The iPhone Wiki - User contributions [en]

PMB8878

2009-04-14T17:10:18Z

Expired-: Removed circular wiki reference :)

This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the PMB8878.

==Datasheet==
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.

==Secpack 2.0==
This is the security region in the files sent to the [[X-Gold 608]]. This is the first 0xCF8 is new fls and eep files.

===Layout===
0x634--Memory Map
0x714--Descriptor
0xCD4--Post secpack pointer to name
0xCEC--Data length

==Endpack==
The fls and eep files also have a footer tacked onto the end containing the loader and signature.

==Memory Map==
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

==MMU relocation table==
===Bootloader===
[[Image:Bltbl.png]]

===Firmware===
[[Image:Bbmmu.png]]

==Complete memory dump==
[http://depositfiles.com/files/i5119hpzm 0x00000000-0x0001FFFF]

[http://depositfiles.com/files/mxslfu4dp 0x20000000-0x20FFFFFF]

[http://depositfiles.com/files/6wiet73wn 0x40000000-0x407FFFFF]

[http://depositfiles.com/files/fioppsphe 0xFFFF0000-0xFFFFFFFF]

== Known Firmware Versions ==
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)
[[1.48.02]] 2.0.1 (Build 5B108)
[[2.04.03]] 2.1 (Build 5F90)
[[2.08.01]] 2.0.2 (Build 5C1)
[[2.11.07]] 2.1 (Build 5F136)
[[2.28.00]] 2.2 (Build 5G77)
[[2.30.03]] 2.2.1 (Build 5H11)
[[4.20.01]] 3.0 beta 1 (Build 7A238j)
[[4.22.01]] 3.0 beta 2 (Build 7A259g)

==Accessing Interactive Mode==
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset

[[Category:Baseband]]

PMB8878

2009-04-14T17:09:38Z

Expired-:

This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]]

==Datasheet==
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.

==Secpack 2.0==
This is the security region in the files sent to the [[X-Gold 608]]. This is the first 0xCF8 is new fls and eep files.

===Layout===
0x634--Memory Map
0x714--Descriptor
0xCD4--Post secpack pointer to name
0xCEC--Data length

==Endpack==
The fls and eep files also have a footer tacked onto the end containing the loader and signature.

==Memory Map==
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

==MMU relocation table==
===Bootloader===
[[Image:Bltbl.png]]

===Firmware===
[[Image:Bbmmu.png]]

==Complete memory dump==
[http://depositfiles.com/files/i5119hpzm 0x00000000-0x0001FFFF]

[http://depositfiles.com/files/mxslfu4dp 0x20000000-0x20FFFFFF]

[http://depositfiles.com/files/6wiet73wn 0x40000000-0x407FFFFF]

[http://depositfiles.com/files/fioppsphe 0xFFFF0000-0xFFFFFFFF]

== Known Firmware Versions ==
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)
[[1.48.02]] 2.0.1 (Build 5B108)
[[2.04.03]] 2.1 (Build 5F90)
[[2.08.01]] 2.0.2 (Build 5C1)
[[2.11.07]] 2.1 (Build 5F136)
[[2.28.00]] 2.2 (Build 5G77)
[[2.30.03]] 2.2.1 (Build 5H11)
[[4.20.01]] 3.0 beta 1 (Build 7A238j)
[[4.22.01]] 3.0 beta 2 (Build 7A259g)

==Accessing Interactive Mode==
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset

[[Category:Baseband]]

Ultrasn0w

2009-04-14T17:09:09Z

Expired-:

The first [[iPhone 3G]] [[Unlock 2.0|unlock]] payload. Released on 01/01/09. [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]

==Credit==
MuscleNerd, and [[The dev team]]

==Exploit==
Relies on an unsigned code injection vulnerability.

The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.

==Current Injection Vector==
yellowsn0w refers to the reuseable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00 and the decision was made to release yellowsn0w with this injection vector to benefit the most people.

