Preventing Baseband Update

From The iPhone Wiki
Revision as of 22:42, 27 March 2011 by Http (iH8Sn0w's Method)

Edit options.plist

  1. Unpack the custom IPSW.
  2. Decrypt the Restore Ramdisk using xpwntool and mount it.
  3. Navigate to /usr/local/share/restore on the mounted ramdisk.
  4. Edit options.plist there and set UpdateBaseband to false. Leave every other setting in the plist exactly as it is; this is the only entry that changes:

	<key>UpdateBaseband</key>
	<false/>

  5. Re-encrypt the restore ramdisk.
  6. Repack the IPSW.
  7. Prepare the device for custom firmware using redsn0w (pwned DFU Mode).
  8. Restore the IPSW with iTunes while the device is in pwned DFU Mode, using the appropriate method (see the "Restoring The Modified IPSW" section below).

You must load a patched iBSS/iBEC for this to work. The iBSS from an original (stock) IPSW will not do: redsn0w's pwned DFU Mode only gets the first unsigned image onto the device, it does not patch the signature checks inside the iBSS itself (which is loaded from the IPSW), and it is the iBSS that verifies the images that follow it. A stock iBSS therefore rejects the modified, no longer validly signed, restore ramdisk.
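Step 4 above, as an added example that is not from the page or from any jailbreak tool: a Python script that flips only the UpdateBaseband key in options.plist and writes every other key back unchanged and in its original order, so a diff of the file shows exactly one change. The sample plist embedded below is constructed from the keys this page mentions; a real options.plist carries more keys, and none of them need touching.

```python
"""Set UpdateBaseband to false in a restore ramdisk's options.plist.

Added example, not from the page or from any jailbreak tool. Only the one key
changes; every other entry is written back unchanged and in its original order.
"""
import plistlib
import sys

# Constructed sample, modelled on keys this page mentions. A real
# options.plist at usr/local/share/restore on the ramdisk carries more keys.
SAMPLE_OPTIONS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CreateFilesystemPartitions</key>
    <true/>
    <key>SystemPartitionSize</key>
    <integer>1024</integer>
    <key>UpdateBaseband</key>
    <true/>
</dict>
</plist>
"""


def load_options(plist_bytes):
    """Parse options.plist (XML or binary) into a dict, refusing other roots."""
    opts = plistlib.loads(plist_bytes)
    if not isinstance(opts, dict):
        raise ValueError("options.plist root is not a dict")
    return opts


def baseband_update_setting(plist_bytes):
    """Current UpdateBaseband value, or None when the key is absent."""
    value = load_options(plist_bytes).get("UpdateBaseband")
    return None if value is None else bool(value)


def disable_baseband_update(plist_bytes):
    """Return the plist with UpdateBaseband=false; adds the key if it is missing."""
    opts = load_options(plist_bytes)
    opts["UpdateBaseband"] = False
    # sort_keys=False keeps the file's own key order so a diff shows one change.
    return plistlib.dumps(opts, fmt=plistlib.FMT_XML, sort_keys=False)


def patch_file(path):
    """Rewrite options.plist in place; returns the (before, after) settings."""
    with open(path, "rb") as f:
        original = f.read()
    patched = disable_baseband_update(original)
    with open(path, "wb") as f:
        f.write(patched)
    return baseband_update_setting(original), baseband_update_setting(patched)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("UpdateBaseband: %s -> %s" % patch_file(sys.argv[1]))
    else:
        print(disable_baseband_update(SAMPLE_OPTIONS_PLIST).decode())
```

Run it with the path of options.plist on the mounted ramdisk as its only argument, before re-encrypting and repacking; with no argument it prints the patched sample. Check the printed before/after values: the "before" value tells you whether the ramdisk you are editing actually had the key set to true.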

Restoring The Modified IPSW

Firmwares 4.2.1 and above have a baseband check in the Restore Ramdisk. If the modified IPSW is restored (Restore Method), iTunes reports Error 1015 and the iPhone is left in a recovery-mode loop that cannot be exited with TinyUmbrella or with the 'setenv auto-boot true' command.
The Update Ramdisk does not contain that baseband check, so if the Update Method described below is used instead, iTunes reports Error 1013, and that state can be exited with TinyUmbrella or with the irecovery command.

Update Method

  • Windows users: open iTunes, hold the Shift key and click Update, then select the modified IPSW.
  • Mac users: open iTunes, hold the Option (Alt) key and click Update, then select the modified IPSW.

Restore Method

  • Windows users: open iTunes, hold the Shift key and click Restore, then select the modified IPSW.
  • Mac users: open iTunes, hold the Option (Alt) key and click Restore, then select the modified IPSW.

TinyUmbrella/Cydia Server Method (iPhone 4)

The iPhone 4 requires an AT+XNONCE key signature from Apple in order to update the baseband. Pointing the hosts file at the Cydia server, or running TinyUmbrella, causes this signature request to be ignored, which prevents the baseband update.

  • This only works if the Cydia server/TinyUmbrella accepts (has on file) the firmware's SHSH.
  • This method 'works' with iOS 4.2.1, but the restore ramdisk contains a baseband version check. If the version does not match, the device crashes before the Apple logo with the loading bar (the second one, not the restore one) appears; it then boots and crashes again. The usual 'kick out of recovery mode' methods and "setenv auto-boot true" do not help, because auto-boot being false is not the problem. On its own, this method is therefore not useful for iOS 4.2.1.
  • However, users can upgrade to 4.2.1 while preserving the baseband: when the iPhone 4 fails to boot after the restore, run GreenPois0n RC5. It gives an untethered jailbreak and kicks the device out of recovery mode.
  1. Edit the hosts file and add the line "74.208.10.249 gs.apple.com" (without the quotes), or run TinyUmbrella after saving the firmware's SHSH. If the Cydia server does not have your SHSH but you have it locally, use the TSS Server method in TinyUmbrella.
  2. If your current firmware version is below 4.2, use the "Restore" button in iTunes; otherwise use the "Update" button.
  3. You will get Error 1013. It is easily bypassed with the Exit Recovery Mode button in TinyUmbrella, or by typing 'setenv auto-boot true' followed by 'saveenv' in iRecovery.

iH8Sn0w's Method

User iH8sn0w mentioned a new method in this tweet (an upgrade-only option in sn0wbreeze). He confirmed that his method is not the same as the methods described above. To learn more, someone would have to compare the contents of the generated IPSW.

This method can also be used on the iPhone 3GS and the iPhone 4 to downgrade from the 4.3 betas back to 4.2.1, as long as the device can be restored (and activated) to iOS 4.1 or an earlier version.

To get some more details, I have run sn0wbreeze with the "baseband preservation mode" option on iOS 4.3 for the iPhone 4 and compared the differences. I'll list them here:

root filesystem 038-0688-006.dmg

I couldn't get vfdecrypt to run, so I cannot list the details. It is much smaller (360 MB instead of 615 MB). (Details to be added.)

restore ramdisk 038-0715-006.dmg

options.plist

The file options.plist in the folder \ramdisk\usr\local\share\restore is changed. These are the changes:

  • first entry added: CreateFilesystemPartitions = true
  • changed value: SystemPartitionSize 1024 changed to 1050
  • added last entry: UpdateBaseband = false

asr

In the folder \ramdisk\usr\sbin\ the file asr (empty) has been renamed to asr_orig, and a new file of 180832 bytes has been added. Not sure where this comes from.

images

Two files were changed from the Apple logo to the iH8sn0w logo. Both are called applelogo.png; they are located in \ramdisk\usr\share\progressui\images-1x\ and in \ramdisk\usr\share\progressui\images-2x\.

patches in iBSS

There are several patches in the iBSS (for each entry, the first line is the original and the second is the patched version):

000000FC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000FC: 03 A2 13 68 1B B1 50 68 C8 50 08 32 F9 E7 70 47 E0 A9 8C 00 30 E0 00 20 A4 AC 92 00 06 9B 0B B1 A8 AC 92 00 00 23 04 D0 D8 D3 71 00 EA D1 01 20 E4 A9 8C 00 00 20 2D E0 5C DB 27 00 01

00012C26: FF F7 73 FE
00012C26: 00 20 00 20

00012C4C: FF F7 60 FE
00012C4C: 00 20 00 20

00012C70: FF F7 B6 FE
00012C70: 00 20 00 20

00012C98: FF F7 3A FE
00012C98: 00 20 00 20

00012CBA: FF F7 29 00
00012CBA: 00 20 00 20

00012CDE: FF F7 17 FE
00012CDE: 00 20 00 20

00012D02: FF F7 05 FE
00012D02: 00 20 00 20

00012D20: FF F7 F6 FD
00012D20: 00 20 00 20

00012D44: FF F7 E4 FD
00012D44: 00 20 00 20

0001345A: 08 F0 0D
0001345A: EC F7 4F

0001AD38: 4F F0 FF 30
0001AD38: 00 20 00 20
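The patch list above, as an added example that is neither the page's nor sn0wbreeze's code: a Python script that parses the page's "original line / patched line" format, checks that the bytes at each offset really are the expected originals before writing anything (the offsets belong to the one iBSS build that was compared, so a mismatch means a different file, not a file to patch), and decodes the little-endian 16-bit Thumb halfwords so the patches can be read. Most of the four-byte entries replace a Thumb-2 BL (first halfword F7FF, a backwards call) with two 16-bit MOVS R0, #0 instructions (0x2000 each): the call disappears and R0, the return register, is forced to zero. The entry at 0x1AD38 replaces MOV.W R0, #0xFFFFFFFF the same way, and the block at 0xFC writes 61 bytes of code into what was all zeros. The sample image is constructed (a zero-filled buffer with the original bytes planted at each offset), not a real iBSS. The entry at 0x12CBA is kept exactly as transcribed on the page; its second halfword (0x0029) does not decode as the second half of a BL, so the decoder reports it as unrecognised rather than guessing.

```python
"""Verify-then-apply the iBSS byte patches listed on this page, and decode them.

Added example; not sn0wbreeze's code. The offsets are specific to one iBSS
build, so every patch is checked against the expected original bytes first.
"""
import re
import struct

# The page's patch list, verbatim: two lines per entry with the same offset,
# first the original bytes, then the patched bytes.
PATCH_TEXT = """
000000FC: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000FC: 03 A2 13 68 1B B1 50 68 C8 50 08 32 F9 E7 70 47 E0 A9 8C 00 30 E0 00 20 A4 AC 92 00 06 9B 0B B1 A8 AC 92 00 00 23 04 D0 D8 D3 71 00 EA D1 01 20 E4 A9 8C 00 00 20 2D E0 5C DB 27 00 01
00012C26: FF F7 73 FE
00012C26: 00 20 00 20
00012C4C: FF F7 60 FE
00012C4C: 00 20 00 20
00012C70: FF F7 B6 FE
00012C70: 00 20 00 20
00012C98: FF F7 3A FE
00012C98: 00 20 00 20
00012CBA: FF F7 29 00
00012CBA: 00 20 00 20
00012CDE: FF F7 17 FE
00012CDE: 00 20 00 20
00012D02: FF F7 05 FE
00012D02: 00 20 00 20
00012D20: FF F7 F6 FD
00012D20: 00 20 00 20
00012D44: FF F7 E4 FD
00012D44: 00 20 00 20
0001345A: 08 F0 0D
0001345A: EC F7 4F
0001AD38: 4F F0 FF 30
0001AD38: 00 20 00 20
"""

_LINE = re.compile(r"^([0-9A-Fa-f]+):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_patch_line(line):
    """'OFFSET: XX XX ...' -> (offset, bytes)."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("bad patch line: %r" % line)
    return int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))


def parse_patches(text):
    """Pair up (original, patched) lines -> list of (offset, orig, new)."""
    lines = [l for l in (s.strip() for s in text.splitlines()) if l]
    if len(lines) % 2:
        raise ValueError("patch list must be original/patched line pairs")
    patches = []
    for orig_line, new_line in zip(lines[0::2], lines[1::2]):
        off, orig = parse_patch_line(orig_line)
        off2, new = parse_patch_line(new_line)
        if off != off2:
            raise ValueError("offset mismatch in pair at 0x%X" % off)
        patches.append((off, orig, new))
    return patches


def apply_patches(image, patches):
    """Return a patched copy; refuse if any original bytes are not as expected."""
    buf = bytearray(image)
    for off, orig, new in patches:
        if off + max(len(orig), len(new)) > len(buf):
            raise ValueError("patch at 0x%X runs past the end of the image" % off)
        found = bytes(buf[off:off + len(orig)])
        if found != orig:
            raise ValueError("at 0x%X expected %s, found %s: wrong iBSS build?"
                             % (off, orig.hex(), found.hex()))
        buf[off:off + len(new)] = new
    return bytes(buf)


def thumb_halfwords(data):
    """Split into little-endian 16-bit halfwords, the unit Thumb code is fetched in."""
    return [struct.unpack_from("<H", data, i)[0] for i in range(0, len(data) - 1, 2)]


def describe(data):
    """Name the few Thumb/Thumb-2 encodings that occur in this patch list."""
    hw = thumb_halfwords(data)
    if len(hw) == 2 and (hw[0] & 0xF800) == 0xF000 and (hw[1] & 0xD000) == 0xD000:
        return "BL"                         # 32-bit branch with link
    if hw == [0xF04F, 0x30FF]:
        return "MOV.W R0, #0xFFFFFFFF"      # T2 MOV immediate, 0x00FF replicated
    if hw and all(h == 0x2000 for h in hw):
        return "MOVS R0, #0 x%d" % len(hw)  # 16-bit MOVS Rd=0, imm8=0
    return "unrecognised"


def build_sample_image(patches, size=0x1B000):
    """Constructed stand-in for an iBSS: zero-filled, with the expected original
    bytes planted at each patch offset. Not a real bootloader image."""
    buf = bytearray(size)
    for off, orig, _ in patches:
        buf[off:off + len(orig)] = orig
    return bytes(buf)


if __name__ == "__main__":
    patches = parse_patches(PATCH_TEXT)
    patched = apply_patches(build_sample_image(patches), patches)
    for off, orig, new in patches:
        print("0x%05X: %-22s -> %s" % (off, describe(orig), describe(new)))
    print("patched image: %d bytes" % len(patched))
```

To use it on a real file, decrypt the iBSS IMG3 payload first (the offsets are into the decrypted payload, not the IMG3 container) and pass those bytes to apply_patches; a ValueError naming an offset tells you the file is not the build these patches were taken from, and nothing has been written.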