuscleNerd]] meant with [http://twitter.com/MuscleNerd/status/18667056119 &amp;quot;stricter signed&amp;quot;]. I also found [http://iphwn.org/nonce.txt this example]. And someone suggested to change iTunes to always send the same string. That would work, but BB wouldn't accept the response. My only idea would be to let BB generate (or store) the same string on every boot (I don't know how though). But even then we would have to backup the signatures at the time they were available. -- [[User:Http|http]] 23:11, 16 July 2010 (UTC)&lt;br /&gt;
:::So how does TinyUmbrella give baseband protection? ---Whiteshinyapple&lt;br /&gt;
::::It manages to error out the signature for the baseband; that's why you get the 1004 error. Not sure exactly how it's done, but I'd assume that's how. ---OMEGA_RAZER&lt;br /&gt;
:::::I think there's not much to do. When hosts is pointing to Cydia, you also won't get baseband downgraded, even if it would work when pointing to real Apple server. Same should apply for upgrade. Maybe local TSS server from TinyUmbrella just handles error returns better, so that firmware up/downgrade doesn't fail - maybe it just returns an invalid certificate for the baseband, but returns 'ok'. --[[User:Http|http]] 11:08, 9 September 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Using Replay-attack ==&lt;br /&gt;
Can't we make the baseband send just one message to iTunes so that, using a replay attack, we could downgrade the baseband? I mean, the baseband sends a random message to iTunes to allow the downgrade/upgrade, but it only allows it when Apple is still signing the firmware. If we made the baseband send just one message, not a random one, we could downgrade the baseband even if Apple is not signing anymore, of course if a replay attack is used. So, how can we make the baseband send just one message? --[[User:XiiiX|XiiiX]] 16:39, 14 August 2011 (MDT)&lt;br /&gt;
:I feel like you'd have to edit the bbfw file... and so far, I've found no program that can read that code. Also, as an open question to everyone, how does Apple's baseband signing work?&lt;br /&gt;
::SHSH Files? --[[User:Balloonhead66|Balloonhead66]] 19:13, 14 August 2011 (MDT)&lt;br /&gt;
:Really? Damn... I don't read enough. Idea though... can we get access to the signature created at boot up?&lt;br /&gt;
:4.11.08 vuln cannot be in the AT commands this time, can it? I tried to go through most of 'em using minicom 2.2. Looks like there is nothing to get. Other thing, could the contents of AT+XCNONCE be modified, so we get a constant output always?&lt;/div&gt;</summary>
		<author><name>Bbip4</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=User_talk:Bbip4&amp;diff=24345</id>
		<title>User talk:Bbip4</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=User_talk:Bbip4&amp;diff=24345"/>
		<updated>2012-01-31T01:53:16Z</updated>

		<summary type="html">&lt;p&gt;Bbip4: 4.11.08`s Vulnerability&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;4.11.08 vuln cannot be in the [[AT commands]] this time, can it? I tried to go through most of 'em using minicom 2.2. Looks like there is nothing to get. &lt;br /&gt;
Other thing, could the contents of [[AT+XCNONCE]] be modified, so we get a constant output always?&lt;/div&gt;</summary>
		<author><name>Bbip4</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=User_talk:Bbip4&amp;diff=24344</id>
		<title>User talk:Bbip4</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=User_talk:Bbip4&amp;diff=24344"/>
		<updated>2012-01-31T01:48:20Z</updated>

		<summary type="html">&lt;p&gt;Bbip4: BB Talk 4.11.08&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;4.11.08 cannot be in the AT commands this time, can it? I tried to go through most of 'em using minicom 2.2. Looks like there is nothing to get. (See [http://theiphonewiki.com/wiki/index.php?title=AT_Commands AT Commands].)&lt;br /&gt;
Other thing, could the contents of AT+XCNONCE be modified, so we get a constant output always?&lt;/div&gt;</summary>
		<author><name>Bbip4</name></author>
		
	</entry>
</feed>