I bought an 8GB iPhone 3G with a shattered screen planing to fix it. Sadly it turned out that the cracked glass wasn't all that's wrong with this phone. Firmware upgrades mostly end in a 1002 error and I get no Wi-Fi, no reception and no bluetooth. I've spent five days (and the better part of five nights) trying to fix this one.

I've tried just about every firmware and jailbreak there is. After generating 70+ iPhoneUpdater logs each one taking about 25 minutes to create I'm out of ideas. Please help!

Below are a few lines from a typical iPhoneUpdater log that I find especially interesting:

Code:

radio-error = 256
radio-error-string = 'Corrupted stack'

AMDeviceIoControl: failed, error 31, usbd status c0000004
USBControlTransfer: error 0, usbd status c0000004

<Restore Device 03791A28>: operation 19 progress -1
device returned AMR error 1002

I believe that operation 19 is a baseband upgrade. It takes about 10-15 minutes and is probably the source of the 1002 error. When iTunes finishes/gives up the restore, it spits out a whole lot of lines beginning with:

Code:

==== device restore output ====

Everything looks OK until it tries to Ping. It tries around 46 times, resetting and powercycling the baseband about 7 times. After the failed pings it says:

Code:

Modem appears to not be responding. Continuing to update with available firmware
		Firmware Version: Unknown
		EEP Version: Unknown
		EEP Revision: Unknown
		Boot Loader Version: Unknown or None
		FLS/EEP Mismatch: Mismatch
Configuring Hardware Mux...OK

It repeats the pinging a few times and then:

Code:

BEGINNING BOOT
-------------------------------------------------------------------------------
Sending boot code...Powering radio on through AppleBaseband
OK
Automagic-ing firmware from path /usr/local/standalone/firmware...
	- FLS file /usr/local/standalone/firmware/ICE2_04.26.08.fls and EEP file /usr/local/standalone/firmware/ICE2_04.26.08.eep are available
Automagic-ing firmware from path /usr/local/standalone/firmware -- All OK

Version ICE2-04.26.08 is available
Deciding whether to update or not...
	- Loaded version is unknown, updating anyway.
Deciding whether to update or not -- All OK
Reading Reference file /usr/local/standalone/firmware/ICE2_04.26.08.fls...OK
Sending EBL Loader...
	Sending EBL Loader Length...OK
	Sending EBL Loader Data...OK
	Sending EBL Loader Checksum...OK
Sending EBL Loader -- All OK
Sending EBL...
	Sending EBL Length...OK
	Sending EBL Data and Checksum...OK
Sending EBL -- All OK
Getting EBL Version......OK
	- Boot Mode 0xCC
	- EBL Version Major/Minor: 6.2
	- EBL Version 'ICE2_RAM_B'
	- Flashing Compression: 0, CRC Type: 0, CRC Method: 1
Reading Reference file /usr/local/standalone/firmware/ICE2_04.26.08.fls...OK
Sending Protocol configuration...OK
Sending Flash ID...OK
Doing CFI Stage 1...OK
Doing CFI Stage 2...OK
-------------------------------------------------------------------------------
 DONE BOOT
-------------------------------------------------------------------------------
Getting software version of file /usr/local/standalone/firmware/ICE2_04.26.08.fls...OK
Increasing baud rate to 921600...OK
Validating EBL Version...OK
-------------------------------------------------------------------------------
 SENDING FLS FILE: /usr/local/standalone/firmware/ICE2_04.26.08.fls
-------------------------------------------------------------------------------
Loading FLS file /usr/local/standalone/firmware/ICE2_04.26.08.fls...OK
>> Sending Block of type CodeClass(0) from file /usr/local/standalone/firmware/ICE2_04.26.08.fls...
	Beginning Dynamic EEP erase at 0x20E40000 to 0x20EBFFFE...Progress:  0 percent, 0 of 524286Progress:  100 percent, 524286 of 524286. OK
	Sending Security Block...Timed out
Trying again (9 tries left)
Configuring Hardware Mux...OK

It repeats from "BEGINNING BOOT" nine times but always ends with "Sending Security Block...Timed out". It then starts over with the pinging and tries to send security block another nine times (can't blame it for not trying!). Finally it ends with:

