[3.1.3][Baseband] 7e18 > repair corrupted firmware tutorial request

First let me thank everyone here and at Redmondpie for helping me figure out what my iPhone 3g 8GB 3.1.3 7e18 05.12.01 problem is.

History:
I was given this phone over a year ago and had to jailbreak it to use it. I was already using AT&T so it seemed like a good idea. Everything was fine until two weeks ago I was talking on it and it glitched, just repeating the last few milliseconds of the conversation over and over for about 30 seconds and then died. I tried to reboot it a bunch but I could get no signal.

Being an overconfident idiot, I installed the latest firmware planning to jailbreak it as easily as I had before. That's when I learned that 3.1.3 wasn't breakable yet. I tried to jailbreak it with redsn0w, blackra1n, tried PwnageTool and then AutoInstalled ultrasn0w but that hung the phone. So I restored with just PwnageTool, the only tool that worked, but now I get no wifi, no cellular, and I don't even get the firmware version information listed in Settings.

Theories:
I think I've set up the phone OS right, and that isn't the problem with my device. I've either corrupted the baseband with all my jailbreak attempts, or the modem was dead in the first place and all this foolishness could have been avoided by replacing a chip.

The next step:
I've been looking at how to extract the modem NOR/NVRAM from the stock restore and manually flash the modem to get to some workable point. I can decrypt the deb files using a key I found on an Asian wiki using vfdecrypt, but from what I've read the files you need to actually do the flashing are signed by apple, and I'd have to do another restore and try to snatch the signed files from /tmp/ as the post is running before they get deleted. Even if I got those files I haven't found a recent tool to do the flashing...

My questions:

1. How do I tell if it's the NOR/NVRAM that's corrupted, or if the chip itself is actually broken?
2. Is flashing the modem chip NOR/NVRAM the answer, or even possible with 05.12.01?
3. If it's not the NOR/NVRAM that's corrupted from all the jailbreak attempts, how would I go through the process of replacing the chip itself, and once it's replaced how do I get the iPhone OS to use it?
4. If I end up having to replace the chip, are there schematics to the 'motherboard' of the phone and for the chip anywhere? I'm not afraid of doing a little soldering and multimeter testing.
5. if I have to replace the chip, where are the best places to buy one, and will it cost less then replacing the whole phone?

Summary:
So, I am truly asking for a tutorial, you anyone can give it, for people in my situation that answers the five questions above. If you post one here I'll be happy to post it elsewhere so that the chances of people asking the same question are lessened.

If I've posted this in the wrong forum, or with wrong or incomplete info, I apologize, and please let me know where I should direct my questions.

Thank you again! :D

See http://www.hackint0sh.org/f203/90394-2.htm#post455536 and http://www.hackint0sh.org/f203/90394-3.htm#post500077

The decryption keys can be found by navigating to the correct firmware on this page Firmware - The iPhone Wiki If the Build text is a link, then decryption keys should be available. Also note that the baseband files are 100% identical for 3GS and 3G for the same OS version.

This allows you to legally extract the baseband files from a specific firmware.

Depending on how screwed up the baseband is, you might not be able to reflash. There have been quite a few reports of restore errors 23, 29 and 1012 which all seem to be hardware issues. These can't be fixed by reflashing baseband on the iPhone. In these cases, one hopes you have warranty or Applecare to rely on.

To answer the questions you had

Quote:

---

Originally Posted by aproximation

My questions:

1. How do I tell if it's the NOR/NVRAM that's corrupted, or if the chip itself is actually broken?
2. Is flashing the modem chip NOR/NVRAM the answer, or even possible with 05.12.01?
3. If it's not the NOR/NVRAM that's corrupted from all the jailbreak attempts, how would I go through the process of replacing the chip itself, and once it's replaced how do I get the iPhone OS to use it?
4. If I end up having to replace the chip, are there schematics to the 'motherboard' of the phone and for the chip anywhere? I'm not afraid of doing a little soldering and multimeter testing.
5. if I have to replace the chip, where are the best places to buy one, and will it cost less then replacing the whole phone?

---

1. Some of the NVRAM values can be checked via iRecovery (getenv). There are two copies of the NVRAM (for security in case one gets corrupted). iRecovery might give some idea of the state of the NOR.
2. I am quite unsure if you will be able to reflash the baseband successfully.
3. You could have a professional de-solder the chip, re-flash your baseband bootloader and baseband then re-solder it
4. Need a professional surface mount desoldering/soldering equipment and experience to do this. I would not recommend trying yourself. Plus you need a NOR reprogrammer (HW + SW)
5. You can't just buy a new chip (as far as I know), you could maybe buy an iPhone 3g that was broken in some other way and salvage the chip from there.

Thanks for taking the time to reply!

The xpwn/xpwntool will definitely help me get the files I need, and there is the correct version of BBUpdaterExtreme within the restore ipsw as well. Nice! I was worried about using the wrong version.

My problem now is that I can't seem to connect to the phone with ssh - iTunnel doesn't find it and I can't find it's IP address via USB to do it without iTunnel. And MobileTerminal just opens and loads the keyboard and then closes right away - no error messages (but I still need to look at the phone logs to see if there are any there). So I'm stumped on how to make BBUpdaterExtreme executable and run it without some sort of terminal access.

Two more questions:

1. Is there a way to stick a Perl script or bash script in the AutoInstall directory and get around the need for terminal access?
2. Do you have links to posts that describe how to replace the chip itself if the hardware is indeed fried?

