Hi all, I'm looking to understand some of the bugs against the 2G baseband. I looked through the wikis but may have missed something.

As far as I understand it, the 2G exploits are in the bootloader, whereas yellowsn0w exploits a stack overflow in one of the AT command parsers.

I started with ICE04.04.05.fls, since the file was accessible to me. From the S-Gold 2 page on The iPhone Wiki, I looked in the secpack, giving me 2 sections of code:

section1: A0000000h, len: 20000h
section2: A0020000h, len: 3A0000h

I loaded the file into IDA with sections 1 and 2. I take it that section 2 is the main firmware.

I'm assuming this baseband uses the 4.6 bootloader. Looking at the document 4.6-fakeblank Bootloader [iPhone Dev Team],

I can see that the bootloader is mapped into the same address range as section 1. Is section 1 a second-stage bootloader loaded after the 4.6 one?

From the page above:
This code surrounds the 0xA0015C58 checkblank location: sub_10C44+20 02 50 82 E2 ADD R5, R2, #2

Why is this listed in a different address range, sub_10C44+20? Is it relocated or copied?

Another question I have is regarding the "bootrom" page S-Gold bootrom check for blank bootloader [iPhone Dev Team].
This has addresses in the 0x400000 range and, if I understand correctly, is ROM code. How do I dump this, or has a dump been posted somewhere?

Random other questions:
Where do I get baseband versions? Are they part of general firmware releases?

Where/how do I get the bootloaders? I have seen the 3.9/4.6 BL available, but how does one dump them originally?

"CJKT": is this a header of some kind? Do the dwords before the "CJKT" denote loading addresses?

Is there any more information posted on the 3.9/4.6 BL bugs, as far as their locations in the BL, in order to understand them?

This page mentions relocs: sgold_bootrom:relocs [iPhone Dev Team]. These are relocs with the bootrom itself?
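One way to start answering the "CJKT" question for yourself is to scan the image for every occurrence of the marker and check whether the dwords immediately before it fall inside the two section ranges taken from the secpack. The script below is an added example, not code from the original post or from the iPhone Dev Team; it assumes little-endian 32-bit dwords (the ARM default) and uses a constructed byte string as input, since the real layout of the .fls file is not established here.

```python
import struct

MARKER = b"CJKT"

# Section ranges (base, length) as listed in the post's secpack notes.
SECTIONS = [
    (0xA0000000, 0x20000),   # section 1
    (0xA0020000, 0x3A0000),  # section 2
]


def find_markers(blob: bytes, marker: bytes = MARKER, dwords_before: int = 2):
    """Return a list of (offset, [dwords]) for each marker occurrence.

    The dwords are the little-endian 32-bit values that sit directly before
    the marker, in address order (earliest first). Fewer are returned if the
    marker is too close to the start of the blob.
    """
    hits = []
    start = 0
    while True:
        off = blob.find(marker, start)
        if off < 0:
            break
        n = min(dwords_before, off // 4)
        words = [struct.unpack_from("<I", blob, off - 4 * (n - i))[0] for i in range(n)]
        hits.append((off, words))
        start = off + len(marker)
    return hits


def section_of(value: int):
    """Return the 1-based section index whose range contains value, or None."""
    for idx, (base, length) in enumerate(SECTIONS, start=1):
        if base <= value < base + length:
            return idx
    return None


def classify_hits(blob: bytes):
    """For each marker hit, report which dwords before it look like section addresses."""
    report = []
    for off, words in find_markers(blob):
        report.append((off, [(w, section_of(w)) for w in words]))
    return report


# Constructed sample: two markers, each preceded by a plausible (address, length) pair.
# This is NOT real firmware; it only exercises the scanner.
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<II", 0xA0020000, 0x003A0000) + MARKER
    + b"\xff" * 8
    + struct.pack("<II", 0xA0000000, 0x00020000) + MARKER
)

if __name__ == "__main__":
    for off, words in classify_hits(SAMPLE):
        desc = ", ".join(f"0x{w:08X} -> section {s}" for w, s in words)
        print(f"marker at 0x{off:X}: {desc}")
```

To use it on a real image, replace SAMPLE with the file contents (`open("ICE04.04.05.fls", "rb").read()`) and look at whether the first dword before each marker consistently lands in one of the two sections; if it does, that is evidence for the "loading address" reading, and if the values look random, the marker is probably something else.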