The iPhone Wiki - User contributions [en]

S5L8920

2009-07-09T09:08:36Z

Darkmen: /* THUMB-2 */

This is the processor used in the [[iPhone 3G S]].

S5L8920 using [http://www.arm.com/products/CPUs/archi-thumb2.html THUMB-2] instruction set as much as ARM and THUMB ones. So the compiled binaries are not compatable with older CPUs.

== Exploits ==
=== [[iBoot]] / [[Kernel]] ===
* [[iBoot Environment Variable Overflow]] - Firmware 3.0 and below

=== [[S5L8920 (Bootrom)|Bootrom]] ===
* [[0x24000 Segment Overflow]]

== Boot Chain ==
[[S5L8920 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]

== See also ==
* [[S5L8920 (Bootrom)]]
* [[S5L8920 (Hardware)]]
* [[S5L8920 (Hardware - Quick Notes)]]

User talk:Darkmen

2009-07-06T07:40:55Z

Darkmen: /* About smart index titles patches */

Excellent work on the yellowsn0w payload reverse

== About smart index titles patches ==

'''Q:''' Can you post your email or something like that? (for contact)

'''A:''' Be my guest: darkmen@i.ua --[[User:Darkmen|Darkmen]] 07:40, 6 July 2009 (UTC)

User:Darkmen

2009-07-05T23:00:57Z

Darkmen: /* Smart index titles */

=Firmware 3.0 patches=
==Smart index titles==
Description: by default the index titles are static: each language has own set of titles array. Sometimes it's not too convinient when you have only 10 sections in Contacts or the iPod but you get A-Z indices. Or if your native language is not English and you have English and non-english contacts / songs. This patch makes possible to see the only index letters whitch your contacts / songs starting from:
[[Image:SmartTitles.png]]

When you have more then 26 letters in a list - each small (5 or less items) section will stick as second letter. This way you become nice look and feel with a long section list.

'''There are 3 files should be patched:'''
===/System/Library/Frameworks/AddressBookUI.framework/AddressBookUI===
<pre>
-0x316FF000
//sectionIndexTitlesForTableView
31703620: 0C708DE2000D2DE908D04DE264119FE50240A0E101109FE70050A0E1CC8701EB040050E10000A0134F00001A48419FE504408FE0003094E5038095E7000058E34600001A34319FE503309FE7003093E5030095E70E8401EB00A050E23500000A1C119FE5006094E501109FE7B88701EB060085E70A00A0E1058601EB003094E500119FE5030095E701109FE7B08701EBF4109FE501109FE700108DE5EC109FE501A09FE7E8109FE501109FE704108DE500B0A0E1150000EAD8609FE500109DE506608FE00820A0E1003096E5030095E79F8701EB0A10A0E10040A0E10420A0E10500A0E19A8701EB000050E3000054110030A0E1 000D2DE903DF4DE20040A0E102A0A0E11C0094E5000050E31D86011B0000A0E30010A0E30020A0E3758501EB1C0084E50400A0E10A20A0E12FFFFFEB020050E3280000BA0080A0E100008DE50150A0E30400A0E10A20A0E1013045E2B1FFFFEB0070A0E10400A0E10A20A0E1013045E24FFFFFEB0020A0E10210A0E30000A0E33B8601EB060057E30E0000AA190058E30C0000BA080055E10A0000AA0070A0E10400A0E10A20A0E10530A0E140FFFFEB015085E20010A0E10700A0E1188601EB018048E20700A0E1F58501EB0010A0E11C0094E5368501EB015085E200009DE5000055E1D9FFFFDA03DF8DE21C0094E51E0000EA
3170A548: 3C119FE50520A0E101109FE70800A0E1056C01EB2C119FE50251E0E301109FE70060A0E30040A0E10800A0E1FE6B01EB14119FE50A20A0E101109FE704008DE50800A0E1F86B01EB0410A0E108008DE504009DE5EC6901EBF0109FE501109FE700108DE500B0A0E11E0000EA0800A0E1 1C0098E5011044E2C76901EB0010A0E3A16A01EB0040A0E10800A0E10A20A0E16BE3FFEB020050E33A0000BA00B0A0E10050A0E30800A0E10A20A0E10530A0E191E3FFEB000050E33200000A0010A0E3916A01EB040050E12E00000A015085E20B0055E1F2FFFFBA015045E2290000EA
</pre>
===/System/Library/Frameworks/UIKit.framework/UIKit===
<pre>
-0x308ED000
30A531EC: 626A29EB 2C0090E5 ; sectionIndexTitles = sectionTitles
30984B20: 0E01005A 0E0100EA ; do not make list shorter
</pre>
===/Applications/MobileMusicPlayer.app/MobileMusicPlayer===
<pre>
-0x1000
//sectionIndexTitlesForTableView
47FE0: 401007E5 400087E5
47FF0: A8239FE5000092E500009BE7000050E3 240087E5A4009BE5000050E389BD001B
48000: 0300000A87BD00EB90239FE5003092E5 0000A0E30010A0E30020A0E30030A0E3
48010: 03408BE788039FE588139FE5000090E5 57BD00EBA4008BE50000A0E30010A0E3
48020: 001091E5FCBE00EB7C139FE5001091E5 0020A0E328BD00EB00A0A0E1240097E5
48030: 381007E53C0007E50B00A0E1F6BE00EB 020050E33D0000BA0080A0E160009BE5
48040: 68139FE5008091E564139FE5001091E5 F8109FE5001091E5F3BE00EBF0109FE5
48050: FF0010E35C039FE50030A0030130A013 001091E5F0BE00EBE8109FE5001091E5
48060: 283007E500A090E53C0017E5EABE00EB EDBE00EB000050E20110A0130010A003
48070: 0810A0E10020A0E10A00A0E1E6BE00EB 201007E50150A0E30160A0E13C6087E5
48080: 00A050E20C00000A0B00A0E1381017E5 0B00A0E1003045E2204017E5043083E0
48090: E1BE00EBFF0010E30700000A18239FE5 383087E592F5FFEB0060A0E1400097E5
480A0: 18139FE50A00A0E1002092E5001091E5 011045E211BD00EB0020A0E10210A0E3
480B0: 0430A0E1002092E5D7BE00EB401017E5 0000A0E3200000EB060056E30D0000AA
480C0: 0A00A0E1D4BE00EBB8329FE50610A0E1 190058E30B0000BA080055E1090000AA
480D0: 0040A0E3003093E5003093E5240007E5 0060A0E1400097E50510A0E103BD00EB
480E0: 03009BE7CCBE00EBD4129FE5001091E5 015085E20010A0E10600A0E1110000EB
480F0: C9BE00EB401017E5C7BE00EB000050E2 018048E20600A0E14DBD00EB0010A0E1
48100: 0100A013200007E50000A0E30010A0E1 0A00A0E1EABC00EBA4009BE53C6097E5
48110: 0020A0E10030A0E115BD00EBA4129FE5 0610A0E1382097E527BD00EB016086E2
48120: 001091E5341007E59C129FE5001091E5 015085E2240097E5000055E1D2FFFFDA
48130: 301007E594129FE5006091E50080A0E1 0A00A0E18F0000EA0CF09FE50CF09FE5
48140: 120000EA441017E50500A0E1B2BE00EB F05409001C5D09000047090041BB2330
48150: 0420A0E1 B5A52530
</pre>