The injection vector is discussed [[AT+stkprof Exploit|here]]

==Payload w/ Comments (by Darkmen) ===

The exploit consists from 4 parts:

===Code loader===
<pre>
ROM:00000000 ; =============== S U B R O U T I N E =======================================
ROM:00000000
ROM:00000000
ROM:00000000 loader
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code
ROM:00000002 ADDS R4, R2, #1 ; thumb switch
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are
ROM:00000006
ROM:00000006 copy.loop ; CODE XREF: loader+12�j
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes
ROM:00000008 CMP R0, #0x22 ; '"'
ROM:0000000A BEQ run ; jump thumb code
ROM:0000000C STRB R0, [R2]
ROM:0000000E ADDS R2, #1
ROM:00000010 ADDS R3, #1
ROM:00000012 B copy.loop ;
ROM:00000014 run ; CODE XREF: loader+A�j
ROM:00000014 BX R4 ; jump stage2 code
ROM:00000014 ; End of function loader
ROM:00000014
ROM:00000014 ; ---------------------------------------------------------------------------
</pre>

===Stage2(tm)===
<pre>
RAM:00000000 ; =============== S U B R O U T I N E =======================================
RAM:00000000 stage2
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size
RAM:00000002 MOVS R7, #0xF
RAM:00000004 BICS R2, R7 ; align offset by 0x10
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string
RAM:0000000A ADR R5, char2byte ; loading routine addr
RAM:0000000C ADDS R5, #1 ; thumb
RAM:0000000E
RAM:0000000E loop ; CODE XREF: stage2+2C�j
RAM:0000000E LDRB R1, [R4] ; at-string[index]
RAM:00000010 CMP R1, #'x' ; end of line?
RAM:00000012 BEQ jump_code
RAM:00000014 BLX R5 ; char2byte first hakfbyte
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]
RAM:0000001A BLX R5 ; char2hex second halfbyte
RAM:0000001C NOP
RAM:0000001E NOP
RAM:00000020 NOP
RAM:00000022 NOP
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte
RAM:00000026 STRB R1, [R2] ; storing byte to dst
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2
RAM:0000002A ADDS R2, #1 ; dst++
RAM:0000002C B loop ; at-string[index]
RAM:0000002E jump_code
RAM:0000002E NOP
RAM:00000030 NOP
RAM:00000032 ADDS R7, #1 ; thumbing
RAM:00000034 BX R7 ; run Task creator code
RAM:00000034 ; End of function stage2
RAM:00000038
RAM:00000038 ; =============== S U B R O U T I N E =======================================
RAM:00000038 char2byte ; DATA XREF: stage2+A�o
RAM:00000038 CMP R1, #0x41 ; 'A'
RAM:0000003A BGE letter ; letter to number
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number
RAM:0000003E BX LR
RAM:00000040 letter ; CODE XREF: char2byte+2�j
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number
RAM:00000042 BX LR ; ret
RAM:00000042 ; End of function char2byte
</pre>

===Task creator===
<pre>
RAM:000119A0 ; =============== S U B R O U T I N E =======================================
RAM:000119A0
RAM:000119A0
RAM:000119A0 handler_replace
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr
RAM:000119A2 ADR R1, new_handler
RAM:000119A4 ADDS R1, #1 ; thumbing
RAM:000119A6 STR R1, [R0] ; setting new handler
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack
RAM:000119A8 ; End of function handler_replace

