Baseband 1.45 International (Unlocked) and AT&T (locked) Compare. (Hardware Unlock forum, Hackint0sh.org)
  1. #1 Tamagochi (Rookie, joined Aug 2007)

    Baseband 1.45 International (Unlocked) and AT&T (locked) Compare.

    Hi all,
    I had the chance to have two iPhone 3Gs. One is from 3 Hong Kong, and one is from AT&T. The one from Hong Kong is of course SIM-free (unlocked) and the other is stuck with AT&T.
    I dumped both Intel NOR flash chips, which hold the basebands, using a hardware programmer and carefully compared them in the hope of finding some way to unlock.
    What I could find is:
    - The flash size is 4 times bigger than the old one (16Mb instead of 4Mb).
    - The bootloader 5.8 size is 0x40000 bytes instead of the 0x20000 bytes of bootloaders 3.9 and 4.6. The baseband starts at 0x40000.
    - Both dumped files are identical from 0x000000 to 0xE40000, which is the end of the baseband.
    - I was not able to find any bug but have done the following: wrote the whole unlocked baseband to the locked chip and soldered it back. As a result, I got IMEI 0049xxx; it was predictable because of the wrong IMEI and CHIPID. Next, I did the same but kept the seczone intact. As a result, I got the IMEI, S/N and MAC address back but still got No Service.
    So, the possibilities here are:
    - The lock state is in the seczone, and its position depends on the combination of IMEI+NORID; a wrong modification may cause the 0049xx IMEI.
    - The lock state is in the X-Gold 608 processor, not in the Intel NOR flash. Taking it off the board and reading it is much harder than with the Intel NOR flash.

    Anyone who can help find ways to unlock, feel free to contact me. I can give both dumped files; I can modify and patch these files, rewrite the NOR chip and solder it back with no problem.
    Curious people, please just wait for the professionals.
    Thanks
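The first post compares the two dumps by hand and reports that they are identical up to 0xE40000. The script below makes that comparison repeatable, and it doubles as the read-back check a later post relies on when it says the original dump can always be restored: after reflashing, compare what the chip actually reads back against the backup before trusting it. This is an added example, not code posted in the thread. It assumes the layout the first post gives (bootloader at 0x000000-0x03FFFF, baseband from 0x040000 to 0xE40000, a 16 MB chip) and treats everything after 0xE40000 as one "trailing" region because the page gives no exact seczone offsets; the sample images produced by build_sample_dumps() are constructed, not real baseband data.

```python
"""Region-by-region comparison of two NOR flash dump files.

Added example for this thread, not code posted by anyone in it. The region
table is the layout the first post describes (bootloader 5.8 occupies
0x000000-0x03FFFF, the baseband starts at 0x040000 and ends at 0xE40000, the
chip is 16 MB). Everything after 0xE40000 is treated as a single "trailing"
region because the thread gives no exact seczone offsets; that split, and the
sample images built by build_sample_dumps(), are assumptions/constructed data.
"""
import hashlib
import sys

FLASH_SIZE = 16 * 1024 * 1024  # 16 MB NOR chip, as stated in the thread

# (name, start, end): half-open byte ranges. Boundaries from the first post;
# the "trailing" region is this example's own catch-all for 0xE40000 onwards.
REGIONS = [
    ("bootloader", 0x000000, 0x040000),
    ("baseband",   0x040000, 0xE40000),
    ("trailing",   0xE40000, FLASH_SIZE),
]


def differing_ranges(a, b, start, end, chunk=4096):
    """Return [(first, last_exclusive), ...] offsets where a and b differ in [start, end).

    Equal chunks are skipped with one slice comparison, so a 16 MB image is
    compared in a few thousand steps rather than 16 million Python iterations.
    """
    ranges = []
    run_start = None          # start offset of the current run of differing bytes
    off = start
    while off < end:
        stop = min(off + chunk, end)
        if a[off:stop] == b[off:stop]:
            if run_start is not None:          # an open run ends at this equal chunk
                ranges.append((run_start, off))
                run_start = None
            off = stop
            continue
        for i in range(off, stop):             # chunk differs: walk it byte by byte
            if a[i] != b[i]:
                if run_start is None:
                    run_start = i
            elif run_start is not None:
                ranges.append((run_start, i))
                run_start = None
        off = stop
    if run_start is not None:                  # run reaches the end of the region
        ranges.append((run_start, end))
    return ranges


def compare_dumps(original, reread, regions=REGIONS):
    """Compare two equally sized dumps region by region.

    Returns {region_name: {"identical": bool, "sha256_a": hex, "sha256_b": hex,
    "diffs": [(first, last_exclusive), ...]}}.
    """
    if len(original) != len(reread):
        raise ValueError("dumps differ in size: %d vs %d bytes" % (len(original), len(reread)))
    report = {}
    for name, start, end in regions:
        end = min(end, len(original))
        diffs = differing_ranges(original, reread, start, end)
        report[name] = {
            "identical": not diffs,
            "sha256_a": hashlib.sha256(original[start:end]).hexdigest(),
            "sha256_b": hashlib.sha256(reread[start:end]).hexdigest(),
            "diffs": diffs,
        }
    return report


def format_report(report):
    """Render compare_dumps() output as text lines: one per region plus one per differing range."""
    lines = []
    for name, info in report.items():
        status = "identical" if info["identical"] else "%d differing range(s)" % len(info["diffs"])
        lines.append("%-10s %s" % (name, status))
        for first, last in info["diffs"]:
            lines.append("  0x%06X-0x%06X (%d bytes)" % (first, last - 1, last - first))
    return lines


def build_sample_dumps():
    """Constructed sample: a patterned 16 MB 'backup' and a 'read-back' copy with three edits.

    Not real baseband data; the edit offsets are arbitrary except that two of
    them fall inside the 0xE80000-0xFCFC01 area the thread argues about.
    """
    original = bytes(range(256)) * (FLASH_SIZE // 256)
    reread = bytearray(original)
    reread[0x123456] ^= 0xFF                        # one flipped byte inside the baseband
    reread[0xE80000:0xE80010] = b"\xAA" * 16        # 16 changed bytes at 0xE80000
    reread[0xFCFC00] ^= 0x01                        # one changed byte at 0xFCFC00
    return original, bytes(reread)


if __name__ == "__main__":
    if len(sys.argv) == 3:                          # python nor_diff.py backup.bin readback.bin
        with open(sys.argv[1], "rb") as f_a, open(sys.argv[2], "rb") as f_b:
            dumps = (f_a.read(), f_b.read())
    else:
        dumps = build_sample_dumps()
    print("\n".join(format_report(compare_dumps(*dumps))))
```

Run it with two real dump files as arguments, or with none to see the constructed sample; a region whose two SHA-256 values match and whose diff list is empty is the only state in which "I restored the backup" is actually true for that region.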



  2. #2 ta_mobile (Senior Professional, joined Sep 2007, HaNoi - VietNam)

    haha, bro. Finally found one guy doing the Dev's laughing things like me.

    I have just done all you did and more, and put the X-Gold in and out many times. Same result, but more information.

    Please contact me. We will share more information.

    @Dev team: please don't forget us.

    PS: Tamagochi, don't you think 0xE80000 to 0xFCFC01 is interesting?

  3. #3 iPhone Moderator (joined Dec 2007)

    Nice work guys. Keep it up!

  4. #4 ta_mobile (Senior Professional, joined Sep 2007, HaNoi - VietNam)

    Quote Originally Posted by Tamagochi View Post (post #1, quoted in full)
    Latest news: after making some modifications on the so-called International phone BB, mine seems to be locked forever, even though I made a full backup dump and restored it. So you should be very careful.

    Here is the proof.

    Anyone feel sorry for my $1400?

  5. #5 Jedi Admin (joined Sep 2007, sao paulo, brasil)

    ta

    I hear you can get the fls files through the tmp when doing pwnage.

    N41


  6. #6 Newbie (joined Aug 2008)

    ouch, that's some sad money, ta.
    Thanks for everything though; keep it coming and I'm sure we'll soon have a software unlock.

  7. #7 Respected Professional (joined Sep 2007)

    I put up the 2.1 5f90 keys here if anyone wants them. You want the restore ramdisk one, because the firmware is in there.

    http://www.theiphonewiki.com/wiki/in...MG3_Keys_/_IVs

    Use 'xpwntool' to decrypt them; if you use openssl it's messy.

  8. #8 Tamagochi (Rookie, joined Aug 2007)

    @ta: I did not find anything interesting in 0xE80000:0xFCFC01; it's outside the seczone and I had overwritten it with the International version. I don't think it plays any important role.
    In your case I think you have damaged some other parts on the comm board or did not solder the NOR chip properly. It cannot be "locked forever" since you can restore the original dump file. Let's try again, man!

  9. #9 ta_mobile (Senior Professional, joined Sep 2007, HaNoi - VietNam)

    Quote Originally Posted by Tamagochi View Post (post #8, quoted in full)
    Thanks. But do you know about the international phone in two conditions, an iTunes-activated dump and a pwned-activated dump? The area from 0xE8 to 0xFC will be changed, bro. Isn't it interesting?

    And if you think my hardware skill is not enough to be sure about the block, you can try this and don't tell me I harmed your phone: put the X-Gold and NOR pair from a locked one in the international phone, then restore the original DFU 2.0, sync iTunes... after that, put back the original. Tell me the result please.

  10. #10 Tamagochi (Rookie, joined Aug 2007)

    Quote Originally Posted by ta_mobile View Post (post #9, quoted in full)
    @ta: I respect your hardware skill; yes, I know not everyone can do that. I will try to follow your advice; don't tell me that my International 3G will become AT&T-locked or locked forever. Actually, when you do a full restore there will be some log information in the NOR flash. In my opinion it does not affect anything in the lock state.
    Last edited by Tamagochi; 08-07-2008 at 02:02 PM.

