IPSF reversing started any help ;)

deepdark · #1 (**permalink**) 09-11-2007, 01:17 PM

so this is a little info about the executable inside:

Code:

seg000:00010930  41 70 70 6C 65 42 61 73  65 62 61 6E 64 00 00 00  AppleBaseband...
seg000:00010940  25 64 2E 25 64 2E 25 64  00 00 00 00 00 00 00 00  %d.%d.%d........
seg000:00010950  4C 61 75 6E 63 68 43 46  4D 41 70 70 00 00 00 00  LaunchCFMApp....

so they are basicly uploading the baseband form DEvteam and ... lets see whats inside

pendalf · #2 (**permalink**) 09-11-2007, 01:21 PM

do you thing, they just compare the imei from the iphone to the imei list on the server and stop the soft till it is confirmed.

or does they send some stuff to the iphone to continue...???

deepdark · #3 (**permalink**) 09-11-2007, 01:22 PM

i think that this is the procesure of taking the Phone IMEI and SERIAL

Code:

seg000:000128B0  2F 62 69 6E 2F 6C 61 75  6E 63 68 63 74 6C 20 6C  /bin/launchctl l
seg000:000128C0  6F 61 64 20 2F 53 79 73  74 65 6D 2F 4C 69 62 72  oad /System/Libr
seg000:000128D0  61 72 79 2F 4C 61 75 6E  63 68 44 61 65 6D 6F 6E  ary/LaunchDaemon
seg000:000128E0  73 2F 63 6F 6D 2E 61 70  70 6C 65 2E 43 6F 6D 6D  s/com.apple.Comm
seg000:000128F0  43 65 6E 74 65 72 2E 70  6C 69 73 74 00 00 00 00  Center.plist....
seg000:00012900  44 45 56 5F 49 43 45 5F  4D 4F 44 45 4D 5F 30 33  DEV_ICE_MODEM_03
seg000:00012910  2E 31 34 2E 30 38 5F 47  00 00 00 00 00 00 00 00  .14.08_G........
seg000:00012920  44 45 56 5F 49 43 45 5F  4D 4F 44 45 4D 5F 30 33  DEV_ICE_MODEM_03
seg000:00012930  2E 31 32 2E 30 36 5F 47  00 00 00 00 00 00 00 00  .12.06_G........

deepdark · #4 (**permalink**) 09-11-2007, 01:27 PM

and the App is connection to the unlock server :

Code:

seg000:00012A60  62 79 74 65 73 00 00 00  00 00 00 00 00 00 00 00  bytes...........
seg000:00012A70  6C 65 6E 67 74 68 00 00  00 00 00 00 00 00 00 00  length..........
seg000:00012A80  69 6E 69 74 57 69 74 68  42 79 74 65 73 3A 6C 65  initWithBytes:le
seg000:00012A90  6E 67 74 68 3A 00 00 00  00 00 00 00 00 00 00 00  ngth:...........
seg000:00012AA0  73 65 74 48 54 54 50 4D  65 74 68 6F 64 3A 00 00  setHTTPMethod:..
seg000:00012AB0  55 52 4C 57 69 74 68 53  74 72 69 6E 67 3A 00 00  URLWithString:..
seg000:00012AC0  73 65 74 55 52 4C 3A 00  00 00 00 00 00 00 00 00  setURL:.........
seg000:00012AD0  73 65 74 43 61 63 68 65  50 6F 6C 69 63 79 3A 00  setCachePolicy:.
seg000:00012AE0  73 65 74 54 69 6D 65 6F  75 74 49 6E 74 65 72 76  setTimeoutInterv
seg000:00012AF0  61 6C 3A 00 00 00 00 00  00 00 00 00 00 00 00 00  al:.............
seg000:00012B00  73 65 74 56 61 6C 75 65  3A 66 6F 72 48 54 54 50  setValue:forHTTP
seg000:00012B10  48 65 61 64 65 72 46 69  65 6C 64 3A 00 00 00 00  HeaderField:....
seg000:00012B20  73 65 74 48 54 54 50 42  6F 64 79 3A 00 00 00 00  setHTTPBody:....
seg000:00012B30  73 65 6E 64 53 79 6E 63  68 72 6F 6E 6F 75 73 52  sendSynchronousR
seg000:00012B40  65 71 75 65 73 74 3A 72  65 74 75 72 6E 69 6E 67  equest:returning
seg000:00012B50  52 65 73 70 6F 6E 73 65  3A 65 72 72 6F 72 3A 00  Response:error:.
seg000:00012B60  73 74 61 74 75 73 43 6F  64 65 00 00 00 00 00 00  statusCode......
seg000:00012B70  64 6F 6D 61 69 6E 00 00  00 00 00 00 00 00 00 00  domain..........
seg000:00012B80  63 6F 64 65 00 00 00 00  00 00 00 00 00 00 00 00  code............
seg000:00012B90  6C 6F 63 61 6C 69 7A 65  64 44 65 73 63 72 69 70  localizedDescrip
seg000:00012BA0  74 69 6F 6E 00 00 00 00  00 00 00 00 00 00 00 00  tion............
seg000:00012BB0  71 34 38 31 33 36 32 30  36 32 30 34 38 32 34 32  q481362062048242
seg000:00012BC0  31 34 31 33 35 32 31 39  32 31 32 31 38 33 32 31  1413521921218321
seg000:00012BD0  39 33 31 38 36 31 30 38  31 37 37 39 33 34 31 31  9318610817793411
seg000:00012BE0  32 39 31 34 30 3A 00 00  00 00 00 00 00 00 00 00  29140:..........
seg000:00012BF0  71 31 38 33 32 34 37 32  35 30 31 33 39 31 35 33  q183247250139153
seg000:00012C00  32 31 39 32 34 39 32 33  31 37 38 32 34 33 38 31  2192492317824381
seg000:00012C10  38 32 31 38 39 31 35 39  39 33 33 38 33 34 39 31  8218915993383491
seg000:00012C20  39 30 32 31 33 3A 00 00  00 00 00 00 00 00 00 00  90213:..........

