The iPhone Wiki - User contributions [en]

Keynote

2012-02-01T00:21:30Z

Grisolp:

A special nickname given to keynotes by Steve Jobs because of how unique they are. You would have to watch one, then you will immediately realize why they are special

Talk:Leftover Strings

2011-08-25T12:09:20Z

Grisolp:

Don't want to ruin the fun, but just FYI, super is a very dry Objective C technical term about the Superclass of an object.. Not trying to pee on anyone's parade though... [[User:Iemit737|Iemit737]] 04:00, 13 September 2010 (UTC)
:...Durp. <:B I totally need to pick up Objective-C (or any programming language, for that manner)... --[[User:Dialexio|Dialexio]] 04:35, 13 September 2010 (UTC)

Wait... was WiFi syncing somewhere in iOS 4.3.3? According to some of these strings (however funny) it looks like it was there... --[[User:Rdqronos|rdqronos]] 18:23, 24 August 2011 (MDT)
:I don't think it exists (completely) in 4.x. But of course, it will be present in iOS 5. --[[User:Dialexio|Dialexio]] 18:43, 24 August 2011 (MDT)
:That's what I figured. --[[User:Rdqronos|rdqronos]] 05:48, 25 August 2011 (MDT)
Is this for real?--Grisolp 06:09, 25 August 2011 (MDT)

Unlock

2011-06-15T11:51:28Z

Grisolp:

This is the process by which the iPhone is modified such that the baseband will accept the [[wikipedia: Subscriber Identity Module|SIM]] card of any GSM carrier. This is entirely different than a [[jailbreak]]. Contrary to popular thought, jailbreaking one's iPhone does not unlock it. A jailbreak is, however, required for all currently public, unofficial software unlocks (see "Official Unlock" below).

==Official Unlock==
[[Image:iTunesUnlock.png|thumb|Unlock in iTunes]]
At +0x400 in the [[seczone]], a token is stored encrypted with (NCK + NORID + HWID). Apple, knowing the [[NCK]], sends it using an [[activation token]] over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" It decrypts the token with the generated [[Baseband_TEA_Keys|key]]. If that decryption, after deRSAing with Key 2, is a valid token for the phone, it is stored back to that flash with the token TEA, but not RSA decrypted. On startup, if the lockstate table says the phone is unlocked, it validates that RSA token.

This type of unlock does not require a jailbreak and is permanent, even surviving a restore (unless Apple or your carrier decides to re-lock the phone, something that has rarely happened http://m.yahoo.com/rs/aHR0cHM6Ly9kaXNjdXNzaW9ucy5hcHBsZS5jb20vdGhyZWFkLzI3Nzk0NzE_c3RhcnQ9MCZ0c3RhcnQ9MA--/1308224534/VpFaYXZh%3B_ylt=A0WTcJWVmvhNEGEAdAq4RXMJ%3B_ylu=X3oDMTMwZXR0Y2NsBGNiaWQDBGNvbmNlcHQDBGNwb3MDBGNzZWMDBHBvcwMxBHF1ZXJ5A2lPUyA0LjMgbG9ja2VkIG15IGZhY3RvcnkgdW5sb2NrZWQgaVBob25lBHNlYwN3ZWIEc2xrA3dlYg--).

==Hardware Unlock==
It is not possible to hardware unlock current devices. The only way to mention here would be [[Gevey SIM]], which is actually not a hardware modification.
Back in the days of the original iPhone, on 1.0.2 firmware it was possible to hardware unlock your iPhone. The instructions were on geohots blog, which is currently private. http://www.iphone-hacks.com/downloads/iphoneunlock.pdf
==Old AnySim Patch (1.0.X)==
This deprecated patch disabled signature checks. So the RSA signature would always validate, and the phone would always appear to be unlocked and every NCK would appear to be valid. This patch caused the locktables to be rewritten to the unlocked state which resulted in a cypto failure once the patch was removed during a BB upgrade, causing the 0049 IMEI issue. The virginizer was written in response to this problem and allowed users to write locked, virgin locktables. This removed the crypto failure and allowed the application of the ignore MCC/MNC patch.
Y
==New AnySIM Patch (1.1+)==
This patch, also know as the ignore MCC/MNC patch, makes every MCC/MNC pair appear valid. This patch is overwritten on a reflash of the baseband, and doesn't touch the seczone or the locktables at all. It must be reapplied for every baseband upgrade to maintain the unlock.

In addition, AnySIM 1.1 fixed the "Spamming AT" problems from [[iUnlock]] and earlier AnySIM versions.

==IPSF==
See [[IPSF]] for main article. This exploit changed the lockstate table in the [[seczone]] to read unlocked and created a spoofed RSA token that was seen as valid by BL3.9 (BL4.6 was ''not'' vulnerable to IPSF). It overwrote your previous token, which means the phone could nor longer be officially unlocked, unless a restore of the token was performed from a previously made backup. Since the token isn't modified in a baseband flash, this unlock survived a baseband downgrade or upgrade. Apple attempted to combat this by requiring AT+CLCK command to be sent every startup. In a officially unlocked iPhones, lockdownd does this. In a late version IPSF phone, signal.app does this.

== Cloning Officially Unlocked Phones ==
This has been suggested by many people, however it has been well investigated and virtually ruled out for these reasons:
# Replacing the [[Baseband Bootloader|baseband bootloader]] or [[Baseband Firmware|firmware]] of a locked phone with that of an officially unlocked phone does ''not'' unlock the phone, as the unlock information resides in a different flash area, known as the [[seczone]] and is unique to each phone.
# Cloning the [[seczone]] would duplicate [[wikipedia:International Mobile Equipment Identity|IMEIs]] which would be illegal in most places and would likely result in a ban of these.
# Phones with cloned [[seczone]]s would not even be unlocked by the [[NCK]]s of the phone they were cloned from as the [[CHIPID]] and [[NORID]] is concatenated with the [[NCK]] to produce the decryption key used on the RSA [[seczone]] token. The only way to make this work is to change the [[NORID]] and [[CHIPID]] which is not possible.

== External Links ==
*[http://caniunlock.com/ English Website from chpwn with overview of unlock status]
*[http://caniunlock.de/ Deutsche Website von pattyland mit einer Übersicht des Unlockstatus's]

IPad 2

2011-05-29T18:51:08Z

Grisolp: "impressions". It could be released tomorrow. Unlikely, but possible.

[[Image:Ipad2.png|right|thumb|iPad 2]]
{{lowercase}}
The iPad 2 was announced on March 2, 2011. It was initially released on March 11 in the United States, and March 25 elsewhere. There are three variants of the iPad 2.

As of May 29, 2011, the iPad 2 does not have any (publicly released) exploits to run unsigned code. (there is impression there is exploit to be release within about 3 weeks.)

* [[K93ap|Wi-Fi only]]
* [[K94ap|GSM model]]
* [[K95ap|CDMA model]]

== Application processor ==
It makes use of the dual-core 1 GHz[http://www.apple.com/ipad/specs/] [[S5L8940]] CPU (A5 chip).

== Baseband (3G versions) ==
The [[K94ap|GSM model]] uses the [[X-Gold 618]] baseband chip, same as in the [[N90ap|iPhone 4 GSM model]].

The [[K95ap|CDMA model]] uses Qualcomm's Gobi chipset, like the [[N90ap|iPhone 4 CDMA model]].

==Wireless==
The iPad 2 uses the [[BCM4329]] for [[Bluetooth]] and Wi-Fi communication.

== Specifications ==
* '''Screen:''' 9.7" 1024x768 LED-backlit IPS display at 132 ppi
* '''Size:''' 9.5 inches (241.2 mm) (height) x 7.31 inches (185.7 mm) (width) x 0.34 inch (8.8 mm) (depth)
* '''Weight:''' 1.33 pounds (601 g) [[K93ap|Wi-Fi model]]; 1.35 pounds (613 g) [[K94ap|GSM model]]; 1.34 pounds (607 g) [[K95ap|CDMA model]]
* '''Battery:''' Up to 10 hours of Internet use, one month of standby
* '''3G:''' UMTS/HSDPA/HSUPA (850, 900, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz) [[K94ap|GSM model]]; CDMA EV-DO Rev. A (800, 1900 MHz) [[K95ap|CDMA model]]
* '''Rear camera''': 0.7MP, supporting HD video recording @ 30 FPS
* '''Front camera''': VGA photos and video @ 30 FPS, supporting [[FaceTime]] video calls

IPad 2

2011-05-29T13:01:34Z

Grisolp:

[[Image:Ipad2.png|right|thumb|iPad 2]]
{{lowercase}}
The iPad 2 was announced on March 2, 2011. It was initially released on March 11 in the United States, and March 25 elsewhere. There are three variants of the iPad 2.

As of May 29, 2011, the iPad 2 does not have any (publicly released) exploits to run unsigned code.

* [[K93ap|Wi-Fi only]]
* [[K94ap|GSM model]]
* [[K95ap|CDMA model]]

== Application processor ==
It makes use of the dual-core 1 GHz[http://www.apple.com/ipad/specs/] [[S5L8940]] CPU (A5 chip).

== Baseband (3G versions) ==
The [[K94ap|GSM model]] uses the [[X-Gold 618]] baseband chip, same as in the [[N90ap|iPhone 4 GSM model]].

The [[K95ap|CDMA model]] uses Qualcomm's Gobi chipset, like the [[N90ap|iPhone 4 CDMA model]].

==Wireless==
The iPad 2 uses the [[BCM4329]] for [[Bluetooth]] and Wi-Fi communication.

== Specifications ==
* '''Screen:''' 9.7" 1024x768 LED-backlit IPS display at 132 ppi
* '''Size:''' 9.5 inches (241.2 mm) (height) x 7.31 inches (185.7 mm) (width) x 0.34 inch (8.8 mm) (depth)
* '''Weight:''' 1.33 pounds (601 g) [[K93ap|Wi-Fi model]]; 1.35 pounds (613 g) [[K94ap|GSM model]]; 1.34 pounds (607 g) [[K95ap|CDMA model]]
* '''Battery:''' Up to 10 hours of Internet use, one month of standby
* '''3G:''' UMTS/HSDPA/HSUPA (850, 900, 1900, 2100 MHz); GSM/EDGE (850, 900, 1800, 1900 MHz) [[K94ap|GSM model]]; CDMA EV-DO Rev. A (800, 1900 MHz) [[K95ap|CDMA model]]
* '''Rear camera''': 0.7MP, supporting HD video recording @ 30 FPS
* '''Front camera''': VGA photos and video @ 30 FPS, supporting [[FaceTime]] video calls

BBUpdaterExtreme

2011-05-27T20:41:45Z

Grisolp:

This is the tool used by Apple to updateflash the Baseband of XGOLD basebands.
It also allow to do some more things like changing the IMEI SV or just powercycling damaged baseband.

The tool seems to make a connection to the device to flash the firmware, the eeprom and the bootloader.
The Device is the Emergency Bootloader of the iPhone which also is the only gate to flash the baseband.

There have been some tries to make custom fls / eep files ( which are needed to flash the baseband of the device ).
This method could bring back 06.15.00 devices back which are now damaged.

With this tool it is not possible to downgrade any baseband version.

==Commands==
*BBUpdaterExtreme help [unknown option] [?]
*BBUpdaterExtreme queryversion | prints the current status of baseband firmware
*BBUpdaterExtreme update -f ICE2_xx.xx.xx.fls -e ICE2_xx.xx.xx.eep | UPDATES ( not downgrades!!! ) Firmware version
*BBUpdaterExtreme imeisv [option] | changes the imeisv value
*BBUpdaterExtreme automatic -S -F [or -L for BL] | for automatic update (while firmware restores)
*BBUpdaterExtreme audioparameters [?]
*BBUpdaterExtreme ice3dump [?]
*BBUpdaterExtreme staticeep [?]

==Compatible Chipsets==

Talk:NCK Brute Force

2011-05-27T20:37:01Z

Grisolp:

== Permanent unlock? ==
Is this method usable to permanently unlock the iPhone (like IPSF) aka upgrade resistant and not needing a software like signal.app (and being able to use SIM PIN Code)?
This would allowed to have the "official" unlock (except activation)?

== Time calculations ==

How long would it take to search the 15 digit one?

Geohots NCKBF program could do around 100,000 keys/second which would produce a hit in many years, or complete a search in 317 years.

To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even if you use a PSP3 or special hardware (within 1,000 US$ range) you will only get an improvement of 20-100 times.. which doesn't help much. - Deco

I assume in the article there's something wrong regarding time calculation. It states that for 8 bit you need 5 mins and we have 15 bit. That would mean 128 fold more or only 11 hours with a PC two years old. That must be wrong. -- [[User:Http|http]] 08:26, 24 July 2010 (UTC)

It's clear now. We are talking about decimal digits, not bits! So it takes 10(15-8) times longer, or about 95 years. -- [[User:Http|http]] 21:53, 5 August 2010 (UTC)

I read somewhere that the phone perminatley locks to a carrier after 5 incorrect NCK entries...is that true?

== Cloud project ==

Using a system like BOINC ( known for seti @ home) would not help to distribute the load ?

If Apple sold 10 Million devices, and lets say maybe 10k to 100k people participated,
we should be able to reduce that time from, lets say 200 years to a maximum of 2 weeks to 2 months.

Now we would just need someone to create a modified client, manage the calculated packages and provide the packages which would need to be calculated/crunched.

Just an idea.

