Understanding the patch (ARM disass questions) (thread in the General forum, Hackint0sh.org)
#1 clipgrp (Newbie, joined Jul 2007)

    Understanding the patch (ARM disass questions)

    So I decided to jump in looking at the assembly to figure out the unlock patch that geohot showed on his blog.

    Basically I took the nor dump.bin, placed it in IDA Pro and used Daeken's utilities to start decompiling, to look at the calling stack and structure.

    The patch basically takes the code at 0x00235148 (in the 1.0.2 full nor dump) which is a

    MOV R0, R4

    and the patch changes it to:

    MOV R0, #0

    So it basically is clearing the R0 register. This subroutine starts at 0x00234FC0.

    I decided to start tracing it up as I want to start hunting for other flags that make the phone think it's unlocked. The routine that appears to call this is at 0x002351D0. This routine seems to totally bypass the check if R0 == 1 (see the branch at 0x002351EC).

    So I am starting to trace this...but I am confused by one thing that I hope someone who understands the baseband chip can help. There are references to numbers like 0xB0157F9C, etc. What are these numbers? They seem to be beyond standard address space, so are they hardware register locations or a ROM area?

    What I am getting at with this is I would like to hunt down the software "holes" and comparisons...maybe even find the actual check.

    Thanks to the dev team and others who have served up this Nor and the patch location...it put me way ahead of the game. ;-)
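The post describes the patch only at the mnemonic level (MOV R0, R4 becomes MOV R0, #0 at 0x00235148). The following is an added example, not code from the thread or from geohot or the dev team: it encodes both ARM instructions from their bit fields, decodes a word back to text so the before/after can be checked, and applies the swap to an image only when the expected original bytes are really there. Assumptions, stated here and in the comments: the routine is in ARM (A32) state rather than Thumb, the image is little-endian, the file offset in nor dump.bin equals the address IDA shows, and the image used below is a constructed zero-filled stand-in, not a real NOR dump.

```python
"""Added example (not from the thread): encode the two ARM instructions the
patch swaps and apply the swap to a NOR image only if the expected bytes are
present.  Assumptions: ARM (A32) state, little-endian image, and file offset
equal to the address shown in IDA (0x00235148)."""
import struct

PATCH_ADDR = 0x00235148            # address of "MOV R0, R4" quoted in the post
COND_AL = 0xE                      # always-execute condition code
OPC_MOV = 0xD                      # data-processing opcode for MOV


def encode_mov_reg(rd: int, rm: int) -> int:
    """A32 'MOV Rd, Rm': cond | I=0 | opcode=1101 | S=0 | Rn=0 | Rd | Rm."""
    return (COND_AL << 28) | (OPC_MOV << 21) | (rd << 12) | rm


def encode_mov_imm(rd: int, imm8: int, rot: int = 0) -> int:
    """A32 'MOV Rd, #imm': I=1, immediate is imm8 rotated right by 2*rot."""
    assert 0 <= imm8 <= 0xFF and 0 <= rot <= 0xF
    return ((COND_AL << 28) | (1 << 25) | (OPC_MOV << 21)
            | (rd << 12) | (rot << 8) | imm8)


def describe(word: int) -> str:
    """Decode an A32 MOV (cond AL, S=0) back to text; anything else is shown raw."""
    if word >> 28 == COND_AL and (word >> 21) & 0xF == OPC_MOV and not (word >> 20) & 1:
        rd = (word >> 12) & 0xF
        if (word >> 25) & 1:                       # immediate form
            imm8, rot = word & 0xFF, (word >> 8) & 0xF
            imm = ((imm8 >> (2 * rot)) | (imm8 << (32 - 2 * rot))) & 0xFFFFFFFF
            return f"MOV R{rd}, #{imm:#x}"
        if (word >> 4) & 0xFF == 0:                # register form, no shift on Rm
            return f"MOV R{rd}, R{word & 0xF}"
    return f".word {word:#010x}"


def patch_word(image: bytearray, offset: int, expected: int, new: int) -> bool:
    """Overwrite one little-endian word only if it still holds `expected`.
    Refusing on a mismatch guards against a wrong offset, a different firmware
    build, or a Thumb routine (whose 16-bit encodings differ from these)."""
    (current,) = struct.unpack_from("<I", image, offset)
    if current != expected:
        return False
    struct.pack_into("<I", image, offset, new)
    return True


def apply_unlock_style_patch(image: bytearray) -> bool:
    """The swap the post describes: MOV R0, R4 -> MOV R0, #0 at PATCH_ADDR."""
    return patch_word(image, PATCH_ADDR, encode_mov_reg(0, 4), encode_mov_imm(0, 0))


def constructed_image() -> bytearray:
    """Constructed stand-in for nor dump.bin: zero-filled, with the original
    instruction planted at PATCH_ADDR.  Not real firmware."""
    img = bytearray(PATCH_ADDR + 4)
    struct.pack_into("<I", img, PATCH_ADDR, encode_mov_reg(0, 4))
    return img


if __name__ == "__main__":
    img = constructed_image()
    before = struct.unpack_from("<I", img, PATCH_ADDR)[0]
    ok = apply_unlock_style_patch(img)
    after = struct.unpack_from("<I", img, PATCH_ADDR)[0]
    print(f"{PATCH_ADDR:#010x}: {describe(before)} ({before:#010x}) -> "
          f"{describe(after)} ({after:#010x}) patched={ok}")
    # A second run must refuse: the expected bytes are no longer there.
    print("second apply:", apply_unlock_style_patch(img))
```

The expected-bytes check is the part worth keeping when doing this on a real dump: if the word at the offset is not 0xE1A00004 the function returns False instead of writing, which is the right outcome when the address came from a different firmware version or when the routine is actually Thumb code and the 32-bit ARM encoding simply does not apply.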



#2 (Professional, UK, joined Jul 2007)

    Quote, originally posted by clipgrp:
        There are references to numbers like 0xB0157F9C, etc. What are these numbers? They seem to be beyond standard address space, so are they hardware register locations or a ROM area?
    Check the NOR flash PDF: it has stacked RAM inside, and this address lies where that RAM is mapped. In this case the address you're looking at represents a public var, either a value or a ptr, visible globally in the code.

#3 (Newbie, joined Jul 2007)

    Excellent...thanks. Would you happen to have a link to that document? Will that document have a memory map of the entire address space (in particular for this NOR)?

    Also, has anyone tried running part of the NOR dump in an ARM simulator like SkyEye or Virtera?
