Yes, I know that this is more of a hardware than a software method, but who cares; what I want is to unlock the phone.
Skippy
Ask TA_Mobile
He knows how to do it; send him a PM, he's gonna answer you.
The bootloader is on the first 2 blocks of the baseband NOR.
Just reprogram it with the 3.9 bootloader and put it back.
cheers,
cRACKn
Hi,
Are you sure? Why not reprogram the baseband?
Do you know where I can get a binary bootloader file to use with the programmer?
Regards,
Skippy
[QUOTE=crackn;213136]the bootloader is on the first 2 blocks of the baseband nor.
just reprogram it with 3.9 Bootloader and put it back.
cheers,
cRACKn[/QUOTE]
With A17, the bootrom checks the one off-set locations, located in the main firmware, which is writable, unlike the bootloader. So taking the secpack from the modem firmware/version your iPhone has, and making those one off-set locations from blank [0xFFFFFFFF], means you can proceed. This is what iEraser does, correct? Then you need to patch the firmware from the above NOR dump with the documented offsets. Then the program testcode.bb needs to be uploaded to the baseband via the above bootrom exploit, and the program (iUnlocker, iunew, etc., whatever) run in the same dir as the above-mentioned NOR.
So, did Apple close this exploit in the 1.1.3 bootrom? Or does it still read from the same addresses as before? If it's the same, then nothing is preventing this with 1.1.3 firmware, correct?
If it was as easy as using the 3.9 bootloader, then why is only TA_Mobile doing it? Please help me understand. Thanks.
Eric Jarvies
Guys:
So the main goal here is to try to find an exploit for BL4.6 or to downgrade to BL3.9?
So, why at this time on an OTB113 is it impossible to downgrade the BL? And why is it so difficult to find an exploit for BL46?
What do we need to perform in each case?
Rgds!
Federico