[1.1.3 OTB] Hard way downgrading!
Skippy
02-06-2008, 02:17 PM
Dear All,
I'm thinking of buying an iPhone, and it seems like the new version of the baseband does not permit us to unlock.
My question is: if I remove the baseband flash and erase the baseband firmware, can I reprogram the firmware via ienew?
Or let's put it another way: what do I have to erase/reprogram in the flash so I can use the available TP/software to unlock the new versions of the iPhone?
I don't want to hear answers like "oh, this is very hard to do" and bla bla; I have equipment for doing all this in 20 minutes: UV rework station, BGA adapters for reprogramming flash, etc. etc...
Regards,
Skippy
weezo
02-06-2008, 04:42 PM
You will destroy $500 if you try to remove the flash to flash it...
But if you have the skillz / equipment, ask TA_Mobile or GeoHot__. They have done it in the past...
Gstar
02-06-2008, 05:02 PM
hi,
The new iPhones are shipped with the 1.1.3 FW. Right now it is impossible to erase the baseband because you need the secpack from the 1.1.4 firmware.
We also had to wait for the 1.1.3 secpack to erase the baseband which comes with the 1.1.2 firmware.
This is possible only if the new FW 1.1.4 has a baseband update. If not, you have to wait for the next FW which has a baseband update to extract the secpack.
Skippy
02-06-2008, 07:50 PM
Hi,
You didn't understand my question. I'm not asking for a software or TP solution; I'm asking what I should erase/reprogram directly in the phone's flash to unlock the phone.
I've been reading that if I erase the baseband firmware and downgrade to BL 3.9, I'm able to unlock.
Does anybody know the offsets to erase from the flash?
If I read from another iPhone 1.1.2 baseband and reprogram my 1.1.3 OTB with it, will it work?
Regards,
Skippy
Skippy
02-06-2008, 07:51 PM
Hi,
I have worked in mobile repair for more than 10 years. I remove BGAs and other SMT components every day!!
Regards,
William
KoSoVaR
02-06-2008, 08:31 PM
Skippy,
This has to be possible because TA_Mobile does it and showed us all that he could.
I'm just not sure - don't take no for an answer.
Skippy
02-06-2008, 08:56 PM
Hi,
As far as I understood from the hundreds of posts regarding this issue, it isn't possible to downgrade the baseband without knowing the SEC pack from a newer version, i.e. having version 1.1.4.
But if you have a 1.1.3 firmware that was previously an OTB 1.1.2 with the older baseband, it's possible to unlock because you have the SEC pack from the newest baseband.
So the problem here is the baseband, and if I can downgrade or erase the baseband directly with a programmer, the baseband is no problem anymore.
Is there anyone with knowledge of the iPhone firmware and baseband who could confirm this for me? If this is true, the only thing I need to do is remove the flash and reprogram it with the older baseband.
Another question: I assume the iPhone firmware is on another flash chip, and the bootloader is in the same flash chip as the main firmware. If that's the case, can I downgrade the bootloader via TP and reprogram the baseband with a programmer, and convert my 1.1.3 OTB into a 1.1.2 OTB with bootloader 3.9?
If the flash chip is the same, I can do it all at once.
This procedure was usual on some Sony Ericsson phones when they lost the bootloader while unlocking via a bad TP; the solution was to remove the flash from the board and reprogram only the bootloader, then flash the phone via USB or with some flashing tool.
Regards,
Skippy
Gstar
02-06-2008, 09:31 PM
As I know, the iPhone has two CPUs. One is with the main system where the firmware (1.0.1/1.0.2/1.1.1/1.1.2/1.1.3) runs. The other CPU is with the baseband and a bootloader. This baseband is responsible for the GSM, Bluetooth, WiFi, sound, IMEI, ICCID... That is why many ppl have no baseband but the main system is running.
Some firmware updates have a baseband update too: from 1.1.2 FW with baseband 04.02.13_G to 1.1.3 with the new baseband 04.03.13_G. This baseband update is the one and only reason why we are able to make the HW unlock!
If you have the new bootloader 4.6, which has no exploits, you will always need the secpack from a newer baseband to erase the current baseband. If you have the old bootloader it doesn't matter; then you can up- and downgrade to whatever baseband you want.
Here is a PDF from geohot. Perhaps it helps a little bit: www.tayloredge.com/museum/museum/IPhone.pdf
That's from my understanding. Correct me if I am wrong.
Skippy
02-06-2008, 09:41 PM
Hi,
I think that you aren't correct, because the 1.1.2 OTB with bootloader 4.6 is unlockable via TP, as you can see in the Software unlock section.
What I've read was that you need the newest SEC pack for being able to FULL erase the baseband, not the bootloader.
Is there any memory map of the baseband flash, like where the Wi-Fi firmware, baseband firmware, IMEI, etc. etc. are located?
Regards,
Skippy
Gstar
02-06-2008, 09:57 PM
What I've read was that you need the newest SEC pack for being able to FULL erase the baseband, not the bootloader.
True.
I think that you aren't correct, because the 1.1.2 OTB with bootloader 4.6 is unlockable via TP, as you can see in the Software unlock section.
This is more a hardware unlock than software.
Skippy
02-06-2008, 10:08 PM
Yes, I know that this is more a hardware than a software method, but who cares; what I want is to unlock the phone.
Skippy
weezo
02-07-2008, 06:57 AM
Ask TA_Mobile.
He knows how to do it; send him a PM, he's gonna answer you.
crackn
02-07-2008, 09:53 AM
The bootloader is on the first 2 blocks of the baseband NOR.
Just reprogram it with the 3.9 bootloader and put it back.
cheers,
cRACKn
Skippy
02-07-2008, 11:48 AM
Hi,
Are you sure? Why not reprogram the baseband?
Do you know where I can get a binary bootloader file to use with the programmer?
Regards,
Skippy
ericjarvies
02-07-2008, 12:13 PM
With A17, the bootrom checks the one offset locations, located in the main firmware, which is writable, unlike the bootloader. So taking the secpack from the modem firmware/version your iPhone has, and making those one offset locations from blank [0xFFFFFFFF], means you can proceed. This is what iEraser does, correct? Then you need to patch the firmware from the above NOR dump with the documented offsets. Then the program testcode.bb needs to be uploaded to the baseband via the above bootrom exploit, and the program (iUnlocker, iunew, etc., whatever) run in the same dir as the above-mentioned NOR.
So, did Apple close this exploit in the 1.1.3 bootrom? Or does it still read from the same addresses as before? If it's the same, then nothing is preventing this with 1.1.3 firmware, correct?
If it was as easy as using the 3.9 bootloader, then why is only TA_Mobile doing it? Please help me understand. Thanks.
Eric Jarvies
Skippy
02-07-2008, 03:12 PM
The problem with downgrading the bootloader is that the process of doing it is via hardware and not software/TP; that's why most people can't do it!
Skippy
JayBee10
02-07-2008, 05:17 PM
So TA_mobile removes the flash rom from the layer board, re-programs it externally and solders it back to the board. Is that right?
weezo
02-07-2008, 05:25 PM
BINGO, this is how he does it.
Skippy
02-07-2008, 05:44 PM
The only thing I need is a confirmation of the start/end address, and BL 3.9, to reprogram the flash.
Regards,
Skippy
fgbab
02-07-2008, 06:29 PM
Guys:
So the main goal here is to try to find an exploit for BL 4.6, or to downgrade to BL 3.9?
So, why is it impossible at this time to downgrade the BL on an OTB 1.1.3? And why is it so difficult to find an exploit for BL 4.6?
What do we need to perform in each case?
Rgds!
Federico
crackn
02-07-2008, 09:44 PM
Here are the BLs:
h**p://rapid_$_hare.com/files/89958662/bootloaders.rar.html
and a picture of the baseband with the NOR removed
cheers
cRACKn
Skippy
02-07-2008, 10:35 PM
Hi cRACKn,
First of all, thanks for sharing this info!!!
I've been analyzing both DUMPs, and obviously these aren't FULL NOR DUMPs, but only the bootloader. Do you know where the IMEI info is located in the FULL DUMP? I'm asking you this because if I FULL erase my NOR flash and reprogram it only with the bootloader, is the phone going to retain the IMEI, Wi-Fi... bla bla?
If the IMEI info is stored somewhere else, there is no problem programming only the BL.
The move here is to FULL ERASE the NOR FLASH, next program only BL 3.9, resolder the NOR FLASH, then via software upload the baseband and firmware and unlock. Have you already followed all these steps with success?
Regards,
Skippy
krtek.net
02-08-2008, 01:24 AM
Why don't you just reprogram the bootloader and leave the baseband and seczone(?) alone? With BL 3.9 in place you can downgrade/patch the baseband via software...
crackn
02-08-2008, 08:21 AM
Skippy,
The correct move is:
1. Unsolder the NOR and do a full dump of it.
2. Hexedit it and change just the BL code.
3. Solder back the NOR.
4. Don't blame me if you fry your iPhone!
The information is just to explain that it's possible and has already been done by me and others here in the forum!
cheers,
cRACKn
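As an added integrity check (not from this thread or any of its posters): before soldering the NOR back, compare the edited image against the original dump and confirm that the edit is confined to the first two erase blocks, the region the post above says holds the bootloader, so nothing else in the image (IMEI, seczone, calibration data) was touched. The erase block size is an assumption used as a placeholder; the sample images are constructed.

```python
# Added example: verify that an edited NOR image differs from the original
# dump only inside the first two erase blocks (where the thread says the
# bootloader lives). BLOCK_SIZE is an ASSUMPTION / placeholder; set it to
# the real part's erase block size before use.
from typing import List

BLOCK_SIZE = 64 * 1024          # assumed erase block size (placeholder)
BOOTLOADER_BLOCKS = {0, 1}      # per the post above: BL is in the first 2 blocks


def differing_blocks(original: bytes, edited: bytes,
                     block_size: int = BLOCK_SIZE) -> List[int]:
    """Return the indices of erase blocks whose contents differ."""
    if len(original) != len(edited):
        # A dump that changed size was not edited in place: refuse it.
        raise ValueError("images must be the same size")
    diffs = []
    for off in range(0, len(original), block_size):
        if original[off:off + block_size] != edited[off:off + block_size]:
            diffs.append(off // block_size)
    return diffs


def edit_confined_to_bootloader(original: bytes, edited: bytes,
                                block_size: int = BLOCK_SIZE) -> bool:
    """True only if every differing block is one of the bootloader blocks."""
    return set(differing_blocks(original, edited, block_size)) <= BOOTLOADER_BLOCKS


def make_sample_images(block_size: int = 4096):
    """Constructed sample: a 4-block image, one good edit, one bad edit."""
    original = bytes(range(256)) * (block_size * 4 // 256)
    good = bytearray(original)
    good[block_size + 16:block_size + 32] = b"\xff" * 16   # touches block 1 only
    bad = bytearray(good)
    bad[3 * block_size + 8] ^= 0x01                        # also touches block 3
    return original, bytes(good), bytes(bad)


if __name__ == "__main__":
    orig, good, bad = make_sample_images()
    print("good edit differs in blocks:", differing_blocks(orig, good, 4096))
    print("bad edit differs in blocks:", differing_blocks(orig, bad, 4096))
```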
crackn
02-08-2008, 05:09 PM
Hey Skippy,
Don't worry about it anymore.
Just do the new software unlock :P
cRACKn