Difference between revisions of "Audio DSP Module"

From The iPhone Wiki
Jump to: navigation, search
m (Links.)
m (IMG3 Obfuscation: link update)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
A "secret" coprocessor only in the [[S5L8900]] devices. I do not have a devicetree handy, so I do not know the phys / virt addresses.
+
A "secret" coprocessor only in the [[S5L8900]] devices. The phys / virt addresses are unknown.
   
 
== Registers ==
 
== Registers ==
Line 7: Line 7:
   
 
== [[IMG3 File Format|IMG3]] Obfuscation ==
 
== [[IMG3 File Format|IMG3]] Obfuscation ==
This became known and looked into because in the 3.0 GM firmware release, for the [[S5L8900]] devices, Apple made use of this to compute a "soft" [[GID-key]] to be used to decrypt the [[KBAG]] of the firmware image being loaded. The computation was based off of a hash of the first 0x1B000 of the running [[iBoot]], so to get the correct output you needed to do some tricky patching.
+
This became known and looked into because in the 3.0 GM firmware release, for the [[S5L8900]] devices, Apple made use of this to compute a "soft" [[GID Key]] to be used to decrypt the [[KBAG]] of the firmware image being loaded. The computation was based off of a hash of the first 0x1B000 of the running [[iBoot]], so to get the correct output you needed to do some tricky patching.
   
 
=== See also ===
 
=== See also ===
 
* [[GIDecrypt]]
 
* [[GIDecrypt]]
  +
  +
{{stub|hardware}}

Latest revision as of 08:14, 4 August 2013

A "secret" coprocessor only in the S5L8900 devices. The phys / virt addresses are unknown.

Registers

I'll have to dig up my IDB to get the whole thing, but this is what I remember:

  • Register 0x0 - Calm2ADM Configuration Register
  • Register 0x50 - Calm2ADM Instruction Area (ie. pointer to payload)

IMG3 Obfuscation

This became known and looked into because in the 3.0 GM firmware release, for the S5L8900 devices, Apple made use of this to compute a "soft" GID Key to be used to decrypt the KBAG of the firmware image being loaded. The computation was based off of a hash of the first 0x1B000 of the running iBoot, so to get the correct output you needed to do some tricky patching.

See also

Hacking.png This hardware article is a "stub", an incomplete page. Please add more content to this article and remove this tag.