RAM:000119B0 ; =============== S U B R O U T I N E =======================================
RAM:000119B0
RAM:000119B0
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o
RAM:000119B0 PUSH {R4-R7,LR}
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var
RAM:000119B4 MOVS R6, #0x80
RAM:000119B6 SUB SP, SP, #0x2C
RAM:000119B8 LSLS R6, R6, #4 ; 0x200
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack
RAM:000119BE LDR R4, =0x201420AC ; malloc
RAM:000119C0 ADDS R0, R6, #0
RAM:000119C2 BLX R4 ; malloc(0x200)
RAM:000119C4 MOVS R5, #0
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)
RAM:000119CA BLX R4 ; malloc(0x98)
RAM:000119CC ADDS R7, R0, #0 ; R7 = task
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0
RAM:000119D0 MOVS R0, 0x100
RAM:000119D4 BLX R4 ; malloc(0x100)
RAM:000119D6 MOVS R2, #0x80
RAM:000119D8 LDR R1, =task_loop ; src
RAM:000119DA LSLS R2, R2, #1 ; size to copy
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)
RAM:000119E6 MOVS R3, #0x44
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44
RAM:000119EA MOVS R3, #0xA
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT
RAM:000119F0 MOVS R3, #0xC
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START
RAM:000119F6 LDR R1, =devteam1 ; char *name
RAM:000119F8 STR R5, [SP] ; void *argv = 0
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task
RAM:00011A00 MOVS R3, #0 ; int argc = 0
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task
RAM:00011A04 BLX R4 ; status = NU_Create_Task()
RAM:00011A06 ADDS R2, R0, #0
RAM:00011A08 CMP R0, #0 ; success = zero
RAM:00011A0A BNE status_error
RAM:00011A0C LDR R1, =OK
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")
RAM:00011A14 B exit ; fixing stack
RAM:00011A16 ; ---------------------------------------------------------------------------
RAM:00011A16
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j
RAM:00011A16 LDR R1, =ERROR
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")
RAM:00011A1E
RAM:00011A1E exit ; CODE XREF: new_handler+64�j
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack
RAM:00011A20 POP {R4-R7,PC} ; bye
RAM:00011A20 ; End of function new_handler
RAM:00011A20
RAM:00011A20 ; ---------------------------------------------------------------------------
</pre>

===Unlock task loop===
<pre>
RAM:00011A64 ; =============== S U B R O U T I N E =======================================
RAM:00011A64
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o
RAM:00011A64 PUSH {R4,R5,LR}
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox
RAM:00011A68 SUB SP, SP, #0x14
RAM:00011A6A
RAM:00011A6A loop ; CODE XREF: task_loop+44�j
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox
RAM:00011A6E MOV R1, SP ; void *Message
RAM:00011A70 MOVS R2, #0xFF ; Timeout
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)
RAM:00011A74 LDR R3, [SP] ; Message[0]
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?
RAM:00011A78 BNE skip ;
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]
RAM:00011A7C LDR R3, =0x402F79BC
RAM:00011A7E LDR R2, [R1] ; Message[1].field0
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2
RAM:00011A8A LDR R3, =0x100FF00
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00
RAM:00011A8E LDR R3, =0x4020401
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401
RAM:00011A92 LDR R3, =0x4040403
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403
RAM:00011A96 MOVS R3, #1
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1
RAM:00011A9A MOVS R3, #0x20
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20
RAM:00011A9E
RAM:00011A9E skip ; CODE XREF: task_loop+14�j
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox
RAM:00011AA0 MOV R1, SP ; void *Message
RAM:00011AA2 MOVS R2, #0xFF ; timeout
RAM:00011AA4 LDR R3, =0x203ED568
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox
RAM:00011AA8 ; End of function task_loop
</pre>

==Source Code==
The source code for yellowsn0w is now live [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]

==Compatibility==

{| class="wikitable sortable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! Country
! Provider
! yellowsn0w Version
! SIM/USIM
! Ingoing Calls?
! Outgoing Calls?
! SMS?
! GPRS/EDGE?
! UMTS/HSDPA?
! Comments
|-
| Bermuda
| Mobility
| 0.9.6
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| Not Available
| Works but often loses signal.
|-
| Germany
| O2
| 0.9.6
| SIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
|
|-
| Israel
| IL Orange
| 0.9.6
| USIM
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| {{yes}}
| Works perfect.
|}

Additional information:
http://report.yellowsn0w.com/

==See Also==
* [[Unlock 2.0]]
* [[X-Gold 608]]
* [[Baseband]]

==External links==
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]
* [http://qik.com/video/729275 MuscleNerd's Demo]
* [http://yellowsn0w.com Official Website]

[[Category:Unlocking Methods]]
[[Category:Baseband]]

NCK Brute Force

2009-04-14T17:08:28Z

Expired-:

This is a theoretical exploit which involves brute forcing the NCK from the [[seczone]] the CHIPID and the NORID. So far no one has made public an instance of NCK discovery using this theortical approach.