Chris

And you'll end up with exactly ''one'' unlocked iPhone. Better off selling the machine hours. ~geohot

But with such a project you could compare the results of every calculation not only with one iPhone, but with a list of all iPhones that have registered in the project. That's the advantage of brute force attack. So it would still be possible I think - assuming we could create such a network. But it could also arise legal problems. -- [[User:Http|http]] 08:33, 24 July 2010 (UTC)

== Brute force master key ==

Is it not possible to brute force the key that apple uses and then use that to unlock all iPhones?

if we get say 1 million computers then how long would it theoretically take to generate one key? 1 million isn't that impossible given that 3 million iPhone 3Gs have been sold of most geeks have more than one computer. Assuming that on average everyone contributes 2 computers then we only need 500000 people to reach 1 million. subtract the speed of networking and the fact that some people will turn their computers off every so often and we should be able to generate 5 or 6 keys a day? this is kinda pathetic for just a proof of concept but just proving that we can generate code and can harness this much power would be a massive psychological blow to apple. also i would assume that we would need some main server to control all the computers which probably doesn't exist :P

blog.iphone-dev.org had 276,688 unique visitors on July 20th (PwnageTool release 2.0/2.0.1), so I would assume that number is the sort of participants we would get. I think 2 computers from each person is also optimistic, it would probably be less than 1 on average as most people won't run it 24/7.

== Mirror ==
Does anyone have a mirror for the Multithreaded NCK Brute Forcer I think the link is down.--[[User:Bob|Bob]] 14:49, 22 August 2008 (UTC)

Reply: done --[[User:Zuezuo|Zuezuo]] 10:32, 9 March 2010 (UTC)

The link doesn't appear to be active anymore. I have an interest in this code, and maybe porting it to some faster machines. Does it still exist, or did someone erase it/stop hosting it? ---[[User:Unrstuart|Unrstuart]] 15:10, 24 July 2010 (PDT)

I have updated the page with a valid link to a blog discussing geohot's Multithreaded NCK Brute Forcer. This page contains a link to the source code and a Windows binary. --[[User:Jmh9072|Jmh9072]] Feb 4, 2011, 23:52 (EST)

== RSA attack ==

Some researches recently published this paper:
"Fault-Based Attack of RSA Authentication" - http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf

Could that be useful in this NCK attack? --[[User:Zuezuo|Zuezuo]] 10:32, 9 March 2010 (UTC)
:NO, just if you are in apple's server and shot-circuit one of the servers. {{unsigned|XiiiX|22:42, 14 March 2011 (UTC)}}

User talk:5urd

2011-05-26T21:22:35Z

Grisolp:

==Stub==
Hi Cole. I don't like having the stub mark everywhere. Well, it's done now, so we'll leave it. Better you ask next time before making such big changes. The problem I see is that many pages will never get updated, for example the old baseband version pages. Adding this stub mark will add no value to the page, nor help in getting the page extended. This might be good for Wikipedia, but not here. On other pages (like the [[AT+XNONCE]]) I don't see what should be missing there. If you know what is missing, please add it. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)
:It looked too short is why. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)

==Pictures==
And for the new pictures for the stub pages, you probably just copied them from somewhere on the Internet. Please draw your own images instead of stealing it from somewhere. I'll delete them otherwise. We cannot have the official Apple logo just as a mark for general Apple issues. We might be able to use official product photos or the Apple logo on a page describing Apple, but nothing else. Treat images the same way as software. The jailbreak image probably comes from a scammers page, but it's still not yours, even if they do bad things. [[User:geohot|Geohot]] has enough trouble right now, so don't add copyrighted material to this wiki. I'll delete the images tomorrow if you haven't replaced them by then. Thanks. --[[User:Http|http]] 17:23, 19 February 2011 (UTC)
:Ok, i'll replace the copywrited images with Public domain. --[[User:Balloonhead66|Balloonhead66]] 17:31, 19 February 2011 (UTC)
::Thanks. (I had to laugh when I saw your new Apple!) --[[User:Http|http]] 17:39, 19 February 2011 (UTC)
:::Images:
::::[[:Image:Android logo.png|Android logo.png]] - public domain, kept [[commons:File:Android_robot.svg|On Commons]]
::::[[:Image:Generic iPhone.png|Generic iPhone.png]] - public domain, kept [[commons:File:iPhone.svg|On Commons]]
::::[[:Image:Apple-logo.png|Apple-logo.png]] - logo, copyrited, replaced with [[commons:File:Apple Mac.png|Apple Mac.png from Commons]]
::::[[:Image:Jailbreak.jpg|Jailbreak.jpg]] - unknown license, replaced with [[:Image:Gp.png|Gp.png]]
::::[[:Image:Filesystem Listing.png|Filesystem Listing.jpg]] - from [http://www.hp9845.net/9845/projects/hpdir/ blog], unknown license, replaced with [http://cole.freehostingcloud.com/wiki/File:iphonefw.png Iphonefw.png from my site]
::::[[:Image:Hacking.png|Hacking.png]] - icon from {{wp|GNOME}} project - unreplaced
::::[[:Image:Software Icon.png|Software Icon.png]] - icon, copyrited, replaced wth [[commons:File:Crystal Clear device cdrom unmount.png|Crystal Clear device cdrom unmound.png from Commons]]
::::[[:Image:P2P.gif|P2P.gif]] - unknown license, replaced with [[commons:File:P2P-network.svg|P2P-network.svg from Commons (2000px)]] at [[:Image:P2P.png|P2P.png]]
:::--[[User:Balloonhead66|Balloonhead66]] 17:53, 19 February 2011 (UTC)

Please stop flooding the wiki with your changes about your vfdecrypt GUI (one of what like 200?) all the recent changes most of the time are from you about little menial stuff that i doubt most people care about, i had to stop following the wiki twitter account because it seemed like 99.99% of the updates were from you, all useless. PLEASE STOP --[[User:Nito|Nito]] 19:53, 26 May 2011 (UTC)
:Obviously keeping the wiki up to date is more important than inconveniencing anyone regarding their twitter feeds. The more accurate the wiki, the better. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)
::Yes but when his updates are about stupid crap re: ANOTHER vfdecrypt GUI then i think it does a disservice to everyone who uses the wiki. --[[User:Nito|Nito]] 20:37, 26 May 2011 (UTC)
:::I think it's better not to judge *anyone's* contributions, large or small. This is a community of contributors. [[User:MuscleNerd|MuscleNerd]] 20:40, 26 May 2011 (UTC)
:::: I understand that, but mostly every time i look in the recent changes pages its filled up with garbage about idecryptit or whatever, rendering "recent changes" 99.99% useless imo. --[[User:Nito|Nito]] 20:42, 26 May 2011 (UTC)
::::: The more active the wiki, the better. It means (1) people are contributing (2) info is being refined and corrected. Even if it's the tiniest details, over time that makes a big difference. [[User:MuscleNerd|MuscleNerd]] 20:44, 26 May 2011 (UTC)
::::::Yes, because people learn a lot from a GUI. He uses the wiki as an advertisement for it. --[[User:Cj|cj]] 20:50, 26 May 2011 (UTC)
:::::::If it's a valid wiki topic, then it "deserves" to be updated as much as any other topic. If it's not a valid topic, ask to have it removed. He's actually marking all of his minor edits properly (that bold "m"). Perhaps whoever owns that twitter account shouldn't rebroadcast edits marked as minor like that. [[User:MuscleNerd|MuscleNerd]] 20:54, 26 May 2011 (UTC)
:::::::: I think it straddles the line of "valid" i definitely remember reading somewhere that geo didn't want the wiki to be used as an advertisement for apps --[[User:Nito|Nito]] 20:56, 26 May 2011 (UTC)
::::::::: The rule is actually "don't create a page just to advertise your new website please". More details on the Ground Rules page. [[User:MuscleNerd|MuscleNerd]] 21:02, 26 May 2011 (UTC)

User talk:5urd

2011-05-26T21:21:47Z

Grisolp:

User talk:5urd

2011-05-26T21:19:13Z

Grisolp:

User talk:5urd

2011-05-26T21:18:28Z

Grisolp:

Talk:Durango 8J2 (iPhone3,1)

2011-05-05T11:31:45Z

Grisolp:

This is iOS 4.3.3, right?

Yes sir--Grisolp 11:31, 5 May 2011 (UTC)

Talk:Durango 8J2 (iPhone3,1)

2011-05-05T11:31:15Z

Grisolp:

This is iOS 4.3.3, right?
Yes sir--Grisolp 11:31, 5 May 2011 (UTC)

Talk:Unlock

2011-04-28T14:59:43Z

Grisolp:

== Page naming ==

I propose we name this page iPhone(2G) unlock due to links to this page on xgold 608 unlock page (and others) that may be confusing to some. Or we could move the contentets of this page and replace it with some basic info about unlock (what unlocking is. And some links to more specific pages) --[[User:Toddyt1|Toddyt1]] 20:24 (edited 20:45), 9 January 2011 (UTC)

If you get your phone officially unlocked through cutyoursim.com or other services, ad they send the NCK and an updated wildcardticket then apple decides to re-lock it, isnt that only through wildcardticket? so the NCK is still entered? So if the NCK is still there, couldnt you just hacktivate and not accept the wildcardticket? so then its unlocked?--Grisolp 14:59, 28 April 2011 (UTC)

Unlock

2011-04-28T14:56:26Z

Grisolp:

This is the process by which the iPhone baseband is modified to accept the [[wikipedia: Subscriber Identity Module|SIM]] card of any GSM carrier. This is entirely different than a [[jailbreak]]. Contrary to what you might have been told, just because you jailbreak your iPhone it does not mean you are unlocked, But most of the time a jailbreak is required to use an unlock, except in certain circumstances (see "Official Unlock" below).

==Official Unlock==
[[Image:iTunesUnlock.png|thumb|Unlock in iTunes]]
At +0x400 in the [[seczone]], a token is stored encrypted with (NCK + NORID + HWID). Apple, knowing the [[NCK]], sends it using an [[activation token]] over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" It decrypts the token with the generated [[Baseband_TEA_Keys|key]]. If that decryption, after deRSAing with Key 2, is a valid token for the phone, it is stored back to that flash with the token TEA, but not RSA decrypted. On startup, if the lockstate table says the phone is unlocked, it validates that RSA token.

This type of unlock does not require a jailbreak and is permanent, even through a restore unless Apple or your Carrier decide to re-lock your phone.

==Hardware Unlock==
How to unlock your phone http://www.iphone-hacks.com/downloads/iphoneunlock.pdf

==Old AnySim Patch (1.0.X)==
This deprecated patch disabled signature checks. So the RSA signature would always validate, and the phone would always appear to be unlocked and every NCK would appear to be valid. This patch caused the locktables to be rewritten to the unlocked state which resulted in a cypto failure once the patch was removed during a BB upgrade, causing the 0049 IMEI issue. The virginizer was written in response to this problem and allowed users to write locked, virgin locktables. This removed the crypto failure and allowed the application of the ignore MCC/MNC patch.

==New AnySIM Patch (1.1+)==
This patch, also know as the ignore MCC/MNC patch, makes every MCC/MNC pair appear valid. This patch is overwritten on a reflash of the baseband, and doesn't touch the seczone or the locktables at all. It must be reapplied for every baseband upgrade to maintain the unlock.

In addition, AnySIM 1.1 fixed the "Spamming AT" problems from [[iUnlock]] and earlier AnySIM versions.

==IPSF==
See [[IPSF]] for main article. This exploit changed the lockstate table in the [[seczone]] to read unlocked and created a spoofed RSA token that was seen as valid by BL3.9 (BL4.6 was ''not'' vulnerable to IPSF). It overwrote your previous token, which means the phone could nor longer be officially unlocked, unless a restore of the token was performed from a previously made backup. Since the token isn't modified in a baseband flash, this unlock survived a baseband downgrade or upgrade. Apple attempted to combat this by requiring AT+CLCK command to be sent every startup. In a officially unlocked iPhones, lockdownd does this. In a late version IPSF phone, signal.app does this.

== Cloning Officially Unlocked Phones ==
This has been suggested by many people, however it has been well investigated and virtually ruled out for these reasons:
# Replacing the [[Baseband Bootloader|baseband bootloader]] or [[Baseband Firmware|firmware]] of a locked phone with that of an officially unlocked phone does ''not'' unlock the phone, as the unlock information resides in a different flash area, known as the [[seczone]] and is unique to each phone.
# Cloning the [[seczone]] would duplicate [[wikipedia:International Mobile Equipment Identity|IMEIs]] which would be illegal in most places and would likely result in a ban of these.
# Phones with cloned [[seczone]]s would not even be unlocked by the [[NCK]]s of the phone they were cloned from as the [[CHIPID]] and [[NORID]] is concatenated with the [[NCK]] to produce the decryption key used on the RSA [[seczone]] token. The only way to make this work is to change the [[NORID]] and [[CHIPID]] which is not possible.

== External Links ==
*[http://caniunlock.com/ English Website from chpwn with overview of unlock status]
*[http://caniunlock.de/ Deutsche Website von pattyland mit einer Übersicht des Unlockstatus's]

FaceTime

2011-04-22T16:48:46Z

Grisolp: /* General */

== General ==

FaceTime is iChat AV for iPhone and iPod touch (latest generation only). Jobs presented an "alphabet soup" of technologies that were involved in making FaceTime work, many of which are shared with iChat AV, including:

* H.264 and AAC, its ISO/MPEG video and audio codecs (just like iChat).
* [https://wiki.tools.ietf.org/html/rfc3261 SIP (Session Initiation Protocol)], the open IETF signaling protocol for VoIP used by iChat AV.
* STUN (Session Traversal Utilities for NAT), an IETF standard for dealing with lots of different kinds of NAT.
* TURN (Traversal Using Relay NAT), an IETF standard for allowing a client behind NAT to receive incoming requests like a server.
* ICE (Interactive Connectivity Establishment) an IETF standard which helps set up connections through NAT firewalls.
* RTP (Real-time Transport Protocol), an iETF standard for delivering media streams in VoIP.
* SRTP (Secure RTP) an IETF standard designed to provide encryption, message authentication and integrity for the data streams.

FaceTime uses ports 53, 80, 443, 4080, 5223, and 16393-16472 (UDP).

A Mac Client for FaceTime is available on The Mac app store. More info can be found at http://www.apple.com/mac/facetime/

== FaceTime Activation / Registration ==

FaceTime is activated by sending a couple of SMS text messages in the background between the iPhone and an Apple server. If your carrier does not officially support the iPhone 4, you may be charged for sending the activation SMS to an international (UK) number. Your carrier might also have issues delivering the SMS correctly which will prevent FaceTime from activating.

