The iPhone Wiki - User contributions [en]

BBUpdaterExtreme

2012-04-13T07:59:23Z

JackR1: /* Commands */

This is the tool used by Apple to updateflash the Baseband of XGOLD basebands.
It also allow to do some more things like changing the IMEI SV or just powercycling damaged baseband.

The tool seems to make a connection to the device to flash the firmware, the eeprom and the bootloader.
The Device is the Emergency Bootloader of the iPhone which also is the only gate to flash the baseband.

There have been some tries to make custom fls / eep files ( which are needed to flash the baseband of the device ).
This method could bring back 06.15.00 devices back which are now damaged.

With this tool it is not possible to downgrade any baseband version.

==Commands==
*BBUpdaterExtreme help [unknown option] [?]
*BBUpdaterExtreme queryversion | prints the current status of baseband firmware
*BBUpdaterExtreme update -f ICE2_xx.xx.xx.fls -e ICE2_xx.xx.xx.eep | UPDATES ( not downgrades!!! ) Firmware version
*BBUpdaterExtreme imeisv [option] | changes the imeisv value
*BBUpdaterExtreme automatic -S -F [or -L for BL] | for automatic update (while firmware restores)
*BBUpdaterExtreme audioparameters [?]
*BBUpdaterExtreme ice3dump [?]
*BBUpdaterExtreme staticeep [?]

==Undocumented Commands==

Source: [http://forum.gsmhosting.com/vbb/8058886-post191.html]

update // performs manual update of Baseband
BBUpdaterExtreme update -f /mnt1/gecko/bin/ICE2_05.16.05.fls
^^attempts an upgrade of single .FLS (flash) file only
BBUpdaterExtreme update -e /usr/local/standalone/firmware/ICE2_05.16.05.fls
^^attempts an upgrade of single .EEP '(eeprom) file only
BBUpdaterExtreme update -l bl.fls
^^attempts an upgrade of single .FLS bootloader file only

automatic // performs automatic update of Baseband
BBUpdaterExtreme automatic -S -L /mnt1/bin -x
^^ this will update bootloader (if newer versions is available)
BBUpdaterExtreme automatic -S -F /mnt1/bin -x
^^ this will update both fls and EEP in specified folder (if newer version is available)

imeisv // Sets the IMEI software version bits
BBUpdaterExtreme imeisv -v 018

queryversion // prints current Baseband status (AT+XGENDATA)
BBUpdaterExtreme queryversion

audioparameters // sets baseband EEP audio parameters
BBUpdaterExtreme audioparameters -p /mnt1/bin/BasebandAudioParameters.c

powercycle // powercycles the modem
BBUpdaterExtreme powercycle -o 5

staticeepcheck // Checks the backup of a static eep
BBUpdaterExtreme staticeepcheck -F /mnt1/tmp

nukegnvram // Clears specific data from non volatile RAM
BBUpdaterExtreme nukegnvram

memtest // Performs a Memory test
BBUpdaterExtreme memtest

staticeep // Backs up static eep?
BBUpdaterExtreme staticeep -d backup.bin -f ICE2_05.16.05.eep -S < ??? change

help
supposed to show help, does nothing in recent versions

List of switches with args

-a ??
example: BBUpdaterExtreme update -e ICE2_05.16.05.eep -a 10

-b sets a specific boot code
example: BBUpdaterExtreme update -e ICE2_05.15.04.eep -S -b 4154 <X-GOLD

-i Version ID; customize flashing per device
example:
BBUpdaterExtreme queryversion -i K48 < iPad 1 (X-GOLD)
BBUpdaterExtreme queryversion -i 1 <iPhone 3G? (S-GOLD)
BBUpdaterExtreme queryversion -i 2 <iPhone 3GS? (X-GOLD)
BBUpdaterExtreme queryversion -i 3 <iPhone 4? (XMM)

on 3GS :
choosing 1 will give you "Opening device for pinging failed, did you forget to stop CommCenter?"
Choosing 2 will successfully boot and flash
Choosing 3 will hang on sending Boot code
Choosing K48 will successfully boot and flash

-f file / flash file / firmware
example: BBUpdaterExtreme update -f /mnt1/bin/ICE2_05.16.05.fls

-F Folder
example: BBUpdaterExtreme automatic -S -F /mnt1/bin -x

-v Version
example: BBUpdaterExtreme imeisv -v 018

-t test count? (iterations)
example: memtest -t 5

-L points to a folder for bootloader upgrade in automatic mode
example: BBUpdaterExtreme automatic -S -L /mnt1/bin

-p path? / parameters?
example: BBUpdaterExtreme audioparameters -p /mnt1/bin/params.c

Switches with no args

-! uses "old style" AT upgrade sequence (boot pattern 0x41, 0x54)
example: BBUpdaterExtreme update -f ICE2_05.16.05.fls -!

-# ??
example: BBUpdaterExtreme update -f ICE2_05.16.05.fls -#

-D Disable sleep (useful when flashing from userland)
example: BBUpdater queryversion -D

-P disables the initial AT+ XGENDATA ping/check sequence (baseband info will shown as 'unknown')
example: BBUpdaterExtreme queryversion -P

-S run without disabling sleep (useful in ramdisk)
example: BBUpdater queryversion -S

-l load/ bootloader

BBUpdaterExtreme

2012-04-13T07:58:18Z

JackR1: /* Compatible Chipsets */

This is the tool used by Apple to updateflash the Baseband of XGOLD basebands.
It also allow to do some more things like changing the IMEI SV or just powercycling damaged baseband.