==Credit==
gray, geohot

==Feasibility==
Given that [[NCK]]s are 15 digits long, the keyspace is log(10^15)/log(2)~=2^50 This would be searchable if all the cryptography used was symmetric. But the algo is TEA(RSA(token), NCK+CHIPID+NORID) [[http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm TEA]]. So that inside [http://en.wikipedia.org/wiki/RSA RSA] has to be done. A modern machine can search the 8 digit keyspace in about 5 minutes, which means we need a couple orders of magnitude speed increase to consider 15 digit.

==Implementation==
[http://lpahome.com/nckbf/nckbf.rar Multithreaded NCK Brute Forcer]

[[Category:Baseband]]
[[Category:Unlocking Methods]]

Baseband Device

2009-04-14T17:08:04Z

Expired-:

This is the device in the iPhone that manages all the functions which require an antenna. The baseband processor has its own RAM and firmware in NOR flash, separate from the ARM core resources. The baseband is a resource to the OS. The Wi-Fi and bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in it's NVRAM.

The [[iPhone]]'s baseband processor is the [[S-Gold 2]] and the [[iPhone 3G]] makes use of the [[X-Gold 608]] chip for this purpose.

You can check some [[Baseband Commands]] too (by pH and EvilPenguin)

==Seczone==
This is the area in the baseband where the lock state is stored.

===Layout===
0x400--NCK token
0xB00--IMEI
0xB10--IMEI signature
0xC00--Locks table

===Encryption===
Many of the sections are encrypted using TEA based off the CHIPID and NORID. See [[NCK Brute Force]] for more info.

==Exploits==
* [[SIM hacks]]
* [[Fakeblank|Hardware Fakeblank]]
* [[IPSF]]
* [[Minus 0x400]]
* [[Jerrysim]]
* [[Minus 0x20000 with Back Extend Erase]]
* [[yellowsn0w]]

==Theoretical Attacks==
* [[NCK Brute Force]]
* [[Baseband JTAG]]

==Boot Chain==
[[Baseband Bootrom|bootrom]]->[[Baseband Bootloader|bootloader]]->[[Baseband Firmware|firmware]]

[[Category:Baseband]]

Baseband Bootloader

2009-04-14T17:07:43Z

Expired-:

The baseband bootloader is the code which runs before the baseband FW, it is responsible for signature checking and updating the baseband. See also [[bootloader]].

==Revisions==
===3.9===
This is the old bootloader from the [[iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x400]] and [[IPSF]]

===4.6===
This is the new bootloader from the [[iPhone]]/[[S-Gold 2]]. It is vulnerable to [[Minus 0x20000 with Back Extend Erase]]

===5.8===
This is the bootloader from the [[iPhone 3G]]/[[X-Gold 608]]. It is, in contrast to 3.9 and 4.6, sig checked on startup. There is an exploit where the main fw cert is passed with the loader instead of the loader cert, and it checks the main firmware instead, allowing you to upload unsigned loader code. This has been fixed in 5.9. You can downgrade from 02.30.03 to 02.28.00 using [[pHaseBanDowngrader]] (by pH) in the Bootloader 5.8.

DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.8.fls.

===5.9===
This is the bootloader of version 2.1 and 2.2 OTB (and some 2.0 OTB) [[iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could downgrade their iPhone 3G baseband from 1.48 to 1.45. Now, all the iPhone 3G has bootloader 5.9 and higher.

DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.5.9.fls

===6.2===
This is the latest bootloader of version 2.2.1 OTB [[iPhone 3G]]/[[X-Gold 608]]. Still has no known exploits and it was released as soon as Apple knew [[iPhone Dev Team]] could unlock their iPhone 3G baseband version 2.28 by yellowsn0w. Now, all the iPhone 3G 2.2.1 OTB has bootloader 6.2.

