Difference between revisions of "Fakeblank"

From The iPhone Wiki
Older revision summary: (New page: This exploit is in the Baseband Bootrom ==Credit== gray, iProof, geohot, dinopio, lazyc0der, and an anonymous contributor ==Description== If 0xA0000030 0xA000A5A0 0xA0015C58 0xA00173...)

Newer revision summary: m (Reverted edits by QWAZ (Talk); changed back to last version by ChronicDev)

(5 intermediate revisions by 3 users not shown)
Changes between the two revisions (wikitext):

Line 1, old: This exploit is in the [[Baseband Bootrom]]
Line 1, new: This exploit is in the [[Baseband Bootrom]]. There are hardware (testpoint) and software variations of this.

Line 5 (==Description==), old: If 0xA0000030 0xA000A5A0 0xA0015C58 0xA0017370 read as 0xFFFFFFFF on startup, the [[Baseband Bootrom Protocol]] can be used to download and run unsigned code. In the initial hardware unlock, an address line was pulled high to OR in hardware those addresses with 0x40000.
Line 5 (==Description==), new: If 0xA0000030 0xA000A5A0 0xA0015C58 0xA0017370 read as 0xFFFFFFFF on startup, the [[Baseband Bootrom Protocol]] can be used to download and run unsigned code. In the initial hardware unlock, an address line was pulled high to OR in hardware those addresses with +0x40000, making it instead read parts of the baseband firmware area, which can be erased.

Unchanged (==Other links==): [http://wikee.iphwn.org/sgold_bootrom:fakeblank dev team description of fakeblank]

Added at end of page: [[Category:Baseband Exploits]]
Latest revision as of 01:00, 23 September 2010

This exploit is in the Baseband Bootrom. There are hardware (testpoint) and software variations of this.

Credit

gray, iProof, geohot, dinopio, lazyc0der, and an anonymous contributor

Description

If the four words at 0xA0000030, 0xA000A5A0, 0xA0015C58 and 0xA0017370 all read as 0xFFFFFFFF on startup, the Baseband Bootrom Protocol can be used to download and run unsigned code. In the initial hardware unlock, an address line was pulled high, which in hardware ORs those addresses with +0x40000, so the bootrom instead reads from parts of the baseband firmware area, and that area can be erased.
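The address aliasing described above, as an added example that is not part of this wiki page or of the dev team's tooling: a small Python model of a NOR flash whose erased cells read 0xFF, the four security-word addresses, and a bootrom blank check whose reads get one address line (bit 18, value 0x40000) forced high. Only the four addresses and the 0x40000 offset come from the page; the flash size and layout, the word values, the little-endian 32-bit reads and the name of the check are constructed assumptions. The point it shows is why a blank check is not a trust anchor: the bootrom decides based on what it reads, but the address path between it and the cells was not under its control.

```python
import struct

# Addresses the bootrom checks for 0xFFFFFFFF (from the page).
SECURITY_WORDS = (0xA0000030, 0xA000A5A0, 0xA0015C58, 0xA0017370)
A18 = 0x40000            # address line that was pulled high: OR 0x40000 into every address
FLASH_BASE = 0xA0000000  # assumption: the checked words sit in flash mapped at this base
BLANK = 0xFFFFFFFF


class NorFlash:
    """Constructed model of a byte-addressable NOR region. Erased cells read 0xFF,
    so an erased 32-bit word reads 0xFFFFFFFF. Size is an assumption (384 KiB)."""

    def __init__(self, size=0x60000):
        self.mem = bytearray(b"\xff") * size

    def _off(self, addr):
        off = addr - FLASH_BASE
        if not 0 <= off <= len(self.mem) - 4:
            raise ValueError(f"address {addr:#x} outside modelled flash")
        return off

    def read_word(self, addr):
        return struct.unpack_from("<I", self.mem, self._off(addr))[0]

    def program_word(self, addr, value):
        struct.pack_into("<I", self.mem, self._off(addr), value)

    def erase(self, start, length):
        off = self._off(start)
        self.mem[off:off + length] = b"\xff" * length


def aliased_addresses(forced_lines=A18):
    """Where the bootrom's four reads actually land when a line is forced high."""
    return [addr | forced_lines for addr in SECURITY_WORDS]


def bootrom_sees_blank(flash, forced_lines=0):
    """Model of the blank check: True when every security word reads 0xFFFFFFFF.
    forced_lines models address bits held high in hardware, ORed into each read."""
    return all(flash.read_word(addr | forced_lines) == BLANK for addr in SECURITY_WORDS)


def demo():
    """Walk through the three states: normal boot, aliased reads hitting programmed
    firmware, and aliased reads hitting an erased firmware area."""
    flash = NorFlash()
    for addr in SECURITY_WORDS:
        flash.program_word(addr, 0x00000001)      # constructed non-blank security words
    for addr in aliased_addresses():
        flash.program_word(addr, 0xDEADBEEF)      # constructed firmware bytes at +0x40000

    normal = bootrom_sees_blank(flash)                  # real words programmed: not blank
    aliased_programmed = bootrom_sees_blank(flash, A18) # aliased region programmed: not blank
    flash.erase(FLASH_BASE + A18, 0x20000)              # erase the region the aliased reads hit
    aliased_erased = bootrom_sees_blank(flash, A18)     # now every aliased read is 0xFFFFFFFF
    original_intact = bootrom_sees_blank(flash)         # the real words were never touched
    return normal, aliased_programmed, aliased_erased, original_intact


if __name__ == "__main__":
    print([hex(a) for a in aliased_addresses()])
    print(demo())
```

Running it prints the four aliased addresses (each original address with bit 18 set) and the tuple (False, False, True, False): the check only reports "blank" when the reads are redirected into an erased area, while the real security words still hold their programmed values.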

Other links

dev team description of fakeblank: http://wikee.iphwn.org/sgold_bootrom:fakeblank