Do not forget to sign patched binaries with codesign tool before upload to a phone

User:Darkmen

2009-07-05T22:52:23Z

Darkmen:

=Firmware 3.0 patches=
==Smart index titles==
Description: by default the index titles are static: each language has own set of titles array. Sometimes it's not too convinient when you have only 10 sections in Contacts or the iPod but you get A-Z indices. Or if your native language is not English and you have English and non-english contacts / songs. This patch makes possible to see the only index letters whitch your contacts / songs starting from:
[[Image:SmartTitles.png]]

'''There are 3 files should be patched:'''
===/System/Library/Frameworks/AddressBookUI.framework/AddressBookUI===
<pre>
-0x316FF000
31703620: 0C708DE2000D2DE908D04DE264119FE50240A0E101109FE70050A0E1CC8701EB040050E10000A0134F00001A48419FE504408FE0003094E5038095E7000058E34600001A34319FE503309FE7003093E5030095E70E8401EB00A050E23500000A1C119FE5006094E501109FE7B88701EB060085E70A00A0E1058601EB003094E500119FE5030095E701109FE7B08701EBF4109FE501109FE700108DE5EC109FE501A09FE7E8109FE501109FE704108DE500B0A0E1150000EAD8609FE500109DE506608FE00820A0E1003096E5030095E79F8701EB0A10A0E10040A0E10420A0E10500A0E19A8701EB000050E3000054110030A0E1 000D2DE903DF4DE20040A0E102A0A0E11C0094E5000050E31D86011B0000A0E30010A0E30020A0E3758501EB1C0084E50400A0E10A20A0E12FFFFFEB020050E3280000BA0080A0E100008DE50150A0E30400A0E10A20A0E1013045E2B1FFFFEB0070A0E10400A0E10A20A0E1013045E24FFFFFEB0020A0E10210A0E30000A0E33B8601EB060057E30E0000AA190058E30C0000BA080055E10A0000AA0070A0E10400A0E10A20A0E10530A0E140FFFFEB015085E20010A0E10700A0E1188601EB018048E20700A0E1F58501EB0010A0E11C0094E5368501EB015085E200009DE5000055E1D9FFFFDA03DF8DE21C0094E51E0000EA
3170A548: 3C119FE50520A0E101109FE70800A0E1056C01EB2C119FE50251E0E301109FE70060A0E30040A0E10800A0E1FE6B01EB14119FE50A20A0E101109FE704008DE50800A0E1F86B01EB0410A0E108008DE504009DE5EC6901EBF0109FE501109FE700108DE500B0A0E11E0000EA0800A0E1 1C0098E5011044E2C76901EB0010A0E3A16A01EB0040A0E10800A0E10A20A0E16BE3FFEB020050E33A0000BA00B0A0E10050A0E30800A0E10A20A0E10530A0E191E3FFEB000050E33200000A0010A0E3916A01EB040050E12E00000A015085E20B0055E1F2FFFFBA015045E2290000EA
</pre>
===/System/Library/Frameworks/UIKit.framework/UIKit===
<pre>
-0x308ED000
30A531EC: 626A29EB 2C0090E5 ; sectionIndexTitles = sectionTitles
30984B20: 0E01005A 0E0100EA ; do not make list shorter
</pre>
===/Applications/MobileMusicPlayer.app/MobileMusicPlayer===
<pre>
-0x1000
47FE0: 401007E5 400087E5
47FF0: A8239FE5000092E500009BE7000050E3 240087E5A4009BE5000050E389BD001B
48000: 0300000A87BD00EB90239FE5003092E5 0000A0E30010A0E30020A0E30030A0E3
48010: 03408BE788039FE588139FE5000090E5 57BD00EBA4008BE50000A0E30010A0E3
48020: 001091E5FCBE00EB7C139FE5001091E5 0020A0E328BD00EB00A0A0E1240097E5
48030: 381007E53C0007E50B00A0E1F6BE00EB 020050E33D0000BA0080A0E160009BE5
48040: 68139FE5008091E564139FE5001091E5 F8109FE5001091E5F3BE00EBF0109FE5
48050: FF0010E35C039FE50030A0030130A013 001091E5F0BE00EBE8109FE5001091E5
48060: 283007E500A090E53C0017E5EABE00EB EDBE00EB000050E20110A0130010A003
48070: 0810A0E10020A0E10A00A0E1E6BE00EB 201007E50150A0E30160A0E13C6087E5
48080: 00A050E20C00000A0B00A0E1381017E5 0B00A0E1003045E2204017E5043083E0
48090: E1BE00EBFF0010E30700000A18239FE5 383087E592F5FFEB0060A0E1400097E5
480A0: 18139FE50A00A0E1002092E5001091E5 011045E211BD00EB0020A0E10210A0E3
480B0: 0430A0E1002092E5D7BE00EB401017E5 0000A0E3200000EB060056E30D0000AA
480C0: 0A00A0E1D4BE00EBB8329FE50610A0E1 190058E30B0000BA080055E1090000AA
480D0: 0040A0E3003093E5003093E5240007E5 0060A0E1400097E50510A0E103BD00EB
480E0: 03009BE7CCBE00EBD4129FE5001091E5 015085E20010A0E10600A0E1110000EB
480F0: C9BE00EB401017E5C7BE00EB000050E2 018048E20600A0E14DBD00EB0010A0E1
48100: 0100A013200007E50000A0E30010A0E1 0A00A0E1EABC00EBA4009BE53C6097E5
48110: 0020A0E10030A0E115BD00EBA4129FE5 0610A0E1382097E527BD00EB016086E2
48120: 001091E5341007E59C129FE5001091E5 015085E2240097E5000055E1D2FFFFDA
48130: 301007E594129FE5006091E50080A0E1 0A00A0E18F0000EA0CF09FE50CF09FE5
48140: 120000EA441017E50500A0E1B2BE00EB F05409001C5D09000047090041BB2330
48150: 0420A0E1 B5A52530
</pre>

Do not forget to sign patched binaries with codesign tool before upload to a phone

File:SmartTitles.png

2009-07-05T22:25:00Z

Darkmen: The iPod smart index titles

The iPod smart index titles

Decrypting Firmwares

2009-07-05T09:19:55Z

Darkmen: Undo revision 4087 by Darkmen (Talk)

==1.0.x==
If you want to decrypt 1.0.x iPhone ramdisk you must remove some trash from the beginning of them. You can do this in Terminal.app (on Mac OS X you can find them in /Applications/Utilities/).