After enabling FaceTime in iPhone settings, your iPhone will attempt to send a "silent text message" (i. e. a text you don't know about) to Apple, that registers your telephone number on Apple's servers used for FaceTime. Apple then returns a "silent coded text message" to your iPhone, that activates the FaceTime within iOS4.

After being activated, FaceTime will happily operate solely over WiFi. However, FaceTime activation currently requires the iPhone to be activated, have an active SIM card with the ability to send and receive SMSes. If there's an issue sending or receiving SMS messages, FaceTime can't be enabled or activated.

FaceTime will work successfully in Airplane Mode over WiFi, however it requires FaceTime to be activated, and a SIM card inserted in your device.

=== FaceTime Registration Request ===

The iPhone sends a Registration Request SMS silently to this UK number (as identified by the [http://en.wikipedia.org/wiki/%2B44_%28country_code%29 +44 country code]): +44 7786 205094. AT&T customers have their own local number for FaceTime activations: 28818773. In Bell and Telus carrier bundles, version 7.2 the number is: 49988.

The Activation Servers number (PhoneNumberRegistrationGatewayAddress) is set in carrier.plist in System/Library/Carrier Bundles/<Your carrier>.bundle (or Unknown.bundle):

<key>PhoneNumberRegistrationGatewayAddress</key>
<string>+447786205094</string>

You can change this to i. e. your own number and FaceTime will send the FaceTime Registration Request SMS to your own number.

Some carrier bundles (i.e. T-Mobile Germany Carrier Update 7.1) also contain the following key, which displays a warning that SMS charges might be applied when trying to activate FaceTime.
<key>RegistrationOptInRequired</key>
<true/>

Registration Request:
REG-REQ?v=2;t=char[64];i=char[40];r=char[8]

Registration Request Example:
REG-REQ?v=2;t=0C11F1ACF776391387797F5EEC1B87E9FC33DAD9 B86583270B8E8DDE78A7A23C;i=2CFA805D9A0D1D43CE57429 B4DA8E454B9AADB5D;r=5917c44d
It was noticed the last portion i= has different character for every FaceTime request.

The Request is saved on:

* /var/wireless/spool/MobileOriginated/s.sms.1073741825 (or another identifier)

FaceTime will continue to retry sending the activation SMS multiple times before failing. [http://discussions.apple.com/thread.jspa?threadID=2483442&start=15&tstart=150][http://modmyi.com/forums/t-mobile/722445-iphone-4-t-mobile-users-beware-international-text-charges-facetime.html#post5380385]

=== FaceTime Registration Response ===

If your carrier doesn't officially support silent SMS messages, you may see the FaceTime Registration Response messages displayed.

Registration Response:
<pre>
¿¿¿¿y¿¿REG-RESP?v=2;r=XXXXXXX;n=+XXXXXXXXX;s=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
</pre>

(X are numbers and codes received, it looks like a password and a hash code).

== Packet Capture - original from [http://fryguypa.wordpress.com/2010/06/25/iphone-4-and-facetime/ FryGuy's Blog] ==

* 1st iPhone IP Private – 192.168.0.128
* 1st iPhone IP NAT – 216.164.100.100
* 2nd iPhone IP Private 192.168.2.106
* 2nd iPhone IP NAT – 72.81.200.200

Note: NATs changed to protect the guilty

=== Packets ===
<pre>
No. Time Source Destination Protocol Info
1 0.000000 192.168.0.128 17.155.5.251 UDP Source port: 16402 Destination port: connected
2 0.431054 17.155.5.251 192.168.0.128 UDP Source port: connected Destination port: 16402
3 0.715713 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: connected
4 0.716064 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: 16385
5 0.717147 192.168.0.128 17.155.5.252 UDP Source port: 51136 Destination port: 16386
6 0.958285 17.155.5.252 192.168.0.128 UDP Source port: 16386 Destination port: 51136
7 0.960329 17.155.5.251 192.168.0.128 UDP Source port: 16385 Destination port: 51136
8 0.960588 17.155.5.251 192.168.0.128 UDP Source port: connected Destination port: 51136
9 1.016402 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
10 1.018172 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
11 1.019912 192.168.0.128 17.155.4.14 TCP 50697 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 TSV=469580285 TSER=0
12 1.020140 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
13 1.298294 17.155.4.14 192.168.0.128 TCP https > 50697 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1360 WS=4
14 1.318312 192.168.0.128 17.155.4.14 TCP 50697 > https [ACK] Seq=1 Ack=1 Win=131920 Len=0
15 1.321211 192.168.0.128 17.155.4.14 TLSv1 Client Hello
16 1.645657 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: connected
17 1.645978 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: 16385
18 1.646130 192.168.0.128 17.155.5.252 UDP Source port: 51136 Destination port: 16386
19 1.662234 192.168.0.128 208.59.216.10 TCP 50698 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 TSV=469580291 TSER=0
20 1.730834 17.155.4.14 192.168.0.128 TCP [TCP segment of a reassembled PDU]
21 1.731963 17.155.4.14 192.168.0.128 TLSv1 Server Hello, Certificate, Server Hello Done
22 1.808298 208.59.216.10 192.168.0.128 TCP http > 50698 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1380 TSV=941715237 TSER=469580291 WS=1
23 1.832208 192.168.0.128 17.155.4.14 TCP 50697 > https [ACK] Seq=160 Ack=1361 Win=130560 Len=0
24 1.834588 192.168.0.128 17.155.4.14 TCP 50697 > https [ACK] Seq=160 Ack=2490 Win=130788 Len=0
25 1.834954 192.168.0.128 208.59.216.10 TCP 50698 > http [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSV=469580293 TSER=941715237
26 1.836526 192.168.0.128 208.59.216.10 HTTP GET /WebObjects/VCInit.woa/wa/getBag?ix=1 HTTP/1.1
27 1.881018 17.155.5.252 192.168.0.128 UDP Source port: 16386 Destination port: 51136
28 1.882147 17.155.5.251 192.168.0.128 UDP Source port: connected Destination port: 51136
29 1.883124 17.155.5.251 192.168.0.128 UDP Source port: 16385 Destination port: 51136
30 1.884207 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
31 1.886053 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
32 1.886343 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
33 1.930729 192.168.0.128 17.155.4.14 TLSv1 Client Key Exchange
34 1.930835 192.168.0.128 17.155.4.14 TLSv1 Change Cipher Spec
35 1.931583 192.168.0.128 17.155.4.14 TLSv1 Encrypted Handshake Message
36 2.190008 208.59.216.10 192.168.0.128 TCP http > 50698 [ACK] Seq=1 Ack=229 Win=6432 Len=0 TSV=941715619 TSER=469580293
37 2.190313 208.59.216.10 192.168.0.128 TCP [TCP segment of a reassembled PDU]
38 2.191366 208.59.216.10 192.168.0.128 TCP [TCP segment of a reassembled PDU]
39 2.192312 208.59.216.10 192.168.0.128 HTTP/XML HTTP/1.1 200 OK
40 2.242678 192.168.0.128 208.59.216.10 TCP 50698 > http [ACK] Seq=229 Ack=2737 Win=128592 Len=0 TSV=469580297 TSER=941715619
41 2.243014 192.168.0.128 208.59.216.10 TCP 50698 > http [ACK] Seq=229 Ack=3506 Win=127820 Len=0 TSV=469580297 TSER=941715619
42 2.393275 17.155.4.14 192.168.0.128 TCP https > 50697 [ACK] Seq=2490 Ack=299 Win=35216 Len=0
43 2.393305 17.155.4.14 192.168.0.128 TCP https > 50697 [ACK] Seq=2490 Ack=305 Win=35216 Len=0
44 2.393351 17.155.4.14 192.168.0.128 TCP https > 50697 [ACK] Seq=2490 Ack=342 Win=35184 Len=0
45 2.394633 17.155.4.14 192.168.0.128 TLSv1 Change Cipher Spec, Encrypted Handshake Message
46 2.448112 192.168.0.128 17.155.4.14 TCP 50697 > https [ACK] Seq=342 Ack=2533 Win=131876 Len=0
47 2.449760 192.168.0.128 17.155.4.14 TLSv1 Application Data
48 2.450325 192.168.0.128 17.155.4.14 TLSv1 Application Data
49 2.511448 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: connected
50 2.512608 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: 16385
51 2.512776 192.168.0.128 17.155.5.252 UDP Source port: 51136 Destination port: 16386
52 2.905644 17.155.5.252 192.168.0.128 UDP Source port: 16386 Destination port: 51136
53 2.905690 17.155.4.14 192.168.0.128 TCP https > 50697 [ACK] Seq=2533 Ack=966 Win=34560 Len=0
54 2.905782 17.155.4.14 192.168.0.128 TCP https > 50697 [ACK] Seq=2533 Ack=1453 Win=34064 Len=0
55 2.906896 17.155.5.251 192.168.0.128 UDP Source port: 16385 Destination port: 51136
56 2.907536 17.155.5.251 192.168.0.128 UDP Source port: connected Destination port: 51136
57 2.923466 17.155.4.14 192.168.0.128 TLSv1 Application Data
58 2.923924 17.155.4.14 192.168.0.128 TLSv1 Application Data
59 3.060254 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
60 3.060422 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
61 3.062146 192.168.0.128 17.155.4.14 TCP 50697 > https [ACK] Seq=1453 Ack=2894 Win=131556 Len=0
62 3.062451 192.168.0.128 17.155.4.14 TCP 50697 > https [ACK] Seq=1453 Ack=3240 Win=131212 Len=0
63 3.062741 192.168.0.128 199.7.52.190 TCP 50699 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 TSV=469580305 TSER=0
64 3.063122 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
65 3.532458 199.7.52.190 192.168.0.128 TCP http > 50699 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1380
66 3.571122 192.168.0.128 199.7.52.190 TCP 50699 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
67 3.579117 192.168.0.128 199.7.52.190 HTTP GET /EVIntl2006.cer HTTP/1.1
68 3.690690 192.168.0.128 17.155.4.14 TLSv1 Encrypted Alert
69 3.692505 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: connected
70 3.696701 192.168.0.128 17.155.4.14 TCP 50697 > https [FIN, ACK] Seq=1476 Ack=3240 Win=131920 Len=0
71 3.697007 192.168.0.128 208.59.216.10 TCP 50698 > http [FIN, ACK] Seq=229 Ack=3506 Win=131328 Len=0 TSV=469580312 TSER=941715619
72 3.697388 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: 16385
73 3.697617 192.168.0.128 17.155.5.252 UDP Source port: 51136 Destination port: 16386
74 3.809626 199.7.52.190 192.168.0.128 TCP [TCP segment of a reassembled PDU]
75 3.810572 199.7.52.190 192.168.0.128 HTTP HTTP/1.0 200 OK (text/plain)
76 3.881720 192.168.0.128 199.7.52.190 TCP 50699 > http [ACK] Seq=154 Ack=1865 Win=65535 Len=0
77 3.890585 192.168.0.128 199.7.52.190 TCP 50699 > http [FIN, ACK] Seq=154 Ack=1865 Win=65535 Len=0
78 3.952258 208.59.216.10 192.168.0.128 TCP http > 50698 [FIN, ACK] Seq=3506 Ack=230 Win=6432 Len=0 TSV=941717381 TSER=469580312
79 3.954256 192.168.0.128 208.59.216.10 TCP 50698 > http [ACK] Seq=230 Ack=3507 Win=131328 Len=0 TSV=469580314 TSER=941717381
80 4.007781 17.155.4.14 192.168.0.128 TCP https > 50697 [ACK] Seq=3240 Ack=1476 Win=40928 Len=0
81 4.007965 17.155.4.14 192.168.0.128 TCP https > 50697 [FIN, ACK] Seq=3240 Ack=1477 Win=40928 Len=0
82 4.009155 17.155.5.251 192.168.0.128 UDP Source port: 16385 Destination port: 51136
83 4.009170 17.155.5.251 192.168.0.128 UDP Source port: connected Destination port: 51136
84 4.009948 192.168.0.128 17.155.4.14 TCP 50697 > https [FIN, ACK] Seq=1476 Ack=3240 Win=131920 Len=0
85 4.014495 192.168.0.128 17.155.4.14 TCP 50697 > https [ACK] Seq=1477 Ack=3241 Win=131920 Len=0
86 4.019866 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
87 4.023955 17.155.5.252 192.168.0.128 UDP Source port: 16386 Destination port: 51136
88 4.025984 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
89 4.034971 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
90 4.504292 199.7.52.190 192.168.0.128 TCP http > 50699 [ACK] Seq=1865 Ack=155 Win=8190 Len=0
91 4.671800 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: connected
92 4.672167 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: 16385
93 4.672411 192.168.0.128 17.155.5.252 UDP Source port: 51136 Destination port: 16386
94 5.139092 17.155.5.252 192.168.0.128 UDP Source port: 16386 Destination port: 51136
95 5.140068 17.155.5.251 192.168.0.128 UDP Source port: 16385 Destination port: 51136
96 5.140129 17.155.5.251 192.168.0.128 UDP Source port: connected Destination port: 51136
97 5.210011 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
98 5.215809 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
99 5.216068 192.168.0.128 216.164.100.100 UDP Source port: 51136 Destination port: 52585
100 5.715774 192.168.0.128 17.155.5.251 UDP Source port: 51136 Destination port: 16385
101 6.054578 17.155.5.251 192.168.0.128 UDP Source port: 16385 Destination port: 51136
102 8.258196 192.168.0.128 192.168.2.106 STUN2 Binding Request
103 8.286606 192.168.0.128 192.168.2.106 STUN2 Binding Request
104 8.303893 192.168.0.128 72.81.200.200 STUN2 Binding Request
105 8.313353 192.168.0.128 192.168.2.106 STUN2 Binding Request
106 8.313582 72.81.200.200 192.168.0.128 STUN2 Binding Request
107 8.316909 192.168.0.128 72.81.200.200 STUN2 Binding Success Response
108 8.333677 192.168.0.128 72.81.200.200 STUN2 Binding Request
109 8.344419 72.81.200.200 192.168.0.128 STUN2 Binding Request
110 8.350980 192.168.0.128 72.81.200.200 STUN2 Binding Success Response
111 8.360852 192.168.0.128 72.81.200.200 STUN2 Binding Request
112 8.374294 72.81.200.200 192.168.0.128 STUN2 Binding Request
113 8.376750 192.168.0.128 72.81.200.200 STUN2 Binding Success Response
114 8.467002 192.168.0.128 192.168.2.106 STUN2 Binding Request
115 8.496083 192.168.0.128 192.168.2.106 STUN2 Binding Request
116 8.528156 72.81.200.200 192.168.0.128 STUN2 Binding Request
117 8.530139 192.168.0.128 72.81.200.200 STUN2 Binding Request
118 8.530765 192.168.0.128 72.81.200.200 STUN2 Binding Success Response
119 8.553316 72.81.200.200 192.168.0.128 STUN2 Binding Request
120 8.555467 192.168.0.128 72.81.200.200 STUN2 Binding Request
121 8.556032 192.168.0.128 72.81.200.200 STUN2 Binding Success Response
122 8.626234 72.81.200.200 192.168.0.128 STUN2 Binding Success Response
123 8.629896 72.81.200.200 192.168.0.128 STUN2 Binding Success Response123
124 8.730361 192.168.0.128 72.81.200.200 SIP/SDP Request: INVITE sip:user@72.81.200.200:50925, with session description
125 8.748746 72.81.200.200 192.168.0.128 STUN2 Binding Success Response
126 8.771618 192.168.0.128 192.168.2.106 STUN2 Binding Request
127 8.797557 192.168.0.128 192.168.2.106 STUN2 Binding Request
128 8.925571 72.81.200.200 192.168.0.128 STUN2 Binding Success Response
129 8.927723 72.81.200.200 192.168.0.128 STUN2 Binding Success Response
130 9.232700 192.168.0.128 72.81.200.200 SIP/SDP Request: INVITE sip:user@72.81.200.200:50925, with session description
131 9.258562 192.168.0.128 192.168.2.106 STUN2 Binding Request
132 9.262926 72.81.200.200 192.168.0.128 SIP Status: 100 Trying
133 9.268831 72.81.200.200 192.168.0.128 SIP Status: 180 Ringing
134 9.296692 192.168.0.128 192.168.2.106 STUN2 Binding Request
135 9.320586 72.81.200.200 192.168.0.128 SIP/SDP Status: 200 OK, with session description
136 9.326857 192.168.0.128 72.81.200.200 SIP Request: ACK sip:user@72.81.200.200:50925
137 9.334699 192.168.0.128 72.81.200.200 SIP Request: MESSAGE sip:user@72.81.200.200:50925
138 9.688477 72.81.200.200 192.168.0.128 SIP/SDP Status: 200 OK, with session description
139 9.716567 192.168.0.128 72.81.200.200 SIP Request: ACK sip:user@72.81.200.200:50925
140 9.834542 192.168.0.128 72.81.200.200 SIP Request: MESSAGE sip:user@72.81.200.200:50925
141 10.216053 72.81.200.200 192.168.0.128 SIP Status: 200 OK
142 10.230152 192.168.0.128 72.81.200.200 SIP Request: MESSAGE sip:user@72.81.200.200:50925
143 10.442848 72.81.200.200 192.168.0.128 SIP Status: 200 OK
144 10.491689 72.81.200.200 192.168.0.128 SIP Status: 200 OK
145 10.727812 192.168.0.128 72.81.200.200 SIP Request: MESSAGE sip:user@72.81.200.200:50925
146 11.229984 192.168.0.128 72.81.200.200 SIP Request: MESSAGE sip:user@72.81.200.200:50925
147 11.318007 72.81.200.200 192.168.0.128 SIP Status: 200 OK
148 11.367565 192.168.0.128 72.81.200.200 SIP Request: MESSAGE sip:user@72.81.200.200:50925
149 11.618986 72.81.200.200 192.168.0.128 SIP Status: 200 OK
150 11.866691 192.168.0.128 72.81.200.200 SIP Request: MESSAGE sip:user@72.81.200.200:50925
151 11.998932 192.168.0.128 72.81.200.200 UDP Source port: 16402 Destination port: 50925
152 12.035444 72.81.200.200 192.168.0.128 SIP Status: 200 OK
153 12.063916 192.168.0.128 72.81.200.200 UDP Source port: 16402 Destination port: 50925
154 12.129174 192.168.0.128 72.81.200.200 UDP Source port: 16402 Destination port: 50925
155 12.180258 192.168.0.128 72.81.200.200 UDP Source port: 16402 Destination port: 50925
156 12.183416 192.168.0.128 72.81.200.200 UDP Source port: 16402 Destination port: 50925
157 12.187093 72.81.200.200 192.168.0.128 SIP Status: 200 OK
158 12.195043 192.168.0.128 72.81.200.200 UDP Source port: 16402 Destination port: 50925
159 12.200932 72.81.200.200 192.168.0.128 SIP Request: BYE sip:user@192.168.0.128:16402
160 12.206181 192.168.0.128 72.81.200.200 SIP Status: 200 OK
</pre>

