[Solution] No baseband / Invalid calibration data in device tree / major 2, minor 0
Hi folks. I've just fixed a very broken iPhone. I know of several people who have had the same problem so I'm very pleased to have got this phone 100% working again. If you have the same symptoms then this method may help.
- iPhone appears to have no baseband.
- iPhone shows "Repair needed" and the info button shows unknown IMEI and ICCID.
- When you restore - even from DFU mode - the OS changes but the firmware never gets uploaded. Restores take ages and eventually timeout with an error, leaving you in Restore mode.
- You can bash out of restore mode and boot normally using the tools available, but you still get "Repair needed", etc.
- Settings / About shows WiFi greyed-out, all 0s for Bluetooth, and nothing for baseband info.
- No signal (obviously)
- No sound from keypad or ringtones.
- When you try jailbreaking using ZiPhone or iPlus, it fails during the process. (If I recall, ZiPhone says "Hmm, what did you do...?" and then fails to unlock. It scrolls forever. With iPlus you get the red banner and text but it stalls and locks up.)
- After you've tried ZiPhone/iPlus, your phone will not boot in normal mode. You get "AppleMRVL868x: Invalid calibration data in device tree" in the scrolling white-on-black text.
- Eventually you might be left with "BSD root: md0, major 2, minor 0" scrolling continuously.
- From this point you can Restore in DFU mode but it still won't restore the baseband and will take ages to time out. You can get it to boot again but you're back at square 1.
Okay that's a fairly horrible list and not a good place to start from. This is clearly more than a simple "WiFi greyed out" issue. I'm sure you've spotted the problem with this picture: with no EDGE and no WiFi you can't get into the phone to install helpful tools on it.
You might also have tried things like erasing the baseband in ZiPhone and found this also failed. In my opinion your phone is NOT totally bricked. It's just poorly. All your network IDs and IMEI etc are still there. But nothing can read them. In fact it's so broken that none of the tools seem able to erase the baseband so you can install it again.
After a couple of days of research and a million different attempts at stuff, here's what worked for me. I'll give you the overview and then some details but please bear in mind that the nitty-gritty of carrying out all of these steps has been done to death elsewhere so please have a search. I'm not going to attempt to write out a step-by-step guide in minute detail because that leads to mistakes. Plus there's a good chance a lot of people reading this have worked through most of this at least once before.
The key seems to be properly erasing your baseband and 'ienew' seemed to be what worked.
1) DFU mode restore to 1.1.4. It will eventually end in an error and leave you in Restore mode.
2) Bash out and boot normally.
3) Jailbreak and (h)activate the phone. DO NOT ATTEMPT TO UNLOCK.
4) Send ienew and support files over USB.
5) Run ienew in Mobile Terminal
6) DFU Restore to 1.1.4 again.
You should know if you were successful when you Restore because this time it will recognise you have no baseband and flash the 1.1.4 one. Now you have it back to factory conditions (well apart from bootloader 3.9 of course) and you'll notice the phone reads the SIM card and you get IMEI and ICCID back. If you jailbreak you'll see that WiFi, Bluetooth and sound works. And if you unlock you'll be able to use your own SIM again. Give yourself a pat on the back (and give me some credit) if it worked :)
1) Get DFU mode by plugging into iTunes, holding Power and Home buttons down. After 7 seconds the screen will switch off. Keep holding until 10 seconds then let go of Power button but keep holding Home. After another 10/15 seconds the screen will still be off but iTunes will find an iPhone in Restore mode. You can now just go ahead and click the Restore button. (NB if you're reading this when 1.1.4 has been superseded then I suggest you get the 1.1.4 restore file and force iTunes to restore from that, since we know 1.1.4 is unlockable.)
2) Use your favourite method to bash out of Restore mode. iBrickr might do it. I use iphone-tools or iPlus. Independence on Mac can do it. Hell, even ZiPhone 2.6 has a button to boot in Normal mode.
3) You need to jailbreak and activate so that you get the BSD Subsystem and Mobile Terminal. I think I used iPlus. (Don't use the -U option - trying to unlock will put you back at square one).
4) All the files you need are here: http://stuff.uselessblather.com/tools46.zip. There are various options for transferring files over USB to the iPhone. I used a Total Commander plugin which worked great:
Get a Total Commander trial version here: http://www.ghisler.com/download.htm
Get the T-pot plugin here: http://t-pot.googlecode.com/files/T-PoT.1.1.zip (There's at least one other such plugin but this one worked for me.)
If you open the zip file with Total Commander it will recognise that it has a plugin and install it for you. Nice. Now you'll find your iPhone is accessible under Network Neighbourhood / T-Pot and you can make a new folder (e.g. in /usr/bin) and put the files there.
Other ways to send files over USB include "iPhone PC Suite" for Windows and iphonedisk for OS X.
5) Mobile Terminal next. (Login password for root is alpine). Because the baseband is hosed you'll find input very slow and laggy. This gets better when you successfully kill CommCenter, which you need to do anyway for the erase. "launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist". This just wasn't doing it for me so I rebooted and used the more persistent version: "launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist". The -w option will kill CommCenter on the next boot. Don't worry about that because you'll be restoring soon. Now you can type properly, set the permission on ienew by changing to the folder it's in (e.g. /usr/bin/unscrew or whatever) and entering "chmod +x ienew". You should get the following:
Resetting the Baseband...Done
iEraser for 112OTB: tool by geohot
Waiting for data...
Got Header: 77 0b cc
02 00 85 00 02 00 FF FF 85 02 03 00
02 00 04 02 06 00 01 00 00 00 00 00 0B 02 03 00
02 00 05 08 02 00 00 00 07 08 03 00
02 00 06 08 06 00 01 00 00 00 A0 00 AD 08 03 00
Hopefully the main flash was erased, wait for the next step...
If so - congrats. You're nearly there. (If you happened to bother setting the permission for bbupdater and running "bbupdater -v" at this point you'd be told that it is unresponsive to pinging. Which is exactly what you want. Because it's not there. D'you see?) DON'T bother trying to install a new baseband manually with all that "bbupdater -f and -e" stuff. You don't need to. Restoring 1.1.4 in DFU mode will do that for you.
6) DFU Restore. You know the drill.
There we go. Hope it works for you. Sorry for errors. It's 4am and I wrote this from memory because I didn't get the sequence right straight away or write it down at the time. I'll certainly correct this when errors in the instructions are pointed out. It's possible I've left a vital step out. This is because I've tried to whittle it down to the bare minimum number of steps so I've left out stuff I did that I believe wasn't necessary. We'll see. Good luck!