Unzip firmware image (change extension .ipsw to .zip and double click on archive) and find restore ramdisk. In Terminal.app enter simple command:

''dd if=restore_ramdisk.dmg of=restore_ramdisk.stripped.dmg bs=512 skip=4 count=37464 conv=sync''

Where '''restore_ramdisk.dmg''' is image of restore ramdisk (for example 1.0 iPhone firmware restore ramdisk is 694-5259-38.dmg), and '''restore_ramdisk.stripped.dmg''' is 'decrypted' image, that you can mount and explore from Finder.

Note: If after mounting stripped ramdisk you see errors, ignore them.

==1.1.x==
To decrypt the 1.1.x ramdisk, strip the first 0x800 bytes. I'm not proficient in dd, but the above command could be modified for this, or it could be done in a hex editor. Once that's complete, run this command:

''openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0''

This uses the iPhone's 0x837 key which was first leaked by Zibri and had its purpose revealed on Geohot's blog.

==2.x+==
The ramdisk on both 2.x and 3.x firmwares is a simple [http://www.theiphonewiki.com/wiki/index.php?title=IMG3_File_Format img3 file], that you can decrypt using [http://code.google.com/p/img3decrypt/ img3decrypt] or [http://github.com/planetbeing/xpwn/tree/master xpwntool]. You must download one of these utilities. For easier access, put them in '''/usr/local/bin'''

In Terminal.app enter:

''img3decrypt e restore_ramdisk.dmg restore_ramdisk_decrypted.dmg Ramdisk_IV Ramdisk_Key''

Where '''restore_ramdisk.dmg''' is image of restore ramdisk (for example 3.0 beta 1 iPhone GSM firmware restore ramdisk is 018-4793-1.dmg), and r'''estore_ramdisk_decrypted.dmg''' is decrypted image, that you can mount and explore from Finder. Ramdisk_IV and Ramdisk_Key is a decrypted keys that you can find in [http://www.theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys:_3.x vfdecrypt page] or in Info.plist from PwnageTool FirmwareBundles folder (when Dev Team include support for this firmware).

P.S.
img3decrypt doesn't seems to work propertly with 3.0 ramdisks. The DMG becomes mountable, but 99% of files are zerosize.

Decrypting Firmwares

2009-07-05T09:10:43Z

Darkmen: /* 2.x+ */

Decrypting Firmwares

2009-07-05T09:03:58Z

Darkmen: /* 2.x+ */

User:Darkmen

2009-07-04T23:13:59Z

Darkmen: New page: '''Under construction'''

'''Under construction'''

Ultrasn0w

2009-07-04T23:12:11Z

Darkmen: /* Handler replace */

ultrasn0w (previously: '''yellowsn0w''') is the only [[iPhone 3G]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].

==Credit==
MuscleNerd, and [[The dev team]]

==Exploit==
Relies on an unsigned code injection vulnerability.

The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.

==Current Injection Vector==
ultrasn0w refers to the reuseable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00 and the decision was made to release yellowsn0w with this injection vector to benefit the most people. This injection vector is discussed [[AT+stkprof Exploit|here]]. ultrasn0w uses a different injection vector - [[AT+XLOG Exploit]].

==ultrasn0w payload with comments (by Oranav)==

===Code loader (incl. Stage2)===
<pre>
ROM:00000000 ; =============== S U B R O U T I N E =======================================
ROM:00000000
ROM:00000000
ROM:00000000 code_loader
ROM:00000000 dest_addr = R1
ROM:00000000 src_addr = R6
ROM:00000000 MOVLS dest_addr, 0x110
ROM:00000004 ADDS dest_addr, #6
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing
ROM:0000000A
ROM:0000000A loop ; CODE XREF: code_loader+24�j
ROM:0000000A MOVLS R0, 0x22 ; '"'
ROM:0000000E LDRB R3, [src_addr] ; first nibble
ROM:00000010 CMP R0, R3
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble
ROM:00000014 BEQ run ; branch if end of string
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte
ROM:0000001E STRB R3, [dest_addr]
ROM:00000020 ADDS dest_addr, #1
ROM:00000022 ADDS src_addr, #2
ROM:00000024 B loop
ROM:00000026 ; ---------------------------------------------------------------------------
ROM:00000026
ROM:00000026 run ; CODE XREF: code_loader+14�j
ROM:00000026 BLX R2 ; handler_replace()
ROM:00000028 MOVLS R0, 0 ; safe exit
ROM:0000002C ADDS dest_addr, R0, #0
ROM:0000002E BLX R4
ROM:00000030 MOV SP, R5
ROM:00000032 POP {R0-src_addr,PC}
ROM:00000032 ; End of function code_loader
</pre>

===Handler replace===
<pre>
RAM:00011600 ; =============== S U B R O U T I N E =======================================
RAM:00011600
RAM:00011600
RAM:00011600 handler_replace
RAM:00011600 PUSH {LR}
RAM:00011602 LDR R0, =0x40492FC0 ; (probably) where to save task_loop_jmp + task_loop
RAM:00011604 ADR R1, task_loop_jmp
RAM:00011606 ADR R2, task_loop_end
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70
RAM:0001160A LDR R3, =0x2040882C ; memcpy()
RAM:0001160C BLX R3
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator
RAM:00011610 ADR R1, task_creator_jmp
RAM:00011612 ADR R2, task_creator_end
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0
RAM:00011616 LDR R3, =0x2040882C ; memcpy()
RAM:00011618 BLX R3
RAM:0001161A LDR R0, =0x40492C20
RAM:0001161C BLX R0 ; task_creator_jmp()
RAM:0001161E POP {PC}
RAM:0001161E ; End of function handler_replace
</pre>

