Here comes an experimental 1.1.2 lockdownd patch - iPhone "2G" (Rev. 1) - Hackint0sh.org

  1. #1, posted by n000b

    Here comes an experimental 1.1.2 lockdownd patch

    I've made a patch for 1.1.2 lockdownd so you don't have to use the old 1.1.1 patch. This patch will put the 1.1.2 into the factory-activated state. If you have a SuperSim or TurboSIM, you may use it immediately after the patch.

    The patched lockdownd may be downloaded from:

    /*removed due to copyright */
    (remove the underscores)

    UPDATE:
    1. I did an experiment to try the 1.1.2's brick mode: I forced my activated phone (with SilverCard in) to execute the code block at 0x5B28, and syslog showed the following:
    Code:
    localhost lockdown[21]: lookup_baseband_info: Not the expected firmware version. Enabling brick mode
    localhost lockdown[21]: Enabling brick mode on the baseband
    Then the phone lost signal; a reboot did not solve it, and I had to do a firmware restore to return the phone to normal (the syslog said 'brick mode on the baseband', but after restore and activation my SilverCard worked again), so I think elite team's patch at 0x4B3B is needed.

    2. I've modified my patch accordingly, in a slightly different manner: it allows the info to be logged in syslog but skips the other operations.

    Here's the revised patch:
    Code:
    Search for differences
    
    1. G:\iPhone Stuffs\lockdownd\lockdownd_112_original\lockdownd: 996,440 bytes
    2. G:\iPhone Stuffs\lockdownd\lockdownd_112_patched\lockdownd: 996,440 bytes
    Offsets: hexadec.
    
     4B4C:	01	14
     4B4E:	A0	00
     4B4F:	E3	EA
     C5C1:	00	40
     C5C2:	54	A0
     C5C8:	04	00
     C5CA:	00	A0
     C5CB:	1A	E1
     C5CC:	01	00
     C5D4:	88	EC
    
    10 difference(s) found.
    I use it on my 1.1.2 (upgraded from 1.0.2), and it activates the phone immediately without problem, my SilverCard (16F877+24C64) works as well.

    EDIT: my first try was not successful because the SilverCard didn't work. I think I might have messed up some system files, so I did a restore and retried; this time the SilverCard works perfectly: call in/out, SMS in/out, GPRS all work. YouTube only shows the list and can't play (I'm in a country whose IP is blocked by YouTube).
    Last edited by n000b; 11-14-2007 at 04:47 PM.



  2. #2, posted by brasuco

    Quote Originally Posted by n000b View Post
    I've made a patch for 1.1.2 lockdownd so you don't have to use the old 1.1.1 patch.

    The patched lockdownd may be downloaded from:

    /*removed due to copyright */
    (remove the underscores)

    Here's what was patched:
    Code:
    FileOfs    Original    Patched
    C5C1:	  00	    40
    C5C2:	  54	    A0
    C5C8:	  04	    00
    C5CA:	  00	    A0
    C5CB:	  1A	    E1
    C5CC:	  01	    00
    C5D4:	  88	    EC
    I use it on my 1.1.2 (upgraded from 1.0.2), and while it activates the phone immediately without problem, my SilverCard (16F877+24C64) still doesn't work. I'm still not sure if this is caused by the new modem or if I missed any point in the patching.
    Are you sure about this? I've been looking into that and my findings are a little different.

    Besides, there's something wrong about the opcodes you've provided for the original/virgin lockdownd. They don't match the ones from the binary that comes with the 1.1.2 restore image.

    Cheers.
    Last edited by sam; 11-14-2007 at 02:06 PM.
    brasuco

  3. #3, posted by n000b

    Quote Originally Posted by brasuco View Post
    Are you sure about this? I've been looking into that and my findings are a little different.

    Besides, there's something wrong about the opcodes you've provided for the original/virgin lockdownd. They don't match the ones from binary that comes with the 1.1.2 restore image.

    Cheers.
    I don't think the opcodes were wrong, although I fetched the lockdownd from a restored phone, not from the restore image directly. Please check the following snippets:

    Before the patch:
    Code:
    __text:0000D5A8 B0 26 9F E5                 LDR     R2, =off_EE99C
    __text:0000D5AC 06 00 A0 E1                 MOV     R0, R6
    __text:0000D5B0 00 10 A0 E3                 MOV     R1, #0
    __text:0000D5B4 00 20 92 E5                 LDR     R2, [R2]
    __text:0000D5B8 00 20 92 E5                 LDR     R2, [R2]
    __text:0000D5BC 01 E5 FF EB                 BL      sub_69C8
    __text:0000D5C0 00 00 54 E3                 CMP     R4, #0
    __text:0000D5C4 00 80 A0 E1                 MOV     R8, R0
    __text:0000D5C8 04 00 00 1A                 BNE     loc_D5E0
    __text:0000D5CC 01 30 A0 E3                 MOV     R3, #1
    __text:0000D5D0 08 30 8D E5                 STR     R3, [SP,#0x2C+var_24]
    __text:0000D5D4 88 36 9F E5                 LDR     R3, =unk_EFBE0
    __text:0000D5D8 18 00 8D E8                 STMEA   SP, {R3,R4}
    __text:0000D5DC CA 00 00 EA                 B       loc_D90C
    After the patch:
    Code:
    __text:0000D5A8 B0 26 9F E5                 LDR     R2, =off_EE99C
    __text:0000D5AC 06 00 A0 E1                 MOV     R0, R6
    __text:0000D5B0 00 10 A0 E3                 MOV     R1, #0
    __text:0000D5B4 00 20 92 E5                 LDR     R2, [R2]
    __text:0000D5B8 00 20 92 E5                 LDR     R2, [R2]
    __text:0000D5BC 01 E5 FF EB                 BL      sub_69C8
    __text:0000D5C0 00 40 A0 E3                 MOV     R4, #0
    __text:0000D5C4 00 80 A0 E1                 MOV     R8, R0
    __text:0000D5C8 00 00 A0 E1                 NOP
    __text:0000D5CC 00 30 A0 E3                 MOV     R3, #0
    __text:0000D5D0 08 30 8D E5                 STR     R3, [SP,#0x2C+var_24]
    __text:0000D5D4 EC 36 9F E5                 LDR     R3, =unk_EFC50
    __text:0000D5D8 18 00 8D E8                 STMEA   SP, {R3,R4}
    __text:0000D5DC CA 00 00 EA                 B       loc_D90C
    WinHex's file compare result:
    Code:
    Search for differences
    
    1. C:\iPhone\lockdownd\lockdownd_112_original\lockdownd: 996,440 bytes
    2. C:\iPhone\lockdownd\lockdownd_112_patched\lockdownd: 996,440 bytes
    Offsets: hexadec.
    
     C5C1:	00	40
     C5C2:	54	A0
     C5C8:	04	00
     C5CA:	00	A0
     C5CB:	1A	E1
     C5CC:	01	00
     C5D4:	88	EC
    
    7 difference(s) found.

  4. #4, posted by brasuco

    Quote Originally Posted by n000b View Post
    I don't think the opcodes were wrong, although I fetched the lockdownd from a restored phone, not from the restore image directly. Please check the following snippets:

    Before the patch:
    Code:
    __text:0000D5A8 B0 26 9F E5                 LDR     R2, =off_EE99C
    __text:0000D5AC 06 00 A0 E1                 MOV     R0, R6
    __text:0000D5B0 00 10 A0 E3                 MOV     R1, #0
    __text:0000D5B4 00 20 92 E5                 LDR     R2, [R2]
    __text:0000D5B8 00 20 92 E5                 LDR     R2, [R2]
    __text:0000D5BC 01 E5 FF EB                 BL      sub_69C8
    __text:0000D5C0 00 00 54 E3                 CMP     R4, #0
    __text:0000D5C4 00 80 A0 E1                 MOV     R8, R0
    __text:0000D5C8 04 00 00 1A                 BNE     loc_D5E0
    __text:0000D5CC 01 30 A0 E3                 MOV     R3, #1
    __text:0000D5D0 08 30 8D E5                 STR     R3, [SP,#0x2C+var_24]
    __text:0000D5D4 88 36 9F E5                 LDR     R3, =unk_EFBE0
    __text:0000D5D8 18 00 8D E8                 STMEA   SP, {R3,R4}
    __text:0000D5DC CA 00 00 EA                 B       loc_D90C
    After the patch:
    Code:
    __text:0000D5A8 B0 26 9F E5                 LDR     R2, =off_EE99C
    __text:0000D5AC 06 00 A0 E1                 MOV     R0, R6
    __text:0000D5B0 00 10 A0 E3                 MOV     R1, #0
    __text:0000D5B4 00 20 92 E5                 LDR     R2, [R2]
    __text:0000D5B8 00 20 92 E5                 LDR     R2, [R2]
    __text:0000D5BC 01 E5 FF EB                 BL      sub_69C8
    __text:0000D5C0 00 40 A0 E3                 MOV     R4, #0
    __text:0000D5C4 00 80 A0 E1                 MOV     R8, R0
    __text:0000D5C8 00 00 A0 E1                 NOP
    __text:0000D5CC 00 30 A0 E3                 MOV     R3, #0
    __text:0000D5D0 08 30 8D E5                 STR     R3, [SP,#0x2C+var_24]
    __text:0000D5D4 EC 36 9F E5                 LDR     R3, =unk_EFC50
    __text:0000D5D8 18 00 8D E8                 STMEA   SP, {R3,R4}
    __text:0000D5DC CA 00 00 EA                 B       loc_D90C
    WinHex's file compare result:
    Code:
    Search for differences
    
    1. C:\iPhone\lockdownd\lockdownd_112_original\lockdownd: 996,440 bytes
    2. C:\iPhone\lockdownd\lockdownd_112_patched\lockdownd: 996,440 bytes
    Offsets: hexadec.
    
     C5C1:	00	40
     C5C2:	54	A0
     C5C8:	04	00
     C5CA:	00	A0
     C5CB:	1A	E1
     C5CC:	01	00
     C5D4:	88	EC
    
    7 difference(s) found.
    It seems I forgot to subtract 0x1000 from the IDA offset, sorry (I always forget that)!

    Now that you posted the code, things have gotten clearer. We basically have the same thing with a minor difference. As soon as you or I (or someone else) patches it nicely, I'll be able to assemble a newer version of CARNAVAL. That's kinda the last thing.

    I haven't been able to test my patch yet, as soon as I test it out I'll post it here.

    I'll let you know what I find out.

    Cheers.
    brasuco
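The 0x1000 slip brasuco mentions above is easy to check mechanically. As an added example (not code from the thread), this Python script derives the file-offset diff from the before/after IDA listings n000b posted and compares it with his WinHex result, assuming the 0x1000 IDA-address-to-file-offset delta brasuco names; with the delta left out, the comparison fails the way his first one did.

```python
# Added example, not from the thread: confirm that a WinHex byte diff agrees with an
# IDA before/after listing once the IDA-address-to-file-offset delta is subtracted.
IDA_TO_FILE_DELTA = 0x1000  # delta brasuco says he forgot (assumed from his post)
BEFORE_LISTING = """
0000D5C0 00 00 54 E3
0000D5C4 00 80 A0 E1
0000D5C8 04 00 00 1A
0000D5CC 01 30 A0 E3
0000D5D0 08 30 8D E5
0000D5D4 88 36 9F E5
"""
AFTER_LISTING = """
0000D5C0 00 40 A0 E3
0000D5C4 00 80 A0 E1
0000D5C8 00 00 A0 E1
0000D5CC 00 30 A0 E3
0000D5D0 08 30 8D E5
0000D5D4 EC 36 9F E5
"""
WINHEX_DIFF = """
C5C1: 00 40
C5C2: 54 A0
C5C8: 04 00
C5CA: 00 A0
C5CB: 1A E1
C5CC: 01 00
C5D4: 88 EC
"""

def parse_listing(text):
    """Map each virtual address to its byte from 'VA B0 B1 B2 B3' lines."""
    out = {}
    for line in filter(str.strip, text.split("\n")):
        va, *raw = line.split()
        out.update((int(va, 16) + i, int(b, 16)) for i, b in enumerate(raw))
    return out

def parse_winhex_diff(text):
    """Turn 'OFF: ORIG PATCHED' lines into (file_offset, orig, patched) tuples."""
    return [tuple(int(x, 16) for x in line.replace(":", "").split())
            for line in filter(str.strip, text.split("\n"))]

def diff_listings(before, after, delta):
    """File-offset diff implied by the two listings: (offset, orig, patched)."""
    b, a = parse_listing(before), parse_listing(after)
    return [(va - delta, b[va], a[va]) for va in sorted(b) if b[va] != a[va]]

def diff_matches(delta=IDA_TO_FILE_DELTA):
    """True when the listing-derived diff equals the posted WinHex diff."""
    return diff_listings(BEFORE_LISTING, AFTER_LISTING, delta) == parse_winhex_diff(WINHEX_DIFF)
```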

  5. #5, posted by n000b

    Quote Originally Posted by brasuco View Post
    It seems I forgot to subtract 0x1000 from the IDA offset, sorry (I always forget that)!

    Now that you posted the code things gotten more clear. We basically have the same thing with a minor difference. As soon as you or me (or someone else) patches it nicely I'll be able to assemble a newer version of CARNAVAL. That's kindda the last thing.

    I haven't been able to test my patch yet, as soon as I test it out I'll post it here.

    I'll let you know what I find out.

    Cheers.
    Heh, that 0x1000 thing has got me several times. Waiting for your next unlocking batch, good luck! BTW, what's its name gonna be this time?


  6. #6, posted by Vger

    Working excellently here with TurboSIM! Thank you very much!!

    Quote Originally Posted by n000b View Post
    I use it on my 1.1.2 (upgraded from 1.0.2), and while it activates the phone immediately without problem, my SilverCard (16F877+24C64) still doesn't work. I'm still not sure if this is caused by the new modem or if I missed any point in the patching.
    Check the iphone-elite Wiki!
    Last edited by Vger; 11-13-2007 at 04:05 AM.

  7. #7, posted by n000b

    Quote Originally Posted by Vger View Post
    Working excellently here with TurboSIM! Thank you very much!!
    Check the iphone-elite Wiki!
    Glad it works! Though I don't have a TurboSIM, so I can't confirm that first hand.

  8. #8, posted by Vger

    Since TSIM works, SuperSim should as well... I think.

  9. #9, posted by n000b

    I thought so; it's just weird that my SilverCard doesn't work. I'll retry it later.

  10. #10, posted by Vger

    Quote Originally Posted by n000b View Post
    I thought so; it's just weird that my SilverCard doesn't work. I'll retry it later.
    What's happening?


 

 