iPhone unlock (1)

Source: Internet
Author: User

 

What is written before

 

 

I have been using the iPhone for more than a year. I had upgraded, jailbroken, and unlocked it 41 weeks ago and was getting a little tired of playing with it, when limera1n suddenly dropped. Although I already had experience with self-made 4.1 firmware, at that moment I still wanted to try again, but mine is the Japanese model and cannot have its baseband upgraded. However, greenpois0n requires the official firmware. When I saw that TinyUmbrella could protect the baseband during the upgrade (I did not notice that only the iPhone 4 was supported), I resolutely tried it. There was no 1005 error during the update, and after the iPhone restarted successfully I could see baseband version 05.14.02 displayed in TinyUmbrella. I don't know why, but I was not depressed; I had a smile on my face. Hey, it's fun ......

 

Discussion

I will ramble on a bit more here; I expect everyone has already flamed me and started answering the question. First of all, I am also a programmer. Why can't we Chinese do what others can do? Instead of refreshing forums every day waiting for someone else's soft unlock, it is better to actually do something. I had never touched Mac development before, so everything started from scratch. After a week of research, this is the first result. I don't know whether I can unlock it, but the learning process is another kind of achievement, so here I will share what I have learned. There are still many difficult problems that need help to solve. (Due to my limited knowledge and this being my first contact with Mac development, there must be many misunderstandings, even basic ones. I hope everyone will forgive them and point them out promptly so that we can all make progress together.)

 

Origin of the soft unlock

As the name implies, a soft unlock uses software to unlock the phone. Why do the 3G/3GS/4 need a soft unlock? Apple added many verification mechanisms in response to the 2G unlock: the baseband's bootloader must pass verification by the bootrom, and the baseband program must pass verification by the bootloader. This verification is performed before the corresponding program starts, so no modification of the bootloader or the baseband program is allowed. So how can we unlock it? There are three methods!

 

1. Use a special SIM card so that it passes verification by both Apple and the carrier.

This was probably the principle of the 3G unlocks on versions earlier than 2.2. The vulnerability was that only two IMSI checks were verified by Apple.

For details, search Baidu for "iPhone SIM cracking principles".

 

2. Once the baseband program is running, find a vulnerability, inject code, and patch some routines to unlock. ultrasn0w and blacksn0w use this principle. Because the patch only modifies RAM, the code has to be re-injected after every restart or baseband reset.

 

3. Use a vulnerability in the baseband bootloader to downgrade the baseband program, then unlock it with ultrasn0w. This vulnerability exists in the 3G's 5.8 bootloader, but only a small number of devices benefit.

AT commands

Unsurprisingly, we all unlock through method 2, so the question is how method 2 works. It is similar to a typical PC vulnerability attack: if the receiving side is completely closed off, there is no way in at all. But the baseband must communicate with the phone, so we have a chance. The phone communicates with the baseband via AT commands. There are many AT commands; search Baidu for details. If you want to try AT commands, you need to install minicom and MobileTerminal on the phone. However, I suggest installing OpenSSH, so that it is convenient to work from the computer through PuTTY or another SSH client.

1) Run minicom -s to configure it.

 

 

 

 

2) In Serial port setup, change the serial device to /dev/tty.debug, save the setup as dfl, and select Exit to enter command mode.

3) Enter the command AT to test. Sometimes it does not work because the port is occupied by another process; rebooting generally helps. We recommend uninstalling ultrasn0w and trying again.

4) After entering AT, if OK is displayed, it succeeded (in flight mode, or with flight mode disabled).

 

5) AT+XGENDATA returns some information about the baseband. Here we can see the baseband version number.

 

 

If the commands you type are not echoed, enter ATE1 and press Enter to turn echo on; after that you can see what you typed. There are many other commands; keep searching Baidu. The general commands are standard, so play with them as you like. If entering some command causes the baseband to crash, remember it: it may be a usable vulnerability ~ But don't publish it lightly. If Apple learns of it, they can patch it.
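The steps above (AT, ATE1, AT+XGENDATA) all boil down to reading CR/LF-separated lines from the baseband until an OK or ERROR terminator, with the command echoed first when ATE1 is on. As an added example, not code from the original post, here is a small parser for that reply format; the responses it is fed are constructed, since the page does not show the real +XGENDATA payload layout.

```c
/* Added example: parse what the baseband sends back over the AT channel,
 * tolerating the command echo that ATE1 turns on. Sample responses are
 * constructed for the demo. */
#include <stdio.h>
#include <string.h>

enum at_status { AT_OK = 0, AT_ERROR = 1, AT_INCOMPLETE = 2 };

/* Copy the body lines (between the optional echo and the final OK/ERROR)
 * into out, one per line, and return the terminator seen. Lines are
 * CR LF separated as on a real modem port. */
enum at_status at_parse(const char *cmd, const char *resp,
                        char *out, size_t outlen)
{
    const char *p = resp;
    size_t cmdlen = strlen(cmd), used = 0;

    out[0] = '\0';
    if (strncmp(p, cmd, cmdlen) == 0)      /* ATE1 echo of our own command */
        p += cmdlen;

    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '\r')) {
            /* blank separator line: skip it */
        } else if (len == 2 && strncmp(p, "OK", 2) == 0) {
            return AT_OK;
        } else if (len == 5 && strncmp(p, "ERROR", 5) == 0) {
            return AT_ERROR;
        } else if (used + len + 1 < outlen) {
            memcpy(out + used, p, len);    /* keep an information line */
            used += len;
            out[used++] = '\n';
            out[used] = '\0';
        }
        if (!eol) break;
        p = eol + 2;
    }
    return AT_INCOMPLETE;                  /* no terminator yet: read more */
}

/* Helper for checks: 1 when both the status and the body match. */
int at_parse_is(const char *cmd, const char *resp,
                enum at_status want, const char *want_body)
{
    char body[256];
    return at_parse(cmd, resp, body, sizeof body) == want
        && strcmp(body, want_body) == 0;
}
```

Feed at_parse the bytes read from /dev/tty.debug after sending the command; AT_INCOMPLETE means the terminator has not arrived yet and more should be read.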

 

 

 

 

Buffer Overflow

What is a buffer overflow attack? It is actually a code injection attack made possible by the weak bounds checking of the CPU architecture and the C language. In the past, the Windows Blaster worm and others exploited this kind of vulnerability.

For specific technical details, refer to the following link. Although it is about an overflow attack on Windows, the principle is basically the same.

http://www.vckbase.com/document/viewdoc?id=1503 Buffer Overflow Attack and Defense, Author: local variables

 

The baseband unlocks from 4.26.08 through 5.13.04 are all completed with a single AT command (ultrasn0w).

We only need one command to unlock it!!

The following information comes from the wiki maintained by the great gods (http://theiphonewiki.com/wiki/index.php)

(If your English is good you can browse it yourself (you need to get past the firewall). I will explain it in detail later.)

 

4.26.08: AT+XLOG=1,"dddddddddddddddddddddddddddddddd44445555pppp"

The d's are filler that overwrites the baseband program's stack, and the following registers are overwritten:

R4 = 4444, R5 = 5555, PC = pppp

R4, R5, and R6 are registers of the ARM CPU, and PC is the program counter. In other words, with such a command we can change the normal flow of the program: modifying the PC makes the program jump to whatever address we want. Of course, the command above is not the real unlock command (the real command will be explained in detail later).

 

5.11.07, 5.12.01, 5.13.04 (iPhone 4: 1.59.00):

AT+XAPP="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777pppp"

Here R7 is overwritten as well (with the 7s); the rest is exactly the same as XLOG. This vulnerability survived across three versions. The reason the Dev Team did not release it earlier is that it had not been fixed yet, so now you understand why you should not upgrade to the next version: the vulnerability must be preserved, or it is wasted. If a major upgrade comes, you will not be able to unlock in time, which is even more depressing, and that is why we have to take matters into our own hands.
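Both the XLOG and the XAPP payloads above work because the handler copies the quoted argument into a fixed-size stack buffer without checking its length. As an added example, not the page's or ultrasn0w's code, here is that unsafe pattern beside a bounds-checked extractor that rejects over-long arguments before copying; ARG_MAX is an assumed buffer size chosen for the demo, as the real baseband's buffer size is not on the page.

```c
/* Added example: an AT argument handler of the kind the AT+XLOG / AT+XAPP
 * overflows depend on, beside a bounds-checked version. ARG_MAX is an
 * assumed size for the demo, not the real baseband's. */
#include <stdio.h>
#include <string.h>

#define ARG_MAX 32

/* UNSAFE pattern, shown for contrast and never called here: the quoted
 * argument is copied into a fixed stack buffer with no length check, so an
 * over-long argument runs past buf into the saved registers and return
 * address, which is what the "dddd...44445555pppp" layout fills. */
void xlog_unsafe(const char *arg)
{
    char buf[ARG_MAX];
    strcpy(buf, arg);                 /* unbounded copy: stack smash */
    printf("%s\n", buf);
}

/* SAFE version: extract the quoted string of a line such as
 * AT+XLOG=1,"..." into out, refusing anything that does not fit together
 * with the terminating NUL. Returns the argument length, or -1. */
int at_extract_quoted(const char *line, char *out, size_t outlen)
{
    const char *open = strchr(line, '"');
    if (!open) return -1;
    const char *close = strchr(open + 1, '"');
    if (!close) return -1;
    size_t len = (size_t)(close - open - 1);
    if (len >= outlen) return -1;     /* would overflow: reject, never copy */
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Parse into an ARG_MAX buffer; -1 means the line was rejected. */
int at_arg_len(const char *line)
{
    char buf[ARG_MAX];
    return at_extract_quoted(line, buf, sizeof buf);
}

int main(void)
{
    const char *lines[] = { "AT+XLOG=1,\"short\"",
        "AT+XAPP=\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777pppp\"" };
    for (int i = 0; i < 2; i++)
        printf("%s -> %d\n", lines[i], at_arg_len(lines[i]));
    return 0;
}
```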

 

5.14.02: (the main character takes the stage)

Through my research I also found a command that crashes the baseband. Hey hey, I will keep it confidential for now. At present I cannot fully prove whether this vulnerability can be overflowed. However, testing on the 5.13.04 baseband shows it basically behaves like XAPP.

 

How to parse the unlock code

Next, I will explain how to parse ultrasn0w's injected code.

To be continued, please wait ..................

 

 

 

 

 

 