===Task creator (thanks Darkmen for the comments!)===
I'm also missing here a comment.
<pre>
RAM:40492C20 ; =============== S U B R O U T I N E =======================================
RAM:40492C20
RAM:40492C20
RAM:40492C20 task_creator_jmp
RAM:40492C20 STMFD SP!, {R1-R12,LR}
RAM:40492C24 BLX task_creator
RAM:40492C28 LDMFD SP!, {R1-R12,PC}
RAM:40492C28 ; End of function task_creator_jmp
RAM:40492C28
RAM:40492C2C
RAM:40492C2C ; =============== S U B R O U T I N E =======================================
RAM:40492C2C
RAM:40492C2C
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p
RAM:40492C2C PUSH {R4-R7,LR}
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var
RAM:40492C30 MOVLS R4, 0x800
RAM:40492C34 SUB SP, SP, #0x24
RAM:40492C36 STRH R0, [R3] ; R0 = task_creator_jmp addr
RAM:40492C38 LDR R5, =0x201493F0 ; malloc
RAM:40492C3A ADDS R0, R4, #0 ; 0x800
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string
RAM:40492C3E BLX R5 ; malloc(0x800)
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))
RAM:40492C46 MOVS R2, #0
RAM:40492C48 MOVS R3, #0x44
RAM:40492C4A LDR R1, =aDevteam1 ; char *name
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44
RAM:40492C50 MOVS R3, #0xA
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT
RAM:40492C54 MOVS R3, #0xC
RAM:40492C56 STR R2, [SP] ; void *argv = 0
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START
RAM:40492C5E LDR R2, =0x40492FC0 ; ???
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)
RAM:40492C62 MOVS R3, #0
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task
RAM:40492C66 BLX R4 ; status = NU_Create_Task()
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)
RAM:40492C6A CMP R0, #0 ; success = zero
RAM:40492C6C BNE status_error
RAM:40492C6E LDR R1, =aOk ; "OK!"
RAM:40492C70 ADDS R0, R7, #0 ; resp_string
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")
RAM:40492C76 B exit
RAM:40492C78 ; ---------------------------------------------------------------------------
RAM:40492C78
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"
RAM:40492C7A ADDS R0, R7, #0 ; resp_string
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)
RAM:40492C80
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack
RAM:40492C82 POP {R4-R7,PC}
RAM:40492C82 ; End of function task_creator
</pre>

===Unlock task loop (thanks Darkmen for the comments!)===
<pre>
RAM:00011630 ; =============== S U B R O U T I N E =======================================
RAM:00011630
RAM:00011630
RAM:00011630 task_loop_jmp
RAM:00011630 STMFD SP!, {R1-R12,LR}
RAM:00011634 BLX task_loop
RAM:00011634 ; ---------------------------------------------------------------------------
RAM:00011638 LDMFD SP!, {R1-R12,PC}
RAM:00011638 ; End of function task_loop_jmp
RAM:00011638
RAM:0001163C
RAM:0001163C ; =============== S U B R O U T I N E =======================================
RAM:0001163C
RAM:0001163C
RAM:0001163C task_loop
RAM:0001163C PUSH {R4,R5,LR}
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox
RAM:00011640 SUB SP, SP, #0x14
RAM:00011642
RAM:00011642 loop ; CODE XREF: task_loop+44�j
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox
RAM:00011646 MOV R1, SP ; void *Message
RAM:00011648 MOVS R2, #0xFF ; Timeout
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)
RAM:0001164C LDR R3, [SP] ; Message[0]
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?
RAM:00011650 BNE skip
RAM:00011652 LDR R1, [SP,#4] ; Message[1]
RAM:00011654 LDR R3, =0x40301650
RAM:00011656 LDR R2, [R1] ; Message[1].field0
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0
RAM:0001165A ADDS R3, #4 ; 0x40301654
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2
RAM:00011662 LDR R3, =0x100FF00
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00
RAM:00011666 LDR R3, =0x4020401
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401
RAM:0001166A LDR R3, =0x4040403
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403
RAM:0001166E MOVS R3, #1
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1
RAM:00011672 MOVS R3, #0x20 ; ' '
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20
RAM:00011676
RAM:00011676 skip ; CODE XREF: task_loop+14�j
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox
RAM:00011678 MOV R1, SP ; void *Message
RAM:0001167A MOVS R2, #0xFF ; timeout
RAM:0001167C LDR R3, =0x20430040
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()
RAM:00011680 B loop
RAM:00011680 ; End of function task_loop
RAM:00011680
RAM:00011680 ; ---------------------------------------------------------------------------
</pre>

==Old yellowsn0w payload w/ comments (by Darkmen) ===

The exploit consists from 4 parts:

===Code loader===
<pre>
ROM:00000000 ; =============== S U B R O U T I N E =======================================
ROM:00000000
ROM:00000000
ROM:00000000 loader
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code
ROM:00000002 ADDS R4, R2, #1 ; thumb switch
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are
ROM:00000006
ROM:00000006 copy.loop ; CODE XREF: loader+12�j
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes
ROM:00000008 CMP R0, #0x22 ; '"'
ROM:0000000A BEQ run ; jump thumb code
ROM:0000000C STRB R0, [R2]
ROM:0000000E ADDS R2, #1
ROM:00000010 ADDS R3, #1
ROM:00000012 B copy.loop ;
ROM:00000014 run ; CODE XREF: loader+A�j
ROM:00000014 BX R4 ; jump stage2 code
ROM:00000014 ; End of function loader
ROM:00000014
ROM:00000014 ; ---------------------------------------------------------------------------
</pre>

===Stage2(tm)===
<pre>
RAM:00000000 ; =============== S U B R O U T I N E =======================================
RAM:00000000 stage2
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size
RAM:00000002 MOVS R7, #0xF
RAM:00000004 BICS R2, R7 ; align offset by 0x10
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string
RAM:0000000A ADR R5, char2byte ; loading routine addr
RAM:0000000C ADDS R5, #1 ; thumb
RAM:0000000E
RAM:0000000E loop ; CODE XREF: stage2+2C�j
RAM:0000000E LDRB R1, [R4] ; at-string[index]
RAM:00000010 CMP R1, #'x' ; end of line?
RAM:00000012 BEQ jump_code
RAM:00000014 BLX R5 ; char2byte first hakfbyte
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]
RAM:0000001A BLX R5 ; char2hex second halfbyte
RAM:0000001C NOP
RAM:0000001E NOP
RAM:00000020 NOP
RAM:00000022 NOP
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte
RAM:00000026 STRB R1, [R2] ; storing byte to dst
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2
RAM:0000002A ADDS R2, #1 ; dst++
RAM:0000002C B loop ; at-string[index]
RAM:0000002E jump_code
RAM:0000002E NOP
RAM:00000030 NOP
RAM:00000032 ADDS R7, #1 ; thumbing
RAM:00000034 BX R7 ; run Task creator code
RAM:00000034 ; End of function stage2
RAM:00000038
RAM:00000038 ; =============== S U B R O U T I N E =======================================
RAM:00000038 char2byte ; DATA XREF: stage2+A�o
RAM:00000038 CMP R1, #0x41 ; 'A'
RAM:0000003A BGE letter ; letter to number
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number
RAM:0000003E BX LR
RAM:00000040 letter ; CODE XREF: char2byte+2�j
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number
RAM:00000042 BX LR ; ret
RAM:00000042 ; End of function char2byte
</pre>