Thanks again for your time and help!

Quote:

---

Originally Posted by aproximation

My problem now is that I can't seem to connect to the phone with ssh - iTunnel doesn't find it and I can't find it's IP address via USB to do it without iTunnel. And MobileTerminal just opens and loads the keyboard and then closes right away - no error messages (but I still need to look at the phone logs to see if there are any there). So I'm stumped on how to make BBUpdaterExtreme executable and run it without some sort of terminal access.

Two more questions:

1. Is there a way to stick a Perl script or bash script in the AutoInstall directory and get around the need for terminal access?
2. Do you have links to posts that describe how to replace the chip itself if the hardware is indeed fried?

---

I would try and solve the mobileterminal problem.

The AutoInstall directory is designed for Cydia packages. You would need to package the script up as a Cydia package to get it to work this way.

I explained the hardware side of things in an update to my previous post.

Do you not have warranty on this device? Applecare is always a good investment on an iPhone/iPad/iPod.

No warranty. The phone was given to me by someone who was given the phone by someone else. It's either fix the phone myself or buy a new one I think.

I was really hoping to be able to fix this one. I hate being defeated by my own inabilities.

It looks like you have confirmed what I was trying to deny - repairing the hardware is most likely going to break things worse if I try to do it myself, and flashing the NVRAM is a one in a million shot.

I'll give flashing the ram a shot and then if that doesn't work I guess I'll have to bite the bullet and get a new one. How much blood would I have to donate to get enough for a phone I wonder. :D

Thanks again for your help!

Please keep us updated on the reflashing!!! If we could reflash the baseband down to a version which is unlockable by sn0w then we wouldn't have to wait till the end of June for the next unlocking. This would be perfect for those of us who are stuck on the latest baseband with no way to go back (5.0.9 bootloader).

I created an account just to keep up with this. :P I accidentally updated today to 3.1.3 after using my iPhone for all of two weeks on T-mobile. :mad:

Quote:

---

Originally Posted by Slurms Mckenzie

Please keep us updated on the reflashing!!! If we could reflash the baseband down to a version which is unlockable by sn0w then we wouldn't have to wait till the end of June for the next unlocking. This would be perfect for those of us who are stuck on the latest baseband with no way to go back (5.0.9 bootloader).

---

The devteam have surely been looking for holes to allow baseband downgrade. Apple was incredibly fast in closing off the baseband bootloader 05.08 hole. Nothing has been found in the two years since. I really doubt there will be another downgrade solution via an exploit in 05.09 or higher.

Hardware reflashing has been demonstrated to work.

It seems that if BBUpdaterExtreme won't take downgrades, however, what's stopping us from convincing it that the firmware we're applying is a newer version? What sort of checks does BBUpdaterdo to verify the version number? We're not trying to put a modified baseband on there, just an older version renamed to an newer or "current" version, then using Ultras0w to unlock.

Looking at the command used to force 2.28 from 2.30 (from here 3G iPhone BaseBand Downgrader!! (go from 02.30.03 to 02.28.00 baseband) - Demonoid)
./BBUpdaterExtreme update -f ICE2_02.28.00.fls -e ICE2_02.28.00.eep

That -f tag looks like "force" to me. I wouldn't mind trying to force 5.11 on there, but I want to make sure I can get back to 5.12 if it ends up corrupting my flash. Does anyone know the parameters associated with BBUdaterExtreme and what checks it does on the firmware before flashing it? Again, I'd be putting apple signed stuff on there, so the bootloader shouldn't complain once its on there. Since the bootloader is "permanent" it won't complain about having an older firmware on it that is genuine. I don't see how its possible for it to fail integrity checks simply because its an older version then what was previously on there.

If the bootloader accepts the old code once its on there, then we can unlock using ultrasn0w as before, and all the 3g users can once again rejoice. :D

Perhaps we could look into modifying the BBUpdaterExtreme binary? Does the bootloader check the BBUpdater? I'd imagine so, and that's where the problem is. :rolleyes:

I'm probably going through the thought process that the Dev team did a few years ago, however, seeing that hardware flashing seems to work... I think that if we could convince the updater the older firmware is a newer version, or otherwise force the "update," then unlock is a hop and a skip away.

Quote:

---

Originally Posted by Slurms Mckenzie

Does the bootloader check the BBUpdater? I'd imagine so, and that's where the problem is. :rolleyes:

I'm probably going through the thought process that the Dev team did a few years ago, however, seeing that hardware flashing seems to work...

---

Hardware flashing focuses on just flashing the bootloader down to 5.8 version. Then the existing software based bootloader exploit is used to flash/downgrade the baseband

It's my understanding that the bootloader does check the baseband is correctly signed and is a higher version than currently loaded before it allows bbupdater to flash the baseband.

Well, looking at this it seems that you can flash the current firmware:
Manually flash iphone to 05.11.07 baseband

Of course they mention that you shouldn't try if you're on 5.12...
I guess the only way to get around this would to be to defeat the sign checks done by the bootloader.... which is how the 5.8 one lets you downgrade. Ugh. If only I had an early build of the 3g. :(

I think then the only way to get around this is to modify bbupdater to convince the bootloader that it's a later version. I think a good way to go about this is to pull the 4.0 beta baseband, 5.13, and have the bootloader "check" that, but have bbupdater flash the older firmware. Sort of like a card trick. :P

Forgive my ramblings, this is my way of getting out my frustration on having accidentally updated. My brain won't stop thinking about ways around it!