Difference between revisions of "Talk:Preventing Baseband Update"

From The iPhone Wiki
Jump to: navigation, search
(iH8sn0w's method)
Line 99: Line 99:
 
== iH8sn0w's method ==
 
== iH8sn0w's method ==
 
I saw sn0wbreeze source code and it patches the ASR,options.plist in the ramdisk and the [[iBSS]].How does that exit the recovery loop? --[[User:Whiteshinyapple|Whiteshinyapple]] 07:24, 22 March 2011 (UTC)
 
I saw sn0wbreeze source code and it patches the ASR,options.plist in the ramdisk and the [[iBSS]].How does that exit the recovery loop? --[[User:Whiteshinyapple|Whiteshinyapple]] 07:24, 22 March 2011 (UTC)
  +
There is no [[fstab]] patch so does that mean the baseband check checks the partition and see's if it has access ? --[[User:Whiteshinyapple|Whiteshinyapple]] 11:18, 22 March 2011 (UTC)

Revision as of 11:18, 22 March 2011

No success

I tried this and it didn't work. I used an iPhone 4 with firmware 4.1 and baseband 1.59.00, trying to upgrade it to stock firmware 4.2.1, preserving the baseband.

One thing that was unclear is the plist edit. There was another entry SystemPartitionSyize=1024(integer) (<key>SystemPartitionSize</key><integer>1024</integer>). It was not clear if this should be removed or not. I tried both.

To reencrypt, it used the command

xpwntool 038-0032-002_modified.dmg 038-0032-002_reencrypted.dmg -t 038-0032-002_original.dmg -k 06849aead2e9a6ca8a82c3929bad5c2368942e3681a3d5751720d2aacf0694c0 -iv 9b20ae16bebf4cf1b9101374c3ab0095

With key and iv from here (must be correct, otherwise decryption wouldn't have worked). Then rename 038-0032-002_reencrypted.dmg to original name and back into the ipsw.

To prepare for custom firmware flashing, I used redsn0w 0.9.6b4, reading initial 4.1 firmware.

Without the SystemPartitionSize, I received an iTunes unknown error 46 when it started to flash. With the SystemPartitionSize it went a few seconds longer and I got iTunes error 14.

Anything I am doing wrong? Did anybody else complete this successfully? Or was this just a joke? --http 03:14, 29 November 2010 (UTC)

well what ipsw did you restore to because restored will signature check the root filesystem after ASR but the SystemPartitionSize should be replaced with <key>SystemImage</key> <false/> if you dont want to update the root partition --liamchat 16:06, 29 November 2010 (UTC)
ipsw: 4.2.1 as I said. Why should I not update the root partition? The goal is to upgrade firmware from 4.1 to 4.2.1, without updating the baseband. Did you do this and were successful? --http 19:40, 29 November 2010 (UTC)
why are you using the original file as a template --liamchat 23:02, 29 November 2010 (UTC)
Because xpwntool says so. Is that wrong? --http 23:17, 29 November 2010 (UTC)
it is optional if you want to the code just says create an abstract copy of template if has key --liamchat 23:30, 29 November 2010 (UTC)
Are you guessing? Did you ever try all this? If yes: Did it work for you? If no: no guessing please and better no answer in that case. Thanks. --http 00:48, 30 November 2010 (UTC)
when you used xpwn did it output
img3.c:createAbstractFileFromImg3:645: d65fdeb907a78562210697cf5e57bcaefde672d1a64fda4ec7d1da9df9c6502d23cd01d17ccb0f60b3bdcce154216af8
img3.c:createAbstractFileFromImg3:645: d65fdeb907a78562210697cf5e57bcaefde672d1a64fda4ec7d1da9df9c6502d23cd01d17ccb0f60b3bdcce154216af8
--liamchat 10:45, 30 November 2010 (UTC)
I don't have MUCH experience with this, but I assume that since you've got yourself a modded ramdisk, you have to pwn the bootstrapper iBEC and the other fw parts, as in pwnagetool. --dra1nerdrake 01:24, 30 November 2010 (UTC)
well no because if he see's the apple logo and the empty bar that is in the ramdisk --liamchat 08:29, 30 November 2010 (UTC)
Step 7 should take care of that. I used redsn0w to prepare. --http 08:49, 30 November 2010 (UTC)

