The iPhone Wiki - User contributions [en]

PMB8878

2009-07-12T00:34:35Z

Luke1908:

This is the baseband processor used in the iPhone 3G and the iPhone 3Gs. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the PMB8878.

==Datasheet==
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.

==Secpack 2.0==
This is the security region in the files sent to the [[X-Gold 608]]. This is the first 0xCF8 is new fls and eep files.

===Layout===
0x634--Memory Map
0x714--Descriptor
0xCD4--Post secpack pointer to name
0xCEC--Data length

==Endpack==
The fls and eep files also have a footer tacked onto the end containing the loader and signature.

==Memory Map==
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

==MMU relocation table==
===Bootloader===
[[Image:Bltbl.png]]

===Firmware===
[[Image:Bbmmu.png]]

==Complete memory dump==
[http://depositfiles.com/files/i5119hpzm 0x00000000-0x0001FFFF]

[http://depositfiles.com/files/mxslfu4dp 0x20000000-0x20FFFFFF]

[http://depositfiles.com/files/6wiet73wn 0x40000000-0x407FFFFF]

[http://depositfiles.com/files/fioppsphe 0xFFFF0000-0xFFFFFFFF]

== Known Firmware Versions ==
[[1.43.00]] 2.0 (Build 5A331 - Internal Beta)
[[1.45.00]] 2.0 (Build 5A347 - Gold Master)
[[1.48.02]] 2.0.1 (Build 5B108)
[[2.04.03]] 2.1 (Build 5F90)
[[2.08.01]] 2.0.2 (Build 5C1)
[[2.11.07]] 2.1 (Build 5F136)
[[2.28.00]] 2.2 (Build 5G77)
[[2.30.03]] 2.2.1 (Build 5H11)
[[4.20.01]] 3.0 beta 1 (Build 7A238j)
[[4.22.01]] 3.0 beta 2 (Build 7A259g)
[[4.24.02]] 3.0 beta 3 (Build 7A280f)
[[4.26.08]] 3.0 (Build 7A341 - Gold Master)
[[5.08.01]] 3.1 beta 1 (Build 7C97d)

==Accessing [[Interactive Mode]]==
Interactive mode isn't accessed by sending characters to the baseband. Instead a GPIO pin is raised with a kernel call to preupdate reset.
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset

[[Category:Baseband]]

Jailbreak (S5L8920+)

2009-07-12T00:33:08Z

Luke1908:

Apple did not have the time to fix the [[24kpwn]] hole in the [[S5L8920 (Bootrom)|iPhone 3G[s] Bootrom]]. Thus, the following needs to be done:
* '''Find [[iBoot]] exploit''' - In order to flash 24kPwned [[LLB]].
* '''"Port" the [[24kpwn]] exploit''' - In order to run our patched [[LLB]] and to skip the ECID checks.

==ECID==
Apple added a new tag to the img3 format called ECID. The ECID is ''unique'' to each phone, and is being sigchecked. So Apple could block downgrades once newer firmware becomes available, unless you have a dump of your unique old firmware's img3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered JBs, because such exploits will be closed in new FWs. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html].

The issue with this is that, even with [[24kpwn]] still in bootrom, an [[iBoot]] exploit is still needed to actually flash the 24kpwned [[LLB]]. If Apple uses this ECID stuff to block downgrades, then a new [[iBoot]] exploit will be needed whenever they fix the last, so that [[24kpwn]] can be applied. This is because Apple could choose to not let you upload an older / exploitable iBEC / iBoot / iBSS to the device. 3GS owners can save a file which contains the signature of an iBSS for 3.0GM containing their [[ECID]], using http://purplera1n.com/ should Apple try to block this in the future.

==Jailbreak tools==
There is two possible methods to jailbreak which use the same iboot exploit discovered independently by Geohot and the iPhone Dev team. you can use redsn0w by the iphone dev team to jailbreak or purplera1n by geohot. These currently only work on firmware version 3.0 (12/7/09).

Jailbreak (S5L8920+)

2009-07-12T00:32:14Z

Luke1908:

Apple did not have the time to fix the [[24kpwn]] hole in the [[S5L8920 (Bootrom)|iPhone 3G[s] Bootrom]]. Thus, the following needs to be done:
* '''Find [[iBoot]] exploit''' - In order to flash 24kPwned [[LLB]].
* '''"Port" the [[24kpwn]] exploit''' - In order to run our patched [[LLB]] and to skip the ECID checks.

==ECID==
Apple added a new tag to the img3 format called ECID. The ECID is ''unique'' to each phone, and is being sigchecked. So Apple could block downgrades once newer firmware becomes available, unless you have a dump of your unique old firmware's img3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered JBs, because such exploits will be closed in new FWs. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html].