=== Comments (by FryGuy) ===

==== Packets 1 – 10 ====
* The phones communicates to a server at Apple (17.155.5.251 is what I saw). Communication is sourced from port 16402 via UDP initially and then looks to dynamically allocate ports for communication (16385 and 16386 are what appeared on my end).

==== Packets 11 – 101 ====

* The phone then negotiates an HTTPS connection to the servers at Apple for the setup and communication. There also seems to be some communication to other servers (in this case i see RCN 208.59.216.10) – and they are my cable provider.

==== Packets 102 – 123 ====

* After Client (iPhone) and server negotiation you start to see Stun requests via the private IPs, after they fail you see them from the Public IP NAT ranges. They success via the Public peering at that point.

==== Packets 124 – 160 ====

* A SIP call is then initiated between the phones for the video portion of the call

== How does Apples (FaceTime) Server know the IP Address of the 2nd (to be called) iPhone ? ==

Easy, every iPhone registers itself at Apple whenever Wifi is available ("calls" Home).

Basic Process:

* iPhone senses Wifi Connection
* iPhone gets IP Adress i.e. via DHCP
* iPhone sends HTTP Request to www.apple.com/library/test/success.html
* iPhone receives HTTP Response (HTML Page containing "Success" in the Body part - without hyphens)
* iPhone knows it is connected to the Internet
* (iPhone gets iphone-wu.apple.com/7day/v2/latest/lto2.dat) - ''this request is unrelated to FaceTime. It's used by location services to enable quick GPS fix ("lto" stands for long-term orbit).''
* iPhone contacts init.ess.apple.com
* iPhone contacts EVIntl-aia.verisign.com/EVIntl2006.cer
* iPhone joins Apples "Jabber" Server 17.149.36.99
* Apple knows iPhones IP - this is used for FaceTime (and Push Notifications on iPod touchs)

== Additional Information ==

* Interesting Packet Trace & Discussion: http://blog.roychowdhury.org/2010/06/25/facetime-on-iphone-4-vanilla-unencrypted-stun-and-sip/
* Excellent Analysis: http://www.packetstan.com/
* Highly Rumorous: http://www.addictivetips.com/mobile/apple-gathering-facetime-information-ability-to-see-video-calls/

[[Category:Software]]

User talk:Geohot

2011-04-16T15:02:44Z

Grisolp:

{{lowercase|User talk:}}
== Future of this Wiki ==
[[User:geohot|geohot]] is the founder of this wiki. Now that he has retired (or whatever) I would be interested to know how this Wiki continues. I'm a little scared that he could just turn it off. Maybe we should make some backups now? Or can geohot or a close insider provide some infos about the future of this Wiki? If geohot needs someone to take over this project, I would be happy to do so (and probably many others also). It would be awful to see all our contributions fade away. A clear statement by any insider would help. Thanks. --[[User:Http|http]] 18:58, 13 July 2010 (UTC)
:I currently have no plans to shut down this wiki. Rest assured that if I do, I will make a backup available online. --[[User:Geohot|geohot]] 19:17, 13 July 2010 (UTC)
::Thanks for clarification. This helps a lot. --[[User:Http|http]] 22:39, 13 July 2010 (UTC)

::The Sony case made me think of this again, especially when this wiki was down for a few hours. Perhaps you could give a backup to some trusted friend or so on a monthly or weekly basis? I would be happy to take the backups if you have no idea whom to give them - you have my email. -- [[User:Http|http]] 11:35, 1 April 2011 (UTC)

::I do make offsite backups about once a week. There's a privacy issue with letting someone else have the data. Also, how is the spam still happening? Using accounts they already have? --[[User:Geohot|geohot]] 06:54, 16 April 2011 (UTC)
:::Privacy: Because of the user emails and passwords or something else? It can only be someone you really trust of course. Otherwise encrypted with a key you don't give out would be an alternative way. Weekly offsite backups are sufficient for now I think. Maybe I'll create a regular backup of the visible pages if that's not a problem for you. Spam: No, all new accounts. For the discussion see here: [[Spam#Captcha]]. -- [[User:Http|http]] 08:37, 16 April 2011 (UTC)

== Access to [http://iphonejtag.blogspot.com/ blog] archives ==
Will you post the information on your initial iPhone 2G unlock anywhere? This used to be on your blog (in the archives) and was quite fascinating... :( [[User:D235j|D235j]] 01:41, 14 July 2010 (UTC)

== Other ==
You made a rational decision leaving the jailbreak community. After all the crap you had to take from people I dont blame you. Im sorry for ever adding to the BS you deal with on a day-to-day basis. [[User:Leobruh|Leobruh]] 22:42, 13 July 2010 (UTC)!

== Blog ==
Hey mate, do you have any plans to make your blog public again? There was a lot of good information on there and it would be an official source of information and updates from you! Best! =) [[User:LiNK|LiNK]] 19:01, 23 October 2010 (UTC)

Yeah, Please Open your Blog... Even if it doesnt have to do with jailbreaking or anything like that! I just want to know the real george hotz... [[User:xX-BLACK_OPS-Xx|LOLZ]] 9:53, 2 December 2010 (UTC)

== About GUIs ==
Hi. What do you think about GUIs in this wiki.There are some programs which calls another program like [[iDecrypt]](Calls VFDecrypt) [[iDecrypter]](Calls VFDecypt) [[WinDecrypt]](Calls VFDecrypt) [[Seas0npass]](Calls XPwn). Should these programs have a wiki page? Isnt it considered as advertising their program using this wiki? --[[User:Whiteshinyapple|Whiteshinyapple]] 02:07, 30 January 2011 (UTC)
:Mine ([[User:balloonhead66/iDecryptIt|iDecryptIt]]) calls VFDecrypt '''''and''''' {{wp|7-Zip}} --[[User:Balloonhead66|Balloonhead66]] 02:16, 30 January 2011 (UTC)
::Why are we discussing this on geohot's page? --[[User:Gamer765|Gamer765]] 04:24, 30 January 2011 (UTC)
:::The intial message was directed at geohot, inquiring about his thoughts on GUI apps on this wiki. He doesn't make his presence here known that often, though. --[[User:Dialexio|Dialexio]] 04:46, 30 January 2011 (UTC)
::::The Sysops here do such a good job I rarely have to step in. With regards to the GUI issue, it's not the most useful content on the wiki, but the idea of "advertising" a free program kind of seems like something not worth deleting over. Hard drive space is quite cheap. But then again, I'm not a dictator and perhaps this should be discussed somewhere besides my user page :P --[[User:Geohot|geohot]] 04:56, 30 January 2011 (UTC)

== Rap Video ==

Love the rap video! It could be the start of a whole new career! Plans to do another? [[User:Acheron|acheron]] 17:17, 18 February 2011 (UTC)

Talk:0x24000 Segment Overflow

2011-04-09T21:51:11Z

Grisolp:

I have questions.
What is the LR?
How do we write to the NOR?

LR is the link register. it usually contains a pointer to where the current routine is to return to.
NOR is written by putting the device into dfu mode and writing to the nor0 block device using a tools like iRecovery
--[[User:Posixninja|posixninja]] 17:58, 12 March 2009 (UTC)

I rewrote the article as one geared more toward the technical/security community than hobbyists trying to manually perform the patch. My hope is that it will be more useful in this form for the linux4nano community, who are trying to jailbreak the iPod Nano 4G, which apparently uses the same SoC. --[[User:Planetbeing|Planetbeing]] 07:46, 13 March 2009 (UTC)

Nice work guys. Did you use a debugger of some sort? this would be difficult without a debugger. Here's how I understand it, so we overwrite pointers pointing to where and what data is written. By writing to the stack, we can overwrite the subroutine's return address(LR). The subroutine will now return to the payload. Is this correct?--[[User:Paul0|paulzero]] 11:23, 13 March 2009 (UTC)

'''Answer to Paul0 :'''
Hi Paul0. No debugger at all. Only hundreds of tests to find the LR in the stack :) [thx to posixninja for the tests, planetbeing for the analysis of the tests]. --[[User:Pod2g|Pod2g]]

== Patch for iTunes restore ==

When planetbeing says "However, MuscleNerd discovered that this could be bypassed by including the padding in another tag, such as CERT" in order to allow a restore with iTunes, is this patch included in http://iphwn.org/24kpwn.zip? In other words, if I made a virgin ipt2g, made a 2.2.1 IPSW with the bundles that are out there, and then applied the LLB patch would I be able to successfully restore the IPSW using iTunes?