The tool seems to make a connection to the device to flash the firmware, the eeprom and the bootloader.
The Device is the Emergency Bootloader of the iPhone which also is the only gate to flash the baseband.

There have been some tries to make custom fls / eep files ( which are needed to flash the baseband of the device ).
This method could bring back 06.15.00 devices back which are now damaged.

With this tool it is not possible to downgrade any baseband version.

==Commands==
*BBUpdaterExtreme help [unknown option] [?]
*BBUpdaterExtreme queryversion | prints the current status of baseband firmware
*BBUpdaterExtreme update -f ICE2_xx.xx.xx.fls -e ICE2_xx.xx.xx.eep | UPDATES ( not downgrades!!! ) Firmware version
*BBUpdaterExtreme imeisv [option] | changes the imeisv value
*BBUpdaterExtreme automatic -S -F [or -L for BL] | for automatic update (while firmware restores)
*BBUpdaterExtreme audioparameters [?]
*BBUpdaterExtreme ice3dump [?]
*BBUpdaterExtreme staticeep [?]

Source: [http://forum.gsmhosting.com/vbb/8058886-post191.html]

update // performs manual update of Baseband
BBUpdaterExtreme update -f /mnt1/gecko/bin/ICE2_05.16.05.fls
^^attempts an upgrade of single .FLS (flash) file only
BBUpdaterExtreme update -e /usr/local/standalone/firmware/ICE2_05.16.05.fls
^^attempts an upgrade of single .EEP '(eeprom) file only
BBUpdaterExtreme update -l bl.fls
^^attempts an upgrade of single .FLS bootloader file only

automatic // performs automatic update of Baseband
BBUpdaterExtreme automatic -S -L /mnt1/bin -x
^^ this will update bootloader (if newer versions is available)
BBUpdaterExtreme automatic -S -F /mnt1/bin -x
^^ this will update both fls and EEP in specified folder (if newer version is available)

imeisv // Sets the IMEI software version bits
BBUpdaterExtreme imeisv -v 018

queryversion // prints current Baseband status (AT+XGENDATA)
BBUpdaterExtreme queryversion

audioparameters // sets baseband EEP audio parameters
BBUpdaterExtreme audioparameters -p /mnt1/bin/BasebandAudioParameters.c

powercycle // powercycles the modem
BBUpdaterExtreme powercycle -o 5

staticeepcheck // Checks the backup of a static eep
BBUpdaterExtreme staticeepcheck -F /mnt1/tmp

nukegnvram // Clears specific data from non volatile RAM
BBUpdaterExtreme nukegnvram

memtest // Performs a Memory test
BBUpdaterExtreme memtest

staticeep // Backs up static eep?
BBUpdaterExtreme staticeep -d backup.bin -f ICE2_05.16.05.eep -S < ??? change

help
supposed to show help, does nothing in recent versions

List of switches with args

-a ??
example: BBUpdaterExtreme update -e ICE2_05.16.05.eep -a 10

-b sets a specific boot code
example: BBUpdaterExtreme update -e ICE2_05.15.04.eep -S -b 4154 <X-GOLD

-i Version ID; customize flashing per device
example:
BBUpdaterExtreme queryversion -i K48 < iPad 1 (X-GOLD)
BBUpdaterExtreme queryversion -i 1 <iPhone 3G? (S-GOLD)
BBUpdaterExtreme queryversion -i 2 <iPhone 3GS? (X-GOLD)
BBUpdaterExtreme queryversion -i 3 <iPhone 4? (XMM)

on 3GS :
choosing 1 will give you "Opening device for pinging failed, did you forget to stop CommCenter?"
Choosing 2 will successfully boot and flash
Choosing 3 will hang on sending Boot code
Choosing K48 will successfully boot and flash

-f file / flash file / firmware
example: BBUpdaterExtreme update -f /mnt1/bin/ICE2_05.16.05.fls

-F Folder
example: BBUpdaterExtreme automatic -S -F /mnt1/bin -x

-v Version
example: BBUpdaterExtreme imeisv -v 018

-t test count? (iterations)
example: memtest -t 5

-L points to a folder for bootloader upgrade in automatic mode
example: BBUpdaterExtreme automatic -S -L /mnt1/bin

-p path? / parameters?
example: BBUpdaterExtreme audioparameters -p /mnt1/bin/params.c

Switches with no args

-! uses "old style" AT upgrade sequence (boot pattern 0x41, 0x54)
example: BBUpdaterExtreme update -f ICE2_05.16.05.fls -!

-# ??
example: BBUpdaterExtreme update -f ICE2_05.16.05.fls -#

-D Disable sleep (useful when flashing from userland)
example: BBUpdater queryversion -D

-P disables the initial AT+ XGENDATA ping/check sequence (baseband info will shown as 'unknown')
example: BBUpdaterExtreme queryversion -P

-S run without disabling sleep (useful in ramdisk)
example: BBUpdater queryversion -S

-l load/ bootloader

IDA Pro Setup

2012-02-10T09:18:33Z

JackR1:

==How to set up IDA pro to reverse the 3G baseband==

The [[X-Gold 608]] has a memory map, as seen in it's page.

The [[Secpack 2.0]] takes up the first 0xCF8 of the .fls file.