Code:

	Sending Security Block...Timed out
Giving up

!!! Exception at :0:
	- BBUReturnTimedOut(10)/2: Command receive error, progress 0 of 6

My conclusion is that iTunes isn't able to update the baseband. After restoring I usually get stuck in the recovery mode loop. I get out of it with iRecovery -s and "setenv auto-boot true". Here are a few interesting lines from iRecovery:

Code:

(Recovery) iPhone$ radio detect
Radio board detected.
(Recovery) iPhone$ radio version
Unknown
(Recovery) iPhone$ radio readnvram
Radio NVRAM Entries:
(Recovery) iPhone$ radio vitals
Radio status is Corrupted stack
ping ok med phasbandupdater

Again we see this Radio Corrupted stack which I believe is the problem. The empty Radio NVRAM is also worrying.

After getting out of the recovery mode loop I can jailbreak and get into the phone. Here are some info from Settings > General > About:

Code:

Network:	Not Available
Carrier:	Not Availible
Wi-Fi Address:	N/A
Bluetooth:	00:00:00:00:00:00
IMEI:
ICCID:
Modem Firmware:

I can get the iPhone to this state on just about every firmware available for the 3G. I've transfered a whole bunch of apps through USB. OpenSSH, Mobile Terminal, Fuzzyband, Bootneuter, etc...
Fuzzyband, Bootneuter, etc. all gets stuck at Querying Modem and similar.

The one thing I did that actually yielded some kind of result was running phasebandowngrader. On firmware 3.0 and 3.1.2 it didn't do much, but on 2.2.1 however it got interesting:

Code:

Validating parameters...OK
Disabling sleep...OK
Powering radio on through AppleBaseband
Opening device path /dev/cu.debug, using initial baud 115200
- Ping OK
Modem appears to not be responding. Continuing to update with available firmware
		Firmware Version: Unknown
		EEP Version: Unknown
		EEP Revision: Unknown
		Boot Loader Version: Unknown or None
		FLS/EEP Mismatch: Mismatch
Configuring Hardware Mux...OK
-------------------------------------------------------------------------------
 BEGINNING BOOT
-------------------------------------------------------------------------------
Sending boot code...OK
Reading Reference file ICE2_02.28.00.fls...OK
Sending EBL Loader...
	Sending EBL Loader Length...OK
	Sending EBL Loader Data...OK
	Sending EBL Loader Checksum...OK
Sending EBL Loader -- All OK
Sending EBL...
	Sending EBL Length...OK
	Sending EBL Data and Checksum...OK
Sending EBL -- All OK
Getting EBL Version......OK
	- Boot Mode 0xCC
	- EBL Version Major/Minor: 6.2
	- EBL Version 'ICE2_RAM_B'
	- Flashing Compression: 0, CRC Type: 0, CRC Method: 1
Reading Reference file ICE2_02.28.00.fls...OK
Sending Protocol configuration...OK
Sending Flash ID...OK
Doing CFI Stage 1...OK
Doing CFI Stage 2...OK
-------------------------------------------------------------------------------
 DONE BOOT
-------------------------------------------------------------------------------
Getting software version of file ICE2_02.28.00.fls...OK
Increasing baud rate to 921600...OK
Validating EBL Version...OK
-------------------------------------------------------------------------------
 SENDING FLS FILE: ICE2_02.28.00.fls
-------------------------------------------------------------------------------
Loading FLS file ICE2_02.28.00.fls...OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls...
	Beginning Dynamic EEP erase at 0x20E40000 to 0x20EBFFFE...Progress:  0 percent, 0 of 524286Progress:  100 percent, 524286 of 524286. OK
	Sending Security Block...Timed out
Trying again (9 tries left)
Configuring Hardware Mux...OK

It tries nine times but "Sending Security Block" always Times out. Finally it Gives up:

Code:

Sending Security Block...Timed out
Giving up

!!! Exception at :0:
	- BBUReturnTimedOut(10)/2: Command receive error, progress 0 of 6
	Re-enabling sleep...OK
___________________________________

Sucess! 
Reboot your device and check your Baseband number. 
It should be 02.28.00 now. Run Yellowsn0w and have fun.

