Audio DSP Module

From The iPhone Wiki
Revision as of 17:14, 12 September 2010 by Dialexio (talk | contribs) (Links.)

A "secret" coprocessor present only in the S5L8900 devices. I do not have a devicetree handy, so I do not know the phys / virt addresses.

Registers

I'll have to dig up my IDB to get the whole thing, but this is what I remember:

  • Register 0x0 - Calm2ADM Configuration Register
  • Register 0x50 - Calm2ADM Instruction Area (i.e. pointer to payload)

IMG3 Obfuscation

This module became known, and was looked into, because in the 3.0 GM firmware release for the S5L8900 devices, Apple used it to compute a "soft" GID-key that decrypts the KBAG of the firmware image being loaded. The computation was based on a hash of the first 0x1B000 of the running iBoot, so to get the correct output you needed to do some tricky patching.
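The binding between the derived key and the running iBoot can be illustrated with a short model (an added example, not code from Apple or from the original page). SHA-256, the HMAC mixing step, reading 0x1B000 as a byte count, the sample image and the device secret are all assumptions; the page does not say how the real computation works.

```python
import hashlib
import hmac

MEASURED_LEN = 0x1B000  # size of the hashed iBoot prefix (value from the page; bytes assumed)


def measure(image: bytes) -> bytes:
    """Hash the measured prefix of the running bootloader image."""
    if len(image) < MEASURED_LEN:
        raise ValueError("image shorter than the measured region")
    # SHA-256 is an assumption; the page only says "a hash".
    return hashlib.sha256(image[:MEASURED_LEN]).digest()


def derive_soft_key(device_secret: bytes, image: bytes) -> bytes:
    """Bind a 128-bit key to a device secret and the code measurement."""
    # HMAC as the mixing step is an assumption, not the real ADM computation.
    return hmac.new(device_secret, measure(image), hashlib.sha256).digest()[:16]


def patched(image: bytes, offset: int, value: int) -> bytes:
    """Return a copy of image with one byte replaced."""
    out = bytearray(image)
    out[offset] = value
    return bytes(out)


def demo() -> dict:
    # Constructed sample data: a fake 0x20000-byte image and a fake secret.
    image = bytes((i * 31 + 7) & 0xFF for i in range(0x20000))
    secret = b"constructed-device-secret"
    good = derive_soft_key(secret, image)
    inside = patched(image, 0x1000, image[0x1000] ^ 0xFF)
    outside = patched(image, MEASURED_LEN, image[MEASURED_LEN] ^ 0xFF)
    return {
        # One flipped byte inside the measured prefix yields a different key.
        "patch_inside_changes_key": not hmac.compare_digest(
            good, derive_soft_key(secret, inside)),
        # Bytes past the measured prefix do not influence the key at all.
        "patch_outside_changes_key": not hmac.compare_digest(
            good, derive_soft_key(secret, outside)),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the key only vouches for the measured prefix, so a design that relies on this kind of binding should measure everything that executes.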
