The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "Fakeblank"
(→Other links)
m (Reverted edits by QWAZ (Talk); changed back to last version by ChronicDev)
Line 4:
gray, iProof, geohot, dinopio, lazyc0der, and an anonymous contributor
− ==
+ ==Description==
+ If 0xA0000030 0xA000A5A0 0xA0015C58 0xA0017370 read as 0xFFFFFFFF on startup, the [[Baseband Bootrom Protocol]] can be used to download and run unsigned code. In the initial hardware unlock, an address line was pulled high to OR in hardware those addresses with +0x40000, making it instead read parts of the baseband firmware area, which can be erased.
− The bootrom is located at 0x400000, and can be dumped via geohotz 5.8bl loader exploit
+ ==Other links==
− This is the first code that runs on the baseband. It resides in internal ROM.
+ [http://wikee.iphwn.org/sgold_bootrom:fakeblank dev team description of fakeblank]
+ [[Category:Baseband Exploits]]
− ==S-Gold 2==
− The bootrom here is located at 0x400000. It was initially dumped using exploits in java on other [[S-Gold 2]] phones. It allows unsigned code to be uploaded using [[Baseband Bootrom Protocol]]. On non debug variants of the chip, it requires [[Fakeblank]] to run that code
− ==X-Gold 608==
− The bootrom is located at 0x400000, and can be dumped via geohotz 5.8bl loader exploit
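Review bot: the removed S-Gold 2 and X-Gold 608 lines (bootrom at 0x400000, first dumped via Java exploits on other S-Gold 2 phones and via the 5.8bl loader exploit, and non-debug S-Gold 2 chips needing Fakeblank before code uploaded over the Baseband Bootrom Protocol will run) are not restated anywhere in the added Description, so the revert silently loses that information; if only QWAZ's changes are meant to go, consider keeping those facts, either here or on a page the Description links to.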
Latest revision as of 01:00, 23 September 2010
This exploit is in the Baseband Bootrom. There are hardware (testpoint) and software variations of this.
Credit
gray, iProof, geohot, dinopio, lazyc0der, and an anonymous contributor
Description
If 0xA0000030 0xA000A5A0 0xA0015C58 0xA0017370 read as 0xFFFFFFFF on startup, the Baseband Bootrom Protocol can be used to download and run unsigned code. In the initial hardware unlock, an address line was pulled high to OR in hardware those addresses with +0x40000, making it instead read parts of the baseband firmware area, which can be erased.
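The check described above, as an added example that is not code from the page or from the dev team: a toy model of the baseband flash with the four words the bootrom inspects, the bootrom's "all four read 0xFFFFFFFF" test, and the address-line OR that the testpoint unlock applies. Only the four addresses, the 0xFFFFFFFF erased value and the 0x40000 offset come from the page; the flash contents, the sparse-table representation, and every function name (flash_program, bus_read, apply_hw_fakeblank, and so on) are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy flash: a sparse table of 32-bit words. Any address without an entry
 * reads as erased (0xFFFFFFFF), as unprogrammed NOR flash does. */
#define ERASED_WORD   0xFFFFFFFFu
#define ADDR_LINE_BIT 0x00040000u   /* address line the testpoint mod pulls high (from the page) */
#define MAX_WORDS     32

/* The four words the bootrom tests at startup (addresses from the page). */
static const uint32_t check_addrs[4] = {
    0xA0000030u, 0xA000A5A0u, 0xA0015C58u, 0xA0017370u
};

typedef struct { uint32_t addr; uint32_t value; } flash_word;
typedef struct { flash_word words[MAX_WORDS]; size_t n; } flash_t;

/* Write a word (the toy ignores that real NOR flash can only clear bits). */
static void flash_program(flash_t *f, uint32_t addr, uint32_t value)
{
    for (size_t i = 0; i < f->n; i++)
        if (f->words[i].addr == addr) { f->words[i].value = value; return; }
    if (f->n < MAX_WORDS) {
        f->words[f->n].addr = addr;
        f->words[f->n].value = value;
        f->n++;
    }
}

static uint32_t flash_read(const flash_t *f, uint32_t addr)
{
    for (size_t i = 0; i < f->n; i++)
        if (f->words[i].addr == addr) return f->words[i].value;
    return ERASED_WORD;
}

/* Where a bootrom read lands once the address line is held high. */
static uint32_t alias_of(uint32_t addr) { return addr | ADDR_LINE_BIT; }

/* A read as the bootrom sees it through the (possibly modified) bus. */
static uint32_t bus_read(const flash_t *f, uint32_t addr, bool line_high)
{
    return flash_read(f, line_high ? alias_of(addr) : addr);
}

/* The startup test from the page: all four words must read erased. */
static bool bootrom_blank_check(const flash_t *f, bool line_high)
{
    for (size_t i = 0; i < 4; i++)
        if (bus_read(f, check_addrs[i], line_high) != ERASED_WORD) return false;
    return true;
}

/* Constructed stock image: programmed data both at the four check words
 * and at the firmware-area words their aliases fall on. */
static void flash_init_stock(flash_t *f)
{
    f->n = 0;
    for (size_t i = 0; i < 4; i++) {
        flash_program(f, check_addrs[i], 0xE59FF000u + (uint32_t)i);           /* placeholder */
        flash_program(f, alias_of(check_addrs[i]), 0xDEAD0000u + (uint32_t)i); /* placeholder */
    }
}

/* Hardware Fakeblank: erase only the aliased words in the firmware area. */
static void apply_hw_fakeblank(flash_t *f)
{
    for (size_t i = 0; i < 4; i++)
        flash_program(f, alias_of(check_addrs[i]), ERASED_WORD);
}

/* True if the four original words are still programmed. */
static bool original_words_intact(const flash_t *f)
{
    for (size_t i = 0; i < 4; i++)
        if (flash_read(f, check_addrs[i]) == ERASED_WORD) return false;
    return true;
}

/* Scenario helpers, so each outcome can be checked by name. */
static bool stock_accepts_unsigned(void)
{
    flash_t f; flash_init_stock(&f);
    return bootrom_blank_check(&f, false);
}

static bool fakeblank_accepts_unsigned(bool line_high)
{
    flash_t f; flash_init_stock(&f); apply_hw_fakeblank(&f);
    return bootrom_blank_check(&f, line_high);
}

static bool fakeblank_keeps_original_words(void)
{
    flash_t f; flash_init_stock(&f); apply_hw_fakeblank(&f);
    return original_words_intact(&f);
}

int main(void)
{
    printf("stock, check passes:                  %d\n", stock_accepts_unsigned());
    printf("fakeblank + line high, check passes:  %d\n", fakeblank_accepts_unsigned(true));
    printf("fakeblank, line normal, check passes: %d\n", fakeblank_accepts_unsigned(false));
    printf("fakeblank, original words intact:     %d\n", fakeblank_keeps_original_words());
    for (size_t i = 0; i < 4; i++)
        printf("0x%08X -> 0x%08X\n", (unsigned)check_addrs[i], (unsigned)alias_of(check_addrs[i]));
    return 0;
}
```

With the line held high, 0xA0000030 is read as 0xA0040030, 0xA000A5A0 as 0xA004A5A0, and so on, so erasing those four firmware-area words satisfies the check while the words the bootrom was meant to inspect stay programmed; without the modification the same erase changes nothing and the check still fails. A real pulled-high address line affects every flash read the bootrom makes, not just these four; the toy applies it only inside the check.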