etc .. ect 

and  communication

seg000:00013240  32 39 30 33 35 39 33 35  31 32 30 30 31 34 39 31  2903593512001491
seg000:00013250  30 31 37 31 37 00 00 00  00 00 00 00 00 00 00 00  01717...........
seg000:00013260  76 31 36 40 30 3A 34 72  2A 38 72 2A 31 32 00 00  v16@0:4r*8r*12..
seg000:00013270  69 31 36 40 30 3A 34 2A  38 49 31 32 00 00 00 00  i16@0:4*8I12....
seg000:00013280  63 31 32 40 30 3A 34 72  2A 38 00 00 00 00 00 00  c12@0:4r*8......
seg000:00013290  69 32 34 40 30 3A 34 49  38 2A 31 32 49 31 36 2A  i24@0:4I8*12I16*
seg000:000132A0  32 30 00 00 00 00 00 00  00 00 00 00 00 00 00 00  20..............
seg000:000132B0  69 31 32 40 30 3A 34 49  38 00 00 00 00 00 00 00  i12@0:4I8.......
seg000:000132C0  2A 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  *...............
seg000:000132D0  40 22 4E 53 44 61 74 61  22 00 00 00 00 00 00 00  @"NSData".......
seg000:000132E0  40 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  @...............
seg000:000132F0  5B 32 35 36 43 5D 00 00  00 00 00 00 00 00 00 00  [256C]..........
seg000:00013300  69 70 68 6F 6E 65 73 69  6D 66 72 65 65 2E 63 6F  iphonesimfree.co
seg000:00013310  6D 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  m...............

come on some TCP dump anybody....

Diet · #5 (**permalink**) 09-11-2007, 01:27 PM

Quote:

Originally Posted by deepdark

so they are basicly uploading the baseband form DEvteam and ... lets see whats inside

I think the much more interesting question is how they do the upload without using the testpoint method of geohot ...
And probably they do not upload the complete baseband firmware since this would take much longer than the time the unlocking application is actually running. So I assume they only patch the necessary bytes in the baseband firmware (provided that is possible without deleting/reflashing).

deepdark · #6 (**permalink**) 09-11-2007, 01:32 PM

t think that they know exactly yhe adress of the baseband where to attack on him so we shuld find the TRACE from which part of baseband they are putting???

here is the IDA-View-A and HEx View-A use IDA 5

http://rapidshare.com/files/54907656/bbsimfree.idb

cheers

deepdark · #7 (**permalink**) 09-11-2007, 01:38 PM

Like i analayzed the application is standalone he hase no LINKS to other applications NO IMPORTS and EXPORTS strange ???

rockgyeon · #8 (**permalink**) 09-11-2007, 01:40 PM

maybe compare the original Firmware with Patched Firmware with IPSF ,could find something useful

Diet · #9 (**permalink**) 09-11-2007, 01:45 PM

As I wrote in this post:

Quote:

Originally Posted by MMM

Its working! But for my IPhone it said, that the IPhone already unlocked... (I made HW unlock week ago)

Hey - that's very interesting indeed! That means that they use the same unlock procedure as geohot, i.e. patching the two bytes in the baseband firmware ...
So the only thing we have to find out is how they manage to update these bytes without the testpoint method geohot used.