So to load the 3G .fls file into IDA pro, the file offset is 0xCF8(for the secpack), and the CODE starts at the ROM start address of 0x20040000(since it's the main firmware)

For real noobs:
1. Drag the fls file into IDA
2. Select ARM
3. Change ROM start address to 0x20040000
4. Change Loading address to 0x20040000
5. Change File offset to 0xCF8
6. Copy Loading size into ROM size
7. Press OK
8. The entry point is the address at 0x20040408
9. Go to 20100004 and Press "C" to start. ~Deco
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco

Here are some key combinations to use:
* c = turn the 'gibberish' into code
* d = turn the 'gibberish' into data
* a = turn the 'gibberish' into a string
* u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
* Alt+G = toggle the Register T from 0 / 1 to toggle arm and thumb mode when needed

== some hints for getting the mnemonics from n00b for noobs (read: master noob for noobs ;-) )==

The autoanalysis didn't work very well. There were a lot of silly mnemonics, simply interleaving thumb and arm mode or other nasty stuff. I then tried to identify strings, pressing 'A'. Boring... What pushed it up a little bit is this:

Most code is 'embraced' by 'embracing' code:
- push / pop for thumb mod
- STMFD / LDMFD for arm mode

Even better, all versions of above codes have similar instruction sets. So you can find all occurences of STMFD by hex searching '2D E9', going two bytes back (did I say code is aligned? 4bytes in arm starting at 00 04 08 0c, 2bytes in thumb mode!) and pressing 'C'. If you see scrambled code, then (probably) the wrong mode (thumb) is enabled. Just press Alt-G, change the value for T to zero. See?!
The same goes for thumb mode. Push instructions are 'B5' preceeded by 02 0B 4E 72 30 10 F0 70 F3 7C 55 1F 30 3E 0E 1C 08 7F ... So just look for e.g. '10 B5' at two-byte boarders (Alt-B to set, Ctrl-B to search again) and you will easily find all occurences. Again, if it is scrambled, switch back to thumb mode (Alt-G, T=1).
After all, you can hex browse a little bit and press 'C' for missing code or 'A' for text.

Above is a very simple 'algorithm', maybe there is an appropiate IDA plugin. Or you could write one :-) !

[http://code.assembla.com/ks360/subversion/nodes/utils/Analyze.py Script] with [http://d-dome.net/idapython/ IDAPython]

== IDA Pro Signature Files ==

Link to download signature files that can be used in reversing the iPhone baseband.

They are mostly Real View runtime library sigs:

RVCT RTL 2.2
RVCT RTL 3.1
RVCT RTL 4.4

ThreadX sig for iPhone 4 - however this only picks up a couple of functions, not sure how Apple compiled threadx, with which compiler, optimizations.

On an iPhone 4 firmware can pickup upto 800 functions when all the sigs applied.

[http://www.mediafire.com/?kz4dlcnzfwixkkv Sigs]

==Addresses of known functions / code locations==
===Baseband 02.28.00===
* 0x201497B0 - maybe AT Command handler? (uses strings such as "OK", "ERROR", "UNKNOWN COMMAND")
* 0x203C51BC - probably prints text
* 0x201420AC - malloc (according to Darkmen)
* 0x203C58A0 - bytecpy (according to Darkmen)
* 0x203FB540 - NU_Create_Task (according to Darkmen)
* 0x2046DD00 - sprintf (according to Darkmen)
* 0x20165998 - NU_Receive_From_Mailbox (according to Darkmen)
* 0x203ED568 - NU_Send_To_Mailbox (according to Darkmen)

===Baseband 5.12.01 3.1.3 (Build 7E18)===
* 0x203C2714 - IMEI routine
* 0x2062CF28 - default IMEI (0A 40 99 09 01 46 00 00)

List of baseband commands

2011-11-13T10:03:41Z

JackR1: /* AT+X... */

For instructions how to use these commands, please see [[Baseband Commands]].

List compiled by [[User:keps|keps]].

==Other==
*ASSIGN (Present in [[2.10.04]])
* AT
* AT@ (Present in [[2.10.04]])
* ATD
* AT&H (Show more baseband commands)
* AT&V (Display the profiles in the baseband)
* ATE (Present in [[2.10.04]])
* ATH (Present in [[2.10.04]])
* ATZ (Present in [[2.10.04]])

==AT+A... (present in [[2.10.04]])==
* AT+ATA
* AT+ATAC
* AT+ATAD
* AT+ATAE
* AT+ATAF
* AT+ATAH
* AT+ATAK
* AT+ATAS
* AT+ATAV
* AT+ATAW
* AT+ATAY
* AT+ATBQ
* AT+ATD
* AT+ATDL
* AT+ATDPBK
* AT+ATE
* AT+ATH
* AT+ATI
* AT+ATL
* AT+ATM
* AT+ATO
* AT+ATON
* AT+ATP
* AT+ATQ
* AT+ATSN
* AT+ATT
* AT+ATV
* AT+ATX
* AT+ATZ