===Task creator===
<pre>
RAM:000119A0 ; =============== S U B R O U T I N E =======================================
RAM:000119A0
RAM:000119A0
RAM:000119A0 handler_replace
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr
RAM:000119A2 ADR R1, new_handler
RAM:000119A4 ADDS R1, #1 ; thumbing
RAM:000119A6 STR R1, [R0] ; setting new handler
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack
RAM:000119A8 ; End of function handler_replace

RAM:000119B0 ; =============== S U B R O U T I N E =======================================
RAM:000119B0
RAM:000119B0
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o
RAM:000119B0 PUSH {R4-R7,LR}
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var
RAM:000119B4 MOVS R6, #0x80
RAM:000119B6 SUB SP, SP, #0x2C
RAM:000119B8 LSLS R6, R6, #4 ; 0x200
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack
RAM:000119BE LDR R4, =0x201420AC ; malloc
RAM:000119C0 ADDS R0, R6, #0
RAM:000119C2 BLX R4 ; malloc(0x200)
RAM:000119C4 MOVS R5, #0
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)
RAM:000119CA BLX R4 ; malloc(0x98)
RAM:000119CC ADDS R7, R0, #0 ; R7 = task
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0
RAM:000119D0 MOVS R0, 0x100
RAM:000119D4 BLX R4 ; malloc(0x100)
RAM:000119D6 MOVS R2, #0x80
RAM:000119D8 LDR R1, =task_loop ; src
RAM:000119DA LSLS R2, R2, #1 ; size to copy
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)
RAM:000119E6 MOVS R3, #0x44
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44
RAM:000119EA MOVS R3, #0xA
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT
RAM:000119F0 MOVS R3, #0xC
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START
RAM:000119F6 LDR R1, =devteam1 ; char *name
RAM:000119F8 STR R5, [SP] ; void *argv = 0
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task
RAM:00011A00 MOVS R3, #0 ; int argc = 0
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task
RAM:00011A04 BLX R4 ; status = NU_Create_Task()
RAM:00011A06 ADDS R2, R0, #0
RAM:00011A08 CMP R0, #0 ; success = zero
RAM:00011A0A BNE status_error
RAM:00011A0C LDR R1, =OK
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")
RAM:00011A14 B exit ; fixing stack
RAM:00011A16 ; ---------------------------------------------------------------------------
RAM:00011A16
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j
RAM:00011A16 LDR R1, =ERROR
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")
RAM:00011A1E
RAM:00011A1E exit ; CODE XREF: new_handler+64�j
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack
RAM:00011A20 POP {R4-R7,PC} ; bye
RAM:00011A20 ; End of function new_handler
RAM:00011A20
RAM:00011A20 ; ---------------------------------------------------------------------------
</pre>

===Unlock task loop===
<pre>
RAM:00011A64 ; =============== S U B R O U T I N E =======================================
RAM:00011A64
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o
RAM:00011A64 PUSH {R4,R5,LR}
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox
RAM:00011A68 SUB SP, SP, #0x14
RAM:00011A6A
RAM:00011A6A loop ; CODE XREF: task_loop+44�j
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox
RAM:00011A6E MOV R1, SP ; void *Message
RAM:00011A70 MOVS R2, #0xFF ; Timeout
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)
RAM:00011A74 LDR R3, [SP] ; Message[0]
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?
RAM:00011A78 BNE skip ;
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]
RAM:00011A7C LDR R3, =0x402F79BC
RAM:00011A7E LDR R2, [R1] ; Message[1].field0
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2
RAM:00011A8A LDR R3, =0x100FF00
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00
RAM:00011A8E LDR R3, =0x4020401
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401
RAM:00011A92 LDR R3, =0x4040403
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403
RAM:00011A96 MOVS R3, #1
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1
RAM:00011A9A MOVS R3, #0x20
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20
RAM:00011A9E
RAM:00011A9E skip ; CODE XREF: task_loop+14�j
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox
RAM:00011AA0 MOV R1, SP ; void *Message
RAM:00011AA2 MOVS R2, #0xFF ; timeout
RAM:00011AA4 LDR R3, =0x203ED568
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox
RAM:00011AA8 ; End of function task_loop
</pre>

==Source Code==
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]

==See Also==
* [[X-Gold 608 Unlock]]
* [[X-Gold 608]]
* [[Baseband]]

==External links==
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]
* [http://yellowsn0w.com yellowsn0w Official Website]
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]

[[Category:Unlocking Methods]]
[[Category:Baseband]]

PMB8878

2009-01-13T09:49:56Z

Darkmen: complete memory dump

This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]]

==Datasheet==
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.

==Memory Map==
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

==MMU relocation table==
===Bootloader===
[[Image:Bltbl.png]]

===Firmware===
[[Image:Bbmmu.png]]

==Complete memory dump==
[http://depositfiles.com/files/i5119hpzm 0x00000000-0x0001FFFF]

[http://depositfiles.com/files/mxslfu4dp 0x20000000-0x20FFFFFF]

[http://depositfiles.com/files/6wiet73wn 0x40000000-0x407FFFFF]

[http://depositfiles.com/files/fioppsphe 0xFFFF0000-0xFFFFFFFF]

== Known Firmware Versions ==
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)
[[1.48.02]] 2.0.1(Build 5B108)
[[2.04.03]] 2.1 (Build 5F90)
[[2.08.01]] 2.0.2 (Build 5C1)
[[2.11.07]] 2.1 (Build 5F136)
[[2.28.00]] 2.2 (Build 5G77)

==Accessing Interactive Mode==
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset

PMB8878

2009-01-12T10:58:04Z

Darkmen: /* bootloader table added */

This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]]

==Datasheet==
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.

==Memory Map==
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

==MMU relocation table==
===Bootloader===
[[Image:Bltbl.png]]

===Firmware===
[[Image:Bbmmu.png]]

== Known Firmware Versions ==
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)
[[1.48.02]] 2.0.1(Build 5B108)
[[2.04.03]] 2.1 (Build 5F90)
[[2.08.01]] 2.0.2 (Build 5C1)
[[2.11.07]] 2.1 (Build 5F136)
[[2.28.00]] 2.2 (Build 5G77)

==Accessing Interactive Mode==
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset

File:Bltbl.png

2009-01-12T10:55:42Z

Darkmen: mmu relocation table at bootloader stage

mmu relocation table at bootloader stage

Ultrasn0w

2009-01-09T09:12:54Z

Darkmen: /* stage2(tm) comments added) = */

The first [[iPhone 3G]] [[Unlock 2.0|unlock]] payload. Released on 01/01/09. [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]

==Credit==
MuscleNerd, and [[The dev team]]

==Exploit==
Relies on an unsigned code injection vulnerability.

