Monday, August 27, 2007

I'm at RIT


I came in yesterday and am finally set up. I barely have any free time; there is always something or other scheduled. I will be doing consulting work for Certicell and Puremobile in the little bit of free time I have. My project for now is a GPS for the iPhone that uses triangulation from the cell phone towers. I believe the towers are public record and you can use an AT command to get signal strength.

Saturday, August 25, 2007

THE iPhone HAS BEEN TRADED

Terry Daidone, the founder of Certicell, contacted me this morning and offered to make a trade for the iPhone. I traded it for a sweet Nissan 350Z and three 8GB iPhones. I will be sending the iPhones, unlocked if they wish, to jpetrie (the first donator), gray (the reversing genius), and iProof (who is truly amazing at finding stuff online). Thanks a lot everyone. I leave for college tomorrow, and this has been a great end to a great summer. If I ever do anything more with the iPhone, it'll definitely be posted here. Also I contacted iphonesimfree and offered to verify on this blog their claims of a software unlock. No response yet...

More ebay problems


I was forced to end the listing early due to a total lack of cooperation from ebay. If you are interested in buying it, either e-mail me or comment on this blog post with a phone number.
If you contact me before 3 PM EST with an acceptable offer, I will hand the phone over to you live on CNN in the 5 PM segment.

ebay Problems


I have had tons of problems with ebay and this auction. If you are serious about buying the phone, please e-mail me with your phone number. I will call you to discuss it. I will cancel any bids that appear to be fraudulent, so please, don't be an ass. I understand no one would ever pay millions for this phone :-)

I PLAN ON SELLING THE PHONE TO THE HIGHEST LEGIT BIDDER AT 9:00 PM EST TOMORROW

I am hoping to buy a car with the money, as my previous summer project was going to be fixing up my 3000GT, which I got the engine out of, but never could quite get back in :) I also want to buy iPhones for the members of the team that don't have them.

Thursday, August 23, 2007

The Phone is for sale

eBay Auction

This is the phone that was unlocked live here this morning. It includes the phone, the world's first serial dock, and the official unlock switch from the blog.

As a note, if you are only bidding on this to get an unlocked iPhone, don't. There are much cheaper and easier ways to get one. This is a piece of cell phone history. I have no intention of ever starting an unlocking service.

I have attempted to fix the auction. It is very hard to deal with the people at ebay. I may be reposting the auction if ebay can't solve this problem.

The Energy it took...

Postmortem

So if you follow these steps, you should have an unlocked iPhone. I'm sorry about how hard they are to follow, but someone will get them to work, and simplify them, and simplify them more. Hopefully a software unlock will be found in the near future.
I'm sorry to say I won't be in the iPhone scene anymore. I leave for college in two days, and I have so much to do. We still have a good amount, about a grand, of donation money left. We definitely need to buy jpetrie a new iPhone. He donated the original phone that made all this possible. I'll even unlock the new phone for him. With the money left over, if anyone wants it back, drop me a line. I wish I had time right now to unlock iPhones for people, but even with this method it'll take me two hours per phone, and I'm leaving so soon. I will continue to post to this blog, and I will continue to work with the iPhone, but not on a software unlock. I am pretty much useless there. I plan on setting up an ssh box into my test iPhone for gray to play around with. In these posts/files is basically everything I know. I have a few cool ideas for things I want to do with the phone, like a cell phone tower based GPS. I will detail everything on this blog.
Using this exploit it should be very easy to permanently mod your phone to run unsigned code. Just write 0xFFFFFFFF to the locations the bootrom checks. I don't believe they are used. Also, if anyone finds a way to erase the bootloader from software, this becomes a software unlock.
I really wish I had more time to detail all of this, and one day I will. You will always be able to reach me at geohot at gmail. This has been a great community and has been a great trip. I hope I was a positive influence on the community. Thanks so much everyone, I have learned so much. Coming into this project I didn't know that cell phones used AT commands, or that there was a distinction between kernel/user space. I had once in my life looked at IDA before this, and found it too confusing. I still can't reverse well, but this is definitely something I want to learn. Thanks again everyone.

Step 10: The Last One

minicom into /dev/tty.baseband. If you already used up your attempt counter, the phone should already be unlocked. If not, just run 'AT+CLCK="PN",0,"00000000"'. That will unlock the phone for sure. Run 'AT+CLCK="PN",2'. It should finally return 0!!!
Your phone is now unlocked. Exit minicom and copy the CommCenter plist back to its place. Reboot. iASign. And enjoy your unlocked iPhone.

Step 9

The final tool is iUnlocker. This tool uploads a small program, "testcode.bb", to the baseband using the bootrom exploit. This program needs to be in a dir with "nor", the file you obtained in the last step. You need to have the switch on when running this program. This will download and run the code in "testcode.bb". Then the program will stop and ask you to turn off the switch. Do so. You type any character then hit enter. The nor download starts right away. When the counter reaches 0x2E4000, it is done. Run "bbupdater -v". Hopefully it will return the xgendata. If it does, the nor upload was successful.

Step 8

Now it's time to patch the firmware. Thanks to gray for finding these patches; this required some very complicated reversing. First, you need to extract the firmware from your nor dump. The range you need is 0x20000-0x304000. Save this file as "nor". The patches you need to apply are as follows. These are offsets from the beginning of the file saved as "nor". Choose your version, and patch.
3.12: (213740): 04 00 a0 e1 -> 00 00 a0 e3
3.14: (215148): 04 00 a0 e1 -> 00 00 a0 e3
Resave the file nor, you'll need it soon...
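The extraction and patch from step 8 as a small script, with the check the step itself doesn't mention: it refuses to write the patch unless the bytes already at the patch site are the original ones listed above, so a wrong version or a bad dump is caught before anything is changed. This is an added example, not the tool from the blog or from gray; the offsets and byte patterns are those listed in step 8, the NOR image it runs on is a constructed stand-in, and the ARM decode of the two words (the original is mov r0, r4, the patched word is mov r0, #0) is added here for explanation.

```python
"""Extract the main firmware from a NOR dump and apply the step 8 patch.

Added example, not code from the original post. FW_START/FW_END and the
PATCHES table are the values given in step 8; everything else (the
constructed dump, the MOV decoder) is an assumption made for illustration.
"""
import struct

FW_START, FW_END = 0x20000, 0x304000          # range of the NOR dump saved as "nor"
PATCHES = {                                    # version -> (offset in "nor", old bytes, new bytes)
    "3.12": (213740, bytes.fromhex("0400a0e1"), bytes.fromhex("0000a0e3")),
    "3.14": (215148, bytes.fromhex("0400a0e1"), bytes.fromhex("0000a0e3")),
}


def extract_firmware(nor_dump: bytes) -> bytes:
    """Cut the 0x20000-0x304000 region out of a full NOR dump."""
    if len(nor_dump) < FW_END:
        raise ValueError("dump too short: expected at least 0x%x bytes" % FW_END)
    return nor_dump[FW_START:FW_END]


def patch_site_matches(fw: bytes, version: str) -> bool:
    """True when the bytes at this version's patch offset are the expected originals."""
    off, old, _ = PATCHES[version]
    return fw[off:off + len(old)] == old


def detect_version(fw: bytes):
    """Return the single version whose patch site matches, or None if zero or several do."""
    hits = [v for v in PATCHES if patch_site_matches(fw, v)]
    return hits[0] if len(hits) == 1 else None


def apply_patch(fw: bytes, version: str) -> bytes:
    """Return a patched copy; raise instead of writing over unexpected bytes."""
    off, old, new = PATCHES[version]
    if not patch_site_matches(fw, version):
        raise ValueError("bytes at offset %d are %s, not %s; wrong version or bad dump"
                         % (off, fw[off:off + 4].hex(), old.hex()))
    out = bytearray(fw)
    out[off:off + 4] = new
    return bytes(out)


def describe_mov(word_le: bytes) -> str:
    """Decode a little-endian ARM MOV (register or immediate form) for explanation only."""
    w = struct.unpack("<I", word_le)[0]
    if (w >> 21) & 0xF != 0b1101:
        raise ValueError("not a MOV data-processing instruction")
    rd = (w >> 12) & 0xF
    if (w >> 25) & 1:                         # immediate form: imm8 rotated right by 2*rot
        rot = ((w >> 8) & 0xF) * 2
        imm = ((w & 0xFF) >> rot) | ((w & 0xFF) << (32 - rot)) & 0xFFFFFFFF if rot else w & 0xFF
        return "mov r%d, #%d" % (rd, imm)
    return "mov r%d, r%d" % (rd, w & 0xF)     # register form: Rm in bits 0-3


def make_constructed_dump(version: str) -> bytes:
    """Constructed sample NOR image: zero filler with the original bytes at one patch site."""
    img = bytearray(FW_END)
    off, old, _ = PATCHES[version]
    img[FW_START + off:FW_START + off + 4] = old
    return bytes(img)


if __name__ == "__main__":
    fw = extract_firmware(make_constructed_dump("3.14"))
    ver = detect_version(fw)
    print("detected modem version:", ver)
    patched = apply_patch(fw, ver)
    off = PATCHES[ver][0]
    print("before:", describe_mov(fw[off:off + 4]), " after:", describe_mov(patched[off:off + 4]))
```

On a real dump you would replace make_constructed_dump() with reading the NORDumper output from disk and then write the result of apply_patch() out as "nor"; detect_version() doubles as a sanity check that the dump really came from the version shown in Settings->About.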

Step 7

So here is the first tool release, iEraser. This erases the current firmware on your modem. Don't worry, you can always put it back with bbupdater. Here's how the bootrom check works: it reads from 0xA0000030, 0xA000A5A0, 0xA0015C58 and 0xA0017370, and all these addresses must read as blank, or 0xFFFFFFFF. When you erase flash, it becomes 0xFFFFFFFF. But you can't erase those locations, because they are in the bootloader. So that's where the testpoint comes in. Pulling A17 high in hardware ORs the address bus with 0x00040000 (A17 lands on bit 18 of the byte address because the data bus is 16 bits wide). So the bootrom instead checks locations 0xA0040030, 0xA004A5A0, 0xA0055C58 and 0xA0057370, which are in the main firmware and can be erased. Pretty genius :)
To use this tool, you need the secpack from your modem's version. The erase of this section is protected. Check the modem version in Settings->About. It'll either be 3.12 (1.0) or 3.14 (1.0.1 and 1.0.2). You need the ramdisk which corresponds to your version. Then go into "/usr/local/standalone/firmware" and get the ICE*.fls file. Extract 0x1a4-0x9a4 and save it in a file called secpack and place it in the same directory as the ieraser tool. Run ieraser. This should erase the modem firmware and leave you one more step on your way to unlocking.
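To make the address-bus trick in step 7 concrete, here is a small model of the check, added as an example and not code from the post or from the iEraser tool. It simulates a NOR flash at 0xA0000000 whose bootloader region cannot be erased, erases only the main-firmware range that step 8 extracts (0x20000-0x304000), and then evaluates the four check addresses with A17 low and with A17 forced high. The four addresses, the 0x00040000 mask, and the 0xFFFFFFFF blank value come from the post; the flash model itself (size, filler bytes) is an assumption for illustration.

```python
"""Model of the S-Gold2 bootrom blank check and the A17 testpoint (step 7).

Added example, not code from the original post. Layout values are from the
post; the NorFlash class is an illustrative model, not the real part.
"""

NOR_BASE = 0xA0000000
NOR_SIZE = 0x400000                              # assumed 4 MB image; only the layout matters
MAIN_FW_START, MAIN_FW_END = 0x20000, 0x304000   # erasable main firmware (the step 8 range)
A17_MASK = 0x00040000                            # pulling A17 high ORs this into every address
BLANK = 0xFFFFFFFF

# The four locations the bootrom reads; all must read as BLANK for it to accept unsigned code.
BOOTROM_CHECK_ADDRS = (0xA0000030, 0xA000A5A0, 0xA0015C58, 0xA0017370)


class NorFlash:
    """Byte-addressable flash image; the bootloader region below MAIN_FW_START is protected."""

    def __init__(self, size=NOR_SIZE):
        # Constructed filler: nothing reads as erased until we erase it.
        self.mem = bytearray(b"\x5A" * size)

    def erase(self, start, end):
        """Erase [start, end) relative to NOR_BASE; refuse to touch the bootloader."""
        if start < MAIN_FW_START:
            raise PermissionError("bootloader region is protected")
        self.mem[start:end] = b"\xFF" * (end - start)

    def erase_main_firmware(self):
        """What iEraser does: blank only the main-firmware section."""
        self.erase(MAIN_FW_START, MAIN_FW_END)

    def read32(self, addr, a17_high=False):
        """Read a little-endian word; with A17 pulled high the bus sees addr | A17_MASK."""
        if a17_high:
            addr |= A17_MASK
        off = addr - NOR_BASE
        return int.from_bytes(self.mem[off:off + 4], "little")


def effective_check_addrs(a17_high):
    """Addresses the bootrom actually samples, given the state of the unlock switch."""
    return tuple(a | A17_MASK if a17_high else a for a in BOOTROM_CHECK_ADDRS)


def in_main_firmware(addr):
    """True if a NOR address falls inside the erasable main-firmware range."""
    return MAIN_FW_START <= addr - NOR_BASE < MAIN_FW_END


def bootrom_accepts_unsigned_code(flash, a17_high):
    """The check from the post: every sampled location must read as 0xFFFFFFFF."""
    return all(flash.read32(a, a17_high) == BLANK for a in BOOTROM_CHECK_ADDRS)


def demo():
    """Erase the main firmware and evaluate the check with the switch off and on."""
    flash = NorFlash()
    flash.erase_main_firmware()
    return {
        "switch_off": bootrom_accepts_unsigned_code(flash, a17_high=False),
        "switch_on": bootrom_accepts_unsigned_code(flash, a17_high=True),
    }


if __name__ == "__main__":
    print(demo())
    for a, b in zip(BOOTROM_CHECK_ADDRS, effective_check_addrs(True)):
        print("%08X (bootloader) -> %08X (main fw: %s)" % (a, b, in_main_firmware(b)))
```

Running it shows the point of the testpoint: with the switch off all four reads land in the protected bootloader and the check fails, while with A17 high the same reads alias into the freshly erased main-firmware region and the bootrom sees four blank words.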

Think of how pretty it'll be...

A Little Motivation


This is the world's second (outside super secret apple vault) unlocked iPhone.

Step 6

Now, with the switch off, your baseband should be working perfectly. Here you should take a NOR dump of your phone. The dev team's NORDumper is a great way to do this. This is good to have in case something goes wrong. You can extract the firmware from this as well, which we'll get to later.

Step 5

If it passed the checks in step 4, congratulate yourself. You are a pro solderer. Go eat lunch. If not, don't worry yet. I must've thought I bricked my phone 100 times. First of all, to power up your phone you don't need to reconnect the case with the power button. Just connect it with USB, it'll power itself up. Secondly, don't waste time compiling minicom. Download the binary here, and termcap here.

Step 4

Ok, time to test what you just soldered. First use the continuity check on a multimeter to make sure the wires aren't shorting to ground or to each other. Make sure your switch is in the off position. Power up your iPhone. Hopefully it didn't smoke :) Now go into minicom to tty.baseband and send a few commands; AT a few times will do. It should respond OK. Now flip your switch; the baseband should stop responding. Even when you flip it back, the baseband still shouldn't respond. Be sure your switch is off, then open another ssh and run "bbupdater -v". You can get bbupdater off the ramdisk. This should reset the baseband, and minicom should start working again. If it did this, your soldering is most likely good, and you are ready to actually start unlocking your phone!!!

Zoomed In Step 3


You can do it. I believe in you.

My Finished Step 3


Hopefully yours will look like this.

Step 3


The red line is covering the A17 trace. In order to trick the chip into thinking the flash is erased in the correct section, you will need to pull this high. Scrape away at the trace with something like a multimeter probe. Then solder a very thin wire to it. Be very careful. Only scrape away at the solder mask above that one trace. YOU DO NOT WANT TO BREAK THE TRACE. This is the hardest step in the whole process; the rest is cake. Also solder a wire to the 1.8V line. Connect the wire coming from the trace and the wire coming from the 1.8V line to your unlock switch. Be careful, you only get one chance to do this right. Thanks again to Nick Chernyy for the picture.

Step 2


Also remove the metal cover over the comm board. This is all the disassembly you have to do. If you feel like being safe, desolder the battery red lead. I didn't :)

Step 1


First, I would like to say thanks again to gray, iProof, dinopio, lazyc0der, anonymous, the dev team, nightwatch, and everyone who donated. Without them, there would be no unlock today, and I surely wouldn't be up at 8AM.
Second, you may brick your iPhone using this tutorial. YOU ARE WARNED.
Okay on to the actual step. Remove the black part, the three screws, and the aluminum case. Disconnect the wire connecting the phone to the case. Do not remove anything else. Comment on these posts if you are with me so far. Once we get a good number of comments I'll move on.

Some Comments on the Method

This method is very similar to the method used to unlock the Siemens phones with the S-Gold2 chipset. The S-Gold2 has a bootrom which allows you to download a bit of unsigned code. This code is run if certain flash addresses are blank. Using a little hardware trick, which I'll explain later, we make them appear blank. Then once we have unsigned code running on the baseband, we can download a modified firmware, with the unlock patched in, to the nor flash. The signature checks only cover this region while it is being downloaded the first time. Once the code is on the NOR we can do whatever we want. So patch out the PN lock; Voila, unlocked iPhone.

What you need


--First, an iPhone. Of the sshed and jailbroken variety. Also, kill commcenter by moving the LaunchDaemon plist out of the directory.
--Some trusty case opener tools(read: guitar picks) Read one of the many tutorials available online for taking apart your phone.
--A soldering iron. This should've cost you more than $10.
--Fine pitch wire. I used magnet wire salvaged from a little motor.
--An unlock switch. The bigger and more badass, the better. Or if you are cheap, wire cutters :-)
--A red bull. This requires concentration, something I don't have without Red Bull.

ITS RELEASE TIME

Welcome to the final countdown. I am leaving for college Saturday, and have been busy lately with getting everything ready. And once I am there, I really won't have much time to work on the iPhone. But I don't want to leave being the only person with an unlocked iPhone :) So we have decided to release the hardware unlock. The hardware required is decently simple, and most people who have modded a game system have the soldering ability required to do it. This has been a great adventure, the "summer of the iPhone", and I finally achieved my goal of getting my phone working on T-Mobile. So it's about time everyone else can do this too.
Here is the release plan. Last night, I went to the Apple store, and purchased a brand new 4GB iPhone. At 8AM EST sharp, I will begin unlocking a NIB iPhone step by step on the blog along with everyone who wants to come along. I'll be answering any questions on #iphone.unlock @ undernet. I'll be doing the hardware part first, so you can wait to see if you think the hardware is too complicated before diving in and taking apart the phone. But it really is only a wire that needs to be soldered. So see you all at 8 AM EST.

Tuesday, August 21, 2007

FULL HARDWARE UNLOCK OF IPHONE DONE

Video

Yes that's right, we have an unlocked iPhone. The hardware is only used to unlock the iPhone, and can be removed after it's unlocked. Thanks to gray, iProof, geohot, dinopio, lazyc0der, and an anonymous contributor for making this possible. Thanks also to everyone who donated and stuck with us in #iphone.unlock. Our group has agreed to release the method in one week. The current method involves taking apart your phone and doing some complicated soldering, with a high probability of a bricked phone. Although after the phone is unlocked all the hardware can be removed. We hope to find a software unlock very soon. So in one week exactly from this blog post (that's less than the time it takes to ship a turbosim) we will release simple step by step instructions for unlocking, probably not even involving hardware. Sorry about the wait, but I assure you it will be worth it.

Monday, August 20, 2007

Allowed MCCMNC's

310-150
310-170
310-410
001-010
311-180
310-980
Thanks to gray who has been reversing the main fw for finding this.

Sunday, August 19, 2007

Your iPhone can CLCK, but can it CLUCK?


Just to clarify, CLUCK is the noise a chicken makes and nothing more.

Saturday, August 18, 2007

The Unlock Switch

Wednesday, August 15, 2007

Booting from the Bootrom

This was the wrong testpoint. Please see the correct one in the unlocking tutorial.

The key, at least in the Siemens phones, to getting the S-Gold2 to boot from the BootROM, is to disable the flash. The BootROM is believed to check for "CJKT" @ 0xA000003C then boot from the address @ 0xA0000038. So if it can't find that CJKT then it will boot into recovery mode. That "testpoint" is #R_OE, so pulling it low will enable the RAM outputs, effectively disabling the flash ones. But the Siemens protocol to access the bootrom doesn't seem to be working. The logic analyzer picture is what TX from the S-Gold2 looks like, so something is definitely running. We need to dump it (0x00400000) and reverse it.

Tuesday, August 14, 2007

Dump 0x00400000

This is the bootrom, and the key to full nor access.

NORtool

This is the start of a universal nor access tool using the interactive mode of the bootloader. Have fun, I'll release the executable file at a later date when I feel it is mature enough to do so. It needs to be linked with IOKit. This was written by reversing the dev team's NORdumper.

Monday, August 13, 2007

AT Commands from the Computer


I connected up a level converter board to the UART found earlier. I cut tx coming from the logic board to stop the signals from conflicting. The lag came from minicom, so this interface is instant.

Some Chip Internals

iProof PMed me this morning with some new information, and it seems to be correct. First, he found a register list, which at least matches up for USART0. Also there is a bootrom at 0x00400000 which loads in case the flash isn't working. This is our new in. It should allow a full reflash without any sig checking. Although the protocol for the bootrom doesn't seem to match the Siemens phones.

Sunday, August 12, 2007

Ha Ha


They really don't do a good job checking the signature of the EEP

Saturday, August 11, 2007

T-Mobile Sim Fully Working using JTAG

First, this is a bootleg hack, and isn't by any means an unlock. But it does work. The original idea of disabling the sim detect switch was brought to me by florin_m, and the idea is you boot with a valid sim then switch it. Thanks to JTAG I found out that the SIM is polled every second or so. So even if the detect switch is disabled, the phone still won't work with the new sim card. But here is a little trick, although impractical, to get a phone working with another sim.

Boot the phone or AT+XSIMSTATE=1 with an AT&T SIM. It doesn't have to have service.
Halt the core with JTAG (EXTEST all 1's).
Replace the SIM with any other SIM with valid service.
Resume the core with JTAG (EXTEST back to old state).

Now it should work with any SIM. This functions similarly to a SIM proxy without the SIM proxy hardware being required. But instead you need the JTAG hardware, which is arguably harder to get. Unfortunately a software halt won't work as the SIM is polled in an interrupt which still runs.

!!Call for ARM Reversers!!

I am setting aside JTAG for now until we come across more information. We have an idea for an attack on the baseband, but we need people who can reverse well. Basically we need people who are *very good* with ida. PM geohot on undernet if you think you can help.

Friday, August 10, 2007

Where we stand now...

We have three pretty much stalled approaches right now:
Cerberus--IO_SUPERVISOR still doesn't work. Find a datasheet or a PMB8876 tool. Latest tool code is here.
SAMPLE/PRELOAD--These are the raw dumps from the I/O pins. I don't have any way to understand them. Find a datasheet.
Stack in Trace mode--This is where I am focusing now. This is hopefully the stack of the running chip, but it's a mess. We need some good reversers to look at this.

And we need new approaches. I know a lot about this hardware, and can find just about anything. Like I could find the H5 debug or the network port. But what good would it be? These things all connect to the logic chip, which we already have full control over. We need new ways into the S-Gold2.

I have a surefire unlock, but it'd be a *real* hack. We could remove the NOR chip, download a modified firmware to it, and put it back. Or we could just remove it and connect an FPGA in its place. Then we could run whatever code we wanted. Including a hacked firmware.

S-Gold2 Datasheet


I heard rumors that the full S-Gold2 datasheet was 1200 pages. So I went around my house and collected all the papers I could find, just to get an idea of what it would look like. I would have so much fun reading that. Please, somebody get it.

Trace Mode...Not even a hardware hack

Since we figured out which UARTs were which, I figured it was safe enough to enter trace mode. UART2=tty.baseband, UART0=tty.debug. So run AT+XSIO=2, reboot, set AT+TRACE=1, and minicom to /dev/tty.debug. When I run AT I get
.P. ..SCC: T:0 C: ATSCC: T:0 R: OK
as a response.

UARTs UARTs everywhere

It's getting hard to make progress on JTAG, so I decided to relook at the UARTs. I logic analyzed the UART we found on the test points earlier. It is /dev/tty.debug, and that's why it isn't used on startup. It is called UART0 by the S-Gold2. Therefore UART2 is /dev/tty.baseband. But the chip only has 2 standard serial UARTs. I think UART2 is the USIF interface, but this is really just a guess. UART1 definitely doesn't connect to the logic board, because it is not on the connector. In fact I couldn't find it anywhere on the board. It may not be broken out. It's also weird that tty.debug only works for a little while after resetting the baseband. So therefore, AT+XSIO=2 shouldn't brick the phone. UART2 is the one you have to be careful of disabling.

Thursday, August 9, 2007

The drink of choice for leet hackers...


...who can't afford red bull.

Not that way to the NOR

Although I am reading from the io pins themselves, the A* pins must not be included. There must be a controller for the NOR flash that this dump isn't accessing. These are dumps of the SAMPLE/PRELOAD command at 50ms intervals. They are online here.

New Angle


Cerberus isn't working; I'm stuck on that IO_SUPERVISOR command. So I figured I'd take a more basic look at JTAG. JTAG has to implement two basic commands, EXTEST and SAMPLE/PRELOAD. EXTEST will load a register onto the I/O bus. SAMPLE/PRELOAD will read the I/O bus and load that register. Now what good is raw access to the I/O pins? Well, NOR flash is one of the simplest things to use; basically load the address bus, then pulse a pin to read, or load the address and data buses, and pulse a pin to write. So this should give us halted access to the NOR flash. With halted access, assuming we figure out how to patch out the sig checks, we could upload a modified firmware. Unfortunately we have no idea which of these I/O pins corresponds to what. The register is 510 bits long. A datasheet for the S-Gold2 will tell us this. But it may be possible to determine with some clever reasoning.

Wednesday, August 8, 2007

IO_SUPERVISOR

This command doesn't work, and it needs to work. Latest code is here. No further progress can be made on JTAG until we figure out why this command doesn't work. Read the docs here and here. We cannot do anything more until this works. I have tried a lot of things, and no luck. This isn't security, no security I've heard about would cause IO_SUPERVISOR to fail. It just keeps returning 1's and stays busy forever.

We haven't hit security yet...

I'll start by saying JTAGing in is still a very viable option. My current understanding of security is this: it only stops *running* memory access. Pre-reset halted memory access should work fine anyway. If we hold the reset pin while setting JTAG up it should work. This can be done in software by patching AppleBaseband. It's also very possible that it will work as is, and we just don't have the right commands. We know Infineon has made changes to Cerberus since that doc was written. So find the latest Cerberus doc...

JTAG Commands

0x00-0x07 Standard JTAG CMD's
0x10 Should be CCONF but acts like bypass(no 1)
0x22-0x23 noisemaker, randomly garbled data
0x2e 0xffff passes through, else 0x0000
0x54-0x55 always return 0
0xC0-0xCF Cerberus
Every other command behaves as a bypass

Tuesday, August 7, 2007

Doesn't seem to be working

I wrote code to run the Cerberus commands as detailed in the doc, but they don't seem to work. Either the S-Gold2 doesn't support these commands, I overlooked something stupid, or the security features are set.

So Infineon JTAG is documented

HERE. And the lengths match what I found.

The BB board makes noise...

Well, I think the IR register length of 8 is okay. The JTAG is totally non-standard. Infineon has modded the hell out of it. So we need one of three things, in order of goodness. One, S-Gold2 datasheet. Two, S-Gold2 JTAG tools, but not the Lauterbach ones. Three, another datasheet for an Infineon ARM9 chip with JTAG.

IR = length of DR
00000000 = 510
00000001 = 510
00000010 = 510
00000011 = 510
00000100 = 32
00000101 = 32
00000110 = 1
00000111 = 1
rest are 1
00100010 = 1 (MAKES SOUNDS)

Monday, August 6, 2007

You have JTAG, where is the unlock?

Here is the idea once we do get JTAG, and I'll explain why we don't have it later. The function that handles the CLCKing of PN clears two 16 byte blocks of memory. One has the user entered NCK copied into it. The other, I can only assume, has the real NCK. In that function, the real NCK is cleared from memory. So the idea is to put a breakpoint right before that clear, and read the contents of memory. JTAG should be able to do this, but the current software isn't working right. I know that all the hardware works, but for some reason the software will only connect when I set an Instruction Register length of 8. But all ARM9 processors should have an IR length of 4. The halt command isn't working, and that is the first step toward a gdb over jtag interface. So if you have any ideas about this, please tell me.

THE CHIPID HAS BEEN READ


The chipid has been read, so that means the JTAG hardware is working. The first half of the battle is over. I used OpenWinCE to connect, but it doesn't support this chip yet. So now we have to write software for JTAGing ARM926. But we know that the hardware is working!!!

Soldered


I knew if anyone could do this soldering, it would be my ex-mentor and friend Joe Barbetta. I brought the board down to his shop this morning, and under a microscope with some very fine gauge magnet wire, he soldered it. Thanks.

Sunday, August 5, 2007

This is taking forever...

It is really hard to get the JTAG soldered while still retaining the ability to put the boards back together. Hopefully we will be getting the datasheet soon, so we can start looking for the power button again. The power up isn't simple, and because of that the best solution is to just JTAG with the boards still connected. I thought that sounded rigged at first, but the "power button" is really hard to push.
The easiest way to do the soldering would be to find a cable like this and solder that right to the connector. But the pitch of the iPhone is really weird, I keep getting like .383mm. If I had a .4mm ribbon cable I could probably use that. When I get home, I will make an Eagle CAD file of a flex breakout board. spoonet said he may be able to have this laser cut. Also I will try to make the flex board myself.

Connector Size

NOR Flash Dumped by dev team

Nice job on the NOR flash dump. I seriously mean this, I couldn't figure out how to do this. But since you just posted your tool without any explanation, I'll try to fill everyone in. The dev team has succeeded in dumping the NOR flash by using the bootloader's interactive mode. This contains the bootloader, the main code, and the eeprom. So why do we still need JTAG? A NOR dump is very different from a running RAM dump, which JTAG can do. I have no idea where anything is stored in the NOR flash. I couldn't find the IMEI in the dump, so I am assuming it's encrypted in some way, probably the same way the NCK is. With JTAG we can get a running RAM dump and extract the NCK while it is being checked. JTAG is like a debugger. We can set registers then run the code to fetch the NCK. Simply by reading locations in memory we can get it. The NOR flash obfuscates it in some way. I may be totally wrong, but I don't want to invest time doing work that the dev team has already done. Also, using this dump method, it will never be possible to get a running RAM dump, because the dumper runs using the bootloader, before the main code is executed. Dev team, can't you just make your source and findings public?

Saturday, August 4, 2007

Where we are...

First, I got a few requests to explain in plain English what the purpose of this is. I will try. Ok, JTAG is the lowest level of debugging. JTAG is an interface, available on almost every processor, which supports simple commands like "PEEK" and "POKE". If you remember from the Apple II days, these commands will raw read and write to memory. Now I've also gotten a few questions from people concerned that they can't do the JTAG mod themselves. Hopefully, you won't have to. The idea is to get dumps from my chip and find a software exploit we can use to unlock the phone. So you won't have to deal with JTAG at all, but you will get an unlocked phone.
If you want to help find the datasheet, the part number is PMB6812. The 2 page product brief is not the datasheet, and doesn't contain the information we need. The real datasheet will contain pinouts and be over 10 pages.
Also, does anyone know about martech.pl? These guys seem to unlock S-Gold2 based phones with two test points. What are these test points? What do they send to them?

Doesn't stay powered up


The comm board doesn't stay powered up when you disconnect it from the main board. This is rather sad, meaning we still need to find the on button. The above trace is of RX, TX, and B1. Remember that RX comes from the logic board. I still think B1 looks like a power on signal. I also found that TX goes low on a baseband reset through the AppleBaseband kext, but that TX/RX don't appear to be tty.baseband. Which is weird, but maybe they do the baseband trace.

Cable Done


The cable is done. Electrically perfect except that TRST shorts to two tracepkts on the other side. I will fix this if needed, but I don't think it'll matter. Also, no hot glue; I discovered the wonders of blue tape :)

Headphone+Switch Connector


Figured since I was butchering this anyway, I should get the pinouts.

So Modular...


We aren't having any luck finding the power button for the baseband. We will eventually get the datasheet, but until then... When I first soldered the JTAG I wasn't aware of how difficult it was going to be. I rushed into it and didn't do such a clean job. It will work, but I couldn't put the boards back together with it. So I took apart my personal iPhone and decided to JTAG it. I desoldered a power connector off the dead iPhone's logic board. Desoldering connectors is really really hard, because it is so easy to melt the plastic. But I got it and soldered it to the JTAG header. Now, with that connector in place, the boards will snap together ok. So the plan is to snap the boards together, power up the baseband, then disconnect the boards. I believe the comm board will stay powered on, so then I just connect the JTAG connector and JTAG in...

Friday, August 3, 2007

Elusive Power Button


We still haven't found the power button, because we still don't have a datasheet for the PMB6812. On the plus side, my dock breakout board finally came in the mail today, so tonight I will probe at it. I'm pretty sure there is no JTAG on the dock, but pins 7-10 are, I think, an ethernet port. That'll be cool to find.

Where we stand...


So we still haven't powered up the board. I have heard two suggestions over and over throughout the day, so I will address them. One, why can't you put the boards back together? I could, but I would have to desolder what I did for JTAG. I still think it shouldn't be too hard to find the "on button". We are still looking for the connectors, so we can probe the 64-pin header. The other suggestion is probing the interboard connector; get me a connector first. I made this pinout sheet because I like pretty colored diagrams of stuff. And Wind River, expect a call tomorrow. That's what you get for mentioning a 52-pin debug header without providing pinouts :)

Thursday, August 2, 2007

Updated...UART found


All the JTAG pins are soldered, but the only problem is we don't know how to turn the board on.

Hardest Soldering I have ever done


Those pads are very very very small. It looks like crap, but electrically it's good.

WE FOUND BASEBAND JTAG


This is the 52 pin connector as viewed with the square corner of the board in the upper left. This is really awesome...but we have a casualty. An iPhone died in the making of this picture. RIP

It looks bad, but it's good


The pads were smaller than I imagined. All the JTAG pads are intact and ready for tracing.

BGA Removal


The place couldn't do it so I bought a heat gun. 254/256 isn't bad

It's go time...


First of all, thanks so much for all your donations, it's you that make this possible. Here is how things are going to go down. It's 7 AM now, and I have a linux box and a homebrew JTAG adapter. I leave here at 8:15 and pick up bagels. I like bagels. Then it's off to these guys to see if they can remove the S-Gold2 from the communications board. If not, it's over to Home Depot for a heat gun, seeing as mine sparked and died last night. Then I'll head over to the Apple store and pick up an iPhone. After probing the contacts, I'll get the location of JTAG on the board and connect up my adapter to the new phone. Hopefully it'll connect, and I can download and modify the full contents of the BB NOR flash+ram!!!

Last Resort

Unfortunately the boards in the pictures below have been destroyed. So probing them is out of the question. The traces in the pictures are very hard to trace anywhere because this board has many layers and blind vias. So here is what has to be done: the S-Gold2 has to be removed from the board. Once this is done I will have full access to the pins of the chip; and I know the pinouts. In the previous post I showed the location of the pins to probe. The chips are sealed to the board and don't have any place to stick a small wire in. So the only option is to remove the chip.
It makes me really sad to wreck an iPhone like this, but there are two plus sides. One, only the communications board will be touched. And a replacement is only $150. Two, if I do this really carefully I could get a new S-Gold2 and replace it. Possibly the old one could even be reballed.
The information we will get from this is, I feel, worth the sacrifice. If this goes well, we will know the location of JTAG within a few hours. The donation pot has reached $509, and I'll put the rest in to get a 4GB iPhone tomorrow. Because we need an iPhone to actually do the JTAG into. Now more than ever, we need donations. We still need to buy a JTAG adapter. My paypal address is geohot@gmail.com

Wednesday, August 1, 2007

S-Gold2 JTAG confirmed broken out


Thanks to Nick Chernyy we got scans of iPhone bare boards. I see vias for TDI, TDO, and TCK, and I can't see a reason Apple would do that unless JTAG was accessible somewhere. I wish I had these boards to probe.

Serial with a test point

I can SSH into this...


All you need is the battery, the WiFi antenna, and the power button.

The update...

The baseband firmware was updated from 03.12.06 to 03.14.08. The bootloaders aren't included in separate files anymore, and there aren't three of them. The eep files have very minor differences. And imeisv and bbupdater were changed a little; I haven't loaded them in IDA, but the changes are probably very minor. For unlocking purposes, ignoring the update is probably the best option.