==AT+B...==
* AT+BINP
* AT+BLDN
* AT+BRSF
* AT+BVRA

==AT+C...==
* AT+CACM
* AT+CAEMLPP
* AT+CALA
* AT+CALD
* AT+CALM
* AT+CAMM (present in [[2.10.04]])
* AT+CAOC
* AT+CBC
* AT+CBST
* AT+CCFC
* AT+CCID
* AT+CCLK
* AT+CCUG
* AT+CCWA
* AT+CCWE
* AT+CDIS (present in [[2.10.04]])
* AT+CEER
* AT+CFUN
* AT+CGACT
* AT+CGANS
* AT+CGATT
* AT+CGAUTO
* AT+CGCLASS
* AT+CGCMOD
* AT+CGDATA
* AT+CGDCONT
* AT+CGDSCONT
* AT+CGED
* AT+CGEQMIN
* AT+CGEQNEG
* AT+CGEQREQ
* AT+CGEREP
* AT+CGMI
* AT+CGMM
* AT+CGMR
* AT+CGPADDR
* AT+CGQMIN
* AT+CGQREQ
* AT+CGREG
* AT+CGSMS
* AT+CGSN
* AT+CGTFT
* AT+CHLD
* AT+CHUP
* AT+CIMI
* AT+CIND
* AT+CKPD (Present in [[2.10.04]])
* AT+CLAC (Show some baseband commands.)
* AT+CLAN (Present in [[5.12.01]])
* AT+CLCC
* AT+CLCK (Traditional unlock method.)
* AT+CLIP
* AT+CLIR
* AT+CLVL
* AT+CMDR (Present in [[2.10.04]])
* AT+CMDW (Present in [[2.10.04]])
* AT+CMEC
* AT+CMEE
* AT+CMER
* AT+CMGC
* AT+CMGD
* AT+CMGF (SMS operating mode.)
* AT+CMGL
* AT+CMGR
* AT+CMGS (Sends SMS message.)
* AT+CMGW
* AT+CMMS
* AT+CMOD
* AT+CMSS
* AT+CMUT
* AT+CMUX
* AT+CNAP
* AT+CNMA
* AT+CNMI
* AT+CNUM
* AT+COLP
* AT+COLR
* AT+COPN
* AT+COPS
* AT+CPAS
* AT+CPBF
* AT+CPBR
* AT+CPBS
* AT+CPBW
* AT+CPGR (Present in [[2.10.04]])
* AT+CPIN
* AT+CPLS
* AT+CPMS (Present in [[2.10.04]])
* AT+CPOL
* AT+CPUC
* AT+CPWAC (Present in [[2.10.04]])
* AT+CPWD
* AT+CPWROFF
* AT+CR
* AT+CRC
* AT+CREG
* AT+CRES
* AT+CRLP
* AT+CRSL
* AT+CRSM
* AT+CSAS
* AT+CSCA
* AT+CSCB
* AT+CSCC (Present in [[2.10.04]])
* AT+CSCS
* AT+CSDH
* AT+CSGT
* AT+CSIM
* AT+CSMP
* AT+CSMS
* AT+CSQ
* AT+CSSN
* AT+CSTA
* AT+CSVM
* AT+CTFR
* AT+CTZR
* AT+CTZU
* AT+CUSD
* AT+CUUS1 (Present in [[5.12.01]])
* AT+CXAR (Present in [[2.10.04]])
* AT+CXDR (Present in [[2.10.04]])
* AT+CXDW (Present in [[2.10.04]])
* AT+CXRR (Present in [[2.10.04]])

==AT+D... (Present in [[2.10.04]])==
* AT+DDLD
* AT+DDLE
* AT+DDLI
* AT+DDLL
* AT+DDLR
* AT+DDLS
* AT+DDLU
* AT+DDLW
* AT+DS

==AT+E... (Present in [[2.10.04]])==
* AT+ETBM

==AT+F...==
* AT+FAA
* AT+FAP
* AT+FBO
* AT+FBS
* AT+FBU
* AT+FCC
* AT+FCLASS
* AT+FCQ
* AT+FCR
* AT+FCS
* AT+FCT
* AT+FDR
* AT+FDT
* AT+FEA
* AT+FFC
* AT+FFD
* AT+FHS
* AT+FIE
* AT+FIP
* AT+FIS
* AT+FIT
* AT+FKS
* AT+FLI
* AT+FLO
* AT+FLP
* AT+FMR (Present in [[5.12.01]])
* AT+FMS
* AT+FND
* AT+FNR
* [[AT+FNS]]
** (exploitable crash in [[4.26.08]])
* AT+FPA
* AT+FPI
* AT+FPP
* AT+FPS
* AT+FPW
* AT+FRQ
* AT+FRY
* AT+FSA
* AT+FSP

==AT+G...==
* AT+GCAP
* AT+GMI
* AT+GMM
* AT+GMR
* AT+GSN

==AT+I...==
* AT+ICF
* AT+IFC
* AT+IPR

==AT+L... (Present in [[2.10.04]])==
* AT+LAST_CMD
* AT+LEGACY

==AT+N...==
* AT+NREC

==AT+P... (Present in [[2.10.04]])==
* AT+PDU_INFO

==AT+S...==
* AT+SBEG (Present in [[2.10.04]])
* AT+SMSSRESUL (Present in [[5.12.01]])
* AT+STKENV
* AT+STKLBR
* AT+STKPRO
* [[AT+stkprof|AT+STKPROF]]
** (exploitable crash in [[2.28.00]])
* AT+STKTR

==AT+T...==
* AT+TRACE

==AT+U... (Present in [[2.10.04]])==
* AT+UNKNOWN

==AT+V...==
* AT+VGM
* AT+VGR (Present in [[5.12.01]])
* AT+VGS
* AT+VGT (Present in [[5.12.01]])
* AT+VTD
* AT+VTS