Answer: Sort of... From a virgin device, you'd have to do two separate set of "Restores". The first will be made from a normal iBoot environment with all signature checking enabled. You will be able to restore the pwned bootloaders (LLB, iBoot) onto the NOR. The second will be made from the pwned iBoot environment, installing the pwned kernel, Cydia, and other filesystem modifications. This is because initially the ramdisk and kernel of the Restore environment has to be loaded from the non-pwned environment, because that very ramdisk and kernel set will be writing the pwned NOR. Since the ramdisk and kernel are both signature checked, the asr binary on the ramdisk cannot be altered to patch out signature checking on the root filesystem image. Therefore, any root filesystem changes will have to be made on the second round. --[[User:Planetbeing|Planetbeing]] 02:22, 14 March 2009 (UTC)

Planetbeing: Thanks for the explanation, I think I understand it now. If I am correct, this exploit also hinges on the fact that the kernel does not sigcheck the stuff it writes to NOR, so it is just blindly writing images to NOR. --[[User:Cool name|Cool name]] 02:47, 14 March 2009 (UTC)

Nice exploit and documentation. It always amazes me to see the stuff they forgot. --[[User:Geohot|geohot]] 15:24, 14 March 2009 (UTC)

== iPod touch 3G and 24kpwn ==

Which units have 24kpwn? The ones that don't have an "MC" model number? --[[User:Dialexio|Dialexio]] 04:11, 13 October 2009 (UTC

== Downgrade 3GS (old bootrom) without [[SHSH]] through 24kpwn ==
So since this is a bootrom exploit, can I use it to downgrade iPhone 3GS without shsh? --[[User:Grisolp|Grisolp]] 21:51, 9 April 2011 (UTC)
Not true. The 3GS is suspeptible to the 24kpwn exploit. Only the new bootrom 3GS Isn't susceptible.

Talk:0x24000 Segment Overflow

2011-04-09T17:31:03Z

Grisolp:

I have questions.
What is the LR?
How do we write to the NOR?

LR is the link register. it usually contains a pointer to where the current routine is to return to.
NOR is written by putting the device into dfu mode and writing to the nor0 block device using a tools like iRecovery
--[[User:Posixninja|posixninja]] 17:58, 12 March 2009 (UTC)

I rewrote the article as one geared more toward the technical/security community than hobbyists trying to manually perform the patch. My hope is that it will be more useful in this form for the linux4nano community, who are trying to jailbreak the iPod Nano 4G, which apparently uses the same SoC. --[[User:Planetbeing|Planetbeing]] 07:46, 13 March 2009 (UTC)

Nice work guys. Did you use a debugger of some sort? this would be difficult without a debugger. Here's how I understand it, so we overwrite pointers pointing to where and what data is written. By writing to the stack, we can overwrite the subroutine's return address(LR). The subroutine will now return to the payload. Is this correct?--[[User:Paul0|paulzero]] 11:23, 13 March 2009 (UTC)

'''Answer to Paul0 :'''
Hi Paul0. No debugger at all. Only hundreds of tests to find the LR in the stack :) [thx to posixninja for the tests, planetbeing for the analysis of the tests]. --[[User:Pod2g|Pod2g]]

== Patch for iTunes restore ==

When planetbeing says "However, MuscleNerd discovered that this could be bypassed by including the padding in another tag, such as CERT" in order to allow a restore with iTunes, is this patch included in http://iphwn.org/24kpwn.zip? In other words, if I made a virgin ipt2g, made a 2.2.1 IPSW with the bundles that are out there, and then applied the LLB patch would I be able to successfully restore the IPSW using iTunes?

Answer: Sort of... From a virgin device, you'd have to do two separate set of "Restores". The first will be made from a normal iBoot environment with all signature checking enabled. You will be able to restore the pwned bootloaders (LLB, iBoot) onto the NOR. The second will be made from the pwned iBoot environment, installing the pwned kernel, Cydia, and other filesystem modifications. This is because initially the ramdisk and kernel of the Restore environment has to be loaded from the non-pwned environment, because that very ramdisk and kernel set will be writing the pwned NOR. Since the ramdisk and kernel are both signature checked, the asr binary on the ramdisk cannot be altered to patch out signature checking on the root filesystem image. Therefore, any root filesystem changes will have to be made on the second round. --[[User:Planetbeing|Planetbeing]] 02:22, 14 March 2009 (UTC)

Planetbeing: Thanks for the explanation, I think I understand it now. If I am correct, this exploit also hinges on the fact that the kernel does not sigcheck the stuff it writes to NOR, so it is just blindly writing images to NOR. --[[User:Cool name|Cool name]] 02:47, 14 March 2009 (UTC)

Nice exploit and documentation. It always amazes me to see the stuff they forgot. --[[User:Geohot|geohot]] 15:24, 14 March 2009 (UTC)

== iPod touch 3G and 24kpwn ==

Which units have 24kpwn? The ones that don't have an "MC" model number? --[[User:Dialexio|Dialexio]] 04:11, 13 October 2009 (UTC

----
So since this is a bootrom exploit, can I use it to downgrade iPhone 3GS without shsh?

The iPhone Wiki:Spam

2011-04-09T03:38:25Z

Grisolp:

How do we combat this recent spamming of this wiki? I suggest a possible invite system or similar? --[[User:Srts|Srts]] 02:24, 9 November 2009 (UTC)
:I have already blocked account signup, they must have had this account for a while. --[[User:Geohot|geohot]] 02:29, 9 November 2009 (UTC)
::Well if they don't stop, we can't have account creation disabled forever, defeats the purpose of the wiki. People like him are sad. Great work to all the sysops et all. keeping disruption to a minimal :D --[[User:Srts|Srts]] 02:34, 9 November 2009 (UTC)
:::Yea thanks a lot guys for putting up with this. We'll give a bit of time, and if they continue, we'll figure something out. This kid keep trying to reset my password for hosting and the wiki. Too bad he doesn't have a life. --[[User:Geohot|geohot]] 03:10, 9 November 2009 (UTC)
:::An invite system might not be a bad idea actually [[User:ChronicDev|Will Strafach]] 03:16, 9 November 2009 (UTC)
::::feel free to post their IP addresses, lol --[[User:Posixninja|posixninja]] 04:08, 9 November 2009 (UTC)
::::Well, if you need an extra admin to block them (and delete spam pages), I volunteer. --[[User:Dranfi|Dranfi]]
:::::Congrats, you're an admin --[[User:Geohot|geohot]] 13:22, 9 November 2009 (UTC)

----

How many different IPs are we dealing with? Is it within a specific range? For the time being, it may be possible to blacklist an entire subnet if they are all coming from the same place. But if a botnet is doing this, may be more difficult. Is it possible for MediaWiki to require admin approval of an edit prior to it being commited? Not well versed with MediaWiki administration, just thossing out some ideas. --[[User:Tsuehpsyde|tsuehpsyde]] 17:29, 9 November 2009 (UTC)
:It is not within a specific range. On my wiki, people post almost the exact same stuff as IP's and I get from 64.*.*.* al the way to 96.*.*.* I think it is a botnet --[[User:Balloonhead66|Balloonhead66]] 23:13, 16 March 2011 (UTC)
:We could figure out where they come rom and do the same to them. Secondly, we could create a filter that unless your part of a specific group you cannot do more than this many edits in this amount of time. We could try making a period where the admins have to approve the users. Lastly, we could make it so that in the first 12 hours of a user account that user could not edit pages so it would give time for the sysops to ban the users. [[User:Revolution|Revolution]] 00:02, 10 November 2009 (UTC)
::That might not be a good idea as we could get ou butts sued. --[[User:Balloonhead66|Balloonhead66]]
:::Why don't we just do this apple-style and have a group of moderators approve of every comment, page edit or revision? I would love to be a part of such group.
::::The extension for mediawiki [[mediawikiwiki:Extension:FlaggedRevs|FlaggedRevs]] is 1.14 and above. This wiki is running 1.12 :( --[[User:Balloonhead66|Balloonhead66]] 23:13, 16 March 2011 (UTC)

----

If the ones you refer to as 'they' are the [http://code.google.com/p/pois0nhack pois0nhack] group then 'they' don't really seem to pose much of a threat in my opinion. I agree that for the time being we could impose some kind of 12/24 hr posting limitation (maybe no more than +-300 char changes?), but no more than that since this is, after all, a public wiki. Sorry if I'm intruding on some kind of admin/mod meeting, just figured I should have my say. --[[User:Rekoil|adriaaan]] 00:27, 10 November 2009 (UTC)
:I am in favor of a 12hr limit for new users, but since it's a public wiki, during this time, contributions would have to be approved by sysops. --Untagged
::Personally I think it would be good to have it so that all edits by new users a thrown into a moderation pool, then once a good amount of worthwhile contributions, that user can be "whitelisted".
::Maybe we could extend the Twitter-Service to display more information (i.e. "Main Page (-2,439) http://u.nu/5x2t3 " instead of "Main Page - http://u.nu/5x2t3"). That could allow fast detection (and reversal) of vandalism attempts because large edits by "unknown" would be easy to spot. May also add the username and/or the commit message, but then we'd have to check for anything Twitter might interpret or block. --[[User:CleanAir|CleanAir]] 13:58, 12 November 2009 (UTC)

----

Can we add a Captchure to the logon process? I don't think all these recent spam pages are done manually. --[[User:Http|http]] 06:29, 15 March 2011 (UTC)
:Good idea [[User:Http|http]], add a Captcha to the logon process and the sign up process for some time --[[User:Whiteshinyapple|Whiteshinyapple]] 09:53, 16 March 2011 (UTC).
:Uhm better idea [[User:Http|http]], add a Captcha when making new pages. Having to fill in a captcha at every login seems to be a pain in the ass :/ the only thing the spam is doing is making new pages, (at least as far as i see.) --[[User:IMaximusX|IMaximusX]]
::What I meant was for the registration process (new user), not for every login. Only [[User:Geohot|geohot]] could implement that. --[[User:Http|http]] 17:37, 16 March 2011 (UTC)
::[http://recaptcha.net Recaptcha] might work. I requires 1.8+, but only works on the sign in, edits with a new external link (anon only), and passwork cracking. --[[User:Balloonhead66|Balloonhead66]] 23:13, 16 March 2011 (UTC)
::[[User:http|http]] im pretty sure they already have accounts, :p --[[User:IMaximusX|IMaximusX]]

Does this wiki currently take advantage of IP banning capability or would that just be subverted anyways? --[[User:Iemit737|Iemit737]] 03:48, 6 April 2011 (UTC)
:The wiki does indeed employ IP banning. The spambots are getting around it, though. --[[User:Dialexio|Dialexio]] 04:13, 6 April 2011 (UTC)
::IP bans are largely useless anyways as -Most Internet users have dynamic IP's and they could simply use a proxy anyways (It's relatively easy to create a VPN once you know where the option is in your OS). They'll also probably block innocent users. --[[User:Ryccardo|Ryccardo]] 14:54, 6 April 2011 (UTC)

We have all these options but have any of them actually been implemented? Somebodys got to do something, The spam is getting out of control. --[[User:Grisolp|Grisolp]] 03:38, 9 April 2011 (UTC)

Talk:WildcardTicket

2011-04-08T20:34:13Z

Grisolp:

Theoretically, can't we just edit the .plist? and make it into the factory unlocked IMSI Mask? -- {{unsigned|Leobruh|5:32, 19 August 2010 (UTC)}}

:The activation plist is signed, so to do this you require a jailbreak anyway. --[[User:Lilstevie|Lilstevie]] 09:45, 20 August 2010 (UTC)- lilstevie

i realize that. but wouldnt this result in a permanent unlock? [[User:Leobruh|Leobruh]] 07:37, 19 August 2010 (UTC)!

I'm guessing the ticket is handled by the baseband, which requires an exploit to get unsigned code running in the first place? [[User:Iemit737|Iemit737]] 07:41, 19 August 2010 (UTC)

The wildcard ticket is also signed - simple edits break the signature and the ticket gets rejected then. rtfm cryptography 101. [[User:dogbert|dogbert]] 16:02, 19 August 2010 (UTC)

kay but unsigned code already runs when the phone is jailbroken and has access to the filesystem. wouldnt editing the .plist be okay since the sig checks arent needed. again this is all theoretical. im jw [[User:Leobruh|Leobruh]] 18:33, 19 August 2010 (UTC)!

The baseband processor checks the signature, not the application processor. [[User:dogbert|dogbert]] 18:36, 19 August 2010 (UTC)

ahh got ya! but would my theory work though through an exploit such as AT+XAPP? instead of a payload it just changes the .plist? [[User:Leobruh|Leobruh]] 00:15, 20 August 2010 (UTC)!

:you would still require the valid NCK for it to process the unlock in that method, the current way the payloads work for exploits in the baseband processor are adequate --[[User:Lilstevie|Lilstevie]] 09:44, 20 August 2010 (UTC)

:i thought NKC was only for the iPhone 2G? 0.o [[User:Leobruh|Leobruh]] 14:47, 21 August 2010 (UTC)!
::NCK or Network Code Key is on any cellular device that gets locked to a carrier --[[User:Lilstevie|Lilstevie]] 14:52, 19 September 2010 (UTC)

Is there are ability to decode WildcardTicket received from Apple to see NCK or lockstate table?
What about unlocked by request to carrier iPhones? Is it some differences in WildcardTicket? --[[User:Requilence|Requilence]] 13:17, 20 March 2011 (UTC)

:Decrypting is possible since the key is known. Changing the ticket is, however, not possible since it breaks the signatures. For carrier unlocked phones, Apple sends a new WildcardTicket without a lock table during sync.--[[User:Dogbert|Dogbert]] 16:43, 20 March 2011 (UTC)

::Tell me this, if the signature is broken, what happens to the phone? DFU, Recovery...? [[User:Leobruh|Leobruh]] 17:41, 20 March 2011 (UTC)!

