IPSF reversing started any help ;) - iPhone "2G" (Rev. 1) - Hackint0sh.org
Page 2 of 11 (results 11 to 20 of 105)
  #11 deepdark (Professional, joined Jul 2007)

    Quote, originally posted by Diet:
        As I wrote in this post:

        Hey - that's very interesting indeed! That means that they use the same unlock procedure as geohot, i.e. patching the two bytes in the baseband firmware ...
        So the only thing we have to find out is how they manage to update these bytes without the testpoint method geohot used.


    Maybe this is the location:

    Code:
    seg000:0001EEF0  00 5F 76 6D 5F 64 65 61  6C 6C 6F 63 61 74 65 00    ._vm_deallocate.
    seg000:0001EF00  5F 76 6D 5F 72 65 67 69  6F 6E 5F 36 34 00 5F 77    _vm_region_64._w
    seg000:0001EF10  72 69 74 65 00 00 00 00                             rite....


  #12 Children Of Doom (Professional, joined Aug 2007, Somewhere in time)

    Edit: sorry, double post!
    Last edited by Children Of Doom; 09-11-2007 at 01:56 PM. Reason: oops
    ---iPhone 8GB 1.0.2 OOB HW unlocked, virginized, updated to 1.1.1, updated to 1.1.2, soft updated to 1.1.3, ZiPhone 1.1.4, Pwned 1.1.4, Pwned 2.0, Pwned 2.0.1, QuickPwn 2.2.1, QuickPwn 3.0--- iPhone 3GS 32 GB --- MBPro 15"---

  #13 Children Of Doom (Professional, joined Aug 2007, Somewhere in time)

    Quote, originally posted by Diet:
        As I wrote in this post:

        Hey - that's very interesting indeed! That means that they use the same unlock procedure as geohot, i.e. patching the two bytes in the baseband firmware ...
        So the only thing we have to find out is how they manage to update these bytes without the testpoint method geohot used.
    Yep...
    They've used a large part of the dev team's work...

  #14 (Professional, joined Aug 2007)

    Of course the baseband is being patched. This is back to square one. The problem to solve has always been how to patch the baseband without physically touching the test point.

    I am all for reversing the software, but we really need people out there who know their stuff.

    All you guys are helping and it is great. I have a locked iPhone, I have the iPhone SIM Free app but no license yet...

  #15 (Rookie, joined Sep 2007)

    This may be no help at all, but I have a 4GB iPhone and get the error:
    "Unlock failed. Error unlock currently unauthorized or unavailable for this phone. Please contact your retailer".


  #16 mtheojg (Newbie, joined Aug 2007)

    Quote, originally posted by Diet:
        As I wrote in this post:

        Hey - that's very interesting indeed! That means that they use the same unlock procedure as geohot, i.e. patching the two bytes in the baseband firmware ...
        So the only thing we have to find out is how they manage to update these bytes without the testpoint method geohot used.
    No. It may just mean that they query the modem with AT commands and it says it's unlocked already. That's what AT+CLCK="PN",2 is for.
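
    The query mtheojg refers to, as an added example that is not part of the original post or of any unlock tool: it builds AT+CLCK="PN",2 (3GPP TS 27.007, facility "PN" = network personalization, mode 2 = query status), sends it to a constructed stand-in modem, and parses the +CLCK: <status> reply followed by OK, where status 0 means the lock is not active and 1 means it is. An ERROR or +CME ERROR final result is reported as such rather than mistaken for "unlocked". The FakeModem class, its lock table and the log format are this example's own; on real hardware the same build/parse functions sit on a serial port.

```python
"""Query a GSM modem's network-personalization lock with AT+CLCK="PN",2
(3GPP TS 27.007) and parse the reply.

The modem below is a constructed stand-in that answers the way a real
modem does on the serial line; swap it for a pyserial port to talk to
real hardware.
"""

CR, LF = "\r", "\n"

# Personalization facility codes from TS 27.007 (the "PN" lock is the carrier SIM lock).
PERSONALIZATION_FACILITIES = {
    "PN": "network personalization (carrier SIM lock)",
    "PU": "network subset personalization",
    "PP": "service provider personalization",
    "PC": "corporate personalization",
    "PS": "SIM/USIM personalization (phone locked to one SIM)",
}


def build_clck_query(facility: str) -> str:
    """Return the AT command that queries lock status (mode 2) for a facility."""
    if facility not in PERSONALIZATION_FACILITIES:
        raise ValueError(f"unknown personalization facility {facility!r}")
    return f'AT+CLCK="{facility}",2'


def parse_clck_reply(raw: str):
    """Parse a modem reply to a +CLCK query.

    Returns (status, detail): status is True when the lock is active,
    False when it is not active, None when the modem returned an error
    final result instead of OK.
    """
    lines = [ln.strip() for ln in raw.replace(CR, LF).split(LF) if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    final = lines[-1]
    if final != "OK":
        # "ERROR" or "+CME ERROR: <n>" terminates the response instead of OK.
        return None, final
    statuses = []
    for ln in lines[:-1]:
        if not ln.startswith("+CLCK:"):
            continue
        # +CLCK: <status>[,<class>]; one line per class may be returned.
        fields = [f.strip() for f in ln[len("+CLCK:"):].split(",")]
        statuses.append(int(fields[0]))
    if not statuses:
        return None, "OK without +CLCK line"
    active = any(s == 1 for s in statuses)
    return active, "lock active" if active else "lock not active"


class FakeModem:
    """Constructed modem: answers CLCK queries from a table, errors otherwise."""

    def __init__(self, locks: dict):
        self.locks = locks  # facility -> 1 (active) / 0 (not active)
        self.log = []       # the exchange in both directions (DTE = host, DCE = modem)

    def send(self, cmd: str) -> str:
        self.log.append(("DTE", cmd))
        reply = self._answer(cmd)
        self.log.append(("DCE", reply))
        return reply

    def _answer(self, cmd: str) -> str:
        if cmd.startswith('AT+CLCK="') and cmd.endswith('",2'):
            fac = cmd[len('AT+CLCK="'):-len('",2')]
            if fac in self.locks:
                return f"{CR}{LF}+CLCK: {self.locks[fac]}{CR}{LF}{CR}{LF}OK{CR}{LF}"
            return f"{CR}{LF}+CME ERROR: 3{CR}{LF}"  # 3 = operation not allowed
        return f"{CR}{LF}ERROR{CR}{LF}"


def query_lock(modem, facility: str = "PN"):
    """Ask the modem whether the given personalization lock is active."""
    return parse_clck_reply(modem.send(build_clck_query(facility)))


if __name__ == "__main__":
    phone = FakeModem({"PN": 1, "PS": 0})
    print(query_lock(phone, "PN"))  # (True, 'lock active')
    print(query_lock(phone, "PS"))  # (False, 'lock not active')
    print(query_lock(phone, "PU"))  # (None, '+CME ERROR: 3')
    for side, text in phone.log:
        print(side, repr(text))
```

    A "lock not active" answer only reports the flag the baseband currently holds; a tool that merely asks this question has changed nothing on the phone.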

  #17 (Professional, joined Aug 2007)

    Quote, originally posted by mtheojg:
        No. It may just mean that they query the modem with AT commands and it says it's unlocked already. That's what AT+CLCK="PN",2 is for.
    Sad but true. So my idea seems to be useless...

  #18 (Professional, joined Aug 2007)

    Can we use the same technique that DVD Jon used to activate the phone (activation server) here for software unlocking, if it goes to their server for authentication of the phone?

  #19 deepdark (Professional, joined Jul 2007)

    I think that we must skip the server authentication process? But the question is: does the software download something from the server, or is it just exchanging information?

  #20 (Respected Professional, joined Aug 2007, Paris, France)

    Quote, originally posted by deepdark:
        Maybe this is the location:

        Code:
        seg000:0001EEF0  00 5F 76 6D 5F 64 65 61  6C 6C 6F 63 61 74 65 00    ._vm_deallocate.
        seg000:0001EF00  5F 76 6D 5F 72 65 67 69  6F 6E 5F 36 34 00 5F 77    _vm_region_64._w
        seg000:0001EF10  72 69 74 65 00 00 00 00                             rite....
    Indeed. Re: vm_region_64: a common Apple routine in Mac OS. Here's what it does.

    Code:
    routine vm_region_64(
                target_task : vm_map_t;
        inout   address     : mach_vm_address_t;
        out     size        : mach_vm_size_t;
                flavor      : vm_region_flavor_t;
        out     info        : vm_region_info_t, CountInOut;
        out     object_name : memory_object_name_t =
                                  MACH_MSG_TYPE_MOVE_SEND
                                  ctype: mach_port_t);

    /*
     * Allow application level processes to create named entries which
     * correspond to mapped portions of their address space. These named
     * entries can then be manipulated, shared with other processes in
     * other address spaces and ultimately mapped in other address spaces
     */


    vm_deallocate sets the maximum protection attribute for the specified range of the virtual address space of the target virtual memory map.
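
    For the dump quoted in posts #11 and #20, an added example (not the page's, the dev team's or IPSF's code) that reassembles an IDA-style hex dump, checks each line's ASCII column against its bytes, and recovers the NUL-terminated names with their real addresses, so "_w" at the end of one line and "rite" at the start of the next come back as one name at 0x1EF0E. The DUMP string is the quoted text itself; the MACH_VM_ROUTINES table and the PATCH_PRIMITIVES set are this example's own assumptions about what each routine does, based on the declarations in XNU's mach/vm_map.defs, not something the thread establishes. Note that the third name recovered is _write (the Mach-O symbol for libc write(2)), not _vm_write, and vm_protect does not appear, so these three strings by themselves do not show the enumerate/unprotect/write patch recipe; the has_patch_primitives check makes that explicit.

```python
"""Reassemble an IDA-style hex dump, verify its ASCII column, and recover
the symbol names it contains with their addresses.

Added example for the thread's dump; the routine table is an assumption
drawn from XNU's mach/vm_map.defs, not from the binary being discussed.
"""
import re

# Constructed input: the three dump lines quoted in the thread, verbatim.
DUMP = """\
seg000:0001EEF0  00 5F 76 6D 5F 64 65 61  6C 6C 6F 63 61 74 65 00    ._vm_deallocate.
seg000:0001EF00  5F 76 6D 5F 72 65 67 69  6F 6E 5F 36 34 00 5F 77    _vm_region_64._w
seg000:0001EF10  72 69 74 65 00 00 00 00                                            rite....
"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def render_ascii(data: bytes) -> str:
    """Render bytes the way IDA's ASCII column does: printable or '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_dump(text: str):
    """Return (base_address, bytes) for a contiguous dump.

    Columns are separated by two or more spaces: "seg:addr", one or more
    groups of hex byte pairs, then the ASCII column.  The ASCII column is
    checked against the bytes and every address must continue the previous
    line, so a mistyped or gapped dump is rejected, not silently joined.
    (Limitation: an ASCII column that happens to look like hex pairs is
    treated as bytes.)
    """
    base, expected, chunks = None, None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 2 or ":" not in fields[0]:
            continue  # not a dump line (blank, header, etc.)
        addr = int(fields[0].split(":")[1], 16)
        hex_fields = [f for f in fields[1:] if all(HEX_PAIR.match(t) for t in f.split())]
        ascii_field = fields[-1] if fields[-1] not in hex_fields else None
        data = bytes.fromhex(" ".join(hex_fields))
        if ascii_field is not None and render_ascii(data) != ascii_field:
            raise ValueError(f"line {lineno}: ASCII column does not match bytes")
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"line {lineno}: expected {expected:#x}, got {addr:#x}")
        chunks.append(data)
        expected = addr + len(data)
    if base is None:
        raise ValueError("no dump lines found")
    return base, b"".join(chunks)


def extract_symbols(base: int, data: bytes, min_len: int = 2):
    """Return [(address, name, terminated)] for runs of printable bytes.

    terminated is False for a run cut off by the end of the dump, i.e. a
    name that may continue past what was pasted.
    """
    out, start = [], None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        printable = 0x20 <= b < 0x7F
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                out.append((base + start, data[start:i].decode("ascii"), i < len(data)))
            start = None
    return out


# Assumption: roles as declared in XNU's mach/vm_map.defs (and task_for_pid).
MACH_VM_ROUTINES = {
    "vm_region_64":  "walk a task's mappings: address, size, protection, object",
    "vm_allocate":   "map new zero-filled pages into a task",
    "vm_deallocate": "unmap a range from a task's address space",
    "vm_protect":    "change a range's current or maximum protection",
    "vm_read":       "copy memory out of a task",
    "vm_write":      "copy memory into a task (the actual byte patch)",
    "task_for_pid":  "obtain the task port the vm_* calls take as target_task",
}
# Minimum set of routines an in-memory code patch via Mach VM needs.
PATCH_PRIMITIVES = {"vm_region_64", "vm_protect", "vm_write"}


def classify(symbols):
    """Map each name (minus the Mach-O leading underscore) to its role;
    names outside the table get None, e.g. _write is libc write(2)."""
    return {name: MACH_VM_ROUTINES.get(name.lstrip("_")) for _, name, _ in symbols}


def has_patch_primitives(symbols) -> bool:
    """True only if every routine needed to patch memory is referenced."""
    return PATCH_PRIMITIVES <= {name.lstrip("_") for _, name, _ in symbols}


def analyse(text: str):
    base, data = parse_dump(text)
    syms = extract_symbols(base, data)
    return {"base": base, "size": len(data), "symbols": syms,
            "roles": classify(syms), "can_patch": has_patch_primitives(syms)}


if __name__ == "__main__":
    r = analyse(DUMP)
    for addr, name, _ in r["symbols"]:
        print(f"{addr:#010x} {name:<16} {r['roles'][name] or 'not a Mach VM routine'}")
    print("patch primitives present:", r["can_patch"])
```

    The same parser works on any contiguous IDA dump pasted into a post; the ASCII-column check is what catches a hand-retyped byte, and the gap check catches a line dropped while copying.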


 

 