==AT+W... (Present in [[5.12.01]])==
* AT+WS46

==AT+X...==
* AT+XADDTRACE
* AT+XALS
* AT+XALSBLOCK
* AT+XAPOXI
* [[AT+XAPP Vulnerability|AT+XAPP]]
** (exploitable crash in [[5.13.04]] with command "AT+XAPP="kepskepskepskepskepskepskepskeps")
* AT+XBANDSEL
* AT+XCALLREFUSE
* AT+XCALLSTAT
* AT+XCAOC
* AT+XCBS
* AT+XAT+CCBS
* AT+XCEER
* AT+XCELLINFO
* AT+XCFC
* AT+XCGCLASS
* AT+XCGEDPAGE (Present in [[5.12.01]])
* AT+XCHNSIM
* AT+XCIND
* AT+XCIPH
* AT+XCONFIG
* AT+XCOPS
* AT+XCRSM
* AT+XCSIM
* AT+XCSP
* AT+XCSPAGING
* AT+XCSSMS
* AT+XCTMDR
* AT+XCTMS
* AT+XDATACHANNEL (Present in [[5.12.01]])
* AT+XDEV
* AT+XDEVICE
* AT+XDIAG
* AT+XDNOABORT
* AT+XDNS
* AT+XDRV
* AT+XDTMF
* AT+XEMC (Present in [[5.12.01]])
* [[AT+XEMN Heap Overflow|AT+XEMN]] (Present in [[5.11.07]])
** (exploitable crash in [[5.11.07]] with lots of zeroes)
* AT+XEONS
* AT+XETFT
* AT+XFDOR (Present in [[5.12.01]])
* AT+XFDORT (Present in [[5.12.01]])
* AT+XGAUTH
* AT+XGCNTRD
* AT+XGCNTSET
* AT+XGENDATA (Displays some information about the baseband.)
* AT+XGENDATE (Present in [[02.10.04]])
* AT+XGPRSERRMAP (Present in [[5.12.01]])
* AT+XHANDSFREE
* AT+XHOMEZR
* AT+XHSDUPA (Present in [[5.12.01]])
* AT+XIA (Present in [[5.12.01]])
* AT+XIMS
* AT+XL1SET
* AT+XLCAPS
* AT+XLCK
* AT+XLGASSIST (Present in [[5.12.01]])
* AT+XLGCPL (Present in [[5.12.01]])
* AT+XLGEMSRS (Present in [[04.10.01]])
* AT+XLGINFO (Present in [[5.12.01]])
* AT+XLGLOGLEV (Present in [[5.12.01]])
* AT+XLGMODE (Present in [[5.12.01]])
* AT+XLGMOTIONTYPE (Present in [[5.12.01]])
* AT+XLGNAV (Present in [[5.12.01]])
* AT+XLGNMEA (Present in [[5.12.01]])
* AT+XLGNVRAM (Present in [[5.12.01]])
* AT+XLGPOS (Present in [[5.12.01]])
* AT+XLGSENSORDATA (Present in [[5.12.01]])
* AT+XLGTEST (Present in [[5.12.01]])
* AT+XLGTIME (Present in [[5.12.01]])
* AT+XLIN
* AT+XLOCK (Wildcard unlock. Present in [[5.12.01]])
* [[AT+XLOG Vulnerability|AT+XLOG]]
** (exploitable crash in [[4.26.08]] with command "AT+XLOG=1,"kepskepskepskepskepskepskepskepskepskepskepskeps")
* AT+XLOOPBACK
* AT+XLQOS
* AT+XLRMT
* AT+XLRSUPL (Present in [[5.12.01]])
* AT+XLRTA
* AT+XLRV
* AT+XLRWAP (Present in [[2.10.04]])
* AT+XLSR
* AT+XLSRSTOP (Present in [[5.12.01]])
* AT+XMAGETBLOCK
* AT+XMAGETKEY
* AT+XMER
* AT+XMSG
* AT+XMULTISLOT
* AT+XMUX
* AT+XNMI
* [[AT+XNONCE]] (Random string generated on bootup. Present in [[5.12.01]].)
* AT+XPIN
* AT+XPINCNT
* AT+XPOW
* AT+XPPP
* AT+XPROGRESS
* AT+XQNEG
* AT+XRAT
* AT+XREDIAL
* AT+XREG
* AT+XREL
* AT+XRFS
* AT+XRLCSET
* AT+XRRSET
* AT+XSCELLLOCK (Present in [[5.12.01]])
* AT+XSECSTATE
* AT+XSELFRXSTAT
* AT+XSERVICE
* AT+XSIMCHG
* AT+XSIMLG
* AT+XSIMLOOPBACK
* AT+XSIMSIMUL (Present in [[2.10.04]])
* AT+XSIMSTATE (Reports lock state.)
* AT+XSIMVALID
* AT+XSIO
* AT+XSLN
* AT+XSMS
* AT+XSTK
* AT+XSTRESSSIM
* AT+XSVM
* AT+XSYSERR (Present in [[5.12.01]])
* AT+XTDEV
* AT+XTERM (Present in [[5.12.01]])
* AT+XTESM
* AT+XTEST (Present in [[5.12.01]])
* AT+XTFILTER
* AT+XTHUMB
* AT+XTOS
* AT+XTRACECONFIG (Present in [[5.12.01]])
* AT+XTRACEIP
* AT+XTRACESYSTIME
* AT+XTRANSPORTMODE
* AT+XUBANDSEL (Present in [[5.12.01]])
* AT+XUICC (Present in [[5.12.01]])
* AT+XUSBFLASH
* AT+XVTS

[[Category:Baseband]]

AT+XNONCE

2011-10-08T03:49:27Z

JackR1:

The AT+NONCE command returns a random string that was generated at boot time. This string is used together with some other device specific identifiers as a base to let Apple generate a certificate, similar to [[SHSH]], to allow installation of [[Baseband Firmware|baseband firmware]]. The baseband checks the certificate and allows or denies installation of its firmware.

This string can be obtained by using the [[MobileDevice Library]] to call for AMDeviceCopyValue on "BasebandNonce".

===References / More infos===
*<del>[http://iphwn.org/nonce.txt example command]</del>

at+xnonce?
+XNONCE: "10552274670825F9892C22752D9509378F2154CA"

OK

*[[Talk:XMM_6180#Downgrade|discussion]]
*[[User:MuscleNerd|MuscleNerd]] says [http://twitter.com/MuscleNerd/status/18667056119 "baseband is stricter signed"].