:::The ticket is rejected and the baseband stays unactivated, e.g. locked.--[[User:Dogbert|Dogbert]] 22:20, 20 March 2011 (UTC)

:: Apple send it to iphone only on sync after activate? I try SAM on unlocked by request iphone, it's activate properly with right IMSI and IMEI, but seems like WildcardTicket doesn't have lock table accept any IMSI. How can i check this? --[[User:Requilence|Requilence]] 19:52, 20 March 2011 (UTC)

:::Just decrypt the activation ticket and check the tables. All the information is given in the wiki, you just have to piece it together on your own.--[[User:Dogbert|Dogbert]] 22:20, 20 March 2011 (UTC)

How do you decrypt it? And wait does apple send it on sync or on activation? For instance, if I had a locked iPhone at activation, and called my carrier to get it unlocked then sync it, would apple issue a new wildcardticket unlocking it without deactivating? Or tell me to restore and deactivate?
:The decryption is implicitly described on various pages of this wiki (TEA in CBC with a pre-salted key). When your iPhone becomes unlock, Apple will issue a new WildcardTicket during sync so a restore is unnecessary. --[[User:Dogbert|Dogbert]] 19:51, 28 March 2011 (UTC)
Not true. On rogers I got my phone unlocked, and I had to restore to be able to use the unlock.--[[User:Grisolp|Grisolp]] 20:34, 8 April 2011 (UTC)

Talk:Baseband TEA Keys

2011-04-07T20:15:46Z

Grisolp: New page: Where do I stick this code in?

Where do I stick this code in?

Talk:Baseband Commands

2011-04-05T22:26:23Z

Grisolp:

i bought an iphone from 2weeks with baseband 02.30.03 and bootlooder 6.2 and i need to unlock it to work with vodafone sim card need you'r help plz find me a sulution to unlock or downgrade my baseband so i can use yellowsn0w

I am having trouble figuring out how to run these commands on my iPhone 4. I mean minicom does not work. I saved and all but it wont let me see what command im typing and it says "offline" in the bottom.

Talk:Baseband Commands

2011-04-05T22:26:02Z

Grisolp:

i bought an iphone from 2weeks with baseband 02.30.03 and bootlooder 6.2 and i need to unlock it to work with vodafone sim card need you'r help plz find me a sulution to unlock or downgrade my baseband so i can use yellowsn0w

I am having trouble figuring out how to run these commands on my iPhone 4. I mean minicom does not work. i saves and all but it wont let me see what command im typing and it says "offline" in the bottom.

Talk:Baseband Commands

2011-04-05T22:25:11Z

Grisolp:

i bought an iphone from 2weeks with baseband 02.30.03 and bootlooder 6.2 and i need to unlock it to work with vodafone sim card need you'r help plz find me a sulution to unlock or downgrade my baseband so i can use yellowsn0w
I am having trouble figuring out how to run these commands on my iPhone 4. I meam minicom does not work. i saves and all but it wont let me see what command im typing and it says "offline" in the bottom.

User talk:Geohot

2011-04-01T12:10:06Z

Grisolp: /* Blog */

{{lowercase|User talk:}}
== Future of this Wiki ==
[[User:geohot|geohot]] is the founder of this wiki. Now that he has retired (or whatever) I would be interested to know how this Wiki continues. I'm a little scared that he could just turn it off. Maybe we should make some backups now? Or can geohot or a close insider provide some infos about the future of this Wiki? If geohot needs someone to take over this project, I would be happy to do so (and probably many others also). It would be awful to see all our contributions fade away. A clear statement by any insider would help. Thanks. --[[User:Http|http]] 18:58, 13 July 2010 (UTC)
:I currently have no plans to shut down this wiki. Rest assured that if I do, I will make a backup available online. --[[User:Geohot|geohot]] 19:17, 13 July 2010 (UTC)
::Thanks for clarification. This helps a lot. --[[User:Http|http]] 22:39, 13 July 2010 (UTC)

::The Sony case made me think of this again, especially when this wiki was down for a few hours. Perhaps you could give a backup to some trusted friend or so on a monthly or weekly basis? I would be happy to take the backups if you have no idea whom to give them - you have my email. -- [[User:Http|http]] 11:35, 1 April 2011 (UTC)

== Access to [http://iphonejtag.blogspot.com/ blog] archives ==
Will you post the information on your initial iPhone 2G unlock anywhere? This used to be on your blog (in the archives) and was quite fascinating... :( [[User:D235j|D235j]] 01:41, 14 July 2010 (UTC)

== Other ==
You made a rational decision leaving the jailbreak community. After all the crap you had to take from people I dont blame you. Im sorry for ever adding to the BS you deal with on a day-to-day basis. [[User:Leobruh|Leobruh]] 22:42, 13 July 2010 (UTC)!

== Blog ==
Hey mate, do you have any plans to make your blog public again? There was a lot of good information on there and it would be an official source of information and updates from you! Best! =) [[User:LiNK|LiNK]] 19:01, 23 October 2010 (UTC)

Yeah, Please Open your Blog... Even if it doesnt have to do with jailbreaking or anything like that! I just want to know the real george hotz... [[User:xX-BLACK_OPS-Xx|LOLZ]] 9:53, 2 December 2010 (UTC)

Geohot,
Is It possible that you could invite me to your blog?

== About GUIs ==
Hi. What do you think about GUIs in this wiki.There are some programs which calls another program like [[iDecrypt]](Calls VFDecrypt) [[iDecrypter]](Calls VFDecypt) [[WinDecrypt]](Calls VFDecrypt) [[Seas0npass]](Calls XPwn). Should these programs have a wiki page? Isnt it considered as advertising their program using this wiki? --[[User:Whiteshinyapple|Whiteshinyapple]] 02:07, 30 January 2011 (UTC)
:Mine ([[User:balloonhead66/iDecryptIt|iDecryptIt]]) calls VFDecrypt '''''and''''' {{wp|7-Zip}} --[[User:Balloonhead66|Balloonhead66]] 02:16, 30 January 2011 (UTC)
::Why are we discussing this on geohot's page? --[[User:Gamer765|Gamer765]] 04:24, 30 January 2011 (UTC)
:::The intial message was directed at geohot, inquiring about his thoughts on GUI apps on this wiki. He doesn't make his presence here known that often, though. --[[User:Dialexio|Dialexio]] 04:46, 30 January 2011 (UTC)
::::The Sysops here do such a good job I rarely have to step in. With regards to the GUI issue, it's not the most useful content on the wiki, but the idea of "advertising" a free program kind of seems like something not worth deleting over. Hard drive space is quite cheap. But then again, I'm not a dictator and perhaps this should be discussed somewhere besides my user page :P --[[User:Geohot|geohot]] 04:56, 30 January 2011 (UTC)

== Rap Video ==

Love the rap video! It could be the start of a whole new career! Plans to do another? [[User:Acheron|acheron]] 17:17, 18 February 2011 (UTC)

== [[Spam]] ==

The spam bots are taking overhand. We will continue to clean it manually, but I suggest to add a Captcha to the new user signup process. That should be sufficient. But you might need to update mediawiki. See [http://code.google.com/apis/recaptcha/docs/mediawiki.html]. -- [[User:Http|http]] 11:35, 1 April 2011 (UTC)

:I can help to clean up the mess as well since I'm from a different timezone (UTC+8). -- [[User:nannoid|nannoid]] 7:51, 1 April 2011 (UTC+8)

Talk:WildcardTicket

2011-03-30T21:12:45Z

Grisolp:

Theoretically, can't we just edit the .plist? and make it into the factory unlocked IMSI Mask? -- {{unsigned|Leobruh|5:32, 19 August 2010 (UTC)}}

:The activation plist is signed, so to do this you require a jailbreak anyway. --[[User:Lilstevie|Lilstevie]] 09:45, 20 August 2010 (UTC)- lilstevie

i realize that. but wouldnt this result in a permanent unlock? [[User:Leobruh|Leobruh]] 07:37, 19 August 2010 (UTC)!

I'm guessing the ticket is handled by the baseband, which requires an exploit to get unsigned code running in the first place? [[User:Iemit737|Iemit737]] 07:41, 19 August 2010 (UTC)

The wildcard ticket is also signed - simple edits break the signature and the ticket gets rejected then. rtfm cryptography 101. [[User:dogbert|dogbert]] 16:02, 19 August 2010 (UTC)

kay but unsigned code already runs when the phone is jailbroken and has access to the filesystem. wouldnt editing the .plist be okay since the sig checks arent needed. again this is all theoretical. im jw [[User:Leobruh|Leobruh]] 18:33, 19 August 2010 (UTC)!

The baseband processor checks the signature, not the application processor. [[User:dogbert|dogbert]] 18:36, 19 August 2010 (UTC)

ahh got ya! but would my theory work though through an exploit such as AT+XAPP? instead of a payload it just changes the .plist? [[User:Leobruh|Leobruh]] 00:15, 20 August 2010 (UTC)!

:you would still require the valid NCK for it to process the unlock in that method, the current way the payloads work for exploits in the baseband processor are adequate --[[User:Lilstevie|Lilstevie]] 09:44, 20 August 2010 (UTC)

:i thought NKC was only for the iPhone 2G? 0.o [[User:Leobruh|Leobruh]] 14:47, 21 August 2010 (UTC)!
::NCK or Network Code Key is on any cellular device that gets locked to a carrier --[[User:Lilstevie|Lilstevie]] 14:52, 19 September 2010 (UTC)

Is there are ability to decode WildcardTicket received from Apple to see NCK or lockstate table?
What about unlocked by request to carrier iPhones? Is it some differences in WildcardTicket? --[[User:Requilence|Requilence]] 13:17, 20 March 2011 (UTC)

:Decrypting is possible since the key is known. Changing the ticket is, however, not possible since it breaks the signatures. For carrier unlocked phones, Apple sends a new WildcardTicket without a lock table during sync.--[[User:Dogbert|Dogbert]] 16:43, 20 March 2011 (UTC)

::Tell me this, if the signature is broken, what happens to the phone? DFU, Recovery...? [[User:Leobruh|Leobruh]] 17:41, 20 March 2011 (UTC)!

:::The ticket is rejected and the baseband stays unactivated, e.g. locked.--[[User:Dogbert|Dogbert]] 22:20, 20 March 2011 (UTC)

:: Apple send it to iphone only on sync after activate? I try SAM on unlocked by request iphone, it's activate properly with right IMSI and IMEI, but seems like WildcardTicket doesn't have lock table accept any IMSI. How can i check this? --[[User:Requilence|Requilence]] 19:52, 20 March 2011 (UTC)

:::Just decrypt the activation ticket and check the tables. All the information is given in the wiki, you just have to piece it together on your own.--[[User:Dogbert|Dogbert]] 22:20, 20 March 2011 (UTC)

How do you decrypt it? And wait does apple send it on sync or on activation? For instance, if I had a locked iPhone at activation, and called my carrier to get it unlocked then sync it, would apple issue a new wildcardticket unlocking it without deactivating? Or tell me to restore and deactivate?
:The decryption is implicitly described on various pages of this wiki (TEA in CBC with a pre-salted key). When your iPhone becomes unlock, Apple will issue a new WildcardTicket during sync so a restore is unnecessary. --[[User:Dogbert|Dogbert]] 19:51, 28 March 2011 (UTC)

So in english, how do i go about decrypting it on a mac?

Talk:WildcardTicket

2011-03-28T01:57:58Z

Grisolp:

XMM6180

2011-03-21T19:41:20Z

Grisolp:

This is the baseband platform used in the iPhone 4 and iPad 2 and build by Infineon. It uses the X-Gold 618.

The firmware is based on [http://rtos.com/products/threadx/ ThreadX], a realtime OS.

Firmware files are signed for a specific device by Apple during the restore process. As a result, the baseband will allow downgrades provided that Apple is still signing the firmware.

==Main Features (according to [http://de.sitestat.com/infineon/infineon/s?infineon.Products.Mobile_Phone_Platforms.WCDMA___HSDPA.XMM__6180.PRODUCT_TYPE_DOCUMENTS.X-GOLD%20618.pdf&ns_type=pdf&ns_url=http://www.infineon.com/dgdl/X-GOLD+618.pdf?folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431ed1d7b2011f5bec418f75e6 Datasheet])==

===Modem===
* HSDPA/HSUPA 7.2Mbps/2.9Mbps (Apple confirmed upload was 5.8Mbps)
* WCDMA: 384kbps DL/UL
* EDGE up to MSC33 with SAIC
* Speech: NB-AMR, WB-AMR

===CPU===
* ARM1176 @ 416MHz

=== Memory===
* LPDDR1-SDRAM
* NOR & NAND Flash
* eSD/eMMC

=== Connectivity and Interfaces ===
* Digital RF interface V3.09
* High speed SIM card interface
* USB 2.0 HS
* 3 x USIF; 2xI2S; 2xI2C
* 3 x SD/MMC card interface
[[Category:Baseband]]

==Memory Map==
*0x40FE0000-0x41000000 -- Bootloader(0x2)
*0x40040000-0x40800000 -- Main Code(0x4)
*0x40800000-0x41000000 -- AENEAS(0x5)
*0x60000000-0x60200000 -- EBL(0x3)
*0x00080000-0x00A00000 -- PSI_RAM(0x1)
*0x40800000-0x40A00000 -- CDS(0x4)
Although the crash dump would seem to contradict this, code running from 0x60xxxxxx

==Flash Files in 01.59.00==
*psi_ram.fls
**RAM bootloader?
**0x80000 size 0xFF00
*psi_flash.fls
**Flash bootloader
**0x40FE0000 size 0x8000
*stack.fls(ICE3.fls)
**Main baseband code
**0x40040000 size 0x6F7E5C
**start vector @ 0x40040408
*ebl.fls
**Flashing loader??
**0x60000000 size 0xDFB0

== Known Firmware Versions ==
[[01.59.00]] 4.0 (Build 8A293), 4.0.1 (Build 8A306), and 4.0.2 (Build 8A400)
[[02.07.01]] 4.1 beta 1 (Build 8B5080c)
[[02.10.04]] 4.1 (Build 8B117)
[[03.08.00]] 4.2 beta 1 (Build 8C5091e)
[[03.09.00]] 4.2 beta 2 (Build 8C5101c)
[[03.10.01]] 4.2.1 (Build 8C148)
[[04.08.00]] 4.3 beta 1 (Build 8F5148b)
[[04.09.00]] 4.3 beta 2 (Build 8F5153d)
[[04.10.01]] 4.3 beta 3 (Build 8F5166b) and 4.3 (Builds 8F190 and 8F191)

SHSH

2011-03-17T01:13:45Z

Grisolp: /* Timeline */

0x80 byte RSA signature of a firmware image.