DWD_ICE2_SECURE_BOOTLOADER/Secure_ICE2_Bootloader.6.2.fls

[[Category:Baseband]]

GenPass

2009-04-14T00:00:47Z

Expired-: Added category

<pre>
// genpass
// get asr key for 3.x firmware
//
// by posixninja, geohot, and chronic

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/sha.h>
#include <openssl/evp.h>

#define BUF_SIZE 0x100000
#define SHA256_DIGEST_LENGTH 32

typedef unsigned char uint8;
typedef unsigned int uint32;
typedef unsigned long long uint64;

uint64 u32_to_u64(uint32 msq, uint32 lsq) {
uint64 ms = (uint64)msq;
uint64 ls = (uint64)lsq;
return ls | (ms << 32);
}

uint64 hash_platform(const char* platform) {
uint8* md = malloc(SHA_DIGEST_LENGTH);
SHA1(platform, strlen(platform), md);

uint64 hash = u32_to_u64(
((md[0] << 24) | (md[1] << 16) | (md[2] << 8) | md[3]),
((md[4] << 24) | (md[5] << 16) | (md[6] << 8) | md[7])
);
free(md);
return hash;
}

uint64 ramdisk_size(const char* ramdisk) {
struct stat filestat;
if(stat(ramdisk, &filestat) < 0) {
return 0;
}

return (uint64)filestat.st_size;
}

void keydump(uint8* passphrase,int l) {
int i=0;
for(i=0; i<l; i++) {
printf("%02x", passphrase[i]);
} printf("\n");
}

int compare(const uint32* a, const uint32* b) {
if(*a < *b) return -1;
if(*a > *b) return 1;
return 0;
}

const char platform[]="s5l8900x";
const char ramdisk[]="ramdisk.dmg";

int main(int argc, char* argv[]) {

if(argc<3) {printf("%s: <platform> <ramdisk> <main>\n", argv[0]); return -1;}

uint32 saltedHash[4];
uint64 salt[4];

salt[0] = 0xad79d29de5e2ac9e;
salt[1] = 0xe6af2eb19e23925b;
salt[2] = 0x3f1375b4bd88815c;
salt[3] = 0x3bdff4e5564a9f87;

FILE* fd = fopen(argv[2], "rb");
int i = 0;
int x = 0;
SHA256_CTX ctx;
uint8* buffer = NULL;
uint8* passphrase = NULL;
uint64 totalSize = ramdisk_size(argv[2]);
uint64 platformHash = hash_platform(argv[1]);

/*printf("size: %I64x plat: %s plathash %I64x\n", totalSize,
platform,platformHash);*/

for(i=0;i<4;i++)
{
salt[i]+=platformHash;
//printf("%d: %I64x\n", i, salt[i]);
}

for(i = 0; i < 4; i++) {
saltedHash[i] = ((uint32)(salt[i] % totalSize)) & 0xFFFFFE00;
}

qsort(&saltedHash, 4, 4, &compare);

SHA256_Init(&ctx);
SHA256_Update(&ctx, salt, 32);

int r=0;
i=0; //hash count

buffer = malloc(BUF_SIZE);
passphrase = malloc(SHA256_DIGEST_LENGTH);

while(r<totalSize) {
x = fread(buffer, 1, BUF_SIZE, fd);
SHA256_Update(&ctx, buffer, x);

if(i<4) //some salts remain
{
if(r >= (saltedHash[i]+0x4000)) i++;
else if( r < saltedHash[i] && saltedHash[i] < (r+x) )
{
if( (saltedHash[i]+0x4000) < r )
SHA256_Update(&ctx, buffer, saltedHash[i]-r);
else SHA256_Update(&ctx, buffer+(saltedHash[i]-r),
( (x-(saltedHash[i]-r))<0x4000) ? (x-(saltedHash[i]-r)) : 0x4000 );
}
}
r+=x;
}

fclose(fd);

