https://www.theiphonewiki.com/w/api.php?action=feedcontributions&user=Darkmen&feedformat=atom
The iPhone Wiki - User contributions [en]
2024-03-28T15:26:38Z
User contributions
MediaWiki 1.31.14
https://www.theiphonewiki.com/w/index.php?title=S5L8920&diff=4136
S5L8920
2009-07-09T09:08:36Z
<p>Darkmen: /* THUMB-2 */</p>
<hr />
<div>This is the processor used in the [[iPhone 3G S]].<br />
<br />
The S5L8920 supports the [http://www.arm.com/products/CPUs/archi-thumb2.html THUMB-2] instruction set in addition to the ARM and THUMB ones, so binaries compiled for it are not compatible with older CPUs.<br />
<br />
== Exploits ==<br />
=== [[iBoot]] / [[Kernel]] ===<br />
* [[iBoot Environment Variable Overflow]] - Firmware 3.0 and below<br />
<br />
=== [[S5L8920 (Bootrom)|Bootrom]] ===<br />
* [[0x24000 Segment Overflow]]<br />
<br />
== Boot Chain ==<br />
[[S5L8920 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[System|System Software]]<br />
<br />
== See also ==<br />
* [[S5L8920 (Bootrom)]]<br />
* [[S5L8920 (Hardware)]]<br />
* [[S5L8920 (Hardware - Quick Notes)]]</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=User_talk:Darkmen&diff=4106
User talk:Darkmen
2009-07-06T07:40:55Z
<p>Darkmen: /* About smart index titles patches */</p>
<hr />
<div>Excellent work on the yellowsn0w payload reverse<br />
<br />
== About smart index titles patches ==<br />
<br />
'''Q:''' Can you post your email or something like that? (for contact)<br />
<br />
'''A:''' Be my guest: darkmen@i.ua --[[User:Darkmen|Darkmen]] 07:40, 6 July 2009 (UTC)</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=User:Darkmen&diff=4099
User:Darkmen
2009-07-05T23:00:57Z
<p>Darkmen: /* Smart index titles */</p>
<hr />
<div>=Firmware 3.0 patches=<br />
==Smart index titles==<br />
Description: by default the index titles are static: each language has its own array of titles. This is not very convenient when you have only 10 sections in Contacts or the iPod but still get A-Z indices, or when your native language is not English and you have both English and non-English contacts / songs. This patch makes it possible to see only the index letters that your contacts / songs actually start with:<br />
[[Image:SmartTitles.png]]<br />
<br />
When a list has more than 26 letters, each small section (5 or fewer items) is attached to the neighbouring letter as a second letter. This keeps a long section list looking clean.<br />
<br />
'''Three files need to be patched:'''<br />
===/System/Library/Frameworks/AddressBookUI.framework/AddressBookUI===<br />
<pre><br />
-0x316FF000<br />
//sectionIndexTitlesForTableView<br />
31703620: 0C708DE2000D2DE908D04DE264119FE50240A0E101109FE70050A0E1CC8701EB040050E10000A0134F00001A48419FE504408FE0003094E5038095E7000058E34600001A34319FE503309FE7003093E5030095E70E8401EB00A050E23500000A1C119FE5006094E501109FE7B88701EB060085E70A00A0E1058601EB003094E500119FE5030095E701109FE7B08701EBF4109FE501109FE700108DE5EC109FE501A09FE7E8109FE501109FE704108DE500B0A0E1150000EAD8609FE500109DE506608FE00820A0E1003096E5030095E79F8701EB0A10A0E10040A0E10420A0E10500A0E19A8701EB000050E3000054110030A0E1 000D2DE903DF4DE20040A0E102A0A0E11C0094E5000050E31D86011B0000A0E30010A0E30020A0E3758501EB1C0084E50400A0E10A20A0E12FFFFFEB020050E3280000BA0080A0E100008DE50150A0E30400A0E10A20A0E1013045E2B1FFFFEB0070A0E10400A0E10A20A0E1013045E24FFFFFEB0020A0E10210A0E30000A0E33B8601EB060057E30E0000AA190058E30C0000BA080055E10A0000AA0070A0E10400A0E10A20A0E10530A0E140FFFFEB015085E20010A0E10700A0E1188601EB018048E20700A0E1F58501EB0010A0E11C0094E5368501EB015085E200009DE5000055E1D9FFFFDA03DF8DE21C0094E51E0000EA<br />
3170A548: 3C119FE50520A0E101109FE70800A0E1056C01EB2C119FE50251E0E301109FE70060A0E30040A0E10800A0E1FE6B01EB14119FE50A20A0E101109FE704008DE50800A0E1F86B01EB0410A0E108008DE504009DE5EC6901EBF0109FE501109FE700108DE500B0A0E11E0000EA0800A0E1 1C0098E5011044E2C76901EB0010A0E3A16A01EB0040A0E10800A0E10A20A0E16BE3FFEB020050E33A0000BA00B0A0E10050A0E30800A0E10A20A0E10530A0E191E3FFEB000050E33200000A0010A0E3916A01EB040050E12E00000A015085E20B0055E1F2FFFFBA015045E2290000EA<br />
</pre><br />
===/System/Library/Frameworks/UIKit.framework/UIKit===<br />
<pre><br />
-0x308ED000<br />
30A531EC: 626A29EB 2C0090E5 ; sectionIndexTitles = sectionTitles<br />
30984B20: 0E01005A 0E0100EA ; do not make list shorter<br />
</pre><br />
===/Applications/MobileMusicPlayer.app/MobileMusicPlayer===<br />
<pre><br />
-0x1000<br />
//sectionIndexTitlesForTableView<br />
47FE0: 401007E5 400087E5<br />
47FF0: A8239FE5000092E500009BE7000050E3 240087E5A4009BE5000050E389BD001B<br />
48000: 0300000A87BD00EB90239FE5003092E5 0000A0E30010A0E30020A0E30030A0E3<br />
48010: 03408BE788039FE588139FE5000090E5 57BD00EBA4008BE50000A0E30010A0E3<br />
48020: 001091E5FCBE00EB7C139FE5001091E5 0020A0E328BD00EB00A0A0E1240097E5<br />
48030: 381007E53C0007E50B00A0E1F6BE00EB 020050E33D0000BA0080A0E160009BE5<br />
48040: 68139FE5008091E564139FE5001091E5 F8109FE5001091E5F3BE00EBF0109FE5<br />
48050: FF0010E35C039FE50030A0030130A013 001091E5F0BE00EBE8109FE5001091E5<br />
48060: 283007E500A090E53C0017E5EABE00EB EDBE00EB000050E20110A0130010A003<br />
48070: 0810A0E10020A0E10A00A0E1E6BE00EB 201007E50150A0E30160A0E13C6087E5<br />
48080: 00A050E20C00000A0B00A0E1381017E5 0B00A0E1003045E2204017E5043083E0<br />
48090: E1BE00EBFF0010E30700000A18239FE5 383087E592F5FFEB0060A0E1400097E5<br />
480A0: 18139FE50A00A0E1002092E5001091E5 011045E211BD00EB0020A0E10210A0E3<br />
480B0: 0430A0E1002092E5D7BE00EB401017E5 0000A0E3200000EB060056E30D0000AA<br />
480C0: 0A00A0E1D4BE00EBB8329FE50610A0E1 190058E30B0000BA080055E1090000AA<br />
480D0: 0040A0E3003093E5003093E5240007E5 0060A0E1400097E50510A0E103BD00EB<br />
480E0: 03009BE7CCBE00EBD4129FE5001091E5 015085E20010A0E10600A0E1110000EB<br />
480F0: C9BE00EB401017E5C7BE00EB000050E2 018048E20600A0E14DBD00EB0010A0E1<br />
48100: 0100A013200007E50000A0E30010A0E1 0A00A0E1EABC00EBA4009BE53C6097E5<br />
48110: 0020A0E10030A0E115BD00EBA4129FE5 0610A0E1382097E527BD00EB016086E2<br />
48120: 001091E5341007E59C129FE5001091E5 015085E2240097E5000055E1D2FFFFDA<br />
48130: 301007E594129FE5006091E50080A0E1 0A00A0E18F0000EA0CF09FE50CF09FE5<br />
48140: 120000EA441017E50500A0E1B2BE00EB F05409001C5D09000047090041BB2330<br />
48150: 0420A0E1 B5A52530<br />
</pre><br />
<br />
Do not forget to sign the patched binaries with the codesign tool before uploading them to the phone.</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=User:Darkmen&diff=4098
User:Darkmen
2009-07-05T22:52:23Z
<p>Darkmen: </p>
<hr />
<div>=Firmware 3.0 patches=<br />
==Smart index titles==<br />
Description: by default the index titles are static: each language has its own array of titles. This is not very convenient when you have only 10 sections in Contacts or the iPod but still get A-Z indices, or when your native language is not English and you have both English and non-English contacts / songs. This patch makes it possible to see only the index letters that your contacts / songs actually start with:<br />
[[Image:SmartTitles.png]]<br />
<br />
'''Three files need to be patched:'''<br />
===/System/Library/Frameworks/AddressBookUI.framework/AddressBookUI===<br />
<pre><br />
-0x316FF000<br />
31703620: 0C708DE2000D2DE908D04DE264119FE50240A0E101109FE70050A0E1CC8701EB040050E10000A0134F00001A48419FE504408FE0003094E5038095E7000058E34600001A34319FE503309FE7003093E5030095E70E8401EB00A050E23500000A1C119FE5006094E501109FE7B88701EB060085E70A00A0E1058601EB003094E500119FE5030095E701109FE7B08701EBF4109FE501109FE700108DE5EC109FE501A09FE7E8109FE501109FE704108DE500B0A0E1150000EAD8609FE500109DE506608FE00820A0E1003096E5030095E79F8701EB0A10A0E10040A0E10420A0E10500A0E19A8701EB000050E3000054110030A0E1 000D2DE903DF4DE20040A0E102A0A0E11C0094E5000050E31D86011B0000A0E30010A0E30020A0E3758501EB1C0084E50400A0E10A20A0E12FFFFFEB020050E3280000BA0080A0E100008DE50150A0E30400A0E10A20A0E1013045E2B1FFFFEB0070A0E10400A0E10A20A0E1013045E24FFFFFEB0020A0E10210A0E30000A0E33B8601EB060057E30E0000AA190058E30C0000BA080055E10A0000AA0070A0E10400A0E10A20A0E10530A0E140FFFFEB015085E20010A0E10700A0E1188601EB018048E20700A0E1F58501EB0010A0E11C0094E5368501EB015085E200009DE5000055E1D9FFFFDA03DF8DE21C0094E51E0000EA<br />
3170A548: 3C119FE50520A0E101109FE70800A0E1056C01EB2C119FE50251E0E301109FE70060A0E30040A0E10800A0E1FE6B01EB14119FE50A20A0E101109FE704008DE50800A0E1F86B01EB0410A0E108008DE504009DE5EC6901EBF0109FE501109FE700108DE500B0A0E11E0000EA0800A0E1 1C0098E5011044E2C76901EB0010A0E3A16A01EB0040A0E10800A0E10A20A0E16BE3FFEB020050E33A0000BA00B0A0E10050A0E30800A0E10A20A0E10530A0E191E3FFEB000050E33200000A0010A0E3916A01EB040050E12E00000A015085E20B0055E1F2FFFFBA015045E2290000EA<br />
</pre><br />
===/System/Library/Frameworks/UIKit.framework/UIKit===<br />
<pre><br />
-0x308ED000<br />
30A531EC: 626A29EB 2C0090E5 ; sectionIndexTitles = sectionTitles<br />
30984B20: 0E01005A 0E0100EA ; do not make list shorter<br />
</pre><br />
===/Applications/MobileMusicPlayer.app/MobileMusicPlayer===<br />
<pre><br />
-0x1000<br />
47FE0: 401007E5 400087E5<br />
47FF0: A8239FE5000092E500009BE7000050E3 240087E5A4009BE5000050E389BD001B<br />
48000: 0300000A87BD00EB90239FE5003092E5 0000A0E30010A0E30020A0E30030A0E3<br />
48010: 03408BE788039FE588139FE5000090E5 57BD00EBA4008BE50000A0E30010A0E3<br />
48020: 001091E5FCBE00EB7C139FE5001091E5 0020A0E328BD00EB00A0A0E1240097E5<br />
48030: 381007E53C0007E50B00A0E1F6BE00EB 020050E33D0000BA0080A0E160009BE5<br />
48040: 68139FE5008091E564139FE5001091E5 F8109FE5001091E5F3BE00EBF0109FE5<br />
48050: FF0010E35C039FE50030A0030130A013 001091E5F0BE00EBE8109FE5001091E5<br />
48060: 283007E500A090E53C0017E5EABE00EB EDBE00EB000050E20110A0130010A003<br />
48070: 0810A0E10020A0E10A00A0E1E6BE00EB 201007E50150A0E30160A0E13C6087E5<br />
48080: 00A050E20C00000A0B00A0E1381017E5 0B00A0E1003045E2204017E5043083E0<br />
48090: E1BE00EBFF0010E30700000A18239FE5 383087E592F5FFEB0060A0E1400097E5<br />
480A0: 18139FE50A00A0E1002092E5001091E5 011045E211BD00EB0020A0E10210A0E3<br />
480B0: 0430A0E1002092E5D7BE00EB401017E5 0000A0E3200000EB060056E30D0000AA<br />
480C0: 0A00A0E1D4BE00EBB8329FE50610A0E1 190058E30B0000BA080055E1090000AA<br />
480D0: 0040A0E3003093E5003093E5240007E5 0060A0E1400097E50510A0E103BD00EB<br />
480E0: 03009BE7CCBE00EBD4129FE5001091E5 015085E20010A0E10600A0E1110000EB<br />
480F0: C9BE00EB401017E5C7BE00EB000050E2 018048E20600A0E14DBD00EB0010A0E1<br />
48100: 0100A013200007E50000A0E30010A0E1 0A00A0E1EABC00EBA4009BE53C6097E5<br />
48110: 0020A0E10030A0E115BD00EBA4129FE5 0610A0E1382097E527BD00EB016086E2<br />
48120: 001091E5341007E59C129FE5001091E5 015085E2240097E5000055E1D2FFFFDA<br />
48130: 301007E594129FE5006091E50080A0E1 0A00A0E18F0000EA0CF09FE50CF09FE5<br />
48140: 120000EA441017E50500A0E1B2BE00EB F05409001C5D09000047090041BB2330<br />
48150: 0420A0E1 B5A52530<br />
</pre><br />
<br />
Do not forget to sign the patched binaries with the codesign tool before uploading them to the phone.</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=File:SmartTitles.png&diff=4097
File:SmartTitles.png
2009-07-05T22:25:00Z
<p>Darkmen: The iPod smart index titles</p>
<hr />
<div>The iPod smart index titles</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=Decrypting_Firmwares&diff=4088
Decrypting Firmwares
2009-07-05T09:19:55Z
<p>Darkmen: Undo revision 4087 by Darkmen (Talk)</p>
<hr />
<div>==1.0.x==<br />
To decrypt a 1.0.x iPhone ramdisk you must first remove some garbage bytes from the beginning of the image. You can do this in Terminal.app (on Mac OS X you can find it in /Applications/Utilities/).<br />
<br />
Unzip the firmware image (change the extension from .ipsw to .zip and double-click the archive) and find the restore ramdisk. In Terminal.app enter this simple command:<br />
<br />
''dd if=restore_ramdisk.dmg of=restore_ramdisk.stripped.dmg bs=512 skip=4 count=37464 conv=sync''<br />
<br />
Where '''restore_ramdisk.dmg''' is the restore ramdisk image (for example, the 1.0 iPhone firmware restore ramdisk is 694-5259-38.dmg), and '''restore_ramdisk.stripped.dmg''' is the 'decrypted' image, which you can mount and explore from Finder.<br />
<br />
Note: if you see errors after mounting the stripped ramdisk, ignore them.<br />
<br />
==1.1.x==<br />
To decrypt the 1.1.x ramdisk, strip the first 0x800 bytes. I'm not proficient in dd, but the above command could be modified for this, or it could be done in a hex editor. Once that's complete, run this command:<br />
<br />
''openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0''<br />
<br />
This uses the iPhone's 0x837 key which was first leaked by Zibri and had its purpose revealed on Geohot's blog.<br />
<br />
==2.x+==<br />
The ramdisk on both 2.x and 3.x firmwares is a plain [http://www.theiphonewiki.com/wiki/index.php?title=IMG3_File_Format img3 file] that you can decrypt using [http://code.google.com/p/img3decrypt/ img3decrypt] or [http://github.com/planetbeing/xpwn/tree/master xpwntool]. You must download one of these utilities; for easier access, put them in '''/usr/local/bin'''.<br />
<br />
In Terminal.app enter:<br />
<br />
''img3decrypt e restore_ramdisk.dmg restore_ramdisk_decrypted.dmg Ramdisk_IV Ramdisk_Key''<br />
<br />
Where '''restore_ramdisk.dmg''' is the restore ramdisk image (for example, the 3.0 beta 1 iPhone GSM firmware restore ramdisk is 018-4793-1.dmg), and '''restore_ramdisk_decrypted.dmg''' is the decrypted image, which you can mount and explore from Finder. Ramdisk_IV and Ramdisk_Key are the decrypted keys, which you can find on the [http://www.theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys:_3.x vfdecrypt page] or in Info.plist in the PwnageTool FirmwareBundles folder (once the Dev Team includes support for this firmware).<br />
<br />
P.S.<br />
img3decrypt doesn't seem to work properly with 3.0 ramdisks. The DMG becomes mountable, but 99% of the files are zero-size.</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=Decrypting_Firmwares&diff=4087
Decrypting Firmwares
2009-07-05T09:10:43Z
<p>Darkmen: /* 2.x+ */</p>
<hr />
<div>==1.0.x==<br />
To decrypt a 1.0.x iPhone ramdisk you must first remove some garbage bytes from the beginning of the image. You can do this in Terminal.app (on Mac OS X you can find it in /Applications/Utilities/).<br />
<br />
Unzip the firmware image (change the extension from .ipsw to .zip and double-click the archive) and find the restore ramdisk. In Terminal.app enter this simple command:<br />
<br />
''dd if=restore_ramdisk.dmg of=restore_ramdisk.stripped.dmg bs=512 skip=4 count=37464 conv=sync''<br />
<br />
Where '''restore_ramdisk.dmg''' is the restore ramdisk image (for example, the 1.0 iPhone firmware restore ramdisk is 694-5259-38.dmg), and '''restore_ramdisk.stripped.dmg''' is the 'decrypted' image, which you can mount and explore from Finder.<br />
<br />
Note: if you see errors after mounting the stripped ramdisk, ignore them.<br />
<br />
==1.1.x==<br />
To decrypt the 1.1.x ramdisk, strip the first 0x800 bytes. I'm not proficient in dd, but the above command could be modified for this, or it could be done in a hex editor. Once that's complete, run this command:<br />
<br />
''openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0''<br />
<br />
This uses the iPhone's 0x837 key which was first leaked by Zibri and had its purpose revealed on Geohot's blog.<br />
<br />
==2.x+==<br />
The ramdisk on both 2.x and 3.x firmwares is a plain [http://www.theiphonewiki.com/wiki/index.php?title=IMG3_File_Format img3 file] that you can decrypt using [http://code.google.com/p/img3decrypt/ img3decrypt] or [http://github.com/planetbeing/xpwn/tree/master xpwntool]. You must download one of these utilities; for easier access, put them in '''/usr/local/bin'''.<br />
<br />
In Terminal.app enter:<br />
<br />
''img3decrypt e restore_ramdisk.dmg restore_ramdisk_decrypted.dmg Ramdisk_IV Ramdisk_Key''<br />
<br />
Where '''restore_ramdisk.dmg''' is the restore ramdisk image (for example, the 3.0 beta 1 iPhone GSM firmware restore ramdisk is 018-4793-1.dmg), and '''restore_ramdisk_decrypted.dmg''' is the decrypted image, which you can mount and explore from Finder. Ramdisk_IV and Ramdisk_Key are the decrypted keys, which you can find on the [http://www.theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys:_3.x vfdecrypt page] or in Info.plist in the PwnageTool FirmwareBundles folder (once the Dev Team includes support for this firmware).</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=Decrypting_Firmwares&diff=4086
Decrypting Firmwares
2009-07-05T09:03:58Z
<p>Darkmen: /* 2.x+ */</p>
<hr />
<div>==1.0.x==<br />
To decrypt a 1.0.x iPhone ramdisk you must first remove some garbage bytes from the beginning of the image. You can do this in Terminal.app (on Mac OS X you can find it in /Applications/Utilities/).<br />
<br />
Unzip the firmware image (change the extension from .ipsw to .zip and double-click the archive) and find the restore ramdisk. In Terminal.app enter this simple command:<br />
<br />
''dd if=restore_ramdisk.dmg of=restore_ramdisk.stripped.dmg bs=512 skip=4 count=37464 conv=sync''<br />
<br />
Where '''restore_ramdisk.dmg''' is the restore ramdisk image (for example, the 1.0 iPhone firmware restore ramdisk is 694-5259-38.dmg), and '''restore_ramdisk.stripped.dmg''' is the 'decrypted' image, which you can mount and explore from Finder.<br />
<br />
Note: if you see errors after mounting the stripped ramdisk, ignore them.<br />
<br />
==1.1.x==<br />
To decrypt the 1.1.x ramdisk, strip the first 0x800 bytes. I'm not proficient in dd, but the above command could be modified for this, or it could be done in a hex editor. Once that's complete, run this command:<br />
<br />
''openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0''<br />
<br />
This uses the iPhone's 0x837 key which was first leaked by Zibri and had its purpose revealed on Geohot's blog.<br />
<br />
==2.x+==<br />
The ramdisk on both 2.x and 3.x firmwares is a plain [http://www.theiphonewiki.com/wiki/index.php?title=IMG3_File_Format img3 file] that you can decrypt using [http://code.google.com/p/img3decrypt/ img3decrypt] or [http://github.com/planetbeing/xpwn/tree/master xpwntool]. You must download one of these utilities; for easier access, put them in '''/usr/local/bin'''.<br />
<br />
In Terminal.app enter:<br />
<br />
''img3decrypt e restore_ramdisk.dmg restore_ramdisk_decrypted.dmg Ramdisk_IV Ramdisk_Key''<br />
<br />
Where '''restore_ramdisk.dmg''' is the restore ramdisk image (for example, the 3.0 beta 1 iPhone GSM firmware restore ramdisk is 018-4793-1.dmg), and '''restore_ramdisk_decrypted.dmg''' is the decrypted image, which you can mount and explore from Finder. Ramdisk_IV and Ramdisk_Key are the decrypted keys, which you can find on the [http://www.theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys:_3.x vfdecrypt page] or in Info.plist in the PwnageTool FirmwareBundles folder (once the Dev Team includes support for this firmware).<br />
<br />
P.S.<br />
img3decrypt doesn't seem to work properly with 3.0 ramdisks. The DMG becomes mountable, but 99% of the files are zero-size.</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=User:Darkmen&diff=4084
User:Darkmen
2009-07-04T23:13:59Z
<p>Darkmen: New page: '''Under construction'''</p>
<hr />
<div>'''Under construction'''</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=4083
Ultrasn0w
2009-07-04T23:12:11Z
<p>Darkmen: /* Handler replace */</p>
<hr />
<div>ultrasn0w (previously: '''yellowsn0w''') is the only [[iPhone 3G]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]. ultrasn0w was released on June 23rd, 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
MuscleNerd, and [[The dev team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on the fly, overriding the carrier lock code. It is not permanent because of the signature checks: the bootloader has to pass the signature checks and so does the baseband, so no persistent change to the baseband or bootloader can be made.<br />
<br />
==Current Injection Vector==<br />
ultrasn0w refers to the reusable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00, and the decision was made to release yellowsn0w with that injection vector to benefit the most people. This injection vector is discussed [[AT+stkprof Exploit|here]]. ultrasn0w uses a different injection vector: [[AT+XLOG Exploit]].<br />
<br />
==ultrasn0w payload with comments (by Oranav)==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24↓j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14↑j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; (probably) where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
I'm also missing a comment here.<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4↑p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; R0 = task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; ???<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40↑j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A↑j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44↓j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14↑j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen)==<br />
<br />
The exploit consists of 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12↓j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A↑j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C↓j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first halfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2byte second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A↑o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2↑j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2↑o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jumptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving response ptr to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A↑j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64↑j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C↑o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44↓j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14↑j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (an older version) was released together with yellowsn0w itself. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://yellowsn0w.com yellowsn0w Official Website]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=PMB8878&diff=2810
PMB8878
2009-01-13T09:49:56Z
<p>Darkmen: complete memory dump</p>
<hr />
<div>This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]].<br />
<br />
==Datasheet==<br />
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.<br />
<br />
==Memory Map==<br />
{| class="wikitable"<br />
! Region<br />
! Base address<br />
! Size<br />
! Attributes<br />
|-<br />
| FLASH || 0x20000000 || 0x1000000 || <br />
|-<br />
| CODE || 0x20000000 || 0x40000 || 0b0010 (bootstrapper)<br />
|-<br />
| CODE || 0x20040000 || 0xDC0000 || 0b0100 (main firmware)<br />
|-<br />
| FFS || 0x20A00000 || 0x100000 || 0b1100 (empty)<br />
|-<br />
| DYNFFS || 0x20A00000 || 0x100000 || 0b1100 (empty)<br />
|-<br />
| FFS || 0x20B00000 || 0x40000 || 0b1011 (empty)<br />
|-<br />
| DYN_EEP || 0x20E40000 || 0x80000 || 0b0110<br />
|-<br />
| SECPACK || 0x20EC0000 || 0x40000 || <br />
|-<br />
| SECZONE || 0x20F80000 || 0x40000 || <br />
|-<br />
| STATIC_EEP || 0x20FC0000 || 0x40000 || 0b0111<br />
|-<br />
| RAM || 0x40000000 || 0x800000 || <br />
|}<br />
<br />
==MMU relocation table==<br />
===Bootloader===<br />
[[Image:Bltbl.png]]<br />
<br />
===Firmware===<br />
[[Image:Bbmmu.png]]<br />
<br />
==Complete memory dump==<br />
[http://depositfiles.com/files/i5119hpzm 0x00000000-0x0001FFFF]<br />
<br />
[http://depositfiles.com/files/mxslfu4dp 0x20000000-0x20FFFFFF]<br />
<br />
[http://depositfiles.com/files/6wiet73wn 0x40000000-0x407FFFFF]<br />
<br />
[http://depositfiles.com/files/fioppsphe 0xFFFF0000-0xFFFFFFFF]<br />
<br />
== Known Firmware Versions ==<br />
* [[1.43.00]] 2.0 (Build 5A331 - Internal Beta)<br />
* [[1.45.00]] 2.0 (Build 5A347 - Gold Master)<br />
* [[1.48.02]] 2.0.1 (Build 5B108)<br />
* [[2.04.03]] 2.1 (Build 5F90)<br />
* [[2.08.01]] 2.0.2 (Build 5C1)<br />
* [[2.11.07]] 2.1 (Build 5F136)<br />
* [[2.28.00]] 2.2 (Build 5G77)<br />
<br />
==Accessing Interactive Mode==<br />
Interactive mode isn't accessed by sending characters to the baseband. Instead, a GPIO pin is raised by a kernel call, the "preupdate reset" selector in the sequence below:<br />
<pre><br />
#include <IOKit/IOKitLib.h><br />
<br />
kern_return_t result;<br />
/* conn: io_connect_t to the baseband IOKit service, obtained elsewhere (not shown here) */<br />
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset<br />
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set<br />
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux<br />
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle<br />
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset<br />
</pre></div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=PMB8878&diff=2808
PMB8878
2009-01-12T10:58:04Z
<p>Darkmen: /* bootloader table added */</p>
<hr />
<div>This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]].<br />
<br />
==Datasheet==<br />
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.<br />
<br />
==Memory Map==<br />
{| class="wikitable"<br />
! Region<br />
! Base address<br />
! Size<br />
! Attributes<br />
|-<br />
| FLASH || 0x20000000 || 0x1000000 || <br />
|-<br />
| CODE || 0x20000000 || 0x40000 || 0b0010 (bootstrapper)<br />
|-<br />
| CODE || 0x20040000 || 0xDC0000 || 0b0100 (main firmware)<br />
|-<br />
| FFS || 0x20A00000 || 0x100000 || 0b1100 (empty)<br />
|-<br />
| DYNFFS || 0x20A00000 || 0x100000 || 0b1100 (empty)<br />
|-<br />
| FFS || 0x20B00000 || 0x40000 || 0b1011 (empty)<br />
|-<br />
| DYN_EEP || 0x20E40000 || 0x80000 || 0b0110<br />
|-<br />
| SECPACK || 0x20EC0000 || 0x40000 || <br />
|-<br />
| SECZONE || 0x20F80000 || 0x40000 || <br />
|-<br />
| STATIC_EEP || 0x20FC0000 || 0x40000 || 0b0111<br />
|-<br />
| RAM || 0x40000000 || 0x800000 || <br />
|}<br />
<br />
==MMU relocation table==<br />
===Bootloader===<br />
[[Image:Bltbl.png]]<br />
<br />
===Firmware===<br />
[[Image:Bbmmu.png]]<br />
<br />
== Known Firmware Versions ==<br />
* [[1.43.00]] 2.0 (Build 5A331 - Internal Beta)<br />
* [[1.45.00]] 2.0 (Build 5A347 - Gold Master)<br />
* [[1.48.02]] 2.0.1 (Build 5B108)<br />
* [[2.04.03]] 2.1 (Build 5F90)<br />
* [[2.08.01]] 2.0.2 (Build 5C1)<br />
* [[2.11.07]] 2.1 (Build 5F136)<br />
* [[2.28.00]] 2.2 (Build 5G77)<br />
<br />
==Accessing Interactive Mode==<br />
Interactive mode isn't accessed by sending characters to the baseband. Instead, a GPIO pin is raised by a kernel call, the "preupdate reset" selector in the sequence below:<br />
<pre><br />
#include <IOKit/IOKitLib.h><br />
<br />
kern_return_t result;<br />
/* conn: io_connect_t to the baseband IOKit service, obtained elsewhere (not shown here) */<br />
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); //reset<br />
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); //power set<br />
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); //configuring mux<br />
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); //powercycle<br />
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); //preupdate reset<br />
</pre></div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=File:Bltbl.png&diff=2807
File:Bltbl.png
2009-01-12T10:55:42Z
<p>Darkmen: mmu relocation table at bootloader stage</p>
<hr />
<div>mmu relocation table at bootloader stage</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=2793
Ultrasn0w
2009-01-09T09:12:54Z
<p>Darkmen: /* stage2(tm) comments added) = */</p>
<hr />
<div>The first [[iPhone 3G]] [[Unlock 2.0|unlock]] payload. Released on 01/01/09. [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]<br />
<br />
==Credit==<br />
MuscleNerd, and [[The dev team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on the fly, overriding the carrier lock code. It is not permanent because of the signature checks: the bootloader has to pass them and so does the baseband firmware, so no persistent change can be made to either the baseband or the bootloader.<br />
<br />
==Current Injection Vector==<br />
yellowsn0w refers to the reusable '''payload''', but it requires an injection vector in order to be inserted into the baseband. yellowsn0w was originally going to be released with an injection vector that works on pre-2.28.00 baseband versions. However, [[geohot]] had an injection vector for 2.28.00, and the decision was made to release yellowsn0w with that injection vector to benefit the most people.<br />
<br />
The injection vector is discussed [[AT+stkprof Exploit|here]].<br />
<br />
==Payload w/ Comments (by Darkmen)==<br />
<br />
The exploit consists of four parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12↓j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A↑j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C↓j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte: first halfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2byte: second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A↑o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2↑j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
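The stage2 loop above is a small hex decoder with two quirks worth keeping in mind when reading a captured at-string: char2byte only handles uppercase hex (anything at or above 'A' takes the letter path, lowercase included), and the byte is assembled with an add rather than an or, so unexpected characters decode to wrong bytes instead of being rejected. The Python below is an added example, not code from the page or from the dev team; it models the loop, char2byte and the destination alignment exactly, and the function names are my own.<br />

```python
"""Model of the yellowsn0w stage2 hex-to-byte loop and its char2byte helper.

Added example, not code from the page or from the dev team; the function
names (char2byte, stage2_decode, aligned_dst) are assumptions of this model.
The constants come from the disassembly: 'A' = 0x41, '0' = 0x30, letter
bias 0x37, terminator 'x', and 16-byte alignment of the destination.
"""

MASK32 = 0xFFFFFFFF


def char2byte(c: int) -> int:
    """Mirror of the char2byte subroutine (one ASCII byte -> nibble value).

    CMP R1, #0x41 / BGE letter: anything >= 'A', lowercase letters included,
    takes the letter path and has 0x37 subtracted; anything below 'A' has
    0x30 subtracted. Neither path checks the range, and the result stays a
    full 32-bit register value (a char below '0' simply wraps around).
    """
    if c >= 0x41:
        return (c - 0x37) & MASK32  # 'A'..'F' -> 10..15, but 'a' -> 0x2A
    return (c - 0x30) & MASK32      # '0'..'9' -> 0..9


def stage2_decode(hexstr: bytes) -> bytes:
    """Mirror of the stage2 loop: two chars per iteration until 'x'.

    Each output byte is (hi << 4) + lo, stored with STRB, so only the low
    eight bits survive. The real loop has no bounds check at all; running
    off the end of the input is reported as an error here instead.
    """
    out = bytearray()
    i = 0
    while True:
        if i >= len(hexstr):
            raise ValueError("no 'x' terminator before end of input")
        hi_char = hexstr[i]                 # LDRB R1, [R4]
        if hi_char == ord("x"):             # CMP R1, #'x' ; BEQ jump_code
            return bytes(out)
        if i + 1 >= len(hexstr):
            raise ValueError("odd number of hex chars before terminator")
        hi = char2byte(hi_char) << 4        # BLX R5 ; LSLS R3, R1, #4
        lo = char2byte(hexstr[i + 1])       # LDRB R1, [R4,#1] ; BLX R5
        out.append((hi + lo) & 0xFF)        # ADDS R1, R1, R3 ; STRB R1, [R2]
        i += 2                              # ADDS R4, #2


def aligned_dst(copy_end: int) -> int:
    """Mirror of the stage2 prologue: ADDS R2,#0x10 ; MOVS R7,#0xF ; BICS R2,R7.

    R2 arrives holding the address just past the bytes the loader copied.
    Adding 0x10 before clearing the low four bits always leaves a gap, so
    an end address that is already 16-aligned still moves up by 0x10.
    """
    return ((copy_end + 0x10) & ~0xF) & MASK32


if __name__ == "__main__":
    # Constructed sample input, not a captured command.
    print(stage2_decode(b"41424344x"))   # b'ABCD'
    print(stage2_decode(b"1ax").hex())   # '3a', not '1a': lowercase mis-decodes
    print(hex(aligned_dst(0x11744)))     # 0x11750
```
<br />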
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2↑o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jumptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving response ptr to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A↑j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64↑j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C↑o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44↓j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14↑j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w is now live: [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==Compatibility==<br />
<br />
{| class="wikitable sortable" style="text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"<br />
|-<br />
! Country<br />
! Provider<br />
! yellowsn0w Version<br />
! SIM/USIM<br />
! Ingoing Calls?<br />
! Outgoing Calls?<br />
! SMS?<br />
! GPRS/EDGE?<br />
! UMTS/HSDPA?<br />
! Comments<br />
|-<br />
| Bermuda<br />
| Mobility<br />
| 0.9.5<br />
| SIM<br />
| {{no}}<br />
| {{no}}<br />
| {{no}}<br />
| {{no}}<br />
| Not Available<br />
| Still stops working after a while of regular use :(<br />
|-<br />
| Germany<br />
| O2<br />
| <=0.9.4<br />
| SIM<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| Icon shown but not tested<br />
| Icon shown but not tested<br />
| <br />
|-<br />
| Israel<br />
| IL Orange<br />
| 0.9.5<br />
| USIM<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| {{yes}}<br />
| Requires turning airplane mode on and off to get signal. After that, works perfectly.<br />
|}<br />
<br />
Additional information:<br />
http://report.yellowsn0w.com/<br />
<br />
==See Also==<br />
* [[Unlock 2.0]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's Demo]<br />
* [http://yellowsn0w.com Official Website]<br />
<br />
[[Category:Unlocking Methods]]</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=Talk:Ultrasn0w&diff=2792
Talk:Ultrasn0w
2009-01-09T07:31:49Z
<p>Darkmen: /* Darkmen's analysis */</p>
<hr />
<div>== Darkmen's analysis ==<br />
<br />
This analysis is somewhat incomplete, as it leaves out stage 2 of the injector that performs the hex to binary conversion for the payload. As it stands, the comment for offset 4 of the "Code loader" (internally called "stage 1" of the injector), the one that says "at-handler buffer where StrToHex result of the at-command is" is incorrect. The reason for the error is probably that the reverse engineer used "strings" on the yellowsn0w executable to find the injected payload of yellowsn0w and since the injector's stage 2 is in binary (the contents of memory at 0x40159FBF is thus ready-to-execute binary code, albeit misaligned), "strings", therefore, would not have yielded the code for stage 2. Overall, though, my cursory examination seems to indicate that the rest of the analysis (of the "meat" of the thing) is fairly accurate and commendable. :)<br />
<br />
--[[User:Planetbeing|Planetbeing]] 23:12, 8 January 2009 (UTC)<br />
<br />
It's true. I just took the at-string from the iPhone wiki post ;) Anyway, my point was to get the main idea.<br />
<br />
--[[User:Darkmen|Darkmen]] 07:31, 9 January 2009 (UTC)<br />
<br />
== Geohot's commentary ==<br />
<br />
Thinking about this, I know how I could've done the unlock. I'm so lazy. This might be what yellowsn0w does already; there's a little object code in your source, so I don't know :-)<br />
<br />
1. copy task_sim into memory<br />
2. patch task_sim in the usual way(too bad i don't really understand the baseband at all)<br />
3. modify the nucleus task struct to use the in memory task_sim(although idk why theres no execute on the stack, normal ram seems ok)<br />
4. reset the sim card<br />
<br />
no real reversing required. i could've had this in july dammit :-P<br />
<br />
i also think this approach might solve some people's problems with it dying after 10 minutes<br />
<br />
~geohot<br />
<br />
== Payload vs injection vector ==<br />
<br />
I edited the page in a way I felt was more accurate. Geohot deserves massive props for finding the vuln in 2.28, and maybe there should be a separate "iPhone 3G Unlock" page that notes that more prominently (noting the 2.2 unlock was dev team's payload with geohot's vuln), but yellowsn0w IS the payload and it doesn't make sense to give separate credits on this page for the injection vector.<br />
<br />
I don't know much about how yellowsn0w works myself, but I understand it took a lot of careful reverse engineering of the Nucleus OS and baseband tasks in order to pull off, so the payload honestly doesn't take the backseat to the vuln in this case.<br />
<br />
--[[User:Planetbeing|Planetbeing]] 16:47, 3 January 2009 (UTC)<br />
<br />
== nx ==<br />
<br />
heh, I think it is a standard thing for ARM for the stack to be nx. btw, of course there was reversing required, how else would you have found the injection hack itself x)<br />
<br />
== About AT+STKPROF exploit ==<br />
<br />
Is only 2.28 vulnerable to the at+stkprof exploit?<br />
<br />
== RE: About AT+STKPROF exploit ==<br />
<br />
afaik all versions 1.45 through 2.28 are vulnerable, but devteam only designed a payload for 2.28. not 100% on that though.</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=AT%2Bstkprof&diff=2756
AT+stkprof
2009-01-08T16:32:31Z
<p>Darkmen: /* Unlock task loop */</p>
<hr />
<div>Used as an injection vector for the first [[iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]].<br />
<br />
==Credit==<br />
[[geohot]]<br />
<br />
==Exploit==<br />
There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the [[X-Gold 608|iPhone 3G baseband]].<br />
<br />
==Implementation==<br />
The [[dev team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.<br />
<br />
The source code is also available here: [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
===New Implementation (yellowsn0w 0.9.6)===<br />
In the newest yellowsn0w, this command is still used as the injection vector for the exploit, but it is used differently. It is still the at+stkprof command, but the whole payload seems to be sent in one go.<br />
<br />
<pre><br />
at+stkprof=122064a541c044b1878222803d0107001320133f8e720470000bf9f1<br />
54000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8905120<br />
000000001010101020202020611301000c000000223B22270F32101C1743BAA<br />
50BA40E78213501D00C297810B47A847A8786146C046C046C046C0701118C<br />
93201340246C0E7EF370146C03030473829411+09pG79pG024803A10131016<br />
01FBD00004C711140F0B51C4B80268BB03601188008911A4C301CA0470025<br />
09909820A047071CC56080204000A047802214495200144B041C9847099B01<br />
93442303930A23013405930C23221C06930F49009502960495381C00230D4C<br />
A047021C002804D10B4908980B4B984703E00B490898094B98470BB0F0BD00<br />
0044B33B40AC201420641A0100A0583C20481A010040B53F20541A010000DD<br />
4620581A01006465767465616D31000000004F4B21004552524F52202564000<br />
0000030B5114D85B0114B281C6946FF229847009B0D2B11D101990D4B0A68<br />
1A6004334A681A608A680B4B13600B4B53600B4B93600123CB602023009328<br />
1C6946FF22074B9847DFE700005427234098591620BC792F4000FF000101040<br />
2040304040468D53E207878220<br />
</pre><br />
<br />
Anyone with a better insight feel free to comment / modify, as I didn't look any further into this, I just looked at the ztringz :)<br />
<br />
===yellowsn0w 0.9.6 with comments===<br />
The exploit consists of three parts:<br />
====Code loader====<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where StrToHex result of the at-command is<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12↓j<br />
ROM:00000006 LDRB R0, [R3] ; copying code until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; copying code until double quotes<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
ROM:00000014<br />
ROM:00000014 run ; CODE XREF: loader+A↑j<br />
ROM:00000014 BX R4 ; jump thumb code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
====Task creator====<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2↑o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jumptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving response ptr to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A↑j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64↑j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
====Unlock task loop====<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C↑o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44↓j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14↑j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
[[Category:Unlocking Methods]]</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=AT%2Bstkprof&diff=2755
AT+stkprof
2009-01-08T10:12:32Z
<p>Darkmen: yellowsn0w exploit comments</p>
<hr />
<div>Used as an injection vector for the first [[iPhone 3G]] [[Unlock 2.0|unlock]] [[yellowsn0w|payload]].<br />
<br />
==Credit==<br />
[[geohot]]<br />
<br />
==Exploit==<br />
There is a stack-based buffer overflow in the at+stkprof command that allows unsigned code execution on the [[X-Gold 608|iPhone 3G baseband]].<br />
<br />
==Implementation==<br />
The [[dev team]] used this exploit in the first public iPhone 3G unlock called [[yellowsn0w]]. It can be downloaded from Cydia, and is a daemon that will run in the background. It will inject their payload whenever the baseband is reset.<br />
<br />
The source code is also available [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2 here].<br />
<br />
===New Implementation (yellowsn0w 0.9.6)===<br />
In the newest yellowsn0w this command is still used as the injection vector for the exploit, but in a different way: it is still the at+stkprof command, but the whole payload appears to be sent in a single command.<br />
<br />
<pre><br />
at+stkprof=122064a541c044b1878222803d0107001320133f8e720470000bf9f1<br />
54000170100546e5640200000005c130100266e5640ddddddddeeeeeeeeb8905120<br />
000000001010101020202020611301000c000000223B22270F32101C1743BAA<br />
50BA40E78213501D00C297810B47A847A8786146C046C046C046C0701118C<br />
93201340246C0E7EF370146C03030473829411+09pG79pG024803A10131016<br />
01FBD00004C711140F0B51C4B80268BB03601188008911A4C301CA0470025<br />
09909820A047071CC56080204000A047802214495200144B041C9847099B01<br />
93442303930A23013405930C23221C06930F49009502960495381C00230D4C<br />
A047021C002804D10B4908980B4B984703E00B490898094B98470BB0F0BD00<br />
0044B33B40AC201420641A0100A0583C20481A010040B53F20541A010000DD<br />
4620581A01006465767465616D31000000004F4B21004552524F52202564000<br />
0000030B5114D85B0114B281C6946FF229847009B0D2B11D101990D4B0A68<br />
1A6004334A681A608A680B4B13600B4B53600B4B93600123CB602023009328<br />
1C6946FF22074B9847DFE700005427234098591620BC792F4000FF000101040<br />
2040304040468D53E207878220<br />
</pre><br />
<br />
Anyone with better insight, feel free to comment / modify, as I didn't look any further into this; I just looked at the ztringz :)<br />
<br />
[[Category:Unlocking Methods]]</div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=PMB8878&diff=2744
PMB8878
2009-01-07T18:16:49Z
<p>Darkmen: </p>
<hr />
<div>This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]].<br />
<br />
==Datasheet==<br />
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&folderId=db3a304312fcb1bc0113000c158f0004&fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.<br />
<br />
==Memory Map==<br />
<pre><br />
Region      Base        Size       Flags<br />
FLASH       0x20000000  0x1000000<br />
CODE        0x20000000  0x40000    0b0010 (bootstrapper)<br />
CODE        0x20040000  0xDC0000   0b0100 (main firmware)<br />
FFS         0x20A00000  0x100000   0b1100 (empty)<br />
DYNFFS      0x20A00000  0x100000   0b1100 (empty)<br />
FFS         0x20B00000  0x40000    0b1011 (empty)<br />
DYN_EEP     0x20E40000  0x80000    0b0110<br />
SECPACK     0x20EC0000  0x40000<br />
SECZONE     0x20F80000  0x40000<br />
STATIC_EEP  0x20FC0000  0x40000    0b0111<br />
RAM         0x40000000  0x800000<br />
</pre><br />
<br />
==MMU relocation table==<br />
[[Image:Bbmmu.png]]<br />
<br />
== Known Firmware Versions ==<br />
* [[1.43.00]] 2.0 (Build 5A331 - Internal Beta)<br />
* [[1.45.00]] 2.0 (Build 5A347 - Gold Master)<br />
* [[1.48.02]] 2.0.1 (Build 5B108)<br />
* [[2.04.03]] 2.1 (Build 5F90)<br />
* [[2.08.01]] 2.0.2 (Build 5C1)<br />
* [[2.11.07]] 2.1 (Build 5F136)<br />
* [[2.28.00]] 2.2 (Build 5G77)<br />
<br />
==Accessing Interactive Mode==<br />
Interactive mode isn't entered by sending characters to the baseband. Instead, a GPIO pin is raised with a kernel (IOKit) call, the "preupdate reset" selector, after the following sequence of calls on the baseband user client connection:<br />
<pre><br />
result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0); // reset<br />
result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0); // power set<br />
result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0); // configuring mux<br />
result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0); // powercycle<br />
result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0); // preupdate reset<br />
</pre></div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=File:Bbmmu.png&diff=2743
File:Bbmmu.png
2009-01-07T18:13:42Z
<p>Darkmen: </p>
<hr />
<div></div>
Darkmen
https://www.theiphonewiki.com/w/index.php?title=Normal_Mode&diff=2497
Normal Mode
2008-12-27T11:01:34Z
<p>Darkmen: SSL encryption disable</p>
<hr />
<div>This is the protocol iTunes uses to talk to the booted iPhone. It uses usbmux to provide TCP-like connectivity over a USB port, secured with SSL. iTunes runs a pairing process to establish the secure channel.<br />
There is a way to disable SSL encryption of the iTunes communication on jailbroken devices by patching the lockdownd binary:<br />
<br />
:(#) Disable SSL protection<br />
:(#) FW 2.1<br />
:(#) binary /usr/libexec/lockdownd<br />
:-0x1000<br />
:000112F8: 0C3098E5 0030A0E3 ; Conn.UseSSL = false<br />
<br />
After applying the patch, all packets between the iPhone and iTunes travel in the clear. A must-have for R&D people.<br />
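To check that a published binary patch really does what its comment claims, here is an added Python example (not from the wiki page or the dev team) that parses the patch line above and decodes both ARM words; the helper names parse_patch_line, decode_arm and explain are mine, the decoder covers only the two instruction forms this patch uses, and the file-offset delta is the page's -0x1000.<br />

```python
import struct

# Patch line copied from the page; leading ":" is wiki indentation, ";" starts a comment.
PATCH_LINE = ":000112F8: 0C3098E5 0030A0E3 ; Conn.UseSSL = false"
FILE_DELTA = -0x1000   # the page's ":-0x1000": virtual address -> file offset


def parse_patch_line(line):
    """Return (address, old_word, new_word). The hex groups are byte images in
    file order (little endian), so "0C3098E5" is the ARM word 0xE598300C."""
    body = line.split(";")[0].lstrip(":").replace(":", "")
    addr, old_hex, new_hex = body.split()
    word = lambda h: struct.unpack("<I", bytes.fromhex(h))[0]
    return int(addr, 16), word(old_hex), word(new_hex)


def decode_arm(word):
    """Minimal A32 decoder for the two forms this patch uses:
    LDR/STR Rd,[Rn,#imm12] and MOV Rd,#imm (rotated 8-bit immediate)."""
    if word >> 28 != 0xE:                  # only unconditional (AL) handled
        return "unsupported (conditional)"
    rd, rn = (word >> 12) & 0xF, (word >> 16) & 0xF
    op_class = (word >> 26) & 0b11
    imm_form = (word >> 25) & 1
    if op_class == 0b01 and not imm_form:  # single data transfer, immediate offset
        mnem = "LDR" if (word >> 20) & 1 else "STR"
        sign = "" if (word >> 23) & 1 else "-"
        return "%s R%d, [R%d, #%s0x%X]" % (mnem, rd, rn, sign, word & 0xFFF)
    if op_class == 0 and imm_form and ((word >> 21) & 0xF) == 0b1101:  # MOV
        rot, imm8 = ((word >> 8) & 0xF) * 2, word & 0xFF
        imm = ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF if rot else imm8
        return "MOV R%d, #0x%X" % (rd, imm)
    return "unsupported"


def explain(line=PATCH_LINE, delta=FILE_DELTA):
    """Summarise what the patch changes and where the word lives in the file."""
    addr, old, new = parse_patch_line(line)
    return {"vaddr": addr, "file_offset": addr + delta,
            "old": decode_arm(old), "new": decode_arm(new)}


if __name__ == "__main__":
    for key, val in explain().items():
        print("%-12s %s" % (key, hex(val) if isinstance(val, int) else val))
```

The output shows the load of the UseSSL field (LDR R3, [R8, #0xC]) being replaced by a constant zero (MOV R3, #0), which is exactly what the "Conn.UseSSL = false" comment claims.<br />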
==USBMux Protocol==<br />
<br />
===Resources===<br />
* [[MobileDevice Library]]<br />
* [http://wikee.iphwn.org/usb:usbmux The dev team's page on the topic]<br />
* [http://matt.colyer.name/projects/iphone-linux/index.php?title=Protocol_Documentation Protocol Documentation]<br />
* [http://matt.colyer.name/projects/iphone-linux/index.php?title=Main_Page iFuse]</div>
Darkmen