Difference between revisions of "Baseband Device"

From The iPhone Wiki
Jump to: navigation, search
m (Updating.)
(Add the Intel PMB9960 Baseband Device)
(15 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
This is the device in the iPhone and iPad that manages all the functions which require an antenna. The baseband processor has its own RAM and firmware in NOR flash, separate from the [[ARM]] core resources. The baseband is a resource to the OS. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.
 
This is the device in the iPhone and iPad that manages all the functions which require an antenna. The baseband processor has its own RAM and firmware in NOR flash, separate from the [[ARM]] core resources. The baseband is a resource to the OS. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.
   
The [[M68AP|iPhone]]'s baseband processor is the [[S-Gold 2]]. The [[N82AP|iPhone 3G]], the [[N88AP|iPhone 3GS]] and the [[K48AP|iPad]] make use of the [[X-Gold 608]] chip for this purpose. The [[N90AP|iPhone 4 (iPhone3,1)]] and [[K94AP|iPad 2 (iPad2,2)]] use the [[XMM 6180]], while the [[N92AP|iPhone 4 (iPhone3,3)]] uses the [[MDM6600]] and the [[N94AP|iPhone 4S]] uses the [[MDM6610]]. [[iPad 3]] uses [[MDM9600]]. [[iPad 4]], [[iPad Air]] , [[iPad mini 1G]], [[iPad mini 2]], [[iPad mini 3]], [[iPhone 5]], [[iPhone 5c]] and [[iPhone 5s]] use [[MDM9615]] while [[iPad Air 2]], [[iPad mini 4]], [[N61AP|iPhone 6]] and [[N56AP|iPhone 6 Plus]] use [[MDM9625]]. [[iPhone 6s]] and [[iPhone 6s Plus]] use [[MDM9635]].
+
The [[M68AP|iPhone]]'s baseband processor is the [[S-Gold 2]]. The [[N82AP|iPhone 3G]], the [[N88AP|iPhone 3GS]] and the [[K48AP|iPad]] make use of the [[X-Gold 608]] chip for this purpose. The [[N90AP|iPhone 4 (iPhone3,1)]] and [[K94AP|iPad 2 (iPad2,2)]] use the [[XMM 6180]], while the [[N92AP|iPhone 4 (iPhone3,3)]] uses the [[MDM6600]] and the [[N94AP|iPhone 4S]] uses the [[MDM6610]]. [[iPad (3rd generation)]] uses [[MDM9600]]. [[iPad (4th generation)]], [[iPad Air]] , [[iPad mini]], [[iPad mini 2]], [[iPad mini 3]], [[iPhone 5]], [[iPhone 5c]] and [[iPhone 5s]] use [[MDM9615]] while [[iPad Air 2]], [[iPad Pro (12.9-inch)]], [[iPad (5th generation)]], [[iPad mini 4]], [[N61AP|iPhone 6]], [[N56AP|iPhone 6 Plus]] and [[iPhone SE]] use [[MDM9625]]. [[Apple Watch Series 3]], [[iPhone 6s]], [[iPhone 6s Plus]] and [[iPad Pro (9.7-inch)]] use [[MDM9635]]. The [[iPhone 8]], [[iPhone 8 Plus]] and [[iPhone X]] use [[MDM9655]] and [[PMB9948]]. The [[iPad (7th generation)]], [[iPad Air (3rd generation)]], [[iPad Pro (11-inch)]], [[iPad Pro (12.9-inch) (3rd generation)]], [[iPad mini (5th generation)]], [[iPhone XR]], [[iPhone XS]] and [[iPhone XS Max]] use the [[PMB9955]]. And the [[N104AP|iPhone 11]], [[D421AP|iPhone 11 Pro]] and [[D431AP|iPhone 11 Pro Max]] use the [[PMB9960]].
   
 
See also: [[Baseband Commands]] and [[iOS Baseband Tools]].
 