The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.

==Current Injection Vector==
yellowsn0w refers to the reuseable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00 and the decision was made to release yellowsn0w with this injection vector to benefit the most people.

The injection vector is discussed [[AT+stkprof Exploit|here]]

==Payload w/ Comments (by Darkmen) ===

The exploit consists from 4 parts:

===Code loader===
<pre>
ROM:00000000 ; =============== S U B R O U T I N E =======================================
ROM:00000000
ROM:00000000
ROM:00000000 loader
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code
ROM:00000002 ADDS R4, R2, #1 ; thumb switch
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are
ROM:00000006
ROM:00000006 copy.loop ; CODE XREF: loader+12�j
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes
ROM:00000008 CMP R0, #0x22 ; '"'
ROM:0000000A BEQ run ; jump thumb code
ROM:0000000C STRB R0, [R2]
ROM:0000000E ADDS R2, #1
ROM:00000010 ADDS R3, #1
ROM:00000012 B copy.loop ;
ROM:00000014 run ; CODE XREF: loader+A�j
ROM:00000014 BX R4 ; jump stage2 code
ROM:00000014 ; End of function loader
ROM:00000014
ROM:00000014 ; ---------------------------------------------------------------------------
</pre>

===Stage2(tm)===
<pre>
RAM:00000000 ; =============== S U B R O U T I N E =======================================
RAM:00000000 stage2
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size
RAM:00000002 MOVS R7, #0xF
RAM:00000004 BICS R2, R7 ; align offset by 0x10
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string
RAM:0000000A ADR R5, char2byte ; loading routine addr
RAM:0000000C ADDS R5, #1 ; thumb
RAM:0000000E
RAM:0000000E loop ; CODE XREF: stage2+2C�j
RAM:0000000E LDRB R1, [R4] ; at-string[index]
RAM:00000010 CMP R1, #'x' ; end of line?
RAM:00000012 BEQ jump_code
RAM:00000014 BLX R5 ; char2byte first hakfbyte
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]
RAM:0000001A BLX R5 ; char2hex second halfbyte
RAM:0000001C NOP
RAM:0000001E NOP
RAM:00000020 NOP
RAM:00000022 NOP
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte
RAM:00000026 STRB R1, [R2] ; storing byte to dst
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2
RAM:0000002A ADDS R2, #1 ; dst++
RAM:0000002C B loop ; at-string[index]
RAM:0000002E jump_code
RAM:0000002E NOP
RAM:00000030 NOP
RAM:00000032 ADDS R7, #1 ; thumbing
RAM:00000034 BX R7 ; run Task creator code
RAM:00000034 ; End of function stage2
RAM:00000038
RAM:00000038 ; =============== S U B R O U T I N E =======================================
RAM:00000038 char2byte ; DATA XREF: stage2+A�o
RAM:00000038 CMP R1, #0x41 ; 'A'
RAM:0000003A BGE letter ; letter to number
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number
RAM:0000003E BX LR
RAM:00000040 letter ; CODE XREF: char2byte+2�j
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number
RAM:00000042 BX LR ; ret
RAM:00000042 ; End of function char2byte
</pre>

===Task creator===
<pre>
RAM:000119A0 ; =============== S U B R O U T I N E =======================================
RAM:000119A0
RAM:000119A0
RAM:000119A0 handler_replace
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr
RAM:000119A2 ADR R1, new_handler
RAM:000119A4 ADDS R1, #1 ; thumbing
RAM:000119A6 STR R1, [R0] ; setting new handler
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack
RAM:000119A8 ; End of function handler_replace

RAM:000119B0 ; =============== S U B R O U T I N E =======================================
RAM:000119B0
RAM:000119B0
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o
RAM:000119B0 PUSH {R4-R7,LR}
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var
RAM:000119B4 MOVS R6, #0x80
RAM:000119B6 SUB SP, SP, #0x2C
RAM:000119B8 LSLS R6, R6, #4 ; 0x200
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack
RAM:000119BE LDR R4, =0x201420AC ; malloc
RAM:000119C0 ADDS R0, R6, #0
RAM:000119C2 BLX R4 ; malloc(0x200)
RAM:000119C4 MOVS R5, #0
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)
RAM:000119CA BLX R4 ; malloc(0x98)
RAM:000119CC ADDS R7, R0, #0 ; R7 = task
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0
RAM:000119D0 MOVS R0, 0x100
RAM:000119D4 BLX R4 ; malloc(0x100)
RAM:000119D6 MOVS R2, #0x80
RAM:000119D8 LDR R1, =task_loop ; src
RAM:000119DA LSLS R2, R2, #1 ; size to copy
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)
RAM:000119E6 MOVS R3, #0x44
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44
RAM:000119EA MOVS R3, #0xA
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT
RAM:000119F0 MOVS R3, #0xC
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START
RAM:000119F6 LDR R1, =devteam1 ; char *name
RAM:000119F8 STR R5, [SP] ; void *argv = 0
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task
RAM:00011A00 MOVS R3, #0 ; int argc = 0
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task
RAM:00011A04 BLX R4 ; status = NU_Create_Task()
RAM:00011A06 ADDS R2, R0, #0
RAM:00011A08 CMP R0, #0 ; success = zero
RAM:00011A0A BNE status_error
RAM:00011A0C LDR R1, =OK
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")
RAM:00011A14 B exit ; fixing stack
RAM:00011A16 ; ---------------------------------------------------------------------------
RAM:00011A16
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j
RAM:00011A16 LDR R1, =ERROR
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")
RAM:00011A1E
RAM:00011A1E exit ; CODE XREF: new_handler+64�j
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack
RAM:00011A20 POP {R4-R7,PC} ; bye
RAM:00011A20 ; End of function new_handler
RAM:00011A20
RAM:00011A20 ; ---------------------------------------------------------------------------
</pre>

===Unlock task loop===
<pre>
RAM:00011A64 ; =============== S U B R O U T I N E =======================================
RAM:00011A64
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o
RAM:00011A64 PUSH {R4,R5,LR}
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox
RAM:00011A68 SUB SP, SP, #0x14
RAM:00011A6A
RAM:00011A6A loop ; CODE XREF: task_loop+44�j
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox
RAM:00011A6E MOV R1, SP ; void *Message
RAM:00011A70 MOVS R2, #0xFF ; Timeout
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)
RAM:00011A74 LDR R3, [SP] ; Message[0]
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?
RAM:00011A78 BNE skip ;
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]
RAM:00011A7C LDR R3, =0x402F79BC
RAM:00011A7E LDR R2, [R1] ; Message[1].field0
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2
RAM:00011A8A LDR R3, =0x100FF00
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00
RAM:00011A8E LDR R3, =0x4020401
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401
RAM:00011A92 LDR R3, =0x4040403
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403
RAM:00011A96 MOVS R3, #1
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1
RAM:00011A9A MOVS R3, #0x20
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20
RAM:00011A9E
RAM:00011A9E skip ; CODE XREF: task_loop+14�j
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox
RAM:00011AA0 MOV R1, SP ; void *Message
RAM:00011AA2 MOVS R2, #0xFF ; timeout
RAM:00011AA4 LDR R3, =0x203ED568
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox
RAM:00011AA8 ; End of function task_loop
</pre>

