Here comes an experimental 1.1.2 lockdownd patch

n000b · #1 (**permalink**) 11-12-2007, 08:27 PM

I've made a patch for 1.1.2 lockdownd so you don't have to use the old 1.1.1 patch. This patch will put the 1.1.2 into factory activated state. If you have a SuperSim or TurboSIM, you may use it immediately after the patch.

The patched lockdownd may be downloaded from:

/*removed due to copyright */
(remove the underscores)

UPDATE:
1. I did an experiment to try the 1.1.2's brickmode, I forced my activated phone (with SilverCard in) to execute the code block at 0x5B28, syslog showed the following:

Code:

localhost lockdown[21]: lookup_baseband_info: Not the expected firmware version. Enabling brick mode
localhost lockdown[21]: Enabling brick mode on the baseband

then the phone lost signal, reboot didn't not solve it, have to do a firmware restore to return the phone to normal (the syslog said 'brick mode on the baseband', but after restore and activation, my SilverCard worked again), so I think elite team's patch at 0x4B3B is needed.

2. I've modified my patch accordingly in a slightly different manner, allows the info being logged in syslog, but skip the other opeartions.

Here's the revised patch:

Code:

Search for differences

1. G:\iPhone Stuffs\lockdownd\lockdownd_112_original\lockdownd: 996,440 bytes
2. G:\iPhone Stuffs\lockdownd\lockdownd_112_patched\lockdownd: 996,440 bytes
Offsets: hexadec.

 4B4C:	01	14
 4B4E:	A0	00
 4B4F:	E3	EA
 C5C1:	00	40
 C5C2:	54	A0
 C5C8:	04	00
 C5CA:	00	A0
 C5CB:	1A	E1
 C5CC:	01	00
 C5D4:	88	EC

10 difference(s) found.

I use it on my 1.1.2 (upgraded from 1.0.2), and it activates the phone immediately without problem, my SilverCard (16F877+24C64) works as well.

EDIT: my first try was not successful because the SilverCard didn't work. I think I might messed some system files, so I did a restore and retried, this time the SilverCard works perfectly, call in/out, sms in/out, grps all work, youtube only shows list, can't play (I'm in a country the ip is forbidden by youtube).

brasuco · #2 (**permalink**) 11-12-2007, 09:38 PM

Quote:

Originally Posted by n000b

I've made a patch for 1.1.2 lockdownd so you don't have to use the old 1.1.1 patch.

The patched lockdownd may be downloaded from:

/*removed due to copyright */
(remove the underscores)

Here's what was patched:

Code:

FileOfs    Original    Patched
C5C1:	  00	    40
C5C2:	  54	    A0
C5C8:	  04	    00
C5CA:	  00	    A0
C5CB:	  1A	    E1
C5CC:	  01	    00
C5D4:	  88	    EC

I use it on my 1.1.2 (upgraded from 1.0.2), and while it activates the phone immediately without problem, my SilverCard (16F877+24C64) still doesn't work. I'm still not sure if this is caused by the new modem or if I missed any point in the patching.

Are you sure about this? I've been looking into that and my findings are a little different.

Besides, there's something wrong about the opcodes you've provided for the original/virgin lockdownd. They don't match the ones from binary that comes with the 1.1.2 restore image.

Cheers.

n000b · #3 (**permalink**) 11-13-2007, 02:43 AM

Quote:

Originally Posted by brasuco

Are you sure about this? I've been looking into that and my findings are a little different.

Besides, there's something wrong about the opcodes you've provided for the original/virgin lockdownd. They don't match the ones from binary that comes with the 1.1.2 restore image.

Cheers.

I don't think the opcodes were wrong, although I fetched the lockdownd from a restored phone, not from the restore image directly. Please check the following snippets:

Before the patch:

Code:

__text:0000D5A8 B0 26 9F E5                 LDR     R2, =off_EE99C
__text:0000D5AC 06 00 A0 E1                 MOV     R0, R6
__text:0000D5B0 00 10 A0 E3                 MOV     R1, #0
__text:0000D5B4 00 20 92 E5                 LDR     R2, [R2]
__text:0000D5B8 00 20 92 E5                 LDR     R2, [R2]
__text:0000D5BC 01 E5 FF EB                 BL      sub_69C8
__text:0000D5C0 00 00 54 E3                 CMP     R4, #0
__text:0000D5C4 00 80 A0 E1                 MOV     R8, R0
__text:0000D5C8 04 00 00 1A                 BNE     loc_D5E0
__text:0000D5CC 01 30 A0 E3                 MOV     R3, #1
__text:0000D5D0 08 30 8D E5                 STR     R3, [SP,#0x2C+var_24]
__text:0000D5D4 88 36 9F E5                 LDR     R3, =unk_EFBE0
__text:0000D5D8 18 00 8D E8                 STMEA   SP, {R3,R4}
__text:0000D5DC CA 00 00 EA                 B       loc_D90C

After the patch:

Code:

__text:0000D5A8 B0 26 9F E5                 LDR     R2, =off_EE99C
__text:0000D5AC 06 00 A0 E1                 MOV     R0, R6
__text:0000D5B0 00 10 A0 E3                 MOV     R1, #0
__text:0000D5B4 00 20 92 E5                 LDR     R2, [R2]
__text:0000D5B8 00 20 92 E5                 LDR     R2, [R2]
__text:0000D5BC 01 E5 FF EB                 BL      sub_69C8
__text:0000D5C0 00 40 A0 E3                 MOV     R4, #0
__text:0000D5C4 00 80 A0 E1                 MOV     R8, R0
__text:0000D5C8 00 00 A0 E1                 NOP
__text:0000D5CC 00 30 A0 E3                 MOV     R3, #0
__text:0000D5D0 08 30 8D E5                 STR     R3, [SP,#0x2C+var_24]
__text:0000D5D4 EC 36 9F E5                 LDR     R3, =unk_EFC50
__text:0000D5D8 18 00 8D E8                 STMEA   SP, {R3,R4}
__text:0000D5DC CA 00 00 EA                 B       loc_D90C

WinHex's file compare result:

Code:

Search for differences

1. C:\iPhone\lockdownd\lockdownd_112_original\lockdownd: 996,440 bytes
2. C:\iPhone\lockdownd\lockdownd_112_patched\lockdownd: 996,440 bytes
Offsets: hexadec.