The issue with this is that, even with [[24kpwn]] still in bootrom, an [[iBoot]] exploit is still needed to actually flash the 24kpwned [[LLB]]. If Apple uses this ECID stuff to block downgrades, then a new [[iBoot]] exploit will be needed whenever they fix the last, so that [[24kpwn]] can be applied. This is because Apple could choose to not let you upload an older / exploitable iBEC / iBoot / iBSS to the device. 3GS owners can save a file which contains the signature of an iBSS for 3.0GM containing their [[ECID]], using http://purplera1n.com/ should Apple try to block this in the future.

==Jailbreak tools==
There is two possible methods to jailbreak which use the same iboot exploit discovered independently by Geohot and the iPhone dev team. you can use redsn0w by the iphone dev team to jailbreak or purplara1n by geohot. These curently only work on firmware version 3.0 (12/7/09).

Jailbreak (S5L8920+)

2009-07-12T00:31:53Z

Luke1908:

Apple did not have the time to fix the [[24kpwn]] hole in the [[S5L8920 (Bootrom)|iPhone 3G[s] Bootrom]]. Thus, the following needs to be done:
* '''Find [[iBoot]] exploit''' - In order to flash 24kPwned [[LLB]].
* '''"Port" the [[24kpwn]] exploit''' - In order to run our patched [[LLB]] and to skip the ECID checks.

==ECID==
Apple added a new tag to the img3 format called ECID. The ECID is ''unique'' to each phone, and is being sigchecked. So Apple could block downgrades once newer firmware becomes available, unless you have a dump of your unique old firmware's img3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered JBs, because such exploits will be closed in new FWs. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html].

The issue with this is that, even with [[24kpwn]] still in bootrom, an [[iBoot]] exploit is still needed to actually flash the 24kpwned [[LLB]]. If Apple uses this ECID stuff to block downgrades, then a new [[iBoot]] exploit will be needed whenever they fix the last, so that [[24kpwn]] can be applied. This is because Apple could choose to not let you upload an older / exploitable iBEC / iBoot / iBSS to the device. 3GS owners can save a file which contains the signature of an iBSS for 3.0GM containing their [[ECID]], using http://purplera1n.com/ should Apple try to block this in the future.

==Jailbreak tools==
There is two possible method to jailbreak which use the same iboot exploit discovered independently by Geohot and the iPhone dev team. you can use redsn0w by the iphone dev team to jailbreak or purplara1n by geohot. These curently only work on firmware version 3.0 (12/7/09).

Jailbreak (S5L8920+)

2009-07-12T00:31:28Z

Luke1908:

Apple did not have the time to fix the [[24kpwn]] hole in the [[S5L8920 (Bootrom)|iPhone 3G[s] Bootrom]]. Thus, the following needs to be done:
* '''Find [[iBoot]] exploit''' - In order to flash 24kPwned [[LLB]].
* '''"Port" the [[24kpwn]] exploit''' - In order to run our patched [[LLB]] and to skip the ECID checks.

==ECID==
Apple added a new tag to the img3 format called ECID. The ECID is ''unique'' to each phone, and is being sigchecked. So Apple could block downgrades once newer firmware becomes available, unless you have a dump of your unique old firmware's img3 or signed certificate. Therefore, iBoot exploits won't be so useful for tethered JBs, because such exploits will be closed in new FWs. [http://iphonejtag.blogspot.com/2009/06/ecid-field-downgrades-no-dice.html].

The issue with this is that, even with [[24kpwn]] still in bootrom, an [[iBoot]] exploit is still needed to actually flash the 24kpwned [[LLB]]. If Apple uses this ECID stuff to block downgrades, then a new [[iBoot]] exploit will be needed whenever they fix the last, so that [[24kpwn]] can be applied. This is because Apple could choose to not let you upload an older / exploitable iBEC / iBoot / iBSS to the device. 3GS owners can save a file which contains the signature of an iBSS for 3.0GM containing their [[ECID]], using http://purplera1n.com/ should Apple try to block this in the future.

==JAILBREAK TOOLS==
There is two possible method to jailbreak which use the same iboot exploit discovered independently by Geohot and the iPhone dev team. you can use redsn0w by the iphone dev team to jailbreak or purplara1n by geohot. These curently only work on firmware version 3.0 (12/7/09).

04.26.08

2009-07-12T00:23:36Z

Luke1908: New page: Vulnerable to at+xlog crash which is used to inject ultrasn0w for unlocking

Vulnerable to at+xlog crash which is used to inject ultrasn0w for unlocking

05.08.01

2009-07-12T00:22:26Z

Luke1908: tqh

This baseband makes ultrasn0w useless in it current form because it closes the whole discovered by Oranav (at+xlog crash). Apple also tighens the securtiy in this baseband by removing 120 AT commands.