PDA

View Full Version : [1.1.3 OTB] What happens if...


tramuyo
02-05-2008, 10:31 PM
What happens if we run ienew on the 1.1.3 baseband (4.9 b/l)? Does ienew erase the baseband, or just screw up the baseband?

With 1.1.3 preinstalled OTB, can we run iunew to "overwrite" the bootloader area (well, it says "did u erase first?")? But I think there's a way to erase it (screwing up?) the baseband to write anything...


Just a thought...:confused:

smirkis
02-05-2008, 10:45 PM
No.

Basebands are weird and require a newer version to be available to be able to erase them. With you being on the newest one, you can't do shit. I don't know what'll happen if you erase it, but it won't be pretty.

tramuyo
02-05-2008, 11:00 PM
Thank you for your answer. Better I don't do that erase...

cosmoLV
02-05-2008, 11:05 PM
We need the baseband source to write a baseband update manually, before Apple releases one.
Then we can do this faster ;)

error1
02-05-2008, 11:52 PM
I think nothing will happen, because with ienew (ieraser) you will only try to erase the BB firmware, and the 1.1.3 FW needed to cheat the BL into working (if the secpack allows it; so nothing, you don't have one).

The secpack is, as you know, a file that authorizes baseband upgrading. Inside this short file is an RSA-encrypted header where the checks (signatures) are hidden that validate the BB firmware for update and not downgrade.

Geohot's A17 point cheats BL 4.6 into checking one or two areas which we erased with ienew (0xFFFFFFFF), which contain the "flash block locked" flag or similar.

That address or those addresses in NOR flash are read, for example at 0xA0000020 and 0xA00003FF, and our cheat increases the addresses by 2^17 (0x20000) and makes BL 4.6 check the data at addresses 0xA0020020 and 0xA00203FF, which were previously erased and so read 0xFFFFFFFF: no lock on that block... THAT EVIL :) BLOCK where the BL is stored, and the new BL 3.9 is flashed there.

I think that is the mechanism Geohot uses to downgrade the BL!

So probably the answer to your question is:
you will not erase anything, because you cannot validate (no secpack) the update of the BB firmware even at the first step, ienew!
Maybe you fk your 1.1.3 FW up a little, but you will not be allowed to touch the BB FW and the BL.

:p
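The lock-check redirection error1 describes above, as an added example that is not part of the original post and not geohot's code: a constructed C model of a NOR flash with 128 KiB (0x20000) blocks, a bootloader that decides whether its block is locked by reading a flag word at +0x20, and the same check shifted by 2^17 so that it reads from the block ienew has just erased. NOR_BASE, BLOCK_SIZE, LOCK_FLAG_OFF, the all-zero "locked" encoding and the 16-byte stand-in images are assumptions; the real NOR layout is not on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the lock-check redirection described above. Added
 * example: not geohot's patch and not the real 4.6 bootloader. NOR base, block
 * size, flag offset and flag encoding are assumptions lifted from the post. */

#define NOR_BASE      0xA0000000u   /* assumed NOR base, as in the post       */
#define BLOCK_SIZE    0x20000u      /* 2^17: the shift quoted in the post     */
#define NOR_BLOCKS    4u            /* small model: 4 blocks of 128 KiB       */
#define NOR_SIZE      (NOR_BLOCKS * BLOCK_SIZE)
#define LOCK_FLAG_OFF 0x20u         /* "block locked" word at +0x20 (assumed) */
#define ERASED_WORD   0xFFFFFFFFu   /* erased NOR reads all ones              */

static uint8_t nor[NOR_SIZE];

static int in_nor(uint32_t a, uint32_t n)
{
    return a >= NOR_BASE && n <= NOR_SIZE && a - NOR_BASE <= NOR_SIZE - n;
}

/* Little-endian 32-bit read. An out-of-range read returns 0 so that a bad
 * address can never masquerade as an erased (all-ones) word. */
static uint32_t nor_read32(uint32_t addr)
{
    if (!in_nor(addr, 4))
        return 0;
    const uint8_t *p = nor + (addr - NOR_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Block erase: the whole 128 KiB block containing addr reads back as 0xFF. */
static void nor_erase_block(uint32_t addr)
{
    if (in_nor(addr, 1))
        memset(nor + ((addr - NOR_BASE) & ~(BLOCK_SIZE - 1)), 0xFF, BLOCK_SIZE);
}

/* Programming NOR can only clear bits (1 -> 0). Returns 1 if the data reads
 * back exactly as requested, 0 if an erase would have been needed first. */
static int nor_program(uint32_t addr, const uint8_t *data, uint32_t len)
{
    if (!in_nor(addr, len))
        return 0;
    uint8_t *p = nor + (addr - NOR_BASE);
    for (uint32_t i = 0; i < len; i++)
        p[i] &= data[i];
    return memcmp(p, data, len) == 0;
}

/* The bootloader's lock check. delta == 0 is the original read; delta ==
 * BLOCK_SIZE is the patched read the post describes (address + 2^17), which
 * lands in the block that ienew has just erased. */
static int bl_block_locked(uint32_t block_addr, uint32_t delta)
{
    return nor_read32(block_addr + LOCK_FLAG_OFF + delta) != ERASED_WORD;
}

/* "Flash a new bootloader": refuse if the block looks locked, otherwise erase
 * it and program the image. Returns 1 on success. */
static int bl_flash_bootloader(uint32_t block_addr, uint32_t delta,
                               const uint8_t *img, uint32_t len)
{
    if (len > BLOCK_SIZE || bl_block_locked(block_addr, delta))
        return 0;
    nor_erase_block(block_addr);
    return nor_program(block_addr, img, len);
}

/* The post's scenario: block 0 holds BL 4.6 with its lock word programmed to
 * zero, block 1 holds the baseband firmware that ienew then erases. Returns 1
 * if the constructed "BL 3.9" image ends up in block 0. */
static int run_downgrade(int patched)
{
    const uint32_t bl_block = NOR_BASE;               /* block 0: bootloader  */
    const uint32_t bb_block = NOR_BASE + BLOCK_SIZE;  /* block 1: baseband fw */
    static const uint8_t locked[4] = { 0, 0, 0, 0 };  /* assumed "locked"     */
    uint8_t old_bl[16], new_bl[16];                   /* constructed stand-ins */
    memset(old_bl, 0x46, sizeof old_bl);
    memset(new_bl, 0x39, sizeof new_bl);

    for (uint32_t b = 0; b < NOR_BLOCKS; b++)         /* factory: all erased  */
        nor_erase_block(NOR_BASE + b * BLOCK_SIZE);
    nor_program(bl_block, old_bl, sizeof old_bl);
    nor_program(bl_block + LOCK_FLAG_OFF, locked, 4);

    nor_erase_block(bb_block);                        /* what ienew does      */

    if (!bl_flash_bootloader(bl_block, patched ? BLOCK_SIZE : 0,
                             new_bl, sizeof new_bl))
        return 0;
    return memcmp(nor, new_bl, sizeof new_bl) == 0;
}

int main(void)
{
    printf("original check : downgrade %s\n", run_downgrade(0) ? "accepted" : "refused");
    printf("check + 0x%X : downgrade %s\n", BLOCK_SIZE,
           run_downgrade(1) ? "accepted" : "refused");
    return 0;
}
```

Two things the model makes visible. Programming NOR can only clear bits, so a lock word that has been programmed cannot be set back to ones without a block erase, which is why an erase has to come before any write into that region. And a lock state that is nothing more than a word the bootloader reads from the same flash it protects is defeated by moving the address that read uses, because erased flash is all ones; hardware block-lock bits held by the flash controller do not move when the code is patched.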

ta_mobile
02-06-2008, 10:04 AM
Exactly. If you try to erase 1.1.3 OTB, some addresses of the bootloader will be FF, but the whole thing can't be touched.

error1
02-06-2008, 07:58 PM
Oh my god, ta_mobile answered here :)

Great work ta_mobile!!

I'm working at a hi-tech fiber optics company, so I understand that it is difficult for "common" people to desolder BGA flashes, or worse, to solder them back and check them with X-ray or
with an ERSA scope, but I have access to all this.

I know that you will not answer me in private or here, but I want to ask you here anyway:
I don't think you have desoldered, reprogrammed and resoldered the flash, because with the equipment shown in your photo that is impossible to do :). Anyway, what is a supported programmer for NOR flash, or technically how do you do the reprogramming?

(or do you have the priv.a.t.e RSA k.e.y?)

Thanks, and sorry if I asked too much.
BTW, you are GREAT!!!!

Skippy
02-06-2008, 10:42 PM
Hi,

Do you think that it's impossible to desolder and solder a BGA with a hot air gun? Are you only capable of doing that job with a UV Rework from ERSA?

I have a rework station from ERSA, and it is a lot easier to rework a BGA with it than with hot air, but I can do the job with both.

A supported programmer is some device plus a ZIF socket adapter that can reprogram the flash chip; take a look at Xeltek, AEC, UP-48.... all of them can reprogram the flash.

If TA_MOBILE could tell me/us where to erase and reprogram the flash, I would be very thankful. If not, I'll try to do a FULL dump of another flash with an older version, check where the baseband is, and reprogram my flash IC.

Regards,
Skippy


ericjarvies
02-07-2008, 02:22 PM
ta_mobile... did you find a bootrom that loads if the flash isn't working? Or did someone give you the key?

When will you tell everyone... when secpack 1.1.4 comes out?

Eric Jarvies

error1
02-07-2008, 06:14 PM
You are right; I say that it is very silly to resolder the chip back onto the main board with hot air, because you must have luck to solder all the balls and to center the flash well.

What I want to make clear is that it is not impossible to do it with a hot air station, but unnecessarily hard.
And also, why then "keep it secret"?
I only want to "provoke" the great ta_mobile gently into replying with,
for example:
"Haha, be patient, soon!"
to give us hope that there is some other method :p .
:)
Gogogogo ta_mobile!

First, hello and sorry all!

As I said, I did unlock 1.1.3 OTB successfully with full function, with FW 1.1.3 and BB 4.03 as well, since the jailbreak for 1.1.3 was released.

But the solution will not be released, because it is so much risk and difficulty even with fully equipped tools and skill. And I must keep it for the incoming firmware research. What I can help the community with, I did. And please don't buzz me with "blabla, share the solution with me" or something like that.

Be calm and wait. If you have a problem with 1.1.3 being upgraded, or 1.1.3 OTB (BL 4.6), you can send me the comm board to repair it (sounds impossible, but this is the least I can help).



Will upload some more pics of 1.1.3 OTB with serial 8x80x for you to see. Just for fun.

BR

Skippy
02-07-2008, 06:32 PM
Hi,

This is the most common thing to do in unlocking these days; just take a look at how to disable the airbag on a crashed car ECU, how to pair dish smartcards to decoders, how to remove a lost password from a notebook BIOS... etc etc!!!!!

More and more firmware hacking goes through direct hardware reprogramming, not USB or another easy communication bus.

Regards,
Skippy