It works. restored checks the plist and skips BB update if the option is set to false. Now are you saying that your hand-made ipsw failed the restore process or that your BB was in fact updated? --Msft.guy 03:59, 7 December 2010 (UTC)

Just to confirm: all those that are claiming it doesn't work are patching the correct ramdisk right? Some people are talking about the restore ramdisk then mentioning updates?? Surely if you want to prevent update when updating software you need to patch the update ramdisk and in the same way for restores patch the restore ramdisk? I'm sure this isn't happening but I thought it right to check to rule it out as a possibility -- blackthund3r 06:20, 7 December 2010 (UTC)

I never said it cannot work. For me it just didn't restore (as mentioned). But even if it would restore: how do you get around the new baseband version check? Nothing mentioned about that. --http 07:52, 7 December 2010 (UTC)
i thought the check was in the restore ramdisk not the kernelcache i checked the kernal's memory and saw no running process that can check the baseband version --liamchat 19:22, 7 December 2010 (UTC)
confirmed there is no check on ios it is in the ramdisk --liamchat 22:26, 18 December 2010 (UTC)

Way to bypass recovery mode problem

Is there currently any way to bypass the check? or is it done by setting UpdateBaseband to false? iPad 3Gs cannot downgrade from 4.3 to 4.2.1 and get stuck in a recovery loop even after being kicked out of recovery mode. --LIV2 11:23, 16 January 2011 (UTC)

what error did you get when you restored --liamchat 12:09, 16 January 2011 (UTC)
I'm in the same situation; I've decided to stick with 4.3 for now, can't go back to 3.x after living with multitasking! I get error 1015. Have tried all the usual suspects, can't kick it out of recovery mode, etc. Even tried downgrading to iOS 3.2.2 and then 'upgrading' instead of restoring to 4.2.1 without any success.--Beau 12:34, 16 January 2011 (UTC)
Error code is the usual 1015 error, but iOS 4.2.1 must be doing a BB Version check somewhere because there is no way to stop it going back to recovery. basically when you kick it out of recovery it goes to the apple logo for a while, then reboots and goes into recovery. other reports of this issue are found here:http://forums.macrumors.com/showthread.php?t=1079811 also to note, 3.2.x will restore just fine, 4.2.1 and 4.2.1B3 will not work though --LIV2 13:15, 16 January 2011 (UTC)
Here is the userland side baseband check, which probably looks for something the ramdisk only does after the BB update completes. --The preceding unsigned comment was added by Ryccardo (talk) 17:27, January 16, 2011. Please consult this page for more info on how to sign pages, and how to fix this.
I can confirm that UpdateBaseband = false does not help. Just tried building a custom ramdisk; same result with it being stuck in a loop with error 1015 --Beau 08:39, 24 January 2011 (UTC)
Does anyone know how to get Verbose mode on the iPad? It might help to know why it's not succeeding even when I tell it to not do a baseband update, I even tried replacing the fls and eep with the ones from 4.3 so it wouldn't try to downgrade, but to no avail. --LIV2 00:23, 17 January 2011 (UTC)
As there is no check in the firmware (MuscleNerd's Tweet), there are ways to bypass the problem. Although neither sn0wbreeze nor PwnageTool support 4.2.1, you can still use PwnageTool with an unofficial bundle to install 4.2.1 without changing the baseband. It will automatically bypass this check (not sure how). Also, IH8sn0w has another way than this (see Tweet) to bypass this check in his upcoming sn0wbreeze (will have an option to just perserve baseband, see this Tweet or image. --http 14:39, 16 January 2011 (UTC)

merge all ipsw modifications

Shuld all pages that describe how to make changes to the restore process be merged into one page --liamchat 23:02, 29 November 2010 (UTC)

deletion request

there are 2 point's i am going to make

The ONLY thing you should do to skip a BB update is to set UpdateBaseband to false, don't change anything else. To just flash NOR you have do disable baseband and rootfs, I don't really know the proper way to disable it but there's more than what's listed on the nor-only page. --Ryccardo 21:33, 6 December 2010 (UTC)
i actually would patch restored ( the files are checked before they are flashed and SHSHed ) or replace it with restored_pwn but that is the way apple does it with the recovery ipsw for the S5L8900 --liamchat 19:22, 7 December 2010 (UTC)

