» February 19th, 2009
Notes on a 1.1.2 OTB Software Unlock
I don't see it happening anytime soon. The old exploits aren't there anymore. The hope would be finding an exploit in the new baseband code itself to run a large amount of code. But I think the bootloader is pretty well locked down.
First of all, downgrading the bootloader from software is out of the question. The bootrom exploit runs before the current bootloader, so it can access the bootloader. But when the bootloader boots, it locks down its sections of flash. So after the bootloader runs, the bootloader can't be touched.
Secondly, the only secpack that validates on 4.6 is >= 1.1.3. They made a change to the format of the secpack so the older ones don't validate. So if we looked for an exploit in the baseband itself, it would have to be on post 1.1.2.
Firmware is verified as it is uploaded, and this is what IPSF and AnySim take advantage of. The old bootloader just relied on waiting for the sig to validate before writing the first 0x400 bytes, which are the start vector. The new bootloader also needs the "secpack" in 0x3c0000 to not validate. So we would have to find an exploit which can write the first 0x400 and erase 0x3c0000.
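The verify-as-you-upload rule in that paragraph, modelled in C as an added example (this is not code from the post, from Infineon or from any unlock tool): the body of the image is committed to NOR as it streams in, but the start vector (the first 0x400 bytes) is parked in RAM and only written once the signature over the whole image checks out. The 0x1000-byte image size, the FNV-1a digest standing in for the RSA signature, the 0xFF erased-flash value and every function name are assumptions for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: firmware is checked as it is uploaded and the first 0x400
 * bytes (the start vector) are only written once the signature over the whole
 * image validates. Image size, the digest standing in for RSA and all names
 * here are assumptions for the example, not the bootloader's own code. */
#define START_VECTOR_LEN 0x400u
#define IMAGE_LEN        0x1000u   /* assumed image size */
#define BLANK            0xFFu     /* assumed: erased NOR reads back as 0xFF */

typedef struct { uint8_t nor[IMAGE_LEN]; } baseband_t;

#define FNV_INIT  0x811C9DC5u
#define FNV_PRIME 0x01000193u

/* Signer side: digest over the full image (stand-in for producing an RSA sig). */
uint32_t image_digest(const uint8_t *p, size_t n) {
    uint32_t h = FNV_INIT;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= FNV_PRIME; }
    return h;
}

void baseband_erase(baseband_t *bb) { memset(bb->nor, BLANK, IMAGE_LEN); }

/* Bootloader side: body bytes go to NOR as they arrive; the start vector is held
 * back in RAM and committed only after the running digest matches `sig`. */
bool upload_firmware(baseband_t *bb, const uint8_t *img, size_t len, uint32_t sig) {
    uint8_t held[START_VECTOR_LEN];
    uint32_t h = FNV_INIT;
    if (len != IMAGE_LEN) return false;
    for (size_t i = 0; i < len; i++) {
        h ^= img[i]; h *= FNV_PRIME;            /* running digest of the stream */
        if (i < START_VECTOR_LEN) held[i] = img[i];
        else bb->nor[i] = img[i];
    }
    if (h != sig) return false;                /* body is in NOR, but no entry point */
    memcpy(bb->nor, held, START_VECTOR_LEN);   /* commit the start vector last */
    return true;
}

/* The baseband can only boot if the start vector is present (not still erased). */
bool baseband_bootable(const baseband_t *bb) {
    for (size_t i = 0; i < START_VECTOR_LEN; i++)
        if (bb->nor[i] != BLANK) return true;
    return false;
}

/* Constructed sample image: a deterministic byte pattern. */
static void sample_image(uint8_t *buf) {
    for (size_t i = 0; i < IMAGE_LEN; i++) buf[i] = (uint8_t)(i * 7 + 1);
}

/* Returns 1 if a correctly signed upload leaves the device bootable,
 * 0 if a tampered signature leaves the body in NOR but the device unbootable,
 * and -1 for any other outcome. */
int demo_upload(bool tamper_sig) {
    uint8_t img[IMAGE_LEN];
    baseband_t bb;
    sample_image(img);
    baseband_erase(&bb);
    uint32_t sig = image_digest(img, IMAGE_LEN) ^ (tamper_sig ? 1u : 0u);
    bool ok = upload_firmware(&bb, img, IMAGE_LEN, sig);
    bool body_written = bb.nor[IMAGE_LEN - 1] == img[IMAGE_LEN - 1];
    if (ok && baseband_bootable(&bb)) return 1;
    if (!ok && body_written && !baseband_bootable(&bb)) return 0;
    return -1;
}
```

The design point is the ordering: a rejected image leaves its body in flash but nothing to jump to, which is why the post frames the problem as needing both a write of the first 0x400 bytes and an erase of the secpack, not just one of them.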
The IPSF unlock itself uses an RSA hack in bootloader 3.9. This has been thoroughly patched in 4.6.
Also, even if we found a way to brute force the NCKs in sane time, we can't get the data to do the brute force off 4.6. The only hope here is to find the Apple algorithm used to generate the NCK. I don't think this is possible, unless we have an insider in Apple :)
I hope I am wrong, and some ingenious person will come along with a software unlock.
» February 19th, 2009
Scream...
Congrats to the dev team for finding the last exploit in the S5L. We may not agree on many things, but I certainly respect your skills. Pwnage uses an incredible exploit actually at the DFU level, which means it's locked into the hardware. I have managed to reproduce the exploit, but in no way understand it. I can't speak for your thinking. This is akin to finding a soft-exploitable exploit in the bootrom of the baseband.
Apple attempted to cover it up by having the new WTF downloaded as soon as iTunes sees the phone (0x1227) vs DFU (0x1222). I thought they might be covering an exploit but then just figured they didn't want the iBoots unencrypted. Good thing dev looked closer.
Also it's unlikely they left the LLB unsigchecked in the 3G. They have all the code in the DFU to sig check, they just don't call it.
This is also great news for iphonelinux. We'll be able to boot code without the need for any of Apple's copyrighted software (and maybe without their cert).
Today is a good day for iPhone.
» February 19th, 2009
Infineon, we have a problem
The 3G bootloader is sig checked by the bootrom. So even removing the NOR and patching the bootloader (to remove main fw sig checks) and main firmware doesn't work for an unlock. Big thanks to TA_Mobile for dumping the NOR and confirming this. You have some real skills. The X-Gold 608 is the chip used. The lame "datasheet" Infineon gives us shows the hardware RSA and the secure bootrom. So we have a real problem. Even if we find an unsigned code exploit, which wasn't done for the previous two bootloaders in software (we found tricks to play with the NOR), we still can't unlock.
Even though the bootloader isn't easy to download, there's really nothing here. This bootloader doesn't have any of the interactive mode functions, just a stub which is very similar to the old bootrom (but with sig checking). The interactive loader is tacked on to the end of every fls and eep file, and is loaded at 0x86000. BBUpdaterExtreme contains various ramloaders as well, but I doubt the one used is from the firmware file itself. You do not need the bootloader to work on the baseband, you just need the files off the ramdisk. Also interesting to note, the 2 RSA keys the bootloaders use haven't changed since 3.9 or 4.6. So you have these too.
Killing CommCenter on 2.0 kills the wi-fi, which will make working with the baseband a bit harder. Entering interactive mode is now done with a call to the kernel to raise an I/O pin before resetting.
The first step to tackling this is dumping the bootrom. We need any exploit, I don't care where, to dump arbitrary memory. Then we can dump 0x400000, which is the new "secure" bootrom.
» March 8th, 2009
11246unlock, good enough for the prize
OMG. Updated to be more idiot proof and the winner of the 11246unlock contest. Full software unlock of 1.1.2; the impossible (or at least I said so). Here it is; instructions are in the bundle. I guess I really am a pretty good reverser ;-)
ZiPhone is a collection of others' work. It copies a new fstab for write access to system, runs iPatcher to patch lockdownd, copies installer, and runs my program to unlock. It is a good way to recover from most problems, and even jailbreak 1.1.3. My program is just patched to change the default IMEI (0049) to the user-entered IMEI; although I would strongly advise against changing your IMEI. The exploit he uses runs an unsigned ramdisk with all these programs. This is the best way to jailbreak; and I had been imagining this for a long time, I just didn't have the exploit. This ramdisk exploit was stolen from the dev team, so be careful who you give credit to.
Well, the impossible task has been done. This has absolutely *nothing* to do with JerrySim or any elite/dev/zibri etc project. I'll start with a little story. Yesterday I was really pissed off. So I figured I'd channel my anger toward something productive; I don't know, something like a 1.1.2 software unlock. I knew the odds were against me, but I figured I'd try anyway. At about 1 last night, I hardware "upgraded" a 3.9 phone to 4.6 with the bootrom locations blank, the read command patched to work, and a 0x102 read arbitrary memory command.
The first exploit I found, at around 4 AM last night, was the -0x20000 exploit. Just like the -0x400 exploit, but -0x20000. Go figure. I guess Apple thought big numbers were harder to guess. I was really pumped up, hence the blog post. But that wasn't even half the battle.
Like I said in the "impossible task" post, 0x3C0000 can't have a valid secpack to allow booting. I spent the next 16 hours finding a way to do this. I can already write unsigned to the main fw section, all I need is a way to erase the secpack. My first thought was the eeprom secpack; download the eeprom, endpack it, and the secpack is erased because the eeprom is "clean". But you can't download an eeprom secpack until the 0x3C0000 is blank. My next thought was that the bl must erase the secpack before writing it. So a simple timing attack should do it. It turns out that no secpacks, even the European one, will write.
I finally found a working exploit about 23 hours into my search for the software unlock. The explicit addresses 0xA03D0000-0xA03F0000 will always erase. This exploit relied on two things: the secaddrs are copied before the secpack is validated (stupid), and the erase command extends the range to whatever is in the secpack. So I tell it to erase 0xA03D0000-0xA03F0000, the erase command sees 0xA03C0000 to 0xA03F0000 in the secpack; BOOM, secpack erased.
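The erase-command bug described in that paragraph, modelled in C as an added example (not code from the post, from Infineon or from the bootloader): a flawed handler copies the secpack's address range out before the secpack is checked and then widens the caller's request to that range, so the request for 0xA03D0000-0xA03F0000 grows to cover the secpack's own sector at 0xA03C0000; the hardened handler next to it validates first, requires the request to be a subset of the authorised range, and keeps the secpack sector out of reach. The addresses are the post's; the 4 MiB flash, 64 KiB sectors, the constant tag standing in for the RSA signature, and every name here are assumptions for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Addresses are the ones the post gives: secpack at 0xA03C0000, erase request
 * 0xA03D0000-0xA03F0000. The flash size, sector size, the tag standing in for
 * the RSA signature and all function names are assumptions for this model. */
#define FLASH_BASE    0xA0000000u
#define FLASH_END     0xA0400000u
#define SECTOR        0x00010000u
#define SECPACK_ADDR  0xA03C0000u
#define NSECTORS      ((FLASH_END - FLASH_BASE) / SECTOR)
#define GOOD_TAG      0x5EC9AC4Bu      /* constructed "signature valid" marker */

typedef struct {
    uint32_t sec_start;   /* range the secpack authorises for erase/write (the "secaddrs") */
    uint32_t sec_end;     /* exclusive */
    uint32_t tag;         /* stand-in for the RSA signature over the two fields above */
} secpack_t;

typedef struct {
    bool erased[NSECTORS];
    secpack_t secpack;    /* contents of the sector at SECPACK_ADDR */
} flash_t;

static bool secpack_validate(const secpack_t *sp) {   /* stand-in for RSA verify */
    return sp->tag == GOOD_TAG && sp->sec_start < sp->sec_end;
}

static size_t sector_of(uint32_t addr) { return (addr - FLASH_BASE) / SECTOR; }

static void raw_erase(flash_t *f, uint32_t start, uint32_t end) {
    for (uint32_t a = start; a < end; a += SECTOR) {
        f->erased[sector_of(a)] = true;
        if (a == SECPACK_ADDR)
            memset(&f->secpack, 0, sizeof f->secpack);   /* blank sector: no secpack */
    }
}

/* Flawed handler, modelling the order the post describes: the secaddrs are
 * copied before the secpack is checked, and the caller's range is widened. */
bool erase_cmd_flawed(flash_t *f, uint32_t req_start, uint32_t req_end) {
    uint32_t lo = f->secpack.sec_start, hi = f->secpack.sec_end;   /* copy first */
    if (!secpack_validate(&f->secpack)) return false;               /* check second */
    if (lo < req_start) req_start = lo;        /* extend, never restrict */
    if (hi > req_end)   req_end   = hi;
    raw_erase(f, req_start, req_end);
    return true;
}

/* Hardened handler: validate before reading a single field, require the request
 * to be a sector-aligned subset of the authorised range, and keep the secpack's
 * own sector out of reach of a firmware-update erase. */
bool erase_cmd_hardened(flash_t *f, uint32_t req_start, uint32_t req_end) {
    if (!secpack_validate(&f->secpack)) return false;
    uint32_t lo = f->secpack.sec_start, hi = f->secpack.sec_end;   /* copy after */
    if (req_start >= req_end || req_start < FLASH_BASE || req_end > FLASH_END) return false;
    if (req_start % SECTOR || req_end % SECTOR) return false;
    if (req_start < lo || req_end > hi) return false;              /* subset only */
    if (req_start <= SECPACK_ADDR && SECPACK_ADDR < req_end) return false;
    raw_erase(f, req_start, req_end);
    return true;
}

/* Constructed state: a valid secpack authorising 0xA03C0000-0xA03F0000, as in the post. */
static void flash_init(flash_t *f) {
    memset(f, 0, sizeof *f);
    f->secpack.sec_start = 0xA03C0000u;
    f->secpack.sec_end   = 0xA03F0000u;
    f->secpack.tag       = GOOD_TAG;
}

/* Issues the post's erase request through `cmd` and reports whether the
 * secpack sector is still intact afterwards. */
bool secpack_survives(bool (*cmd)(flash_t *, uint32_t, uint32_t)) {
    flash_t f;
    flash_init(&f);
    cmd(&f, 0xA03D0000u, 0xA03F0000u);
    return !f.erased[sector_of(SECPACK_ADDR)] && secpack_validate(&f.secpack);
}

/* True if the hardened handler refuses the given range on a freshly initialised flash. */
bool hardened_rejects(uint32_t start, uint32_t end) {
    flash_t f;
    flash_init(&f);
    return !erase_cmd_hardened(&f, start, end);
}
```

The two checks that matter are independent: validating before copying stops an unverified table from steering the command, and treating the secpack's range as an upper bound (intersection) rather than a default (union) stops a perfectly valid secpack from authorising its own erasure.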
The third minor problem was the full range check of 1.1.3. So use 1.1.2 :) This allows full unsigned code execution; it is a relatively simple matter of patching the bootloader to skip the range check. And while you are at it, patch the bootloader to validate all tokens. IPSF style unlock w/o touching the seczone.
So, that's 24hrs to a software unlock; with about 3hrs of sleep in two segments. I am disappointed in the elite/dev team for not finding this; or even looking here. I know not everyone in elite/dev is so closed, and I feel bad for those people. Why don't we all just share everything? Apple will patch it anyway. They always have the upper hand. And whatever happened to the dev wiki?
If you were donating money to the "dev team" for this software unlock, why not give it to the people who actually found the exploits and implemented them?