2G Baseband RE questions
Hi all, I'm looking to understand some of the bugs against the 2G baseband. I looked through the wikis but may have missed something.
As far as I understand it, the 2G exploits are in the bootloader, whereas yellowsn0w exploits a stack overflow in one of the AT command parsers.
I started with ICE04.04.05.fls, since the file was accessible to me. From "S-Gold 2 - The iPhone Wiki" I looked in the secpack, giving me 2 sections of code:
section 1: A0000000h, len: 20000h
section 2: A0020000h, len: 3A0000h
I loaded the file into IDA with sections 1 and 2. I take it that section 2 is the main firmware.
I'm assuming this baseband uses the 4.6 bootloader. Looking at this document, "4.6-fakeblank Bootloader [iPhone Dev Team]",
I can see that the bootloader is mapped into the same address range as section 1. Is section 1 a second-stage bootloader loaded after the 4.6 one?
From the page above:
"This code surrounds the 0xA0015C58 checkblank location: sub_10C44+20 02 50 82 E2 ADD R5, R2, #2"
Why is this listed in a different address range, sub_10C44+20? Is it relocated or copied?
Another question I have is regarding the "bootrom": "S-Gold bootrom check for blank bootloader [iPhone Dev Team]".
This has addresses in the 0x400000 range and, if I understand correctly, is ROM code. How do I dump this, or has a dump been posted somewhere?
Random other questions:
Where do I get baseband versions? Are they part of general firmware releases?
Where/how do I get the bootloaders? I have seen 3.9/4.6 BL available, but how does one dump them originally?
"CJKT": is this a header of some kind? Do the dwords before the "CJKT" denote loading addresses?
Is there any more information posted on the 3.9/4.6 BL bugs, as far as their locations in the BL, in order to understand them?
This page mentions relocs: "sgold_bootrom:relocs [iPhone Dev Team]". Are these relocs within the bootrom itself?