==Source Code==
The source code for yellowsn0w is now live [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]

==Compatibility==

{| class="wikitable sortable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Country
! Provider
! yellowsn0w Version
! SIM/USIM
! Ingoing Calls?
! Outgoing Calls?
! SMS?
! GPRS/EDGE?
! UMTS/HSDPA?
! Comments
|-
| Bermuda
| Mobility
| 0.9.5
| SIM
| {{no}}
| {{no}}
| {{no}}
| {{no}}
| Not Available
| Still stops working after a while of regular use :(
|-
| Germany
| O2
| <=0.9.4
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| Icon shown but not tested
| Icon shown but not tested
|
|-
| Israel
| IL Orange
| 0.9.5
| USIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| Requires turning airplane mode on and off to get signal. After that, works perfectly.
|}

Additional information:
http://report.yellowsn0w.com/

==See Also==
* [[Unlock 2.0]]
* [[X-Gold 608]]
* [[Baseband]]

==External links==
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]
* [http://qik.com/video/729275 MuscleNerd's Demo]
* [http://yellowsn0w.com Official Website]

[[Category:Unlocking Methods]]

Talk:Ultrasn0w

2009-01-09T07:31:49Z

Darkmen: /* Darkmen's analysis */

== Darkmen's analysis ==

This analysis is somewhat incomplete, as it leaves out stage 2 of the injector that performs the hex to binary conversion for the payload. As it stands, the comment for offset 4 of the "Code loader" (internally called "stage 1" of the injector), the one that says "at-handler buffer where StrToHex result of the at-command is" is incorrect. The reason for the error is probably that the reverse engineer used "strings" on the yellowsn0w executable to find the injected payload of yellowsn0w and since the injector's stage 2 is in binary (the contents of memory at 0x40159FBF is thus ready-to-execute binary code, albeit misaligned), "strings", therefore, would not have yielded the code for stage 2. Overall, though, my cursory examination seems to indicate that the rest of the analysis (of the "meat" of the thing) is fairly accurate and commendable. :)

--[[User:Planetbeing|Planetbeing]] 23:12, 8 January 2009 (UTC)

Its true. I just took the at-string from the iphone wiki post ;) Anyway, my point was to get main idea

--[[User:Darkmen|Darkmen]] 07:31, 9 January 2009 (UTC)

== Geohot's commentary ==

Thinking about this, I know how I could've done the unlock. I'm so lazy. This might be what yellowsn0w does already; theres a little object code in your source, so I don't know :-)

1. copy task_sim into memory
2. patch task_sim in the usual way(too bad i don't really understand the baseband at all)
3. modify the nucleus task struct to use the in memory task_sim(although idk why theres no execute on the stack, normal ram seems ok)
4. reset the sim card

no real reversing required. i could've had this in july dammit :-P

i also think this approach might solve some peoples problems with it dying after 10 minutes

~geohot

== Payload vs injection vector ==

I edited the page in a way I felt was more accurate. Geohot deserves massive props for finding the vuln in 2.28, and maybe there should be a separate "iPhone 3G Unlock" page that notes that more prominently (noting the 2.2 unlock was dev team's payload with geohot's vuln), but yellowsn0w IS the payload and it doesn't make sense to give separate credits on this page for the injection vector.

I don't know much about how yellowsn0w works myself, but I understand it took a lot of careful reverse engineering of the Nucleus OS and baseband tasks in order to pull off, so the payload honestly doesn't take the backseat to the vuln in this case.

--[[User:Planetbeing|Planetbeing]] 16:47, 3 January 2009 (UTC)

== nx ==

heh, I think it is a standard thing for ARM for the stack to be nx. btw, of course there was reversing required, how else would you have found the injection hack itself x)

== About AT+STKPROF exploit ==

Does only 2.28 vulnerable to at+stkprof exploit?

== RE: About AT+STKPROF exploit ==

afaik all versions 1.45 through 2.28 are vulnerable, but devteam only designed a payload for 2.28. not 100% on that though.

AT+stkprof

2009-01-08T16:32:31Z

Darkmen: /* Unlock task loop */

Used as an injection vector for the first [[iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]].

==Credit==
[[geohot]]

==Exploit==
There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the [[X-Gold 608|iPhone 3G baseband]].

==Implementation==
The [[dev team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.

The source code is also available here [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]

===New Implementation (yellowsn0w 0.9.6)===
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but it seems to send their stuff all in one go.

<pre>
at+stkprof=122064a541c044b1878222803d0107001320133f8e720470000bf9f1
54000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8905120
000000001010101020202020611301000c000000223B22270F32101C1743BAA
50BA40E78213501D00C297810B47A847A8786146C046C046C046C0701118C
93201340246C0E7EF370146C03030473829411+09pG79pG024803A10131016
01FBD00004C711140F0B51C4B80268BB03601188008911A4C301CA0470025
09909820A047071CC56080204000A047802214495200144B041C9847099B01
93442303930A23013405930C23221C06930F49009502960495381C00230D4C
A047021C002804D10B4908980B4B984703E00B490898094B98470BB0F0BD00
0044B33B40AC201420641A0100A0583C20481A010040B53F20541A010000DD
4620581A01006465767465616D31000000004F4B21004552524F52202564000
0000030B5114D85B0114B281C6946FF229847009B0D2B11D101990D4B0A68
1A6004334A681A608A680B4B13600B4B53600B4B93600123CB602023009328
1C6946FF22074B9847DFE700005427234098591620BC792F4000FF000101040
2040304040468D53E207878220
</pre>

Anyone with a better insight feel free to comment / modify, as I didn't look any further into this, I just looked at the ztringz :)