This often also refers to the backup file with the signature. This signature is needed to restore a specific firmware version. The signature is being created by Apple and is being generated based on some hardware keys of the device and the hash of the firmware. Using a [[wikipedia:replay attack|replay attack]], with the saved signature old firmware can be restored, although Apple doesn't issue the signatures anymore and therefore disallows installing older firmware. Therefore it is recommended to save the signature for your device as long as Apple issues it.

To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to [[Saurik]]'s server instead, if your certificate is there. If you have the file yourself, run [[TinyUmbrella]] on your local machine.

Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[n81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]]) (later 2010 model) and all newer devices. (Note that no versions of the [[iPod touch 2G]] requires SHSH blobs: even the 'MC' models). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the [[N72ap|iPod touch 2G]] and [[N82ap|iPhone 3G]]. Not only does [[DFU Mode]] require the [[iBSS]]/[[iBEC]] files to be signed with an SHSH that includes the device's [[ECID]], but the normal boot-chain requires the [[LLB]] to be fully signed with an [[ECID]]+SHSH, so a downgrade [[IPSW File Format|IPSW]] is not possible without a bootrom exploit of normal boot-chain (e.g. [[0x24000 Segment Overflow]]). See also the [http://blog.iphone-dev.org/post/833937433 Dev Team Blog post] about this.

With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the shsh signature file is stored on [[Cydia Server|Saurik's server]]. If it is stored there, then you can see in the top of [[Cydia Application|Cydia]] (on jailbroken devices) for which version a backup exists.

Users usually make the mistake that (even if they understand all this) they think the shsh firmware version they backup depends on the firmware version they have installed on their device. It does NOT depend on the device which signature you can save - it only depends on which version Apple signs. And that depends on the date. For example in April 2010 you could only backup the certificate for firmware 3.1.3, even if you have still 3.1.2 installed on you phone. Here's a timeline:

==Timeline==
{| class="wikitable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! width="50" | iOS
! width="480" | for Device(s)
! width="130" | From
! width="130" | Until
! width="130" | Status
|-
| <= 3.1.3
| [[M68ap|iPhone 2G]], [[N82ap|3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]]
| Unused
| Unused
| {{partial|Unused}}
|-
| 3.0
| [[N88ap|iPhone 3GS]]
| 19 June 2009
| 9 September 2009
| {{no|Closed}}
|-
| 3.0.1
| [[N88ap|iPhone 3GS]]
| 31 July 2009
| 9 September 2009
| {{no|Closed}}
|-
| 3.1
| [[N88ap|iPhone 3GS]]
| 9 September 2009
| 8 October 2009
| {{no|Closed}}
|-
| 3.1.1
| [[N18ap|iPod touch 3G]]
| 9 September 2009
| 8 October 2009
| {{no|Closed}}
|-
| 3.1.2
| [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]]
| 8 October 2009
| 2 February 2010
| {{no|Closed}}
|-
| 3.1.3
| [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]]
| 2 February 2010
| 21 June 2010
| {{no|Closed}}
|-
| 3.2
| [[K48ap|iPad]]
| 3 April 2010
| 15 July 2010
| {{no|Closed}}
|-
| 3.2.1
| [[K48ap|iPad]]
| 15 July 2010
| 19 August 2010
| {{no|Closed}}
|-
| 3.2.2
| [[K48ap|iPad]]
| 11 August 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.0
| [[N72ap|iPod touch 2G]]
| 21 June 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.0
| [[N18ap|iPod touch 3G]]
| 21 June 2010
| 19 August 2010
| {{no|Closed}}
|-
| 4.0
| [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]]
| 21 June 2010
| 15 July 2010
| {{no|Closed}}
|-
| 4.0
| [[N90ap|iPhone 4]]
| 24 June 2010
| 15 July 2010
| {{no|Closed}}
|-
| 4.0.1
| [[N82ap|iPhone 3G]]
| 15 July 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.0.1
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]]
| 15 July 2010
| 19 August 2010
| {{no|Closed}}
|-
| 4.0.2
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 11 August 2010
| 18 September 2010
| {{no|Closed}}
|-
| 4.0.2
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]]
| 11 August 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.1
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 8 September 2010
| -
| {{yes|Open}}
|-
| 4.1
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 8 September 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.1
| [[K66ap|Apple TV 2G]]
| 29 September 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.2
| [[K66ap|Apple TV 2G]]
| 22 November 2010
| 14 December 2010
| {{no|Closed}}
|-
| 4.2.1
| [[K48ap|iPad]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 22 November 2010
| 11 March 2011
| {{No|Closed}}
|-
| 4.2.1
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 22 November 2010
| -
| {{yes|Open}}
|-
| 4.2.1
| [[K66ap|Apple TV 2G]]
| 14 December 2010
| 11 March 2011
| {{No|Closed}}
|-
| 4.2.5
| [[N92ap|iPhone 4 CDMA]]
| 11 January 2011
| closed before product release
| {{No|Closed}}
|-
| 4.2.6
| [[N92ap|iPhone 4 CDMA]]
| 1 February 2011
| -
| {{yes|Open}}
|-
| 4.3
| [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 9 March 2011
| -
| {{yes|Open}}
|}

==Protocol==
To request a SHSH blob from Apple, a simple [[wikipedia:Hypertext Transfer Protocol|HTTP]] request can be made. For a full description, please see the separate article [[SHSH Protocol]].

==Links and Tools==
* [[TinyUmbrella]] (Java needed)
* [http://www.saurik.com/id/12 Detailed background info from Saurik]

[[Category:Firmware Tags]]

The iPhone Wiki:Spam

2011-03-16T14:05:41Z

Grisolp:

How do we combat this recent spamming of this wiki? I suggest a possible invite system or similar? --[[User:Srts|Srts]] 02:24, 9 November 2009 (UTC)

I have already blocked account signup, they must have had this account for a while. --[[User:Geohot|geohot]] 02:29, 9 November 2009 (UTC)

Well if they don't stop, we can't have account creation disabled forever, defeats the purpose of the wiki. People like him are sad. Great work to all the sysops et all. keeping disruption to a minimal :D --[[User:Srts|Srts]] 02:34, 9 November 2009 (UTC)

Yea thanks a lot guys for putting up with this. We'll give a bit of time, and if they continue, we'll figure something out. This kid keep trying to reset my password for hosting and the wiki. Too bad he doesn't have a life. --[[User:Geohot|geohot]] 03:10, 9 November 2009 (UTC)

An invite system might not be a bad idea actually [[User:ChronicDev|Will Strafach]] 03:16, 9 November 2009 (UTC)

feel free to post their IP addresses, lol --[[User:Posixninja|posixninja]] 04:08, 9 November 2009 (UTC)

Well, if you need an extra admin to block them (and delete spam pages), I volunteer. --[[User:Dranfi|Dranfi]] Congrats, you're an admin --[[User:Geohot|geohot]] 13:22, 9 November 2009 (UTC)

How many different IPs are we dealing with? Is it within a specific range? For the time being, it may be possible to blacklist an entire subnet if they are all coming from the same place. But if a botnet is doing this, may be more difficult. Is it possible for MediaWiki to require admin approval of an edit prior to it being commited? Not well versed with MediaWiki administration, just thossing out some ideas. --[[User:Tsuehpsyde|tsuehpsyde]] 17:29, 9 November 2009 (UTC)

We could figure out where they come rom and do the same to them. Secondly, we could create a filter that unless your part of a specific group you cannot do more than this many edits in this amount of time. We could try making a period where the admins have to approve the users. Lastly, we could make it so that in the first 12 hours of a user account that user could not edit pages so it would give time for the sysops to ban the users. [[User:Revolution|Revolution]] 00:02, 10 November 2009 (UTC)

Why don't we just do this apple-style and have a group of moderators approve of every comment, page edit or revision?
I would love to be a part of such group.

If the ones you refer to as 'they' are the [http://code.google.com/p/pois0nhack pois0nhack] group then 'they' don't really seem to pose much of a threat in my opinion. I agree that for the time being we could impose some kind of 12/24 hr posting limitation (maybe no more than +-300 char changes?), but no more than that since this is, after all, a public wiki. Sorry if I'm intruding on some kind of admin/mod meeting, just figured I should have my say. --[[User:Rekoil|adriaaan]] 00:27, 10 November 2009 (UTC)

I am in favor of a 12hr limit for new users, but since it's a public wiki, during this time, contributions would have to be approved by sysops. --Untagged

Personally I think it would be good to have it so that all edits by new users a thrown into a moderation pool, then once a good amount of worthwhile contributions, that user can be "whitelisted".

Maybe we could extend the Twitter-Service to display more information (i.e. "Main Page (-2,439) http://u.nu/5x2t3 " instead of "Main Page - http://u.nu/5x2t3"). That could allow fast detection (and reversal) of vandalism attempts because large edits by "unknown" would be easy to spot. May also add the username and/or the commit message, but then we'd have to check for anything Twitter might interpret or block. --[[User:CleanAir|CleanAir]] 13:58, 12 November 2009 (UTC)

Can we add a Captchure to the logon process? I don't think all these recent spam pages are done manually. --[[User:Http|http]] 06:29, 15 March 2011 (UTC)

Good idea [[User:Http|http]], add a Captcha to the logon process and the sign up process for some time --[[User:Whiteshinyapple|Whiteshinyapple]] 09:53, 16 March 2011 (UTC).

SHSH

2011-03-12T16:43:29Z

Grisolp: /* Timeline */

0x80 byte RSA signature of a firmware image.

This often also refers to the backup file with the signature. This signature is needed to restore a specific firmware version. The signature is being created by Apple and is being generated based on some hardware keys of the device and the hash of the firmware. Using a [[wikipedia:replay attack|replay attack]], with the saved signature old firmware can be restored, although Apple doesn't issue the signatures anymore and therefore disallows installing older firmware. Therefore it is recommended to save the signature for your device as long as Apple issues it.

To downgrade the firmware, simply change your hosts file to map any request to an Apple server to point to [[Saurik]]'s server instead, if your certificate is there. If you have the file yourself, run [[TinyUmbrella]] on your local machine.

Not all devices have this check built in. Older devices allow installation of any correctly signed firmware, so no backup of the certificate is necessary. Devices that need Apple signatures are: [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[K48ap|iPad]], [[n81ap|iPod touch 4G]], [[K66ap|Apple TV 2G]]) (later 2010 model) and all newer devices. (Note that no versions of the [[iPod touch 2G]] requires SHSH blobs: even the 'MC' models). To restore to arbitrary versions of iOS 4.0, the SHSH is also needed for the [[N72ap|iPod touch 2G]] and [[N82ap|iPhone 3G]]. Not only does [[DFU Mode]] require the [[iBSS]]/[[iBEC]] files to be signed with an SHSH that includes the device's [[ECID]], but the normal boot-chain requires the [[LLB]] to be fully signed with an [[ECID]]+SHSH, so a downgrade [[IPSW File Format|IPSW]] is not possible without a bootrom exploit of normal boot-chain (e.g. [[0x24000 Segment Overflow]]). See also the [http://blog.iphone-dev.org/post/833937433 Dev Team Blog post] about this.

With the tools mentioned below it is possible to backup the signature. It is not necessary that the device is jailbroken to do the backup. Usually the shsh signature file is stored on [[Cydia Server|Saurik's server]]. If it is stored there, then you can see in the top of [[Cydia Application|Cydia]] (on jailbroken devices) for which version a backup exists.

Users usually make the mistake that (even if they understand all this) they think the shsh firmware version they backup depends on the firmware version they have installed on their device. It does NOT depend on the device which signature you can save - it only depends on which version Apple signs. And that depends on the date. For example in April 2010 you could only backup the certificate for firmware 3.1.3, even if you have still 3.1.2 installed on you phone. Here's a timeline:

==Timeline==
{| class="wikitable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
|-
! width="50" | iOS
! width="480" | for Device(s)
! width="130" | From
! width="130" | Until
! width="130" | Status
|-
| <= 3.1.3
| [[M68ap|iPhone 2G]], [[N82ap|3G]], [[N45ap|iPod touch 1G]], [[N72ap|iPod touch 2G]]
| Unused
| Unused
| {{partial|Unused}}
|-
| 3.0
| [[N88ap|iPhone 3GS]]
| 19 June 2009
| 9 September 2009
| {{no|Closed}}
|-
| 3.0.1
| [[N88ap|iPhone 3GS]]
| 31 July 2009
| 9 September 2009
| {{no|Closed}}
|-
| 3.1
| [[N88ap|iPhone 3GS]]
| 9 September 2009
| 8 October 2009
| {{no|Closed}}
|-
| 3.1.1
| [[N18ap|iPod touch 3G]]
| 9 September 2009
| 8 October 2009
| {{no|Closed}}
|-
| 3.1.2
| [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]]
| 8 October 2009
| 2 February 2010
| {{no|Closed}}
|-
| 3.1.3
| [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]]
| 2 February 2010
| 21 June 2010
| {{no|Closed}}
|-
| 3.2
| [[K48ap|iPad]]
| 3 April 2010
| 15 July 2010
| {{no|Closed}}
|-
| 3.2.1
| [[K48ap|iPad]]
| 15 July 2010
| 19 August 2010
| {{no|Closed}}
|-
| 3.2.2
| [[K48ap|iPad]]
| 11 August 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.0
| [[N72ap|iPod touch 2G]]
| 21 June 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.0
| [[N18ap|iPod touch 3G]]
| 21 June 2010
| 19 August 2010
| {{no|Closed}}
|-
| 4.0
| [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]]
| 21 June 2010
| 15 July 2010
| {{no|Closed}}
|-
| 4.0
| [[N90ap|iPhone 4]]
| 24 June 2010
| 15 July 2010
| {{no|Closed}}
|-
| 4.0.1
| [[N82ap|iPhone 3G]]
| 15 July 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.0.1
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]]
| 15 July 2010
| 19 August 2010
| {{no|Closed}}
|-
| 4.0.2
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 11 August 2010
| 18 September 2010
| {{no|Closed}}
|-
| 4.0.2
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]]
| 11 August 2010
| 9 September 2010
| {{no|Closed}}
|-
| 4.1
| [[N82ap|iPhone 3G]], [[N72ap|iPod touch 2G]]
| 8 September 2010
| -
| {{yes|Open}}
|-
| 4.1
| [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 8 September 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.1
| [[K66ap|Apple TV 2G]]
| 29 September 2010
| 2 December 2010 (?)
| {{no|Closed}}
|-
| 4.2
| [[K66ap|Apple TV 2G]]
| 22 November 2010
| 14 December 2010
| {{no|Closed}}
|-
| 4.2.1
| [[K48ap|iPad]], [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N72ap|iPod touch 2G]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 22 November 2010
| 11 March 2011
| {{No|Closed}}
|-
| 4.2.1
| [[K66ap|Apple TV 2G]]
| 14 December 2010
| -
| {{yes|Open}}
|-
| 4.2.6
| [[N92ap|iPhone 4 CDMA]]
| 1 February 2011
| -
| {{yes|Open}}
|-
| 4.3
| [[K48ap|iPad]], [[iPad 2]], [[N88ap|iPhone 3GS]], [[N90ap|iPhone 4]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]]
| 9 March 2011
| -
| {{yes|Open}}
|}

==Protocol==
To request a SHSH blob from Apple, a simple [[wikipedia:Hypertext Transfer Protocol|HTTP]] request can be made. For a full description, please see the separate article [[SHSH Protocol]].