{{stub|firmware}}

Talk:Baseband Commands

2011-09-23T13:44:12Z

JackR1: /* Working on the iPhone 4? */

i bought an iphone from 2weeks with baseband 02.30.03 and bootlooder 6.2 and i need to unlock it to work with vodafone sim card need you'r help plz find me a sulution to unlock or downgrade my baseband so i can use yellowsn0w {{unsigned|Na7la|15:57, April 16, 2009 (UTC)}}

I am having trouble figuring out how to run these commands on my iPhone 4. I mean minicom does not work. I saved and all but it wont let me see what command im typing and it says "offline" in the bottom. {{unsigned|Grisolp|22:25, April 5, 2011 (UTC)}}
:You have to remember, minicom hasn't been updated in a while. It's probably not going to work very well with iOS 4+, and pretty much any device after the iPhone 3G... also, sign your talk page comments :) --[[User:Rdqronos|rdqronos]] 06:22, 23 July 2011 (MDT)

== Working on the iPhone 4? ==

Well, I tried tty.debug, dlci.baseband.blablabla... amd it didn't seem to work very well. Are there new releases of minicom? Or the source of it? --[[User:XiiiX|XiiiX]] 17:09, 14 August 2011 (MDT)
:Minicom is an open source project: [http://alioth.debian.org/projects/minicom/] --pjakuszew 12:45, 15 August 2011 (MDT)
::The days of <code>tty.baseband</code> are gone (1.x?). <code>tty.debug</code> does not require CommCenter to be shut down, but you have to spam AT[enter] until you get a reply and then issue your command hoping the connection doesn't fail as CommCenter is using the BB pretty much all the time making you unable to connect. Also, the OFFLINE message is normal. --[[User:Ryccardo|Ryccardo]] 05:37, 16 August 2011 (MDT)
:Would shutting down CommCenter help though? Like honestly, if it's that much of an issue, I'll run the command to kill it... Also, if I did kill CC, would I have to spam AT or would one typing of AT do it? --[[User:Rdqronos|rdqronos]] 17:00, 16 August 2011 (MDT)
::According to my experience in 3.x, shutting down CommCenter ''barely'' helps yet it's pretty much a requirement. Remember that shutting it down remover Wi-Fi until a reboot, so you have to permanently disable it (<code>launchctl unload -w /System…</code>), reboot until you can't get signal as per the status bar + get the non-visual voicemail indicator (empty badge over Phone icon), try your luck then enable CCenter with <code>launchctl load -w /System…</code>. --[[User:Ryccardo|Ryccardo]] 16:50, 18 August 2011 (MDT)

One way around this is to install signal iphone app found in cydia:

"...Signal was designed for iOS 4, and contacts /dev/tty.debug in a iOS 4 compatible way, it does this to receive baseband information, one of them being, the exact measurement in dBm. This opens the port to /dev/tty.debug..." (http://applehack23.blogspot.com/2010/09/smscl-on-iphone-4-and-ios-4.html#comments)

I can confirm this works.--[[User:JackR1|JackR1]] 07:44, 23 September 2011 (MDT)

Blacksn0w

2011-01-14T12:35:57Z

JackR1:

[[User:Geohot|Geohot]]'s runtime [[unlock]] for [[Baseband Firmware|baseband]] [[5.11.07]] (used by the [[N82ap|iPhone 3G]] & [[N88ap|3GS]]). blacksn0w exploits the [[AT+XEMN Heap Overflow]], and can be installed via [[blackra1n]] or its [[Cydia Application|Cydia]] repo (http://blackra1n.com/).

== Installing ==
blacksn0w can be installed by adding http://blackra1n.com/ as a [[Cydia Application|Cydia]] repository.

If the iPhone was jailbroken with [[blackra1n]], the blackra1n app can install blacksn0w. Run the blackra1n app on the [[SpringBoard]], and tap ra1n to update the app. Load blackra1n.app again and choose the 'sn0w' option to install. [[Commcenter]] will restart and you will have an unlocked iPhone 3G(S).

==Links==
* [http://iphone-commcenter-injection.googlecode.com/svn-history/trunk/ Source code - msftguy (Reversed blacksn0w dylib, refactored to support safe mode and work on multiple OS versions.)]

[[Category:Unlocking Methods]]
[[Category:Baseband]]

Blacksn0w

2011-01-14T12:32:12Z

JackR1:

[[User:Geohot|Geohot]]'s runtime [[unlock]] for [[Baseband Firmware|baseband]] [[5.11.07]] (used by the [[N82ap|iPhone 3G]] & [[N88ap|3GS]]). blacksn0w exploits the [[AT+XEMN Heap Overflow]], and can be installed via [[blackra1n]] or its [[Cydia Application|Cydia]] repo (http://blackra1n.com/).

== Installing ==
blacksn0w can be installed by adding http://blackra1n.com/ as a [[Cydia Application|Cydia]] repository.

If the iPhone was jailbroken with [[blackra1n]], the blackra1n app can install blacksn0w. Run the blackra1n app on the [[SpringBoard]], and tap ra1n to update the app. Load blackra1n.app again and choose the 'sn0w' option to install. [[Commcenter]] will restart and you will have an unlocked iPhone 3G(S).

