Difference between revisions of "Talk:XMM6180"

From The iPhone Wiki
Jump to: navigation, search
(fixed link)
m (Flash Possibility: link fixes)
 
(24 intermediate revisions by 8 users not shown)
Line 1: Line 1:
  +
== Flash Possibility ==
  +
Okay, so hypothetically speaking, if I flashed my baseband to [[01.59.00]] from [[03.10.01]] while my phone is on 4.2.1 (ONLY 4.2.1 [[SHSH]] IS AVAILABLE), it would enter the boot loop because the baseband doesnt meet the requirements for [[iOS]] 4.2.1. I am willing to try and flash my baseband in an attempt to downgrade and use [[ultrasn0w]]. And if the downgrade was to work and I restored it to a pwned 4.2.1 fw where the baseband update would be neglected, would the boot loop occur? [[User:Leobruh|Leobruh]] 01:20, 10 February 2011 (UTC)!
  +
:You can't flash baseband [[01.59.00]]; Apple's not signing it anymore. --[[User:Dialexio|<span style="color:#C20; font-weight:normal;">Dialexio</span>]] 02:47, 10 February 2011 (UTC)
  +
:Well look at [http://tysiphonehelp.com/forum/showthread.php?7908-Manually-flash-iphone-to-05.11.07-baseband this]. I don't know whether or not this could be done to the [[N90AP|iPhone 4]] but it proves that a manual flash can be used so long as you have the proper firmware ipsw available. I mean if this is possible for the [[N90AP|iPhone 4]], then I will do it without a doubt. [[User:Leobruh|Leobruh]] 04:05, 10 February 2011 (UTC)!
  +
::Um, that is for the iPhone 3G/3GS basebands. That probably wont work on the [[N90AP|iPhone 4]]. For those devices, Apple didn't sign the baseband, so a manual flash was possible (going up version #'s). Downgrading required one to have the 5.8 bootloader iPhone 3G. Sorry to burst your bubble, but you are mistaken. --[[User:Gamer765|Gamer765]] 04:28, 10 February 2011 (UTC)
  +
:::Word I got you bro, haha I wish it would be easier I have had an i4 for almost 2 months with the carrier lock. I will keep waiting sooner or later it will come out. [[User:Leobruh|Leobruh]] 20:43, 10 February 2011 (UTC)!
  +
 
== Device for iPhone 4 ==
 
== Device for iPhone 4 ==
  +
Are we sure this is the baseband? The infineon spec-sheet says "HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps". At the keynote Steve mentioned 5.8Mbps HSUPA. --[[User:Iemit737|Iemit737]] 19:26, 21 June 2010 (UTC)
 
  +
:Running "string" on the new baseband files shows "XGold 618" multiple times. --[[User:Miketress|Miketress]] 19:35, 21 June 2010 (UTC)
Are we sure this is the baseband?
 
  +
::Ok, awesome. Thanks for finding this so quickly! [[User:Iemit737|Iemit737]] 19:50, 21 June 2010 (UTC)
 
  +
:::Very unlikely it's the 618 after looking at the spec sheet.
The infineon spec-sheet says "HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps".
 
  +
In case anyone is interested, [http://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a39470bb00555 X-Gold 616 spec sheet], [https://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a3948dc76055b X-Gold 618 spec sheet]. --[[User:D235j|D235j]] 21:43, 22 June 2010 (UTC)
 
  +
::::Actually, it's the XMM 6180. ebl.fls says so. --[[User:Oranav|oranav]] 21:56, 22 June 2010 (UTC)
At the keynote Steve mentioned 5.8Mbps HSUPA.
 
[[User:Iemit737|Iemit737]] 19:26, 21 June 2010 (UTC)
 
 
Running "string" on the new baseband files shows "XGold 618" multiple times.
 
--[[User:Miketress|Miketress]] 19:35, 21 June 2010 (UTC)
 
 
Ok, awesome. Thanks for finding this so quickly! [[User:Iemit737|Iemit737]] 19:50, 21 June 2010 (UTC)
 
 
 
Very unlikely it's the 618 after looking at the spec sheet.
 
In case anyone is interested, [http://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a39470bb00555 | X-Gold 616 spec sheet], [https://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a3948dc76055b | X-Gold 618 spec sheet].
 
[[User:D235j|D235j]] 21:43, 22 June 2010 (UTC)
 
 
Actually, it's the XMM 6180. ebl.fls says so. --[[User:Oranav|oranav]] 21:56, 22 June 2010 (UTC)
 
   
 
== Downgrade ==
 
== Downgrade ==
 
 
Anybody knows more about the bb downgrade signatures? Or how to backup them like the shsh certs? Or how to use the replay attack here? Actually this is more related to baseband firmware and not to this iPhone 4 hardware. [[User:http|http]]
 
