(As I said in the other thread, I'm not offering a set amount, it just depends on how clear you are. Please leave your PayPal e-mail if you would like to get paid)

Well, somehow my thread that I made before is gone. Just disappeared. Don't know if something happened to the servers or if a mod just decided to delete it. If so, you could have just moved it or something, honestly the guy that replied made a long detailed response, you didn't have to just shitcan it...Anyway, this is what I want to figure out:

Basically, I have seen very many patches by people that are very good with this type of thing (Unlock all locales, Lockdownd, File:// in Safari). I have found different values in different files I want to enable, but don't know how. I am looking into Assembly, so that shouldn't be too big of a problem, but I really am having a hard time with this. Here are some examples of people that know what they're doing:

http://george.zjlotto.com/index.php/...sions/#more-16 - This is a bit simpler, at first. Scroll down to the 1.1.2 part, that is what I am looking at. You will see the disabling of Brick Mode requires 0x01 to be changed to 0x00. Makes sense, right? It's like flipping a switch. Then there is changing to 0xEA from either 0x1A or 0x0A, depending on which you are looking at. I mostly understand this part, thanks to someone who posted in the other thread, but it would be awesome if someone could clarify. Then there is the bits where Unactivated is changed to FactoryActivated. I understand that these parts are all seperate things with seperate meanings, but what I don't understand is how those specific bytes were found (I have a copy of the 1.1.2 lockdownd so telling me how to find them in IDA Pro with the file in hand would be useful).

http://george.zjlotto.com/index.php/...en-local-file/ - I'm probably an idiot, because this explained quite a bit. Plus, I noticed those familiar bits, 0x0A changing to 0xEA, and the replier to my old thread explained this a bit, but I'm not sure when you would know when this works.

Finally, here is a snippet from IDA View A of the part that I want to enable (I kept some of the surrounding things just in case they are important too). The part I want to enable is in bold:

410 LDR R2, [PC,R2]
__text:00002414 LDR R1, [R4]
__text:00002418 LDR R2, [R2]
__text:0000241C BL _objc_msgSend
__text:00002420
__text:00002420 loc_2420 ; CODE XREF: sub_2200+1E4j
__text:00002420 LDR R6, =(off_11454 - 0x2430)
__text:00002424 LDR R4, =(off_11018 - 0x2434)
__text:00002428 ADD R6, PC, R6
__text:0000242C ADD R4, PC, R4
__text:00002430 LDR R0, [R6]
__text:00002434 LDR R1, [R4]
__text:00002438 BL _objc_msgSend
__text:0000243C LDR R1, =(off_11060 - 0x2448)
__text:00002440 LDR R1, [PC,R1] ; "allowSIMToolkitMenu"
__text:00002444 BL _objc_msgSend
__text:00002448 TST R0, #0xFF
__text:0000244C BNE loc_246C
__text:00002450 LDR R2, =(_kSettingsSIMToolkitButtonID_ptr - 0x2460)
__text:00002454 LDR R1, =aSetprompt
__text:00002458 LDR R2, [PC,R2]
__text:0000245C MOV R0, R5
__text:00002460 LDR R1, [PC,R1] ; "removeSpecifierID:"
__text:00002464 LDR R2, [R2]
__text:00002468 BL _objc_msgSend
__text:0000246C
__text:0000246C loc_246C ; CODE XREF: sub_2200+24Cj
__text:0000246C LDR R1, [R4]
__text:00002470 LDR R0, [R6]
__text:00002474 BL _objc_msgSend
__text:00002478 LDR R1, =aAddobject
__text:0000247C LDR R1, [PC,R1] ; "simIsPresent"
__text:00002480 BL _objc_msgSend
__text:00002484 TST R0, #0xFF
__text:00002488 MOVEQ R4, #1
__text:0000248C BEQ loc_2564
__text:00002490 LDR R2, =(_kSettingsCarrierServicesID_ptr - 0x24A0)
__text:00002494

Not sure what you are trying to do but you might want to replace the "BNE loc_246C" instruction (06 00 00 1A) with a "NOP" instruction (00 00 A0 E1).

I don't see what you are tying to do aswell, but yeah I agree with Tim on this one. If you replace "BNE loc_246C" with "NOP" you should be on your way. Is this anything to do with the SIM Applications?

Thank you for your replies. What I am trying to do is learn how to do things like that. Like in this instance, how did you get that answer? To me, the bytes that you say I should change the originals to seem like random bytes to me, but they must have some meaning? Is it some other format that is converted to hex?

Originally Posted by ChronicProductions

Thank you for your replies. What I am trying to do is learn how to do things like that. Like in this instance, how did you get that answer? To me, the bytes that you say I should change the originals to seem like random bytes to me, but they must have some meaning? Is it some other format that is converted to hex?

http://en.wikipedia.org/wiki/ARM_architecture

Wait a minute, I see what you did there! It looks like that there is a way that the Assembly code can me converted to hex! Well I knew that, since obvously I'm reading it in a hex editor, but the way you say it makes it seem like there is a way to tell where a certain ARM instruction in in a hex file. Is this true or did you find out the hex by other means? Also, going to offset 0x2200 is the wrong one it appears, because I can not find the code that you mention in my hex editor. Thank you guys so much for the help, this is making much more sense

Nevermind, I found the offset. The one question I have though, how do you convert the Assembly command into hex? Like you turned BEQ into 06 00 00 1A...is there some kind of converter for that? Again, thanks very much. +1 for both of you.

Originally Posted by ChronicProductions

Nevermind, I found the offset. The one question I have though, how do you convert the Assembly command into hex? Like you turned BEQ into 06 00 00 1A...is there some kind of converter for that? Again, thanks very much. +1 for both of you.

Hi ChronicProductions,

Since you mentioned my blog george.zjlotto.com, I think I need to make some explanations. The disassembly you see in IDA Pro can be considered as "Assembly Language", while the hex you see is the same thing written in "Machine Language".

For example, in assembly language, BEQ means "Branch if EQual", which may convert to an opcode 0x0A in machine language, the B instruction (which means "Branch unconditionally") may convert to an opcode 0xEA. That's why the 0x0A is patched to 0xEA in MobileSafari patch article, it makes the execution jump at that location regardless of the comparison result.

To get the details on how to convert an assembly language instruction into machine language opcode/operands or vice versa, you need to read the ARM reference manuals.

Hope that helps.

George

Originally Posted by n000b

Hi ChronicProductions,

Since you mentioned my blog george.zjlotto.com, I think I need to make some explanations. The disassembly you see in IDA Pro can be considered as "Assembly Language", while the hex you see is the same thing written in "Machine Language".

For example, in assembly language, BEQ means "Branch if EQual", which may convert to an opcode 0x0A in machine language, the B instruction (which means "Branch unconditionally") may convert to an opcode 0xEA. That's why the 0x0A is patched to 0xEA in MobileSafari patch article, it makes the execution jump at that location regardless of the comparison result.

To get the details on how to convert an assembly language instruction into machine language opcode/operands or vice versa, you need to read the ARM reference manuals.

Hope that helps.

George

Thank you for the information George. In IRC when I was asking about this, pumpkin gave me a link to a script called 'pumpkins pet assembler', I'll PM you a link to prevent abuse to it, but I was wondering if this would be able to convert the assembly code to machine code, since that's what he said but appearently I need more parameters than BEQ but the only other thing on the line, koc_25B8, isn't a parameter. So if you have any understanding of that that would be cool. Also, do you know of any good links to learn these commands? Thanks

The details are all in ARM reference manuals. From your questions, I assume you might need to learn some assembly language basics though.