Difference between revisions of "Preventing Baseband Update"

From The iPhone Wiki

Latest revision as of 09:15, 13 October 2015

Edit options.plist

  1. Unpack the custom IPSW
  2. Decrypt the Restore Ramdisk using xpwntool and mount it
  3. Navigate to /usr/local/share/restore/
  4. Edit options.plist on the Restore Ramdisk (ignore any other settings specified in the plist; don't edit them):
       <key>UpdateBaseband</key>
       <false/>
  5. Re-encrypt the restore ramdisk
  6. Repack the IPSW
  7. Prepare the device for custom firmware using redsn0w
  8. Restore the IPSW with iTunes in pwned DFU Mode using the appropriate method (see the Restoring The Modified IPSW section)

You must load a patched iBSS/iBEC for this to work. Using an original IPSW will not work, because redsn0w's pwned DFU Mode doesn't patch the signature checks in iBSS (which is loaded from the IPSW).
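The options.plist edit in step 4, as an added example (not code from the wiki page or from any jailbreak tool): it changes only the UpdateBaseband key, leaves the other settings untouched, and returns a change report so the edit can be reviewed before the ramdisk is re-encrypted. The sample plist is constructed; its keys are the ones listed in the sn0wbreeze analysis below, with illustrative values.

```python
"""Set UpdateBaseband to false in a restore ramdisk options.plist.

Added example, not from the wiki page or any jailbreak tool: it changes only
the UpdateBaseband key, leaves every other setting untouched as step 4
requires, and returns a change report to review before the ramdisk is
re-encrypted.  The sample plist is constructed; its keys are the ones the
sn0wbreeze analysis on this page lists, with illustrative values.
"""
import plistlib
from typing import Any, Dict, Tuple

# Constructed sample options.plist (not copied from a real ramdisk).
SAMPLE_OPTIONS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CreateFilesystemPartitions</key>
    <true/>
    <key>SystemPartitionSize</key>
    <integer>1024</integer>
    <key>UpdateBaseband</key>
    <true/>
</dict>
</plist>
"""


def load_options(plist_bytes: bytes) -> Dict[str, Any]:
    """Parse options.plist, insisting that its root is a dictionary."""
    options = plistlib.loads(plist_bytes)
    if not isinstance(options, dict):
        raise ValueError("options.plist root is not a dictionary")
    return options


def disable_baseband_update(plist_bytes: bytes) -> Tuple[bytes, Dict[str, Tuple[Any, Any]]]:
    """Return the re-serialised plist and a {key: (old, new)} report of changed keys."""
    options = load_options(plist_bytes)
    before = dict(options)
    options["UpdateBaseband"] = False  # the only key this edit may touch
    changes = {k: (before.get(k), v) for k, v in options.items() if before.get(k) != v}
    return plistlib.dumps(options), changes


def baseband_update_enabled(plist_bytes: bytes) -> bool:
    """True unless the plist explicitly sets UpdateBaseband to false."""
    return bool(load_options(plist_bytes).get("UpdateBaseband", True))


if __name__ == "__main__":
    patched, changes = disable_baseband_update(SAMPLE_OPTIONS_PLIST)
    print(patched.decode())
    print("changed keys:", changes)
```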

Idea

One could hook the function HookAMRestorePerformRecoveryModeRestore in the MobileDevice Library that iTunes uses, overriding the restore options CFDictionaryRef object. This would *THEORETICALLY* allow skipping the baseband update without patches or a jailbreak. A practical application is someone who absolutely needs to update to the latest firmware for work or other reasons but cannot, because they must wait for PwnageTool to provide support.

Restoring The Modified IPSW

Firmwares like 4.2.1 and above have baseband checks in the Restore Ramdisk. If the modified IPSW is restored, iTunes will give Error 1015 and the device will be stuck in a recovery mode loop which cannot be exited with TinyUmbrella or the 'setenv auto-boot true' command.

Fortunately, the Update Ramdisk does not contain that baseband check, so if the Update Method described below is used, iTunes will give Error 1013, which can be exited with TinyUmbrella or the iRecovery command.

Update Method

  • Windows users: open iTunes, hold the Shift key, click Update, then select the modified IPSW.
  • Mac users: open iTunes, hold the Alt (Option) key, click Update, then select the modified IPSW.

Restore Method

  • Windows users: open iTunes, hold the Shift key, click Restore, then select the modified IPSW.
  • Mac users: open iTunes, hold the Alt (Option) key, click Restore, then select the modified IPSW.

TinyUmbrella/Cydia Server Method (iPhone 4)

The iPhone 4 requires an AT+XNONCE key signature from Apple in order to update the baseband. Pointing the hosts file at Cydia Server or running TinyUmbrella causes this signature request to be ignored, thus preventing a baseband update.

  • This only works if Cydia Server/TinyUmbrella accepts the firmware's SHSH.
  • This method 'works' with iOS 4.2.1, but the restore ramdisk contains a baseband version check. If the version doesn't match, the device will crash before the Apple logo with the loading bar (the second, first-boot one, not the restore one) appears, then boot and crash again. The old 'kick out of recovery mode' methods or "setenv auto-boot true" won't work, because auto-boot being false is not the problem. So this method is actually not useful for iOS 4.2.1+.
  • greenpois0n RC6 will fix this as part of the jailbreaking process. The latest version of TinyUmbrella also features a new Fix Recovery function.
  1. Edit the hosts file and add the line "74.208.10.249 gs.apple.com" without the quotes, or run TinyUmbrella after saving the firmware's SHSH. If Cydia Server doesn't have your SHSH but you have it locally, use the TSS Server method in TinyUmbrella.
  2. Use the "Restore" button in iTunes to update if your firmware version is below 4.2; otherwise use the "Update" button in iTunes.
  3. You will get Error 1013, which can easily be bypassed with the Exit Recovery Mode button in TinyUmbrella or by typing 'setenv auto-boot true' and 'saveenv' in iRecovery.

iH8Sn0w's Method

sn0wbreeze has a "Baseband Preservation Mode" since version 2.2. iH8sn0w confirmed that his method is not the same as the above mentioned methods.

This method can also be used on the iPhone 3GS and the iPhone 4 to downgrade from the 4.3 betas and above back to 4.2.1, as long as the device can be restored (and activated) to iOS 4.1 or an earlier version.

To get some more details about what sn0wbreeze does with the "Baseband Preservation Mode" option, here is a short analysis: a comparison of the generated IPSW for iOS 4.3 (iPhone 4) against the original.

Root Filesystem (038-0688-006.dmg)

(Details to be added.)

Restore Ramdisk (038-0715-006.dmg)

options.plist

The file options.plist in the folder \ramdisk\usr\local\share\restore is changed. These are the changes:

  • first entry added: CreateFilesystemPartitions = true
  • changed value: SystemPartitionSize 1024 changed to 1050
  • added last entry: UpdateBaseband = false

ASR

In the folder \ramdisk\usr\sbin\ the file asr has been renamed to asr_orig and a patched file of 180832 bytes added. The patches are (first line is original, second line is the patched version):

0001321A: DF F8
0001321A: FD E7
0002BFC6: ED B7 6C AA D3 AF A0 B4 90 08 6D 63 51 46 17 0B 8A 40 8D C4
0002BFC6: 6E DB 54 D3 DB 60 A8 FB 74 47 28 EB 02 33 EA FA 20 B6 7E B5
0002C1BA: FA DE 0C 01
0002C1BA: F6 B6 D0 8F

Images

Two files were changed from the Apple logo to the iH8sn0w logo. Both are called applelogo.png and they are located in \ramdisk\usr\share\progressui\images-1x\ and in \ramdisk\usr\share\progressui\images-2x\.

Patches in iBSS

There are several patches in iBSS (first line is original, second line is the patched version):

000000FC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000FC: 03 A2 13 68 1B B1 50 68 C8 50 08 32 F9 E7 70 47 E0 A9 8C 00 30 E0 00 20 A4 AC 92 00 06 9B 0B B1 A8 AC 92 00 00 23 04 D0 D8 D3 71 00 EA D1 01 20 E4 A9 8C 00 00 20 2D E0 5C DB 27 00 01

00012C26: FF F7 73 FE
00012C26: 00 20 00 20

00012C4C: FF F7 60 FE
00012C4C: 00 20 00 20

00012C70: FF F7 B6 FE
00012C70: 00 20 00 20

00012C98: FF F7 3A FE
00012C98: 00 20 00 20

00012CBA: FF F7 29 00
00012CBA: 00 20 00 20

00012CDE: FF F7 17 FE
00012CDE: 00 20 00 20

00012D02: FF F7 05 FE
00012D02: 00 20 00 20

00012D20: FF F7 F6 FD
00012D20: 00 20 00 20

00012D44: FF F7 E4 FD
00012D44: 00 20 00 20

0001345A: 08 F0 0D
0001345A: EC F7 4F

0001AD38: 4F F0 FF 30
0001AD38: 00 20 00 20
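The asr and iBSS patch lists above are in an "OFFSET: original bytes / OFFSET: patched bytes" layout. The following is an added example (not code from the wiki page or from sn0wbreeze) that produces that layout by diffing an original image against a patched one, and that applies such a listing only when the image really holds the listed original bytes, so a tool-generated IPSW can be checked against the documented patches. The sample images are constructed, not real firmware.

```python
"""Diff two firmware images into the "OFFSET: bytes" listing used above.

Added example, not from the wiki page or sn0wbreeze: compares an original
and a patched binary (asr_orig vs. asr, stock vs. patched iBSS) and reports
each differing run as an original line followed by a patched line, so a
tool-generated image can be checked against the documented patches.
The sample images are constructed, not real firmware.
"""
from typing import List, Tuple

Patch = Tuple[int, bytes, bytes]  # (offset, original bytes, patched bytes)

def diff_images(original: bytes, patched: bytes, max_gap: int = 1) -> List[Patch]:
    """Runs of differing bytes; runs separated by <= max_gap equal bytes merge,
    so a 4-byte instruction patch whose middle byte coincides stays one patch."""
    if len(original) != len(patched):
        raise ValueError("images differ in size; not an in-place patch")
    runs: List[Patch] = []
    start = last = None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a == b:
            continue
        if start is not None and i - last - 1 > max_gap:  # gap too wide: close run
            runs.append((start, original[start:last + 1], patched[start:last + 1]))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        runs.append((start, original[start:last + 1], patched[start:last + 1]))
    return runs

def format_patch(patch: Patch) -> str:
    """Render one run as on this page: original line, then patched line."""
    off, old, new = patch
    old_hex = " ".join(f"{x:02X}" for x in old)
    new_hex = " ".join(f"{x:02X}" for x in new)
    return f"{off:08X}: {old_hex}\n{off:08X}: {new_hex}"

def apply_patches(original: bytes, patches: List[Patch]) -> bytes:
    """Apply a listing, refusing if the image does not hold the listed original bytes."""
    image = bytearray(original)
    for off, old, new in patches:
        if bytes(image[off:off + len(old)]) != old:
            raise ValueError(f"bytes at {off:08X} do not match the listed original")
        image[off:off + len(new)] = new
    return bytes(image)

# Constructed sample: a 64-byte image with a 2-byte and a 4-byte patch,
# the second one keeping its middle byte unchanged.
SAMPLE_ORIGINAL = bytes(range(0x40))
SAMPLE_PATCHES: List[Patch] = [(0x0A, b"\x0a\x0b", b"\xfd\xe7"),
                               (0x20, b"\x20\x21\x22\x23", b"\x00\x21\x00\x20")]
SAMPLE_PATCHED = apply_patches(SAMPLE_ORIGINAL, SAMPLE_PATCHES)

if __name__ == "__main__":
    for run in diff_images(SAMPLE_ORIGINAL, SAMPLE_PATCHED):
        print(format_patch(run))
```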