SHA256_Final(passphrase, &ctx);
printf("passphrase: ");
keydump(passphrase, SHA256_DIGEST_LENGTH);

if(buffer) free(buffer);

if(argc==4) //do main as well
{
fd=fopen(argv[3],"rb");
EVP_CIPHER_CTX ctx;

int offset=0x1D4;
uint8 data[0x30];
uint8 out[0x30]; int outlen,tmplen;
int a;
for(a=0;a<7;a++)
{
fseek(fd, offset, SEEK_SET); offset+=0x268;
fread(data, 1, 0x30, fd);
EVP_CIPHER_CTX_init(&ctx);
EVP_DecryptInit_ex(&ctx, EVP_des_ede3_cbc(),
NULL, passphrase, &passphrase[24]);
EVP_DecryptUpdate(&ctx, out, &outlen, data, 0x30);
if(!EVP_DecryptFinal_ex(&ctx, out + outlen, &tmplen))
printf("not block %d\n", a);
else
break;
}
printf("vfdecryptk: ");
keydump(out, 0x24);
}

if(passphrase) free(passphrase);

return 0;
}
</pre>

[[Category:VFDecrypt]]

Firmware Keys

2009-04-13T23:59:30Z

Expired-: Added category

== Introduction ==
These keys are for use with the 'vfdecrypt' tool to decrypt the main filesystem DMG found in every iPhone/iPhone 3G/iPod touch .ipsw file. Every key will work on the main filesystem DMG for that build, regardless if it is for the iPhone or iPod touch unless specified. The DMG that you are after is the bigger one, in the case of current builds of 2.0, it can sometimes be 200+ MB!

== VFDecrypt Usage ==
./vfdecrypt -i <dmg> -o decrypted_fs.dmg -k <key>

== Gaps ==
As you will notice, there may be a gap or two, or a key for a current build that is not there. Please feel free to add them, but please be sure that it is only the key for a User or Developer build, as if you gave the key for another type of build that might or may not be out there '''people could get in trouble, and we do not want that'''. Thanks for contributing!

== Downloads ==

* http://rgov.org/files/vfdecrypt-mac.zip (Mac OS X Universal)
* http://iphoneelite.googlecode.com/files/vfdecrypt.zip (Windows)

* Source Credit: http://lorenzo.yellowspace.net/corrupt-sparseimage.html

== Firmwares ==
* [[VFDecrypt Keys: 1.x|1.x]]
* [[VFDecrypt Keys: 2.x|2.x]]
* [[VFDecrypt Keys: 3.x|3.x]]

== See also ==
* [[System]] - a page with links to download the firmware images

[[Category:VFDecrypt]]

Baseband Commands

2009-04-12T20:30:40Z

Expired-: /* Running Minicom 2.2 from MobileTerminal */

==About==
In this page, you'll find some Baseband Commands. You can use them with Minicom 2.2, that can be found on Cydia.

==Setting up Minicom 2.2==
# After installing Minicom from Cydia, make sure the folder /usr/etc exists. SSH into your iPhone and then, type: ''minicom -s''.
# Now, select ''Serial Port Setup'' in the Menu and press Enter. Then, press "a" and set Serial Device to ''/dev/tty.debug''.
# Press Esc, and in the Main Menu, select ''Save setup as dfl''. Now, select "exit".
# To run minicom using ssh, just run minicom -w

==Running Minicom 2.2 from MobileTerminal==
'''Note''': minicom does work on MobileTerminal only on root (use su) and only after it has been configured (through the steps above).
# Open MobileTerminal.
# Run the command su, enter your root password (default alpine) and then run minicom -w.
# To exit minicom, slide your finger on the screen ("gesture") to the bottom right (if you haven't changed this setting in MobileTerminal settings), then press A, X and enter.

==How to run Baseband Commands==

Here is the list that me (pH) and EvilPenguin are doing of Baseband Commands.

First, run Minicom. Then, type "at" and press Enter. Then, you can type the command that you want, have fun.