 C5C1:	00	40
 C5C2:	54	A0
 C5C8:	04	00
 C5CA:	00	A0
 C5CB:	1A	E1
 C5CC:	01	00
 C5D4:	88	EC

7 difference(s) found.

brasuco · #4 (**permalink**) 11-13-2007, 03:09 AM

Quote:

Originally Posted by n000b

I don't think the opcodes were wrong, although I fetched the lockdownd from a restored phone, not from the restore image directly. Please check the following snippets:

Before the patch:

Code:

__text:0000D5A8 B0 26 9F E5                 LDR     R2, =off_EE99C
__text:0000D5AC 06 00 A0 E1                 MOV     R0, R6
__text:0000D5B0 00 10 A0 E3                 MOV     R1, #0
__text:0000D5B4 00 20 92 E5                 LDR     R2, [R2]
__text:0000D5B8 00 20 92 E5                 LDR     R2, [R2]
__text:0000D5BC 01 E5 FF EB                 BL      sub_69C8
__text:0000D5C0 00 00 54 E3                 CMP     R4, #0
__text:0000D5C4 00 80 A0 E1                 MOV     R8, R0
__text:0000D5C8 04 00 00 1A                 BNE     loc_D5E0
__text:0000D5CC 01 30 A0 E3                 MOV     R3, #1
__text:0000D5D0 08 30 8D E5                 STR     R3, [SP,#0x2C+var_24]
__text:0000D5D4 88 36 9F E5                 LDR     R3, =unk_EFBE0
__text:0000D5D8 18 00 8D E8                 STMEA   SP, {R3,R4}
__text:0000D5DC CA 00 00 EA                 B       loc_D90C

After the patch:

Code:

__text:0000D5A8 B0 26 9F E5                 LDR     R2, =off_EE99C
__text:0000D5AC 06 00 A0 E1                 MOV     R0, R6
__text:0000D5B0 00 10 A0 E3                 MOV     R1, #0
__text:0000D5B4 00 20 92 E5                 LDR     R2, [R2]
__text:0000D5B8 00 20 92 E5                 LDR     R2, [R2]
__text:0000D5BC 01 E5 FF EB                 BL      sub_69C8
__text:0000D5C0 00 40 A0 E3                 MOV     R4, #0
__text:0000D5C4 00 80 A0 E1                 MOV     R8, R0
__text:0000D5C8 00 00 A0 E1                 NOP
__text:0000D5CC 00 30 A0 E3                 MOV     R3, #0
__text:0000D5D0 08 30 8D E5                 STR     R3, [SP,#0x2C+var_24]
__text:0000D5D4 EC 36 9F E5                 LDR     R3, =unk_EFC50
__text:0000D5D8 18 00 8D E8                 STMEA   SP, {R3,R4}
__text:0000D5DC CA 00 00 EA                 B       loc_D90C

WinHex's file compare result:

Code:

Search for differences

1. C:\iPhone\lockdownd\lockdownd_112_original\lockdownd: 996,440 bytes
2. C:\iPhone\lockdownd\lockdownd_112_patched\lockdownd: 996,440 bytes
Offsets: hexadec.

 C5C1:	00	40
 C5C2:	54	A0
 C5C8:	04	00
 C5CA:	00	A0
 C5CB:	1A	E1
 C5CC:	01	00
 C5D4:	88	EC

7 difference(s) found.

It seems I forgot to subtract 0x1000 from the IDA offset, sorry (I always forget that)!

Now that you posted the code things gotten more clear. We basically have the same thing with a minor difference. As soon as you or me (or someone else) patches it nicely I'll be able to assemble a newer version of CARNAVAL.

That's kindda the last thing.

I haven't been able to test my patch yet, as soon as I test it out I'll post it here.

I'll let you know what I find out.

Cheers.

n000b · #5 (**permalink**) 11-13-2007, 03:18 AM

Quote:

Originally Posted by brasuco

It seems I forgot to subtract 0x1000 from the IDA offset, sorry (I always forget that)!

Now that you posted the code things gotten more clear. We basically have the same thing with a minor difference. As soon as you or me (or someone else) patches it nicely I'll be able to assemble a newer version of CARNAVAL.

That's kindda the last thing.

I haven't been able to test my patch yet, as soon as I test it out I'll post it here.

I'll let you know what I find out.

Cheers.

Heh, that 0x1000 thing has got me several times

Waiting for yr next unlocking batch, good luck! BTW, what's its name gonna be this time?

Vger · #6 (**permalink**) 11-13-2007, 05:02 AM

Working excellent here with TurboSIM! Thank you very much!!

Quote:

Originally Posted by n000b

I use it on my 1.1.2 (upgraded from 1.0.2), and while it activates the phone immediately without problem, my SilverCard (16F877+24C64) still doesn't work. I'm still not sure if this is caused by the new modem or if I missed any point in the patching.

Check the iphone-elite Wiki!