Anybody knows more about the bb downgrade signatures? Or how to backup them like the shsh certs? Or how to use the replay attack here? Actually this is more related to baseband firmware and not to this iPhone 4 hardware. [[User:http|http]]
  +
:The baseband is signed with an [[AT+XNONCE]] which is a random string generated on every bootup. Therefore, it is not possible to cache the SHSH signatures with a replay attack. I think this info either belongs on this page because it is specific to its baseband or in a special section on [[Baseband Firmware]]. [[User:Iemit737|Iemit737]] 18:18, 16 July 2010 (UTC)
  +
::I think, why dont we save the signature for every random string? In that way, when your iPhone gives the same string, it will accept the saved signature of that string and accept changes in BB. --[[User:XiiiX|XiiiX]]
  +
:::For every random string? That would be millions of SHSH's for every phone. Impossible. Thea idea of a nonce is that it NEVER gives the same value. --[[User:Http|http]] 17:37, 19 February 2011 (UTC)
   
  +
::Ah, that's what [[User:MuscleNerd|MuscleNerd]] meant with [http://twitter.com/MuscleNerd/status/18667056119 "stricter signed"]. I also found [http://iphwn.org/nonce.txt this example]. And someone suggested to change iTunes to always send the same string. That would work, but BB wouldn't accept the response. My only idea would be to let BB generate (or store) the same string on every boot (I don't know how though). But even then we would have to backup the signatures at the time they were available. -- [[User:Http|http]] 23:11, 16 July 2010 (UTC)
The baseband is signed with an [[AT+XNONCE]] which is a random string generated on every bootup. Therefore, it is not possible to cache the SHSH signatures with a replay attack. I think this info either belongs on this page because it is specific to its baseband or in a special section on [[Baseband Firmware]]. [[User:Iemit737|Iemit737]] 18:18, 16 July 2010 (UTC)
 
  +
:::So how does TinyUmbrella give baseband protection ? ---Whiteshinyapple
 
  +
::::It manages to error out the signature for the baseband, that's why you get the 1004 error, not sure exactly how it's done but I'd assume that's how. ---OMEGA_RAZER
Ah, that's what [[User:MuscleNerd|MuscleNerd]] meant with [http://twitter.com/MuscleNerd/status/18667056119 "stricter signed"]. I also found [http://iphwn.org/nonce.txt this example]. And someone suggested to change iTunes to always send the same string. That would work, but BB wouldn't accept the response. My only idea would be to let BB generate (or store) the same string on every boot (I don't know how though). But even then we would have to backup the signatures at the time they were available. -- [[User:Http|http]] 23:11, 16 July 2010 (UTC)
 
  +
:::::I think there's not much to do. When hosts is pointing to Cydia, you also won't get baseband downgraded, even if it would work when pointing to real Apple server. Same should apply for upgrade. Maybe local TSS server from TinyUmbrella just handles error returns better, so that firmware up/downgrade doesn't fail - maybe it just returns an invalid certificate for the baseband, but returns 'ok'. --[[User:Http|http]] 11:08, 9 September 2010 (UTC)
 
So how does TinyUmbrella give baseband protection ? ---Whiteshinyapple
 
   
  +
== Using Replay-attack ==
It manages to error out the signature for the baseband, that's why you get the 1004 error, not sure exactly how it's done but I'd assume that's how. ---OMEGA_RAZER
 
  +
Can't we make the baseband send just one message to iTunes to, in that way, using replay-attack, downgrade the baseband? I mean, the baseband sends a random message to iTunes to allow the downgrade/upgrade, but it just allows when Apple is still signing the firmware. If we made the baseband send just one message, not a random, we could downgrade the baseband even if Apple is not signing anymore, of course if used a replay-attack. So, how can we make the baseband send just one message? --[[User:XiiiX|XiiiX]] 16:39, 14 August 2011 (MDT)
  +
:I feel like you'd have to edit the bbfw file... and so far, I've found no program that can read that code. Also, as an open question to everyone, how does Apple's baseband signing work?
  +
::SHSH Files? --[[User:5urd|5urd]] 19:13, 14 August 2011 (MDT)
  +
:Really? Damn... I don't read enough. Idea though... can we get access to the signature created at boot up?
  +
:[[04.11.08]] vuln can not be in the AT commands this time, can be? I tried to go through most of them using MiniCOM 2.2. Looks like there is nothing to get. Another thing, could the contents of [[AT+XNONCE]] be modified, so we get a constant output always? {{unsigned|Bpip4|19:31, January 30, 2012 MST}}
   
  +
== Adding wrong info here ==
I think there's not much to do. When hosts is pointing to Cydia, you also won't get baseband downgraded, even if it would work when pointing to real Apple server. Same should apply for upgrade. Maybe local TSS server from TinyUmbrella just handles error returns better, so that firmware up/downgrade doesn't fail - maybe it just returns an invalid certificate for the baseband, but returns 'ok'. -- [[User:Http|http]] 11:08, 9 September 2010 (UTC)
 
  +
{{main|Talk:MDM9x00#Adding wrong info here}}

Latest revision as of 09:33, 30 March 2017

Flash Possibility

Okay, so hypothetically speaking, if I flashed my baseband to 01.59.00 from 03.10.01 while my phone is on 4.2.1 (ONLY 4.2.1 SHSH IS AVAILABLE), it would enter the boot loop because the baseband doesnt meet the requirements for iOS 4.2.1. I am willing to try and flash my baseband in an attempt to downgrade and use ultrasn0w. And if the downgrade was to work and I restored it to a pwned 4.2.1 fw where the baseband update would be neglected, would the boot loop occur? Leobruh 01:20, 10 February 2011 (UTC)!