==Baseband Commands==
===Getting Information===
* '''at+xgendata''': Display some baseband informations
* '''at&v''': Display the profiles in the Baseband (Active Profile, Stored Profile 0 and Stored Profile 1)
* '''at+clac''': Show some baseband commands
* '''at&h''': Show more Baseband Commands

===Unlock===
* '''at+clck''': Traditional unlock command
* '''at+xlock''': Wildcard unlock
* '''at+xsimstate''': Print lock state (write at+xsimstate=1 to turn on, at+xsimstate=0 to turn off)

Baseband Commands

2009-04-12T01:31:47Z

Expired-: /* Baseband Commands */

==About==
In this page, you'll find some Baseband Commands. You can use them with Minicom 2.2, that can be found on Cydia.

==Setting up Minicom 2.2==
# After installing Minicom from Cydia, make sure the folder /usr/etc exists. SSH into your iPhone and then, type: ''minicom -s''.
# Now, select ''Serial Port Setup'' in the Menu and press Enter. Then, press "a" and set Serial Device to ''/dev/tty.debug''.
# Press Esc, and in the Main Menu, select ''Save setup as dfl''. Now, select "exit".
#* '''Note''': minicom does work on MobileTerminal only on root (use su) and only after it has been configured.
# Run the command su, enter your root password (default alpine) and then run minicom -w.
# To exit minicom, slide your finger on the screen ("gesture") to the bottom right (if you haven't changed this setting in MobileTerminal settings), then press A, X and enter.

==Running Minicom==
To run minicom, is pretty simple: just type "minicom -w".

==How to run Baseband Commands==

Here is the list that me (pH) and EvilPenguin are doing of Baseband Commands.

First, run Minicom. Then, type "at" and press Enter. Then, you can type the command that you want, have fun.

==Baseband Commands==
===Getting Information===
* '''at+xgendata''': Display some baseband informations
* '''at&v''': Display the profiles in the Baseband (Active Profile, Stored Profile 0 and Stored Profile 1)
* '''at+clac''': Show some baseband commands
* '''at&h''': Show more Baseband Commands

===Unlock===
* '''at+clck''': Traditional unlock command
* '''at+xlock''': Wildcard unlock
* '''at+xsimstate''': Print lock state (write at+xsimstate=1 to turn on, at+xsimstate=0 to turn off)

Baseband Commands

2009-04-12T01:30:34Z

Expired-: /* Setting up Minicom 2.2 */ - reformatting

==About==
In this page, you'll find some Baseband Commands. You can use them with Minicom 2.2, that can be found on Cydia.

==Setting up Minicom 2.2==
# After installing Minicom from Cydia, make sure the folder /usr/etc exists. SSH into your iPhone and then, type: ''minicom -s''.
# Now, select ''Serial Port Setup'' in the Menu and press Enter. Then, press "a" and set Serial Device to ''/dev/tty.debug''.
# Press Esc, and in the Main Menu, select ''Save setup as dfl''. Now, select "exit".
#* '''Note''': minicom does work on MobileTerminal only on root (use su) and only after it has been configured.
# Run the command su, enter your root password (default alpine) and then run minicom -w.
# To exit minicom, slide your finger on the screen ("gesture") to the bottom right (if you haven't changed this setting in MobileTerminal settings), then press A, X and enter.

==Running Minicom==
To run minicom, is pretty simple: just type "minicom -w".

==How to run Baseband Commands==

Here is the list that me (pH) and EvilPenguin are doing of Baseband Commands.

First, run Minicom. Then, type "at" and press Enter. Then, you can type the command that you want, have fun.

==Baseband Commands==
===Getting Information===
'''at+xgendata''': Display some baseband informations

'''at&v''': Display the profiles in the Baseband (Active Profile, Stored Profile 0 and Stored Profile 1)

'''at+clac''': Show some baseband commands

'''at&h''': Show more Baseband Commands

===Unlock===
'''at+clck''': Traditional unlock command

'''at+xlock''': Wildcard unlock

'''at+xsimstate''': Print lock state (write at+xsimstate=1 to turn on, at+xsimstate=0 to turn off)