==Links==
* [http://iphone-commcenter-injection.googlecode.com/svn-history/trunk/ Source code - msftguy]

[[Category:Unlocking Methods]]
[[Category:Baseband]]

Purplesn0w

2011-01-08T05:16:06Z

JackR1:

purplesn0w is [[User:geohot|geohot]]'s [[unlock]] which used the [[AT+XLOG Vulnerability]]. Its implementation of the vulnerability differs from [[ultrasn0w]]'s, and requires a legitimately [[Activation|activated]] [[iPhone]].

==How it works==
purplesn0w copies the page that needs patching to an unused region of memory. It gets patched in RAM. Using the MMU, the flash page is mapped out and the patched memory page is remapped in its place. No new iPhones are really [[unlock]]ed; [[activation]] creates a [[WildcardTicket|ticket]] allowing the baseband to be used with that SIM. The lockstate of the phone really lies on Apple's servers. Being unlocked means all SIMs are authorized, and being locked means only certain carriers' SIMs are authorized (for instance, AT&T). Fortunately, this ticket system provides an easy way to deliver the payload and re-execute the patched code all in one. And since the ticket is already delivered on baseband resets, there's no need to write another daemon to use the battery. Instead the daemon already designed for this, [[lockdownd]], is used. A patch to CommCenter gets it to run the payload on ticket delivery. And a patch to your activation record contains the payload.

==Installation notes==
* Be sure to have a legitimately activated iPhone.
* Disable 3G if you don't have it (like T-Mobile in the US).
* Watch for success output in Cydia (actually do this step)
* Wait for signal, and enjoy your unlocked iPhone (no reboot required)

==purplesn0w RC2 payload with comments==
<pre>
ROM:00000000 LDR R4, =0x201436C8 ; /* copy the page*/
ROM:00000004 MOV R0, #0x40000000
ROM:00000008 LDR R1, =0x203C1000
ROM:0000000C MOV R2, #0x1000
ROM:00000010 BLX R4
ROM:00000014 LDR R5, =0x4000082C ; /*at 4000083C or 203C183C
ROM:00000014 ; put the code to branch to 0x404F0980*/
ROM:00000018 ADD R0, R5, #0x10
ROM:0000001C ADR R1, loc_D4
ROM:00000020 MOV R2, #0xC
ROM:00000024 BLX R4
ROM:00000028 MOV R7, #0 ; /* interrupt disable */
ROM:0000002C MRS R0, CPSR
ROM:00000030 ORR R0, R0, #0xC0
ROM:00000034 MSR CPSR_c, R0
ROM:00000038 MRC p15, 0, R6,c1,c0 ; /* MMU disable */
ROM:0000003C BIC R0, R6, #0xFF
ROM:00000040 MCR p15, 0, R0,c1,c0
ROM:00000044 NOP
ROM:00000048 NOP
ROM:0000004C LDR R0, =0x2030055E
ROM:00000050 LDR R1, =0x40001000
ROM:00000054 ADD R2, R1, #0x400
ROM:00000058
ROM:00000058 loop ; CODE XREF: ROM:00000064�j
ROM:00000058 STR R0, [R1],#4 ; build a page table in memory
ROM:00000058 ; increments of 0x1000
ROM:00000058 ; from 0x2030055E to 0x2040055E
ROM:00000058 ;
ROM:00000058 ; put 0x2030055E in [0x40001000]
ROM:00000058 ; 0x40001000 + 0x4
ROM:00000058 ; 0x2030055E + 0x1000
ROM:00000058 ; cmp 0x40001004 to 0x40001400
ROM:00000058 ; ...
ROM:00000058 ;
ROM:00000058 ;
ROM:0000005C ADD R0, R0, #0x1000
ROM:00000060 CMP R1, R2
ROM:00000064 BNE loop
ROM:00000068 LDR R1, =0x4000055E ; put 0x4000055E in [0x40001400 - 0xFC]
ROM:00000068 ; where 203C155E put 4000055E
ROM:00000068 ; i.e point 0x203C1000 pagetable entry to ram 0x40000000
ROM:0000006C STR R1, [R2,#-0xFC]
ROM:00000070 LDR R0, =0x40001011 ; this section points the 0x203 mmu mapping to built page table
ROM:00000070 ; at 0x40001000.
ROM:00000070 ;
ROM:00000070 ; when this code runs again it returns the mapping the way it
ROM:00000070 ; was that i.e no trace left behind.
ROM:00000070 ;
ROM:00000070 ; put [0x800 + 0x8] + 0x100000 at [0x800 + 0xC]
ROM:00000070 ; if what was at [0x800 + 0xC] = 0x40001011 then break
ROM:00000070 ; else put 0x40001011 at [0x800 + 0xC]
ROM:00000074 MOV R1, #0x800
ROM:00000078 LDR R2, [R1,#0xC]
ROM:0000007C LDR R3, [R1,#8]
ROM:00000080 ADD R3, R3, #0x100000
ROM:00000084 STR R3, [R1,#0xC]
ROM:00000088 CMP R2, R0
ROM:0000008C BEQ break
ROM:00000090 STR R0, [R1,#0xC]
ROM:00000094
ROM:00000094 break ; CODE XREF: ROM:0000008C�j
ROM:00000094 MCR p15, 0, R7,c8,c7 ; /* invalidate TLB */
ROM:00000098 MCR p15, 0, R6,c1,c0 ; /* MMU enable */
ROM:0000009C MCR p15, 0, R7,c7,c5 ; /* flush ICache */
ROM:000000A0 NOP
ROM:000000A4 NOP
ROM:000000A8 NOP
ROM:000000AC MRS R0, CPSR ; /* interrupt enable */
ROM:000000B0 BIC R0, R0, #0xC0
ROM:000000B4 MSR CPSR_c, R0
ROM:000000B8 LDR R4, =0x20525359 ; /* go home */
ROM:000000BC LDR R1, =0x203C1830
ROM:000000C0 ADR R0, dword_D0
ROM:000000C4 STR R1, [R0]
ROM:000000C8 MOV R0, #0
ROM:000000CC BX R4
ROM:000000CC ; ---------------------------------------------------------------------------
ROM:000000D0 dword_D0 DCD 0x20525359 ; DATA XREF: ROM:000000B8�r
ROM:000000D0 ; ROM:000000C0�o
ROM:000000D4 ; ---------------------------------------------------------------------------
ROM:000000D4
ROM:000000D4 loc_D4 ; DATA XREF: ROM:0000001C�o
ROM:000000D4 LDR R4, =0x404F0980
ROM:000000D8 BX R4
ROM:000000D8 ; ---------------------------------------------------------------------------
ROM:000000DC dword_DC DCD 0x404F0980 ; DATA XREF: ROM:loc_D4�r
ROM:000000E0 dword_E0 DCD 0x201436C8 ; DATA XREF: ROM:00000000�r
ROM:000000E4 dword_E4 DCD 0x203C1000 ; DATA XREF: ROM:00000008�r
ROM:000000E8 dword_E8 DCD 0x4000082C ; DATA XREF: ROM:00000014�r
ROM:000000EC dword_EC DCD 0x2030055E ; DATA XREF: ROM:0000004C�r
ROM:000000F0 dword_F0 DCD 0x40001000 ; DATA XREF: ROM:00000050�r
ROM:000000F4 dword_F4 DCD 0x4000055E ; DATA XREF: ROM:00000068�r
ROM:000000F8 dword_F8 DCD 0x40001011 ; DATA XREF: ROM:00000070�r
ROM:000000FC dword_FC DCD 0x203C1830 ; DATA XREF: ROM:000000BC�r
ROM:000000FC ; ROM ends
</pre>

