[Baseband][3G] 1.45.00 bootloader 5.8 full dumped !
ta_mobile
07-22-2008, 10:23 AM
Hi all !
I've dumped the full BB of the white 16G 3G, hoping it will help software unlocking a little bit. Whoever needs it for hacking, please contact me.
Those who don't know about this, please do not spam. Thanks
http://gsm.com.vn/thieu_bocap/dump/gsmvn01.jpg
http://gsm.com.vn/thieu_bocap/dump/gsmvn02.jpg
http://gsm.com.vn/thieu_bocap/dump/gsmvn06.jpg
Former Bender
07-22-2008, 10:40 AM
Hey Ta, it's been a long time ! :)
Very nice job and help for the community ! :)
ta_mobile
07-22-2008, 10:59 AM
Hey Ta, it's been a long time ! :)
Very nice job and help for the community ! :)
I'm still around here bro, haha, just hoping something simple like this will be found out :D
Simple Unlock
From the S-Gold's perspective, here are the fundamentals of unlocking basebands. A simple byte sequence search combined with a neutered baseband are all you need. (The s5l8900 CPU imposes other restrictions beyond this discussion.)
The secpack is at ICE*.fls offset 0x1a4 (0x800 bytes long)
The baseband is at ICE*.fls offset 0x209a4
The baseband length is at ICE*.fls offset 0x20 (subtract 0x20000)
Due to gray's initial RCE of the baseband, and combined with a neutered bootloader, unlocking recent and future basebands has been reduced to a simple byte search.
Search for the byte sequence “ff 90 a0 e3 ff 00 00 e2 02 00 50 e3” in the baseband. You should find just one such sequence, and the next four bytes will be “02 00 00 1a”. Change these four bytes to all zeros to unlock your baseband.
Firmware Baseband fls offset
1.1.3 4.03.13 0x9a4+0x238150 = 0x238af4 (2329332)
1.1.4 4.04.05 0x9a4+0x2395cc = 0x239f70 (2334576)
2.0 beta1 4.05.00 0x9a4+0x239884 = 0x23a228 (2335272)
2.0 beta2 4.05.01 0x9a4+0x238f38 = 0x2398dc (2332892)
2.0 beta3 4.05.01 0x9a4+0x238f38 = 0x2398dc (2332892)
2.0 beta4 4.05.02 0x9a4+0x239194 = 0x239b38 (2333496)
2.0 beta5 4.05.03 0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta6 4.05.04 0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta7 4.05.04 0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta8 4.05.04 0x9a4+0x23925c = 0x239c00 (2333696)
2.0 release 4.05.04 0x9a4+0x23925c = 0x239c00 (2333696)
If you have a neutered bootloader, the following patches achieve the anySIM unlock. Just patch the .fls and feed both the .fls and .eep to the bbupdater that gets installed in /Applications/BootNeuter.app/bin by the Dev Team IPSW Builder.
dd if=/dev/zero of=ICE04.03.13_G.fls bs=1 seek=2329332 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.04.05_G.fls bs=1 seek=2334576 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.00_G.fls bs=1 seek=2335272 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.01_G.fls bs=1 seek=2332892 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.02_G.fls bs=1 seek=2333496 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.03_G.fls bs=1 seek=2333696 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.04_G.fls bs=1 seek=2333696 count=4 conv=notrunc
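An added checker, not code from the thread or from the quoted post, that applies the layout and byte sequence above to an image file: it cuts out the baseband region, requires the 12-byte sequence to occur exactly once, reports whether the four bytes after it are still the stock branch or have been zeroed, and counts how often the 4-byte tail occurs on its own (the ambiguity Number_41 hits further down). The little-endian reading of the length field at 0x20 and the synthetic sample image are assumptions, not facts from the post.

```python
import re
import struct

# Layout figures quoted in the post (ICE*.fls). Assumption: the length field
# at 0x20 is a little-endian u32 and its value minus 0x20000 is the byte length.
SECPACK_OFF, SECPACK_LEN = 0x1a4, 0x800
BASEBAND_OFF = 0x209a4
LENGTH_OFF, LENGTH_BIAS = 0x20, 0x20000
ADDR_TO_FILE = BASEBAND_OFF - LENGTH_BIAS   # 0x9a4, the term used in the table

# The 12-byte sequence from the post, followed in stock images by 02 00 00 1a.
# Read as little-endian ARM: MOV r9,#0xff / AND r0,r0,#0xff / CMP r0,#2 / BNE +2.
SIG = bytes.fromhex("ff90a0e3ff0000e2020050e3")
STOCK_TAIL = bytes.fromhex("0200001a")   # BNE over the next two instructions
PATCHED_TAIL = bytes(4)                  # 00000000 = ANDEQ r0,r0,r0, a no-op

def parse_fls(data: bytes):
    """Return (secpack, baseband) slices using the offsets quoted in the post."""
    (raw_len,) = struct.unpack_from("<I", data, LENGTH_OFF)
    bb_len = raw_len - LENGTH_BIAS
    return (data[SECPACK_OFF:SECPACK_OFF + SECPACK_LEN],
            data[BASEBAND_OFF:BASEBAND_OFF + bb_len])

def find_all(hay: bytes, needle: bytes):
    """Offsets of every (non-overlapping) occurrence of needle in hay."""
    return [m.start() for m in re.finditer(re.escape(needle), hay)]

def patch_file_offset(image_addr: int) -> int:
    """The table's rule: fls offset = 0x9a4 + baseband address (0x238150 -> 0x238af4)."""
    return ADDR_TO_FILE + image_addr

def check_image(data: bytes) -> dict:
    """Locate the check and report whether its branch is stock, zeroed or unknown."""
    _, bb = parse_fls(data)
    hits = find_all(bb, SIG)
    tail_only = len(find_all(bb, STOCK_TAIL))   # how ambiguous the 4-byte tail is alone
    if len(hits) != 1:
        return {"status": "no-unique-match", "matches": len(hits), "tail_only": tail_only}
    branch = hits[0] + len(SIG)
    tail = bb[branch:branch + 4]
    status = {STOCK_TAIL: "stock", PATCHED_TAIL: "patched"}.get(tail, "unknown")
    return {"status": status, "file_offset": BASEBAND_OFF + branch, "tail_only": tail_only}

def build_sample(tail: bytes) -> bytes:
    """Constructed stand-in for an .fls: zero header, length field, small baseband blob."""
    bb = bytearray(0x100)
    bb[0x10:0x14] = STOCK_TAIL      # stray BNE: the tail alone is a common instruction
    bb[0x40:0x4c] = SIG
    bb[0x4c:0x50] = tail
    hdr = bytearray(BASEBAND_OFF)
    struct.pack_into("<I", hdr, LENGTH_OFF, len(bb) + LENGTH_BIAS)
    return bytes(hdr + bb)
```

Run `check_image(open("ICE04.05.04_G.fls", "rb").read())` on a real image to see whether its branch is stock or already zeroed; the reported file offset is the one the dd commands seek to.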
pogramci
07-22-2008, 03:06 PM
Thanks, great job. You have perfect hardware skills. :)
Hey bro :) Nice work done, respectable hardware skills.
JuniorJack
07-22-2008, 03:32 PM
Hi,
Great job! Can you please post a hi-res picture of the cleaned PCB? Is any of the flash bus exposed, or is it all routed in an internal layer?
BR
crispain
07-22-2008, 06:56 PM
Thanks TA!
Nice pics
Number_41
07-22-2008, 07:24 PM
What I was waiting for.
As always, job well done
Cheers, GSMVN
N41
iHack
07-22-2008, 08:59 PM
Very sexyyy
sweet pics
Number_41
07-22-2008, 09:11 PM
dd if=/dev/zero of=ICE04.05.04_G.fls bs=1 seek=2333696 count=4 conv=notrunc
so edit it and then load it back up?
I tried searching for that and it wasn't found
EDIT:
OK, I found 02 00 00 1a
based on TA's post
we should just be able to change these to all 0's
the problem is that I find this string many times over
so who knows which one is the right one
N41
bezman
07-22-2008, 09:23 PM
great work ta_mobile
but I can't believe you sacrificed a white 16GB :P
keep us up to date on your progress with a hardware or software unlock :)
speedy523
07-22-2008, 09:24 PM
dd if=/dev/zero of=ICE04.05.04_G.fls bs=1 seek=2333696 count=4 conv=notrunc
so edit it and then load it back up?
I tried searching for that and it wasn't found
N41
Isn't "ICE04.05.04_G.fls" the 2.0 baseband for the 2G? The baseband for 2.0 on the 3G is 1.45.00, so searching for the offsets listed won't apply, since the baseband for 2.0 3G was just dumped and its offsets aren't listed. Someone correct me if I'm wrong, please.
ta_mobile
07-22-2008, 09:27 PM
dd if=/dev/zero of=ICE04.05.04_G.fls bs=1 seek=2333696 count=4 conv=notrunc
so edit it and then load it back up?
I tried searching for that and it wasn't found
EDIT:
OK, I found 02 00 00 1a
based on TA's post
we should just be able to change these to all 0's
N41
this BB is 1.45.00 bro :) will be more differences ...
jsalva
07-22-2008, 09:31 PM
very good news indeed.
Number_41
07-22-2008, 09:37 PM
Care to elaborate? hahaha
N41 :)
enkrypt3d
07-22-2008, 09:41 PM
yea we would have to figure out what to look for instead of " ff 90 a0 e3 ff 00 00 e2 02 00 50 e3" it would be something else... :hack::hack::hack:
speedy523
07-22-2008, 09:56 PM
yea we would have to figure out what to look for instead of " ff 90 a0 e3 ff 00 00 e2 02 00 50 e3" it would be something else... :hack::hack::hack:
Yup, we'd need to find the new sequence that only occurs once and is the right one to unlock the baseband. And if I'm not wrong, wouldn't it be easier when the next firmware for the 3G comes out? Searching for “ff 90 a0 e3 ff 00 00 e2 02 00 50 e3” applied to all the basebands for the 2G, if I'm not mistaken, so if we compare two firmwares and look for the same byte sequence that only occurs once in both firmwares, won't we find the unlock?
Doktaphex
07-22-2008, 10:40 PM
could anyone email me the dump file? I have a lot of spare time on my hands at the moment and helping the cause would make me feel happy. PM me if you have it.
JuniorJack
07-22-2008, 11:00 PM
dd if=/dev/zero of=ICE04.05.04_G.fls bs=1 seek=2333696 count=4 conv=notrunc
so edit it and then load it back up? ff 90 a0 e3 ff 00 00 e2 02 00 50 e3
I tried searching for that and it wasn't found
EDIT:
OK, I found 02 00 00 1a
based on TA's post
we should just be able to change these to all 0's
the problem is that I find this string many times over
so who knows which one is the right one
N41
Hi,
It is possible that the baseband is compiled from completely new sources. The security scheme could be changed as well. Did anyone confirm that the CPU is 100% the same as in the old iPhone?
BTW, I would like to have a look at the flash dump. Sent a PM to ta_mobile.
BR, Alex
skr3dii
07-23-2008, 12:18 AM
TA, any chance you can dump the hardware AES key used to decrypt KBAG of IMG3 files ???
ChronicProductions
07-23-2008, 01:03 AM
TA, any chance you can dump the hardware AES key used to decrypt KBAG of IMG3 files ???
*facepalm* meh, close enough :)
TA_Mobile, please check your private messages. It may be a better method that I described to you, if you do know a carrier, rather than hardware-dumping them like a badass hax0r :)
Number_41
07-23-2008, 01:52 AM
Someone call them up
http://www.infineon.com/cms/en/corporate/press/news/releases/2006/170186.html
N41
speedy523
07-23-2008, 02:20 AM
Someone call them up
http://www.infineon.com/cms/en/corporate/press/news/releases/2006/170186.html
N41
we must enter the Matrix N41 :D
What I really like about TA_Mobile is that he always does his thing and keeps the rest of us in the loop (even if most of us don't understand what he's doing).
This time around it feels like the community isn't a part of the project. I'm not sure about everyone else but on the 1.1.4 unlock I felt involved enough to check the forums every hour.
Now I kinda check the Dev blog and Geohot's site every day and the forums only for fun.. not for unlocking.
Kinda sad in my opinion. I would love to feel more involved and to see more information around these forums (unlock-wise information).
Just my two cents.
ChronicProductions
07-23-2008, 06:19 AM
What exactly do you mean when you say 'involved'?
thieu_bocap
07-23-2008, 11:03 AM
great work ta_mobile
but I can't believe you sacrificed a white 16GB :P
keep us up to date on your progress with a hardware or software unlock :)
http://gsm.com.vn/thieu_bocap/dump/gsmvn07.jpg
:p:p:p
ShawnMcS
07-23-2008, 12:59 PM
What exactly do you mean when you say 'involved'?
I think he means that it's really quiet here on the 3G unlocking front. Last time, people working on this project posted news and stuff. This time there is not even a real thread which deals with the 3G unlock, and nobody (except for the dev members maybe) knows what the progress on this is. I would like to know too, so what's the status of this thing?
ta_mobile
07-23-2008, 02:29 PM
The file has come into the hands of the Dev Team. I'll not give it to anyone else who is not known to be involved in the hacking process. And all of them are researching this.
And one piece of bad news: as Geohot posted on his blog, bootloader 5.8 does not have any exploit until now. And Apple changed the whole way the bootrom sig-checks the bootloader. We are hitting the wall !!!
Thank you very much for being interested in our bloody job :D
stonefred
07-23-2008, 03:08 PM
Why search for a bootloader exploit if you have a preboot exploit and can make it fakeblank?
I think he means that it's really quiet here on the 3G unlocking front. Last time, people working on this project posted news and stuff. This time there is not even a real thread which deals with the 3G unlock, and nobody (except for the dev members maybe) knows what the progress on this is. I would like to know too, so what's the status of this thing?
What I meant was that back in the 1.1.4 OOTB unlock people were posting all sorts of attempts, some people took the time to explain what each attempt was based on, what the problems were (like waiting for the new secpack), and all the action ended up getting to the forums at some point.
This time the Dev Team is working (which is great, don't get me wrong) and Geohot seems to be doing his thing (when he gets info).
But as far as the community goes, the fight between Geohot/Zibri/Dev-Team/Iphone-Elite and someone else I might have forgotten just made the whole scene "undercover" and we (the regular guys who aren't in any team but could give some ideas) were left out of the loop.
If you check out some dev wikis on the net about unlocking the iPhone you'll see that there's a lot of info about 1.1.2 and 1.1.4 OOTB, but as far as 2.0 goes the info is very limited.
This could be good for the Dev-Team because they won't have people stealing their exploits and releasing half-ready tools that could potentially hurt people's phones but for me (personally) it's now only a matter of waiting for a release instead of trying to help in any way I can.
Mind you that I don't even have a 3G in my hands yet but I would love to throw some ideas around.
Have fun!
:hack:
dtube
07-23-2008, 07:43 PM
For people who have been asking Ta_mobile for more pictures, he asked me to post them here for you.
He also asked that users please refrain from sending emails.
He is inundated with things and cannot reply to every message.
http://i293.photobucket.com/albums/mm62/dtube1/full%20dump/IMG00062copy.jpg
http://i293.photobucket.com/albums/mm62/dtube1/full%20dump/IMG00068copy.jpg
speedy523
07-23-2008, 08:02 PM
What I meant was that back in the 1.1.4 OOTB unlock people were posting all sorts of attempts, some people took the time to explain what each attempt was based on, what the problems were (like waiting for the new secpack), and all the action ended up getting to the forums at some point.
This time the Dev Team is working (which is great, don't get me wrong) and Geohot seems to be doing his thing (when he gets info).
But as far as the community goes, the fight between Geohot/Zibri/Dev-Team/Iphone-Elite and someone else I might have forgotten just made the whole scene "undercover" and we (the regular guys who aren't in any team but could give some ideas) were left out of the loop.
If you check out some dev wikis on the net about unlocking the iPhone you'll see that there's a lot of info about 1.1.2 and 1.1.4 OOTB, but as far as 2.0 goes the info is very limited.
This could be good for the Dev-Team because they won't have people stealing their exploits and releasing half-ready tools that could potentially hurt people's phones but for me (personally) it's now only a matter of waiting for a release instead of trying to help in any way I can.
Mind you that I don't even have a 3G in my hands yet but I would love to throw some ideas around.
Have fun!
:hack:
I remember the hardware unlock for 1.1.2, the steps being released as geohot was doing it himself, everyone trying at the same time. Mostly, just accomplishing it was a lot more satisfying than pressing a button in BootNeuter and waiting for the unlock. The good ole days :hack:
JuniorJack
07-23-2008, 08:51 PM
The file has come into the hands of the Dev Team. I'll not give it to anyone else who is not known to be involved in the hacking process. And all of them are researching this.
Hi,
Fair enough. It's your work/investment/effort. We understand you want to keep it.
Wish you best of luck.
Regards
ChronicProductions
07-23-2008, 08:58 PM
The file has come into the hands of the Dev Team. I'll not give it to anyone else who is not known to be involved in the hacking process. And all of them are researching this.
And one piece of bad news: as Geohot posted on his blog, bootloader 5.8 does not have any exploit until now. And Apple changed the whole way the bootrom sig-checks the bootloader. We are hitting the wall !!!
Thank you very much for being interested in our bloody job :D
TA_Mobile. Please read my PM. I really do not like to see iPhones getting sacrificed and my solution will prevent that.
ChronicProductions
07-23-2008, 09:04 PM
Also, although it is yours to share, I strongly urge you to release it. No pressure, but the only other method of getting the bootloader... well... if it is distributed, let's just say some Apple employees are going to get fired....
neonkoala
07-24-2008, 12:33 AM
I know Chronic and a few others are putting a fair amount of effort into their own iphone reversing so I would second sending a copy to him. Their work so far has been good.
mfleigle
07-24-2008, 02:39 AM
Yup, we'd need to find the new sequence that only occurs once and is the right one to unlock the baseband. And if I'm not wrong, wouldn't it be easier when the next firmware for the 3G comes out? Searching for “ff 90 a0 e3 ff 00 00 e2 02 00 50 e3” applied to all the basebands for the 2G, if I'm not mistaken, so if we compare two firmwares and look for the same byte sequence that only occurs once in both firmwares, won't we find the unlock?
Isn't there already two different fws for the 3G? I thought if you restored a 3G it updated to a slightly higher firmware? I know nothing about what this thread is about (except that Ta_mobile took apart a white 3G and learned something previously unknown about the BL). God, I have been waiting for ten days for my 3G to come in (it's backordered from AT&T), and here you are disassembling one ;) I just may cry :) lol
geohot__
07-24-2008, 02:47 AM
Um, I found the sequence. But you can't upload it. And even if you could, you have runtime sig checks. And even if you patch them out, it still doesn't run because the bootloader is sig checked.
What everyone can do to help is find a way to dump running memory. We need a copy of that bootrom.
Number_41
07-24-2008, 05:01 AM
You know we can't spread this around.... people's livelihoods are on the line.....
N41
ChronicProductions
07-24-2008, 06:09 AM
You know we can't spread this around.... people's livelihoods are on the line.....
N41
If you are referring to the dump, it is the only method of getting one that is not watermarked by Apple. Although it may be messy, the fact remains that people's jobs are on the line for any other method of getting the bootloader :)
dtube
07-24-2008, 07:58 AM
.......Ta_mobile took apart a white 3G and learned something previously unknown about the BL). God, I have been waiting for ten days for my 3G to come in (it's backordered from AT&T), and here you are disassembling one ;) I just may cry :) lol
You can cry harder, because he did not disassemble just one :)
mfleigle
07-24-2008, 07:59 PM
You can cry harder, because he did not disassemble just one :)
I just realized that :(, but now I am hearing the delay is 13 ~ 14 days, so I will get mine Monday or Tuesday :) so after I get mine I don't care who ruins rare iPhones for the unlocking process :)
dtube
07-24-2008, 11:22 PM
Who said anything about a ruined rare iPhone 3G :)?
He can put it back together and use it (I think he did).
My hat's off to TA. He's willing to risk it all.
Xcelerate
08-08-2008, 05:36 AM
If you are referring to the dump, it is the only method of getting one that is not watermarked by Apple. Although it may be messy, the fact remains that people's jobs are on the line for any other method of getting the bootloader :)
Just out of curiosity, but how can any method to get the bootloader put someone's job at stake?
)law(
08-08-2008, 07:26 AM
Just out of curiosity, but how can any method to get the bootloader put someone's job at stake?
Bootloader = possible unlock
Possible unlock = money out of AT&T's and maybe Apple's pockets
Messing with either AT&T's or Apple's money = the workers who made the exploit by accident end up in one of those head-cut-off videos O:)
You get what I am saying.
Xcelerate
08-08-2008, 05:10 PM
Wouldn't their jobs still be at stake whether the bootloader was obtained from a flash dump or from any other method??
ChronicProductions
08-08-2008, 05:11 PM
It's not really like that, I am not allowed to say... but I did like lawl's hypothesis :P