You can't flash baseband 01.59.00; Apple's not signing it anymore. --Dialexio 02:47, 10 February 2011 (UTC)
Well look at this. I don't know whether or not this could be done to the iPhone 4 but it proves that a manual flash can be used so long as you have the proper firmware ipsw available. I mean if this is possible for the iPhone 4, then I will do it without a doubt. Leobruh 04:05, 10 February 2011 (UTC)!
Um, that is for the iPhone 3G/3GS basebands. That probably wont work on the iPhone 4. For those devices, Apple didn't sign the baseband, so a manual flash was possible (going up version #'s). Downgrading required one to have the 5.8 bootloader iPhone 3G. Sorry to burst your bubble, but you are mistaken. --Gamer765 04:28, 10 February 2011 (UTC)
Word I got you bro, haha I wish it would be easier I have had an i4 for almost 2 months with the carrier lock. I will keep waiting sooner or later it will come out. Leobruh 20:43, 10 February 2011 (UTC)!

Device for iPhone 4

Are we sure this is the baseband? The infineon spec-sheet says "HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps". At the keynote Steve mentioned 5.8Mbps HSUPA. --Iemit737 19:26, 21 June 2010 (UTC)

Running "string" on the new baseband files shows "XGold 618" multiple times. --Miketress 19:35, 21 June 2010 (UTC)
Ok, awesome. Thanks for finding this so quickly! Iemit737 19:50, 21 June 2010 (UTC)
Very unlikely it's the 618 after looking at the spec sheet.

In case anyone is interested, X-Gold 616 spec sheet, X-Gold 618 spec sheet. --D235j 21:43, 22 June 2010 (UTC)

Actually, it's the XMM 6180. ebl.fls says so. --oranav 21:56, 22 June 2010 (UTC)

Downgrade

Anybody knows more about the bb downgrade signatures? Or how to backup them like the shsh certs? Or how to use the replay attack here? Actually this is more related to baseband firmware and not to this iPhone 4 hardware. http

The baseband is signed with an AT+XNONCE which is a random string generated on every bootup. Therefore, it is not possible to cache the SHSH signatures with a replay attack. I think this info either belongs on this page because it is specific to its baseband or in a special section on Baseband Firmware. Iemit737 18:18, 16 July 2010 (UTC)
I think, why dont we save the signature for every random string? In that way, when your iPhone gives the same string, it will accept the saved signature of that string and accept changes in BB. --XiiiX
For every random string? That would be millions of SHSH's for every phone. Impossible. Thea idea of a nonce is that it NEVER gives the same value. --http 17:37, 19 February 2011 (UTC)
Ah, that's what MuscleNerd meant with "stricter signed". I also found this example. And someone suggested to change iTunes to always send the same string. That would work, but BB wouldn't accept the response. My only idea would be to let BB generate (or store) the same string on every boot (I don't know how though). But even then we would have to backup the signatures at the time they were available. -- http 23:11, 16 July 2010 (UTC)
So how does TinyUmbrella give baseband protection ? ---Whiteshinyapple
It manages to error out the signature for the baseband, that's why you get the 1004 error, not sure exactly how it's done but I'd assume that's how. ---OMEGA_RAZER
I think there's not much to do. When hosts is pointing to Cydia, you also won't get baseband downgraded, even if it would work when pointing to real Apple server. Same should apply for upgrade. Maybe local TSS server from TinyUmbrella just handles error returns better, so that firmware up/downgrade doesn't fail - maybe it just returns an invalid certificate for the baseband, but returns 'ok'. --http 11:08, 9 September 2010 (UTC)

Using Replay-attack

Can't we make the baseband send just one message to iTunes to, in that way, using replay-attack, downgrade the baseband? I mean, the baseband sends a random message to iTunes to allow the downgrade/upgrade, but it just allows when Apple is still signing the firmware. If we made the baseband send just one message, not a random, we could downgrade the baseband even if Apple is not signing anymore, of course if used a replay-attack. So, how can we make the baseband send just one message? --XiiiX 16:39, 14 August 2011 (MDT)

I feel like you'd have to edit the bbfw file... and so far, I've found no program that can read that code. Also, as an open question to everyone, how does Apple's baseband signing work?
SHSH Files? --5urd 19:13, 14 August 2011 (MDT)
Really? Damn... I don't read enough. Idea though... can we get access to the signature created at boot up?
04.11.08 vuln can not be in the AT commands this time, can be? I tried to go through most of them using MiniCOM 2.2. Looks like there is nothing to get. Another thing, could the contents of AT+XNONCE be modified, so we get a constant output always? --The preceding unsigned comment was added by Bpip4 (talk) 19:31, January 30, 2012 MST. Please consult this page for more info on how to sign pages, and how to fix this.

Adding wrong info here

Main article: Talk:MDM9x00#Adding wrong info here