Still it's not able to send the security block what ever that is. But at least it managed to Ping OK! This should mean that the radio unit isn't completely dead?

After booting up something has changed in Settings > General > About:

Code:

Carrier:	(null) (null)
Wi-Fi-address:	N/A
Bluetooth:	00:00:00:00:00:00
IMEI:		XX XXXXXXXXXXX X (censored)
ICCD:		
Modemfirmware:	02.11.07

In this state I once again ran the radio commands from iRecovery but they still didn't show any improvement.

One interesting thing I did was to in iRecovery enter the wifiaddress:

Code:

setenv wifiaddr xx:xx:xx:xx:xx:xx

The wifiaddress I entered then showed up in Settings > General > About. Wifi still didn't work though. I suspect that it needs a few lines more then just the MAC address.

The symptoms of this problem matches almost exactly those of a problem that people had with the 2G iphone. They seem to have fixed it by downgrading to 1.x firmwares and then reflashing the baseband. Sadly I haven't been able to get a 1.x firmware working on my 3G. I've come across a few people with the same problem on the 3G but no one seems to have fixed it.

Sadly the 3G doesn't have a separate communications board so changing the baseband/radio chip would mean changing the whole board. These boards cost more than I payed for the phone so it's not an option.

Desoldering the radio chip and reprogramming it should work, but I can't find anyone with the required tools and skills. Does anyone know where I could get a job like this done?

Any and all input would be much appreciated!

Bump.

Please, I'm out of ideas here so all ideas are welcome!

Time for another update. I've played around a bit more with this phone and tried to keep a detailed log of each step. After cleaning the log a bit this is what's left:

Phasebanddowngrader
19:20 2010-02-07 Flashing fw2.2.1 from DFU mode, iTunes 7.7.
19:48 2010-02-07 Error (1002) as usual.
22:56 2010-02-07 Jailbroke with QuickPWN.
22:56 2010-02-07 Installed mobile terminal through iPhone PC Suite.
22:58 2010-02-07 Phone keeps restarting every 3:rd minute.
23:05 2010-02-07 Moved mobilewatchdog to / and thereby extending reboot period to 10 minutes.
23:30 2010-02-07 Transfered phasebanddowngrader.
23:37 2010-02-07 Executed phasbanddowngrader. Radio wouldn't respond to pings this time. But do note that I have gotten the radio to respond to pings which makes me think that it isn't all dead.
23:41 2010-02-07 After phasebanddowngrader phone displays IMEI and modemfirmware: 02.11.07.

ienew
23:55 2010-02-07 Transfered bbupdater, ICE04.02.13_G.eep, ICE04.02.13_G.fls, ienew, ieraser and secpack to /usr/bin/
00:19 2010-02-08 Tried to run ienew, but it gets instantly killed.
00:40 2010-02-08 Ran the command "sysctl -w security.mac.proc_enforce=0 security.mac.vnode_enforce=0" got "security.mac.proc_enforce: 1 -> 0
security.mac.vnode_enforce: 1 -> 0"
00:42 2010-02-08 Success. ienew isn't killed.
00:47 2010-02-08 Ran ienew, got:
dyld: Library not loaded: /usr/lib/libgcc_s_v6.1.dylib
Referenced from /usr/bin/ienew
Reason: image not found
Trace/BPT trap
07:03 2010-02-08 I hate vfdecrypt on windows! It won't take the keys!
11:33 2010-02-08 Managed to compile a vfdecrypt with keys inside. Now I can decrypt the dmg's.
11:35 2010-02-08 Decrypted just about every firmware from 2.2.1 to 1.0. libgcc_s_v6.1.dylib can be found in 1.1.4 and earlier.
11:46 2010-02-08 ienew won't take any of my libgcc's. Complains about file size etc.
11:52 2010-02-08 Tried a couple of ienew's from other sources but still no go. I'm pretty sure I got ienew to accept a libgcc extracted from a dmg a few weeks ago but I'm unable to recreate it right now. Then I got ienew running but it didn't complete for some reason. I thought I'd try some other secpacks etc. but it doesn't seem like it's gonna happen today.

