The iPhone Wiki - User contributions [en] (Atom feed, 2024-03-29T11:56:34Z, MediaWiki 1.31.14; https://www.theiphonewiki.com/w/api.php?action=feedcontributions&user=Whiteshinyapple&feedformat=atom)
ASR - 2011-08-14T10:14:51Z - https://www.theiphonewiki.com/w/index.php?title=ASR&diff=20316<p>Whiteshinyapple: </p>
<hr />
<div>'''A'''pple '''S'''ystem '''R'''estore.<br />
<br />
Application found on the [[Restore/Update Ramdisks]]. It writes the rootfs image to the actual [[NAND|system drive]] (ASR RESTORE), then verifies its checksum (ASR VERIFY).<br />
==ASR Verify Disassembly==<br />
<pre><br />
__text:00014204 loc_14204 ; CODE XREF: sub_13AB4+61E↑j<br />
__text:00014204 ; sub_13AB4+73E↑j<br />
__text:00014204 LDR R3, =(off_235E8 - 0x1420A)<br />
__text:00014206 ADD R3, PC<br />
__text:00014208 LDR R3, [R3]<br />
__text:0001420A LDR R3, [R3]<br />
__text:0001420C CMP R3, #0<br />
__text:0001420E BEQ loc_1427A<br />
__text:00014210 LDR R0, =(aImagePassedSig - 0x14216)<br />
__text:00014212 ADD R0, PC ; "Image passed signature verification"<br />
__text:00014214 BLX _warnx<br />
__text:00014218 B loc_1427A<br />
__text:0001421A ; ---------------------------------------------------------------------------<br />
__text:0001421A<br />
__text:0001421A loc_1421A ; CODE XREF: sub_13AB4+622↑j<br />
__text:0001421A ; sub_13AB4+628↑j ...<br />
__text:0001421A LDR.W R0, =(aImageFailedSig - 0x14222)<br />
__text:0001421E ADD R0, PC ; "Image failed signature verification"<br />
__text:00014220 BLX _warnx<br />
__text:00014224 MOVS R2, #0x50<br />
__text:00014226 B loc_1426E<br />
__text:00014228 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
{{stub|Apple Inc.}}</div>
Author: Whiteshinyapple
Nuit du hack 2010 - 2011-08-12T11:55:00Z - https://www.theiphonewiki.com/w/index.php?title=Nuit_du_hack_2010&diff=20274<p>Whiteshinyapple: removed invalid links</p>
<hr />
<div>{{DISPLAYTITLE:Nuit du Hack 2010}}<br />
"Night da Hack" comes from a rough translation of the French "Nuit du Hack". Started in 2003 by the Hackerz Voice team, and inspired by the world-famous [[DEF CON]], "Nuit du Hack" is one of the oldest French underground hacking conferences. (from its homepage)<br />
<br />
At the 2010 conference, which took place on [[Timeline#June|19 June 2010]], [[User:Geohot|geohot]] gave a talk about embedded security and said a few things about the iPhone, although the talk was mostly about embedded systems in general and PS3 hacking in particular. One interesting point was a mathematical approach to defeating RSA signature checks using the [http://en.wikipedia.org/wiki/Daniel_Bleichenbacher Bleichenbacher attack] (used for unlocking a Nokia phone). At the conference [[User:Geohot|geohot]] mentioned the term "[[pwned 4 life]]", which became famous afterwards.<br />
<br />
==English description of the presentation==<br />
The PS3 had been considered unbreakable for 3 years, during which it was not affected by piracy. On 23 January 2010, after 5 weeks of research, George Hotz claimed on his blog: "I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3." In this talk, the author explains the security mechanisms Sony uses to protect the console, and how to bypass them.<br />
<br />
==Links==<br />
* [http://nuitduhack.com/ Official website]<br />
* [http://2010.nuitduhack.com/slides/2010/night_da_hack_talk.pdf PDF Slides]<br />
* [http://www.dailymotion.com/video/xdsqmy_pcgen-fr-conference-geohot-nuit-du_videogames/ Video on DailyMotion]<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Another video on YouTube]<br />
* [http://v.youku.com/v_show/id_XMTgzNjQxMDQ4.html Another (or the same?) video on a Chinese site]<br />
<br />
==Transcript==<br />
<br />
(not done yet)<br />
<br />
[[Category:Events]]</div>
Author: Whiteshinyapple
Nuit du hack 2010 - 2011-08-12T11:48:50Z - https://www.theiphonewiki.com/w/index.php?title=Nuit_du_hack_2010&diff=20273<p>Whiteshinyapple: updated old links</p>
<hr />
<div>{{DISPLAYTITLE:Nuit du Hack 2010}}<br />
"Night da Hack" comes from a rough translation of the French "Nuit du Hack". Started in 2003 by the Hackerz Voice team, and inspired by the world-famous [[DEF CON]], "Nuit du Hack" is one of the oldest French underground hacking conferences. (from its homepage)<br />
<br />
At the 2010 conference, which took place on [[Timeline#June|19 June 2010]], [[User:Geohot|geohot]] gave a talk about embedded security and said a few things about the iPhone, although the talk was mostly about embedded systems in general and PS3 hacking in particular. One interesting point was a mathematical approach to defeating RSA signature checks using the [http://en.wikipedia.org/wiki/Daniel_Bleichenbacher Bleichenbacher attack] (used for unlocking a Nokia phone). At the conference [[User:Geohot|geohot]] mentioned the term "[[pwned 4 life]]", which became famous afterwards.<br />
<br />
==English description of the presentation==<br />
The PS3 had been considered unbreakable for 3 years, during which it was not affected by piracy. On 23 January 2010, after 5 weeks of research, George Hotz claimed on his blog: "I have read/write access to the entire system memory, and HV level access to the processor. In other words, I have hacked the PS3." In this talk, the author explains the security mechanisms Sony uses to protect the console, and how to bypass them.<br />
<br />
==Links==<br />
* [http://nuitduhack.com/ Official website]<br />
* [http://2010.nuitduhack.com/slides/2010/night_da_hack_talk.pdf PDF Slides]<br />
* [http://www.dailymotion.com/video/xdsqmy_pcgen-fr-conference-geohot-nuit-du_videogames/ Video on DailyMotion]<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Another video on YouTube]<br />
* [http://www.youtube.com/watch?v=Z3W8n_vq8hA Another YouTube video part 1] and [http://www.youtube.com/watch?v=DApEj_9AS-g part 2]<br />
* [http://v.youku.com/v_show/id_XMTgzNjQxMDQ4.html Another (or the same?) video on a Chinese site]<br />
<br />
==Transcript==<br />
<br />
(not done yet)<br />
<br />
[[Category:Events]]</div>
Author: Whiteshinyapple
S5L8930 - 2011-07-13T10:06:28Z - https://www.theiphonewiki.com/w/index.php?title=S5L8930&diff=19193<p>Whiteshinyapple: updated info</p>
<hr />
<div>An SoC developed by Apple's in-house chip design department. It is currently used in the [[k48ap|iPad]], [[N90ap|iPhone 4 GSM model]], [[K66ap|Apple TV 2G]], [[N81ap|iPod touch 4G]], and the [[N92ap|iPhone 4 CDMA model]]. Publicly, Apple refers to this chip as the '''A4'''.<br />
<br />
== Exploits ==<br />
<br />
=== [[S5L8930 (Bootrom)|Bootrom]] ===<br />
* [[limera1n]]<br />
* SHAtter<br />
<br />
=== [[iBoot]] ===<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0.1 (excluding iOS 3.2.2)<br />
* [[Packet Filter Kernel Exploit]] - Works up to [[iOS]] 4.1<br />
* [[HFS Legacy Volume Name Stack Buffer Overflow]] - Works up to [[iOS]] 4.2.8<br />
* [[ndrv_setspec() Integer Overflow]] - Works up to [[iOS]] 4.3.3<br />
<br />
=== [[Userland]] ===<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2<br />
* [[Malformed CFF Vulnerability]] - Works up to [[iOS]] 4.0.1 (excluding iOS 3.2.2)<br />
<br />
== Boot Chain ==<br />
[[S5L8930 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
== Specifications ==<br />
* '''CPU''': ARM Cortex-A8<br />
* '''GPU''': PowerVR SGX 535<br />
* '''A/V Playback''': PowerVR VXD<br />
* '''RAM''': 256 MB ([[K66ap|Apple TV 2G]], [[K48ap|iPad]], and [[N81ap|iPod touch 4G]]) or 512 MB ([[N90ap|iPhone 4]])<br />
<br />
Aside from the [[N90ap|iPhone 4]]'s additional RAM and an overall higher clock speed, these are the same specifications as the [[S5L8920]] and [[S5L8922]].<br />
<br />
== See also ==<br />
* [[S5L8930 (Bootrom)]]<br />
<br />
== Links ==<br />
* http://www.apple.com/ipad/specs/<br />
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx</div>
Author: Whiteshinyapple
JailbreakMe - 2011-07-06T06:45:39Z - https://www.theiphonewiki.com/w/index.php?title=JailbreakMe&diff=18865<p>Whiteshinyapple: </p>
<hr />
<div>JailbreakMe is a site that has been used multiple times to jailbreak iDevices. It is currently online with the [[Star]] Jailbreak by [[User:Comex|comex]].<br />
<br />
== First Incarnation (AppSnapp) ==<br />
Initially, [http://www.conceitedsoftware.com/ Conceited Software] used the [[LibTiff]] exploit on jailbreakme.com, which also went by the name "AppSnapp", to jailbreak iOS 1.1.1. Upon the release of iOS 2.0 and the debut of the App Store, Conceited Software closed JailbreakMe, after which it remained dormant for a while.<br />
<br />
== Second Incarnation (Star) ==<br />
{{main|Star}}<br />
[[User:Comex|comex]] has since repurposed the domain for [[Star]], his userland [[jailbreak]] for iOS 3.1.2 through 4.0.1. However, comex stated that the bug used for the untethered jailbreak was still present until 4.3, as Apple had not patched it correctly. It was properly patched in 4.3.1 in order to prevent the jailbreak of the iPad 2. It is still possible that the site could be repurposed to jailbreak iDevices up to 4.3, but this has not yet been done.<br />
<br />
== Third Incarnation (Saffron) ==<br />
{{main|Saffron}}<br />
<br />
== External Link ==<br />
[http://jailbreakme.com/ JailbreakME.com]<br />
<br />
{{stub|jailbreaking}}</div>
Author: Whiteshinyapple
S5L8930 - 2011-06-13T06:35:54Z - https://www.theiphonewiki.com/w/index.php?title=S5L8930&diff=18529<p>Whiteshinyapple: new bootchain for iOS 5?</p>
<hr />
<div>An SoC developed by Apple's in-house chip design department. It is currently used in the [[k48ap|iPad]], [[N90ap|iPhone 4 GSM model]], [[K66ap|Apple TV 2G]], [[N81ap|iPod touch 4G]], and the [[N92ap|iPhone 4 CDMA model]]. Publicly, Apple refers to this chip as the '''A4'''.<br />
<br />
== Exploits ==<br />
<br />
=== [[S5L8930 (Bootrom)|Bootrom]] ===<br />
* [[User:Geohot|Geohot]] used a bootrom exploit in [[limera1n]] that does not have publicly released technical details.<br />
* SHAtter<br />
<br />
=== [[iBoot]] ===<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0.1 (excluding iOS 3.2.2)<br />
* [[Packet Filter Kernel Exploit]] - Works up to [[iOS]] 4.1<br />
* [[HFS Legacy Volume Name Stack Buffer Overflow]] - Works up to [[iOS]] 4.2.8<br />
* [[ndrv_setspec() Integer Overflow]] - Works up to [[iOS]] 4.3.3<br />
<br />
=== [[Userland]] ===<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2<br />
* [[Malformed CFF Vulnerability]] - Works up to [[iOS]] 4.0.1 (excluding iOS 3.2.2)<br />
<br />
== Boot Chain ==<br />
[[S5L8930 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
iOS 5<br />
<br />
== Specifications ==<br />
* '''CPU''': ARM Cortex-A8<br />
* '''GPU''': PowerVR SGX 535<br />
* '''A/V Playback''': PowerVR VXD<br />
* '''RAM''': 256 MB ([[K66ap|Apple TV 2G]], [[K48ap|iPad]], and [[N81ap|iPod touch 4G]]) or 512 MB ([[N90ap|iPhone 4]])<br />
<br />
Aside from the [[N90ap|iPhone 4]]'s additional RAM and an overall higher clock speed, these are the same specifications as the [[S5L8920]] and [[S5L8922]].<br />
<br />
== See also ==<br />
* [[S5L8930 (Bootrom)]]<br />
<br />
== Links ==<br />
* http://www.apple.com/ipad/specs/<br />
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx</div>
Author: Whiteshinyapple
IBooty - 2011-05-02T13:13:33Z - https://www.theiphonewiki.com/w/index.php?title=IBooty&diff=17809<p>Whiteshinyapple: /* iBooty Version later then 2.0 */</p>
<hr />
<div>{{DISPLAYTITLE:iBooty}}<br />
[[Image:WFCF.png|left|Waiting For Custom Firmware]] <br />
== iBooty Version earlier than 1.8 ==<br />
It was a utility to aid in jailbreaking all [[iBoot-359.3.2|new bootrom]] devices on iOS 3.1.2.<br />
<br />
=== "Boot it!" Function ===<br />
iBooty uploads the payload, which is a pwned 3.1.2 iBoot, then uploads [[iBEC]] and jumps to it. It resets the connection and then uploads and sets up the device tree. Next it uploads and sets up iH8sn0w's logo. Finally, it uploads the [[kernelcache]] so that the device boots.<br />
<br />
=== "Prepare" Function ===<br />
It uploads the payload, then the [[iBEC]], and uploads and prepares the logo, which notifies you to begin the restore process.<br />
== iBooty Version later than 2.0 ==<br />
Utility to boot a tethered jailbroken device:<br />
<br>1. Exploits the [[bootrom]] with the [[limera1n]]/[[steaks4uce]] exploit<br />
<br>2. Uploads the pwned [[iBoot]] and [[LLB]]<br />
<br />
== Resources ==<br />
There's an open-source version of iBooty by [[User:Fallensn0w|Fallensn0w]] available at [http://github.com/fallensn0w/openiBooty @github]<br />
<br>This "version" of iBooty lets the user do "booty callz!" on any OS (Mac, Linux, Windows).</div>
Author: Whiteshinyapple
IBooty - 2011-05-02T12:59:07Z - https://www.theiphonewiki.com/w/index.php?title=IBooty&diff=17808<p>Whiteshinyapple: </p>
<hr />
<div>{{DISPLAYTITLE:iBooty}}<br />
[[Image:WFCF.png|left|Waiting For Custom Firmware]] <br />
== iBooty Version earlier than 1.8 ==<br />
It was a utility to aid in jailbreaking all [[iBoot-359.3.2|new bootrom]] devices on iOS 3.1.2.<br />
<br />
=== "Boot it!" Function ===<br />
iBooty uploads the payload, which is a pwned 3.1.2 iBoot, then uploads [[iBEC]] and jumps to it. It resets the connection and then uploads and sets up the device tree. Next it uploads and sets up iH8sn0w's logo. Finally, it uploads the [[kernelcache]] so that the device boots.<br />
<br />
=== "Prepare" Function ===<br />
It uploads the payload, then the [[iBEC]], and uploads and prepares the logo, which notifies you to begin the restore process.<br />
== iBooty Version later than 2.0 ==<br />
<br />
== Resources ==<br />
There's an open-source version of iBooty by [[User:Fallensn0w|Fallensn0w]] available at [http://github.com/fallensn0w/openiBooty @github]<br />
<br>This "version" of iBooty lets the user do "booty callz!" on any OS (Mac, Linux, Windows).</div>
Author: Whiteshinyapple
IBooty - 2011-05-02T12:58:50Z - https://www.theiphonewiki.com/w/index.php?title=IBooty&diff=17807<p>Whiteshinyapple: update</p>
<hr />
<div>{{DISPLAYTITLE:iBooty}}<br />
[[Image:WFCF.png|left|Waiting For Custom Firmware]] <br />
== iBooty Version earlier than 1.8 ==<br />
It was a utility to aid in jailbreaking all [[iBoot-359.3.2|new bootrom]] devices on iOS 3.1.2.<br />
<br />
=== "Boot it!" Function ===<br />
iBooty uploads the payload, which is a pwned 3.1.2 iBoot, then uploads [[iBEC]] and jumps to it. It resets the connection and then uploads and sets up the device tree. Next it uploads and sets up iH8sn0w's logo. Finally, it uploads the [[kernelcache]] so that the device boots.<br />
<br />
=== "Prepare" Function ===<br />
It uploads the payload, then the [[iBEC]], and uploads and prepares the logo, which notifies you to begin the restore process.<br />
== iBooty Version later than 2.0 ==<br />
<br />
== Resources ==<br />
There's an open-source version of iBooty by [[User:Fallensn0w|Fallensn0w]] available at [http://github.com/fallensn0w/openiBooty @github]<br />
<br>This "version" of iBooty lets the user do "booty callz!" on any OS (Mac, Linux, Windows).</div>
Author: Whiteshinyapple
Activation Token - 2011-04-25T11:14:46Z - https://www.theiphonewiki.com/w/index.php?title=Activation_Token&diff=17610<p>Whiteshinyapple: iActivator v2 for windows</p>
<hr />
<div>==Layout Activation Token==<br />
This is the [[wikipedia:Core Foundation|CFDictionary]] string representation which gets sent to Apple's server. The object can be obtained with the [[MobileDevice Library]] function AMDeviceCopyValue, passing "ActivationInfo" as the key.<br />
<pre><br />
<dict><br />
<key>ActivationInfoComplete</key><br />
<true/><br />
<key>ActivationInfoXML</key><br />
<data><br />
(base64-encoded activation info here)<br />
</data><br />
<key>FairPlayCertChain</key><br />
<data><br />
(base64-encoded cert in DER format)<br />
</data><br />
<key>FairPlaySignature</key><br />
<data><br />
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML)<br />
</data><br />
</dict><br />
</pre><br />
<br />
===Key: ActivationInfoXML===<br />
The ActivationInfo plist above has a key called ActivationInfoXML. The base64 data value of that key decodes to the plist below.<br />
<br />
<pre><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>ActivationRandomness</key><br />
<string>(GUID)</string><br />
<key>ActivationRequiresActivationTicket</key><br />
<true/><br />
<key>ActivationState</key><br />
<string>Unactivated</string><br />
<key>BasebandMasterKeyHash</key><br />
<string>(Hash of hardware IDs)</string><br />
<key>[[Baseband TEA Keys#Hardware Thumbprint Generation|BasebandThumbprint]]</key><br />
<string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)</string><br />
<key>BuildVersion</key><br />
<string>8A306</string><br />
<key>DeviceCertRequest</key><br />
<data><br />
(base64 encoded cert)<br />
</data><br />
<key>DeviceClass</key><br />
<string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string><br />
<key>IntegratedCircuitCardIdentity</key><br />
<string>(ICCID as base-10 string)</string><br />
<key>InternationalMobileEquipmentIdentity</key><br />
<string>(IMEI as base-10 string)</string><br />
<key>InternationalMobileSubscriberIdentity</key><br />
<string>(IMSI as base-10 string)</string><br />
<key>ModelNumber</key><br />
<string>MC135</string><br />
<key>PhoneNumber</key><br />
<string>(String like "+1 (555) 555-5555")</string><br />
<key>ProductType</key><br />
<string>iPhone2,1</string><br />
<key>ProductVersion</key><br />
<string>4.0.1</string><br />
<key>SIMGID1</key><br />
<data><br />
(base64-encoded binary GID1)<br />
</data><br />
<key>SIMGID2</key><br />
<data><br />
(base64-encoded binary GID2)<br />
</data><br />
<key>SIMStatus</key><br />
<string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string><br />
<key>SerialNumber</key><br />
<string>...</string><br />
<key>SupportsPostponement</key><br />
<true/><br />
<key>UniqueChipID</key><br />
<integer>...</integer><br />
<key>UniqueDeviceID</key><br />
<string>(hex UUID)</string><br />
</dict><br />
</plist><br />
</pre><br />
<br />
==Activation Protocol==<br />
Use SSL and send the request below, with the values filled in:<br />
<pre><br />
POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1<br />
Accept-Encoding: gzip<br />
Accept-Language: en-us, en;q=0.50<br />
Content-Type: multipart/form-data; boundary=DeviceActivation<br />
Content-Length: 1234<br />
Host: albert.apple.com<br />
Cache-Control: no-cache<br />
<br />
--DeviceActivation<br />
Content-Disposition: form-data; name="activation-info"<br />
<br />
<dict><br />
<key>ActivationInfoComplete</key><br />
<true/><br />
<key>ActivationInfoXML</key><br />
<data><br />
(base64-encoded activation info here)<br />
</data><br />
<key>FairPlayCertChain</key><br />
<data><br />
(base64-encoded cert in DER format)<br />
</data><br />
<key>FairPlaySignature</key><br />
<data><br />
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML)<br />
</data><br />
</dict><br />
</pre><br />
<br />
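As an added example (not part of the wiki page and not code from the tools listed under Resources), the Python script below builds the activation-info dictionary described above from constructed, made-up device values, wraps it in the multipart body of the request, and parses it back out, decoding both plist layers. The FairPlay certificate chain and signature are placeholders: the script only computes the SHA-1 over the exact ActivationInfoXML bytes that FairPlaySignature covers, it does not verify the RSA signature.<br />

```python
import hashlib
import plistlib

BOUNDARY = b"DeviceActivation"

# Constructed sample inner ActivationInfoXML plist; every identifier is made up.
SAMPLE_INNER = {
    "ActivationRandomness": "00000000-0000-4000-8000-000000000000",
    "ActivationRequiresActivationTicket": True,
    "ActivationState": "Unactivated",
    "BuildVersion": "8A306",
    "DeviceClass": "iPhone",
    "ProductType": "iPhone2,1",
    "ProductVersion": "4.0.1",
    "SIMStatus": "kCTSIMSupportSIMStatusReady",
    "SerialNumber": "EXAMPLESERIAL",
    "UniqueChipID": 1234567890,
    "UniqueDeviceID": "0123456789abcdef0123456789abcdef01234567",
}


def inner_digest(inner):
    """SHA-1 over the serialized ActivationInfoXML bytes: the data FairPlaySignature covers."""
    return hashlib.sha1(plistlib.dumps(inner)).hexdigest()


def build_activation_info(inner, cert_chain=b"PLACEHOLDER-DER-CERT",
                          signature=b"PLACEHOLDER-SIGNATURE"):
    """Outer activation-info plist. The inner plist is stored as <data>, so
    plistlib base64-encodes it; cert chain and signature are placeholders."""
    outer = {
        "ActivationInfoComplete": True,
        "ActivationInfoXML": plistlib.dumps(inner),
        "FairPlayCertChain": cert_chain,
        "FairPlaySignature": signature,
    }
    return plistlib.dumps(outer)


def build_multipart(activation_info):
    """Wrap the plist in the multipart/form-data body shown in the request above."""
    head = (b"--" + BOUNDARY + b"\r\n"
            + b'Content-Disposition: form-data; name="activation-info"\r\n\r\n')
    return head + activation_info + b"\r\n--" + BOUNDARY + b"--\r\n"


def parse_activation_info(body):
    """Pull the activation-info part out of the multipart body and decode both
    plist layers. Returns the fields a server-side check would look at."""
    head, sep, rest = body.partition(b"\r\n\r\n")
    if not sep or b'name="activation-info"' not in head:
        raise ValueError("multipart body has no activation-info part")
    payload = rest.split(b"\r\n--" + BOUNDARY, 1)[0]
    outer = plistlib.loads(payload)
    inner_bytes = outer["ActivationInfoXML"]   # <data> comes back as bytes, already base64-decoded
    inner = plistlib.loads(inner_bytes)
    return {
        "complete": outer["ActivationInfoComplete"],
        "signed_sha1": hashlib.sha1(inner_bytes).hexdigest(),
        "device_class": inner["DeviceClass"],
        "product_type": inner["ProductType"],
        "product_version": inner["ProductVersion"],
        "state": inner["ActivationState"],
        "udid": inner["UniqueDeviceID"],
        "has_cert": len(outer["FairPlayCertChain"]) > 0,
        "has_signature": len(outer["FairPlaySignature"]) > 0,
    }


if __name__ == "__main__":
    body = build_multipart(build_activation_info(SAMPLE_INNER))
    for field, value in parse_activation_info(body).items():
        print(f"{field}: {value}")
```

Because the signature is computed over the raw ActivationInfoXML bytes rather than over the parsed dictionary, any re-serialization of the inner plist (different key order, whitespace, or encoding) changes the digest; a verifier has to hash the bytes exactly as received.<br />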
==Resources==<br />
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate]<br />
* [[User:sn0wra1n|iSn0wra1n]]'s [http://github.com/iSn0wra1n/iActivator iActivator v2 for Windows]<br />
<br />
[[Category:Baseband]]</div>
Author: Whiteshinyapple
Talk:SIM hacks - 2011-04-20T10:15:32Z - https://www.theiphonewiki.com/w/index.php?title=Talk:SIM_hacks&diff=17579<p>Whiteshinyapple: </p>
<hr />
<div>== drg ==<br />
<br />
I suggest we keep commercial links off this page<br />
<br />
==Gevey Sim==<br />
Someone should add about the [http://www.redmondpie.com/gevey-sim-unlock-for-iphone-4-ios-4.3-4.2.1-on-2.10.04-3.10.01-baseband-video/ Gevey Sim] --[[User:Whiteshinyapple|Whiteshinyapple]] 10:15, 20 April 2011 (UTC)</div>
Author: Whiteshinyapple
MobileDevice Library - 2011-04-12T13:04:34Z - https://www.theiphonewiki.com/w/index.php?title=MobileDevice_Library&diff=17380<p>Whiteshinyapple: Manzana doesn't work with latest iTunes :( so CFManzana</p>
<hr />
<div>The MobileDevice Library is used by [[iTunes]] to transfer data between an iPhone and a computer over the USB connection.<br />
<br />
===PC Windows : iTunesMobileDevice.dll===<br />
The DLL is written using Microsoft Visual C++ 8.0 DLL Method [2].<br />
<br />
* Location: the path is stored in the '''iTunesMobileDeviceDLL''' registry value under the '''HKLM\SOFTWARE\Apple Inc.\Apple Mobile Device Support\Shared''' key, usually C:\Program Files\Common Files\Apple\Mobile Device Support\bin\iTunesMobileDevice.dll.<br />
<br />
* The supporting CoreFoundation.dll (used for CFStringRef and CFPropertyListRef management) is located in the same directory (when using iTunes prior to 9.0).<br />
<br />
* For iTunes 9.0, the location of CoreFoundation.dll is stored in the '''InstallDir''' registry value under the '''HKLM\SOFTWARE\Apple Inc.\Apple Application Support''' key, usually C:\Program Files\Common Files\Apple\Apple Application Support\. The CoreFoundation.dll from Mobile Device Support\bin should not be used.<br />
<br />
===Mac OSX : MobileDevice.framework===<br />
<br />
* Location : /System/Library/PrivateFrameworks/MobileDevice.framework<br />
* Export command : "nm /System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice"<br />
<br />
===MobileDevice Header (mobiledevice.h)===<br />
<br />
Reverse engineered C header for MobileDevice Library.<br />
<br />
<pre><br />
/* ----------------------------------------------------------------------------<br />
* MobileDevice.h - interface to MobileDevice.framework <br />
* ------------------------------------------------------------------------- */<br />
#pragma once<br />
<br />
#ifndef MOBILEDEVICE_H<br />
#define MOBILEDEVICE_H<br />
<br />
#ifdef __cplusplus<br />
extern "C" {<br />
#endif<br />
<br />
#ifndef __GCC__<br />
#pragma pack<br />
#define __PACK<br />
#else<br />
#define __PACK __attribute__((__packed__))<br />
#endif<br />
<br />
#if defined(WIN32)<br />
#define __DLLIMPORT [DllImport("iTunesMobileDevice.dll")]<br />
using namespace System::Runtime::InteropServices;<br />
#include <CoreFoundation.h><br />
typedef unsigned int mach_error_t;<br />
#elif defined(__APPLE__)<br />
#define __DLLIMPORT<br />
#include <CoreFoundation/CoreFoundation.h><br />
#include <mach/error.h><br />
#endif <br />
<br />
/* Error codes */<br />
#define MDERR_APPLE_MOBILE (err_system(0x3a))<br />
#define MDERR_IPHONE (err_sub(0))<br />
<br />
/* Apple Mobile (AM*) errors */<br />
#define MDERR_OK ERR_SUCCESS<br />
#define MDERR_SYSCALL (ERR_MOBILE_DEVICE | 0x01)<br />
#define MDERR_OUT_OF_MEMORY (ERR_MOBILE_DEVICE | 0x03)<br />
#define MDERR_QUERY_FAILED (ERR_MOBILE_DEVICE | 0x04) <br />
#define MDERR_INVALID_ARGUMENT (ERR_MOBILE_DEVICE | 0x0b)<br />
#define MDERR_DICT_NOT_LOADED (ERR_MOBILE_DEVICE | 0x25)<br />
<br />
/* Apple File Connection (AFC*) errors */<br />
#define MDERR_AFC_OUT_OF_MEMORY 0x03<br />
<br />
/* USBMux errors */<br />
#define MDERR_USBMUX_ARG_NULL 0x16<br />
#define MDERR_USBMUX_FAILED 0xffffffff<br />
<br />
/* Messages passed to device notification callbacks: passed as part of<br />
* am_device_notification_callback_info. */<br />
#define ADNCI_MSG_CONNECTED 1<br />
#define ADNCI_MSG_DISCONNECTED 2<br />
#define ADNCI_MSG_UNSUBSCRIBED 3<br />
<br />
#define AMD_IPHONE_PRODUCT_ID 0x1290<br />
//#define AMD_IPHONE_SERIAL ""<br />
<br />
/* Services, found in /System/Library/Lockdown/Services.plist */<br />
#define AMSVC_AFC CFSTR("com.apple.afc")<br />
#define AMSVC_BACKUP CFSTR("com.apple.mobilebackup")<br />
#define AMSVC_CRASH_REPORT_COPY CFSTR("com.apple.crashreportcopy")<br />
#define AMSVC_DEBUG_IMAGE_MOUNT CFSTR("com.apple.mobile.debug_image_mount")<br />
#define AMSVC_NOTIFICATION_PROXY CFSTR("com.apple.mobile.notification_proxy")<br />
#define AMSVC_PURPLE_TEST CFSTR("com.apple.purpletestr")<br />
#define AMSVC_SOFTWARE_UPDATE CFSTR("com.apple.mobile.software_update")<br />
#define AMSVC_SYNC CFSTR("com.apple.mobilesync")<br />
#define AMSVC_SCREENSHOT CFSTR("com.apple.screenshotr")<br />
#define AMSVC_SYSLOG_RELAY CFSTR("com.apple.syslog_relay")<br />
#define AMSVC_SYSTEM_PROFILER CFSTR("com.apple.mobile.system_profiler")<br />
<br />
typedef unsigned int afc_error_t;<br />
typedef unsigned int usbmux_error_t;<br />
<br />
struct am_recovery_device;<br />
<br />
struct am_device_notification_callback_info {<br />
struct am_device *dev; /* 0 device */ <br />
unsigned int msg; /* 4 one of ADNCI_MSG_* */<br />
struct am_device_notification* subscription; <br />
} __PACK;<br />
<br />
/* The type of the device restore notification callback functions.<br />
* TODO: change to correct type. */<br />
typedef void (*am_restore_device_notification_callback)(struct am_recovery_device *);<br />
<br />
/* This is a CoreFoundation object of class AMRecoveryModeDevice. */<br />
struct am_recovery_device {<br />
unsigned char unknown0[8]; /* 0 */<br />
am_restore_device_notification_callback callback; /* 8 */<br />
void *user_info; /* 12 */<br />
unsigned char unknown1[12]; /* 16 */<br />
unsigned int readwrite_pipe; /* 28 */<br />
unsigned char read_pipe; /* 32 */<br />
unsigned char write_ctrl_pipe; /* 33 */<br />
unsigned char read_unknown_pipe; /* 34 */<br />
unsigned char write_file_pipe; /* 35 */<br />
unsigned char write_input_pipe; /* 36 */<br />
} __PACK;<br />
<br />
/* A CoreFoundation object of class AMRestoreModeDevice. */<br />
struct am_restore_device {<br />
unsigned char unknown[32];<br />
int port;<br />
} __PACK;<br />
<br />
/* The type of the device notification callback function. */<br />
typedef void(*am_device_notification_callback)(struct am_device_notification_callback_info *, int cookie);<br />
<br />
/* The type of the _AMDDeviceAttached function.<br />
* TODO: change to correct type. */<br />
typedef void *amd_device_attached_callback;<br />
<br />
/* Structure that contains internal data used by AMDevice... functions. Never try <br />
* to access its members directly! Use AMDeviceCopyDeviceIdentifier, <br />
* AMDeviceGetConnectionID, AMDeviceRetain, AMDeviceRelease instead. */<br />
struct am_device {<br />
unsigned char unknown0[16]; /* 0 - zero */<br />
unsigned int device_id; /* 16 */<br />
unsigned int product_id; /* 20 - set to AMD_IPHONE_PRODUCT_ID */<br />
char *serial; /* 24 - set to UDID, Unique Device Identifier */<br />
unsigned int unknown1; /* 28 */<br />
unsigned int unknown2; /* 32 - reference counter, increased by AMDeviceRetain, decreased by AMDeviceRelease*/<br />
unsigned int lockdown_conn; /* 36 */<br />
unsigned char unknown3[8]; /* 40 */<br />
#if (__ITUNES_VER > 740)<br />
unsigned int unknown4; /* 48 - used to store CriticalSection Handle*/<br />
#endif<br />
#if (__ITUNES_VER >= 800)<br />
unsigned char unknown5[24]; /* 52 */<br />
#endif<br />
} __PACK;<br />
<br />
struct am_device_notification {<br />
unsigned int unknown0; /* 0 */<br />
unsigned int unknown1; /* 4 */<br />
unsigned int unknown2; /* 8 */<br />
am_device_notification_callback callback; /* 12 */ <br />
unsigned int cookie; /* 16 */<br />
} __PACK;<br />
<br />
struct afc_connection {<br />
unsigned int handle; /* 0 */<br />
unsigned int unknown0; /* 4 */<br />
unsigned char unknown1; /* 8 */<br />
unsigned char padding[3]; /* 9 */<br />
unsigned int unknown2; /* 12 */<br />
unsigned int unknown3; /* 16 */<br />
unsigned int unknown4; /* 20 */<br />
unsigned int fs_block_size; /* 24 */<br />
unsigned int sock_block_size; /* 28: always 0x3c */<br />
unsigned int io_timeout; /* 32: from AFCConnectionOpen, usu. 0 */<br />
void *afc_lock; /* 36 */<br />
unsigned int context; /* 40 */<br />
} __PACK;<br />
<br />
<br />
<br />
struct afc_device_info {<br />
unsigned char unknown[12]; /* 0 */<br />
} __PACK;<br />
<br />
struct afc_directory {<br />
unsigned char unknown[0]; /* size unknown */<br />
} __PACK;<br />
<br />
struct afc_dictionary {<br />
unsigned char unknown[0]; /* size unknown */<br />
} __PACK;<br />
<br />
typedef unsigned long long afc_file_ref;<br />
<br />
struct usbmux_listener_1 { /* offset value in iTunes */<br />
unsigned int unknown0; /* 0 1 */<br />
unsigned char *unknown1; /* 4 ptr, maybe device? */<br />
amd_device_attached_callback callback; /* 8 _AMDDeviceAttached */<br />
unsigned int unknown3; /* 12 */<br />
unsigned int unknown4; /* 16 */<br />
unsigned int unknown5; /* 20 */<br />
} __PACK;<br />
<br />
struct usbmux_listener_2 {<br />
unsigned char unknown0[4144];<br />
} __PACK;<br />
<br />
struct am_bootloader_control_packet {<br />
unsigned char opcode; /* 0 */<br />
unsigned char length; /* 1 */<br />
unsigned char magic[2]; /* 2: 0x34, 0x12 */<br />
unsigned char payload[0]; /* 4 */<br />
} __PACK;<br />
<br />
/* ----------------------------------------------------------------------------<br />
* Public routines<br />
* ------------------------------------------------------------------------- */<br />
<br />
/* Registers a notification with the current run loop. The callback gets<br />
* copied into the notification struct, as well as being registered with the<br />
* current run loop. The cookie gets copied into the notification struct in the same way.<br />
* (Cookie is a user info parameter that gets passed as an arg to<br />
* the callback) unused0 and unused1 are both 0 when iTunes calls this.<br />
*<br />
* Never try to access directly or copy the contents of the dev and subscription fields<br />
* in am_device_notification_callback_info. Treat them as abstract handles. <br />
* When done with connection use AMDeviceRelease to free resources allocated for am_device.<br />
* <br />
* Returns:<br />
* MDERR_OK if successful<br />
* MDERR_SYSCALL if CFRunLoopAddSource() failed<br />
* MDERR_OUT_OF_MEMORY if we ran out of memory<br />
*/<br />
__DLLIMPORT mach_error_t AMDeviceNotificationSubscribe(am_device_notification_callback callback, <br />
unsigned int unused0, unsigned int unused1, <br />
unsigned int cookie, <br />
struct am_device_notification **subscription);<br />
<br />
<br />
/* Unregisters notifications. Buggy (iTunes 8.2): if you subscribe, unsubscribe and subscribe again, arriving <br />
notifications will contain cookie and subscription from 1st call to subscribe, not the 2nd one. iTunes <br />
calls this function only once on exit.<br />
*/<br />
__DLLIMPORT mach_error_t AMDeviceNotificationUnsubscribe(struct am_device_notification *subscription);<br />
<br />
/* Returns device_id field of am_device structure<br />
*/<br />
__DLLIMPORT unsigned int AMDeviceGetConnectionID(struct am_device *device);<br />
<br />
/* Returns serial field of am_device structure<br />
*/<br />
__DLLIMPORT CFStringRef AMDeviceCopyDeviceIdentifier(struct am_device *device);<br />
<br />
/* Connects to the iPhone. Pass in the am_device structure that the<br />
* notification callback will give to you.<br />
*<br />
* Returns:<br />
* MDERR_OK if successfully connected<br />
* MDERR_SYSCALL if setsockopt() failed<br />
* MDERR_QUERY_FAILED if the daemon query failed<br />
* MDERR_INVALID_ARGUMENT if USBMuxConnectByPort returned 0xffffffff<br />
*/<br />
__DLLIMPORT mach_error_t AMDeviceConnect(struct am_device *device);<br />
<br />
/* Calls PairingRecordPath() on the given device, then tests whether the path<br />
* which that function returns exists. During the initial connect, the path<br />
* returned by that function is '/', and so this returns 1.<br />
*<br />
* Returns:<br />
* 0 if the path did not exist<br />
* 1 if it did<br />
*/<br />
__DLLIMPORT mach_error_t AMDeviceIsPaired(struct am_device *device);<br />
__DLLIMPORT mach_error_t AMDevicePair(struct am_device *device);<br />
<br />
/* iTunes calls this function immediately after testing whether the device is<br />
* paired. It creates a pairing file and establishes a Lockdown connection.<br />
*<br />
* Returns:<br />
* MDERR_OK if successful<br />
* MDERR_INVALID_ARGUMENT if the supplied device is null<br />
* MDERR_DICT_NOT_LOADED if the load_dict() call failed<br />
*/<br />
__DLLIMPORT mach_error_t AMDeviceValidatePairing(struct am_device *device);<br />
<br />
/* Creates a Lockdown session and adjusts the device structure appropriately<br />
* to indicate that the session has been started. iTunes calls this function<br />
* after validating pairing.<br />
*<br />
* Returns:<br />
* MDERR_OK if successful<br />
* MDERR_INVALID_ARGUMENT if the Lockdown conn has not been established<br />
* MDERR_DICT_NOT_LOADED if the load_dict() call failed<br />
*/<br />
__DLLIMPORT mach_error_t AMDeviceStartSession(struct am_device *device);<br />
<br />
<br />
/* Reads various device settings. One of the domain or cfstring arguments should be NULL.<br />
*<br />
* Possible values for cfstring:<br />
* ActivationState<br />
* ActivationStateAcknowledged<br />
* BasebandBootloaderVersion<br />
* BasebandVersion<br />
* BluetoothAddress<br />
* BuildVersion<br />
* DeviceCertificate<br />
* DeviceClass<br />
* DeviceName<br />
* DevicePublicKey<br />
* FirmwareVersion<br />
* HostAttached<br />
* IntegratedCircuitCardIdentity<br />
* InternationalMobileEquipmentIdentity<br />
* InternationalMobileSubscriberIdentity<br />
* ModelNumber<br />
* PhoneNumber<br />
* ProductType<br />
* ProductVersion<br />
* ProtocolVersion<br />
* RegionInfo<br />
* SBLockdownEverRegisteredKey<br />
* SIMStatus<br />
* SerialNumber<br />
* SomebodySetTimeZone<br />
* TimeIntervalSince1970<br />
* TimeZone<br />
* TimeZoneOffsetFromUTC<br />
* TrustedHostAttached<br />
* UniqueDeviceID<br />
* Uses24HourClock<br />
* WiFiAddress<br />
* iTunesHasConnected<br />
*<br />
* Possible values for domain:<br />
* com.apple.mobile.battery<br />
*/<br />
__DLLIMPORT CFStringRef AMDeviceCopyValue(struct am_device *device, CFStringRef domain, CFStringRef cfstring);<br />
<br />
/* Starts a service and returns a socket file descriptor that can be used in order to further<br />
* access the service. You should stop the session and disconnect before using<br />
* the service. iTunes calls this function after starting a session. It starts <br />
* the service and the SSL connection. service_name should be one of the AMSVC_*<br />
* constants.<br />
*<br />
* Returns:<br />
* MDERR_OK if successful<br />
* MDERR_SYSCALL if the setsockopt() call failed<br />
* MDERR_INVALID_ARGUMENT if the Lockdown conn has not been established<br />
*/<br />
__DLLIMPORT mach_error_t AMDeviceStartService(struct am_device *device, CFStringRef <br />
service_name, int *socket_fd);<br />
<br />
/* Stops a session. You should do this before accessing services.<br />
*<br />
* Returns:<br />
* MDERR_OK if successful<br />
* MDERR_INVALID_ARGUMENT if the Lockdown conn has not been established<br />
*/<br />
__DLLIMPORT mach_error_t AMDeviceStopSession(struct am_device *device);<br />
<br />
/* Decrements the reference counter and, if nothing is left, releases the resources held<br />
 * by the connection and invalidates the pointer to the device<br />
*/<br />
__DLLIMPORT void AMDeviceRelease(struct am_device *device);<br />
<br />
/* Increments reference counter<br />
*/<br />
__DLLIMPORT void AMDeviceRetain(struct am_device *device);<br />
<br />
/* Opens an Apple File Connection. You must start the appropriate service<br />
* first with AMDeviceStartService(). In iTunes, io_timeout is 0.<br />
*<br />
* Returns:<br />
* MDERR_OK if successful<br />
* MDERR_AFC_OUT_OF_MEMORY if malloc() failed<br />
*/<br />
__DLLIMPORT afc_error_t AFCConnectionOpen(int socket_fd, unsigned int io_timeout,<br />
struct afc_connection **conn);<br />
<br />
<br />
/* Copy an environment variable value from iBoot<br />
*/<br />
__DLLIMPORT CFStringRef AMRecoveryModeCopyEnvironmentVariable(struct am_recovery_device *rdev, CFStringRef var);<br />
<br />
/* Pass in a pointer to an afc_dictionary structure. It will be filled. You can<br />
* iterate it using AFCKeyValueRead. When done use AFCKeyValueClose. Possible keys:<br />
* FSFreeBytes - free bytes on system device for afc2, user device for afc<br />
* FSBlockSize - filesystem block size<br />
* FSTotalBytes - size of device<br />
* Model - iPhone1,1 etc.<br />
<br />
*/<br />
__DLLIMPORT afc_error_t AFCDeviceInfoOpen(struct afc_connection *conn, struct<br />
afc_dictionary **info);<br />
<br />
/* Turns debug mode on if the environment variable AFCDEBUG is set to a numeric<br />
* value, or if the file '/AFCDEBUG' is present and contains a value. */<br />
#if defined(__APPLE__)<br />
void AFCPlatformInitialize();<br />
#endif<br />
<br />
/* Opens a directory on the iPhone. Pass in a pointer in dir to be filled in.<br />
* Note that this normally only accesses the iTunes [[sandbox]]/partition as the<br />
* root, which is /var/root/Media. Pathnames are specified with '/' delimiters<br />
* as in Unix style. Use UTF-8 to specify non-ASCII symbols in path.<br />
*<br />
* Returns:<br />
* MDERR_OK if successful<br />
*/<br />
__DLLIMPORT afc_error_t AFCDirectoryOpen(struct afc_connection *conn, char *path, struct<br />
afc_directory **dir);<br />
<br />
/* Acquires the next entry in a directory previously opened with<br />
* AFCDirectoryOpen(). When dirent is filled with a NULL value, then the end<br />
* of the directory has been reached. '.' and '..' will be returned as the<br />
* first two entries in each directory except the root; you may want to skip<br />
* over them.<br />
*<br />
* Returns:<br />
* MDERR_OK if successful, even if no entries remain<br />
*/<br />
__DLLIMPORT afc_error_t AFCDirectoryRead(struct afc_connection *conn, struct afc_directory *dir,<br />
char **dirent);<br />
__DLLIMPORT afc_error_t AFCDirectoryClose(afc_connection *conn, struct afc_directory *dir);<br />
__DLLIMPORT afc_error_t AFCDirectoryCreate(afc_connection *conn, char *dirname);<br />
__DLLIMPORT afc_error_t AFCRemovePath(afc_connection *conn, char *dirname);<br />
__DLLIMPORT afc_error_t AFCRenamePath(afc_connection *conn, char *oldpath, char *newpath);<br />
<br />
#if (__ITUNES_VER >= 800)<br />
/* Creates symbolic or hard link<br />
* linktype - int64: 1 means hard link, 2 - soft (symbolic) link<br />
* target - absolute or relative path to link target<br />
* linkname - absolute path where to create new link<br />
*/<br />
__DLLIMPORT afc_error_t AFCLinkPath(struct afc_connection *conn, long long int linktype, const char *target, <br />
const char *linkname);<br />
<br />
#endif<br />
/* Opens a file for reading or writing without locking it in any way. An afc_file_ref should not be shared between threads: <br />
 * opening a file in one thread and closing it in another may crash.<br />
* path - UTF-8 encoded absolute path to file<br />
* mode 2 = read, mode 3 = write; unknown = 0 <br />
* ref - receives file handle<br />
*/<br />
__DLLIMPORT afc_error_t AFCFileRefOpen(struct afc_connection *conn, char *path, unsigned<br />
long long int mode, afc_file_ref *ref);<br />
/* Reads up to len bytes from the file into buf. On return, len holds the number of bytes actually read<br />
*/<br />
__DLLIMPORT afc_error_t AFCFileRefRead(struct afc_connection *conn, afc_file_ref ref,<br />
void *buf, unsigned int *len);<br />
/* Writes specified amount (len) of bytes from buf into file.<br />
*/<br />
__DLLIMPORT afc_error_t AFCFileRefWrite(struct afc_connection *conn, afc_file_ref ref,<br />
void *buf, unsigned int len);<br />
/* Moves the file pointer to a specified location.<br />
* offset - Number of bytes from origin (int64)<br />
* origin - 0 = from beginning, 1 = from current position, 2 = from end<br />
*/<br />
__DLLIMPORT afc_error_t AFCFileRefSeek(struct afc_connection *conn, afc_file_ref ref,<br />
unsigned long long offset, int origin, int unused);<br />
<br />
/* Gets the current position of a file pointer into offset argument.<br />
*/<br />
__DLLIMPORT afc_error_t AFCFileRefTell(struct afc_connection *conn, afc_file_ref ref,<br />
unsigned long long* offset);<br />
<br />
/* Truncates a file at the specified offset.<br />
*/<br />
__DLLIMPORT afc_error_t AFCFileRefSetFileSize(struct afc_connection *conn, afc_file_ref ref,<br />
unsigned long long offset);<br />
<br />
<br />
__DLLIMPORT afc_error_t AFCFileRefLock(struct afc_connection *conn, afc_file_ref ref);<br />
__DLLIMPORT afc_error_t AFCFileRefUnlock(struct afc_connection *conn, afc_file_ref ref);<br />
__DLLIMPORT afc_error_t AFCFileRefClose(struct afc_connection *conn, afc_file_ref ref);<br />
<br />
/* Opens dictionary describing specified file or directory (iTunes below 8.2 allowed using AFCGetFileInfo<br />
to get the same information)<br />
*/<br />
__DLLIMPORT afc_error_t AFCFileInfoOpen(struct afc_connection *conn, char *path, struct<br />
afc_dictionary **info);<br />
<br />
/* Reads the next entry from the dictionary. When the last entry has been read, the function returns NULL in the key argument<br />
Possible keys:<br />
"st_size": val - size in bytes<br />
"st_blocks": val - size in blocks<br />
"st_nlink": val - number of hardlinks<br />
"st_ifmt": val - "S_IFDIR" for folders<br />
"S_IFLNK" for symlinks<br />
"LinkTarget": val - path to symlink target<br />
*/<br />
__DLLIMPORT afc_error_t AFCKeyValueRead(struct afc_dictionary *dict, char **key, char **<br />
val);<br />
/* Closes dictionary<br />
*/<br />
__DLLIMPORT afc_error_t AFCKeyValueClose(struct afc_dictionary *dict);<br />
<br />
<br />
/* Returns the context field of the given AFC connection. */<br />
__DLLIMPORT unsigned int AFCConnectionGetContext(struct afc_connection *conn);<br />
<br />
/* Returns the fs_block_size field of the given AFC connection. */<br />
__DLLIMPORT unsigned int AFCConnectionGetFSBlockSize(struct afc_connection *conn);<br />
<br />
/* Returns the io_timeout field of the given AFC connection. In iTunes this is<br />
* 0. */<br />
__DLLIMPORT unsigned int AFCConnectionGetIOTimeout(struct afc_connection *conn);<br />
<br />
/* Returns the sock_block_size field of the given AFC connection. */<br />
__DLLIMPORT unsigned int AFCConnectionGetSocketBlockSize(struct afc_connection *conn);<br />
<br />
/* Closes the given AFC connection. */<br />
__DLLIMPORT afc_error_t AFCConnectionClose(struct afc_connection *conn);<br />
<br />
/* Registers for device notifications related to the restore process. unknown0<br />
* is zero when iTunes calls this. In iTunes,<br />
* the callbacks are located at:<br />
* 1: $3ac68e-$3ac6b1, calls $3ac542(unknown1, arg, 0)<br />
* 2: $3ac66a-$3ac68d, calls $3ac542(unknown1, 0, arg)<br />
* 3: $3ac762-$3ac785, calls $3ac6b2(unknown1, arg, 0)<br />
* 4: $3ac73e-$3ac761, calls $3ac6b2(unknown1, 0, arg)<br />
*/<br />
__DLLIMPORT unsigned int AMRestoreRegisterForDeviceNotifications(<br />
am_restore_device_notification_callback dfu_connect_callback,<br />
am_restore_device_notification_callback recovery_connect_callback,<br />
am_restore_device_notification_callback dfu_disconnect_callback,<br />
am_restore_device_notification_callback recovery_disconnect_callback,<br />
unsigned int unknown0,<br />
void *user_info);<br />
<br />
/* Causes the restore functions to spit out (unhelpful) progress messages to<br />
* the file specified by the given path. iTunes always calls this right before<br />
* restoring with a path of<br />
* "$HOME/Library/Logs/iPhone Updater Logs/iPhoneUpdater X.log", where X is an<br />
* unused number.<br />
*/<br />
__DLLIMPORT unsigned int AMRestoreEnableFileLogging(char *path);<br />
<br />
/* Initializes a new option dictionary to default values. Pass the constant<br />
* kCFAllocatorDefault as the allocator. The option dictionary looks as<br />
* follows:<br />
* {<br />
* NORImageType => 'production',<br />
* AutoBootDelay => 0,<br />
* KernelCacheType => 'Release',<br />
* UpdateBaseband => true,<br />
* DFUFileType => 'RELEASE',<br />
* SystemImageType => 'User',<br />
* CreateFilesystemPartitions => true,<br />
* FlashNOR => true,<br />
* RestoreBootArgs => 'rd=md0 nand-enable-reformat=1 -progress'<br />
* BootImageType => 'User'<br />
* }<br />
*<br />
* Returns:<br />
* the option dictionary if successful<br />
* NULL if out of memory<br />
*/ <br />
__DLLIMPORT CFMutableDictionaryRef AMRestoreCreateDefaultOptions(CFAllocatorRef allocator);<br />
<br />
/* ----------------------------------------------------------------------------<br />
* Less-documented public routines<br />
* ------------------------------------------------------------------------- */<br />
<br />
__DLLIMPORT unsigned int AMRestorePerformRecoveryModeRestore(struct am_recovery_device *<br />
rdev, CFDictionaryRef opts, void *callback, void *user_info);<br />
__DLLIMPORT unsigned int AMRestorePerformRestoreModeRestore(struct am_restore_device *<br />
rdev, CFDictionaryRef opts, void *callback, void *user_info);<br />
__DLLIMPORT struct am_restore_device *AMRestoreModeDeviceCreate(unsigned int unknown0,<br />
unsigned int connection_id, unsigned int unknown1);<br />
__DLLIMPORT unsigned int AMRestoreCreatePathsForBundle(CFStringRef restore_bundle_path,<br />
CFStringRef kernel_cache_type, CFStringRef boot_image_type, unsigned int<br />
unknown0, CFStringRef *firmware_dir_path, CFStringRef *<br />
kernelcache_restore_path, unsigned int unknown1, CFStringRef *<br />
ramdisk_path);<br />
__DLLIMPORT unsigned int AMRestoreModeDeviceReboot(struct am_restore_device *rdev); // Added by JB 30.07.2008<br />
__DLLIMPORT mach_error_t AMDeviceEnterRecovery(struct am_device *device);<br />
__DLLIMPORT mach_error_t AMDeviceDisconnect(struct am_device *device);<br />
<br />
<br />
/* to use this, start the service "com.apple.mobile.notification_proxy", handle will be the socket to use */<br />
typedef void (*NOTIFY_CALLBACK)(CFSTR notification, USERDATA data);<br />
__DLLIMPORT mach_error_t AMDPostNotification(SOCKET socket, CFStringRef notification, CFStringRef userinfo);<br />
__DLLIMPORT mach_error_t AMDObserveNotification(SOCKET socket, CFSTR notification);<br />
__DLLIMPORT mach_error_t AMDListenForNotifications(SOCKET socket, NOTIFY_CALLBACK cb, USERDATA data);<br />
__DLLIMPORT mach_error_t AMDShutdownNotificationProxy(SOCKET socket);<br />
<br />
/*edits by geohot*/<br />
__DLLIMPORT mach_error_t AMDeviceDeactivate(struct am_device *device);<br />
__DLLIMPORT mach_error_t AMDeviceActivate(struct am_device *device, CFDictionaryRef dict);<br />
__DLLIMPORT mach_error_t AMDeviceRemoveValue(struct am_device *device, unsigned int, CFStringRef cfstring);<br />
<br />
/* ----------------------------------------------------------------------------<br />
* Semi-private routines<br />
* ------------------------------------------------------------------------- */<br />
<br />
/* Pass in a usbmux_listener_1 structure and a usbmux_listener_2 structure<br />
* pointer, which will be filled with the resulting usbmux_listener_2.<br />
*<br />
* Returns:<br />
* MDERR_OK if completed successfully<br />
* MDERR_USBMUX_ARG_NULL if one of the arguments was NULL<br />
* MDERR_USBMUX_FAILED if the listener was not created successfully<br />
*/<br />
__DLLIMPORT usbmux_error_t USBMuxListenerCreate(struct usbmux_listener_1 *esi_fp8, struct<br />
usbmux_listener_2 **eax_fp12);<br />
<br />
/* ----------------------------------------------------------------------------<br />
* Less-documented semi-private routines<br />
* ------------------------------------------------------------------------- */<br />
__DLLIMPORT usbmux_error_t USBMuxListenerHandleData(void *);<br />
<br />
/* ----------------------------------------------------------------------------<br />
* Private routines - here be dragons<br />
* ------------------------------------------------------------------------- */<br />
<br />
/* AMRestorePerformRestoreModeRestore() calls this function with a dictionary<br />
* in order to perform certain special restore operations<br />
* (RESTORED_OPERATION_*). It is thought that this function might enable<br />
* significant access to the phone. */<br />
<br />
/*<br />
typedef unsigned int (*t_performOperation)(struct am_restore_device *rdev,<br />
CFDictionaryRef op) __attribute__ ((regparm(2)));<br />
t_performOperation _performOperation = (t_performOperation)0x3c39fa4b;<br />
*/ <br />
<br />
/* ----------------------------------------------------------------------------<br />
* Less-documented private routines<br />
* ------------------------------------------------------------------------- */<br />
<br />
<br />
/*<br />
typedef int (*t_socketForPort)(struct am_restore_device *rdev, unsigned int port)<br />
__attribute__ ((regparm(2)));<br />
t_socketForPort _socketForPort = (t_socketForPort)(void *)0x3c39f36c;<br />
<br />
typedef void (*t_restored_send_message)(int port, CFDictionaryRef msg);<br />
t_restored_send_message _restored_send_message = (t_restored_send_message)0x3c3a4e40;<br />
<br />
typedef CFDictionaryRef (*t_restored_receive_message)(int port);<br />
t_restored_receive_message _restored_receive_message = (t_restored_receive_message)0x3c3a4d40;<br />
<br />
typedef unsigned int (*t_sendControlPacket)(struct am_recovery_device *rdev, unsigned<br />
int msg1, unsigned int msg2, unsigned int unknown0, unsigned int *unknown1,<br />
unsigned char *unknown2) __attribute__ ((regparm(3)));<br />
t_sendControlPacket _sendControlPacket = (t_sendControlPacket)0x3c3a3da3;;<br />
<br />
typedef unsigned int (*t_sendCommandToDevice)(struct am_recovery_device *rdev,<br />
CFStringRef cmd) __attribute__ ((regparm(2)));<br />
t_sendCommandToDevice _sendCommandToDevice = (t_sendCommandToDevice)0x3c3a3e3b;<br />
<br />
typedef unsigned int (*t_AMRUSBInterfaceReadPipe)(unsigned int readwrite_pipe, unsigned<br />
int read_pipe, unsigned char *data, unsigned int *len);<br />
t_AMRUSBInterfaceReadPipe _AMRUSBInterfaceReadPipe = (t_AMRUSBInterfaceReadPipe)0x3c3a27e8;<br />
<br />
typedef unsigned int (*t_AMRUSBInterfaceWritePipe)(unsigned int readwrite_pipe, unsigned<br />
int write_pipe, void *data, unsigned int len);<br />
t_AMRUSBInterfaceWritePipe _AMRUSBInterfaceWritePipe = (t_AMRUSBInterfaceWritePipe)0x3c3a27cb;<br />
*/<br />
<br />
int performOperation(am_restore_device *rdev, CFMutableDictionaryRef message);<br />
int socketForPort(am_restore_device *rdev, unsigned int portnum);<br />
int sendCommandToDevice(am_recovery_device *rdev, CFStringRef cfs, int block);<br />
int sendFileToDevice(am_recovery_device *rdev, CFStringRef filename); <br />
<br />
<br />
#ifdef __cplusplus<br />
}<br />
#endif<br />
<br />
#endif<br />
<br />
/* -*- mode:c; indent-tabs-mode:nil; c-basic-offset:2; tab-width:2; */<br />
</pre><br />
<br />
===AFC Connection===<br />
...<br />
<br />
===Locking the Device for Sync===<br />
When iTunes sends a new song to the device, the device shows a "Sync in progress" screen and when complete, the Music app on the device re-reads the iTunesDB file so it picks up the new song.<br />
<br />
To get this behaviour, first start the notification service:<br />
<pre>SOCKET socket;<br />
AMDeviceStartService(dev, CFSTR("com.apple.mobile.notification_proxy"), &socket, NULL);</pre><br />
<br />
Now we post a notification message to signal that we are going to start a sync:<br />
<pre>AMDPostNotification(socket, CFSTR("com.apple.itunes-mobdev.syncWillStart"), NULL);</pre><br />
<br />
Next we open the itunes lock file:<br />
<pre>afc_file_ref lockref;<br />
AFCFileRefOpen(conn, "/com.apple.itunes.lock_sync", 2, &lockref);</pre><br />
<br />
Now post a notification to say we are going to lock this file, and try to lock it.<br />
If the AFCFileRefLock call fails, pause and repeat.<br />
<pre>AMDPostNotification(socket, CFSTR("com.apple.itunes-mobdev.syncLockRequest"), NULL);<br />
mach_error_t error = AFCFileRefLock(conn, lockref);</pre><br />
<br />
When the file is successfully locked, post another notification, and stop the notification service.<br />
<pre>AMDPostNotification(socket,CFSTR("com.apple.itunes-mobdev.syncDidStart"), NULL);<br />
AMDShutdownNotificationProxy(socket);</pre><br />
<br />
Now the sync can proceed, so copy your files across and make the changes to the iTunesDB.<br />
<br />
To release the lock, start the notification system again, unlock and close the lock file, and send a sync finished notification message:<br />
<br />
<pre>AFCFileRefUnlock(conn, lockref);<br />
AFCFileRefClose(conn, lockref);<br />
AMDeviceStartService(dev, CFSTR("com.apple.mobile.notification_proxy"), &socket, NULL);<br />
AMDPostNotification(socket, CFSTR("com.apple.itunes-mobdev.syncDidFinish"), NULL);<br />
AMDShutdownNotificationProxy(socket);</pre><br />
<br />
To handle "Slide to Cancel" and terminate the sync when the user slides the cancel switch, use AMDObserveNotification to subscribe to notifications about "com.apple.itunes-client.syncCancelRequest". Then start listening for notifications (AMDListenForNotifications) until you get "AMDNotificationFaceplant".<br />
When that notification arrives, unlock and close the lock file handle (it is not clear whether you also need to post "syncDidFinish" to the proxy; it seems not to matter) and terminate the sync gracefully.<br />
The same notification also arrives when you unplug the device, so you should always be ready for errors.<br />
<br />
NOTE: You may find that starting the notification_proxy service only once, at the start of your app, and using the same socket in all calls to AMDPostNotification works better. iTunes opens and closes the notification_proxy regularly, but it appears to be a bit flaky when you open/close it all the time.<br />
<br />
===Known Functions===<br />
<br />
AFCLockCreate<br />
AFCLockFree<br />
AFCLockLock<br />
AFCLockTryLock<br />
AFCLockUnlock<br />
AFCStringBufferAlloc<br />
AFCStringBufferAppend<br />
AFCStringBufferFree<br />
AFCStringCopy<br />
MISProfileCopyPayload<br />
MISProfileCopySignerSubjectSummary<br />
MISProfileCreateDataRepresentation<br />
MISProfileCreateWithData<br />
MISProfileCreateWithFile<br />
MISProfileGetValue<br />
MISProfileIsMutable<br />
MISProfileValidateSignature<br />
MISProfileValidateSignatureWithAnchors<br />
MISProfileWriteToFile<br />
MISProvisioningProfileCheckValidity<br />
MISProvisioningProfileGetCreationDate<br />
MISProvisioningProfileGetDeveloperCertificates<br />
MISProvisioningProfileGetExpirationDate<br />
MISProvisioningProfileGetName<br />
MISProvisioningProfileGetProvisionedDevices<br />
MISProvisioningProfileGetUUID<br />
MISProvisioningProfileGetVersion<br />
MISProvisioningProfileIncludesDevice<br />
MISProvisioningProfileProvisionsAllDevices<br />
MISProvisioningProfileValidateSignature<br />
AFCConnectionClose<br />
AFCConnectionGetContext<br />
AFCConnectionGetFSBlockSize<br />
AFCConnectionGetIOTimeout<br />
AFCConnectionGetSocketBlockSize<br />
AFCConnectionOpen<br />
AFCConnectionSetContext<br />
AFCConnectionSetFSBlockSize<br />
AFCConnectionSetFatalError<br />
AFCConnectionSetIOTimeout<br />
AFCConnectionSetSocketBlockSize<br />
AFCDeviceInfoOpen<br />
AFCDirectoryClose<br />
AFCDirectoryCreate<br />
AFCDirectoryOpen<br />
AFCDirectoryRead<br />
AFCDiscardBodyData<br />
AFCDiscardData<br />
AFCErrnoToAFCError<br />
AFCFileInfoOpen<br />
AFCFileRefClose<br />
AFCFileRefLock<br />
AFCFileRefOpen<br />
AFCFileRefRead<br />
AFCFileRefSeek<br />
AFCFileRefSetFileSize<br />
AFCFileRefTell<br />
AFCFileRefUnlock<br />
AFCFileRefWrite<br />
AFCFlushData<br />
AFCGetClientVersionString<br />
AFCGetDeviceInfo<br />
AFCGetFileInfo<br />
AFCInitHeader<br />
AFCKeyValueClose<br />
AFCKeyValueRead<br />
AFCParseDataPacketHeader<br />
AFCParseStatusPacket<br />
AFCReadData<br />
AFCReadPacket<br />
AFCReadPacketBody<br />
AFCReadPacketHeader<br />
AFCRemovePath<br />
AFCRenamePath<br />
AFCSendData<br />
AFCSendDataPacket<br />
AFCSendHeader<br />
AFCSendPacket<br />
AFCSendStatus<br />
AFCValidateHeader<br />
AMDFUModeDeviceGetLocationID<br />
AMDFUModeDeviceGetProductID<br />
AMDFUModeDeviceGetProductType<br />
AMDFUModeDeviceGetProgress<br />
AMDFUModeDeviceGetTypeID<br />
AMDListenForNotifications<br />
AMDObserveNotification<br />
AMDPostNotification<br />
AMDShutdownNotificationProxy<br />
AMDeviceActivate<br />
AMDeviceArchiveApplication<br />
AMDeviceConnect<br />
AMDeviceCopyDeviceIdentifier<br />
AMDeviceCopyProvisioningProfiles<br />
AMDeviceCopyValue<br />
AMDeviceDeactivate<br />
AMDeviceDisconnect<br />
AMDeviceEnterRecovery<br />
AMDeviceGetConnectionID<br />
AMDeviceInstallApplication<br />
AMDeviceInstallProvisioningProfile<br />
AMDeviceIsPaired<br />
AMDeviceIsValid<br />
AMDeviceLookupApplicationArchives<br />
AMDeviceLookupApplications<br />
AMDeviceNotificationGetThreadHandle<br />
AMDeviceNotificationSubscribe<br />
AMDeviceNotificationUnsubscribe<br />
AMDevicePair<br />
AMDeviceRelease<br />
AMDeviceRemoveApplicationArchive<br />
AMDeviceRemoveProvisioningProfile<br />
AMDeviceRemoveValue<br />
AMDeviceRestoreApplication<br />
AMDeviceRetain<br />
AMDeviceSetValue<br />
AMDeviceSoftwareUpdate<br />
AMDeviceStartHouseArrestService<br />
AMDeviceStartService<br />
AMDeviceStartSession<br />
AMDeviceStopSession<br />
AMDeviceTransferApplication<br />
AMDeviceUninstallApplication<br />
AMDeviceValidatePairing<br />
AMRecoveryModeDeviceCopyIMEI<br />
AMRecoveryModeDeviceCopySerialNumber<br />
AMRecoveryModeDeviceGetLocationID<br />
AMRecoveryModeDeviceGetProductID<br />
AMRecoveryModeDeviceGetProductType<br />
AMRecoveryModeDeviceGetProgress<br />
AMRecoveryModeDeviceGetSecurityEpoch<br />
AMRecoveryModeDeviceGetTypeID<br />
AMRecoveryModeDeviceReboot<br />
AMRecoveryModeDeviceSetAutoBoot<br />
AMRecoveryModeGetSoftwareBuildVersion<br />
AMRestoreCreateBootArgsByAddingArg<br />
AMRestoreCreateBootArgsByRemovingArg<br />
AMRestoreCreateDefaultOptions<br />
AMRestoreCreateDefaultOptionsForIdentification<br />
AMRestoreCreatePathsForBundle<br />
AMRestoreDisableFileLogging<br />
AMRestoreEnableExtraDFUDevices<br />
AMRestoreEnableFileLogging<br />
AMRestoreGetSupportedPayloadVersion<br />
AMRestoreModeDeviceCopyIMEI<br />
AMRestoreModeDeviceCopyRestoreLog<br />
AMRestoreModeDeviceCopySerialNumber<br />
AMRestoreModeDeviceCreate<br />
AMRestoreModeDeviceGetDeviceID<br />
AMRestoreModeDeviceGetLocationID<br />
AMRestoreModeDeviceGetProgress<br />
AMRestoreModeDeviceGetTypeID<br />
AMRestoreModeDeviceReboot<br />
AMRestorePerformDFURestore<br />
AMRestorePerformRecoveryModeRestore<br />
AMRestorePerformRestoreModeRestore<br />
AMRestoreRegisterForDeviceNotifications<br />
AMRestoreSetLogLevel<br />
AMSBackup<br />
AMSBeginSync<br />
AMSBeginSyncForDataClasses<br />
AMSCancelBackupRestore<br />
AMSCancelCrashReportCopy<br />
AMSCancelSync<br />
AMSCancelSyncDiagnostics<br />
AMSCleanup<br />
AMSConnectToCrashReportCopyTarget<br />
AMSCopyAndSubmitCrashLogs<br />
AMSCopyAndSubmitCrashLogsFromTarget<br />
AMSCopyApplicationListFromBackup<br />
AMSCopyCrashReportPath<br />
AMSCopyCrashReportsFromTarget<br />
AMSCopySourcesForRestoreCompatibleWith<br />
AMSDisconnectFromCrashReportCopyTarget<br />
AMSGetAOSUsername<br />
AMSGetApplicationProviderInfo<br />
AMSGetCalendarDayLimit<br />
AMSGetClientIdentifierAndDisplayNameForTarget<br />
AMSGetCollectionsForDataClassName<br />
AMSGetConflictInformation<br />
AMSGetConflictInformationForIdentifiers<br />
AMSGetCrashReportCopyPreferencesForTarget<br />
AMSGetDCAChangeInformation<br />
AMSGetDataChangeAlertInfo<br />
AMSGetDataClassInfoForTarget<br />
AMSGetLastSyncDateForDataClass<br />
AMSGetNewRecordCalendarName<br />
AMSGetNewRecordGroupName<br />
AMSGetNumberOfCrashReportsToCopy<br />
AMSGetNumberOfCrashReportsToSubmit<br />
AMSGetSourcesForRestore<br />
AMSGetSupportedDataClassNames<br />
AMSInitialize<br />
AMSRefreshCollectionsForDataClassName<br />
AMSRegisterCallbacks<br />
AMSRegisterClientWithTargetIdentifierAndDisplayName<br />
AMSResetSyncData<br />
AMSRestore<br />
AMSRestoreWithApplications<br />
AMSRunSyncDiagnostics<br />
AMSSetCalendarDayLimit<br />
AMSSetConflictWinners<br />
AMSSetCrashReportCopyPreferencesForTarget<br />
AMSSetDataChangeAlertInfo<br />
AMSSetDataClassInfoForTarget<br />
AMSSetDesignatedProviderForDataClassName<br />
AMSSetFilteredCollectionNamesForDataClassName<br />
AMSSetNewRecordCalendarName<br />
AMSSetNewRecordGroupName<br />
AMSSubmitCrashReportsFromTarget<br />
AMSSyncConflictsSelections<br />
AMSUnregisterTarget<br />
ASRServerHandleConnection<br />
GoogleSyncConduitCopyUsername<br />
GoogleSyncConduitRegisterClient<br />
GoogleSyncConduitSetUsernameAndPassword<br />
GoogleSyncConduitUnregisterClient<br />
GoogleSyncConduitValidateUser<br />
USBMuxConnectByPort<br />
USBMuxListenForDevices<br />
USBMuxListenerClose<br />
USBMuxListenerCreate<br />
USBMuxListenerGetEvent<br />
USBMuxListenerGetFD<br />
USBMuxListenerHandleData<br />
USBMuxListenerSetDebug<br />
YahooConduitCopyYahooID<br />
YahooConduitIsTokenValid<br />
YahooConduitLastSyncError<br />
YahooConduitRegister<br />
YahooConduitUnregister<br />
kAMDMobileDeviceVersionNumber<br />
kLDErrorInvalidResponse<br />
lockdown_activate<br />
lockdown_connection_create<br />
lockdown_connection_destroy<br />
lockdown_get_value<br />
lockdown_goodbye<br />
lockdown_pair<br />
lockdown_remove_value<br />
lockdown_service_start<br />
lockdown_session_start<br />
lockdown_session_stop<br />
lockdown_set_value<br />
<br />
===Private Functions===<br />
<br />
====How to find the address of private functions in iTunesMobileDevice.dll or MobileDevice.framework====<br />
<br />
In order to obtain the address of a usable private function in MobileDevice, you will have to be able to understand x86-64 assembly to reverse engineer it. A private function will not have its name exported in the mach-o symbol table, so in a debugger, like GDB, it will show up as part of another function. However, you will know that it is a separate function as a new stack frame is set up.<br />
<br />
====Private Function Address List====<br />
<br />
=====OSX.6 - iTunes 9.0.2(25)=====<br />
<pre>unsigned int sendCommandToiBoot(struct am_recovery_device *rdev, CFStringRef command, int u);</pre><br />
The address is obtainable by adding 868 (0x364) to the address of AMRecoveryDeviceGetProductType(), a public symbol that you can obtain via nlist() or dlsym(). <br />
Address: 0x1000245ea<br />
<br />
Parameters<br />
1. rdev - the device you wish to send the command to.<br />
2. a CFStringRef of the command to send.<br />
3. an integer, whose use is currently unknown, but should be set to 0 to work.<br />
<br />
<pre>unsigned int sendFileToiDevice(struct am_recovery_device *rdev, CFStringRef filename);</pre><br />
The address is obtainable by adding 1763 (0x6e3) to the address of AMRecoveryDeviceGetProductType(), a public symbol that you can obtain via nlist() or dlsym().<br />
Address: 0x100024969<br />
<br />
Parameters<br />
1. rdev - the device you wish to send the file to.<br />
2. a CFStringRef of the path to the file to send.<br />
<br />
=====OSX.6 - iTunes 9.0.3(15)=====<br />
<pre>unsigned int sendCommandToiBoot(struct am_recovery_device *rdev, CFStringRef command, int u);</pre><br />
Address: AMRecoveryDeviceGetProductType() + 0x37f (895); full offset: 0x2a0ed<br />
<br />
<pre>unsigned int sendFileToiDevice(struct am_recovery_device *rdev, CFStringRef filename);</pre><br />
Address: AMRecoveryDeviceGetProductType() + 0x6f3 (1790); full offset: 0x2a46c<br />
<br />
As of now, Apple has decided to make these functions public with the following names:<br />
<br />
*_AMRecoveryModeDeviceSendFileToDevice <br />
*_AMRecoveryModeDeviceSendCommandToDevice<br />
*_AMRecoveryModeDeviceSendBlindCommandToDevice<br />
<br />
The last of those returns no response from the device. The parameters are presumably the same as, or similar to, those of the private functions. They are not the same functions, however: the exported ones appear to call the formerly private ones.<br />
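<br />
The address arithmetic above, together with the "new stack frame" check the text describes, as an added example in Python with ctypes. This is not code from the page, from MobileDevice or from iTunes; the names resolve_private, looks_like_frame_setup, resolve_from_framework and MOBILEDEVICE_PATH are this example's own, and the framework path is an assumption. The offset table is the page's (with sendFileToiDevice for 9.0.3 taken as 0x6fe, the value implied by the page's decimal and full-offset figures). The prologue check refuses to hand back a callable unless the bytes at the computed address look like an x86-64 function entry, which is the cheap way to notice that the offsets do not match the MobileDevice build you actually loaded.<br />

```python
import ctypes
import platform

# Public anchor symbol and the per-iTunes-build offsets listed on this page.
ANCHOR_SYMBOL = "AMRecoveryDeviceGetProductType"
PRIVATE_OFFSETS = {
    "9.0.2(25)": {"sendCommandToiBoot": 0x364, "sendFileToiDevice": 0x6e3},
    # For 9.0.3(15) the page's decimal value 1790 and full offset 0x2a46c
    # both give 0x6fe for sendFileToiDevice.
    "9.0.3(15)": {"sendCommandToiBoot": 0x37f, "sendFileToiDevice": 0x6fe},
}

# Assumed location of the framework binary on OS X (not stated on the page).
MOBILEDEVICE_PATH = "/System/Library/PrivateFrameworks/MobileDevice.framework/MobileDevice"

# Prototypes from the page: unsigned int return, struct pointer + CFStringRef (+ int).
SEND_COMMAND_PROTO = ctypes.CFUNCTYPE(ctypes.c_uint, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_int)
SEND_FILE_PROTO = ctypes.CFUNCTYPE(ctypes.c_uint, ctypes.c_void_p, ctypes.c_void_p)


def resolve_private(anchor_addr, itunes_build, name):
    """Private function address = address of the public anchor + build-specific offset."""
    return anchor_addr + PRIVATE_OFFSETS[itunes_build][name]


def looks_like_frame_setup(code):
    """Sanity check before calling a computed address: an x86-64 function built
    with frame pointers starts with push rbp; mov rbp, rsp (55 48 89 e5)."""
    return bytes(code[:4]) == b"\x55\x48\x89\xe5"


def resolve_from_framework(itunes_build, name, path=MOBILEDEVICE_PATH):
    """dlsym the anchor through ctypes, add the offset and return a callable,
    but only if the bytes at that address look like a function entry.
    Returns None on anything other than OS X, where the framework does not exist."""
    if platform.system() != "Darwin":
        return None
    lib = ctypes.CDLL(path)
    anchor_addr = ctypes.cast(getattr(lib, ANCHOR_SYMBOL), ctypes.c_void_p).value
    addr = resolve_private(anchor_addr, itunes_build, name)
    if not looks_like_frame_setup(ctypes.string_at(addr, 4)):
        raise RuntimeError(
            f"{name}: no frame setup at {addr:#x}; offsets do not match this MobileDevice build"
        )
    proto = SEND_COMMAND_PROTO if name == "sendCommandToiBoot" else SEND_FILE_PROTO
    return proto(addr)


if __name__ == "__main__":
    # Pure arithmetic, reproducing the 9.0.2(25) figures from the page.
    anchor = 0x1000245EA - 0x364
    for fn in ("sendCommandToiBoot", "sendFileToiDevice"):
        print(fn, hex(resolve_private(anchor, "9.0.2(25)", fn)))
```

Calling the returned function pointer still requires a valid am_recovery_device pointer and a CFStringRef from CoreFoundation; the check above only guards against a wrong offset, not against a changed calling convention, so re-verify the prototype in the disassembler whenever iTunes is updated.<br />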
<br />
===Library Implementations===<br />
<br />
* [https://github.com/iSn0wra1n/CFManzana CFManzana (MobileDevice Library for Windows with CoreFoundation support)]<br />
* [http://www.libimobiledevice.org/ Libimobiledevice (provides the same functionality on GNU/Linux)]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Activation_Token&diff=17320Activation Token2011-04-08T07:20:14Z<p>Whiteshinyapple: Needs SSL</p>
<hr />
<div>==Layout Activation Token==<br />
This is the XML representation of the [[wikipedia:Core Foundation|CFDictionary]] that gets sent to Apple's activation server. The dictionary can be obtained through the [[MobileDevice Library]] by calling AMDeviceCopyValue with the "ActivationInfo" key.<br />
<dict><br />
<key>ActivationInfoComplete</key><br />
<true/><br />
<key>ActivationInfoXML</key><br />
<data><br />
(base64-encoded activation info here)<br />
</data><br />
<key>FairPlayCertChain</key><br />
<data><br />
(base64-encoded cert in DER format)<br />
</data><br />
<key>FairPlaySignature</key><br />
<data><br />
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML)<br />
</data><br />
</dict><br />
<br />
===Key: ActivationInfoXML===<br />
The ActivationInfo dictionary above has a key called ActivationInfoXML. Its base64-encoded data value decodes to the plist below; these exact bytes are what the FairPlaySignature is computed over.<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>ActivationRandomness</key><br />
<string>(GUID)</string><br />
<key>ActivationRequiresActivationTicket</key><br />
<true/><br />
<key>ActivationState</key><br />
<string>Unactivated</string><br />
<key>BasebandMasterKeyHash</key><br />
<string>(Hash of hardware IDs)</string><br />
<key>[[Baseband TEA Keys#Hardware Thumbprint Generation|BasebandThumbprint]]</key><br />
<string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)</string><br />
<key>BuildVersion</key><br />
<string>8A306</string><br />
<key>DeviceCertRequest</key><br />
<data><br />
(base64 encoded cert)<br />
</data><br />
<key>DeviceClass</key><br />
<string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string><br />
<key>IntegratedCircuitCardIdentity</key><br />
<string>(ICCID as base-10 string)</string><br />
<key>InternationalMobileEquipmentIdentity</key><br />
<string>(IMEI as base-10 string)</string><br />
<key>InternationalMobileSubscriberIdentity</key><br />
<string>(IMSI as base-10 string)</string><br />
<key>ModelNumber</key><br />
<string>MC135</string><br />
<key>PhoneNumber</key><br />
<string>(String like "+1 (555) 555-5555")</string><br />
<key>ProductType</key><br />
<string>iPhone2,1</string><br />
<key>ProductVersion</key><br />
<string>4.0.1</string><br />
<key>SIMGID1</key><br />
<data><br />
(base64-encoded binary GID1)<br />
</data><br />
<key>SIMGID2</key><br />
<data><br />
(base64-encoded binary GID2)<br />
</data><br />
<key>SIMStatus</key><br />
<string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string><br />
<key>SerialNumber</key><br />
<string>...</string><br />
<key>SupportsPostponement</key><br />
<true/><br />
<key>UniqueChipID</key><br />
<integer>...</integer><br />
<key>UniqueDeviceID</key><br />
<string>(hex UUID)</string><br />
</dict><br />
</plist><br />
<br />
==Activation Protocol==<br />
Use SSL and send the request below with the device's values filled in. The Content-Length shown is a placeholder and must equal the actual length of the multipart body.<br />
POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1<br />
Accept-Encoding: gzip<br />
Accept-Language: en-us, en;q=0.50<br />
Content-Type: multipart/form-data; boundary=DeviceActivation<br />
Content-Length: 1234<br />
Host: albert.apple.com<br />
Cache-Control: no-cache<br />
<br />
--DeviceActivation<br />
Content-Disposition: form-data; name="activation-info"<br />
<br />
<dict><br />
<key>ActivationInfoComplete</key><br />
<true/><br />
<key>ActivationInfoXML</key><br />
<data><br />
(base64-encoded activation info here)<br />
</data><br />
<key>FairPlayCertChain</key><br />
<data><br />
(base64-encoded cert in DER format)<br />
</data><br />
<key>FairPlaySignature</key><br />
<data><br />
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML)<br />
</data><br />
</dict><br />
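<br />
The request above, built and parsed end to end, as an added example that is not code from the page or from ideviceactivate. It nests the ActivationInfoXML plist as base64 data inside the outer dictionary, wraps that in the multipart/form-data body with the DeviceActivation boundary, and computes the real Content-Length in place of the placeholder 1234. The device fields in SAMPLE_DEVICE, the certificate chain and the signature bytes are constructed placeholders; the outer dictionary is serialised here as a complete XML plist, which is an assumption (the page shows only its dict element); and a real client sends this over SSL/TLS to albert.apple.com, which this offline example does not do. signed_digest shows which bytes the FairPlaySignature (SHA1+RSA) covers: the exact ActivationInfoXML bytes, so re-serialising the inner plist invalidates the signature.<br />

```python
import hashlib
import plistlib

HOST = "albert.apple.com"
PATH = "/WebObjects/ALUnbrick.woa/wa/deviceActivation"
BOUNDARY = "DeviceActivation"

# Constructed sample values; not from a real device.
SAMPLE_DEVICE = {
    "ActivationRandomness": "7E0F5C1B-2A4D-4E6F-9B8A-1C2D3E4F5A6B",
    "ActivationRequiresActivationTicket": True,
    "ActivationState": "Unactivated",
    "BuildVersion": "8A306",
    "DeviceClass": "iPhone",
    "ModelNumber": "MC135",
    "ProductType": "iPhone2,1",
    "ProductVersion": "4.0.1",
    "SIMStatus": "kCTSIMSupportSIMStatusReady",
    "SupportsPostponement": True,
    "UniqueChipID": 123456789,
    "UniqueDeviceID": "0" * 40,
}


def build_activation_info_xml(fields):
    """Inner plist (the ActivationInfoXML bytes that the FairPlay signature covers)."""
    return plistlib.dumps(fields, fmt=plistlib.FMT_XML)


def build_activation_token(info_xml, cert_chain_der, signature):
    """Outer dictionary; plistlib emits bytes values as base64 <data> elements."""
    token = {
        "ActivationInfoComplete": True,
        "ActivationInfoXML": info_xml,
        "FairPlayCertChain": cert_chain_der,
        "FairPlaySignature": signature,
    }
    return plistlib.dumps(token, fmt=plistlib.FMT_XML)


def build_request(token_xml):
    """Raw HTTP/1.1 request bytes with the multipart body and a correct Content-Length."""
    body = (
        f"--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="activation-info"\r\n\r\n'
    ).encode() + token_xml + f"\r\n--{BOUNDARY}--\r\n".encode()
    headers = (
        f"POST {PATH} HTTP/1.1\r\n"
        "Accept-Encoding: gzip\r\n"
        "Accept-Language: en-us, en;q=0.50\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Host: {HOST}\r\n"
        "Cache-Control: no-cache\r\n\r\n"
    ).encode()
    return headers + body


def parse_request(raw):
    """Server-side view: check Content-Length, pull the activation-info part,
    decode the outer dictionary and then the nested ActivationInfoXML plist."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = dict(line.split(": ", 1) for line in head.decode().split("\r\n")[1:])
    if int(headers["Content-Length"]) != len(body):
        raise ValueError("Content-Length does not match the body")
    part = body.split(f"--{BOUNDARY}".encode())[1]      # first (only) form part
    _, _, payload = part.partition(b"\r\n\r\n")          # skip the part headers
    payload = payload.rstrip(b"\r\n")                    # CRLF before the closing delimiter
    outer = plistlib.loads(payload)
    inner = plistlib.loads(outer["ActivationInfoXML"])
    return outer, inner


def signed_digest(outer):
    """SHA-1 of the exact ActivationInfoXML bytes: the input to the RSA signature."""
    return hashlib.sha1(outer["ActivationInfoXML"]).hexdigest()


if __name__ == "__main__":
    info = build_activation_info_xml(SAMPLE_DEVICE)
    token = build_activation_token(info, b"\x30\x82\x01\x00", b"\x00\x01\x02")
    request = build_request(token)
    outer, inner = parse_request(request)
    print(request.decode()[:200])
    print("signed digest:", signed_digest(outer), "device:", inner["ProductType"])
```

The server-side parser is deliberately strict about Content-Length; a client that keeps the literal 1234 from the layout above produces a body the server cannot delimit correctly.<br />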
<br />
==Resources==<br />
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate]<br />
<br />
[[Category:Baseband]]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Activation_Token&diff=17319Activation Token2011-04-08T07:18:48Z<p>Whiteshinyapple: It is not a plist file!</p>
<hr />
<div>(Earlier revision of the Activation Token page, identical to the revision above except that the Activation Protocol section lacks the "Use SSL" sentence.)</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Activation_Token&diff=17318Activation Token2011-04-08T07:12:57Z<p>Whiteshinyapple: Added the Activation Protocol</p>
<hr />
<div>(Earlier revision of the Activation Token page, identical to the revision above except that the outer activation token is described as a plist file and shown with an XML plist prolog.)</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Sn0wbreeze&diff=17082Sn0wbreeze2011-03-29T01:45:26Z<p>Whiteshinyapple: sb 2.3b4</p>
<hr />
<div>{{lowercase}}<br />
{{float toc}}<br />
== What is sn0wbreeze? ==<br />
'''sn0wbreeze''' is a tool to create custom [[IPSW File Format|IPSW]]s to restore, similar to [[PwnageTool]]. It is a Windows GUI for [[XPwn]], written in Visual Basic .NET and developed by [[User:ih8sn0w|iH8sn0w]]. It is freeware; it was originally released as open source under the GPL v3 but is now closed-source.<br />
== Versions ==<br />
[[sn0wbreeze]] was first released January 13, 2010 as a beta version. The following versions that are shown here are official, and sorted by compatibility with iOS revisions.<br />
<br />
=== 3.X ===<br />
{| class="wikitable" width="100%" style="font-size:smaller;border-collapse:collapse;" border="1"<br />
! style="background-color:#E9E9E9;text-align:center;width:50px;" | Version<br />
! style="background-color:#E9E9E9;text-align:center;width:65px;" | Release date<br />
! style="background-color:#E9E9E9;text-align:center;" | Changes<br />
|-<br />
! Public Beta<br />
| style="text-align:center;" | 13-Jan-2010<br />
|<br />
* Initial release<br />
* Jailbreaks iOS 3.1.2<br />
* Only allows you to be able to select simple mode<br />
* Taken down due to copyright issues with [[XPwn]]<br />
|-<br />
! 1.0<br />
| style="text-align:center;" | 16-Jan-2010<br />
|<br />
* Official release of sn0wbreeze<br />
|-<br />
! 1.1<br />
| style="text-align:center;" | 19-Jan-2010<br />
|<br />
* Fixes [[Cydia Application|Cydia]] problems<br />
* Fixes problems with [[NOR]] on [[S5L8900]] devices<br />
* Fixes custom packages not being installed<br />
|-<br />
! 1.2<br />
| style="text-align:center;" | 21-Jan-2010<br />
|<br />
* GUI fixes<br />
* Fixed even more [[Cydia Application|Cydia]] problems<br />
|-<br />
! 1.3<br />
| style="text-align:center;" | 23-Jan-2010<br />
|<br />
* fixes bug where some [[Cydia Application|Cydia]] repositories could not be added and downloaded from<br />
|-<br />
! 1.4<br />
| style="text-align:center;" | 26-Jan-2010<br />
|<br />
* Fixed vital bug where deb files may not be added to the right place<br />
|-<br />
! 1.5<br />
| style="text-align:center;" | 05-Feb-2010<br />
|<br />
* Jailbreaks iOS 3.1.3<br />
* Removed verbose mode support<br />
|-<br />
! 1.5.1<br />
| style="text-align:center;" | 07-Feb-2010<br />
|<br />
* Removed [[blacksn0w]] due to CommCenter issues (fix being worked on)<br />
|-<br />
|}<br />
<br />
=== 4.X ===<br />
{| class="wikitable" width="100%" style="font-size:smaller;border-collapse:collapse;" border="1"<br />
! style="background-color:#E9E9E9;text-align:center;width:50px;" | Version<br />
! style="background-color:#E9E9E9;text-align:center;width:65px;" | Release date<br />
! style="background-color:#E9E9E9;text-align:center;" | Changes<br />
|-<br />
! 1.6<br />
| style="text-align:center;" | 24-Jun-2010<br />
|<br />
* Jailbreaks iOS 4.0 only.<br />
* Removed [[ultrasn0w]] integration. (Due to MuscleNerd's request citing version management issues. Install it through the "custom packages" feature instead.)<br />
* Removed "sn0wbreeze App" integration (discontinued)<br />
|-<br />
! 1.7<br />
| style="text-align:center;" | 06-Jul-2010<br />
|<br />
* Added support for new bootroms in the form of a [[tethered jailbreak]] with [[iBooty]].<br />
|-<br />
! 1.8 Beta<br />
| style="text-align:center;" | 16-Jul-2010<br />
|<br />
* Only for iOS 4.1 beta 1.<br />
* Doesn't support [[hacktivation]].<br />
|-<br />
! 2.0<br />
| style="text-align:center;" | 22-Sep-2010<br />
|<br />
* Added support for "MC model" [[N72ap|iPod touch 2G]] ([[Tethered jailbreak|tethered]] using [[usb_control_msg(0xA1, 1) Exploit]])<br />
* Added Support for [[N18ap|iPod touch 3G]] and [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]]) on iOS 3.1.2<br />
* GUI improvements<br />
* Backwards compatible with 3.1.X<br />
|-<br />
! 2.0.1<br />
| style="text-align:center;" | 22-Sep-2010<br />
|<br />
* Fix for Error 37<br />
|-<br />
! 2.0.2<br />
| style="text-align:center;" | 25-Sep-2010<br />
|<br />
* Fixes for Error 37 and hacktivation.<br />
|-<br />
! 2.1<br />
| style="text-align:center;" | 13-Nov-2010<br />
|<br />
* Jailbreaks iOS 3.2.2/4.1.<br />
* Implemented [[usb_control_msg(0xA1, 1) Exploit|steaks4uce]] and [[limera1n]] exploits.<br />
* Added support for all iOS devices (except [[M68ap|iPhone]] and [[N45ap|iPod touch]])<br />
|-<br />
! 2.2r1<br />
| style="text-align:center;" | 15-Feb-2011<br />
|<br />
* Jailbreaks iOS 4.2.1.<br />
* A new "Baseband Preservation Mode", which allows upgrade without updating the baseband (as usual), but without jailbreaking ([http://twitter.com/iH8sn0w/status/19249886721478656 announced on Dec 27])<br />
|-<br />
! 2.2r2<br />
| style="text-align:center;" | 15-Feb-2011<br />
|<br />
* Includes a fix for iBooks.<br />
|-<br />
! 2.2r3<br />
| style="text-align:center;" | 18-Feb-2011<br />
|<br />
* Fixes iBooks issues on devices still having issues.<br />
|-<br />
! 2.2.1<br />
| style="text-align:center;" | 20-Feb-2011<br />
|<br />
* Fixes for the [[n92ap|iPhone 4 (CDMA model)]]<br />
* Definitely fixes iBooks.<br />
* Drag and drop [[IPSW File Format|IPSWs]].<br />
* Fixes issues with Windows Classic.<br />
|-<br />
! 2.3b1<br />
| style="text-align:center;" | 13-Mar-2011<br />
|<br />
* "For people that want to play around with 4.3 or preserve their baseband. It's BETA for a reason."<br />
|-<br />
! 2.3b2<br />
| style="text-align:center;" | 17-Mar-2011<br />
|<br />
* Adds Multitasking Gestures option in Settings App.<br />
* [[iBooty]] bug fixes (includes [[iBSS]] issues).<br />
* [[iBooty]] is even faster.<br />
* [[Mobile Substrate]] is now working.<br />
* Sleep bug in [[IPod touch|iPod touches]] is fixed.<br />
* Rare [[K48ap|iPad 1G]] issues resolved.<br />
* Added [[iREB]] to top bar for future re-runs within [[sn0wbreeze]].<br />
* [[ultrasn0w]] is still broken.<br />
|-<br />
! 2.3b3<br />
| style="text-align:center;" | 18-Mar-2011<br />
|<br />
* Fixed [[N81ap|iPod touch 4]] [[iBooty]] issues.<br />
|-<br />
! 2.3b4<br />
| style="text-align:center;" | 19-Mar-2011<br />
|<br />
* [[ultrasn0w]] now works for basebands ([[1.59.00]] / [[4.26.08]] / [[5.11.07]] / [[5.12.01]] / [[5.13.04]] / [[6.15.00]])<br />
* Fixed minor GUI + [[iBooty]] bugs.<br />
|-<br />
! 2.4b1<br />
| style="text-align:center;" | 19-Mar-2011<br />
|<br />
* iOS 4.3.1 is now supported<br />
* iPhone 3GS users can upgrade to 06.15.00 baseband<br />
|-<br />
|}<br />
<br />
== Resources ==<br />
*[http://ih8sn0w.com/index.php/welcome.snow Download sn0wbreeze]<br />
<br />
[[Category:Hacking Software]]<br />
[[Category:GUI Tools]]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Talk:Preventing_Baseband_Update&diff=16966Talk:Preventing Baseband Update2011-03-22T11:18:46Z<p>Whiteshinyapple: formatting</p>
<hr />
<div>==No success==<br />
I tried this and it didn't work. I used an iPhone 4 with firmware 4.1 and baseband 1.59.00, trying to upgrade it to stock firmware 4.2.1, preserving the baseband.<br />
<br />
One thing that was unclear is the plist edit. There was another entry SystemPartitionSize=1024 (integer) (<nowiki><key>SystemPartitionSize</key><integer>1024</integer></nowiki>). It was not clear if this should be removed or not. I tried both.<br />
<br />
To reencrypt, it used the command<br />
xpwntool 038-0032-002_modified.dmg 038-0032-002_reencrypted.dmg -t 038-0032-002_original.dmg -k 06849aead2e9a6ca8a82c3929bad5c2368942e3681a3d5751720d2aacf0694c0 -iv 9b20ae16bebf4cf1b9101374c3ab0095<br />
With key and iv [[Jasper 8C148 (iPhone 4)|from here]] (must be correct, otherwise decryption wouldn't have worked).<br />
Then rename 038-0032-002_reencrypted.dmg to original name and back into the ipsw.<br />
<br />
To prepare for custom firmware flashing, I used redsn0w 0.9.6b4, reading initial 4.1 firmware.<br />
<br />
Without the SystemPartitionSize, I received an iTunes unknown error 46 when it started to flash. With the SystemPartitionSize it went a few seconds longer and I got iTunes error 14.<br />
<br />
Anything I am doing wrong? Did anybody else complete this successfully? Or was this just a joke?<br />
--[[User:Http|http]] 03:14, 29 November 2010 (UTC)<br />
:well what ipsw did you restore to because [[restored]] will signature check the root filesystem after [[ASR]] but the SystemPartitionSize should be replaced with <nowiki> <key>SystemImage</key> <false/> </nowiki> if you don't want to update the root partition --[[User:Liamchat|liamchat]] 16:06, 29 November 2010 (UTC)<br />
::ipsw: 4.2.1 as I said. Why should I not update the root partition? The goal is to upgrade firmware from 4.1 to 4.2.1, without updating the baseband. Did you do this and were successful? --[[User:Http|http]] 19:40, 29 November 2010 (UTC)<br />
:::why are you using the original file as a template --[[User:Liamchat|liamchat]] 23:02, 29 November 2010 (UTC)<br />
::::Because [[xpwntool]] says so. Is that wrong? --[[User:Http|http]] 23:17, 29 November 2010 (UTC)<br />
:::::it is optional if you want to the code just says create an abstract copy of template if has key --[[User:Liamchat|liamchat]] 23:30, 29 November 2010 (UTC)<br />
::::::Are you guessing? Did you ever try all this? If yes: Did it work for you? If no: no guessing please and better no answer in that case. Thanks. --[[User:Http|http]] 00:48, 30 November 2010 (UTC)<br />
:::::::when you used xpwn did it output <br />
img3.c:createAbstractFileFromImg3:645: d65fdeb907a78562210697cf5e57bcaefde672d1a64fda4ec7d1da9df9c6502d23cd01d17ccb0f60b3bdcce154216af8<br />
img3.c:createAbstractFileFromImg3:645: d65fdeb907a78562210697cf5e57bcaefde672d1a64fda4ec7d1da9df9c6502d23cd01d17ccb0f60b3bdcce154216af8<br />
:::::::--[[User:Liamchat|liamchat]] 10:45, 30 November 2010 (UTC)<br />
<br />
:I don't have MUCH experience with this, but I assume that since you've got yourself a modded ramdisk, you have to pwn the bootstrapper iBEC and the other fw parts, as in pwnagetool. --[[User:Dra1nerdrake|dra1nerdrake]] 01:24, 30 November 2010 (UTC)<br />
::well no because if he sees the apple logo and the empty bar that is in the ramdisk --[[User:Liamchat|liamchat]] 08:29, 30 November 2010 (UTC)<br />
<br />
::Step 7 should take care of that. I used redsn0w to prepare. --[[User:Http|http]] 08:49, 30 November 2010 (UTC)<br />
<br />
It works. [[restored]] checks the plist and skips BB update if the option is set to false. Now are you saying that your hand-made ipsw failed the restore process or that your BB was in fact updated?<br />
--[[User:Msft.guy|Msft.guy]] 03:59, 7 December 2010 (UTC)<br />
<br />
Just to confirm: all those that are claiming it doesn't work are patching the correct ramdisk right? Some people are talking about the restore ramdisk then mentioning updates?? Surely if you want to prevent update when updating software you need to patch the update ramdisk and in the same way for restores patch the restore ramdisk? I'm sure this isn't happening but I thought it right to check to rule it out as a possibility -- [[User:Windows Helpdesk|blackthund3r]] 06:20, 7 December 2010 (UTC)<br />
<br />
:I never said it cannot work. For me it just didn't restore (as mentioned). But even if it would restore: how do you get around the new baseband version check? Nothing mentioned about that. --[[User:Http|http]] 07:52, 7 December 2010 (UTC)<br />
::i thought the check was in the restore ramdisk not the [[kernelcache]] i checked the [[kernal]]'s memory and saw no running process that can check the [[baseband]] version --[[User:Liamchat|liamchat]] 19:22, 7 December 2010 (UTC)<br />
:::[http://twitter.com/MuscleNerd/status/16210881088069632 confirmed] there is no check on ios it is in the ramdisk --[[User:Liamchat|liamchat]] 22:26, 18 December 2010 (UTC)<br />
<br />
==Way to bypass recovery mode problem==<br />
Is there currently any way to bypass the check? or is it done by setting UpdateBaseband to false? iPad 3Gs cannot downgrade from 4.3 to 4.2.1 and get stuck in a recovery loop even after being kicked out of recovery mode. --[[User:LIV2|LIV2]] 11:23, 16 January 2011 (UTC)<br />
:what error did you get when you restored --[[User:Liamchat|liamchat]] 12:09, 16 January 2011 (UTC)<br />
::I'm in the same situation; I've decided to stick with 4.3 for now, can't go back to 3.x after living with multitasking! I get error 1015. Have tried all the usual suspects, can't kick it out of recovery mode, etc. Even tried downgrading to iOS 3.2.2 and then 'upgrading' instead of restoring to 4.2.1 without any success.--[[User:Beau|Beau]] 12:34, 16 January 2011 (UTC)<br />
:::Error code is the usual 1015 error, but iOS 4.2.1 must be doing a BB Version check somewhere because there is no way to stop it going back to recovery. basically when you kick it out of recovery it goes to the apple logo for a while, then reboots and goes into recovery. other reports of this issue are found here:http://forums.macrumors.com/showthread.php?t=1079811 also to note, 3.2.x will restore just fine, 4.2.1 and 4.2.1B3 will not work though --[[User:LIV2|LIV2]] 13:15, 16 January 2011 (UTC)<br />
::::[http://www.youtube.com/watch?v=N2AX6Ywnjb8 Here is] the userland side baseband check, which probably looks for something the ramdisk only does after the BB update completes. {{unsigned|Ryccardo|17:27, January 16, 2011}}<br />
::::I can confirm that UpdateBaseband = false does not help. Just tried building a custom ramdisk; same result with it being stuck in a loop with error 1015 --[[User:Beau|Beau]] 08:39, 24 January 2011 (UTC)<br />
:::::Does anyone know how to get Verbose mode on the iPad? It might help to know why it's not succeeding even when I tell it to not do a baseband update, I even tried replacing the fls and eep with the ones from 4.3 so it wouldn't try to downgrade, but to no avail. --[[User:LIV2|LIV2]] 00:23, 17 January 2011 (UTC)<br />
<br />
:As there is no check in the firmware ([http://twitter.com/MuscleNerd/status/16210881088069632 MuscleNerd's Tweet]), there are ways to bypass the problem. Although neither [[sn0wbreeze]] nor [[PwnageTool]] support 4.2.1, you can still use [[PwnageTool]] with an unofficial bundle to install 4.2.1 without changing the baseband. It will automatically bypass this check (not sure how). Also, [[User:IH8sn0w|IH8sn0w]] has another way than this (see [http://twitter.com/iH8sn0w/status/19453808090288128 Tweet]) to bypass this check in his upcoming [[sn0wbreeze]] (will have an option to just preserve baseband, see [http://twitter.com/iH8sn0w/status/19249886721478656 this Tweet] or [http://twitpic.com/3k3mt6 image]). --[[User:Http|http]] 14:39, 16 January 2011 (UTC)<br />
<br />
== merge all ipsw modifications ==<br />
<br />
Should all pages that describe how to make changes to the restore process be merged into one page --[[User:Liamchat|liamchat]] 23:02, 29 November 2010 (UTC)<br />
<br />
== deletion request ==<br />
<br />
there are 2 points I am going to make<br />
*1. if this is wrong then how does [[PwnageTool]] and [[sn0wbreeze]] work<br />
*2. if this is wrong then the [[NOR-only_ipsw]] is also wrong ( also being outdated ) --[[User:Liamchat|liamchat]] 13:30, 6 December 2010 (UTC)<br />
*3. if this is wrong then my ipsw patch will not work [http://filebin.ca/ngqkhx/iPhone31_4.2.1_8C148.bundle.zip iPhone31_4.2.1_8C148.bundle] --[[User:Liamchat|liamchat]] 15:41, 6 December 2010 (UTC)<br />
<br />
:The ONLY thing you should do to skip a BB update is to set UpdateBaseband to false, don't change anything else. To just flash NOR you have to disable baseband and rootfs, I don't really know the proper way to disable it but there's more than what's listed on the nor-only page. --[[User:Ryccardo|Ryccardo]] 21:33, 6 December 2010 (UTC)<br />
::i actually would patch [[restored]] ( the files are checked before they are flashed and [[SHSH]]ed ) or replace it with [https://github.com/Gojohnnyboi/restored_pwn restored_pwn] but that is the way apple does it with the recovery ipsw for the [[S5L8900]] --[[User:Liamchat|liamchat]] 19:22, 7 December 2010 (UTC)<br />
<br />
== Errors :( ==<br />
There were some errors in this article. Sorry! I edited it and there should be no problems now. [[PwnageTool]] & [[sn0wbreeze]] use this method. --[[User:Whiteshinyapple|Whiteshinyapple]]<br />
:Thanks for updating. But actually I cannot see any difference to your original article, except that you mention to not change existing values in the plist. My open questions are:<br />
:*Any idea what I should have made wrong from my description above?<br />
:*Did you or anybody else ever tried this successfully? I always hear that it "should work", but nobody confirmed it by doing so.<br />
:*As far as I know do [[PwnageTool]] & [[sn0wbreeze]] not support iOS 4.2.1 yet.<br />
:*I can see that by this method the baseband won't get updated. But you can achieve this also by pointing your hosts file to [[Cydia Server]]. But how would this solve the problem to boot the device as of the new bb check?<br />
:--[[User:http|http]] 12:02, 7 December 2010 (UTC)<br />
<br />
BTW, this still won't work with original IPSW. Pwned DFU mode doesn't patch sigchecks in iBSS, so the ramdisk won't load. You need to load patched iBSS/iBEC for this to work.<br />
--[[User:Msft.guy|Msft.guy]] 14:11, 7 December 2010 (UTC)<br />
:also I added the swap ramdisk because that was confirmed to work. This [[baseband]] check is only in the restore ramdisk and there are no differences between the update and restore ramdisk, and strangely the ramdisk mounts and the progress bar appears --[[User:Liamchat|liamchat]] 19:22, 7 December 2010 (UTC)<br />
<br />
:TinyUmbrella uses a different method to prevent baseband update afaik. And could someone add on how to swap ramdisks. --[[User:Whiteshinyapple|Whiteshinyapple]]<br />
:: I added how to use TinyUmbrella but it will not work until someone starts to save update [[SHSH]] so until this is fixed I will teach people how to swap ramdisks --[[User:Liamchat|liamchat]] 16:11, 8 December 2010 (UTC)<br />
:::[http://twitter.com/notcom/status/9273579120099328] the check is only on the restore ramdisk --[[User:Liamchat|liamchat]] 17:22, 9 December 2010 (UTC)<br />
<br />
== iTunes Method ==<br />
<br />
I already tried this (without reading it here first), because of the mentioned ramdisk swap method. But it didn't work for me. I installed stock 4.1 and then clicked Update in iTunes. Actually with the Shift-Click you can avoid installing 4.1 first, but it's the same. Did this work for anyone? --[[User:Http|http]] 14:49, 16 January 2011 (UTC)<br />
<br />
And actually it is the same as the TinyUmbrella method, because the hosts entry prevents the baseband update here. --[[User:Http|http]] 14:52, 16 January 2011 (UTC)<br />
<br />
:I don't know if this applies to the baseband (it should only if you use a non-Apple server and manually set auto-boot after restoring), but it's definitely useful in hacktivating betas :) --[[User:Ryccardo|Ryccardo]] 15:18, 16 January 2011 (UTC)<br />
<br />
::This was said a while ago: http://twitter.com/notcom/status/9273579120099328 and swapping [[ramdisk]]s does not work, [[itunes]] can't connect to [[restored]]. --[[User:Liamchat|liamchat]] 15:47, 16 January 2011 (UTC)<br />
<br />
== bbfw deletion ==<br />
<br />
[[User:Christoph|Christoph]] added the bbfw removal to the TinyUmbrella method. I think this is not correct. To install 4.1 you don't have to change the ipsw file at all. What is this for? I didn't remove it right away, because maybe it helps to get out of the recovery loop with the 4.2.1 update? But in this case more clarifications are needed. --[[User:Http|http]] 14:55, 16 January 2011 (UTC)<br />
:iTunes now checks for the bbfw and makes the restore fail if it doesn't exist. Same if the baseband signature can't be generated, but this condition can't be checked in advance, so just redefine gs.apple.com --[[User:Ryccardo|Ryccardo]] 15:18, 16 January 2011 (UTC)<br />
<br />
== iH8sn0w's method ==<br />
I saw sn0wbreeze source code and it patches the ASR, options.plist in the ramdisk and the [[iBSS]]. How does that exit the recovery loop? --[[User:Whiteshinyapple|Whiteshinyapple]] 07:24, 22 March 2011 (UTC)<br />
<br>There is no [[fstab]] patch, so does that mean the baseband check checks the partition and sees if it has access? --[[User:Whiteshinyapple|Whiteshinyapple]] 11:18, 22 March 2011 (UTC)</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Talk:Preventing_Baseband_Update&diff=16965Talk:Preventing Baseband Update2011-03-22T11:18:27Z<p>Whiteshinyapple: /* iH8sn0w's method */</p>
<hr />
<div>==No success==<br />
I tried this and it didn't work. I used an iPhone 4 with firmware 4.1 and baseband 1.59.00, trying to upgrade it to stock firmware 4.2.1, preserving the baseband.<br />
<br />
One thing that was unclear is the plist edit. There was another entry SystemPartitionSize=1024 (integer) (<nowiki><key>SystemPartitionSize</key><integer>1024</integer></nowiki>). It was not clear if this should be removed or not. I tried both.<br />
<br />
To reencrypt, I used the command<br />
xpwntool 038-0032-002_modified.dmg 038-0032-002_reencrypted.dmg -t 038-0032-002_original.dmg -k 06849aead2e9a6ca8a82c3929bad5c2368942e3681a3d5751720d2aacf0694c0 -iv 9b20ae16bebf4cf1b9101374c3ab0095<br />
With key and iv [[Jasper 8C148 (iPhone 4)|from here]] (must be correct, otherwise decryption wouldn't have worked).<br />
Then rename 038-0032-002_reencrypted.dmg to original name and back into the ipsw.<br />
<br />
To prepare for custom firmware flashing, I used redsn0w 0.9.6b4, reading initial 4.1 firmware.<br />
<br />
Without the SystemPartitionSize, I received an iTunes unknown error 46 when it started to flash. With the SystemPartitionSize it went a few seconds longer and I got iTunes error 14.<br />
<br />
Anything I am doing wrong? Did anybody else complete this successfully? Or was this just a joke?<br />
--[[User:Http|http]] 03:14, 29 November 2010 (UTC)<br />
:Well, what ipsw did you restore to? Because [[restored]] will signature check the root filesystem after [[ASR]], but the SystemPartitionSize should be replaced with <nowiki> <key>SystemImage</key> <false/> </nowiki> if you don't want to update the root partition. --[[User:Liamchat|liamchat]] 16:06, 29 November 2010 (UTC)<br />
::ipsw: 4.2.1 as I said. Why should I not update the root partition? The goal is to upgrade firmware from 4.1 to 4.2.1, without updating the baseband. Did you do this and were successful? --[[User:Http|http]] 19:40, 29 November 2010 (UTC)<br />
:::Why are you using the original file as a template? --[[User:Liamchat|liamchat]] 23:02, 29 November 2010 (UTC)<br />
::::Because [[xpwntool]] says so. Is that wrong? --[[User:Http|http]] 23:17, 29 November 2010 (UTC)<br />
:::::It is optional if you want to; the code just says create an abstract copy of template if has key. --[[User:Liamchat|liamchat]] 23:30, 29 November 2010 (UTC)<br />
::::::Are you guessing? Did you ever try all this? If yes: Did it work for you? If no: no guessing please and better no answer in that case. Thanks. --[[User:Http|http]] 00:48, 30 November 2010 (UTC)<br />
:::::::When you used xpwn, did it output <br />
img3.c:createAbstractFileFromImg3:645: d65fdeb907a78562210697cf5e57bcaefde672d1a64fda4ec7d1da9df9c6502d23cd01d17ccb0f60b3bdcce154216af8<br />
img3.c:createAbstractFileFromImg3:645: d65fdeb907a78562210697cf5e57bcaefde672d1a64fda4ec7d1da9df9c6502d23cd01d17ccb0f60b3bdcce154216af8<br />
:::::::--[[User:Liamchat|liamchat]] 10:45, 30 November 2010 (UTC)<br />
<br />
:I don't have MUCH experience with this, but I assume that since you've got yourself a modded ramdisk, you have to pwn the bootstrapper iBEC and the other fw parts, as in pwnagetool. --[[User:Dra1nerdrake|dra1nerdrake]] 01:24, 30 November 2010 (UTC)<br />
::Well, no, because if he sees the apple logo and the empty bar, that is in the ramdisk. --[[User:Liamchat|liamchat]] 08:29, 30 November 2010 (UTC)<br />
<br />
::Step 7 should take care of that. I used redsn0w to prepare. --[[User:Http|http]] 08:49, 30 November 2010 (UTC)<br />
<br />
It works. [[restored]] checks the plist and skips BB update if the option is set to false. Now are you saying that your hand-made ipsw failed the restore process or that your BB was in fact updated?<br />
--[[User:Msft.guy|Msft.guy]] 03:59, 7 December 2010 (UTC)<br />
<br />
Just to confirm: all those that are claiming it doesn't work are patching the correct ramdisk right? Some people are talking about the restore ramdisk then mentioning updates?? Surely if you want to prevent update when updating software you need to patch the update ramdisk and in the same way for restores patch the restore ramdisk? I'm sure this isn't happening but I thought it right to check to rule it out as a possibility -- [[User:Windows Helpdesk|blackthund3r]] 06:20, 7 December 2010 (UTC)<br />
<br />
:I never said it cannot work. For me it just didn't restore (as mentioned). But even if it would restore: how do you get around the new baseband version check? Nothing mentioned about that. --[[User:Http|http]] 07:52, 7 December 2010 (UTC)<br />
::I thought the check was in the restore ramdisk, not the [[kernelcache]]. I checked the [[kernal]]'s memory and saw no running process that can check the [[baseband]] version. --[[User:Liamchat|liamchat]] 19:22, 7 December 2010 (UTC)<br />
:::[http://twitter.com/MuscleNerd/status/16210881088069632 Confirmed]: there is no check in iOS, it is in the ramdisk. --[[User:Liamchat|liamchat]] 22:26, 18 December 2010 (UTC)<br />
<br />
==Way to bypass recovery mode problem==<br />
Is there currently any way to bypass the check? Or is it done by setting UpdateBaseband to false? iPad 3Gs cannot downgrade from 4.3 to 4.2.1 and get stuck in a recovery loop even after being kicked out of recovery mode. --[[User:LIV2|LIV2]] 11:23, 16 January 2011 (UTC)<br />
:what error did you get when you restored --[[User:Liamchat|liamchat]] 12:09, 16 January 2011 (UTC)<br />
::I'm in the same situation; I've decided to stick with 4.3 for now, can't go back to 3.x after living with multitasking! I get error 1015. Have tried all the usual suspects, can't kick it out of recovery mode, etc. Even tried downgrading to iOS 3.2.2 and then 'upgrading' instead of restoring to 4.2.1 without any success. --[[User:Beau|Beau]] 12:34, 16 January 2011 (UTC)<br />
:::Error code is the usual 1015 error, but iOS 4.2.1 must be doing a BB Version check somewhere because there is no way to stop it going back to recovery. Basically, when you kick it out of recovery it goes to the apple logo for a while, then reboots and goes into recovery. Other reports of this issue are found here: http://forums.macrumors.com/showthread.php?t=1079811 Also to note, 3.2.x will restore just fine, 4.2.1 and 4.2.1B3 will not work though. --[[User:LIV2|LIV2]] 13:15, 16 January 2011 (UTC)<br />
::::[http://www.youtube.com/watch?v=N2AX6Ywnjb8 Here is] the userland side baseband check, which probably looks for something the ramdisk only does after the BB update completes. {{unsigned|Ryccardo|17:27, January 16, 2011}}<br />
::::I can confirm that UpdateBaseband = false does not help. Just tried building a custom ramdisk; same result with it being stuck in a loop with error 1015 --[[User:Beau|Beau]] 08:39, 24 January 2011 (UTC)<br />
:::::Does anyone know how to get Verbose mode on the iPad? It might help to know why it's not succeeding even when I tell it to not do a baseband update, I even tried replacing the fls and eep with the ones from 4.3 so it wouldn't try to downgrade, but to no avail. --[[User:LIV2|LIV2]] 00:23, 17 January 2011 (UTC)<br />
<br />
:As there is no check in the firmware ([http://twitter.com/MuscleNerd/status/16210881088069632 MuscleNerd's Tweet]), there are ways to bypass the problem. Although neither [[sn0wbreeze]] nor [[PwnageTool]] support 4.2.1, you can still use [[PwnageTool]] with an unofficial bundle to install 4.2.1 without changing the baseband. It will automatically bypass this check (not sure how). Also, [[User:IH8sn0w|IH8sn0w]] has another way than this (see [http://twitter.com/iH8sn0w/status/19453808090288128 Tweet]) to bypass this check in his upcoming [[sn0wbreeze]] (it will have an option to just preserve the baseband, see [http://twitter.com/iH8sn0w/status/19249886721478656 this Tweet] or [http://twitpic.com/3k3mt6 image]). --[[User:Http|http]] 14:39, 16 January 2011 (UTC)<br />
<br />
== merge all ipsw modifications ==<br />
<br />
Should all pages that describe how to make changes to the restore process be merged into one page? --[[User:Liamchat|liamchat]] 23:02, 29 November 2010 (UTC)<br />
<br />
== deletion request ==<br />
<br />
There are 2 points I am going to make:<br />
*1. If this is wrong, then how do [[PwnageTool]] and [[sn0wbreeze]] work?<br />
*2. If this is wrong, then the [[NOR-only_ipsw]] is also wrong (also being outdated). --[[User:Liamchat|liamchat]] 13:30, 6 December 2010 (UTC)<br />
*3. If this is wrong, then my ipsw patch will not work: [http://filebin.ca/ngqkhx/iPhone31_4.2.1_8C148.bundle.zip iPhone31_4.2.1_8C148.bundle] --[[User:Liamchat|liamchat]] 15:41, 6 December 2010 (UTC)<br />
<br />
:The ONLY thing you should do to skip a BB update is to set UpdateBaseband to false, don't change anything else. To just flash NOR you have to disable baseband and rootfs; I don't really know the proper way to disable it, but there's more than what's listed on the nor-only page. --[[User:Ryccardo|Ryccardo]] 21:33, 6 December 2010 (UTC)<br />
::I actually would patch [[restored]] (the files are checked before they are flashed and [[SHSH]]ed) or replace it with [https://github.com/Gojohnnyboi/restored_pwn restored_pwn], but that is the way apple does it with the recovery ipsw for the [[S5L8900]]. --[[User:Liamchat|liamchat]] 19:22, 7 December 2010 (UTC)<br />
<br />
== Errors :( ==<br />
There were some errors in this article. Sorry! I edited it and there should be no problems now. [[PwnageTool]] & [[sn0wbreeze]] use this method. --[[User:Whiteshinyapple|Whiteshinyapple]]<br />
:Thanks for updating. But actually I cannot see any difference to your original article, except that you mention to not change existing values in the plist. My open questions are:<br />
:*Any idea what I might have done wrong in my description above?<br />
:*Did you or anybody else ever try this successfully? I always hear that it "should work", but nobody confirmed it by doing so.<br />
:*As far as I know, [[PwnageTool]] & [[sn0wbreeze]] do not support iOS 4.2.1 yet.<br />
:*I can see that by this method the baseband won't get updated. But you can achieve this also by pointing your hosts file to [[Cydia Server]]. But how would this solve the problem to boot the device as of the new bb check?<br />
:--[[User:http|http]] 12:02, 7 December 2010 (UTC)<br />
<br />
BTW, this still won't work with original IPSW. Pwned DFU mode doesn't patch sigchecks in iBSS, so the ramdisk won't load. You need to load patched iBSS/iBEC for this to work.<br />
--[[User:Msft.guy|Msft.guy]] 14:11, 7 December 2010 (UTC)<br />
:Also, I added the swap ramdisk because that was confirmed to work. This [[baseband]] check is only in the restore ramdisk, and there are no differences between the update and restore ramdisk, and strangely the ramdisk mounts and the progress bar appears. --[[User:Liamchat|liamchat]] 19:22, 7 December 2010 (UTC)<br />
<br />
:TinyUmbrella uses a different method to prevent baseband update afaik. And could someone add on how to swap ramdisks? --[[User:Whiteshinyapple|Whiteshinyapple]]<br />
::I added how to use TinyUmbrella, but it will not work until someone starts to save update [[SHSH]], so until this is fixed I will teach people how to swap ramdisks. --[[User:Liamchat|liamchat]] 16:11, 8 December 2010 (UTC)<br />
:::[http://twitter.com/notcom/status/9273579120099328] The check is only on the restore ramdisk. --[[User:Liamchat|liamchat]] 17:22, 9 December 2010 (UTC)<br />
<br />
== iTunes Method ==<br />
<br />
I already tried this (without reading it here first), because of the mentioned ramdisk swap method. But it didn't work for me. I installed stock 4.1 and then clicked Update in iTunes. Actually with the Shift-Click you can avoid installing 4.1 first, but it's the same. Did this work for anyone? --[[User:Http|http]] 14:49, 16 January 2011 (UTC)<br />
<br />
And actually it is the same as the TinyUmbrella method, because the hosts entry prevents the baseband update here. --[[User:Http|http]] 14:52, 16 January 2011 (UTC)<br />
<br />
:I don't know if this applies to the baseband (it should only if you use a non-Apple server and manually set auto-boot after restoring), but it's definitely useful in hacktivating betas :) --[[User:Ryccardo|Ryccardo]] 15:18, 16 January 2011 (UTC)<br />
<br />
::This was said a while ago: http://twitter.com/notcom/status/9273579120099328 and swapping [[ramdisk]]s does not work, [[itunes]] can't connect to [[restored]]. --[[User:Liamchat|liamchat]] 15:47, 16 January 2011 (UTC)<br />
<br />
== bbfw deletion ==<br />
<br />
[[User:Christoph|Christoph]] added the bbfw removal to the TinyUmbrella method. I think this is not correct. To install 4.1 you don't have to change the ipsw file at all. What is this for? I didn't remove it right away, because maybe it helps to get out of the recovery loop with the 4.2.1 update? But in this case more clarifications are needed. --[[User:Http|http]] 14:55, 16 January 2011 (UTC)<br />
:iTunes now checks for the bbfw and makes the restore fail if it doesn't exist. Same if the baseband signature can't be generated, but this condition can't be checked in advance, so just redefine gs.apple.com --[[User:Ryccardo|Ryccardo]] 15:18, 16 January 2011 (UTC)<br />
<br />
== iH8sn0w's method ==<br />
I saw sn0wbreeze source code and it patches the ASR, options.plist in the ramdisk and the [[iBSS]]. How does that exit the recovery loop? --[[User:Whiteshinyapple|Whiteshinyapple]] 07:24, 22 March 2011 (UTC)<br />
There is no [[fstab]] patch, so does that mean the baseband check checks the partition and sees if it has access? --[[User:Whiteshinyapple|Whiteshinyapple]] 11:18, 22 March 2011 (UTC)</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Talk:Preventing_Baseband_Update&diff=16963Talk:Preventing Baseband Update2011-03-22T07:24:25Z<p>Whiteshinyapple: </p>
<hr />
<div></div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Activation_Token&diff=16914Activation Token2011-03-19T03:21:46Z<p>Whiteshinyapple: </p>
<hr />
<div>==Layout Activation Token==<br />
This is the plist file which gets sent to Apple's server. It can be obtained through the [[MobileDevice Library]] by calling the AMDeviceCopyValue function with the "ActivationInfo" value.<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>ActivationInfoComplete</key><br />
<true/><br />
<key>ActivationInfoXML</key><br />
<data><br />
(base64-encoded activation info here)<br />
</data><br />
<key>FairPlayCertChain</key><br />
<data><br />
(base64-encoded cert in DER format)<br />
</data><br />
<key>FairPlaySignature</key><br />
<data><br />
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML)<br />
</data><br />
</dict><br />
</plist><br />
<br />
===Key: ActivationInfoXML===<br />
The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below.<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>ActivationRandomness</key><br />
<string>(GUID)</string><br />
<key>ActivationRequiresActivationTicket</key><br />
<true/><br />
<key>ActivationState</key><br />
<string>Unactivated</string><br />
<key>BasebandMasterKeyHash</key><br />
<string>(Hash of hardware IDs)</string><br />
<key>[[Baseband TEA Keys#Hardware Thumbprint Generation|BasebandThumbprint]]</key><br />
<string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)</string><br />
<key>BuildVersion</key><br />
<string>8A306</string><br />
<key>DeviceCertRequest</key><br />
<data><br />
(base64 encoded cert)<br />
</data><br />
<key>DeviceClass</key><br />
<string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string><br />
<key>IntegratedCircuitCardIdentity</key><br />
<string>(ICCID as base-10 string)</string><br />
<key>InternationalMobileEquipmentIdentity</key><br />
<string>(IMEI as base-10 string)</string><br />
<key>InternationalMobileSubscriberIdentity</key><br />
<string>(IMSI as base-10 string)</string><br />
<key>ModelNumber</key><br />
<string>MC135</string><br />
<key>PhoneNumber</key><br />
<string>(String like "+1 (555) 555-5555")</string><br />
<key>ProductType</key><br />
<string>iPhone2,1</string><br />
<key>ProductVersion</key><br />
<string>4.0.1</string><br />
<key>SIMGID1</key><br />
<data><br />
(base64-encoded binary GID1)<br />
</data><br />
<key>SIMGID2</key><br />
<data><br />
(base64-encoded binary GID2)<br />
</data><br />
<key>SIMStatus</key><br />
<string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string><br />
<key>SerialNumber</key><br />
<string>...</string><br />
<key>SupportsPostponement</key><br />
<true/><br />
<key>UniqueChipID</key><br />
<integer>...</integer><br />
<key>UniqueDeviceID</key><br />
<string>(hex UUID)</string><br />
</dict><br />
</plist><br />
<br />
==Spoofing the Activation Server using python==<br />
Here's a python script (Python 2, as the httplib module indicates) to spoof it:<br />
<pre>import httplib, urllib<br />
# Read the ActivationInfo plist obtained from the device (layout above)<br />
with open("a.plist", 'r') as ai:<br />
    aidata = ai.read()<br />
conn = httplib.HTTPSConnection("albert.apple.com")<br />
# Request headers matching those iTunes sends<br />
headers = {"Content-type": "application/x-www-form-urlencoded", "User-Agent": 'iTunes/7.6 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96'}<br />
params = urllib.urlencode({'activation-info': aidata})<br />
conn.request('POST', '/WebObjects/ALActivation.woa/wa/deviceActivation', params, headers)<br />
response = conn.getresponse()<br />
resdata = response.read()<br />
conn.close()<br />
# Save the server's response for inspection<br />
with open("arsp.xml", 'w') as f:<br />
    f.write(resdata)</pre><br />
==Resources==<br />
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate]<br />
<br />
[[Category:Baseband]]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Activation&diff=16913Activation2011-03-19T03:21:19Z<p>Whiteshinyapple: cleanup</p>
<hr />
<div>[[Image:foto.jpg|thumb|right|iPhone with 1 signal bar and damaged [[hacktivation]] or it doesn't have an internet connection|100px]]<br />
<br />
Activation is the process by which a new (or newly restored) iPhone or iPod touch can get past the "Emergency Call Screen" ([[iPhone]]) or "Connect to iTunes" screen (not to be confused with [[Recovery Mode]]; the activation screen has a battery icon in the top right corner to distinguish it) to access the SpringBoard.<br />
The code in charge of this resides in [[lockdownd]], which is always running on [[iOS]] and monitors the activation status of the device. Lockdownd patches (which require a [[jailbreak]] whereby a patched kernel is booted by [[iBoot]] without relying on dynamic libraries patching in RAM) activate the phone and obviate the need to activate legitimately through [[iTunes]] with an official carrier; however, the iPhone still cannot be used to communicate unless an [[unlock]] is found for the [[baseband]]. Lockdownd patches are only used on the [[iPhone]], as the [[iPod touch]] has never been denied activation regardless of firmware, country, etc.<br />
<br />
Activation is handled by https://albert.apple.com/WebObjects/ALActivation.woa/wa/deviceActivation<br />
<br />
[[iTunes]] generates an [[Activation Token]] and sends it to Apple's activation server. Once the [[Activation Token]] is validated, the server generates a [[WildcardTicket]] and signs it with Apple's private key. [[iTunes]] then calls AMDeviceActivate with the [[WildcardTicket]]; the device receives the [[WildcardTicket]] and checks whether the signature is valid. If it is, the device gets past the emergency call screen and the iPhone can be used. All devices actually go through this process. The activation process is outlined in detail in US patent no. [http://www.freepatentsonline.com/20090061934.pdf 2009/0061934].<br />
<br />
Although the [[iPod touch]] can be 'activated' without an internet connection, some services such as YouTube and Push Notifications will fail to work because the device has no valid authentication token ([http://support.apple.com/kb/TS3305 iPad and iPod touch: Unable to use YouTube or Push notifications]), so connecting to iTunes will activate the [[iPod Touch]] fully.<br />
<br />
The [[iPhone]] needs a cellular data connection the first time after activation in [[iTunes]]. You can make calls if an alert says "iPhone is activated". If you don't have a cellular data connection (3G, EDGE, GPRS) you won't be able to make calls and you will only have 1 bar of reception. If you only have 1 bar and no carrier in the status bar, it isn't activated correctly.<br />
<br />
For more information on the activation process, refer to [[Activation Token]].<br />
<br />
==Resources==<br />
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate]<br />
* [http://www.freepatentsonline.com/20090061934.pdf Apple Patent]<br />
<br />
{{stub|iPhone}}<br />
<br />
[[Category:Baseband]]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Activation_Token&diff=16912Activation Token2011-03-19T03:15:31Z<p>Whiteshinyapple: /* Layout ActivationInfo */</p>
<hr />
<div>==Layout ActivationInfo==<br />
This is the plist file which gets sent to Apple's server. It can be obtained by calling the [[MobileDevice Library]] function AMDeviceCopyValue with the "ActivationInfo" value.<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>ActivationInfoComplete</key><br />
<true/><br />
<key>ActivationInfoXML</key><br />
<data><br />
(base64-encoded activation info here)<br />
</data><br />
<key>FairPlayCertChain</key><br />
<data><br />
(base64-encoded cert in DER format)<br />
</data><br />
<key>FairPlaySignature</key><br />
<data><br />
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML)<br />
</data><br />
</dict><br />
<br />
===Key: ActivationInfoXML===<br />
The ActivationInfo plist above has a key called ActivationInfoXML. The base64 data value of that key decodes to the plist file below.<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>ActivationRandomness</key><br />
<string>(GUID)</string><br />
<key>ActivationRequiresActivationTicket</key><br />
<true/><br />
<key>ActivationState</key><br />
<string>Unactivated</string><br />
<key>BasebandMasterKeyHash</key><br />
<string>(Hash of hardware IDs)</string><br />
<key>[[Baseband TEA Keys#Hardware Thumbprint Generation|BasebandThumbprint]]</key><br />
<string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)</string><br />
<key>BuildVersion</key><br />
<string>8A306</string><br />
<key>DeviceCertRequest</key><br />
<data><br />
(base64 encoded cert)<br />
</data><br />
<key>DeviceClass</key><br />
<string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string><br />
<key>IntegratedCircuitCardIdentity</key><br />
<string>(ICCID as base-10 string)</string><br />
<key>InternationalMobileEquipmentIdentity</key><br />
<string>(IMEI as base-10 string)</string><br />
<key>InternationalMobileSubscriberIdentity</key><br />
<string>(IMSI as base-10 string)</string><br />
<key>ModelNumber</key><br />
<string>MC135</string><br />
<key>PhoneNumber</key><br />
<string>(String like "+1 (555) 555-5555")</string><br />
<key>ProductType</key><br />
<string>iPhone2,1</string><br />
<key>ProductVersion</key><br />
<string>4.0.1</string><br />
<key>SIMGID1</key><br />
<data><br />
(base64-encoded binary GID1)<br />
</data><br />
<key>SIMGID2</key><br />
<data><br />
(base64-encoded binary GID2)<br />
</data><br />
<key>SIMStatus</key><br />
<string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string><br />
<key>SerialNumber</key><br />
<string>...</string><br />
<key>SupportsPostponement</key><br />
<true/><br />
<key>UniqueChipID</key><br />
<integer>...</integer><br />
<key>UniqueDeviceID</key><br />
<string>(hex UUID)</string><br />
</dict><br />
</plist><br />
<br />
==Spoofing the Activation Server using python==<br />
Here's a python script (Python 2, as the httplib module indicates) to spoof it:<br />
<pre>import httplib, urllib<br />
# Read the ActivationInfo plist obtained from the device (layout above)<br />
with open("a.plist", 'r') as ai:<br />
    aidata = ai.read()<br />
conn = httplib.HTTPSConnection("albert.apple.com")<br />
# Request headers matching those iTunes sends<br />
headers = {"Content-type": "application/x-www-form-urlencoded", "User-Agent": 'iTunes/7.6 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96'}<br />
params = urllib.urlencode({'activation-info': aidata})<br />
conn.request('POST', '/WebObjects/ALActivation.woa/wa/deviceActivation', params, headers)<br />
response = conn.getresponse()<br />
resdata = response.read()<br />
conn.close()<br />
# Save the server's response for inspection<br />
with open("arsp.xml", 'w') as f:<br />
    f.write(resdata)</pre><br />
==Resources==<br />
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate]<br />
<br />
[[Category:Baseband]]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Talk:Activation_Token&diff=16911Talk:Activation Token2011-03-19T03:08:04Z<p>Whiteshinyapple: Removing all content from page</p>
<hr />
<div></div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Activation_Token&diff=16910Activation Token2011-03-19T03:06:42Z<p>Whiteshinyapple: </p>
<hr />
<div>==Layout ActivationInfo==<br />
This is the plist file which gets sent to Apple's server.<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>ActivationInfoComplete</key><br />
<true/><br />
<key>ActivationInfoXML</key><br />
<data><br />
(base64-encoded activation info here)<br />
</data><br />
<key>FairPlayCertChain</key><br />
<data><br />
(base64-encoded cert in DER format)<br />
</data><br />
<key>FairPlaySignature</key><br />
<data><br />
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML)<br />
</data><br />
</dict><br />
<br />
===Key: ActivationInfoXML===<br />
The ActivationInfo plist above has a key called ActivationInfoXML. The base64 data value of that key decodes to the plist file below.<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>ActivationRandomness</key><br />
<string>(GUID)</string><br />
<key>ActivationRequiresActivationTicket</key><br />
<true/><br />
<key>ActivationState</key><br />
<string>Unactivated</string><br />
<key>BasebandMasterKeyHash</key><br />
<string>(Hash of hardware IDs)</string><br />
<key>[[Baseband TEA Keys#Hardware Thumbprint Generation|BasebandThumbprint]]</key><br />
<string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)</string><br />
<key>BuildVersion</key><br />
<string>8A306</string><br />
<key>DeviceCertRequest</key><br />
<data><br />
(base64 encoded cert)<br />
</data><br />
<key>DeviceClass</key><br />
<string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string><br />
<key>IntegratedCircuitCardIdentity</key><br />
<string>(ICCID as base-10 string)</string><br />
<key>InternationalMobileEquipmentIdentity</key><br />
<string>(IMEI as base-10 string)</string><br />
<key>InternationalMobileSubscriberIdentity</key><br />
<string>(IMSI as base-10 string)</string><br />
<key>ModelNumber</key><br />
<string>MC135</string><br />
<key>PhoneNumber</key><br />
<string>(String like "+1 (555) 555-5555")</string><br />
<key>ProductType</key><br />
<string>iPhone2,1</string><br />
<key>ProductVersion</key><br />
<string>4.0.1</string><br />
<key>SIMGID1</key><br />
<data><br />
(base64-encoded binary GID1)<br />
</data><br />
<key>SIMGID2</key><br />
<data><br />
(base64-encoded binary GID2)<br />
</data><br />
<key>SIMStatus</key><br />
<string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string><br />
<key>SerialNumber</key><br />
<string>...</string><br />
<key>SupportsPostponement</key><br />
<true/><br />
<key>UniqueChipID</key><br />
<integer>...</integer><br />
<key>UniqueDeviceID</key><br />
<string>(hex UUID)</string><br />
</dict><br />
</plist><br />
<br />
==Spoofing the Activation Server using python==<br />
Here's a python script (Python 2, as the httplib module indicates) to spoof it:<br />
<pre>import httplib, urllib<br />
# Read the ActivationInfo plist obtained from the device (layout above)<br />
with open("a.plist", 'r') as ai:<br />
    aidata = ai.read()<br />
conn = httplib.HTTPSConnection("albert.apple.com")<br />
# Request headers matching those iTunes sends<br />
headers = {"Content-type": "application/x-www-form-urlencoded", "User-Agent": 'iTunes/7.6 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96'}<br />
params = urllib.urlencode({'activation-info': aidata})<br />
conn.request('POST', '/WebObjects/ALActivation.woa/wa/deviceActivation', params, headers)<br />
response = conn.getresponse()<br />
resdata = response.read()<br />
conn.close()<br />
# Save the server's response for inspection<br />
with open("arsp.xml", 'w') as f:<br />
    f.write(resdata)</pre><br />
==Resources==<br />
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate]<br />
<br />
[[Category:Baseband]]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Spam&diff=16842The iPhone Wiki:Spam2011-03-16T09:53:16Z<p>Whiteshinyapple: </p>
<hr />
<div>How do we combat this recent spamming of this wiki? I suggest a possible invite system or similar? --[[User:Srts|Srts]] 02:24, 9 November 2009 (UTC)<br />
<br />
I have already blocked account signup, they must have had this account for a while. --[[User:Geohot|geohot]] 02:29, 9 November 2009 (UTC)<br />
<br />
Well if they don't stop, we can't have account creation disabled forever; it defeats the purpose of the wiki. People like him are sad. Great work to all the sysops et al. keeping disruption to a minimum :D --[[User:Srts|Srts]] 02:34, 9 November 2009 (UTC)<br />
<br />
Yea thanks a lot guys for putting up with this. We'll give it a bit of time, and if they continue, we'll figure something out. This kid keeps trying to reset my password for hosting and the wiki. Too bad he doesn't have a life. --[[User:Geohot|geohot]] 03:10, 9 November 2009 (UTC)<br />
<br />
An invite system might not be a bad idea actually [[User:ChronicDev|Will Strafach]] 03:16, 9 November 2009 (UTC)<br />
<br />
feel free to post their IP addresses, lol --[[User:Posixninja|posixninja]] 04:08, 9 November 2009 (UTC)<br />
<br />
Well, if you need an extra admin to block them (and delete spam pages), I volunteer. --[[User:Dranfi|Dranfi]] Congrats, you're an admin --[[User:Geohot|geohot]] 13:22, 9 November 2009 (UTC)<br />
<br />
How many different IPs are we dealing with? Is it within a specific range? For the time being, it may be possible to blacklist an entire subnet if they are all coming from the same place. But if a botnet is doing this, it may be more difficult. Is it possible for MediaWiki to require admin approval of an edit prior to it being committed? Not well versed with MediaWiki administration, just tossing out some ideas. --[[User:Tsuehpsyde|tsuehpsyde]] 17:29, 9 November 2009 (UTC)<br />
<br />
We could figure out where they come from and do the same to them. Secondly, we could create a filter so that unless you're part of a specific group you cannot do more than this many edits in this amount of time. We could try making a period where the admins have to approve the users. Lastly, we could make it so that in the first 12 hours of a user account that user could not edit pages, so it would give time for the sysops to ban the users. [[User:Revolution|Revolution]] 00:02, 10 November 2009 (UTC)<br />
<br />
If the ones you refer to as 'they' are the [http://code.google.com/p/pois0nhack pois0nhack] group then 'they' don't really seem to pose much of a threat in my opinion. I agree that for the time being we could impose some kind of 12/24 hr posting limitation (maybe no more than +-300 char changes?), but no more than that since this is, after all, a public wiki. Sorry if I'm intruding on some kind of admin/mod meeting, just figured I should have my say. --[[User:Rekoil|adriaaan]] 00:27, 10 November 2009 (UTC)<br />
<br />
I am in favor of a 12hr limit for new users, but since it's a public wiki, during this time, contributions would have to be approved by sysops. --Untagged<br />
<br />
Personally I think it would be good to have it so that all edits by new users are thrown into a moderation pool; then, once they have made a good amount of worthwhile contributions, that user can be "whitelisted".<br />
<br />
Maybe we could extend the Twitter-Service to display more information (i.e. "Main Page (-2,439) http://u.nu/5x2t3 " instead of "Main Page - http://u.nu/5x2t3"). That could allow fast detection (and reversal) of vandalism attempts because large edits by "unknown" would be easy to spot. May also add the username and/or the commit message, but then we'd have to check for anything Twitter might interpret or block. --[[User:CleanAir|CleanAir]] 13:58, 12 November 2009 (UTC)<br />
<br />
Can we add a Captcha to the logon process? I don't think all these recent spam pages are done manually. --[[User:Http|http]] 06:29, 15 March 2011 (UTC)<br />
<br />
Good idea [[User:Http|http]], add a Captcha to the logon process and the sign up process for some time --[[User:Whiteshinyapple|Whiteshinyapple]] 09:53, 16 March 2011 (UTC).</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Talk:Baseband_SHSH_Protocol&diff=16745Talk:Baseband SHSH Protocol2011-03-11T06:25:07Z<p>Whiteshinyapple: </p>
<hr />
<div>I just have 1 question: in the request file, the BBChipID is required. How can we extract it? And, if we can't get it, could we extract it by capturing the request sent to Apple? Or is it encrypted? --XiiiX<br />
:Nothing is encrypted. See [[SHSH Protocol]]. For BBChipID: Yes, you can read it by capturing one request. Maybe it's even bb specific and can be read from ipsw. -- [[User:Http|http]] 21:02, 10 March 2011 (UTC)<br />
:BBChipID can be found in the BuildManifest.plist inside the appropriate IPSW file --[[User:Whiteshinyapple|Whiteshinyapple]] 06:25, 11 March 2011 (UTC)</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Recovery_Mode&diff=16715Recovery Mode2011-03-10T08:38:13Z<p>Whiteshinyapple: /* Entering Recovery Mode */</p>
<hr />
<div>[[Image:Recovery Mode.jpg|thumb|right|iPhone in Recovery Mode.]]<br />
Recovery Mode is a failsafe in [[iBoot (Bootloader)|iBoot]] that is used to reflash the device with a new OS, whether the currently installed one is somehow damaged or the device is undergoing an upgrade via [[iTunes]].<br />
<br />
Information about [[Recovery Mode (Protocols)|Recovery Mode's protocols]] is available.<br />
<br />
== Entering Recovery Mode ==<br />
=== Automatic Method ===<br />
Call the AMDeviceEnterRecovery function in the [[MobileDevice Library|MobileDevice Framework]].<br />
=== Manual Method ===<br />
# Connect the device to the computer.<br />
# Make sure the iPhone is on the home screen.<br />
# Hold the Home button and the Power button until the Connect to iTunes logo is seen.<br />
# Ignore the Slide to Power Off message.<br />
<br />
or<br />
# Turn off the device.<br />
# Press and hold the Home button.<br />
# Connect the device to the computer running iTunes.<br />
# Wait until you see the iTunes logo on the iPhone.<br />
<br />
== Exiting Recovery Mode ==<br />
=== Automatic Method ===<br />
Call the AMRecoveryDeviceSetAutoBoot and AMRecoveryDeviceReboot functions in the [[MobileDevice Library|MobileDevice Framework]],<br />
or send the following commands to the [[iPhone]] using a terminal:<br />
<br />
<pre>> setenv auto-boot true<br />
> saveenv<br />
> reboot</pre><br />
<br />
=== Manual Method ===<br />
Hold the Home button and the Power button until the Apple logo appears.<br />
<br />
== Recovery Mode output to the computer ==<br />
iProduct: "Apple Mobile Device (Recovery Mode)"<br />
iSerialNumber: "CPID:XXXX CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX IBFL:01 SRNM:[XXXXXXXXXXX] IMEI:[XXXXXXXXXXXXXXX]"</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Recovery_Mode&diff=16714Recovery Mode2011-03-10T08:37:54Z<p>Whiteshinyapple: /* Automatic Method */</p>
<hr />
<div>[[Image:Recovery Mode.jpg|thumb|right|iPhone in Recovery Mode.]]<br />
Recovery Mode is a failsafe in [[iBoot (Bootloader)|iBoot]] that is used to reflash the device with a new OS, whether the currently installed one is somehow damaged or the device is undergoing an upgrade via [[iTunes]].<br />
<br />
Information about [[Recovery Mode (Protocols)|Recovery Mode's protocols]] is available.<br />
<br />
== Entering Recovery Mode ==<br />
=== Automatic Method ===<br />
Call the AMDeviceEnterRecovery function in [[MobileDevice Library|iTunesMobileDevice.dll]].<br />
=== Manual Method ===<br />
# Connect the device to the computer.<br />
# Make sure the iPhone is on the home screen.<br />
# Hold the Home button and the Power button until the Connect to iTunes logo is seen.<br />
# Ignore the Slide to Power Off message.<br />
<br />
or<br />
# Turn off the device.<br />
# Press and hold the Home button.<br />
# Connect the device to the computer running iTunes.<br />
# Wait until you see the iTunes logo on the iPhone.<br />
<br />
== Exiting Recovery Mode ==<br />
=== Automatic Method ===<br />
Call the AMRecoveryDeviceSetAutoBoot and AMRecoveryDeviceReboot functions in the [[MobileDevice Library|MobileDevice Framework]],<br />
or send the following commands to the [[iPhone]] using a terminal:<br />
<br />
<pre>> setenv auto-boot true<br />
> saveenv<br />
> reboot</pre><br />
<br />
=== Manual Method ===<br />
Hold the Home button and the Power button until the Apple logo appears.<br />
<br />
== Recovery Mode output to the computer ==<br />
iProduct: "Apple Mobile Device (Recovery Mode)"<br />
iSerialNumber: "CPID:XXXX CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX IBFL:01 SRNM:[XXXXXXXXXXX] IMEI:[XXXXXXXXXXXXXXX]"</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=ECID&diff=16713ECID2011-03-10T08:37:01Z<p>Whiteshinyapple: /* Developer Instructions */</p>
<hr />
<div>The '''E'''xclusive '''C'''hip '''ID''', or '''ECID''', is an identifier unique to every unit.<br />
<br />
ECID looks like this: <tt>00000XXXXXXXXXXX</tt> (hex)<br />
<br />
Please be aware that some tools (like [[TinyUmbrella]]) display the ECID in decimal format.<br />
<br />
The ECID is a very important element in the [[SHSH Protocol|SHSH Protocol]].<br />
<br />
== Get your ECID ==<br />
===Mac Instructions===<br />
*Put your device in [[Recovery Mode]] or [[DFU Mode]].<br />
*Open System Profiler. (in /Applications/Utilities/)<br />
*In the sidebar, go to "USB" (in the "Hardware" section)<br />
*Under "Serial Number", there should be a part called "ECID". There you go.<br />
<br />
===Windows Instructions===<br />
* Put your device in [[Recovery Mode]] or [[DFU Mode]].<br />
* Open Device Manager and right click on Apple Mobile Device (Recovery or DFU Mode) for properties<br />
* Click on the details tab <br />
* Click on the dropdown box and select Device Instance Path<br />
* You should find it in the textbox<br />
<br />
===Developer Instructions===<br />
Call the AMDeviceCopyValue function in the [[MobileDevice Library|MobileDevice Framework]] with the "UniqueChipID" value. It returns the ECID as a CFNumber (kCFNumberSInt64Type) object.</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Baseband_SHSH_Protocol&diff=16710Baseband SHSH Protocol2011-03-10T05:52:20Z<p>Whiteshinyapple: New page: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "<nowiki>http://www.apple.com/DTDs/PropertyList-1.0.dtd</nowiki>"> <plist version=...</p>
<hr />
<div> <?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "<nowiki>http://www.apple.com/DTDs/PropertyList-1.0.dtd</nowiki>"><br />
<br />
<plist version="1.0"><br />
<dict><br />
<key>@HostIpAddress</key><br />
<string>192.168.0.1</string><br />
<key>@HostPlatformInfo</key><br />
<string>windows</string> <br />
<key>@VersionInfo</key><br />
<string>libauthinstall-34</string><br />
<key>ApBoardID</key><br />
<integer></integer><br />
<key>ApChipID</key><br />
<integer></integer><br />
<key>ApECID</key><br />
<string></string><br />
<key>ApProductionMode</key><br />
<true /> <br />
<key>ApSecurityDomain</key><br />
<integer></integer> <br />
<key>BbChipID</key><br />
<integer></integer><br />
<key>BbGoldCertId</key><br />
<integer></integer><br />
<key>BbSNUM</key><br />
<data></data><br />
<key>BbSkeyId</key><br />
<data></data><br />
<key>BbNonce</key><br />
<data></data><br />
<key>UniqueBuildID</key><br />
<data></data><br />
<key>FlashPSI-PartialDigest</key><br />
<data></data><br />
<key>RamPSI-PartialDigest</key><br />
<data></data><br />
</dict><br />
</plist></div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Talk:SHSH_Protocol&diff=16661Talk:SHSH Protocol2011-03-09T13:52:08Z<p>Whiteshinyapple: </p>
<hr />
<div>== Naming ==<br />
Or should I better have named this '''TSS Protocol''' instead? -- [[User:Http|http]] 21:23, 15 August 2010 (UTC)<br />
<br />
I think the current title is easier to tell it relates to shsh. I can't recall what tss stands for, and I think it would also be easier to find. [[User:Iemit737|Iemit737]] 21:36, 15 August 2010 (UTC)<br />
<br />
== Implementation ==<br />
<br />
How can I implement this on a Linux-based system? I have the request, but the 'telnet' and 'POST' commands don't work. --[[User:Dra1nerdrake|dra1nerdrake]] 22:40, 15 August 2010 (UTC)<br />
<br />
Telnet should work. Just enter<br />
telnet gs.apple.com 80<br />
Then you get an HTTP connection. Then send the request and terminate it with two CR/LF and you get the response. You can try with any other web page first; that should work the same way:<br />
telnet www.google.com 80<br />
Then:<br />
GET / HTTP/1.0<br />
<br />
<br />
And didn't [[User:Semaphore|semaphore]] release a unix version with some source code of [[TinyUmbrella]]? -- [[User:Http|http]] 23:49, 15 August 2010 (UTC)<br />
<br />
Great, thanks, forgot the port number. He released unix TinyUmbrella, but it segfaults and I can't code in Java. --[[User:Dra1nerdrake|dra1nerdrake]] 04:18, 16 August 2010 (UTC)<br />
<br />
EDIT: I can't seem to get it to work. I do:<br />
telnet cydia.saurik.com 80<br />
Then I do<br />
POST /TSS/controller?action=2 HTTP/1.1<br />
Accept: */*<br />
Cache-Control: no-cache<br />
Content-type: text/xml; charset="utf-8"<br />
User-Agent: InetURL/1.0<br />
Content-Length: 411<br />
Host: gs.apple.com<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>@HostIpAddress</key><br />
<string>192.168.0.1</string><br />
<key>@HostPlatformInfo</key><br />
<string>darwin</string><br />
<key>@VersionInfo</key><br />
<string>3.8</string><br />
<key>@Locality</key><br />
<string>en_US</string><br />
<key>ApProductionMode</key><br />
<true/><br />
<key>ApECID</key><br />
<string>1430661561679</string><br />
<key>ApChipID</key><br />
<integer>35106</integer><br />
<key>ApBoardID</key><br />
<integer>2</integer><br />
<key>ApSecurityDomain</key><br />
<integer>1</integer><br />
<key>UniqueBuildID</key><br />
<data><br />
uvWKIop3L16LfQymS8IyiDZXXw0=<br />
</data><br />
<key>AppleLogo</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
kK7SLPJWvaq+GAn9Dm/sG6aJjXg=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>BatteryCharging</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
lvxtYniO/PKy46ZZV0YIe9ZeNt0=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/glyphcharging.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAAHhHAADPFoOCbp1jZBqTtFlCT3XE/qYkKw==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>BatteryCharging0</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
+o+lH7zqvh90+/cRCjNeSmTsNvU=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/batterycharging0.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAAPhEAADGKdYO2peJTZrXjeitEdUEMiC8hw==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>BatteryCharging1</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
u7NDP6MdWuEGT5Q4Qsm/OrsGTuE=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key> <br />
<string>Firmware/all_flash/all_flash.n18ap.production/batterycharging1.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAADhZAAAWwQq0Y75xTjOyQ9gxMVNrczF01g==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>BatteryFull</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
fTK7DLd3XJTHX9ywLJy97+VeUN0=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/batteryfull.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAADghAQDNQ9aqlsb/szaE/5Xh9OJF1WIhxw==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>BatteryLow0</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
rdMyyO2tICLCLzvxY05lirfWrzQ=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/batterylow0.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAALjVAAB7wuaDZva7tC1CGWUl4ATOZ7aUbA==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>BatteryLow1</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
ecfArQo2Cxly0h6D7iYT9TLKSSE=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/batterylow1.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAAPj2AAABqpmcEB9sOeTSulytXfC8KWZU9g==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>BatteryPlugin</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
MtXc08RsYs+6BMhD4kY0quNr/AU=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/glyphplugin.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAAHhDAABQJN3XJEBkNhnJqv6Ra2zBYJeuoQ==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>DeviceTree</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
ngiLrFM16Bg/BkPkmqf59h3H90c=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>KernelCache</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
F978uz3zV6USmE34FMmm6xeQDwU=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>kernelcache.release.s5l8922x</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>LLB</key><br />
<dict><br />
<key>BuildString</key><br />
<string>iBoot-636.66~5</string><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/LLB.n18ap.RELEASE.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAADgxAQDkevEFsIGKqarjmv9T7avG8oGXhg==<br />
</data><br />
</dict><br />
<key>NeedService</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
klkKn9XNikUb9bdtVU7b2yv9OYc=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/needservice.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAALhHAACO1eYCz8W9YsCQ5OT1T0CFHk+aHQ==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>OS</key><br />
<dict><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>018-6152-014.dmg</string><br />
</dict><br />
</dict><br />
<key>RecoveryMode</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
DjD6JMIq4Qnnsay14L3jL+AdxPs=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/recoverymode.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAAPiyAABju7ZnxiRutww2vcmjIIlXG4KSAA==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>RestoreDeviceTree</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
ngiLrFM16Bg/BkPkmqf59h3H90c=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/DeviceTree.n18ap.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAALiDAABl290rfckYS+L3TjGRA7j8avdgDg==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>RestoreKernelCache</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
F978uz3zV6USmE34FMmm6xeQDwU=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>kernelcache.release.s5l8922x</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAALhxPQDOpPhRPAe/mVP5J89iIhtaQEmJgg==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>RestoreLogo</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
kK7SLPJWvaq+GAn9Dm/sG6aJjXg=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/applelogo.s5l8922x.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAAHgdAADDPQY07wMJ1z2qVSjKuM4iqjhFKw==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>RestoreRamDisk</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
20tqZkEp1wApx1tz+ZCP38axvHE=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>018-6145-014.dmg</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAAPjQuwAyMjwJWKpL0b8bUzYKajbbPEVuPA==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
<key>iBEC</key><br />
<dict><br />
<key>BuildString</key><br />
<string>iBoot-636.66~5</string><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>Firmware/dfu/iBEC.n18ap.RELEASE.dfu</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAADjRAQDQA4xYDDo21pS9j57YWeGp6l/TvA==<br />
</data><br />
</dict><br />
<key>iBSS</key><br />
<dict><br />
<key>BuildString</key><br />
<string>iBoot-636.66~5</string><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>Firmware/dfu/iBSS.n18ap.RELEASE.dfu</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAADjRAQA2J3DDdRv+TmjaGodpeT634g/Haw==<br />
</data><br />
</dict><br />
<key>iBoot</key><br />
<dict><br />
<key>Digest</key><br />
<data><br />
soCT6YL1cig/OKRvbam3igRcvaQ=<br />
</data><br />
<key>Info</key><br />
<dict><br />
<key>IsFirmwarePayload</key><br />
<true/><br />
<key>Path</key><br />
<string>Firmware/all_flash/all_flash.n18ap.production/iBoot.n18ap.RELEASE.img3</string><br />
</dict><br />
<key>PartialDigest</key><br />
<data><br />
QAAAADihAgB46rf/axQHtuftGLR8SDpdOuOywA==<br />
</data><br />
<key>Trusted</key><br />
<true/><br />
</dict><br />
</dict><br />
</plist><br />
<CR><LF><br />
<CR><LF><br />
But no dice. --[[User:Dra1nerdrake|dra1nerdrake]] 18:33, 16 August 2010 (UTC)<br />
----<br />
*I think your main problem is that your content is more than the 411 bytes that you specified.<br />
*Where do you have the digest etc. values from?<br />
*In my article I didn't write about the Info key you added. What is that?<br />
-- [[User:Http|http]] 20:45, 16 August 2010 (UTC)<br />
<br />
I copied the entire plist from a plist generated by [[idevicerestore]]. Digest values are from the buildmanifest.plist, at the root directory of the firmware. I ran it in debug mode (-d). What should I put in place of 411? --[[User:Dra1nerdrake|dra1nerdrake]] 02:12, 17 August 2010 (UTC)<br />
<br />
It should be the size of the data you transfer. The data seems to be much longer than 411 bytes, I didn't count though. See section 14.13 [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html here (RFC2616)]. --[[User:Http|http]] 03:56, 17 August 2010 (UTC)<br />
<br />
Did it finally work for you? Also: Do you know how [[idevicerestore]] creates these Digest values? If you find that out, maybe you can update the article. -- [[User:Http|http]] 22:42, 24 August 2010 (UTC)<br />
<br />
Curl is more suitable for LL HTTP, try something like:<br />
<pre><br />
$ curl -v "http://cydia.saurik.com/TSS/controller?action=2" -X POST -d @1.plist -H "Host: gs.apple.com" -H "Content-type: text/xml; charset=utf8"<br />
* About to connect() to cydia.saurik.com port 80 (#0)<br />
* Trying 74.208.10.249... connected<br />
* Connected to cydia.saurik.com (74.208.10.249) port 80 (#0)<br />
> POST /TSS/controller?action=2 HTTP/1.1<br />
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3<br />
> Accept: */*<br />
> Host: gs.apple.com<br />
> Content-type: text/xml; charset=utf8<br />
> Content-Length: 8222<br />
> Expect: 100-continue<br />
> <br />
< HTTP/1.1 100 Continue<br />
< HTTP/1.1 200 OK<br />
< Server: nginx/0.7.64<br />
< Date: Thu, 26 Aug 2010 09:27:56 GMT<br />
< Content-Type: text/plain<br />
< Transfer-Encoding: chunked<br />
< Connection: keep-alive<br />
< Cache-Control: private, proxy-revalidate<br />
< <br />
STATUS=94&MESSAGE=This device isn't eligible for the requested build.<br />
* Connection #0 to host cydia.saurik.com left intact<br />
* Closing connection #0<br />
</pre><br />
where 1.plist is a file with your plist<br />
--[[User:Vasfed|Vasfed]] 09:41, 26 August 2010 (UTC)<br />
<br />
== Request? ==<br />
I'm still not understanding the telnet part of this. I can connect fine, but what exactly is the request that I have to send in order to get back a plist file with the SHSH blobs? --[[User:Cool name|Cool name]] 04:08, 16 August 2010 (UTC)<br />
== Rewrite ==<br />
Somebody should rewrite this article as it is partially wrong and the iPhone 4 needs more values, but I can't seem to figure out all of them. --[[User:sn0wra1n|sn0wra1n]]<br />
: It is not that different: [http://pastebin.com/r8XNaVFY iPhone 4 build manifest] and [http://pastebin.com/f2wv9y2m iPhone 3GS build manifest]; the only difference is<br />
<br />
<key>BbChipID</key><br />
<string>0x50</string><br />
<key>BbSkeyId</key><br />
<data><br />
l6s0rAaT9bA7+3JtTiwlTxTicKE=<br />
</data><br />
<key>EBL-Digest</key><br />
<data>B/rJD65edrIfdautbDNZaJuUfOU=</data><br />
<key>FlashPSI-PartialDigest</key><br />
<data>QAQAAMB6AACo7NXgZ2muHRNmX3gIXFDTaxOfUA==</data><br />
<key>FlashPSI-SecPackDigest</key><br />
<data>aV7n5VUpvSbMWA4ImMj4R0vfpmk=</data><br />
<key>FlashPSI-Version</key><br />
<string>0x00020008</string><br />
<key>Info</key><br />
<dict><br />
<key>Path</key><br />
<string>Firmware/ICE3_03.10.01_BOOT_02.08.Release.bbfw</string><br />
</dict><br />
<key>ModemStack-Digest</key><br />
<data>Bf9WSgSASGLSpQqRYdAFIt6Nce8=</data><br />
<key>ModemStack-Length</key><br />
<string>0x006f0934</string><br />
<key>ModemStack-SecPackDigest</key><br />
<data>sjmc0PFoajjg5fJLcLztnN27YVM=</data><br />
<key>RamPSI-PartialDigest</key><br />
<data>QAQAAMD5AACPnk/ZFyWqznQdTlQX95aC8NXjqQ==</data><br />
<key>RamPSI-Version</key><br />
<string>0x00020008</string><br />
</dict><br />
</plist><br />
--[[User:Liamchat|liamchat]] 13:12, 19 December 2010 (UTC)<br />
:So if I want to create an SHSH request, I just copy the BuildManifest.plist and add the ECID value only? If not, is there any sample SHSH request plist with the entire thing? --[[User:sn0wra1n|sn0wra1n]]<br />
::Yes, but the baseband will also give its nonce key (which is required to validate the SHSH of the baseband), so you could cache the baseband SHSHs, but the nonce is what makes them work. --[[User:Liamchat|liamchat]] 14:59, 19 December 2010 (UTC)<br />
<br />
I decided to use my iPod touch 4 rather than my iPhone 4, so this is what I got: [http://pastie.org/private/7xcigxahj9sdfjeoa5f0w SHSH Request Plist]. The problem is that I don't receive anything after submitting. How long should I wait to receive it?<br />
*How do i calculate my content-length (with or without the headers size?) <br />
*Must the plist be spaced/formatted correctly?<br />
--[[User:Sn0wra1n|Sn0wra1n]] 01:59, 21 December 2010 (UTC)<br />
:*Content-Length: This is the standard http protocol. See [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13 RFC2616] chapters 14.13 and 4.4. In short: only the message body, not the header.<br />
:*spacing/formatting: shouldn't matter; it's XML<br />
:*time: answer should come immediately. If you get no reply, try to get the Google start page this way first - there you don't need a message body. Also you can start with HTTP/1.0, there you don't need ''any'' header rows (except the GET statement of course):<br />
GET / HTTP/1.0<br />
<br />
<br />
:--[[User:Http|http]] 07:41, 21 December 2010 (UTC)<br />
<br />
Actually, I'm not sure about calculating the Content-Length. Is it just the XML file's words, including spaces or not including spaces? --[[User:Sn0wra1n|Sn0wra1n]] 10:07, 21 December 2010 (UTC)<br />
:It includes every byte you send: spaces, carriage-return, linefeed, etc. --[[User:Http|http]] 16:28, 21 December 2010 (UTC)<br />
:Thanks for your help. Seems like Windows 7 adds 2 extra bytes to the file size, so I had problems. I managed to get the iTunes SHSH request and found that the Info tag, BBTicket value and APTicket value are not needed. --[[User:Sn0wra1n|Sn0wra1n]] 09:26, 22 December 2010 (UTC)<br />
<br />
==Baseband SHSH Protocol==<br />
Seems like there is a Baseband SHSH Protocol too. Maybe someone should write a wiki page on it. I'm trying to understand notcom's [http://www.github.com/iSn0wra1n/TinyUmbrella TinyUmbrella code] --[[User:Whiteshinyapple|Whiteshinyapple]] 13:52, 9 March 2011 (UTC)</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Plutil&diff=16137Plutil2011-02-14T08:54:48Z<p>Whiteshinyapple: </p>
<hr />
<div>plutil is a plist reader/converter used by iTunes and Xcode. It converts an XML file to a binary plist and a native plist.<br />
==Apple's plutil==<br />
<br />
Usage : <br />
<br />
==Erica's plutil==<br />
<br />
<pre><br />
plutil: [command_option] [other_options] file...<br />
    -h          show this message and exit<br />
    -l          output a list of the properties (default)<br />
    -k          list the top level property list keys<br />
    -t          create new property list(s) and exit<br />
    -c fmt      rewrite the property list in format<br />
                fmt is one of xml1 binary1<br />
Setting and accessing (writes to XML):<br />
    -v key      retrieve the value for key<br />
    -s key      set the value for key with the option given in -v<br />
    -i key      set int value for the key with the option given in -v<br />
    -f key      set float value for the key with the option given in -v<br />
    -0 key      set the key to the boolean value false<br />
    -1 key      set the key to the boolean value true<br />
    -r key      remove the key/value pair for key<br />
</pre></div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Plutil&diff=16136Plutil2011-02-14T08:52:30Z<p>Whiteshinyapple: </p>
<hr />
<div>==Apple's plutil==<br />
<br />
Usage : <br />
<br />
==Erica's plutil==<br />
<br />
<pre><br />
plutil: [command_option] [other_options] file...<br />
    -h          show this message and exit<br />
    -l          output a list of the properties (default)<br />
    -k          list the top level property list keys<br />
    -t          create new property list(s) and exit<br />
    -c fmt      rewrite the property list in format<br />
                fmt is one of xml1 binary1<br />
Setting and accessing (writes to XML):<br />
    -v key      retrieve the value for key<br />
    -s key      set the value for key with the option given in -v<br />
    -i key      set int value for the key with the option given in -v<br />
    -f key      set float value for the key with the option given in -v<br />
    -0 key      set the key to the boolean value false<br />
    -1 key      set the key to the boolean value true<br />
    -r key      remove the key/value pair for key<br />
</pre></div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Plutil&diff=16135Plutil2011-02-14T08:49:22Z<p>Whiteshinyapple: New page: Coming Soon...</p>
<hr />
<div>Coming Soon...</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=SHSH_Protocol&diff=15963SHSH Protocol2011-02-09T09:25:29Z<p>Whiteshinyapple: </p>
<hr />
<div>This page describes the protocol used when [[iTunes]] requests the [[SHSH]] certificate from Apple. For details about what this is used for, please see the main article [[SHSH]].<br />
<br />
This is a simple [[wikipedia:Hypertext Transfer Protocol|HTTP]] ([[wikipedia:POST (HTTP)|POST]]) request and answer. You can reproduce it via a [[wikipedia:Telnet|Telnet]] session or similar. The destination host is gs.apple.com (IP 17.112.176.11) and runs on the common [[wikipedia:Hypertext Transfer Protocol|HTTP]] [[wikipedia:TCP and UDP port|port]] 80. The data is plaintext and not encoded in any way. For details about the [[wikipedia:Hypertext Transfer Protocol|HTTP]] protocol itself, please see [http://www.w3.org/Protocols/HTTP/1.1/rfc2616.pdf RFC2616].<br />
<br />
===Sending data (request)===<br />
POST /TSS/controller?action=2 HTTP/1.1<br />
Accept: */*<br />
Cache-Control: no-cache<br />
Content-type: text/xml; charset="utf-8"<br />
User-Agent: InetURL/1.0<br />
Content-Length: 12345<br />
Host: gs.apple.com<br />
<br />
(here comes the Plist request file)<br />
<br />
===Receiving data (answer)===<br />
HTTP/1.1 200 OK<br />
Date: Sun, 15 Aug 2010 19:25:18 GMT<br />
Server: Apache-Coyote/1.1<br />
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5<br />
Content-Type: text/html<br />
Content-Length: 123456<br />
MS-Author-Via: DAV<br />
<br />
STATUS=0&MESSAGE=SUCCESS&REQUEST_STRING=(here comes the requested [[SHSH]] file)<br />
<br />
===Plist request file===<br />
'''NOTE: ''This template is only for devices other than the iPhone 4'''''<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "<nowiki>http://www.apple.com/DTDs/PropertyList-1.0.dtd</nowiki>"><br />
<br />
<plist version="1.0"><br />
<dict><br />
<key>@HostIpAddress</key><br />
<string>192.168.0.1</string><br />
<key>@HostPlatformInfo</key><br />
<string>windows</string> -------> "darwin" without quotes for Mac/Linux Systems<br />
<key>@Locality</key><br />
<string>en_US</string><br />
<key>@VersionInfo</key><br />
<string>libauthinstall-34</string> -------> "3.8" without quotes for Mac/Linux Systems<br />
<key>ApBoardID</key><br />
<integer>____</integer><br />
<key>ApChipID</key><br />
<integer>____</integer><br />
<key>ApECID</key><br />
<string>*************</string> ------------> This is your own [[ECID]]<br />
<key>ApProductionMode</key><br />
<true /> <br />
<key>ApSecurityDomain</key><br />
<integer>_____</integer><br />
<key>UniqueBuildID</key><br />
<data>_________________________</data><br />
<key>AppleLogo</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryCharging</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryCharging0</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryCharging1</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryFull</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryLow0</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryLow1</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryPlugin</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>DeviceTree</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>KernelCache</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>LLB</key><br />
<dict><br />
<key>BuildString</key><br />
<string>_________________________</string><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
</dict><br />
<key>RecoveryMode</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>RestoreDeviceTree</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>RestoreKernelCache</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>RestoreLogo</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>RestoreRamDisk</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>iBEC</key><br />
<dict><br />
<key>BuildString</key><br />
<string>_________________________</string><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
</dict><br />
<key>iBSS</key><br />
<dict><br />
<key>BuildString</key><br />
<string>_________________________</string><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
</dict><br />
<key>iBoot</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
</dict><br />
</plist><br />
<br />
The underlined values ( _______ ) can be found in the BuildManifest.plist, which is located inside an IPSW file.<br />
===Status responses===<br />
<pre><br />
STATUS=0&MESSAGE=SUCCESS<br />
STATUS=511&MESSAGE=No data in the request <br />
STATUS=551&MESSAGE=Error occured while importing config packet with cpsn: <br />
STATUS=5000&MESSAGE=Invalid Option! <br />
</pre><br />
<br />
===Other parameters / open questions===<br />
Some parameters could have other values. Not all details are known.<br />
*action=2 in the request: what other values exist, and what do they mean?<br />
*STATUS=0&MESSAGE=SUCCESS in the answer: what other values exist?<br />
*ApProductionMode: what does this mean? Is there a test environment?<br />
*ApSecurityDomain: what is its meaning?<br />
*Trusted: what is this for?<br />
*A full description of the values used above for UniqueBuildID, Digest, PartialDigest and BuildString.<br />
<br />
==Resources==<br />
[https://github.com/iSn0wra1n/TinyScreen TinyScreen source code by iSn0wra1n]<br />
[[Category:Firmware Tags]]<br />
[[Category:Firmware Parsing]]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=AT%2BXNONCE&diff=15863AT+XNONCE2011-02-06T05:01:07Z<p>Whiteshinyapple: </p>
<hr />
<div>{{DISPLAYTITLE:AT+NONCE}}<br />
The [[at+nonce]] command returns a random string that was generated at boot time. This string is used, together with some other device-specific identifiers, as a base for Apple to generate a certificate, similar to [[SHSH]], that allows installation of [[Baseband Firmware|baseband firmware]]. The baseband checks the certificate and allows or denies installation of its firmware.<br />
<br>This string can also be obtained through the [[MobileDevice Library]] by calling AMDeviceCopyValue with the key "BasebandNonce".<br />
<br />
===References / More info===<br />
*[http://iphwn.org/nonce.txt example command]<br />
*[[Talk:XMM_6180#Downgrade|discussion]]<br />
*[[User:MuscleNerd|MuscleNerd]] says [http://twitter.com/MuscleNerd/status/18667056119 "baseband is stricter signed"].</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=AT%2BXNONCE&diff=15862AT+XNONCE2011-02-06T04:45:47Z<p>Whiteshinyapple: </p>
<hr />
<div>The [[at+nonce]] command returns a random string that was generated at boot time. This string is used, together with some other device-specific identifiers, as a base for Apple to generate a certificate, similar to [[SHSH]], that allows installation of [[Baseband Firmware|baseband firmware]]. The baseband checks the certificate and allows or denies installation of its firmware.<br />
<br>This string can also be obtained through the [[MobileDevice Library]] by calling AMDeviceCopyValue with the key "BasebandNonce".<br />
<br />
===References / More info===<br />
*[http://iphwn.org/nonce.txt example command]<br />
*[[Talk:XMM_6180#Downgrade|discussion]]<br />
*[[User:MuscleNerd|MuscleNerd]] says [http://twitter.com/MuscleNerd/status/18667056119 "baseband is stricter signed"].</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=SHSH_Protocol&diff=15818SHSH Protocol2011-02-04T09:16:22Z<p>Whiteshinyapple: /* Resources */</p>
<hr />
<div>This page describes the protocol used when [[iTunes]] requests the [[SHSH]] certificate from Apple. For details about what this is used for, please see the main article [[SHSH]].<br />
<br />
This is a simple [[wikipedia:Hypertext Transfer Protocol|HTTP]] ([[wikipedia:POST (HTTP)|POST]]) request and answer. You can reproduce it via a [[wikipedia:Telnet|Telnet]] session or similar. The destination host is gs.apple.com (IP 17.112.176.11) and runs on the common [[wikipedia:Hypertext Transfer Protocol|HTTP]] [[wikipedia:TCP and UDP port|port]] 80. The data is plaintext and not encoded in any way. For details about the [[wikipedia:Hypertext Transfer Protocol|HTTP]] protocol itself, please see [http://www.w3.org/Protocols/HTTP/1.1/rfc2616.pdf RFC2616].<br />
<br />
===Sending data (request)===<br />
POST /TSS/controller?action=2 HTTP/1.1<br />
Accept: */*<br />
Cache-Control: no-cache<br />
Content-type: text/xml; charset="utf-8"<br />
User-Agent: InetURL/1.0<br />
Content-Length: 12345<br />
Host: gs.apple.com<br />
<br />
(here comes the Plist request file)<br />
<br />
===Receiving data (answer)===<br />
HTTP/1.1 200 OK<br />
Date: Sun, 15 Aug 2010 19:25:18 GMT<br />
Server: Apache-Coyote/1.1<br />
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5<br />
Content-Type: text/html<br />
Content-Length: 123456<br />
MS-Author-Via: DAV<br />
<br />
STATUS=0&MESSAGE=SUCCESS&REQUEST_STRING=(here comes the requested [[SHSH]] file)<br />
<br />
===Plist request file===<br />
'''NOTE: ''This template is only for devices other than the iPhone 4'''''<br />
<br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "<nowiki>http://www.apple.com/DTDs/PropertyList-1.0.dtd</nowiki>"><br />
<br />
<plist version="1.0"><br />
<dict><br />
<key>@HostIpAddress</key><br />
<string>192.168.0.1</string><br />
<key>@HostPlatformInfo</key><br />
<string>windows</string> -------> "darwin" without quotes for Mac/Linux Systems<br />
<key>@Locality</key><br />
<string>en_US</string><br />
<key>@VersionInfo</key><br />
<string>libauthinstall-34</string> -------> "3.8" without quotes for Mac/Linux Systems<br />
<key>ApBoardID</key><br />
<integer>____</integer><br />
<key>ApChipID</key><br />
<integer>____</integer><br />
<key>ApECID</key><br />
<string>*************</string> ------------> This is your own [[ECID]]<br />
<key>ApProductionMode</key><br />
<true /> <br />
<key>ApSecurityDomain</key><br />
<integer>_____</integer><br />
<key>UniqueBuildID</key><br />
<data>_________________________</data><br />
<key>AppleLogo</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryCharging</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryCharging0</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryCharging1</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryFull</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryLow0</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryLow1</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>BatteryPlugin</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>DeviceTree</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>KernelCache</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>LLB</key><br />
<dict><br />
<key>BuildString</key><br />
<string>_________________________</string><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
</dict><br />
<key>RecoveryMode</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>RestoreDeviceTree</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>RestoreKernelCache</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>RestoreLogo</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>RestoreRamDisk</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
<key>iBEC</key><br />
<dict><br />
<key>BuildString</key><br />
<string>_________________________</string><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
</dict><br />
<key>iBSS</key><br />
<dict><br />
<key>BuildString</key><br />
<string>_________________________</string><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
</dict><br />
<key>iBoot</key><br />
<dict><br />
<key>Digest</key><br />
<data>_________________________</data><br />
<key>PartialDigest</key><br />
<data>_________________________</data><br />
<key>Trusted</key><br />
<true /><br />
</dict><br />
</dict><br />
</plist><br />
<br />
The underlined values ( _______ ) can be found in the BuildManifest.plist, which is located inside an IPSW file.<br />
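The request and answer described in both revisions of this page above, and the Content-Length questions on the talk page earlier in this feed, as an added example in Python (not code from the wiki, from iTunes or from idevicerestore): it builds the request body from constructed sample BuildManifest entries, computes Content-Length over the body bytes only, and parses a reply of the documented STATUS/MESSAGE/REQUEST_STRING form without mangling the base64 inside it. All digests, identifiers and the sample reply are constructed placeholders, and nothing is sent over the network.<br />

```python
import plistlib
from typing import Dict, Optional, Tuple

TSS_HOST = "gs.apple.com"
TSS_PATH = "/TSS/controller?action=2"

# Constructed sample of two entries from a BuildManifest.plist (placeholder
# digests, not those of any real firmware). The Info dict only carries file
# paths and is not part of the request, as reported on the talk page.
SAMPLE_MANIFEST: Dict[str, dict] = {
    "LLB": {
        "BuildString": "iBoot-PLACEHOLDER",
        "PartialDigest": b"\x03" * 28,
        "Info": {"Path": "Firmware/all_flash/PLACEHOLDER/LLB.img3"},
    },
    "iBoot": {
        "Digest": b"\x04" * 20,
        "PartialDigest": b"\x05" * 28,
        "Trusted": True,
        "Info": {"Path": "Firmware/all_flash/PLACEHOLDER/iBoot.img3"},
    },
}
# Per-component keys copied into the request; everything else is dropped.
SIGNING_KEYS = ("Digest", "PartialDigest", "Trusted", "BuildString")


def build_request_plist(manifest: Dict[str, dict], ecid: int, board_id: int,
                        chip_id: int, security_domain: int,
                        unique_build_id: bytes, platform: str = "windows") -> bytes:
    """XML plist body in the shape of the 'Plist request file' section."""
    request = {
        "@HostIpAddress": "192.168.0.1",
        "@HostPlatformInfo": platform,   # "darwin" on Mac/Linux
        "@Locality": "en_US",
        "@VersionInfo": "libauthinstall-34",
        "ApBoardID": board_id,
        "ApChipID": chip_id,
        "ApECID": str(ecid),             # the ECID travels as a decimal string
        "ApProductionMode": True,
        "ApSecurityDomain": security_domain,
        "UniqueBuildID": unique_build_id,
    }
    for name, entry in manifest.items():
        request[name] = {k: v for k, v in entry.items() if k in SIGNING_KEYS}
    return plistlib.dumps(request, fmt=plistlib.FMT_XML)


def build_http_request(body: bytes) -> bytes:
    """Headers from 'Sending data (request)' followed by the body.

    Content-Length counts the body bytes only, never the headers (RFC 2616
    section 14.13), but every body byte counts, spaces and CR/LF included:
    a file saved with CRLF line endings needs a larger value than with LF.
    """
    headers = [
        f"POST {TSS_PATH} HTTP/1.1",
        "Accept: */*",
        "Cache-Control: no-cache",
        'Content-type: text/xml; charset="utf-8"',
        "User-Agent: InetURL/1.0",
        f"Content-Length: {len(body)}",
        f"Host: {TSS_HOST}",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def parse_tss_response(text: str) -> Tuple[int, str, Optional[dict]]:
    """Split STATUS=..&MESSAGE=..&REQUEST_STRING=.. into (status, message, blob).

    The plist after REQUEST_STRING= is taken verbatim instead of going through
    a query-string parser: it is not percent-encoded, and its base64 <data>
    values contain '+' and '=' that urllib.parse.parse_qs would mangle.
    """
    head, found, blob = text.partition("&REQUEST_STRING=")
    fields = {}
    for part in head.split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    status = int(fields.get("STATUS", "-1"))
    shsh = plistlib.loads(blob.encode("utf-8")) if found else None
    return status, fields.get("MESSAGE", ""), shsh


def make_sample_reply(status: int, message: str, blob: Optional[dict] = None) -> str:
    """Constructed reply in the documented form, for exercising the parser offline."""
    reply = f"STATUS={status}&MESSAGE={message}"
    if blob is not None:
        reply += "&REQUEST_STRING=" + plistlib.dumps(blob).decode("utf-8")
    return reply


if __name__ == "__main__":
    body = build_request_plist(SAMPLE_MANIFEST, ecid=1234567890, board_id=0,
                               chip_id=0x8922, security_domain=1,
                               unique_build_id=b"\x06" * 20)  # sample identifiers
    print(build_http_request(body).decode("utf-8"))
    print(parse_tss_response(make_sample_reply(94, "This device isn't eligible for the requested build.")))
```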
<br />
===Other parameters / open questions===<br />
Some parameters could have other values. Not all details are known.<br />
*action=2 in the request: what other values exist, and what do they mean?<br />
*STATUS=0&MESSAGE=SUCCESS in the answer: what other values exist?<br />
*ApProductionMode: what does this mean? Is there a test environment?<br />
*ApSecurityDomain: what is its meaning?<br />
*Trusted: what is this for?<br />
*A full description of the values used above for UniqueBuildID, Digest, PartialDigest and BuildString.<br />
<br />
==Resources==<br />
[https://github.com/iSn0wra1n/TinyScreen TinyScreen source code by iSn0wra1n]<br />
[[Category:Firmware Tags]]<br />
[[Category:Firmware Parsing]]</div>
Whiteshinyapple | https://www.theiphonewiki.com/w/index.php?title=Preventing_Baseband_Update&diff=15767 | Preventing Baseband Update | 2011-02-02T05:24:48Z | Whiteshinyapple: /* TinyUmbrella/Cydia Method (iPhone 4) */
<hr />
<div>===Edit options.plist===<br />
# Unpack custom IPSW<br />
# Decrypt Restore Ramdisk using [[xpwntool]] and mount it<br />
# Navigate to /usr/local/share/restore <br />
# Edit options.plist on the restore ramdisk <br />
(Leave every other key in the plist as it is; change only UpdateBaseband.)<br />
<pre><br />
<key>UpdateBaseband</key><br />
<false/><br />
</pre><br />
<ol start="5"><br />
<li>Reencrypt the restore ramdisk</li><br />
<li>Repack the IPSW</li><br />
<li>Prepare device for custom firmware using [[redsn0w]]</li><br />
<li>Restore the IPSW with [[iTunes]] while the device is in pwned [[DFU Mode]], using the appropriate method (see the Restoring The Modified IPSW section below)</li><br />
</ol><br />
<br />
You must load a patched [[iBSS]]/[[iBEC]] for this to work. Using an original IPSW will not work: redsn0w's pwned DFU Mode only allows the first unsigned image (the iBSS) to load, it does not patch the signature checks inside that iBSS, so a stock [[iBSS]] (which is loaded from the IPSW) would still reject the modified images that follow it.<br />
<br />
==Restoring The Modified IPSW==<br />
Firmwares from 4.2.1 onward have a baseband version check on the [[Restore Ramdisk]]. If the modified IPSW is restored, iTunes reports error 1015 and the iPhone ends up in a recovery mode loop that cannot be exited with TinyUmbrella or the 'setenv auto-boot true' command.<br />
<br>Fortunately, the [[Update Ramdisk]] does not contain that check, so if the Update Method described below is used, iTunes reports error 1013 instead, and that loop can be exited with TinyUmbrella or the iRecovery command.<br />
===Update Method===<br />
Windows users: open iTunes, hold Shift and click Update, then select the modified IPSW.<br />
<br>Mac users: open iTunes, hold Option (Alt) and click Update, then select the modified IPSW.<br />
===Restore Method===<br />
Windows users: open iTunes, hold Shift and click Restore, then select the modified IPSW.<br />
<br>Mac users: open iTunes, hold Option (Alt) and click Restore, then select the modified IPSW.<br />
<br />
==[[TinyUmbrella]]/[[Cydia.app|Cydia]] Method (iPhone 4)==<br />
<br />
The [[N90ap|iPhone 4]] requires an [[at+nonce]] key signature from Apple in order to update the baseband. Pointing gs.apple.com in the hosts file at the [[Cydia Server]], or running [[TinyUmbrella]], causes this signing request to be ignored, which prevents the [[baseband]] update.<br />
<br />
*'''This only works if [[Cydia]]/[[TinyUmbrella]] accepts the firmware's SHSH.'''<br />
*'''This method 'works' with [[iOS]] 4.2.1, but the restore ramdisk contains a baseband version check. If the version doesn't match, the device crashes before the Apple logo with the loading bar (the second one, not the restore one) appears, boots again and crashes again. The usual 'kick out of recovery mode' methods or "setenv auto-boot true" won't help, because auto-boot being false is not the problem. So this method is actually not useful for [[iOS]] 4.2.1.'''<br />
# Edit the hosts file and add the line "74.208.10.249 gs.apple.com" without the quotes, or run [[TinyUmbrella]] after saving the firmware's SHSH. If the [[Cydia Server]] hasn't got your [[SHSH]] but you have it locally, use the TSS Server method in [[TinyUmbrella]]. Remove the hosts line again once you are done; while it is in place, every later restore or update sends its signing requests to that server instead of to Apple.<br />
# Use the "Restore" button in [[iTunes]] if the firmware version is below 4.2; otherwise use the "Update" button in [[iTunes]].<br />
# You will get error 1013; it can be cleared with the Exit Recovery Mode button in [[TinyUmbrella]] or by typing 'setenv auto-boot true' followed by 'saveenv' in [[iRecovery]].<br />
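As an added example (not code from this page, TinyUmbrella or Cydia), here is the hosts-file step from the list above done in Python, written so that the redirect can be reverted cleanly afterwards. It assumes nothing beyond what the page states: the address 74.208.10.249 and the name gs.apple.com are the ones given above, and the sample hosts contents are constructed. The functions work on the file's text rather than on a path, so the same code serves set-up, clean-up and a check of what the host currently resolves to.<br />

```python
# Apple's signing host and the Cydia server address given on this page.
TSS_HOST = "gs.apple.com"
CYDIA_TSS_IP = "74.208.10.249"


def _without_host(line, hostname):
    """Drop hostname from the active part of one hosts line.

    Returns the line unchanged when it does not map hostname, the line with just
    that name removed when other names share it, or None when the line mapped
    only hostname. Text after '#' is a comment and is preserved as-is, so a
    commented-out mapping is never treated as active.
    """
    active, hash_, comment = line.partition("#")
    fields = active.split()
    if len(fields) < 2 or hostname.lower() not in (f.lower() for f in fields[1:]):
        return line
    names = [f for f in fields[1:] if f.lower() != hostname.lower()]
    if not names:
        return None
    rebuilt = " ".join([fields[0], *names])
    return f"{rebuilt} {hash_}{comment}" if hash_ else rebuilt


def clear_tss_redirect(hosts_text, hostname=TSS_HOST):
    """Remove every active mapping for hostname; all other lines stay untouched."""
    kept = [new for line in hosts_text.splitlines()
            if (new := _without_host(line, hostname)) is not None]
    return "\n".join(kept) + ("\n" if kept else "")


def set_tss_redirect(hosts_text, ip=CYDIA_TSS_IP, hostname=TSS_HOST):
    """Point hostname at ip with exactly one active line, replacing any earlier mapping."""
    return clear_tss_redirect(hosts_text, hostname) + f"{ip} {hostname}\n"


def active_redirect(hosts_text, hostname=TSS_HOST):
    """Return the address hostname currently resolves to through this file, or None."""
    for line in hosts_text.splitlines():
        fields = line.partition("#")[0].split()
        if len(fields) >= 2 and hostname.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


if __name__ == "__main__":
    import sys
    # Usage: python tss_hosts.py set|clear <path-to-hosts-file>
    action, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    text = set_tss_redirect(text) if action == "set" else clear_tss_redirect(text)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    print(f"{TSS_HOST} -> {active_redirect(text)}")
```

The hosts file is /etc/hosts on Mac OS X and C:\Windows\System32\drivers\etc\hosts on Windows; writing either needs administrator rights. Running the script with "clear" after the restore is the part people forget, and it is what brings iTunes back to Apple's server.<br />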
<br />
==[[User:Ih8sn0w|iH8Sn0w]]'s Method==<br />
User [[User:Ih8sn0w|IH8sn0w]] mentioned a new method in [http://twitter.com/iH8sn0w/status/19249886721478656 this tweet] (an upgrade-only option in [[Sn0wbreeze]]). [http://twitter.com/iH8sn0w/status/19453808090288128 He confirmed] that his method is not the same as the methods mentioned above. To get more details, someone would have to compare the generated IPSW content.<br />
<br />
This method can also be used on the iPhone 3GS and the iPhone 4 to downgrade from the 4.3 betas back to 4.2.1, as long as the device can be restored (and activated) to iOS 4.1 or an earlier version.<br />
[[Category:Baseband]]</div>
Whiteshinyapple | https://www.theiphonewiki.com/w/index.php?title=Preventing_Baseband_Update&diff=15760 | Preventing Baseband Update | 2011-02-02T04:47:13Z | Whiteshinyapple:
<hr />
<div>===Edit options.plist===<br />
# Unpack custom IPSW<br />
# Decrypt Restore Ramdisk using [[xpwntool]] and mount it<br />
# Navigate to /usr/local/share/restore <br />
# Edit options.plist on the restore ramdisk <br />
(Leave every other key in the plist as it is; change only UpdateBaseband.)<br />
<pre><br />
<key>UpdateBaseband</key><br />
<false/><br />
</pre><br />
<ol start="5"><br />
<li>Reencrypt the restore ramdisk</li><br />
<li>Repack the IPSW</li><br />
<li>Prepare device for custom firmware using [[redsn0w]]</li><br />
<li>Restore the IPSW with [[iTunes]] while the device is in pwned [[DFU Mode]]</li><br />
</ol><br />
<br />
You must load a patched [[iBSS]]/[[iBEC]] for this to work. Using an original IPSW will not work: redsn0w's pwned DFU Mode only allows the first unsigned image (the iBSS) to load, it does not patch the signature checks inside that iBSS, so a stock [[iBSS]] (which is loaded from the IPSW) would still reject the modified images that follow it.<br />
<br />
This process has been automated in some of the unofficial bundles.<br />
<br />
==[[TinyUmbrella]]/[[Cydia.app|Cydia]] Method (iPhone 4)==<br />
<br />
The [[N90ap|iPhone 4]] requires an AT+NONCE key signature from Apple in order to update the baseband. Pointing gs.apple.com in the hosts file at the [[Cydia Server]], or running [[TinyUmbrella]], causes this signing request to be ignored, which prevents the [[baseband]] update.<br />
<br />
*'''This only works if [[Cydia]]/[[TinyUmbrella]] accepts the firmware's SHSH.'''<br />
*'''This method 'works' with [[iOS]] 4.2.1, but the restore ramdisk contains a baseband version check. If the version doesn't match, the device crashes before the Apple logo with the loading bar (the second one, not the restore one) appears, boots again and crashes again. The usual 'kick out of recovery mode' methods or "setenv auto-boot true" won't help, because auto-boot being false is not the problem. So this method is actually not useful for [[iOS]] 4.2.1.'''<br />
# Edit the hosts file and add the line "74.208.10.249 gs.apple.com" without the quotes, or run [[TinyUmbrella]] after saving the firmware's SHSH. If the [[Cydia Server]] hasn't got your [[SHSH]] but you have it locally, use the TSS Server method in [[TinyUmbrella]].<br />
# Use the "Restore" button in [[iTunes]]. On 4.2.1 you will get error 1013 when restoring through the restore ramdisk.<br />
# If downgrading from a later firmware to one that performs baseband checks, you will get error 1015. The only way past this is either to update to the firmware version that matches your baseband version or to downgrade (if possible) to an earlier firmware that doesn't perform baseband version checks.<br />
<br />
==[[User:Ih8sn0w|iH8Sn0w]]'s Method==<br />
User [[User:Ih8sn0w|IH8sn0w]] mentioned a new method in [http://twitter.com/iH8sn0w/status/19249886721478656 this tweet] (an upgrade-only option in [[Sn0wbreeze]]). [http://twitter.com/iH8sn0w/status/19453808090288128 He confirmed] that his method is not the same as the methods mentioned above. To get more details, someone would have to compare the generated IPSW content.<br />
<br />
==iTunes Update Method (iPhone 4)==<br />
A variant of the TinyUmbrella method which exploits the lack of baseband version checks on the update ramdisk. [http://twitter.com/ven000m/status/19526989958356992]<br />
Just Shift+click (Windows) or Option+click (Mac) the Update button in iTunes after switching to a non-Apple TSS server, and exit recovery mode after the update fails.<br />
<br />
This method can also be used on the iPhone 3GS and the iPhone 4 to downgrade from the 4.3 betas back to 4.2.1, as long as the device can be restored (and activated) to iOS 4.1 or an earlier version.<br />
[[Category:Baseband]]</div>
Whiteshinyapple | https://www.theiphonewiki.com/w/index.php?title=User_talk:Geohot&diff=15570 | User talk:Geohot | 2011-01-30T02:07:50Z | Whiteshinyapple:
<hr />
<div>== Future of this Wiki ==<br />
<br />
[[Geohot]] is the founder of this wiki. Now that he has retired (or whatever) I would be interested to know how this Wiki continues. I'm a little scared that he could just turn it off. Maybe we should make some backups now? Or can geohot or a close insider provide some info about the future of this Wiki? If geohot needs someone to take over this project, I would be happy to do so (and probably many others also). It would be awful to see all our contributions fade away. A clear statement by any insider would help. Thanks. --[[User:Http|http]] 18:58, 13 July 2010 (UTC)<br />
<br />
I currently have no plans to shut down this wiki. Rest assured that if I do, I will make a backup available online. --[[User:Geohot|geohot]] 19:17, 13 July 2010 (UTC)<br />
<br />
Thanks for clarification. This helps a lot. --[[User:Http|http]] 22:39, 13 July 2010 (UTC)<br />
<br />
== Access to [http://iphonejtag.blogspot.com/ blog] archives ==<br />
Will you post the information on your initial iPhone 2G unlock anywhere? This used to be on your blog (in the archives) and was quite fascinating... :( [[User:D235j|D235j]] 01:41, 14 July 2010 (UTC)<br />
<br />
== Other ==<br />
<br />
You made a rational decision leaving the jailbreak community. After all the crap you had to take from people, I don't blame you. I'm sorry for ever adding to the BS you deal with on a day-to-day basis. [[User:Leobruh|Leobruh]] 22:42, 13 July 2010 (UTC)!<br />
<br />
== Blog ==<br />
Hey mate, do you have any plans to make your blog public again? There was a lot of good information on there and it would be an official source of information and updates from you! Best! =) [[User:LiNK|LiNK]] 19:01, 23 October 2010 (UTC)<br />
<br />
Yeah, please open your blog... Even if it doesn't have to do with jailbreaking or anything like that! I just want to know the real George Hotz... [[User:xX-BLACK_OPS-Xx|LOLZ]] 9:53, 2 December 2010 (UTC)<br />
<br />
== About GUIs == <br />
Hi. What do you think about GUIs in this wiki? There are some programs which call another program, like [[iDecrypt]] (calls VFDecrypt), [[iDecrypter]] (calls VFDecrypt), [[WinDecrypt]] (calls VFDecrypt) and [[Seas0npass]] (calls XPwn). Should these programs have a wiki page? Isn't it considered advertising their program using this wiki? --[[User:Whiteshinyapple|Whiteshinyapple]] 02:07, 30 January 2011 (UTC)</div>
Whiteshinyapple | https://www.theiphonewiki.com/w/index.php?title=F0recast&diff=15396 | F0recast | 2011-01-28T13:22:35Z | Whiteshinyapple:
<hr />
<div>{{delete|Please look at the talk page for the reasons}}<br />
{{DISPLAYTITLE:f0recast}}<br />
== What is f0recast? ==<br />
An application created by [[User:ih8sn0w|iH8sn0w]]. It is a simple application that taps into the [[MobileDevice Library]] (on Windows: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\iTunesMobileDevice.dll).<br />
<br />
'''It reads these values when an iDevice is connected:'''<br />
* Serial #<br />
* [[Baseband Firmware|Baseband]]<br />
* Bootloader Version<br />
* Model<br />
* ProductType<br />
<br />
== How does it determine if it's [[unlock]]able? ==<br />
When f0recast grabs the [[Baseband Firmware|baseband]] version, it checks the version against a built-in database to determine whether it is [[unlock]]able or not.<br />
<br />
== How does it determine if it's restricted to a [[tethered jailbreak]]? ==<br />
f0recast checks the built-in database of firmwares which are tethered and untethered.<br />
<br />
== License ==<br />
f0recast is freeware.<br />
<br />
== Resources ==<br />
[http://ih8sn0w.com/index.php/products/view/f0recast.snow Download f0recast]<br />
<br />
[http://www.github.com/sn0wra1n/f0retell Open-Source Alternative to f0recast by iSn0wra1n, f0retell]</div>
Whiteshinyapple | https://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Community_portal/2010&diff=15391 | The iPhone Wiki:Community portal/2010 | 2011-01-28T13:09:39Z | Whiteshinyapple:
<hr />
<div>{{Archive Page|The iPhone Wiki:Community Portal}}<br />
__NOTOC__<br />
== Site Related Requests ==<br />
=== REQUEST ===<br />
Can somebody please make a wiki page on how to boot the device into Recovery mode via itunesmobiledevice? Thank you! --[[User:Johnnyfranks67|Johnnyfranks67]] 18:11, 18 October 2009 (UTC)<br />
:Check the [[MobileDevice Library]] page to use the MobileDevice Framework --[[User:Whiteshinyapple|Whiteshinyapple]] 13:05, 28 January 2011 (UTC)</div>
Whiteshinyapple | https://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Community_portal/2010&diff=15390 | The iPhone Wiki:Community portal/2010 | 2011-01-28T13:05:04Z | Whiteshinyapple:
<hr />
<div>{{Archive Page|The iPhone Wiki:Community Portal}}<br />
__NOTOC__<br />
== Site Related Requests ==<br />
=== REQUEST ===<br />
Can somebody please make a wiki page on how to boot the device into Recovery mode via itunesmobiledevice? Thank you! --[[User:Johnnyfranks67|Johnnyfranks67]] 18:11, 18 October 2009 (UTC)<br />
:This is an iPhone wiki, not an iPhone development wiki. For development-related questions, you need to see another wiki --[[User:Whiteshinyapple|Whiteshinyapple]] 13:05, 28 January 2011 (UTC)</div>
Whiteshinyapple | https://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Community_portal/2011&diff=15389 | The iPhone Wiki:Community portal/2011 | 2011-01-28T13:01:51Z | Whiteshinyapple:
<hr />
<div>{{Archive Page|The iPhone Wiki:Community Portal}}<br />
__NOTOC__<br />
== Site Related Requests ==<br />
=== Merge pages ===<br />
[[/private/var]] is the correct name and has a better description, but [[/var]] has a full folder listing. --[[User:Ryccardo|Ryccardo]] 12:33, 7 June 2010 (UTC)<br />
:Dealt with. :) --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 02:58, 26 July 2010 (UTC)<br />
I think [[Sierra_7C108b]] and [[SwitchBoard.app]] should be merged. Or are there any differences that I misunderstood? --[[User:Http|http]] 22:13, 28 July 2010 (UTC)<br />
:I wouldn't merge the two since [[SwitchBoard.app]] ''is'' in [[Sierra 7C108b]], but it's not exclusive to that build. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 00:09, 29 July 2010 (UTC)<br />
::I understand. Ok, no merge. But currently both are about the app. We should put that content into [[SwitchBoard.app]] and focus [[Sierra 7C108b]] more on the firmware then (would be very short right now). Also we should delete one of the two images. What do you think? --[[User:Http|http]] 03:10, 29 July 2010 (UTC)<br />
:::Agreed. Both of the screenshots show different "apps" though, so it might be best to keep both images. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 03:41, 29 July 2010 (UTC)<br />
<br />
=== Hackers and Teams ===<br />
We have only one page for [[User:Ih8sn0w|IH8sn0w]], but with this name we have both things: the person and the team. I'm not sure how to do this. He is listed as a member of his group. Also all referrals should distinguish them; that's quite difficult. He himself also had no idea. Maybe a new page [[IH8sn0w team]] where the current content should go? -- [[User:Http|http]] 19:20, 6 August 2010 (UTC)<br />
<br />
A similar problem exists for chronic. It is split already: [[User:ChronicDev]] (user) and [[Chronic Dev (team)|Chronic Dev]] (team). I think we should rename the team to [[Chronic Dev (team)|Chronic Dev Team]], although this is not their official name, but it helps to distinguish. What do you think? -- [[User:Http|http]] 19:27, 6 August 2010 (UTC)<br />
:We could use parentheses, such as [[iH8sn0w (team)]] and [[Chronic Dev (team)]]. Alternatively, we could use prefixes, like [[Team:iH8sn0w]] and [[Team:Chronic Dev]]. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 19:56, 6 August 2010 (UTC)<br />
::Parentheses sounds good. Prefix is more wiki-internal stuff for me. -- [[User:Http|http]] 06:03, 7 August 2010 (UTC)<br />
::Thanks [[User:Dialexio|Dialexio]] for going ahead with this. We now have a few disambiguation pages, but they are not marked as such (see [[Special:Disambiguations]]). I don't know how to mark them with this template. Do you? -- [[User:Http|http]] 06:43, 8 August 2010 (UTC)<br />
:I tried to see if I could get it to work (using the [[Chronic Dev]] page for testing), but I can't figure out why it won't appear on the [[Special:Disambiguations]]. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 15:43, 8 August 2010 (UTC)<br />
<br />
=== Will this site keep running? ===<br />
I'm enjoying learning about the highly technical side to the iPhone, but after what's happened with geohot, will this site continue? -- [[User:MaybachMan|MaybachMan]] 16:46, 14 July 2010 (UTC)<br />
:Yes it will continue. I had the same question and [[User:geohot|geohot]] already answered that on [[User_talk:geohot|his talk page]]. --[[User:Http|http]] 18:46, 14 July 2010 (UTC)<br />
::That's great to hear, thank you. [[User:MaybachMan|MaybachMan]]<br />
<br />
=== Baseband: Processor vs. Platform ===<br />
All right, so The iPhone Wiki has articles about baseband ''processors''. However, the [[XMM 6180]] is about the baseband ''platform''. The wiki mostly references baseband processors, but I'm a bit reluctant to go that route since it was [[User:Oranav|Oranav]], who definitely knows more about the baseband than me, that changed the article from baseband processor to baseband platform. I'd like to keep things consistent, so should we stick with referencing it by processor or platform? This inconsistency is bugging the crap out of me. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 06:19, 9 August 2010 (UTC)<br />
<br />
=== Cleanup orphaned pages ===<br />
The [[Special:Lonelypages|orphaned pages]] should be cleaned up. Possible work:<br />
*most of those pages need to get updated<br />
*add a link on another page to it, so that it's not orphaned anymore<br />
*The main page and some disambiguation pages may remain orphaned.<br />
*Some pages are really old, outdated and not worth updating. In this case add a deletion request to its talk page.<br />
*Maybe we need a new overview page that links to some of these pages (e.g. my request for a [[Beta Firmware]] page, see [[Talk:VFDecrypt_Keys:_3.x_BETA#STOP]])<br />
*Please note that links with a prefix don't count for this list, so that pages that only appear on a Category page also appear in this list. To get the full links list, go to the page and click "what links here".<br />
I started with a little cleanup already. --[[User:Http|http]] 10:02, 23 October 2010 (UTC)<br />
<br />
=== Useless Team Pages ===<br />
I think we should remove all the team pages of users. Keep the Chronic and iPhone dev teams, but not the rest, which are just milking the wiki as a way to seek fame. There is no purpose for it and it just causes a large number of useless edits and arguments. Instead of having a team page, how about just adding the software you make and using the credits part of it? Is there really a need for team pages? I am open to all discussions, just don't argue here. --[[User:JacobVengeance|JakeAnthraX]] 14:49, 7 November 2010 (UTC)<br />
:As long as the team in question is actually doing *something* I see no reason not to document them. [[User:MaybachMan|MaybachMan]] 15:11, 7 November 2010 (UTC)<br />
::Well my counter to that is still there is no need for it. Maybe when you guys do something that is amazing or make something that isn't already out there. I don't want to fight, don't think I do. I just want the wiki to be peaceful and a place of knowledge. Not people gloating to be parts of groups and leech off of other people. Is the page really that important to you? --[[User:JacobVengeance|JakeAnthraX]] 15:14, 7 November 2010 (UTC)<br />
:::My team made a jailbreak using usb control msg for iPodTouch2g MC. It was compatible with 4.0.2 and it was semitethered. Anyway I don't want it on theiphonewiki, because this wiki should NOT be TheTeamsWiki.--[[User:Qwertyoruiop|Qwertyoruiop]] 15:22, 7 November 2010 (UTC)<br />
::::The page isn't for showing off, we made it so we can have a place to list all the projects the team makes, which I find useful. I don't want to fight over it, but I just think it has a use for organising knowledge on here, that's all. [[User:MaybachMan|MaybachMan]] 15:19, 7 November 2010 (UTC)<br />
Well I'm done arguing. I still say both be removed until a group release is made. Either way it doesn't matter much to me, but I had to make things fair between the groups. Let other people voice their opinions for a day or so and don't remove deletion request until it is decided as a community, okay? --[[User:JacobVengeance|JakeAnthraX]] 15:21, 7 November 2010 (UTC)<br />
:Until then, the deletion should be undone. I notice my team's page is already deleted for some reason. Or the content is, anyway. [[User:MaybachMan|MaybachMan]] 15:23, 7 November 2010 (UTC)<br />
Wait, i have an idea. A wiki for projects by secondary teams. If anyone wants, I can host it. :) --[[User:Qwertyoruiop|Qwertyoruiop]] 15:24, 7 November 2010 (UTC)<br />
<br />
I have a question. Why is it that it is like you must be on a team to be on here, cuz you don't! --[[User:Balloonhead66|Balloonhead66]] 15:25, 7 November 2010 (UTC)<br />
:Well without the deletion tags people won't know to discuss it, but it is up to the sysops in the end. So Yeah. --[[User:JacobVengeance|JakeAnthraX]] 15:29, 7 November 2010 (UTC)<br />
<br />
An official hacking team is a team which is well-recognised among people. The team must have contributed to the jailbreak community. For example, the iPhone Dev Team found a number of exploits and made jailbreaks which were used by a large number of people. Take 0wnDev for example: they didn't do anything big, and PwnPie was just a script making use of greenpois0n and iRecovery, which were done by the official hacking teams afaik, and they didn't find any exploits. Same for Maybach Dev Team. --[[User:Whiteshinyapple|Whiteshinyapple]] 13:01, 28 January 2011 (UTC)<br />
<br />
=== Deleting Firmware (keys) pages ===<br />
One thing. A key page should never be deleted unless it is empty. They still have valuable info on them. --[[User:Balloonhead66|Balloonhead66]] 03:55, 20 November 2010 (UTC)<br />
:I agree. Firmware pages shouldn't get deleted. Missing information will get filled out sooner or later anyway. And we don't want to delete and recreate them. I'll delete firmware pages only if the page's name is wrong. If information on it is wrong, please just write it onto the page or remove the wrong info. If the page is empty (no keys) this still applies, but please don't create new empty pages. --[[User:Http|http]] 08:26, 20 November 2010 (UTC)<br />
<br />
=== VFDecrypt GUIs ===<br />
I don't mean to sound like a dictator, but I'd like to request for no more VFDecrypt GUIs to be added here. There are more than enough of them, so I feel there really isn't a need to add any more. Whenever a new one arises, an argument spews over about its usefulness, as well as whether it belongs on this wiki. These arguments clog up the [[Special:Recentchanges|Recent changes]] page, making it tougher to keep an eye on things with the wiki. So, once again, I'd like to ask for no more VFDecrypt GUIs to have a place on this wiki. '''As of now, this is NOT a rule that will be imposed. It's just a polite request, nothing more.''' --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 19:35, 30 October 2010 (UTC)<br />
:I'd ask for GUIs of all kinds, such as VFDecrypt, iRecovery, and so on. Anyone can make a GUI. It takes a real hacker to write a program. --[[User:Dra1nerdrake|dra1nerdrake]] 22:52, 30 October 2010 (UTC)<br />
::We only have 3 publicly available ones + 2 in development --[[User:Balloonhead66|Balloonhead66]] 00:14, 31 October 2010 (UTC)<br />
:I saw this coming when the new page for [[GiRecovery]] ([[Zeratul]]) first appeared some months ago. This Wiki is not intended to promote these tools. I didn't want to just delete the page though. One way we could go: Make sure '''all''' applications (including highly recognized ones and jailbreak apps like [[Limera1n]]) will get listed on an overview [[Tools]] page. It should be categorized by tool purpose and operating system. Maybe also by related iOS firmware. As soon as this works well, we just have to assure that not anybody adds new tools there. For example by having two users request a new entry (without the author). We can start this Tools page in any case. Initially we can include all these useless GUI apps already existing here also. -- [[User:Http|http]] 07:38, 31 October 2010 (UTC)<br />
:We could delete the original pages and merge them with the page of the original app in a subsection. To be honest, though, I still don't see the point of having 4 pieces of software that do the same thing with the same features. --[[User:Ryccardo|Ryccardo]] 09:22, 31 October 2010 (UTC)<br />
:All of them just decrypt. But mine will have 7zip integration to extract it for you and possibly look up the key automatically based on the Dmg name... --[[User:Balloonhead66|Balloonhead66]] 14:28, 31 October 2010 (UTC)<br />
:http://theiphonewiki.com/wiki/index.php?title=Ground_Rules#No_advertising_your_website.2Fforum.2Fwiki.2Fetc.Theiphonewiki is to help people understand the method and not just give people a GUI which can do those stuff.Take [[limera1n]] for example,they descibe about the software and their payload, method, explanation is over there which is what theiphonewiki wants and not just a GUI with the name over there and crediting their "own" team. --[[User:Whiteshinyapple|Whiteshinyapple]].<br />
:To Balloonhead66:And dont undo the stuff I did. The sysops will decide and it is their decision not yours. --[[User:Whiteshinyapple|Whiteshinyapple]].<br />
::A GUI is not a wiki website or forum apple dude --[[User:Balloonhead66|Balloonhead66]] 03:51, 20 November 2010 (UTC)<br />
Yup, a GUI is a program, not a website. Those VFDecrypt GUIs just basically call the real VFDecrypt program which does the real work. It is the same as using a batch file to call a program. If we saw an iPhone wiki page which is showing a batch file, wouldn't we delete that? It's the same for these GUIs. We've got to delete them! They are just advertising their program so that people will download it, and geohot doesn't want people to advertise their stuff; he didn't say about a program, but I'm sure that he meant any type of advertising, including this.--[[User:Whiteshinyapple|Whiteshinyapple]] 13:01, 28 January 2011 (UTC)<br />
<br />
=== Polls ===<br />
I think we should have a page for polls, like this: [[Polls]]. I am requesting this as I need to take a quick survey, and I don't know where to place it. The poll does relate to the iPhone... --[[User:Balloonhead66|Balloonhead66]] 00:41, 16 November 2010 (UTC)<br />
<br />
=== iPhone Compatibility ===<br />
Well, the wiki's start page (and maybe other pages) does not display really well on the iPhone ;) -- [[User:M2m|M2m]] 16:11, 14 September 2010 (UTC)<br />
:Well, I think it's good enough. Ok, it's not optimized, but it's ok. If we improve the startpage to have only one column, then that would look ugly on a PC. I work a lot in here from my iPhone. The biggest problem is the edit box. You cannot really edit big texts from your iPhone. But that's a problem of the Wiki itself (Mediawiki) and we cannot fix that just by changing texts or layout. -- [[User:Http|http]] 22:25, 14 September 2010 (UTC)<br />
::On all textboxes, use 2 fingers to scroll --[[User:Balloonhead66|Balloonhead66]] 02:52, 27 October 2010 (UTC)<br />
::Installing the extension [http://mediawiki.org/wiki/Extension:MobileSkin MobileSkin] would be something [[User:geohot|geohot]] would have to do. Also he would have to create a mobile skin as all that extension does is display a skin over the default MonoBook skin... --[[User:Balloonhead66|Balloonhead66]] 00:43, 16 November 2010 (UTC)</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=The_iPhone_Wiki:Community_portal/2011&diff=15388The iPhone Wiki:Community portal/20112011-01-28T12:56:47Z<p>Whiteshinyapple: </p>
<hr />
<div>{{Archive Page|The iPhone Wiki:Community Portal}}<br />
__NOTOC__<br />
== Site Related Requests ==<br />
=== Merge pages ===<br />
[[/private/var]] is the correct name and has a better description, but [[/var]] has a full folder listing. --[[User:Ryccardo|Ryccardo]] 12:33, 7 June 2010 (UTC)<br />
:Dealt with. :) --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 02:58, 26 July 2010 (UTC)<br />
I think [[Sierra_7C108b]] and [[SwitchBoard.app]] should be merged. Or are there any differences that I misunderstood? --[[User:Http|http]] 22:13, 28 July 2010 (UTC)<br />
:I wouldn't merge the two since [[SwitchBoard.app]] ''is'' in [[Sierra 7C108b]], but it's not exclusive to that build. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 00:09, 29 July 2010 (UTC)<br />
::I understand. Ok, no merge. But currently both are about the app. We should put that content into [[SwitchBoard.app]] and focus [[Sierra 7C108b]] more on the firmware then (would be very short right now). Also we should delete one of the two images. What do you think? --[[User:Http|http]] 03:10, 29 July 2010 (UTC)<br />
:::Agreed. Both of the screenshots show different "apps" though, so it might be best to keep both images. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 03:41, 29 July 2010 (UTC)<br />
<br />
=== Hackers and Teams ===<br />
We have only one page for [[User:Ih8sn0w|IH8sn0w]], but with this name we have both things: the person and the team. I'm not sure how to do this. He is listed as a member of his group. Also all referrals should distinguish then, that's quite difficult. He himself also had no idea. Maybe a new page with [[IH8sn0w team]] where the current content should go to? -- [[User:Http|http]] 19:20, 6 August 2010 (UTC)<br />
<br />
A similar problem exists for chronic. It is split already: [[User:ChronicDev]] (user) and [[Chronic Dev (team)|Chronic Dev]] (team). I think we should rename the team to [[Chronic Dev (team)|Chronic Dev Team]], although this is not their official name, but it helps to distinguish. What do you think? -- [[User:Http|http]] 19:27, 6 August 2010 (UTC)<br />
:We could use parentheses, such as [[iH8sn0w (team)]] and [[Chronic Dev (team)]]. Alternatively, we could use prefixes, like [[Team:iH8sn0w]] and [[Team:Chronic Dev]]. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 19:56, 6 August 2010 (UTC)<br />
::Parentheses sounds good. Prefix is more wiki-internal stuff for me. -- [[User:Http|http]] 06:03, 7 August 2010 (UTC)<br />
::Thanks [[User:Dialexio|Dialexio]] for going ahead with this. We now have a few disambiguation pages, but they are not marked as such (see [[Special:Disambiguations]]). I don't know how to mark them with this template. Do you? -- [[User:Http|http]] 06:43, 8 August 2010 (UTC)<br />
:I tried to see if I could get it to work (using the [[Chronic Dev]] page for testing), but I can't figure out why it won't appear on the [[Special:Disambiguations]]. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 15:43, 8 August 2010 (UTC)<br />
<br />
=== Will this site keep running? ===<br />
I'm enjoying learning about the highly technical side to the iPhone, but after what's happened with geohot, will this site continue? -- [[User:MaybachMan|MaybachMan]] 16:46, 14 July 2010 (UTC)<br />
:Yes it will continue. I had the same question and [[User:geohot|geohot]] already answered that on [[User_talk:geohot|his talk page]]. --[[User:Http|http]] 18:46, 14 July 2010 (UTC)<br />
::That's great to hear, thank you. [[User:MaybachMan|MaybachMan]]<br />
<br />
=== Baseband: Processor vs. Platform ===<br />
All right, so The iPhone Wiki has articles about baseband ''processors''. However, the [[XMM 6180]] is about the baseband ''platform''. The wiki mostly references baseband processors, but I'm a bit reluctant to go that route since it was [[User:Oranav|Oranav]], who definitely knows more about the baseband than me, that changed the article from baseband processor to baseband platform. I'd like to keep things consistent, so should we stick with referencing it by processor or platform? This inconsistency is bugging the crap out of me. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 06:19, 9 August 2010 (UTC)<br />
<br />
=== Cleanup orphaned pages ===<br />
The [[Special:Lonelypages|orphaned pages]] should be cleaned up. Possible work:<br />
*most of those pages need to get updated<br />
*add a link on another page to it, so that it's not orphaned anymore<br />
*The main page and some disambiguation pages may remain orphaned.<br />
*Some pages are really old, outdated and not worth updating. In this case add a deletion request to its talk page.<br />
*Maybe we need a new overview page that links to some of these pages (e.g. my request for a [[Beta Firmware]] page, see [[Talk:VFDecrypt_Keys:_3.x_BETA#STOP]])<br />
*Please note that links with a prefix don't count for this list, so that pages that only appear on a Category page also appear in this list. To get the full links list, go to the page and click "what links here".<br />
I started with a little cleanup already. --[[User:Http|http]] 10:02, 23 October 2010 (UTC)<br />
<br />
=== Useless Team Pages ===<br />
I think we should remove all the team pages of users. Keep the Chronic and iPhone dev teams, but the rest that are just milking the wiki as a way to seek fame. There is no purpose for it and it just causes a large amount of useless edits and arguments. Instead of having a team page how about just add the software you make and use the credits part of it? Is there really a need for team pages? I am open to all discussions, just don't argue here. --[[User:JacobVengeance|JakeAnthraX]] 14:49, 7 November 2010 (UTC)<br />
:As long as the team in question is actually doing *something* I see no reason not to document them. [[User:MaybachMan|MaybachMan]] 15:11, 7 November 2010 (UTC)<br />
::Well my counter to that is still there is no need for it. Maybe when you guys do something that is amazing or make something that isn't already out there. I don't want to fight, don't think I do. I just want the wiki to be peaceful and a place of knowledge. Not people gloating to be parts of groups and leech off of other people. Is the page really that important to you? --[[User:JacobVengeance|JakeAnthraX]] 15:14, 7 November 2010 (UTC)<br />
:::My team made a jailbreak using usb control msg for iPodTouch2g MC. It was compatible with 4.0.2 and it was semitethered. Anyway I don't want it on theiphonewiki, because this wiki should NOT be TheTeamsWiki.--[[User:Qwertyoruiop|Qwertyoruiop]] 15:22, 7 November 2010 (UTC)<br />
::::The page isn't for showing off, we made it so we can have a place to list all the projects the team makes, which I find useful. I don't want to fight over it, but I just think it has a use for organising knowledge on here, that's all. [[User:MaybachMan|MaybachMan]] 15:19, 7 November 2010 (UTC)<br />
Well I'm done arguing. I still say both be removed until a group release is made. Either way it doesn't matter much to me, but I had to make things fair between the groups. Let other people voice their opinions for a day or so and don't remove deletion request until it is decided as a community, okay? --[[User:JacobVengeance|JakeAnthraX]] 15:21, 7 November 2010 (UTC)<br />
:Until then, the deletion should be undone. I notice my team's page is already deleted for some reason. Or the content is, anyway. [[User:MaybachMan|MaybachMan]] 15:23, 7 November 2010 (UTC)<br />
Wait, i have an idea. A wiki for projects by secondary teams. If anyone wants, I can host it. :) --[[User:Qwertyoruiop|Qwertyoruiop]] 15:24, 7 November 2010 (UTC)<br />
<br />
I have a question. Why is it that it is like you must be on a team to be on here, cuz you don't! --[[User:Balloonhead66|Balloonhead66]] 15:25, 7 November 2010 (UTC)<br />
:Well without the deletion tags people won't know to discuss it, but it is up to the sysops in the end. So Yeah. --[[User:JacobVengeance|JakeAnthraX]] 15:29, 7 November 2010 (UTC)<br />
<br />
=== Deleting Firmware (keys) pages ===<br />
One thing. A key page should never be deleted unless it is empty. They still have valuable info on them. --[[User:Balloonhead66|Balloonhead66]] 03:55, 20 November 2010 (UTC)<br />
:I agree. Firmware pages shouldn't get deleted. Missing information will get filled out sooner or later anyway. And we don't want to delete and recreate them. I'll delete firmware pages only if the page's name is wrong. If information on it is wrong, please just write it onto the page or remove the wrong info. If the page is empty (no keys) this still applies, but please don't create new empty pages. --[[User:Http|http]] 08:26, 20 November 2010 (UTC)<br />
<br />
=== VFDecrypt GUIs ===<br />
I don't mean to sound like a dictator, but I'd like to request for no more VFDecrypt GUIs to be added here. There are more than enough of them, so I feel there really isn't a need to add any more. Whenever a new one arises, an argument spews over about its usefulness, as well as whether it belongs on this wiki. These arguments clog up the [[Special:Recentchanges|Recent changes]] page, making it tougher to keep an eye on things with the wiki. So, once again, I'd like to ask for no more VFDecrypt GUIs to have a place on this wiki. '''As of now, this is NOT a rule that will be imposed. It's just a polite request, nothing more.''' --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 19:35, 30 October 2010 (UTC)<br />
:I'd ask for GUIs of all kinds, such as VFDecrypt, iRecovery, and so on. Anyone can make a GUI. It takes a real hacker to write a program. --[[User:Dra1nerdrake|dra1nerdrake]] 22:52, 30 October 2010 (UTC)<br />
::We only have 3 publicly available ones + 2 in development --[[User:Balloonhead66|Balloonhead66]] 00:14, 31 October 2010 (UTC)<br />
:I saw this coming when the new page for [[GiRecovery]] ([[Zeratul]]) first appeared some months ago. This Wiki is not intended to promote these tools. I didn't want to just delete the page though. One way we could go: Make sure '''all''' applications (including highly recognized ones and jailbreak apps like [[Limera1n]]) will get listed on an overview [[Tools]] page. It should be categorized by tool purpose and operating system. Maybe also by related iOS firmware. As soon as this works well, we just have to assure that not anybody adds new tools there. For example by having two users request a new entry (without the author). We can start this Tools page in any case. Initially we can include all these useless GUI apps already existing here also. -- [[User:Http|http]] 07:38, 31 October 2010 (UTC)<br />
:We could delete the original pages and merge them with the page of the original app in a subsection. To be honest, though, I still don't see the point of having 4 softwares that do the same thing with the same features. --[[User:Ryccardo|Ryccardo]] 09:22, 31 October 2010 (UTC)<br />
:All of them just decrypt. But mine will have 7zip integration to extract it for you and possibly look up the key automatically based on the Dmg name... --[[User:Balloonhead66|Balloonhead66]] 14:28, 31 October 2010 (UTC)<br />
:http://theiphonewiki.com/wiki/index.php?title=Ground_Rules#No_advertising_your_website.2Fforum.2Fwiki.2Fetc. Theiphonewiki is to help people understand the method and not just give people a GUI which can do those stuff. Take [[limera1n]] for example, they describe the software and their payload, method, explanation is over there, which is what theiphonewiki wants and not just a GUI with the name over there and crediting their "own" team. --[[User:Whiteshinyapple|Whiteshinyapple]].<br />
:To Balloonhead66: And don't undo the stuff I did. The sysops will decide and it is their decision, not yours. --[[User:Whiteshinyapple|Whiteshinyapple]].<br />
::A GUI is not a wiki website or forum apple dude --[[User:Balloonhead66|Balloonhead66]] 03:51, 20 November 2010 (UTC)<br />
Yup, a GUI is a program, not a website. Those VFDecrypt GUIs just basically call the real VFDecrypt program which does the real work. It is the same as using a batch file to call a program. If we saw an iPhone wiki page which is showing a batch file, wouldn't we delete that? It's the same for these GUIs. We've got to delete them! They are just advertising their program so that people will download it, and geohot doesn't want people to advertise their stuff; he didn't say about a program, but I'm sure that he meant any type of advertising, including this.<br />
<br />
=== Polls ===<br />
I think we should have a page for polls, like this: [[Polls]]. I am requesting this as I need to take a quick survey, and I don't know where to place it. The poll does relate to the iPhone... --[[User:Balloonhead66|Balloonhead66]] 00:41, 16 November 2010 (UTC)<br />
<br />
=== iPhone Compatibility ===<br />
Well, the wiki's start page (and maybe other pages) does not display really well on the iPhone ;) -- [[User:M2m|M2m]] 16:11, 14 September 2010 (UTC)<br />
:Well, I think it's good enough. Ok, it's not optimized, but it's ok. If we improve the startpage to have only one column, then that would look ugly on a PC. I work a lot in here from my iPhone. The biggest problem is the edit box. You cannot really edit big texts from your iPhone. But that's a problem of the Wiki itself (Mediawiki) and we cannot fix that just by changing texts or layout. -- [[User:Http|http]] 22:25, 14 September 2010 (UTC)<br />
::On all textboxes, use 2 fingers to scroll --[[User:Balloonhead66|Balloonhead66]] 02:52, 27 October 2010 (UTC)<br />
::Installing the extension [http://mediawiki.org/wiki/Extension:MobileSkin MobileSkin] would be something [[User:geohot|geohot]] would have to do. Also he would have to create a mobile skin as all that extension does is display a skin over the default MonoBook skin... --[[User:Balloonhead66|Balloonhead66]] 00:43, 16 November 2010 (UTC)</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Preventing_Baseband_Update&diff=14450Preventing Baseband Update2010-12-29T07:19:25Z<p>Whiteshinyapple: /* TinyUmbrella/Cydia Method for iPhone 4 (Doesnt work on iOS 4.2.1) */</p>
<hr />
<div>==Step 1: Swap Ramdisks==<br />
Open the IPSW (with your favorite ZIP utility). Replace the [[Restore Ramdisk]] and the [[Update Ramdisk]] names with each other.<br />
<br />
== Step 2: Edit options.plist ==<br />
# Unpack custom IPSW<br />
# Decrypt Restore Ramdisk using [[xpwntool]] and mount it<br />
# Navigate to /usr/local/share/restore <br />
# Edit options.plist on the restore ramdisk <br />
'''(Ignore the SystemPartitionSize in your plist file and leave it)'''<br />
<br />
<pre><br />
<key>UpdateBaseband</key><br />
<false/><br />
</pre><br />
<br />
<ol start="5"><br />
<li>Reencrypt the restore ramdisk</li><br />
<li>Repack the IPSW</li><br />
<li>Prepare device for custom firmware using [[redsn0w]]</li><br />
<li>Restore IPSW to [[iTunes]] in pwned [[DFU Mode]]</li><br />
</ol><br />
<br />
You must load a patched [[iBSS]]/[[iBEC]] for this to work. Using an original IPSW will not work, because redsn0w's pwned DFU Mode doesn't patch sigchecks in [[iBSS]].<br />
<br />
==[[TinyUmbrella]]/[[Cydia]] Method for iPhone 4 (Doesn't work on iOS 4.2.1)==<br />
<br />
The [[N90ap|iPhone 4]] requires an AT+NONCE key signature from Apple in order to update the baseband. Pointing the hosts file to the [[Cydia Server]] or running [[TinyUmbrella]] causes this signature request to be ignored, thus preventing a [[baseband]] update.<br />
<br />
*'''This only works if [[Cydia]]/[[TinyUmbrella]] accepts the firmware's SHSH.'''<br />
*'''This method also 'works' with [[iOS]] 4.2.1, but in the restore ramdisk there is a baseband version check. If it doesn't match, it will not boot. The usual 'Kick out of recovery mode' methods won't work, so this method is actually not useful for [[iOS]] 4.2.1.'''<br />
# Edit the hosts file and add the line "74.208.10.249 gs.apple.com" without the quotes, or run [[TinyUmbrella]] after saving the firmware's SHSH. If [[Cydia Server]] hasn't got your [[SHSH]], but you have it locally, use TSS Server method in [[TinyUmbrella]].<br />
# Use the "Restore" button in [[iTunes]] to update. On 4.2.1 you will get error 1013 when trying to restore through the restore ramdisk.<br />
<br />
[[Category:Baseband]]</div>Whiteshinyapplehttps://www.theiphonewiki.com/w/index.php?title=Preventing_Baseband_Update&diff=14131Preventing Baseband Update2010-12-09T02:51:22Z<p>Whiteshinyapple: </p>
<hr />
<div>=Step 1: Swap Ramdisks=<br />
Open the IPSW in a ZIP editor and swap the names of the [[Restore Ramdisk]] and the [[Update Ramdisk]], then follow Step 2.<br />
<br>This is done to bypass the [[baseband]] check.<br />
= Step 2: Edit options.plist =<br />
<br />
# Unpack Custom IPSW<br />
# Decrypt Restore Ramdisk using [[xpwntool]] and mount it<br />
# Navigate to /usr/local/share/restore <br />
# Edit options.plist on the restore ramdisk <br />
'''(Ignore the SystemPartitionSize in your plist file and leave it)'''<br />
<br />
<pre><br />
<?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>UpdateBaseband</key><br />
<false/><br />
</dict><br />
</plist><br />
</pre><br />
<br />
<ol start="5"><br />
<li>Reencrypt the restore ramdisk</li><br />
<li>Repack the IPSW</li><br />
<li>Prepare the device for custom firmware using [[redsn0w]] (just use the pwned DFU option)</li><br />
<li>Restore IPSW to [[iTunes]] in pwned [[DFU Mode]]</li><br />
</ol><br />
<br />
This won't work with original IPSW. Pwned DFU mode doesn't patch sigchecks in [[iBSS]], so the [[Restore/Update Ramdisks|ramdisk]] won't load. You need to load patched [[iBSS]]/[[iBEC]] for this to work.<br />
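As an added example that is not part of the wiki article, a Python script for step 4 of both revisions above: it sets UpdateBaseband to false in options.plist on the mounted, decrypted restore ramdisk and leaves every other key (including SystemPartitionSize, which the article says to leave alone) untouched. The sample plist below is constructed; the only path used is the /usr/local/share/restore location the article names.<br />

```python
# Added example, not code from The iPhone Wiki. Edits options.plist so the
# restore daemon skips the baseband update; all other keys are preserved.
import plistlib
from pathlib import Path

# Constructed sample of what /usr/local/share/restore/options.plist may
# contain; a real file carries more keys and device-specific values.
SAMPLE_OPTIONS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>SystemPartitionSize</key>
\t<integer>1024</integer>
\t<key>UpdateBaseband</key>
\t<true/>
</dict>
</plist>
"""

# Path inside the mounted restore ramdisk, as named by the article.
OPTIONS_PLIST_PATH = Path("/usr/local/share/restore/options.plist")


def load_options(plist_bytes: bytes) -> dict:
    """Parse options.plist and make sure its root element is a dict."""
    options = plistlib.loads(plist_bytes)
    if not isinstance(options, dict):
        raise ValueError("options.plist root must be a <dict>")
    return options


def disable_baseband_update(plist_bytes: bytes) -> bytes:
    """Return a copy of options.plist with UpdateBaseband set to <false/>.

    Every other key is kept as-is. If UpdateBaseband is absent it is added,
    since a missing key does not reliably mean "skip the baseband update".
    """
    options = load_options(plist_bytes)
    options["UpdateBaseband"] = False
    # sort_keys=False keeps the original key order for an easy diff.
    return plistlib.dumps(options, fmt=plistlib.FMT_XML, sort_keys=False)


def baseband_update_disabled(plist_bytes: bytes) -> bool:
    """True only if UpdateBaseband is explicitly false (not merely missing)."""
    return load_options(plist_bytes).get("UpdateBaseband") is False


def patch_options_plist(path: Path = OPTIONS_PLIST_PATH) -> None:
    """Patch the file in place, keeping a .orig backup beside it."""
    original = path.read_bytes()
    path.with_name(path.name + ".orig").write_bytes(original)
    path.write_bytes(disable_baseband_update(original))
    if not baseband_update_disabled(path.read_bytes()):
        raise RuntimeError("UpdateBaseband is still not false after patching")


if __name__ == "__main__":
    # Run on the constructed sample rather than a mounted ramdisk.
    patched = disable_baseband_update(SAMPLE_OPTIONS_PLIST)
    print(patched.decode())
    print("baseband update disabled:", baseband_update_disabled(patched))
```

Point patch_options_plist() at the mounted ramdisk only after the xpwntool decrypt and mount steps; re-encrypt and repack afterwards as the article describes.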
<br />
=[[TinyUmbrella]]/[[Cydia]] Method for iPhone 4 (Doesn't work on iOS 4.2.1)=<br />
<br />
The [[N90ap|iPhone 4]] needs a [[baseband]] signature to update the baseband. Pointing the hosts file to [[Saurik]]'s server or running [[TinyUmbrella]] will allow this request for signature to be ignored, thus preventing a [[baseband]] update.<br />
<br />
'''Warning: This might only work if [[Cydia]]/[[TinyUmbrella]] accepts the latest firmware's SHSH'''<br />
# Edit the hosts file and add the line "74.208.10.249 gs.apple.com" without the quotes, or run [[TinyUmbrella]] after saving the firmware's SHSH.<br />
# Use the Restore button in iTunes to update the firmware.<br />
<br />
'''Custom [[Firmware]] won't work with the [[TinyUmbrella]]/[[Cydia]] method'''<br />
[[Category:Baseband]]</div>Whiteshinyapple