Errors :(

There were some errors in this article. Sorry! I edited it and there should be no problems now.PwnageTool & sn0wbreeze use this method. --Whiteshinyapple

Thanks for updating. But actually I cannot see any difference to your original article, except that you mention to not change existing values in the plist. My open questions are:
  • Any idea what I should have made wrong from my description above?
  • Did you or anybody else ever tried this successfully? I always hear that it "should work", but nobody confirmed it by doing so.
  • As far as I know do PwnageTool & sn0wbreeze not support iOS 4.2.1 yet.
  • I can see that by this method the baseband won't get updated. But you can achieve this also by pointing your hosts file to Cydia Server. But how would this solve the problem to boot the device as of the new bb check?
--http 12:02, 7 December 2010 (UTC)

BTW, this still won't work with original IPSW. Pwned DFU mode doesn't patch sigchecks in iBSS, so the ramdisk won't load. You need to load patched iBSS/iBEC for this to work. --Msft.guy 14:11, 7 December 2010 (UTC)

also i added the swap ramdisk because that was confirmed to work this baseband check is only in the restore ramdisk and there are no differences between the update and restore ramdisk and strangely the ramdisk mounts and the progress bar appears --liamchat 19:22, 7 December 2010 (UTC)
TinyUmbrella uses a different method to prevent baseband update afaik.And could someone add on how to swap ramdisks. --Whiteshinyapple
i added how to use TinyUmbrella but it will not work untill someone start's to save update SHSH so until this is fixed i will teach people how to swap ramdisk's --liamchat 16:11, 8 December 2010 (UTC)
[1] the check is only on the restore ramdisk --liamchat 17:22, 9 December 2010 (UTC)

iTunes Method

I already tried this (without reading it here first), because of the mentioned ramdisk swap method. But it didn't work for me. I installed stock 4.1 and then clicked Update in iTunes. Actually with the Shift-Click you can avoid installing 4.1 first, but it's the same. Did this work for anyone? --http 14:49, 16 January 2011 (UTC)

And actually it is the same as the TinyUmbrella method, because the hosts entry prevents the baseband update here. --http 14:52, 16 January 2011 (UTC)

I don't know if this applies to the baseband (it should only if you use a non-Apple server and manually set auto-boot after restoring), but it's definitely useful in hacktivating betas :) --Ryccardo 15:18, 16 January 2011 (UTC)
this was said a while ago http://twitter.com/notcom/status/9273579120099328 and swapping ramdisk's does not work itunes cant connect to restored --liamchat 15:47, 16 January 2011 (UTC)

bbfw deletion

Christoph added the bbfw removal to the TinyUmbrella method. I think this is not correct. To install 4.1 you don't have to change the ipsw file at all. What is this for? I didn't remove it right away, because maybe it helps to get out of the recovery loop with the 4.2.1 update? But in this case more clarifications are needed. --http 14:55, 16 January 2011 (UTC)

iTunes now checks for the bbfw and makes the restore fail if it doesn't exist. Same if the baseband signature can't be generated, but this condition can't be checked in advance, so just redefine gs.apple.com --Ryccardo 15:18, 16 January 2011 (UTC)

iH8sn0w's method

I saw sn0wbreeze source code and it patches the ASR,options.plist in the ramdisk and the iBSS.How does that exit the recovery loop? --Whiteshinyapple 07:24, 22 March 2011 (UTC) There is no fstab patch so does that mean the baseband check checks the partition and see's if it has access ? --Whiteshinyapple 11:18, 22 March 2011 (UTC)