The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Baseband Device"
(→Exploits: yellowsn0w is not an exploit. added xlog) |
DanTheMann15 (talk | contribs) (Qualcomm Snapdragon X65M) |
||
(74 intermediate revisions by 22 users not shown) | |||
Line 1: | Line 1: | ||
− | + | the '''Baseband Device''' is the chipset that all [[iPhone|iPhones]] and cellular models of the [[List of Apple Watches|Apple Watch]], [[List of iPads|iPad]], [[List of iPad Airs|iPad Air]], [[List of iPad minis|iPad mini]], and [[List of iPad Pros|iPad Pro]] use that manages all the functions which require a cellular antenna. It has its own RAM and Firmware in NOR flash, separate from the [[ARM]] core resources. The baseband is a resource to the OS. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores it's MAC addresses in its NVRAM. |
|
+ | See also: [[Baseband Commands]] and [[iOS Baseband Tools]]. |
||
− | The [[iPhone]]'s baseband processor is the [[S-Gold 2]] and the [[iPhone 3G]] makes use of the [[X-Gold 608]] chip for this purpose. |
||
+ | ==Device List== |
||
+ | <onlyinclude> <!-- Do not remove this tag, it is used as part of the main page transclution! --> |
||
+ | <div class="flex"> |
||
+ | <div> |
||
+ | =====[[PMB8876]] S-Gold 2===== |
||
+ | * [[M68AP|iPhone]] |
||
+ | =====[[PMB8878]] X-Gold 608===== |
||
− | You can check some [[Baseband Commands]] too (by pH and EvilPenguin) |
||
+ | * [[K48AP|iPad]] |
||
+ | * [[N82AP|iPhone 3G]] |
||
+ | * [[N88AP|iPhone 3GS]] |
||
+ | =====[[XMM 6180]] X-Gold 618===== |
||
− | ==Seczone== |
||
+ | * iPad 2 [[K94AP|(iPad2,2)]] |
||
+ | * iPhone 4 [[N90AP|(iPhone3,1)]] and [[N90BAP|(iPhone3,2)]] |
||
+ | |||
+ | =====[[MDM6600]]===== |
||
+ | * iPad 2 [[K95AP|(iPad2,3)]] |
||
+ | * iPhone 4 [[N92AP|(iPhone3,3)]] |
||
+ | |||
+ | =====[[MDM6610]]===== |
||
+ | * [[iPhone 4S]] |
||
+ | |||
+ | =====[[MDM9600]]===== |
||
+ | * [[iPad (3rd generation)]] |
||
+ | |||
+ | =====[[MDM9615]]===== |
||
+ | * [[iPad (4th generation)]] |
||
+ | * [[iPad Air]] |
||
+ | * [[iPad mini]] |
||
+ | * [[iPad mini 2]] |
||
+ | * [[iPad mini 3]] |
||
+ | * [[iPhone 5]] |
||
+ | * [[iPhone 5c]] |
||
+ | * [[iPhone 5s]] |
||
+ | |||
+ | =====[[MDM9625]]===== |
||
+ | * [[iPad (5th generation)]] |
||
+ | * [[iPad Air 2]] |
||
+ | * [[iPad Pro (12.9-inch)]] |
||
+ | * [[iPad mini 4]] |
||
+ | * [[iPhone 6]] |
||
+ | * [[iPhone 6 Plus]] |
||
+ | * [[iPhone SE (1st generation)]] |
||
+ | |||
+ | =====[[MDM9635]]===== |
||
+ | * [[Apple Watch Series 3]] |
||
+ | * [[iPad (6th generation)]] |
||
+ | * [[iPad Pro (9.7-inch)]] |
||
+ | * [[iPhone 6s]] |
||
+ | * [[iPhone 6s Plus]] |
||
+ | |||
+ | =====[[MDM9645]]===== |
||
+ | * [[iPad Pro (10.5-inch)]] |
||
+ | * [[iPad Pro (12.9-inch) (2nd generation)]] |
||
+ | * [[iPhone 7]] |
||
+ | * [[iPhone 7 Plus]] |
||
+ | |||
+ | =====[[PMB9943]] X-Gold 736===== |
||
+ | * [[iPhone 7]] |
||
+ | * [[iPhone 7 Plus]] |
||
+ | </div> |
||
+ | <div> |
||
+ | =====[[MDM9655]]===== |
||
+ | * [[iPhone 8]] |
||
+ | * [[iPhone 8 Plus]] |
||
+ | * [[iPhone X]] |
||
+ | |||
+ | =====[[PMB9948]] X-Gold 748===== |
||
+ | * [[iPhone 8]] |
||
+ | * [[iPhone 8 Plus]] |
||
+ | * [[iPhone X]] |
||
+ | |||
+ | =====[[PMB9955]] X-Gold 756===== |
||
+ | * [[Apple Watch Series 4]] |
||
+ | * [[Apple Watch Series 5]] |
||
+ | * [[Apple Watch SE (1st generation)|Apple Watch SE]] |
||
+ | * [[Apple Watch Series 6]] |
||
+ | * [[Apple Watch Series 7]] |
||
+ | * [[Apple Watch SE (2nd generation)|Apple Watch SE]] |
||
+ | * [[Apple Watch Series 8]] |
||
+ | * [[Apple Watch Ultra]] |
||
+ | * [[iPad (7th generation)]] |
||
+ | * [[iPad (8th generation)]] |
||
+ | * [[iPad Air (3rd generation)]] |
||
+ | * [[iPad Pro (11-inch)]] |
||
+ | * [[iPad Pro (12.9-inch) (3rd generation)]] |
||
+ | * [[iPad mini (5th generation)]] |
||
+ | * [[iPhone XR]] |
||
+ | * [[iPhone XS]] |
||
+ | * [[iPhone XS Max]] |
||
+ | |||
+ | =====[[PMB9960]] X-Gold 766===== |
||
+ | * [[iPad Air (4th generation)]] |
||
+ | * [[iPad Pro (11-inch) (2nd generation)]] |
||
+ | * [[iPad Pro (12.9-inch) (4th generation)]] |
||
+ | * [[iPhone 11]] |
||
+ | * [[iPhone 11 Pro]] |
||
+ | * [[iPhone 11 Pro Max]] |
||
+ | * [[iPhone SE (2nd generation)]] |
||
+ | |||
+ | =====[[SDX55M]]===== |
||
+ | * [[iPad Pro (11-inch) (3rd generation)]] |
||
+ | * [[iPad Pro (12.9-inch) (5th generation)]] |
||
+ | * [[iPhone 12 mini]] |
||
+ | * [[iPhone 12]] |
||
+ | * [[iPhone 12 Pro]] |
||
+ | * [[iPhone 12 Pro Max]] |
||
+ | |||
+ | =====[[SDX57M]]===== |
||
+ | * [[iPhone SE (3rd generation)]] |
||
+ | |||
+ | =====[[SDX60M]]===== |
||
+ | * [[iPad Air (5th generation)]] |
||
+ | * [[iPad mini (6th generation)]] |
||
+ | * [[iPhone 13 mini]] |
||
+ | * [[iPhone 13]] |
||
+ | * [[iPhone 13 Pro]] |
||
+ | * [[iPhone 13 Pro Max]] |
||
+ | |||
+ | =====[[SDX65M]]===== |
||
+ | * [[iPhone 14]] |
||
+ | * [[iPhone 14 Plus]] |
||
+ | * [[iPhone 14 Pro]] |
||
+ | * [[iPhone 14 Pro Max]] |
||
+ | </div> |
||
+ | </div> |
||
+ | </onlyinclude> <!-- Do not remove this tag, it is used as part of the main page transclution! --> |
||
+ | |||
+ | ==[[Seczone]]== |
||
This is the area in the baseband where the lock state is stored. |
This is the area in the baseband where the lock state is stored. |
||
===Layout=== |
===Layout=== |
||
0x400--NCK token |
0x400--NCK token |
||
+ | 0xA00--IMEI signature |
||
0xB00--IMEI |
0xB00--IMEI |
||
− | 0xB10--IMEI signature |
||
0xC00--Locks table |
0xC00--Locks table |
||
===Encryption=== |
===Encryption=== |
||
− | Many of the sections are encrypted using TEA based off the CHIPID and NORID. See [[NCK Brute Force]] for more info. |
+ | Many of the sections are encrypted using [[Baseband TEA Keys|TEA]] based off the [[CHIPID]] and [[NORID]]. See [[NCK Brute Force]] for more info. |
==Exploits== |
==Exploits== |
||
* [[SIM hacks]] |
* [[SIM hacks]] |
||
+ | |||
− | * [[Fakeblank|Hardware Fakeblank]] |
||
+ | ===[[PMB8876]] S-Gold 2=== |
||
+ | * [[Fakeblank]] |
||
* [[IPSF]] |
* [[IPSF]] |
||
* [[Minus 0x400]] |
* [[Minus 0x400]] |
||
− | * [[Jerrysim]] |
||
* [[Minus 0x20000 with Back Extend Erase]] |
* [[Minus 0x20000 with Back Extend Erase]] |
||
+ | |||
− | * [[At+stkprof]] |
||
+ | ===[[PMB8878]] X-Gold 608=== |
||
− | * [[AT+XLOG Exploit]] |
||
+ | * [[JerrySIM]] |
||
+ | * [[AT+stkprof]] |
||
+ | * [[AT+XLOG Vulnerability]] |
||
+ | * [[AT+XEMN Heap Overflow]] |
||
+ | * [[AT+XAPP Vulnerability]] |
||
+ | * [[AT+FNS]] |
||
+ | |||
+ | ===[[XMM 6180]] X-Gold 618=== |
||
+ | * [[AT+XAPP Vulnerability]] |
||
+ | |||
+ | ===[[MDM6600]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[MDM6610]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[MDM9600]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[MDM9615]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[MDM9625]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[MDM9635]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[MDM9645]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[PMB9943]] X-Gold 736=== |
||
+ | * None |
||
+ | |||
+ | ===[[MDM9655]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[PMB9948]] X-Gold 748=== |
||
+ | * None |
||
+ | |||
+ | ===[[PMB9955]] X-Gold 756=== |
||
+ | * None |
||
+ | |||
+ | ===[[PMB9960]] X-Gold 766=== |
||
+ | * None |
||
+ | |||
+ | ===[[SDX55M]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[SDX57M]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[SDX60M]]=== |
||
+ | * None |
||
+ | |||
+ | ===[[SDX65M]]=== |
||
+ | * None |
||
==Theoretical Attacks== |
==Theoretical Attacks== |
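Review bot: In the Seczone layout, the IMEI signature offset changes from 0xB10 to 0xA00 with no indication of which baseband the layout describes. The page now lists chipsets from PMB8876 through SDX65M, so the Layout lines should name the chip or chips they were taken from and point to a source for the corrected offset. In the Exploits section, the bare "* None" entries under the newer chipsets read as a claim that no vulnerabilities exist; "None publicly documented" would match what the wiki can actually know. Minor: the new intro starts with a lowercase "the" and writes "it's MAC addresses" where a possessive is meant, and both onlyinclude comments spell "transclusion" as "transclution".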
Latest revision as of 23:33, 19 September 2022
The Baseband Device is the chipset used by all iPhones and by cellular models of the Apple Watch, iPad, iPad Air, iPad mini, and iPad Pro; it manages all functions that require a cellular antenna. It has its own RAM and firmware in NOR flash, separate from the ARM core resources. The baseband is a resource to the OS. Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.
See also: Baseband Commands and iOS Baseband Tools.
Device List
PMB8876 S-Gold 2
PMB8878 X-Gold 608
XMM 6180 X-Gold 618
- iPad 2 (iPad2,2)
- iPhone 4 (iPhone3,1) and (iPhone3,2)
MDM6600
- iPad 2 (iPad2,3)
- iPhone 4 (iPhone3,3)
MDM6610
MDM9600
MDM9615
MDM9625
- iPad (5th generation)
- iPad Air 2
- iPad Pro (12.9-inch)
- iPad mini 4
- iPhone 6
- iPhone 6 Plus
- iPhone SE (1st generation)
MDM9635
MDM9645
PMB9943 X-Gold 736
MDM9655
PMB9948 X-Gold 748
PMB9955 X-Gold 756
- Apple Watch Series 4
- Apple Watch Series 5
- Apple Watch SE
- Apple Watch Series 6
- Apple Watch Series 7
- Apple Watch SE
- Apple Watch Series 8
- Apple Watch Ultra
- iPad (7th generation)
- iPad (8th generation)
- iPad Air (3rd generation)
- iPad Pro (11-inch)
- iPad Pro (12.9-inch) (3rd generation)
- iPad mini (5th generation)
- iPhone XR
- iPhone XS
- iPhone XS Max
PMB9960 X-Gold 766
- iPad Air (4th generation)
- iPad Pro (11-inch) (2nd generation)
- iPad Pro (12.9-inch) (4th generation)
- iPhone 11
- iPhone 11 Pro
- iPhone 11 Pro Max
- iPhone SE (2nd generation)
SDX55M
- iPad Pro (11-inch) (3rd generation)
- iPad Pro (12.9-inch) (5th generation)
- iPhone 12 mini
- iPhone 12
- iPhone 12 Pro
- iPhone 12 Pro Max
SDX57M
SDX60M
- iPad Air (5th generation)
- iPad mini (6th generation)
- iPhone 13 mini
- iPhone 13
- iPhone 13 Pro
- iPhone 13 Pro Max
SDX65M
Seczone
This is the area in the baseband where the lock state is stored.
Layout
0x400--NCK token
0xA00--IMEI signature
0xB00--IMEI
0xC00--Locks table
Encryption
Many of the sections are encrypted using TEA, with keys based on the CHIPID and NORID. See NCK Brute Force for more info.
Exploits
PMB8876 S-Gold 2
PMB8878 X-Gold 608
XMM 6180 X-Gold 618
MDM6600
- None
MDM6610
- None
MDM9600
- None
MDM9615
- None
MDM9625
- None
MDM9635
- None
MDM9645
- None
PMB9943 X-Gold 736
- None
MDM9655
- None
PMB9948 X-Gold 748
- None
PMB9955 X-Gold 756
- None
PMB9960 X-Gold 766
- None
SDX55M
- None
SDX57M
- None
SDX60M
- None
SDX65M
- None