Difference between revisions of "Baseband Device"

From The iPhone Wiki
(55 intermediate revisions by 20 users not shown)
Line 1: Line 1:
This is the device in the iPhone that manages all the functions which require an antenna. The baseband processor has its own RAM and firmware in NOR flash, separate from the ARM core resources. The baseband is a resource to the OS. The Wi-Fi and bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in it's NVRAM.
+
the '''Baseband Device''' is the chipset that all [[iPhone|iPhones]] and cellular models of the [[Apple Watch]], [[iPad]], [[List_of_iPad_Airs|iPad Air]], [[List_of_iPad_minis|iPad mini]], and [[iPad Pro]] use that manages all the functions which require a cellular antenna. it has its own RAM and Firmware in NOR flash, separate from the [[ARM]] core resources. The baseband is a resource to the OS. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores it's MAC addresses in its NVRAM.
   
  +
See also: [[Baseband Commands]] and [[iOS Baseband Tools]].
The [[iPhone]]'s baseband processor is the [[S-Gold 2]] and the [[iPhone 3G]] makes use of the [[X-Gold 608]] chip for this purpose.
 
  +
==Device List==
  +
===[[PMB8876]] S-Gold 2===
  +
* [[M68AP|iPhone]]
   
  +
===[[PMB8878]] X-Gold 608===
You can check some [[Baseband Commands]] too (by pH and EvilPenguin)
 
  +
* [[K48AP|iPad]]
  +
* [[N82AP|iPhone 3G]]
  +
* [[N88AP|iPhone 3GS]]
   
  +
===[[XMM 6180]] X-Gold 618===
==Seczone==
 
  +
* iPad 2 [[K94AP|(iPad2,2)]]
  +
* iPhone 4 [[N90AP|(iPhone3,1)]] and [[N90BAP|(iPhone3,2)]]
  +
  +
===[[MDM6600]]===
  +
* iPad 2 [[K95AP|(iPad2,3)]]
  +
* iPhone 4 [[N92AP|(iPhone3,3)]]
  +
  +
===[[MDM6610]]===
  +
* [[iPhone 4S]]
  +
  +
===[[MDM9600]]===
  +
* [[iPad (3rd generation)]]
  +
  +
===[[MDM9615]]===
  +
* [[iPad Air]]
  +
* [[iPad mini]]
  +
* [[iPad mini 2]]
  +
* [[iPad mini 3]]
  +
* [[iPhone 5]]
  +
* [[iPhone 5c]]
  +
* [[iPhone 5s]]
  +
  +
===[[MDM9625]]===
  +
* [[iPad (5th generation)]]
  +
* [[iPad Air 2]]
  +
* [[iPad Pro (12.9-inch)]]
  +
* [[iPad mini 4]]
  +
* [[iPhone 6]]
  +
* [[iPhone 6 Plus]]
  +
* [[iPhone SE (1st generation)]]
  +
  +
===[[MDM9635]]===
  +
* [[Apple Watch Series 3]]
  +
* [[iPad (6th generation)]]
  +
* [[iPad Pro (9.7-inch)]]
  +
* [[iPhone 6s]]
  +
* [[iPhone 6s Plus]]
  +
  +
===[[MDM9645]]===
  +
* [[iPad Pro (10.5-inch)]]
  +
* [[iPad Pro (12.9-inch) (2nd generation)]]
  +
* [[iPhone 7]]
  +
* [[iPhone 7 Plus]]
  +
  +
===[[PMB9943]] X-Gold 736===
  +
* [[iPhone 7]]
  +
* [[iPhone 7 Plus]]
  +
  +
===[[MDM9655]]===
  +
* [[iPhone 8]]
  +
* [[iPhone 8 Plus]]
  +
* [[iPhone X]]
  +
  +
===[[PMB9948]] X-Gold 748===
  +
* [[iPhone 8]]
  +
* [[iPhone 8 Plus]]
  +
* [[iPhone X]]
  +
  +
===[[PMB9955]] X-Gold 756===
  +
* [[Apple Watch Series 4]]
  +
* [[Apple Watch Series 5]]
  +
* [[iPad (7th generation)]]
  +
* [[iPad Air (3rd generation)]]
  +
* [[iPad Pro (11-inch)]]
  +
* [[iPad Pro (12.9-inch) (3rd generation)]]
  +
* [[iPad mini (5th generation)]]
  +
* [[iPhone XR]]
  +
* [[iPhone XS]]
  +
* [[iPhone XS Max]]
  +
  +
===[[PMB9960]] X-Gold 766===
  +
* [[iPad Pro (11-inch) (2nd generation)]]
  +
* [[iPad Pro (12.9-inch) (4th generation)]]
  +
* [[iPhone 11]]
  +
* [[iPhone 11 Pro]]
  +
* [[iPhone 11 Pro Max]]
  +
* [[iPhone SE (2nd generation)]]
  +
  +
==[[Seczone]]==
 
This is the area in the baseband where the lock state is stored.
 
This is the area in the baseband where the lock state is stored.
   
 
===Layout===
 
===Layout===
 
0x400--NCK token
 
0x400--NCK token
  +
0xA00--IMEI signature
 
0xB00--IMEI
 
0xB00--IMEI
0xB10--IMEI signature
 
 
0xC00--Locks table
 
0xC00--Locks table
   
 
===Encryption===
 
===Encryption===
Many of the sections are encrypted using TEA based off the CHIPID and NORID. See [[NCK Brute Force]] for more info.
+
Many of the sections are encrypted using [[Baseband TEA Keys|TEA]] based off the [[CHIPID]] and [[NORID]]. See [[NCK Brute Force]] for more info.
   
 
==Exploits==
 
==Exploits==
 
* [[SIM hacks]]
 
* [[SIM hacks]]
  +
* [[Fakeblank|Hardware Fakeblank]]
 
  +
===[[PMB8876]] S-Gold 2===
  +
* [[Fakeblank]]
 
* [[IPSF]]
 
* [[IPSF]]
 
* [[Minus 0x400]]
 
* [[Minus 0x400]]
* [[Jerrysim]]
 
 
* [[Minus 0x20000 with Back Extend Erase]]
 
* [[Minus 0x20000 with Back Extend Erase]]
  +
* [[At+stkprof]]
 
  +
===[[PMB8878]] X-Gold 608===
  +
* [[JerrySIM]]
  +
* [[AT+stkprof]]
 
* [[AT+XLOG Vulnerability]]
 
* [[AT+XLOG Vulnerability]]
  +
* [[AT+XEMN Heap Overflow]]
  +
* [[AT+XAPP Vulnerability]]
  +
* [[AT+FNS]]
  +
  +
===[[XMM 6180]] X-Gold 618===
  +
* [[AT+XAPP Vulnerability]]
  +
  +
===[[MDM6600]]===
  +
* None
  +
  +
===[[MDM6610]]===
  +
* None
  +
  +
===[[MDM9600]]===
  +
* None
  +
  +
===[[MDM9615]]===
  +
* None
  +
  +
===[[MDM9625]]===
  +
* None
  +
  +
===[[MDM9635]]===
  +
* None
  +
  +
===[[MDM9645]]===
  +
* none
  +
  +
===[[PMB9943]] X-Gold 736===
  +
* none
  +
  +
===[[MDM9655]]===
  +
* none
  +
  +
===[[PMB9948]] X-Gold 748===
  +
* none
  +
  +
===[[PMB9955]] X-Gold 756===
  +
* none
  +
  +
===[[PMB9960]] X-Gold 766===
  +
* none
   
 
==Theoretical Attacks==
 
==Theoretical Attacks==
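Review bot: the new lead paragraph (the first `+` block of this hunk) has grammar slips that should be fixed before it lands: "the '''Baseband Device''' is" and "it has its own RAM" start sentences in lowercase, and "it's MAC addresses" should read "its MAC addresses" (or "their", as the old wording had it, since the addresses belong to Wi-Fi and Bluetooth). The Layout change under Seczone drops "0xB10--IMEI signature" and adds "0xA00--IMEI signature" with no edit summary or source; a one-line note saying which baseband and firmware this offset was checked on would make the change reviewable. Minor: "None" and "none" under the per-chip Exploits headings are inconsistently capitalised, and "[[At+stkprof]]" under S-Gold 2 versus "[[AT+stkprof]]" under X-Gold 608 are two differently-cased link targets for what looks like the same page.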

Latest revision as of 13:54, 26 May 2020

The Baseband Device is the chipset that all iPhones and cellular models of the Apple Watch, iPad, iPad Air, iPad mini, and iPad Pro use to manage all the functions which require a cellular antenna. It has its own RAM and firmware in NOR flash, separate from the ARM core resources. The baseband is a resource to the OS. Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.

See also: Baseband Commands and iOS Baseband Tools.

Device List

PMB8876 S-Gold 2

  • iPhone

PMB8878 X-Gold 608

  • iPad
  • iPhone 3G
  • iPhone 3GS

XMM 6180 X-Gold 618

  • iPad 2 (iPad2,2)
  • iPhone 4 (iPhone3,1) and (iPhone3,2)

MDM6600

  • iPad 2 (iPad2,3)
  • iPhone 4 (iPhone3,3)

MDM6610

  • iPhone 4S

MDM9600

  • iPad (3rd generation)

MDM9615

  • iPad Air
  • iPad mini
  • iPad mini 2
  • iPad mini 3
  • iPhone 5
  • iPhone 5c
  • iPhone 5s

MDM9625

  • iPad (5th generation)
  • iPad Air 2
  • iPad Pro (12.9-inch)
  • iPad mini 4
  • iPhone 6
  • iPhone 6 Plus
  • iPhone SE (1st generation)

MDM9635

  • Apple Watch Series 3
  • iPad (6th generation)
  • iPad Pro (9.7-inch)
  • iPhone 6s
  • iPhone 6s Plus

MDM9645

  • iPad Pro (10.5-inch)
  • iPad Pro (12.9-inch) (2nd generation)
  • iPhone 7
  • iPhone 7 Plus

PMB9943 X-Gold 736

  • iPhone 7
  • iPhone 7 Plus

MDM9655

  • iPhone 8
  • iPhone 8 Plus
  • iPhone X

PMB9948 X-Gold 748

  • iPhone 8
  • iPhone 8 Plus
  • iPhone X

PMB9955 X-Gold 756

  • Apple Watch Series 4
  • Apple Watch Series 5
  • iPad (7th generation)
  • iPad Air (3rd generation)
  • iPad Pro (11-inch)
  • iPad Pro (12.9-inch) (3rd generation)
  • iPad mini (5th generation)
  • iPhone XR
  • iPhone XS
  • iPhone XS Max

PMB9960 X-Gold 766

  • iPad Pro (11-inch) (2nd generation)
  • iPad Pro (12.9-inch) (4th generation)
  • iPhone 11
  • iPhone 11 Pro
  • iPhone 11 Pro Max
  • iPhone SE (2nd generation)

Seczone

This is the area in the baseband where the lock state is stored.

Layout

0x400--NCK token
0xA00--IMEI signature
0xB00--IMEI
0xC00--Locks table

Encryption

Many of the sections are encrypted using TEA based off the CHIPID and NORID. See NCK Brute Force for more info.
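The seczone layout and the TEA note above, as an added Python example that is not code from The iPhone Wiki or from any baseband firmware: it implements the standard TEA block cipher, slices a constructed 4 KiB image at the offsets listed on the page (0x400 NCK token, 0xA00 IMEI signature, 0xB00 IMEI, 0xC00 locks table) and decrypts the regions it assumes are encrypted. Everything beyond those four offsets is an assumption made for illustration: the 0x100-byte region size, which regions are encrypted, little-endian ECB blocking, the 8-byte locks-table format, and the `derive_key` mapping from CHIPID and NORID to a 128-bit key (the real derivation is not given on this page). All sample values, including the IMEI, are constructed.

```python
"""Added example: TEA and a parser for the seczone layout listed on the page.

Offsets come from the page; region sizes, encrypted-region choice, ECB/endianness,
the locks-table format and the CHIPID/NORID key schedule are ASSUMPTIONS.
"""
import struct

DELTA = 0x9E3779B9   # TEA's golden-ratio constant
MASK = 0xFFFFFFFF

# Offsets from the page; the 0x100-byte size of each region is an assumption.
SECZONE_LAYOUT = {
    "nck_token": 0x400,
    "imei_signature": 0xA00,
    "imei": 0xB00,
    "locks_table": 0xC00,
}
REGION_SIZE = 0x100
# The page says "many" sections are TEA-encrypted; which ones is assumed here.
ENCRYPTED_REGIONS = ("nck_token", "locks_table")


def tea_encrypt_block(v0, v1, key, rounds=32):
    """Standard TEA encryption of one 64-bit block given as two 32-bit words."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key, rounds=32):
    """Inverse of tea_encrypt_block (same rounds, sum walked backwards)."""
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_ecb(data, key, encrypt):
    """TEA block by block (ECB, little-endian words; both assumed). Length must be a multiple of 8."""
    if len(data) % 8:
        raise ValueError("data length must be a multiple of 8 bytes")
    fn = tea_encrypt_block if encrypt else tea_decrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<II", data, off)
        out += struct.pack("<II", *fn(v0, v1, key))
    return bytes(out)


def derive_key(chipid, norid):
    """ASSUMED key schedule: 64-bit CHIPID and NORID packed into four 32-bit words.
    The page only says the key is based off CHIPID and NORID; this mapping is illustrative."""
    packed = struct.pack("<QQ", chipid & 0xFFFFFFFFFFFFFFFF, norid & 0xFFFFFFFFFFFFFFFF)
    return struct.unpack("<4I", packed)


def build_sample_seczone(key, imei=b"123456789012345", lock_state=1):
    """Construct a 4 KiB seczone image with sample data placed at the page's offsets."""
    zone = bytearray(0x1000)
    fields = {
        "nck_token": b"NCKTOKEN-SAMPLE-",              # 16 constructed bytes
        "imei_signature": b"\x11" * 16,                # constructed placeholder signature
        "imei": imei.ljust(16, b"\x00"),               # constructed IMEI, NUL-padded
        "locks_table": struct.pack("<II", lock_state, 0),  # assumed table: (state, reserved)
    }
    for name, plain in fields.items():
        blob = tea_ecb(plain, key, encrypt=True) if name in ENCRYPTED_REGIONS else plain
        off = SECZONE_LAYOUT[name]
        zone[off:off + len(blob)] = blob
    return bytes(zone)


def parse_seczone(zone, key):
    """Slice the image at the page's offsets and decrypt the regions assumed to be encrypted."""
    out = {}
    for name, off in SECZONE_LAYOUT.items():
        raw = zone[off:off + REGION_SIZE]
        out[name] = tea_ecb(raw, key, encrypt=False) if name in ENCRYPTED_REGIONS else raw
    # Interpret two regions under the assumed formats above.
    out["imei_str"] = out["imei"].rstrip(b"\x00").decode("ascii")
    out["lock_state"] = struct.unpack_from("<I", out["locks_table"], 0)[0]
    return out


if __name__ == "__main__":
    key = derive_key(0x0123456789ABCDEF, 0x00000000DEADBEEF)  # constructed identifiers
    zone = build_sample_seczone(key)
    parsed = parse_seczone(zone, key)
    print("IMEI:", parsed["imei_str"], "lock state:", parsed["lock_state"])
    print("NCK token:", parsed["nck_token"][:16])
```

What the example makes concrete is that the only secret in this scheme is material derived from CHIPID and NORID, so the confidentiality of a section is exactly as strong as the difficulty of reading those two identifiers off the device; and that TEA in ECB mode with a fixed key provides no integrity, since altered ciphertext in the locks table simply decrypts to different bytes. A separate signature region, like the one the layout lists for the IMEI, is the kind of check ECB alone does not give you.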

Exploits

  • SIM hacks
  • Hardware Fakeblank

PMB8876 S-Gold 2

  • Fakeblank
  • IPSF
  • Minus 0x400
  • Minus 0x20000 with Back Extend Erase
  • AT+stkprof

PMB8878 X-Gold 608

  • JerrySIM
  • AT+stkprof
  • AT+XLOG Vulnerability
  • AT+XEMN Heap Overflow
  • AT+XAPP Vulnerability
  • AT+FNS

XMM 6180 X-Gold 618

  • AT+XAPP Vulnerability

MDM6600

  • None

MDM6610

  • None

MDM9600

  • None

MDM9615

  • None

MDM9625

  • None

MDM9635

  • None

MDM9645

  • None

PMB9943 X-Gold 736

  • None

MDM9655

  • None

PMB9948 X-Gold 748

  • None

PMB9955 X-Gold 756

  • None

PMB9960 X-Gold 766

  • None

Theoretical Attacks

Boot Chain

bootrom->bootloader->firmware