From The iPhone Wiki

purplesn0w is geohot's unlock that uses the AT+XLOG Vulnerability. Its implementation of the vulnerability differs from ultrasn0w's, and it requires a legitimately activated iPhone.

How it works

purplesn0w copies the page that needs patching to an unused region of RAM and patches it there. Using the MMU, the flash page is mapped out and the patched RAM page is remapped in its place.

No new iPhones are really unlocked: activation creates a ticket that allows the baseband to be used with that SIM, so the lock state of the phone really lives on Apple's servers. Being unlocked means all SIMs are authorized; being locked means only certain carriers' SIMs are authorized (for instance, AT&T's). Conveniently, this ticket system provides an easy way to deliver the payload and re-execute the patched code in one step. Because the ticket is already re-delivered on every baseband reset, there is no need to write another daemon that would drain the battery; the daemon already designed for this, lockdownd, is used instead. A patch to CommCenter makes it run the payload on ticket delivery, and a patch to your activation record carries the payload.

Installation notes

  • Be sure to have a legitimately activated iPhone.
  • Disable 3G if you don't have it (like T-Mobile in the US).
  • Watch for the success output in Cydia (actually do this step).
  • Wait for signal, then enjoy your unlocked iPhone (no reboot required).

purplesn0w RC2 payload with comments

ROM:00000000                 LDR     R4, =0x201436C8 ; /* copy the page*/
ROM:00000004                 MOV     R0, #0x40000000
ROM:00000008                 LDR     R1, =0x203C1000
ROM:0000000C                 MOV     R2, #0x1000
ROM:00000010                 BLX     R4
ROM:00000014                 LDR     R5, =0x4000082C ; /*at 4000083C or 203C183C
ROM:00000014                                         ; put the code to branch to 0x404F0980*/
ROM:00000018                 ADD     R0, R5, #0x10
ROM:0000001C                 ADR     R1, loc_D4
ROM:00000020                 MOV     R2, #0xC
ROM:00000024                 BLX     R4
ROM:00000028                 MOV     R7, #0          ; /* interrupt disable */
ROM:0000002C                 MRS     R0, CPSR
ROM:00000030                 ORR     R0, R0, #0xC0
ROM:00000034                 MSR     CPSR_c, R0
ROM:00000038                 MRC     p15, 0, R6,c1,c0 ; /* MMU disable */
ROM:0000003C                 BIC     R0, R6, #0xFF
ROM:00000040                 MCR     p15, 0, R0,c1,c0
ROM:00000044                 NOP
ROM:00000048                 NOP
ROM:0000004C                 LDR     R0, =0x2030055E
ROM:00000050                 LDR     R1, =0x40001000
ROM:00000054                 ADD     R2, R1, #0x400
ROM:00000058 loop                                    ; CODE XREF: ROM:00000064↓j
ROM:00000058                 STR     R0, [R1],#4     ; build a page table in memory
ROM:00000058                                         ; increments of 0x1000
ROM:00000058                                         ; from 0x2030055E to 0x2040055E
ROM:00000058                                         ;
ROM:00000058                                         ; put 0x2030055E in [0x40001000]
ROM:00000058                                         ; 0x40001000 + 0x4
ROM:00000058                                         ; 0x2030055E + 0x1000
ROM:00000058                                         ; cmp 0x40001004 to 0x40001400
ROM:00000058                                         ; ...
ROM:00000058                                         ;
ROM:00000058                                         ;
ROM:0000005C                 ADD     R0, R0, #0x1000
ROM:00000060                 CMP     R1, R2
ROM:00000064                 BNE     loop
ROM:00000068                 LDR     R1, =0x4000055E ; put 0x4000055E in [0x40001400 - 0xFC]
ROM:00000068                                         ; i.e. where 203C155E was, put 4000055E
ROM:00000068                                         ; i.e. point the 0x203C1000 page table entry to RAM 0x40000000
ROM:0000006C                 STR     R1, [R2,#-0xFC]
ROM:00000070                 LDR     R0, =0x40001011 ; this section points the 0x203 mmu mapping to built page table
ROM:00000070                                         ; at 0x40001000.
ROM:00000070                                         ;
ROM:00000070                                         ; when this code runs again it returns the mapping to the way
ROM:00000070                                         ; it was, i.e. no trace left behind.
ROM:00000070                                         ;
ROM:00000070                                         ; put [0x800 + 0x8] + 0x100000 at [0x800 + 0xC]
ROM:00000070                                         ; if what was at [0x800 + 0xC] = 0x40001011 then break
ROM:00000070                                         ; else put 0x40001011 at [0x800 + 0xC]
ROM:00000074                 MOV     R1, #0x800
ROM:00000078                 LDR     R2, [R1,#0xC]
ROM:0000007C                 LDR     R3, [R1,#8]
ROM:00000080                 ADD     R3, R3, #0x100000
ROM:00000084                 STR     R3, [R1,#0xC]
ROM:00000088                 CMP     R2, R0
ROM:0000008C                 BEQ     break
ROM:00000090                 STR     R0, [R1,#0xC]
ROM:00000094 break                                   ; CODE XREF: ROM:0000008C↑j
ROM:00000094                 MCR     p15, 0, R7,c8,c7 ; /* invalidate TLB */
ROM:00000098                 MCR     p15, 0, R6,c1,c0 ; /* MMU enable */
ROM:0000009C                 MCR     p15, 0, R7,c7,c5 ; /* flush ICache */
ROM:000000A0                 NOP
ROM:000000A4                 NOP
ROM:000000A8                 NOP
ROM:000000AC                 MRS     R0, CPSR        ; /* interrupt enable */
ROM:000000B0                 BIC     R0, R0, #0xC0
ROM:000000B4                 MSR     CPSR_c, R0
ROM:000000B8                 LDR     R4, =0x20525359 ; /* go home */
ROM:000000BC                 LDR     R1, =0x203C1830
ROM:000000C0                 ADR     R0, dword_D0
ROM:000000C4                 STR     R1, [R0]
ROM:000000C8                 MOV     R0, #0
ROM:000000CC                 BX      R4
ROM:000000CC ; ---------------------------------------------------------------------------
ROM:000000D0 dword_D0        DCD 0x20525359          ; DATA XREF: ROM:000000B8↑r
ROM:000000D0                                         ; ROM:000000C0↑o
ROM:000000D4 ; ---------------------------------------------------------------------------
ROM:000000D4 loc_D4                                  ; DATA XREF: ROM:0000001C↑o
ROM:000000D4                 LDR     R4, =0x404F0980
ROM:000000D8                 BX      R4
ROM:000000D8 ; ---------------------------------------------------------------------------
ROM:000000DC dword_DC        DCD 0x404F0980          ; DATA XREF: ROM:loc_D4↑r
ROM:000000E0 dword_E0        DCD 0x201436C8          ; DATA XREF: ROM:00000000↑r
ROM:000000E4 dword_E4        DCD 0x203C1000          ; DATA XREF: ROM:00000008↑r
ROM:000000E8 dword_E8        DCD 0x4000082C          ; DATA XREF: ROM:00000014↑r
ROM:000000EC dword_EC        DCD 0x2030055E          ; DATA XREF: ROM:0000004C↑r
ROM:000000F0 dword_F0        DCD 0x40001000          ; DATA XREF: ROM:00000050↑r
ROM:000000F4 dword_F4        DCD 0x4000055E          ; DATA XREF: ROM:00000068↑r
ROM:000000F8 dword_F8        DCD 0x40001011          ; DATA XREF: ROM:00000070↑r
ROM:000000FC dword_FC        DCD 0x203C1830          ; DATA XREF: ROM:000000BC↑r
ROM:000000FC ; ROM           ends
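The page-remap description under "How it works" and the page-table comments in the listing can be checked against a small model. The following Python is an added example, not purplesn0w's code: it reproduces the two-level ARMv5-style tables the payload builds (256 small-page entries 0x1000 apart starting at 0x2030055E, the entry at 0x40001400 - 0xFC redirected to 0x4000055E, and the coarse-table descriptor 0x40001011 toggled into the first-level entry) and walks them the way the MMU would. It assumes the first-level table sits at physical address 0 (inferred from the payload reaching the 0x203 entry at 0x800 + 0xC) and uses a constructed flat section descriptor for the megabytes the payload does not touch; both are assumptions, not values from the page.

```python
"""Model of purplesn0w's MMU page remap (constructed example, not the payload).

Memory is a dict of 32-bit words keyed by physical address. The first-level
translation table is assumed to sit at physical 0 (ASSUMPTION, inferred from
the payload reaching the entry for 0x203xxxxx at 0x800 + 0xC); untouched
megabytes use a constructed flat section descriptor.
"""

TTB = 0x0                          # ASSUMPTION: first-level table base
COARSE_TABLE_PA = 0x40001000       # second-level table the payload builds
PATCHED_PAGE_PA = 0x40000000       # RAM copy of the patched flash page
TARGET_PAGE_VA = 0x203C1000        # flash page being replaced
COARSE_DESC = 0x40001011           # first-level entry written by the payload
FIRST_PAGE_DESC = 0x2030055E       # first second-level entry written
PATCHED_PAGE_DESC = 0x4000055E     # entry stored at [0x40001400 - 0xFC]


def l1_index(va):
    return va >> 20


def l2_index(va):
    return (va >> 12) & 0xFF


def flat_section_desc(section):
    # ASSUMPTION: constructed identity section descriptor
    # (type 0b10, bit 4 set, C=B=1, AP=0b11, domain 0)
    return (section << 20) | 0xC1E


def make_memory():
    """Flat 1:1 section mappings for all 4096 MiB of the address space."""
    return {TTB + s * 4: flat_section_desc(s) for s in range(4096)}


def build_coarse_table(mem):
    """Mirror of the STR loop: 256 small-page entries, one 4 KiB page apart,
    then entry 0xC1 (VA 0x203C1000) pointed at the patched RAM copy."""
    desc, addr, end = FIRST_PAGE_DESC, COARSE_TABLE_PA, COARSE_TABLE_PA + 0x400
    while addr != end:                   # CMP R1, R2 / BNE loop
        mem[addr] = desc
        addr += 4
        desc += 0x1000
    mem[end - 0xFC] = PATCHED_PAGE_DESC  # STR R1, [R2, #-0xFC]


def toggle_l1_entry(mem):
    """The payload's toggle on the first-level entry for 0x203xxxxx.

    It first rebuilds the original section entry from its neighbour
    ([entry - 4] + 0x100000). If the old entry was already the coarse
    descriptor that rebuild stands (mapping restored); otherwise the coarse
    descriptor is installed (page remapped). Returns which happened."""
    entry_addr = TTB + l1_index(TARGET_PAGE_VA) * 4   # 0x80C on the page
    old = mem[entry_addr]                              # LDR R2, [R1, #0xC]
    mem[entry_addr] = mem[entry_addr - 4] + 0x100000   # STR R3, [R1, #0xC]
    if old == COARSE_DESC:                             # BEQ break
        return "restored"
    mem[entry_addr] = COARSE_DESC                      # STR R0, [R1, #0xC]
    return "patched"


def decode_small_page(desc):
    """ARMv5 small-page descriptor fields (type 0b10, B, C, four AP fields)."""
    return {
        "type": desc & 0b11,
        "base": desc & 0xFFFFF000,
        "B": (desc >> 2) & 1,
        "C": (desc >> 3) & 1,
        "AP": [(desc >> (4 + 2 * i)) & 0b11 for i in range(4)],
    }


def translate(mem, va):
    """Walk the two-level table the way the MMU would for virtual address va."""
    l1 = mem[TTB + l1_index(va) * 4]
    if l1 & 0b11 == 0b10:                       # section: 1 MiB
        return (l1 & 0xFFF00000) | (va & 0xFFFFF)
    if l1 & 0b11 == 0b01:                       # coarse page table
        l2 = mem[(l1 & 0xFFFFFC00) + l2_index(va) * 4]
        if l2 & 0b11 != 0b10:
            raise LookupError("second-level fault at 0x%08X" % va)
        return (l2 & 0xFFFFF000) | (va & 0xFFF)
    raise LookupError("first-level fault at 0x%08X" % va)


def remap_state(mem):
    """Defender-side check: is the 0x203 megabyte still a flat section?"""
    l1 = mem[TTB + l1_index(TARGET_PAGE_VA) * 4]
    return "section" if l1 & 0b11 == 0b10 else "coarse"


if __name__ == "__main__":
    mem = make_memory()
    build_coarse_table(mem)
    for _ in range(2):   # first run remaps, second run restores
        print(toggle_l1_entry(mem), remap_state(mem),
              "0x203C183C -> 0x%08X" % translate(mem, 0x203C183C))
```

Running it twice in a row reproduces the "no trace left behind" behaviour of the listing: the first toggle makes virtual 0x203C183C (the patched branch, 0x4000082C + 0x10) resolve to RAM 0x4000083C while every other page of the megabyte still resolves to itself, and the second toggle puts the flat section entry back. From a verification standpoint the flash contents never change; what distinguishes the patched state is the first-level descriptor for 0x203xxxxx being a coarse page table (0x40001011) where a section entry is expected, which is what remap_state() reports.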