The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Audio DSP Module"
ChronicDev (talk | contribs) (New page: A "secret" coprocessor only in the S5L8900 devices. I do not have a devicetree handy, so I do not know the phys / virt addresses. == Registers == I'll have to dig up my IDB to get the...) |
m (Links.) |
||
Line 6: | Line 6: | ||
* '''Register 0x50''' - Calm2ADM Instruction Area (ie. pointer to payload) |
* '''Register 0x50''' - Calm2ADM Instruction Area (ie. pointer to payload) |
||
− | == [[ |
+ | == [[IMG3 File Format|IMG3]] Obfuscation == |
− | This became known and looked into because in the 3.0 GM firmware release, for the [[S5L8900]] devices, Apple made use of this to compute a "soft" [[GID-key]] to be used to decrypt the KBAG of the firmware image being loaded. The computation was based off of a hash of the first 0x1B000 of the running iBoot, so to get the correct output you needed to do some tricky patching. |
+ | This became known and looked into because in the 3.0 GM firmware release, for the [[S5L8900]] devices, Apple made use of this to compute a "soft" [[GID-key]] to be used to decrypt the [[KBAG]] of the firmware image being loaded. The computation was based off of a hash of the first 0x1B000 of the running [[iBoot]], so to get the correct output you needed to do some tricky patching. |
=== See also === |
=== See also === |
Revision as of 17:14, 12 September 2010
A "secret" coprocessor only in the S5L8900 devices. I do not have a devicetree handy, so I do not know the phys / virt addresses.
Registers
I'll have to dig up my IDB to get the whole thing, but this is what I remember:
- Register 0x0 - Calm2ADM Configuration Register
- Register 0x50 - Calm2ADM Instruction Area (ie. pointer to payload)
IMG3 Obfuscation
This became known and looked into because in the 3.0 GM firmware release, for the S5L8900 devices, Apple made use of this to compute a "soft" GID-key to be used to decrypt the KBAG of the firmware image being loaded. The computation was based off of a hash of the first 0x1B000 of the running iBoot, so to get the correct output you needed to do some tricky patching.