===yellowsn0w 0.9.6 with comments===
The exploit consists from 3 parts:
====Code loader====
<pre>
ROM:00000000 ; =============== S U B R O U T I N E =======================================
ROM:00000000
ROM:00000000
ROM:00000000 loader
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code
ROM:00000002 ADDS R4, R2, #1 ; thumb switch
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where StrToHex result of the at-command is
ROM:00000006
ROM:00000006 copy.loop ; CODE XREF: loader+12�j
ROM:00000006 LDRB R0, [R3] ; copying code until double quotes
ROM:00000008 CMP R0, #0x22 ; '"'
ROM:0000000A BEQ run ; jump thumb code
ROM:0000000C STRB R0, [R2]
ROM:0000000E ADDS R2, #1
ROM:00000010 ADDS R3, #1
ROM:00000012 B copy.loop ; copying code until double quotes
ROM:00000014 ; ---------------------------------------------------------------------------
ROM:00000014
ROM:00000014 run ; CODE XREF: loader+A�j
ROM:00000014 BX R4 ; jump thumb code
ROM:00000014 ; End of function loader
ROM:00000014
ROM:00000014 ; ---------------------------------------------------------------------------
</pre>

====Task creator====
<pre>
RAM:000119A0 ; =============== S U B R O U T I N E =======================================
RAM:000119A0
RAM:000119A0
RAM:000119A0 handler_replace
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr
RAM:000119A2 ADR R1, new_handler
RAM:000119A4 ADDS R1, #1 ; thumbing
RAM:000119A6 STR R1, [R0] ; setting new handler
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack
RAM:000119A8 ; End of function handler_replace

RAM:000119B0 ; =============== S U B R O U T I N E =======================================
RAM:000119B0
RAM:000119B0
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o
RAM:000119B0 PUSH {R4-R7,LR}
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var
RAM:000119B4 MOVS R6, #0x80
RAM:000119B6 SUB SP, SP, #0x2C
RAM:000119B8 LSLS R6, R6, #4 ; 0x200
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack
RAM:000119BE LDR R4, =0x201420AC ; malloc
RAM:000119C0 ADDS R0, R6, #0
RAM:000119C2 BLX R4 ; malloc(0x200)
RAM:000119C4 MOVS R5, #0
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)
RAM:000119CA BLX R4 ; malloc(0x98)
RAM:000119CC ADDS R7, R0, #0 ; R7 = task
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0
RAM:000119D0 MOVS R0, 0x100
RAM:000119D4 BLX R4 ; malloc(0x100)
RAM:000119D6 MOVS R2, #0x80
RAM:000119D8 LDR R1, =task_loop ; src
RAM:000119DA LSLS R2, R2, #1 ; size to copy
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)
RAM:000119E6 MOVS R3, #0x44
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44
RAM:000119EA MOVS R3, #0xA
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT
RAM:000119F0 MOVS R3, #0xC
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START
RAM:000119F6 LDR R1, =devteam1 ; char *name
RAM:000119F8 STR R5, [SP] ; void *argv = 0
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task
RAM:00011A00 MOVS R3, #0 ; int argc = 0
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task
RAM:00011A04 BLX R4 ; status = NU_Create_Task()
RAM:00011A06 ADDS R2, R0, #0
RAM:00011A08 CMP R0, #0 ; success = zero
RAM:00011A0A BNE status_error
RAM:00011A0C LDR R1, =OK
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")
RAM:00011A14 B exit ; fixing stack
RAM:00011A16 ; ---------------------------------------------------------------------------
RAM:00011A16
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j
RAM:00011A16 LDR R1, =ERROR
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")
RAM:00011A1E
RAM:00011A1E exit ; CODE XREF: new_handler+64�j
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack
RAM:00011A20 POP {R4-R7,PC} ; bye
RAM:00011A20 ; End of function new_handler
RAM:00011A20
RAM:00011A20 ; ---------------------------------------------------------------------------
</pre>

====Unlock task loop====
<pre>
RAM:00011A64 ; =============== S U B R O U T I N E =======================================
RAM:00011A64
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o
RAM:00011A64 PUSH {R4,R5,LR}
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox
RAM:00011A68 SUB SP, SP, #0x14
RAM:00011A6A
RAM:00011A6A loop ; CODE XREF: task_loop+44�j
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox
RAM:00011A6E MOV R1, SP ; void *Message
RAM:00011A70 MOVS R2, #0xFF ; Timeout
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)
RAM:00011A74 LDR R3, [SP] ; Message[0]
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?
RAM:00011A78 BNE skip ;
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]
RAM:00011A7C LDR R3, =0x402F79BC
RAM:00011A7E LDR R2, [R1] ; Message[1].field0
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2
RAM:00011A8A LDR R3, =0x100FF00
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00
RAM:00011A8E LDR R3, =0x4020401
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401
RAM:00011A92 LDR R3, =0x4040403
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403
RAM:00011A96 MOVS R3, #1
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1
RAM:00011A9A MOVS R3, #0x20
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20
RAM:00011A9E
RAM:00011A9E skip ; CODE XREF: task_loop+14�j
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox
RAM:00011AA0 MOV R1, SP ; void *Message
RAM:00011AA2 MOVS R2, #0xFF ; timeout
RAM:00011AA4 LDR R3, =0x203ED568
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox
RAM:00011AA8 ; End of function task_loop
</pre>
[[Category:Unlocking Methods]]

AT+stkprof

2009-01-08T10:12:32Z

Darkmen: yellowsn0w exploit comments

PMB8878

2009-01-07T18:16:49Z

Darkmen:

This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]]

==Datasheet==
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.

==Memory Map==
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

==MMU relocation table==
[[Image:Bbmmu.png]]

== Known Firmware Versions ==
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)
[[1.48.02]] 2.0.1(Build 5B108)
[[2.04.03]] 2.1 (Build 5F90)
[[2.08.01]] 2.0.2 (Build 5C1)
[[2.11.07]] 2.1 (Build 5F136)
[[2.28.00]] 2.2 (Build 5G77)

==Accessing Interactive Mode==
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset

File:Bbmmu.png

2009-01-07T18:13:42Z

Darkmen:

Normal Mode

2008-12-27T11:01:34Z

Darkmen: SSL encryption disable

This is the protocol iTunes uses to talk to the booted iPhone. It uses usbmux to provide TCP like connectivity over a USB port using SSL. There is a pairing process iTunes uses to establish the secure channel.
There is a way to disable SSL encyption during iTunes communication on jailbroken devices by patching lockdownd binary:

:(#) Disable SSL protection
:(#) FW 2.1
:(#) binary /usr/libexec/lockdownd
:-0x1000
:000112F8: 0C3098E5 0030A0E3 ; Conn.UseSSL = false

After applying the patch all packets between iPhone and iTunes become plain and clear. Musthave for R&D ppl.
==USBMux Protocol==

===Resources===
* [[MobileDevice Library]]
* [http://wikee.iphwn.org/usb:usbmux The dev team's page on the topic]
* [http://matt.colyer.name/projects/iphone-linux/index.php?title=Protocol_Documentation Protocol Documentation]
* [http://matt.colyer.name/projects/iphone-linux/index.php?title=Main_Page iFuse]