==Links==
* Cydia repo (http://apt.geohot.com/)
* [http://apt.geohot.com/purplesn0w_source.zip Source code]

[[Category:Unlocking Methods]]
[[Category:Baseband]]

IDA Pro Setup

2011-01-03T10:05:42Z

JackR1: /* Baseband 02.28.00 */

==How to set up IDA pro to reverse the 3G baseband==

The [[X-Gold 608]] has a memory map, as seen in it's page.

The [[Secpack 2.0]] takes up the first 0xCF8 of the .fls file.

So to load the 3G .fls file into IDA pro, the file offset is 0xCF8(for the secpack), and the CODE starts at the ROM start address of 0x20040000(since it's the main firmware)

For real noobs:
1. Drag the fls file into IDA
2. Select ARM
3. Change ROM start address to 0x20040000
4. Change Loading address to 0x20040000
5. Change File offset to 0xCF8
6. Copy Loading size into ROM size
7. Press OK
8. The entry point is the address at 0x20040408
9. Go to 20100004 and Press "C" to start. ~Deco
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco

Here are some key combinations to use:
* c = turn the 'gibberish' into code
* d = turn the 'gibberish' into data
* a = turn the 'gibberish' into a string
* u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
* Alt+G = toggle the Register T from 0 / 1 to toggle arm and thumb mode when needed

== some hints for getting the mnemonics from n00b for noobs (read: master noob for noobs ;-) )==

The autoanalysis didn't work very well. There were a lot of silly mnemonics, simply interleaving thumb and arm mode or other nasty stuff. I then tried to identify strings, pressing 'A'. Boring... What pushed it up a little bit is this:

Most code is 'embraced' by 'embracing' code:
- push / pop for thumb mod
- STMFD / LDMFD for arm mode

Even better, all versions of above codes have similar instruction sets. So you can find all occurences of STMFD by hex searching '2D E9', going two bytes back (did I say code is aligned? 4bytes in arm starting at 00 04 08 0c, 2bytes in thumb mode!) and pressing 'C'. If you see scrambled code, then (probably) the wrong mode (thumb) is enabled. Just press Alt-G, change the value for T to zero. See?!
The same goes for thumb mode. Push instructions are 'B5' preceeded by 02 0B 4E 72 30 10 F0 70 F3 7C 55 1F 30 3E 0E 1C 08 7F ... So just look for e.g. '10 B5' at two-byte boarders (Alt-B to set, Ctrl-B to search again) and you will easily find all occurences. Again, if it is scrambled, switch back to thumb mode (Alt-G, T=1).
After all, you can hex browse a little bit and press 'C' for missing code or 'A' for text.

Above is a very simple 'algorithm', maybe there is an appropiate IDA plugin. Or you could write one :-) !

[http://code.assembla.com/ks360/subversion/nodes/utils/Analyze.py Script] with [http://d-dome.net/idapython/ IDAPython]

==Addresses of known functions / code locations==
===Baseband 02.28.00===
* 0x201497B0 - maybe AT Command handler? (uses strings such as "OK", "ERROR", "UNKNOWN COMMAND")
* 0x203C51BC - probably prints text
* 0x201420AC - malloc (according to Darkmen)
* 0x203C58A0 - bytecpy (according to Darkmen)
* 0x203FB540 - NU_Create_Task (according to Darkmen)
* 0x2046DD00 - sprintf (according to Darkmen)
* 0x20165998 - NU_Receive_From_Mailbox (according to Darkmen)
* 0x203ED568 - NU_Send_To_Mailbox (according to Darkmen)

===Baseband 5.12.01 3.1.3 (Build 7E18)===
* 0x203C2714 - IMEI routine
* 0x2062CF28 - default IMEI (0A 40 99 09 01 46 00 00)