[1.1.2/1.1.3 OTB] Bricked after attempting SW unlock, possible workaround?
Thread in the iPhone "2G" (Rev. 1) forum at Hackint0sh.org (6 posts)
  1. #1 boliva (Advanced member, joined Dec 2007)

    Hi, it's me again with another bricked iPhone

    Like many people on this board, after trying the SW unlock on an OTB 1.1.2 iPhone it crashed and rendered the phone unusable; it's impossible even to restore to 1.1.3 (error 1012). So I have no baseband and always get the 'repair needed' message.

    This is a week 49 (> 47) phone, so it's impossible for me to downgrade to 1.0.2. Given that I have no baseband (and hence no WiFi), the *#307#/jailbreakme.com method is out of the question.

    So what we need is to be able to jailbreak the phone 'manually', which for firmware versions later than 1.0.2 seems to be impossible.

    However, is there any way to spoof the 1.1.1 IPSW restore image to include a jailbroken filesystem for the iPhone and still have it validate? Then we could use iTunes to restore with this hacked image and, even though it can't rewrite the baseband, we would still get a semi-functional brick.

    I know there is vfdecrypt, and the encryption key for 1.1.1 is already known, so that's about half the work. Theoretically we could:

    * Decrypt the 022-3602-17.dmg and open (mount) it
    * Replace the /etc/fstab file inside it to give rw access to the root filesystem
    * Add Term-vt100.app, the BSD Subsystem and the needed tools (gunlock, secpack, .fls, etc.) to the system image
    * Activate the system using a hacked lockdownd or whatever method
    * Re-encrypt the DMG and zip the new IPSW
    * Use it via iTunes to restore

    However, there are a few things I don't know for certain:
    * Is there any way to re-encrypt the DMG file using a given key, like a 'vfencrypt', so that it generates a valid encrypted DMG for the iPhone?
    * Does the restore process have some type of file integrity check? If the DMG is modified, would it still accept it?

    Please, to the people with more technical knowledge about these issues: what do you think about this? Would it ever be possible to create a spoofed IPSW that is already jailbroken and activated?

    Best regards and good luck.
    Last edited by boliva; 02-09-2008 at 08:01 PM.



  2. #2 bigballz (Rookie, joined Aug 2007)

    Are you able to put the phone in DFU mode (not recovery mode)? Then restore it back to 1.1.3. I remember 1.1.3 did fix old bricked iPhones (before it could be unlocked).

  3. #3 Kael008 (Rookie, joined Feb 2008)

    bigballz: That only repairs iPhones with the 04.02.13 baseband. This is about 04.03.13, which hopefully will be repairable by 1.1.4 (if not by anything else)...

    In my opinion it would be more realistic if someone modified 1.0.2 IPSW so it could restore all iPhones. But nobody seems to be working on that, are they?
    Last edited by Kael008; 02-09-2008 at 07:16 PM.

  4. #4 Advanced member, joined Dec 2007 (same profile as #1)

    Quote, originally posted by Kael008:
        In my opinion it would be more realistic if someone modified 1.0.2 IPSW so it could restore all iPhones. But nobody seems to be working on that, are they?

    That would be possible as well, but I don't see anyone working in that direction either. I can't really know what makes phones manufactured after week 47 unable to downgrade to 1.0.2 and stuck at the 'Waiting for iPhone' screen. In some very inconclusive and unscientific (and probably completely wrong) tests I conducted, this issue seems to be related to the 'kernelcache' file inside the IPSW restore image, but I don't know how to manipulate it further.

    Any ideas and help on any of these directions from some of the more 'enlightened' of the community would be greatly appreciated.

  5. #5 Advanced member, joined Dec 2007 (same profile as #1)

    OK, replying to myself here, just to shed some light on the matter (not that it's a breakthrough discovery).

    Looking around inside the 1.0.2 IPSW in the past, one thing that caught my attention was the Restore.plist file (it is an Apple Property List in XML format which describes various parameters to be used in the restore process, and it is present in every IPSW file). In the 1.0.2 IPSW Restore.plist there is a parameter not found in the later restore images (I don't know for certain about previous ones, as I haven't looked into them): a key called 'ForceNANDErase' with a bool value of 'true'. Changing it to 'false', as well as erasing the key and its value completely, has no (visible) effect on the restore process, as it stays stuck on 'Waiting for iPhone' anyway.

    However, doing a comparison with the 1.1.1 and later IPSW files (which do work on week > 47 iPhones), I came across another subtle difference: under the DeviceMap array there are two dictionaries, both with the same keys but with different values. The second occurrence of 'DeviceReleaseNumber' has a value of '4352' in the 1.0.2 IPSW, whereas in 1.1.1 and later it has a value of '4354'. When upping the value from 4352 to 4354 (or any other higher value) in the 1.0.2 IPSW, it then stops right after putting the phone in DFU mode (white screen) with an error 17.

    Later I tried replacing the files inside the Firmware/dfu/ directory found in the 1.0.2 IPSW with the ones from 1.1.1: this time the iPhone passes the 'white screen' but then stays for a while on 'prepping iPhone for restore' (the last two messages in the iPhoneUpdater log file are 'operation 9 progress -1' and 'Recovery mode succeeded'). It then fails with error 1604.

    I have to leave now. Will continue with this later on.

    Best regards.
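Post #1's plan treats the IPSW as an archive to unpack, edit and re-zip, and post #5 describes hand-editing two keys in its Restore.plist. The script below is an added example written for this page, not code from any poster or from Apple's restore tooling. It does the Restore.plist part of that work offline: it builds two constructed IPSW-shaped zips in memory, prints a structural diff of their Restore.plist files, and writes a patched copy that applies the DeviceReleaseNumber and ForceNANDErase edits from post #5 while leaving every other archive member byte-identical. The plist contents are constructed stand-ins that contain only the keys the thread mentions; the ProductVersion and BoardConfig fields and the first DeviceMap entry's number are assumptions, and nothing here touches the questions about re-encrypting the root-filesystem DMG or whether the restore validates it.

```python
"""Compare and patch the Restore.plist inside IPSW archives.

Added example for this thread, not code from any poster. An IPSW is an
ordinary zip archive; Restore.plist inside it is an XML property list
that the restore process reads. The two plists below are CONSTRUCTED
stand-ins holding only the keys the thread discusses (ForceNANDErase,
DeviceMap, DeviceReleaseNumber). ProductVersion, BoardConfig and the
first DeviceMap entry's number are assumptions; real files have many
more keys.
"""
import io
import plistlib
import zipfile

# Constructed stand-in for the 1.0.2 Restore.plist (4352 is from post #5).
OLD_PLIST = {
    "ProductVersion": "1.0.2",
    "ForceNANDErase": True,
    "DeviceMap": [
        {"BoardConfig": "m68ap", "DeviceReleaseNumber": 1},     # assumed value
        {"BoardConfig": "m68ap", "DeviceReleaseNumber": 4352},  # reported in post #5
    ],
}

# Constructed stand-in for the 1.1.1 Restore.plist: no ForceNANDErase,
# second DeviceReleaseNumber is 4354 (also reported in post #5).
NEW_PLIST = {
    "ProductVersion": "1.1.1",
    "DeviceMap": [
        {"BoardConfig": "m68ap", "DeviceReleaseNumber": 1},
        {"BoardConfig": "m68ap", "DeviceReleaseNumber": 4354},
    ],
}


def build_ipsw(plist):
    """Build a minimal IPSW-shaped zip in memory: Restore.plist plus a
    dummy Firmware/dfu member standing in for the real DFU images."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Restore.plist", plistlib.dumps(plist))
        zf.writestr("Firmware/dfu/placeholder.dfu", b"not a real image")
    return buf.getvalue()


def read_restore_plist(ipsw_bytes):
    """Return Restore.plist from an IPSW (zip) as a Python dict."""
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as zf:
        return plistlib.loads(zf.read("Restore.plist"))


def diff_plist(a, b, path=""):
    """Recursive structural diff: list of (path, value_in_a, value_in_b).
    A key or index missing on one side shows up as None for that side."""
    diffs = []
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            sub = f"{path}/{key}"
            if key not in a:
                diffs.append((sub, None, b[key]))
            elif key not in b:
                diffs.append((sub, a[key], None))
            else:
                diffs.extend(diff_plist(a[key], b[key], sub))
    elif isinstance(a, list) and isinstance(b, list):
        for i in range(max(len(a), len(b))):
            sub = f"{path}[{i}]"
            if i >= len(a):
                diffs.append((sub, None, b[i]))
            elif i >= len(b):
                diffs.append((sub, a[i], None))
            else:
                diffs.extend(diff_plist(a[i], b[i], sub))
    elif a != b:
        diffs.append((path, a, b))
    return diffs


def patch_restore_plist(ipsw_bytes, mutate):
    """Copy an IPSW member by member, applying mutate() to the parsed
    Restore.plist and leaving every other member's bytes unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "Restore.plist":
                plist = plistlib.loads(data)
                mutate(plist)
                data = plistlib.dumps(plist)
            dst.writestr(info, data)
    return out.getvalue()


def set_device_release_number(plist, index, value):
    """The edit from post #5: change DeviceMap[index].DeviceReleaseNumber."""
    plist["DeviceMap"][index]["DeviceReleaseNumber"] = value


def drop_force_nand_erase(plist):
    """The other edit from post #5: remove the ForceNANDErase key."""
    plist.pop("ForceNANDErase", None)


if __name__ == "__main__":
    old, new = build_ipsw(OLD_PLIST), build_ipsw(NEW_PLIST)
    for path, va, vb in diff_plist(read_restore_plist(old), read_restore_plist(new)):
        print(f"{path}: 1.0.2={va!r} 1.1.1={vb!r}")
    patched = patch_restore_plist(
        old, lambda p: (set_device_release_number(p, 1, 4354), drop_force_nand_erase(p)))
    print(read_restore_plist(patched))
```

Run as a script it prints the three differences between the two constructed plists and then the patched dictionary; on real IPSW files, pass the archive bytes to read_restore_plist and patch_restore_plist instead of the constructed ones. Decrypting and re-encrypting the root-filesystem DMG is deliberately left out, since it needs the key and external tools.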


  6. #6 Rookie, joined Jan 2008, Oslo, Norway

    Found a solution that works!

    I don't care what people write about Zibri, but his ZiPhone tool worked. Get it from iphone-elite.org and run it from the command line with "ziphone - u"

    Great work!!!