==Links and Tools==
* [[TinyUmbrella]] (Java needed)
* [http://www.saurik.com/id/12 Detailed background info from Saurik]

[[Category:Firmware Tags]]

List of iPhones

2011-03-08T02:46:57Z

Grisolp: /* Differences between iPhone Models */

{{DISPLAYTITLE:iPhone}}
There are many iterations of the iPhone.

== Differences between iPhone Models ==
{| class="wikitable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
! Phone
! [[M68ap|iPhone 2G]]
! [[N82ap|iPhone 3G]]
! [[N88ap|iPhone 3GS]]
! [[N90ap|iPhone 4 (GSM model)]]
! [[N92ap|iPhone 4 (CDMA model)]]
|-
! Image
| [[Image:iPhone1G.png|160px|frameless]]
| [[Image:iPhone3G.png|163px|frameless]]
| [[Image:iPhone3GS.png|163px|frameless]]
| [[Image:iPhone4.png|154px|frameless]]
| [[Image:iPhone 4 CDMA.png|156px|frameless]]
|-
! Case Material
| Aluminum
|colspan="2"| Plastic
|colspan="2"| Glass/Steel
|-
! Colors
| Aluminum
|colspan="2"| Black/White
|colspan="2"| Black
|-
! Dimensions
| 4.5x2.4x0.46 in.
|colspan="2"| 4.5x2.4x0.48 in.
|colspan="2"| 4.5x2.31x0.37 in.
|-
! Weight
| 4.8 oz
| 4.7 oz.
| 4.8 oz.
|colspan="2"| 4.8 oz.
|-
! Capacity (GB)
| 4/8/16
| 8/16
| 8/16/32
|colspan="2"| 16/32
|-
! CPU Speed (MHz)
| 412 (initially 400)
| 412
| 620
|colspan="2"| 1024
|-
! RAM (MB)
| 128
| 128
| 256
|colspan="2"| 512
|-
! Cellular Radio (<code>telephony-maximum-generation</code>)
| EDGE (2.5G)
|colspan="2"| HSDPA (3.5G)
| HSDPA + HSUPA (3.5G)
| CDMA EV-DO Rev. A (3G)
|-
! Rated Battery Life (Standby)(hrs.)
| ?
| ?
| 300
|colspan="2"| 300
|-
! Rated Battery Life (2G talk)(hrs.)
| ?
| ?
| 12
| 14
| N/A
|-
! Rated Battery Life (3G talk and data)(hrs.)
| N/A
| ?
| 5
|colspan="2"| 6 (data)
7 (talk)
|-
! Rated Battery Life (Wi-Fi data)(hrs.)
| ?
| ?
| 9
| 10
| 10
|-
! Rated Battery Life (Music playback)(hrs.)
| 24
| 24
| 30
|colspan="2"| 40
|-
! Rated Battery Life (Video playback)(hrs.)
| 7
| 7
| 10
|colspan="2"| 10
|-
! Internal Name
| iPhone1,1
| iPhone1,2
| iPhone2,1
| iPhone3,1
| iPhone3,3
|-
! Initial Firmware
|[[Heavenly 1A543a (iPhone)|1.0 (1A543a)]]
|[[Big Bear 5A345 (iPhone 3G)|2.0 (5A345)]]
|[[Kirkwood 7A341 (iPhone 3GS)|3.0 (7A341)]]
|[[Apex 8A293 (iPhone 4)|4.0 (8A293)]]
|[[Phoenix 8E200 (iPhone 4 CDMA)|4.2.6 (8E200)]]
|-
! Latest (publicly available) firmware
|[[SUNorthstarTwo 7E18 (iPhone)|3.1.3 (7E18)]]
|[[Jasper 8C148 (iPhone 3G)|4.2.1 (8C148)]]
|[[Jasper 8C148a (iPhone 3GS)|4.2.1 (8C148a)]]
|[[Jasper 8C148 (iPhone 4)|4.2.1 (8C148)]]
|[[Phoenix 8E200 (iPhone 4 CDMA)|4.2.6 (8E200)]]
|-
! Latest firmware
|[[SUNorthstarTwo 7E18 (iPhone)|3.1.3 (7E18)]]
|[[Jasper 8C148 (iPhone 3G)|4.2.1 (8C148)]]
|[[DurangoVail 8F5153d (iPhone 3GS)|4.3GM (8F153d)]]
|[[DurangoVail 8F5153d (iPhone 4)|4.3GM(8F153d)]]
|[[Phoenix 8E200 (iPhone 4 CDMA)|4.2.6 (8E200)]]
|-
! [[Bluetooth]] (<code>bluetooth</code>)
| [[BlueCore 4|2.0 EDR]]
| [[BlueCore 6|2.0 EDR]]
| [[BCM4325|2.1 EDR]]
|colspan="2"| [[BCM4329|2.1 EDR]]
|-
! Camera (MP) (<code>still-camera</code>)
| 2
| 2
| 3.2
|colspan="2"| 5
|-
! Video recording (<code>video-camera</code>)
| colspan="2" {{no}}
| colspan="3" {{yes}}
|-
! Auto-Focus (<code>auto-focus-camera</code>)
| colspan="2" {{no}}
| colspan="3" {{yes}}
|-
! LED Flash
| colspan="3" {{no}}
| colspan="2" {{yes}}
|-
! Voice Controls (<code>voice-control</code>)
| colspan="2" {{no}}
| colspan="3" {{yes}}
|-
! Nike+iPod (<code>victoria</code>)
| colspan="2" {{no}}
| colspan="3" {{yes}}
|-
! Hardware encryption (<code>encrypted-data-partition</code>)
| colspan="2" {{no}}
| colspan="3" {{yes}}
|-
! GPS (<code>gps</code>)
| colspan="1" {{no}}
| colspan="4" {{yes}}
|-
! [[Magnetometer|Digital Compass]] (<code>magnetometer</code>)
| colspan="2" {{no}}
| colspan="3" {{yes}}
|-
! Gyroscope
| colspan="3" {{no}}
| colspan="2" {{yes}}
|-
! Video Calls (<code>venice</code>)
| colspan="3" {{no}}
| colspan="2" {{yes}}
|}

XMM6180

2011-02-14T01:11:44Z

Grisolp: /* Modem */

This is the baseband platform used in the iPhone 4 and build by Infineon. It uses the X-Gold 618.

The firmware is based on [http://rtos.com/products/threadx/ ThreadX], a realtime OS.

Firmware files are signed for a specific device by Apple during the restore process. As a result, the baseband will allow downgrades provided that Apple is still signing the firmware.

==Main Features (according to [http://de.sitestat.com/infineon/infineon/s?infineon.Products.Mobile_Phone_Platforms.WCDMA___HSDPA.XMM__6180.PRODUCT_TYPE_DOCUMENTS.X-GOLD%20618.pdf&ns_type=pdf&ns_url=http://www.infineon.com/dgdl/X-GOLD+618.pdf?folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431ed1d7b2011f5bec418f75e6 Datasheet])==

===Modem===
* HSDPA/HSUPA 7.2Mbps/2.9Mbps (Apple confirmed upload was 5.8mbps)
* WCDMA: 384kbps DL/UL
* EDGE up to MSC33 with SAIC
* Speech: NB-AMR, WB-AMR

===CPU===
* ARM1176 @ 416MHz

=== Memory===
* LPDDR1-SDRAM
* NOR & NAND Flash
* eSD/eMMC

=== Connectivity and Interfaces ===
* Digital RF interface V3.09
* High speed SIM card interface
* USB 2.0 HS
* 3 x USIF; 2xI2S; 2xI2C
* 3 x SD/MMC card interface
[[Category:Baseband]]

==Memory Map==
*0x40FE0000-0x41000000 -- Bootloader(0x2)
*0x40040000-0x40800000 -- Main Code(0x4)
*0x40800000-0x41000000 -- AENEAS(0x5)
*0x60000000-0x60200000 -- EBL(0x3)
*0x00080000-0x00A00000 -- PSI_RAM(0x1)
*0x40800000-0x40A00000 -- CDS(0x4)
Although the crash dump would seem to contradict this, code running from 0x60xxxxxx

==Flash Files in 01.59.00==
*psi_ram.fls
**RAM bootloader?
**0x80000 size 0xFF00
*psi_flash.fls
**Flash bootloader
**0x40FE0000 size 0x8000
*stack.fls(ICE3.fls)
**Main baseband code
**0x40040000 size 0x6F7E5C
**start vector @ 0x40040408
*ebl.fls
**Flashing loader??
**0x60000000 size 0xDFB0

== Known Firmware Versions ==
[[1.59.00]] 4.0 (Build 8A293), 4.0.1 (Build 8A306), and 4.0.2 (Build 8A400)
[[2.07.01]] 4.1 beta 1 (Build 8B5080c)
[[2.10.04]] 4.1 (Build 8B117)
[[3.08.00]] 4.2 beta 1 (Build 8C5091e)
[[3.09.00]] 4.2 beta 2 (Build 8C5101c)
[[3.10.01]] 4.2.1 (Build 8C148)
[[4.08.00]] 4.3 beta 1 (Build 8F5148b)
[[4.09.00]] 4.3 beta 2 (Build 8F5153d)
[[4.10.01]] 4.3 beta 3 (Build 8F5166b)

XMM6180

2011-02-14T01:11:33Z

Grisolp: /* Modem */

This is the baseband platform used in the iPhone 4 and build by Infineon. It uses the X-Gold 618.

The firmware is based on [http://rtos.com/products/threadx/ ThreadX], a realtime OS.

Firmware files are signed for a specific device by Apple during the restore process. As a result, the baseband will allow downgrades provided that Apple is still signing the firmware.

==Main Features (according to [http://de.sitestat.com/infineon/infineon/s?infineon.Products.Mobile_Phone_Platforms.WCDMA___HSDPA.XMM__6180.PRODUCT_TYPE_DOCUMENTS.X-GOLD%20618.pdf&ns_type=pdf&ns_url=http://www.infineon.com/dgdl/X-GOLD+618.pdf?folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431ed1d7b2011f5bec418f75e6 Datasheet])==

===Modem===
* HSDPA/HSUPA 7.2Mbps/2.9Mbps (Apple confirmed upload was 5.8)
* WCDMA: 384kbps DL/UL
* EDGE up to MSC33 with SAIC
* Speech: NB-AMR, WB-AMR

===CPU===
* ARM1176 @ 416MHz

=== Memory===
* LPDDR1-SDRAM
* NOR & NAND Flash
* eSD/eMMC

=== Connectivity and Interfaces ===
* Digital RF interface V3.09
* High speed SIM card interface
* USB 2.0 HS
* 3 x USIF; 2xI2S; 2xI2C
* 3 x SD/MMC card interface
[[Category:Baseband]]

==Memory Map==
*0x40FE0000-0x41000000 -- Bootloader(0x2)
*0x40040000-0x40800000 -- Main Code(0x4)
*0x40800000-0x41000000 -- AENEAS(0x5)
*0x60000000-0x60200000 -- EBL(0x3)
*0x00080000-0x00A00000 -- PSI_RAM(0x1)
*0x40800000-0x40A00000 -- CDS(0x4)
Although the crash dump would seem to contradict this, code running from 0x60xxxxxx

==Flash Files in 01.59.00==
*psi_ram.fls
**RAM bootloader?
**0x80000 size 0xFF00
*psi_flash.fls
**Flash bootloader
**0x40FE0000 size 0x8000
*stack.fls(ICE3.fls)
**Main baseband code
**0x40040000 size 0x6F7E5C
**start vector @ 0x40040408
*ebl.fls
**Flashing loader??
**0x60000000 size 0xDFB0

== Known Firmware Versions ==
[[1.59.00]] 4.0 (Build 8A293), 4.0.1 (Build 8A306), and 4.0.2 (Build 8A400)
[[2.07.01]] 4.1 beta 1 (Build 8B5080c)
[[2.10.04]] 4.1 (Build 8B117)
[[3.08.00]] 4.2 beta 1 (Build 8C5091e)
[[3.09.00]] 4.2 beta 2 (Build 8C5101c)
[[3.10.01]] 4.2.1 (Build 8C148)
[[4.08.00]] 4.3 beta 1 (Build 8F5148b)
[[4.09.00]] 4.3 beta 2 (Build 8F5153d)
[[4.10.01]] 4.3 beta 3 (Build 8F5166b)