See also: [[Baseband Commands]] and [[iOS Baseband Tools]].
Line 20: Line 20:
 
* [[SIM hacks]]
 
* [[SIM hacks]]
   
===[[S-Gold 2]]===
+
===[[PMB8876]] S-Gold 2===
 
* [[Fakeblank]]
 
* [[Fakeblank]]
 
* [[IPSF]]
 
* [[IPSF]]
Line 26: Line 26:
 
* [[Minus 0x20000 with Back Extend Erase]]
 
* [[Minus 0x20000 with Back Extend Erase]]
   
===[[X-Gold 608]]===
+
===[[PMB8878]] X-Gold 608===
 
* [[JerrySIM]]
 
* [[JerrySIM]]
 
* [[AT+stkprof]]
 
* [[AT+stkprof]]
Line 34: Line 34:
 
* [[AT+FNS]]
 
* [[AT+FNS]]
   
===[[XMM 6180]]===
+
===[[XMM 6180]] X-Gold 618===
 
* [[AT+XAPP Vulnerability]]
 
* [[AT+XAPP Vulnerability]]
   
Line 41: Line 41:
   
 
===[[MDM6610]]===
 
===[[MDM6610]]===
  +
* None
  +
  +
===[[MDM9600]]===
 
* None
 
* None
   
Line 46: Line 49:
 
* None
 
* None
   
===[[MDM9x00]]===
+
===[[MDM9625]]===
 
* None
 
* None
   
===[[MDM9625M]]===
+
===[[MDM9635]]===
 
* None
 
* None
  +
  +
===[[MDM9645]]===
  +
* none
  +
  +
===[[PMB9943]] X-Gold 736===
  +
* none
  +
  +
===[[MDM9655]]===
  +
* none
  +
  +
===[[PMB9948]]===
  +
* none
  +
  +
===[[PMB9955]] X-Gold 756===
  +
* none
  +
  +
===[[PMB9960]] X-Gold 766===
  +
* none
   
 
==Theoretical Attacks==
 
==Theoretical Attacks==

Revision as of 01:10, 22 October 2019

This is the device in the iPhone and iPad that manages all the functions which require an antenna. The baseband processor has its own RAM and firmware in NOR flash, separate from the ARM core resources. The baseband is a resource to the OS. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.

The iPhone's baseband processor is the S-Gold 2. The iPhone 3G, the iPhone 3GS and the iPad make use of the X-Gold 608 chip for this purpose. The iPhone 4 (iPhone3,1) and iPad 2 (iPad2,2) use the XMM 6180, while the iPhone 4 (iPhone3,3) uses the MDM6600 and the iPhone 4S uses the MDM6610. iPad (3rd generation) uses MDM9600. iPad (4th generation), iPad Air , iPad mini, iPad mini 2, iPad mini 3, iPhone 5, iPhone 5c and iPhone 5s use MDM9615 while iPad Air 2, iPad Pro (12.9-inch), iPad (5th generation), iPad mini 4, iPhone 6, iPhone 6 Plus and iPhone SE use MDM9625. Apple Watch Series 3, iPhone 6s, iPhone 6s Plus and iPad Pro (9.7-inch) use MDM9635. The iPhone 8, iPhone 8 Plus and iPhone X use MDM9655 and PMB9948. The iPad (7th generation), iPad Air (3rd generation), iPad Pro (11-inch), iPad Pro (12.9-inch) (3rd generation), iPad mini (5th generation), iPhone XR, iPhone XS and iPhone XS Max use the PMB9955. And the iPhone 11, iPhone 11 Pro and iPhone 11 Pro Max use the PMB9960.

See also: Baseband Commands and iOS Baseband Tools.

Seczone

This is the area in the baseband where the lock state is stored.

Layout

0x400--NCK token
0xA00--IMEI signature
0xB00--IMEI
0xC00--Locks table

Encryption

Many of the sections are encrypted using TEA based off the CHIPID and NORID. See NCK Brute Force for more info.

Exploits

PMB8876 S-Gold 2

PMB8878 X-Gold 608

XMM 6180 X-Gold 618

MDM6600

  • None

MDM6610

  • None

MDM9600

  • None

MDM9615

  • None

MDM9625

  • None

MDM9635

  • None

MDM9645

  • none

PMB9943 X-Gold 736

  • none

MDM9655

  • none

PMB9948

  • none

PMB9955 X-Gold 756

  • none

PMB9960 X-Gold 766

  • none

Theoretical Attacks

Boot Chain

bootrom->bootloader->firmware