The main problem is still the 1002 error, no Wi-Fi, no reception and no bluetooth. The problem seems to be the baseband, it's somehow corrupted and all reflashing attempts fails. Perhaps because of some problem with secpack?

A secondary problem that just recently appeared is the constant rebooting. Every third minute. I've done some minor attempts to fix it w/o success.

Hopefully someone will see something I missed. Please share your thoughts and ideas.

why don't you go back to OS 1.1.4? I think your ienew (libgcc_s_v6.1.dylib) problems would go away then.

Is that possible on a 3G? I did try but perhaps not hard enough?

Originally Posted by brokenBB

Is that possible on a 3G? I did try but perhaps not hard enough?

Good point.. I am not paying close enough attention.
I was confused because you were talking about 2G only baseband tools.

Think you might be out of luck software wise...

Yeah, sadly there's not too many 3G baseband tools around so I've resorted to trying out some of the older ones.

I haven't been able to get a version number out of it. I'll give it another try but it'll take a while before I'm in a position where I can do that.

Originally Posted by brokenBB

Yeah, sadly there's not too many 3G baseband tools around so I've resorted to trying out some of the older ones.

I haven't been able to get a version number out of it. I'll give it another try but it'll take a while before I'm in a position where I can do that.

The 2G baseband tools are pretty much going to screw your 3G baseband beyond repair. So just don't touch them.

There aren't many 3G baseband tools because 99% of 3G owners can't make use of such tools. (Baseband Bootloader 5.9 or higher)

My son's 3gs phone seems to have exactly the same problem i.e. failing with 1002 after trying to update and restore. The logs look identical to yours.

I was particularly taken by this: "The main problem is still the 1002 error, ...
A secondary problem that just recently appeared is the constant rebooting. Every third minute."

Maybe this will help but this is what happened to the phone.
1. It was jailbroken I think using a tethered jailbreak
2. It was updated to 3.1.3 which caused it to go into a recovery loop
3. Attempts were made to jailbreak it again
4. iReb was used to get out of the recovery loop
5. No SHSH blobs available to restore to 3.1.2
6. Attempts to restore to 3.1.3 or higher have failed with 1002 error and constant rebooting (every 3 minutes or so). It only started rebooting after this step - at step 5 there was no rebooting. There is no IMEI and no ICCID.

Apple website says it is hardware but this seems unlikely as it was working fine until step 2.

I don't know if any of that will help you. I am still working on trying to fix this but I have no idea how this works. I am just searching for help and being systematic with what I do. Next I will try a custom firmware restore which doesn't reflash the baseband and try reactivating through iTunes (whatever that means...can you tell me a suitable editor for the IPSW files?).

If you do find a cure please post as I am sure I will still be working on this!

Originally Posted by freya105

My son's 3gs phone seems to have exactly the same problem i.e. failing with 1002 after trying to update and restore. The logs look identical to yours.

I was particularly taken by this: "The main problem is still the 1002 error, ...
A secondary problem that just recently appeared is the constant rebooting. Every third minute."

Maybe this will help but this is what happened to the phone.
1. It was jailbroken I think using a tethered jailbreak
2. It was updated to 3.1.3 which caused it to go into a recovery loop
3. Attempts were made to jailbreak it again
4. iReb was used to get out of the recovery loop
5. No SHSH blobs available to restore to 3.1.2
6. Attempts to restore to 3.1.3 or higher have failed with 1002 error and constant rebooting (every 3 minutes or so). It only started rebooting after this step - at step 5 there was no rebooting. There is no IMEI and no ICCID.

Apple website says it is hardware but this seems unlikely as it was working fine until step 2.

I don't know if any of that will help you. I am still working on trying to fix this but I have no idea how this works. I am just searching for help and being systematic with what I do. Next I will try a custom firmware restore which doesn't reflash the baseband and try reactivating through iTunes (whatever that means...can you tell me a suitable editor for the IPSW files?).

If you do find a cure please post as I am sure I will still be working on this!

no IMEI and no ICCID point to hardware problem.

If it is new bootrom (tethered jailbreak means new bootrom) then custom/pwnagetool ipsw will just make things worse. Do not try.

Post your restore log.
http://www.hackint0sh.org/f137/130802.htm
Do you have a 3.1.3 SHSH?