Friday, April 10, 2009

5.8 Exploit

I've been off the iPhone scene for a while. A couple days ago, I got an e-mail from Chronic asking for help with the new asr. I helped out with genpass, and started reading through theiphonewiki again. Thanks so much for all the information contributed so far; it prompted me to find this.

In bootloader 5.8 on the 3G, the loader signature validator is broken: the if statement that checks the location and length of the loader recorded in the cert was botched. Because of this, you can pass the run cert for the firmware currently on the phone instead of the loader cert, and send whatever you want as a loader.

Here is a bspatch file to be applied to ICE2_02.28.00.fls allowing downgrades from 2.30.03 using BBUpdaterExtreme. By replacing the patched cert with your current run cert, you can downgrade from any other version.

Unfortunately, most 3Gs out there are on bootloader 5.9. I was hoping, since RSA was added to the bootrom, that it would still run the vulnerable ramstrapper, but I had no luck, although I didn't try that hard. I see no reason why it shouldn't work theoretically; the bootrom RSA is complicated, maybe when I finish EDA...
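The check described above, modelled as an added example (not geohot's code and not the real ICE2 format): a cert carries the location, length and digest of the region it vouches for, and the validator hashes whatever region the cert names instead of insisting that the region be the loader slot. The memory map, cert layout and HMAC-in-place-of-RSA are constructed for illustration; the hardened function shows the binding check the buggy one lacks.

```python
import hashlib
import hmac

# Constructed toy memory map (not the real ICE2 layout): the flashed firmware
# starts at 0, the loader sent over the serial link lands in a slot at LOADER_BASE.
LOADER_BASE = 0x1000
LOADER_SLOT = 0x400
SIGNING_KEY = b"constructed-toy-key"  # stands in for the vendor's RSA key pair

CERT_BODY_LEN = 4 + 4 + 20            # offset | length | sha1 digest


class Device:
    """Memory of the modelled device: firmware in 'NOR', a RAM slot for the loader."""

    def __init__(self, firmware: bytes):
        self.mem = bytearray(LOADER_BASE + LOADER_SLOT)
        self.mem[:len(firmware)] = firmware

    def receive_loader(self, loader: bytes) -> int:
        """Store an incoming loader in its slot and return its length."""
        self.mem[LOADER_BASE:LOADER_BASE + len(loader)] = loader
        return len(loader)


def issue_cert(image: bytes, offset: int) -> bytes:
    """Constructed cert: offset(4) | length(4) | sha1(image)(20) | hmac(32).
    A run cert is issued over the firmware at offset 0, a loader cert over the
    loader at LOADER_BASE."""
    body = (offset.to_bytes(4, "big") + len(image).to_bytes(4, "big")
            + hashlib.sha1(image).digest())
    return body + hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def _open_cert(cert: bytes):
    """Check the cert's own signature; return (offset, length, digest) or None."""
    body, mac = cert[:CERT_BODY_LEN], cert[CERT_BODY_LEN:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return (int.from_bytes(body[0:4], "big"),
            int.from_bytes(body[4:8], "big"),
            body[8:28])


def vulnerable_validate(dev: Device, cert: bytes, loader_len: int) -> bool:
    """The botched check: the cert is genuine and its digest matches whatever
    region the cert itself names, but nothing ties that region to the loader
    slot. A genuine run cert therefore 'validates' any loader, because the
    bytes that get hashed are the firmware the run cert was issued for."""
    fields = _open_cert(cert)
    if fields is None:
        return False
    offset, length, digest = fields
    return hashlib.sha1(dev.mem[offset:offset + length]).digest() == digest


def hardened_validate(dev: Device, cert: bytes, loader_len: int) -> bool:
    """Same signature and digest checks, plus the missing binding: the cert
    must cover exactly the loader that was just received, nothing else."""
    fields = _open_cert(cert)
    if fields is None:
        return False
    offset, length, digest = fields
    if offset != LOADER_BASE or length != loader_len or length > LOADER_SLOT:
        return False
    return hashlib.sha1(dev.mem[offset:offset + length]).digest() == digest


def demo():
    """Constructed images: a signed firmware/loader pair and an unsigned loader.
    Returns ((vuln, hard) for the signed loader, (vuln, hard) for the swapped cert)."""
    firmware = b"constructed firmware image " * 8
    real_loader = b"constructed signed loader"
    other_loader = b"constructed unsigned loader"
    run_cert = issue_cert(firmware, 0)
    loader_cert = issue_cert(real_loader, LOADER_BASE)

    dev = Device(firmware)
    n = dev.receive_loader(real_loader)
    signed_ok = (vulnerable_validate(dev, loader_cert, n),
                 hardened_validate(dev, loader_cert, n))

    # Run cert presented in place of the loader cert, with an unsigned loader.
    n = dev.receive_loader(other_loader)
    swapped = (vulnerable_validate(dev, run_cert, n),
               hardened_validate(dev, run_cert, n))
    return signed_ok, swapped


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```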

And dev, since you're into hashes
882B7B3E84B76125755A84FB0BE52B9D8E25284D

270 comments:

posixninja said...

Wow, *bows to master hotz* you really are amazing. Any chance of getting some more technical details? or do I gotta dig through the binary patch? =X

planetbeing said...

This is the same bug we used to dump GGG's baseband bootrom. We had to get in at the EBL level because the bootrom was shut down by the time Nucleus was fully up and running, and we couldn't figure out which registers to poke to reactivate its power/clock gates. I don't have a hash to prove it, though, sorry. :P

I think we did ascertain the bug was closed in the latest bootloader. :(

But we were going to do a bb downgrader, since Apple already fixed this bug, but we had other projects too. It's cool that you took the time to make the patch, but it would be really nice if you could help the community out by making some sort of automated tool for this.

davidbalbert said...

What's the quickest way to find out what baseband bootloader you've got?

will.chronicdev said...

minicom or bbupdater -v

geohot: major congrats on this, dev may have beat you to it though it seems :/ (http://pastebin.com/f676ce11e + http://twitter.com/MuscleNerd/status/1108001008 [@dates]). still though, awesome job!

davidbalbert said...

Thanks chronic. I wrote these instructions up before I saw your response, so I figured I'd post them anyway. I used BBUpdaterExtreme rather than bbupdater:

To answer my own question for others who might be wondering. You can view your version info by grabbing BBUpdaterExtreme from one of Apple's firmware images.

It's in /usr/local/bin or /usr/local/sbin, on the ramdisk I don't remember which. To get to the ram disk, download an ipsw bundle (I used 2.2.1), rename it to .zip. The ramdisk is on one of the dmgs inside. Follow these instructions to decrypt the dmg and then you can mount it.

Upload BBUpdaterExtreme to your phone via scp, and then from within MobileTerminal run the following commands as root:

# launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist

Do this from the directory that you upload BBUpdaterExtreme to:

# ./BBUpdaterExtreme queryversion

Look for "Boot Loader Version:" in the output.

# launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

You have to do this on the phone and not over SSH because disabling CommCenter will kill your wifi connection.

qwertzui said...

hi,

what could this discovery mean on the long run?
will a baseband downgrade be possible on the 3G?

thanks for explaining!

greetz

Jan said...

It is possible just right now. You just need an iPhone 3G with 5.8 bootloader. Unfortunately mine already has 6.2 bootloader *sigh*

Zibri said...

Hi George!
Happy to see you're still 'alive' :)

How's your new work ?

George Hotz said...

posixninja:
There aren't really more technical details. Just replace the hash and put w/e you want for the loader. I just patch out the version check. You'll see it right away

planetbeing:
I figured you guys might have it. I'm convinced there's a way to make it run the 5.8 ramloader instead of the bb in ram. We can also do a yellowsnowish thing to grab the bb reset and command boot from the bootrom level, even if the main sig doesn't validate. Unlocks for all versions... And you guys make much nicer automated tools than me :P

will.chronicdev said...

Jan,
Are you sure you have 6.2? I didn't even know that existed, I thought that there was only 5.9 and 5.8.

Geohot,
Just out of curiosity, do you plan on posting instructions for dumping bootrom? That would be very fun to reverse, but I know nothing about bb so I couldn't dump it myself with this exploit :P

will.chronicdev said...

qwertzui,
a bb downgrade for 5.8bl people who accidentally upgraded, yes, but for people on higher bl versions, it might not work or will need some extra hax as geohotz said he attempted in the post.

Eric said...

I wonder how easy it is to manipulate the bootloader; I'm really not familiar at all with it but how difficult would it be to downgrade from bootloader 5.9 to 5.8? I guess time to try and find some exploits!

Great job by the way geo, this is exciting news!

planetbeing said...

@geohot:

Pretty interesting idea; it'd be nice if we can unlock anything with bl 5.8. There's a couple of practical considerations that I just thought of. Right now, the NOR is mapped straight into memory and the baseband firmware runs directly from NOR. If instead we loaded the bb fw into memory, is there even enough memory for that?

Second, we would almost certainly have to patch the MMU setup routines so that our in-RAM fw would appear in the place that the fw expects itself to be. The concern is that we might not get every place the page tables are adjusted; but probably we could do that.

Third, since we will have to adjust the page tables anyway, why not just have it use most of the FW that's on NOR, but use the MMU to map in some pages from RAM: The ones that we patch for the unlock. This way, we'll have to upload a lot less data for each bb reset.

All of this sounds pretty challenging though. So it may be more efficient for all of us just to stare at that bootrom dump for awhile first. :)

George Hotz said...

I was only imagining two pages, the page table setup and the unlock. Or branching in post page table setup. idk, could be tricky. I also kicked myself after yellowsn0w came out for not doing it back then, or copying and running task_sim from RAM. Beats actual reversing.

I'm getting back to work on EDA today, hopefully it'll blast through the bootrom crypto.

zRa said...

Hey GeoHotz :)

Awesome discovery man. I don't need it cuz im still on 2.2 with 2.28.00 but i have a question. how do you find out my iphone bootloader version for the 3G iphone?

Thanks

D3Code said...

i take my hat off to geo.

by the way can you tell me how to use bspatch to apply it to ICE2_02.28.00.fls?

Pedro Henrique said...

Hey GeoHot! I done a script to automate the downgrade process. You can get it here:

http://rapidshare.com/files/220472173/phasebandowngrader.zip.html

Bye!

Tom said...

Damn. I have baseband 5.09 as it shows in the query. What is the possibility of downgrading the bootloader?

You don't really have to answer, as I get the feeling most of us 2.30.03 baseband users are kind of shut off from the development scene..

But I'm proud of myself anyway, I found out my bootloader version, and patched my fls in anticipation. I'm not so much of a noob now?

Ramon said...

hi! how do i patch my fls? i have as well bl 5.9. is there any chance to downgrade then from 02.30.03?
greetings from berlin

Jan said...

Could someone please explain how to find out the bootloader version step by step? I don't understand the post of davidbalbert.

Thanks a lot!

Tom said...

Ok, so here's a tutorial for those of you who were like me, and had no idea what was going on, how to patch the file, or get the BBUpdaterExtreme or ICE2_02.28.00.fls files.

First thing you'll need to do is locate the files BBUpdaterExtreme, ICE2_02.28.00.fls, and ICE2_02.28.00.eep. You can use davidbalbert's method to decrypt apples firmware by using some tool that will require you to have some command prompt skills and I guess knowledge of both the key and IV for the ipod/iphone/apple's code. I can't tell you where to get the Key or IV, but what I can tell you is that you can find the aforementioned files by a simple google search.

Alternatively, Pedro Henrique's post isn't malware as far as I can tell, and I'm not going to go into detail about his tool that he's created (it's actually easier to use, but we're trying to learn here right?) but his tool has the files you need already in the archive he has linked to (I'm not sure if his .fls is patched or not).

So, now that you have these files in your possession, you'll need to find bspatch so you can patch your .fls. A simple google search will find it.

Here's where you'll need some command prompt skills. Extract the BSPatch program and all of its related files into a folder you can remember (ex. C:\patcher). Also, place the ICE2_02.28.00.fls in the same folder.

Open your command prompt by hitting start, then run, and type in "cmd" without the quotes and hit enter. In the command prompt, you'll need to type

cd C:\patcher

"C:\patcher" is the example directory but you can replace it with wherever you've placed the BSPatch and ICE2_02.28.00.fls files in.

Now type in:

bspatch ICE2_02.28.00.fls patchedbaseband.fls downgrade.patch

In the example folder, there will now be a new file called patchedbaseband.fls, which is pretty self explanatory.

Copy that file back to your desktop or a folder that you can easily find and also copy ICE2_02.28.00.eep and BBUpdaterExtreme into the same place.

Rename patchedbaseband.fls to ICE2_02.28.00.fls.

Now that you have your patched baseband, your BBUpdaterExtreme and the .eep file in one place, you're ready to move them onto your phone.

You'll need to know how to SSH into your iPhone, and I'm not going to go into detail about that, but you should be able to find that information easily.

Copy the three files *ICE2_02.28.00.fls* - the new one that is patched
ICE2_02.28.00.eep
and
BBUpdaterExtreme into /var/root
(make sure you're not in private/var/root).

Now, you'll need to find, download and install Mobile Terminal, which can be found in Cydia or Installer, or I guess the new Icy.

After you've gotten Mobile Terminal installed, open it up and follow these instructions carefully (capitalization counts!) to check what version of bootloader you have.


1. Type in: su
2. Type in the password: alpine
3. Type in: chmod 755 BBUpdaterExtreme
4. Type in: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
5. Type in: ./BBUpdaterExtreme queryversion

Look for "Boot Loader Version:" in the output.

Mine said "5.09" which I can only imagine means 5.9 so I did not have the availability to downgrade.

Here you can stop if you're like me, and don't have the option to downgrade. You can restart your phone (because the phone is now not working since the CommCenter process has stopped running) to restore it to normal, or alternatively you can type in

launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

But you may be in luck and have 5.8, in which case, continue on to the downgrade.

Close Mobile terminal, re-open it, and type in the following commands.

1. Type in: su
2. Type in the password: alpine
3. Type in: chmod 755 BBUpdaterExtreme
4. Type in: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
5. Type in: ./BBUpdaterExtreme update -f ICE2_02.28.00.fls -e ICE2_02.28.00.eep
6. Reboot your iPhone

Check under Settings-General to see your (hopefully) downgraded baseband!

As I've mentioned before, I was unable to downgrade, but in theory this should work, according to GeoHot.

I hope some more people have gained some understanding due to this tutorial I've written. Good Luck!

Tom said...

Sorry!

Some stuff I forgot and messed up on!

You'll need to place the downgrade.patch file into your BSPatch folder!

Also, you'll get errors if you use the commmand

/System/Library/LaunchDaemons/com.apple.CommCenter.plist

As it is not complete! I was copying and pasting irresponsibly in some of my instructions, so make sure every time you use the command to use the proper one here!:

/System/Library/LaunchDaemons/com.apple.CommCenter.plist

Sorry!

Tom said...

Damnit!

Again, I guess this comment system messes up the command

/System/Library/LaunchDaemons/
com.apple.CommCenter.plist

and cuts it off.

Use the one above, the full name of the process is:

com.apple.CommCenter.plist

And sorry for triple posting, but I don't know how to edit!

idoline said...

Thanks Tom for the instructions, it worked flawlessly. Hotz you are the greatest

Mohammad said...

where do i get bbupdater extreme trying to find on google but no luck and the link posted on rapidshare says limit exceeded

Bluecity-Salim said...

http://www.mediafire.com/?hdyizm3jhzv you can find it here

Mohammad said...

i am unable to get to var/root it keeps taking me to private/var/root any suggestions

Jan said...

Thanks Tom.
So just for me to understand. To SSH my iPhone i have to jailbreak it, right? So there is no way to find out the bootloader version without jailbreaking .... ?

Jan

kako said...

ah crap it's version 5.09 on mine. Any Luck downgrading the BootLoader ?

Also how do we get the binary patch file for the baseband not bspatch itself ?

Thanks :)

zRa said...

I currently have 6.02. I can't update my baseband or I would try this and post a video. Sorry guys who are stuck on 2.30.03, I was just lucky i got my phone still on 2.28 :)

alexander said...

zRa

How do you find out your bootloader version

Beau said...

No downgrade for me:
http://stuff.bgiles.net/IMG_0002.PNG
http://stuff.bgiles.net/IMG_0003.PNG

It'll be interesting if this works for the 3.x baseband. :)

ta_mobile said...

Finally you released it :) cheer geohot.
Hoping you and Dev find out a way to co-work ...
Br

Hernan said...

6.02 BootLoader.
May I use it?
I only heard news of:
Yes to 5.08
no to 5.09
6.02?

Thanks
Hernan

D3Code said...

great guide tom,

renaming the bspatch file uploaded by geohot to ICE2_02.28.00.fls and copy it to folder where BBUpdaterExtreme, ICE2_02.28.00.eep stored and SSH them to var/root and proceed with cmd you posted it'll work.

Mohammad said...

6.02 Bootloader :(

Kal said...

@Tom

Thanks for posting your method. I wanted to try out Pedro's Henrique's too and was wondering if there was anyway you could post his tool for us to download? I'm guessing you have it since you tested it out.

Like someone else mentioned it's "limit has reacheD" and I can't download it.

Thanks!

DSMKilla said...

OK how the hell am on 05.09 BL but yet I am still on 02.28.00 FW??

Firmware Version: ICE2-02.28.00
EEP Version: EEP_VERSION:526
EEP Revision: EEP_REVISION:0
Boot Loader Version: ICE2_BOOT_05.09_G2M3S2
FLS/EEP Mismatch: Match

Eric said...

The bootloader isn't updated, the version you have is dependent on when you purchased your phone (if you got it on launch day then you should have 5.8).

DSMKilla said...

OK Well I ran the BBUpdaterExtreme Query and it said I have 05.09 BL

But I ran the DOWNGRADE PATCH that Pedro Henrique/Bluecity-Salim posted and it worked for me even on 05.09 BL. Here is the Terminal Output!



localhost:~ root# launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
localhost:~ root# ./BBUpdaterExtreme update -f ICE2_02.28.00.fls -e ICE2_02.28.00.eep
Validating parameters...OK
Disabling thermal Notifications...OK
Disabling sleep...OK
Powering radio on through AppleBaseband
Opening device path /dev/cu.debug, using initial baud 115200
- Ping failed, trying again, 56 tries left
- Ping failed, trying again, 55 tries left
- Ping OK
Gathering modem information...OK
Checking Static EEP backup...
- backup is OK
Checking Static EEP backup -- All OK
Firmware Version: ICE2-02.28.00
EEP Version: EEP_VERSION:526
EEP Revision: EEP_REVISION:0
Boot Loader Version: ICE2_BOOT_05.09_G2M3S2
FLS/EEP Mismatch: Match
Configuring Hardware Mux...OK
-------------------------------------------------------------------------------
BEGINNING BOOT
-------------------------------------------------------------------------------
Sending boot code...OK
Reading Reference file ICE2_02.28.00.fls...OK
Sending EBL Loader...
Sending EBL Loader Length...OK
Sending EBL Loader Data...OK
Sending EBL Loader Checksum...OK
Sending EBL Loader -- All OK
Sending EBL...
Sending EBL Length...OK
Sending EBL Data and Checksum...OK
Sending EBL -- All OK
Getting EBL Version......OK
- Boot Mode 0xCC
- EBL Version Major/Minor: 6.2
- EBL Version 'ICE2_RAM_B'
- Flashing Compression: 0, CRC Type: 0, CRC Method: 1
Reading Reference file ICE2_02.28.00.fls...OK
Sending Protocol configuration...OK
Sending Flash ID...OK
Doing CFI Stage 1...OK
Doing CFI Stage 2...OK
-------------------------------------------------------------------------------
DONE BOOT
-------------------------------------------------------------------------------
Getting software version of file ICE2_02.28.00.fls...OK
Increasing baud rate to 921600...OK
Validating EBL Version...OK
-------------------------------------------------------------------------------
SENDING FLS FILE: ICE2_02.28.00.fls
-------------------------------------------------------------------------------
Loading FLS file ICE2_02.28.00.fls...OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls...
Beginning Dynamic EEP erase at 0x20E40000 to 0x20EBFFFE...Progress: 100 percent, 524286 of 524286. OK
Sending Security Block...OK
Erasing Load Area from 0x20040000 to 0x2063A01A (this will take some time )...OK
Sending data for mapping 0: progress: 100 percent, 6266908 of 6266908. -- OK
Checking validation result... - Warning: Validation result code indicates failure, result code = 0x0

OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls -- All OK
-------------------------------------------------------------------------------
DONE SENDING FLS FILE
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
SENDING EEP FILE: ICE2_02.28.00.eep
-------------------------------------------------------------------------------
Loading EEP file ICE2_02.28.00.eep...OK
>> Sending Block of type StaticEEPClass(0) from file ICE2_02.28.00.eep...
Sending Security Block...OK
Erasing Load Area from 0x20FC0000 to 0x20FC57FE ...OK
Sending EEP Payload...progress: 100 percent, 22528 of 22528. -- OK
Checking validation result...OK
>> Sending Block of type StaticEEPClass(0) from file ICE2_02.28.00.eep -- All OK
-------------------------------------------------------------------------------
DONE SENDING EEP FILE
-------------------------------------------------------------------------------
Powering radio down...OK
Doing a hardware reset through AppleBaseband
Waiting for baseband power-up...
- Ping failed, trying again, 56 tries left
- Ping failed, trying again, 55 tries left
- Ping failed, trying again, 54 tries left
- Ping failed, trying again, 53 tries left
- Ping failed, trying again, 52 tries left
- Ping OK
- Baseband took 5.146697 seconds to power up
Powering off radio...
Powering off radio -- All OK
Waiting for baseband power-up -- All OK
Re-enabling thermal Notifications...OK

ta_mobile said...

@DSMKilla: If your phone was in 2.28 so you can reflash it with 2.28.fls anytime :) that's not downgrade :D You must update iphone to 2.2.1 original firmware and BB 2.30 then ... :D better not do this.

BR

Anish Dutta said...

I have the phone from the very first week of release, but I have updated it to iPhone 3.0 Beta 2, now assuming its the bootloader where I can downgrade the baseband, would the 3.0 beta 2 work with the 2.28 baseband and hence will yellowsn0w work on it?

Sorry for double posting, but yes if I can downgrade my firmware to 2.2.1 and then would I able to use this method to downgrade my baseband?

Thanks

idoline said...

you can use iphone browser or diskaid to put this file on your phone if you find the SSH complicated. i used iphone browers and it worked fine for me

DSMKilla said...

@ta_mobile: ok cool that's kinda what I was thinking but I am glad that you confirmed it =)

So do you have any idea why my BL 05.09 when I am on 02.28.00 FW? What FW comes with 05.08 BL?

Kal said...

@Eric:

Do you know when they started shipping the 5.09 baseband? I remember for the first generation iPhone you could tell by the 3rd, 4th and 5th number of the Serial No. of your iPhone what week it was shipped in, and also what bootloader it had. For example. "828" would mean 28th week of 2008, and bootloader 4.6.

Do you happen to know the number for iPhone 3G?

Thanks bud!
Kal

idoline said...

DSMKilla, mine was 5.8 and i did just exactly Tom said and it worked for me.
IS your baseband currently 02.28? if it is you don't need to do anything just jailbreak and use yellowsn0w

DSMKilla said...

@Idoline

Yes I'm on 02.28.00 currently and I know that I can use yellowsn0w right now but I am wondering why I am on BL 05.09? What FW comes with BL 05.08?

idoline said...

@DSMKilla.

Mine came with the 2.2 baseband 02.28. It crashed and wouldn't restart so I restored using iTunes and didn't spot they have updated it to 2.2.1. I bought my phone UK version June 2008. That's about all that I know

D3Code said...

tried using pedro's method the phasebandowngrader but sad to say after reboot my bb still at 2.30.03

idoline said...

@D3Code what was your Boot Loader Version:? if it is 5.8 it should work using Tom's instructions above.

D3Code said...

@idoline of course I'm on 5.8 as geohot instructed that it could be used on bl 5.8

D3Code said...

@idoline

Tom guide works smoothly and now im happy with my 2.2.1 with 2.28 bb

great thanks geohot

i_max2k2 said...

Hey George,

I had posted above but I still don't have it confirmed, to downgrade my baseband from 4.x.x from f/w 3.0 beta 2, if I manage to downgrade my f/w to 2.2.1 should I be able to do it? Do I need a cert for 3.0 as you said? How can I extract one, please do let me know, anyone..

I have bootloader 5.8.

Thanks

Lilskata said...

Good to see ya back George!
Thanks for the update.

idoline said...

@D3Code That's brilliant.

For other people who still needs a full instruction, here is an update to Tom's instruction.

Download BBUpdaterExtreme here:
http://rapidshare.com/files/198571862/iPhone_3G_02.28.00_baseband.zip

Download BSPatch Here:
http://gbatemp.net/index.php?download=1741

Here's where you'll need some command prompt skills. Extract the BSPatch program and iPhone_3G_02.28.00_baseband.zip and all related files into a folder you can remember (ex. C:\patcher). Also, place the ICE2_02.28.00.fls and downgrade.patch in the same folder (downgrade.patch is from Master geohot above found here: http://lpahome.com/geohot/downgrade.patch)

Open your command prompt by hitting start, then run, and type in "cmd" without the quotes and hit enter. In the command prompt, you'll need to type

cd C:\patcher

"C:\patcher" is the example directory but you can replace it with wherever you've placed the BSPatch and ICE2_02.28.00.fls files in.

Now type in:

bspatch ICE2_02.28.00.fls patchedbaseband.fls downgrade.patch

In the example folder, there will now be a new file called patchedbaseband.fls, which is pretty self explanatory.

Copy that file back to your desktop or a folder that you can easily find and also copy ICE2_02.28.00.eep and BBUpdaterExtreme into the same place.

Rename patchedbaseband.fls to ICE2_02.28.00.fls.

Now that you have your patched baseband, your BBUpdaterExtreme and the .eep file in one place, you're ready to move them onto your phone.

You'll need to know how to SSH into your iPhone, and I'm not going to go into detail about that, but you should be able to find that information easily.

(you can also use DiskAid or Iphone Browser to upload the files instead of SSH)

Copy the three files *ICE2_02.28.00.fls* - the new one that is patched
ICE2_02.28.00.eep
and
BBUpdaterExtreme into /var/root
(make sure you're not in private/var/root).

Now, you'll need to find, download and install Mobile Terminal, which can be found in Cydia or Installer, or I guess the new Icy.

After you've gotten Mobile Terminal installed, open it up and follow these instructions carefully (capitalization counts!) to check what version of bootloader you have.

(All case sensitive and you may need to use cd .. to change to the right directory you've uploaded the files to)

1. Type in: su
2. Type in the password: alpine
3. Type in: chmod 755 BBUpdaterExtreme
4. Type in: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
5. Type in: ./BBUpdaterExtreme queryversion

Look for "Boot Loader Version:" in the output.

Mine said "5.09" which I can only imagine means 5.9 so I did not have the availability to downgrade.

Here you can stop if you're like me, and don't have the option to downgrade. You can restart your phone (because the phone is now not working since the CommCenter process has stopped running) to restore it to normal, or alternatively you can type in

launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

But you may be in luck and have 5.8, in which case, continue on to the downgrade.

Close Mobile terminal, re-open it, and type in the following commands.


(All case sensitive and you may need to use cd .. to change to the right directory you've uploaded the files to)

1. Type in: su
2. Type in the password: alpine
3. Type in: chmod 755 BBUpdaterExtreme
4. Type in: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
5. Type in: ./BBUpdaterExtreme update -f ICE2_02.28.00.fls -e ICE2_02.28.00.eep
6. Reboot your iPhone

Check under Settings-General to see your (hopefully) downgraded baseband!

As I've mentioned before, I was unable to downgrade, but in theory this should work, according to GeoHot.

I hope some more people have gained some understanding due to this tutorial I've written. Good Luck!

Eric said...

@i_max2k2 Why don't you try and find out? We're not going to know until someone tries it. I would imagine that it'll work as the exploit is in the bootloader not the baseband firmware so theoretically this exploit will allow you to downgrade from any future firmware.

change mangament said...

Tried to downgrade with 6.02, no success. Great work anyway for people who got 5.8.

i_max2k2 said...

@Eric

Yep I'm gonna give it a shot tonight, and will post the results, I do think that once I have 2.2.1, I should be able to downgrade my baseband.

Eric said...

@DSMKilla I don't think you understand the bootloader, its version number is dependent on when you got your phone, not what firmware version you have. I would imagine that the vast majority of people out there have bootloader 5.9 (firmware version doesn't matter as it changes when you update; bl version does not)

@kal sorry I have no idea when Apple decided to start updating their bootloaders but I do know that versions 5.8, 5.9 and 6.2 have been seen in the wild.

Eric said...

@i_max2k2 I would be sure to downgrade the firmware first, it is known that 3.0 firmwares are incompatible with 2.28.00 (and probably 2.30.03 too but I can't confirm that).

Downgrade the firmware then try to downgrade the baseband.

dormopoco said...

i love u

i_max2k2 said...

@Eric : Yes that's what I know as well, that the 2.xx baseband can't communicate with the 3.0 firmware. Will be downgrading the f/w and then the bb.

Adrian Galvan said...

I just got a replacement iPhone from Apple last week because mine had a problem with the screen, but it came with 02.30.03 baseband. I'm stuck after typing "chmod 755 BBUpdaterExtreme", still don't know which BL I'm on.. need help

Bart said...

It all works on my Iphone, unfortunately I have the 6.2 Bootloader as well, and that unfortunately won't work with the downgrade neither (yet)..

Imanzano said...

It worked with my 3g iphone boot loader ICE2_BOOT_05.08_G2M3S2
firmware 2.2.1 baseband 02.30.

Thank you George, and thank you Tom for your post, it helped me very much.

Good luck

My SAE Experience said...

bad luck I've got 6.02 ... sucks... any solution maybe???

jacoch said...

@i_max2k2 I tried to downgrade from 4.20.01 (f/w 3.0b2) unsuccessfully. But I didn't patch the fls file myself. I used fls and eep files from another site. Unfortunately, patching returns an error when processing eep file. Do you have same error or did you downgrade successfully?

Bluecity-Salim said...

jacoch
I have patched the required .fls, try this one instead.
http://uploading.com/files/B4PIB3YV/baseband-patched.rar.html

Tom said...

When you get the .eep error:

Are you sure this is an eep file?

Or something similar, that means your bootloader cannot be exploited, i.e. you're screwed for now.

DSMKilla said...

@Eric

Ohhhhh OK yeah that wasn't making sense to me at all lol. Thanks for clearing that up for me =)

One more thing, so no matter what FW you upgrade to your phone will always stay on the same BL then is that correct?

kako said...

I was on FW 2.2 however with the baseband from FW 3.0 beta 2 (04.22.01) and I have bootloader 5.9. First I tried the regular 5.8 exploit and it didn't work. BBUpdaterExtreme would timeout when trying to get the EBL version and it did a total of about 9 retries before giving up.

Next, I tried the same method but with a regular UNPATCHED 2.28.00 baseband. This time BBUpdateExtreme did the whole process successfully and no errors were reported. So I loaded CommCenter but my phone couldn't get a signal even after a restart and the baseband version was also unchanged. I was a little scared at this point that I bricked my phone but a restore to the OS 3.0 beta 2 FW fixed this problem.

Even though I didn't really make any progress it's quite interesting that the downgrade method DID NOT complain about any errors and finished the whole process. Here is the log from running BBUpdaterExtreme on the unpatched 2.28.00 baseband:

iPhone:~ root# ./BBUpdaterExtreme update -f ICE2_02.28.00.fls -e ICE2_02.28.00.eep
Validating parameters...OK
Disabling thermal Notifications...OK
Disabling sleep...OK
Powering radio on through AppleBaseband
Opening device path /dev/cu.debug, using initial baud 115200
- Ping failed, trying again, 56 tries left
- Ping failed, trying again, 55 tries left
- Ping failed, trying again, 54 tries left
- Ping OK
Gathering modem information...OK
Checking Static EEP backup...
- backup is OK
Checking Static EEP backup -- All OK
Firmware Version: ICE2-04.22.01
EEP Version: EEP_VERSION:706
EEP Revision: EEP_REVISION:1
Boot Loader Version: ICE2_BOOT_05.09_G2M3S2
FLS/EEP Mismatch: Match
Configuring Hardware Mux...OK
-------------------------------------------------------------------------------
BEGINNING BOOT
-------------------------------------------------------------------------------
Sending boot code...OK
Reading Reference file ICE2_02.28.00.fls...OK
Sending EBL Loader...
Sending EBL Loader Length...OK
Sending EBL Loader Data...OK
Sending EBL Loader Checksum...OK
Sending EBL Loader -- All OK
Sending EBL...
Sending EBL Length...OK
Sending EBL Data and Checksum...OK
Sending EBL -- All OK
Getting EBL Version......OK
- Boot Mode 0xCC
- EBL Version Major/Minor: 6.2
- EBL Version 'ICE2_RAM_B'
- Flashing Compression: 0, CRC Type: 0, CRC Method: 1
Reading Reference file ICE2_02.28.00.fls...OK
Sending Protocol configuration...OK
Sending Flash ID...OK
Doing CFI Stage 1...OK
Doing CFI Stage 2...OK
-------------------------------------------------------------------------------
DONE BOOT
-------------------------------------------------------------------------------
Getting software version of file ICE2_02.28.00.fls...OK
Increasing baud rate to 921600...OK
Validating EBL Version...OK
-------------------------------------------------------------------------------
SENDING FLS FILE: ICE2_02.28.00.fls
-------------------------------------------------------------------------------
Loading FLS file ICE2_02.28.00.fls...OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls...
Beginning Dynamic EEP erase at 0x20E40000 to 0x20EBFFFE...Progress: 100 percent, 524286 of 524286. OK
Sending Security Block...OK
Erasing Load Area from 0x20040000 to 0x2063A01A (this will take some time)...OK
Sending data for mapping 0: progress: 100 percent, 6266908 of 6266908. -- OK
Checking validation result... - Warning: Validation result code indicates failure, result code = 0x0

OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls -- All OK
-------------------------------------------------------------------------------
DONE SENDING FLS FILE
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
SENDING EEP FILE: ICE2_02.28.00.eep
-------------------------------------------------------------------------------
Loading EEP file ICE2_02.28.00.eep...OK
>> Sending Block of type StaticEEPClass(0) from file ICE2_02.28.00.eep...
Sending Security Block...OK
Erasing Load Area from 0x20FC0000 to 0x20FC57FE ...OK
Sending EEP Payload...progress: 100 percent, 22528 of 22528. -- OK
Checking validation result...OK
>> Sending Block of type StaticEEPClass(0) from file ICE2_02.28.00.eep -- All OK
-------------------------------------------------------------------------------
DONE SENDING EEP FILE
-------------------------------------------------------------------------------
Powering radio down...OK
Doing a hardware reset through AppleBaseband
Waiting for baseband power-up...
- Ping failed, trying again, 56 tries left
- Ping failed, trying again, 55 tries left
- Ping failed, trying again, 54 tries left
- Ping failed, trying again, 53 tries left
- Ping failed, trying again, 52 tries left
- Ping OK
- Baseband took 5.144748 seconds to power up
Powering off radio...
Powering off radio -- All OK
Waiting for baseband power-up -- All OK
Re-enabling thermal Notifications...OK
Re-enabling sleep...OK
iPhone:~ root# launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
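As an added example (not code from this thread or from BBUpdaterExtreme's authors), here is a small Python triage script for a transcript like the one above. It pulls out the bootloader and firmware versions, the FLS/EEP mismatch line and any validation warning, and answers the two questions that keep coming up here: whether the device has the 5.08 bootloader the post is about, and whether the flash reported a validation failure even though it ran to completion, as kako's did. The sample lines are excerpted from kako's log; the line formats are assumed from that log only.

```python
import re

# Constructed sample: the version / validation lines excerpted from the
# BBUpdaterExtreme log posted above (a 5.09 device flashed with an unpatched
# 02.28.00 image).  The rest of the transcript is omitted.
SAMPLE_LOG = """\
Gathering modem information...OK
Firmware Version: ICE2-04.22.01
EEP Version: EEP_VERSION:706
EEP Revision: EEP_REVISION:1
Boot Loader Version: ICE2_BOOT_05.09_G2M3S2
FLS/EEP Mismatch: Match
Getting EBL Version......OK
Checking validation result... - Warning: Validation result code indicates failure, result code = 0x0
"""

# Line formats assumed from the log above, not from any BBUpdaterExtreme documentation.
BOOTLOADER_RE = re.compile(r"^Boot Loader Version:\s*ICE2_BOOT_(\d+)\.(\d+)")
FIRMWARE_RE = re.compile(r"^Firmware Version:\s*ICE2-(\d+\.\d+\.\d+)")
MISMATCH_RE = re.compile(r"^FLS/EEP Mismatch:\s*(\S+)")
WARNING_RE = re.compile(r"Warning:\s*(.+?)\s*$")


def parse_bootloader_version(s):
    """'ICE2_BOOT_05.09_G2M3S2' -> (5, 9); None if the string does not match."""
    m = re.search(r"ICE2_BOOT_(\d+)\.(\d+)", s)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_bbupdater_log(text):
    """Pull the fields a triage needs out of a BBUpdaterExtreme transcript."""
    info = {"firmware": None, "bootloader": None, "fls_eep": None, "warnings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BOOTLOADER_RE.match(line)):
            info["bootloader"] = (int(m.group(1)), int(m.group(2)))
        elif (m := FIRMWARE_RE.match(line)):
            info["firmware"] = m.group(1)
        elif (m := MISMATCH_RE.match(line)):
            info["fls_eep"] = m.group(1)
        elif (m := WARNING_RE.search(line)):
            info["warnings"].append(m.group(1))
    return info


def loader_check_is_broken(bootloader):
    """True only for the 5.08 bootloader the post describes; 5.09 and 6.02 are not affected."""
    return bootloader == (5, 8)


def triage(text):
    """Summarise a transcript: which bootloader, whether the broken loader check
    applies to it, and whether the flash reported a validation failure."""
    info = parse_bbupdater_log(text)
    return {
        "bootloader": info["bootloader"],
        "downgrade_possible": loader_check_is_broken(info["bootloader"]),
        "validation_failed": any("indicates failure" in w for w in info["warnings"]),
        "fls_eep": info["fls_eep"],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample above the script reports a 5.9 bootloader, so the downgrade does not apply, and flags the validation warning that the "All OK" summary lines hide; that warning is consistent with the modem ignoring the flashed image and the baseband version staying at 04.22.01.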

Lioracle said...

Please help.
I have 5.0.8,
but:
1. I can't see /var, I see just /private/var.

2. When I stop the CommCenter my iPhone restarts. Why?
Thanks

Ramon said...

Is there any possibility to downgrade the bootloader from 5.9 to 5.8???

joao said...

Well, I'm just another one, but keep up the good job.

Thanks from Brazil.

Logan Forand's Blog said...

You're the man, man, lol. At the moment I have the 5.9 bootloader; I'm sure soon we'll see a way of downgrading from 5.9 to 5.8 so I can then patch the 2.30 to 2.28 and run Yellowsn0w.

But cheers, keep up the great work

kako said...

@Logan Forand

I wouldn't count on downgrading the bootloader. Everyone seems to say it's device specific, meaning that it probably isn't even upgradable. Or why wouldn't Apple release bootloader updates in order to get everyone up to the latest version?

Telenierer said...

My phone says 5.09, too bad ;-)

But still great news, that gives me hope that maybe this is also a first step for a softunlock for me :-)

I stupidly updated to 2.2.1 just a few days ago and was wondering whether to get myself a ProxySIM as a temporary solution, but I guess I'll just wait and see now a little longer ;-)

Thanks for your efforts and good luck!

jacoch said...

@Bluecity-Salim: Thanks for the files. The eep file that you posted doesn't have the same size as the ones I used. I could be glad that my iPhone has not been broken by the process :-) Will try tonight when back at home and let you know the result.

1phone said...

hey guys!

This is Awfull Geohot, thx a lot! I read it all, but how can I easily check my bootloader version on iPhone 3G? I tried ./BBUpdaterExtreme -v but no luck... any idea, someone?

the_fx said...

From an earlier comment:
# ./BBUpdaterExtreme queryversion
Look for "Boot Loader Version:" in the output.

1phone said...

Thx mate!

Anyway: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist is needed for it. And of course Mobile Terminal.

Sunsetraving said...

Hey,

Is it possible that we need another patch file to patch the baseband 4.22? I've OS 2.2.1, BB 4.22.

Thanks in advance

i_max2k2 said...

I tried with the 4.22 baseband in 2.2 firmware and I kept getting the EBL timed out error like kako; I'm now trying with an unpatched fls. I have 5.8 BL, anything that you can do, hotz?

Sunsetraving said...

@i_max2k2

Same Problem for me.

With an unpatched file you get no error, but BB is still 4.22 :(

i_max2k2 said...

@Sunsetraving

What f/w are you on? I'm on 2.2 and I'm thinking of trying this on 2.2.1

Sunsetraving said...

I have 2.2.1 Jailbreak

Bluecity-Salim said...

@jacoch
If your iPhone does not have the 5.8 bootloader, then do not try. It will not downgrade.

kako said...

I have OS 3.0 beta 2 baseband with FW 2.2 and bootloader 5.9. I tried downgrading using the patched 02.28.00 fls but BBUpdaterExtreme timed out getting the EBL version. Then I tried downgrading using a regular unpatched 02.28.00 fls. This time the downgrade process went fine with no errors. It went through from 0% to 100% and "said" everything is fine. I tried launching CommCenter and restarting but the modem couldn't get a signal. Later I did a ./BBUpdaterExtreme queryversion and it reports there is a MISMATCH between the eep and fls. Not sure if this whole process is of any value for unlocking with bootloader 5.9?

Telenierer said...

Sorry if this may seem like a stupid question, but just curious, what does EDA stand for?

Tolik85 said...

Guys,

What's not clear in saying:
"IT WON'T WORK ON 5.9 NOR 6.2 BOOTLOADERS"?

I mean, we all wish it worked on those bootloaders (mine is 5.9 also), but it doesn't, unfortunately.

It doesn't make it any better asking the same question 1000 times.

The only thing it can do is crash our iPhones forever, if we keep trying it again and again.

Let's all be patient, and just let Geohot and Dev-Team do their job.

Cheers!

oswaldo said...

I'm very happy with the progress; unfortunately my BL is 5.9, but I still have hope for better days!!! Congratulations to you guys!!!

jacoch said...

I'm on BL 5.8, firmware 2.2.1, baseband 04.20.01 (from fw 3.0b1). I'm having the same timeout on "Getting EBL version". I suppose another patch is required to downgrade from BB installed by fw 3.0.

Sunsetraving said...

Yes,

I have read in another forum that some people have success with their downgrade from BB 2.30 to 2.28

So I wait for another patch file...

Logan Forand's Blog said...

I'll get a loan of a phone for the time being. I'm 100% confident that the guys will crack 5.9 and allow us to downgrade, or will crack 2.30.

Either way my phone is working, which it didn't before, so that's one thing down; just the phone bit and I'm laughing

Bluecity-Salim said...

Hi all...
My iPhone is BL 5.8 and it works (2.2.1 and baseband is downgraded to 02.28.00)

neftec said...

Success! Downgrade from 2.30.03 with bootloader 5.8 and 2.2.1 fw worked like a charm. First tried the PH's automated tool with no luck. Then with Tom's instructions and it was like dancing! Thank you!!!

jacoch said...

I think that I found the response to the downgrade from baseband 04.20.01 or 04.22.01. Geohot indeed says: "Because of this, you can pass the run cert for the firmware you currently have on the phone instead of the loader cert, and send whatever you want as a loader." So you have to pass information about the firmware you have. As the patch was made for 02.30, there's no chance it will work on 04.x. Well, as long as I understand correctly. Geohot, could you please do such a patch for baseband 04.xx? Would be very kind.

kako said...

yea GeoHotz a patch for 04.20.01 would be very much appreciated. Thanks ;)

George Hotz said...

do it yourself :)

look at where the 230 run cert came from and copy the corresponding cert from the 4xx into the patched 228 file.

oswaldo said...

Hi George.
Any forecast for a downgrade with BL 5.9?
Thanks

jacoch said...

@geohot :) I'm working on it. No success so far. Any advice?

Xavi said...

Is there any possibility to download the firmware from the bootloader?

kako said...

Anybody wanna elaborate on this (with Screenshot):

Possible Baseband 04.22.01 unlock

http://mykmchong.blogspot.com/2009/04/day-210-after-event.html

hayyan said...

When you say not to place it in private/var/root and to place it in /var/root: there is no /var/root (there's a shortcut var, which just goes to private var).

What shall I do?

Mohammad said...

Put the files in private/var/root.

Make sure after you log into terminal to type
cd /private/var/root

That will work.

Maher said...

I'm glad things like this are progressing, now it's just a matter of time to be able to exploit other bootloaders.

Just 1 question, hope someone can answer me here about it..

I bought my iPhone from eBay as it was saying it's AT&T, but I see now everyone here is posting that their bootloader is 5.09 (at least most of them) while mine is 6.02. So I saw something else regarding the model number in the iPhone: mine was saying MB489KS. When I checked this on the net at

http://support.apple.com/kb/HT1937?viewlocale=nl_NL

I came to the conclusion that my iPhone is from Finland. Or could this be wrong or some kind of coincidence?

Ramon said...

my phone: 3G fw2.2.1 bb20.30.03 bl5.9

I followed kako's link and here's what I found:

1) from baseband 2.30.01, upgrade to firmware 2.2.1
2) upgrade to firmware 3.0beta and the baseband will be at 4.22.01
3) use quickpwn 3.02 and jailbreak and activate options
4) at completion of quickpwn 3.02, force downgrade to firmware 2.2 through iTunes restore
5) error code 1013
6) phone restarted
7) use a no pin lock sim and connect to iTunes again
8) let iTunes sync and work on
9) phone unlock success
10) telco signal detected with baseband 4.22.01
The steps could miss out one or another but fundamentally it requires an upgrade to a higher baseband then a downgrade via firmware 2.2.1. Forget the error code 1013 and activate the phone and hopefully even at baseband 4.22.01, the phone has been unlocked just like the phone shown to me. I will post a photo with baseband and the telco signal soon.

Maher said...

@Ramon, read the post below your comment on

http://mykmchong.blogspot.com/2009/04/day-210-after-event.html


Comment

"Maybe i'm misunderstanding you, but...

The phone on the screenshot is model MB489ZA, which is the official Malaysian version and locked to the Matrix network.

http://support.apple.com/kb/HT1937"


MY SUGGESTION IS, DO NOT UPGRADE TO ANY NEW VERSION OF THE OS OR UPGRADE THE FIRMWARE, NEW EXPLOITS WILL DEFINITELY COME! DON'T FOLLOW UP RAMON'S COMMENT

hayyan said...

Help, I deleted the var file shortcut in /var (shortcut)/root. Now my iPhone won't connect to SSH and is just on the Apple logo. What shall I do?

Please help

Maher said...

@Hayyan

Now you have to put your iPhone into DFU mode (search Google) and restore a firmware version.

Don't delete directories in the shell, it's permanent; there is no recycle bin like in Windows. Everything with a / is a directory.

hayyan said...

I can't get it into recovery mode (I know how to), but it's not working (my computer is not recognising it at all). At least I have warranty, I will take it to the shop, they should give me a new one, right?

hayyan said...

Holy shit, I restored it (well, I think I have, the computer is restoring the firmware).
Thanks Maher!

hayyan said...

@maher
Where exactly in Mobile Terminal do you type in cd /private/var/root?

I was following these steps, as someone posted above:
1. Type in: su
2. Type in the password: alpine
3. Type in: chmod 755 BBUpdaterExtreme
4. Type in: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist

Maher said...

@ Hayyan

First of all, it doesn't matter how you type a directory; you will always get there if you start with / (which is root).

Second of all, you shouldn't be in /private/var/root, you should be in /var/root.

read the post below which came from "idoline" (thanks)



For other people who still need a full instruction, here is an update to Tom's instruction.

Download BBUpdaterExtreme here:
http://rapidshare.com/files/198571862/iPhone_3G_02.28.00_baseband.zip

Download BSPatch Here:
http://gbatemp.net/index.php?download=1741

Here's where you'll need some command prompt skills. Extract the BSPatch program and iPhone_3G_02.28.00_baseband.zip and all related files into a folder you can remember (ex. C:\patcher). Also, place the ICE2_02.28.00.fls and downgrade.patch in the same folder (downgrade.patch is from Master geohot above found here: http://lpahome.com/geohot/downgrade.patch)

Open your command prompt by hitting start, then run, and type in "cmd" without the quotes and hit enter. In the command prompt, you'll need to type

cd C:\patcher

"C:\patcher" is the example directory but you can replace it with wherever you've placed the BSPatch and ICE2_02.28.00.fls files in.

Now type in:

bspatch ICE2_02.28.00.fls patchedbaseband.fls downgrade.patch

In the example folder, there will now be a new file called patchedbaseband.fls, which is pretty self explanatory.

Copy that file back to your desktop or a folder that you can easily find and also copy ICE2_02.28.00.eep and BBUpdaterExtreme into the same place.

Rename patchedbaseband.fls to ICE2_02.28.00.fls.

Now that you have your patched baseband, your BBUpdaterExtreme and the .eep file in one place, you're ready to move them onto your phone.

You'll need to know how to SSH into your iPhone, and I'm not going to go into detail about that, but you should be able to find that information easily.

(you can also use DiskAid or Iphone Browser to upload the files instead of SSH)

Copy the three files *ICE2_02.28.00.fls* - the new one that is patched
ICE2_02.28.00.eep
and
BBUpdaterExtreme into /var/root
(make sure you're not in private/var/root).

Now, you'll need to find download and install Mobile Terminal, which can be found in Cydia or Installer, or I guess the new Icy.

After you've gotten Mobile Terminal installed, open it up and follow these instructions carefully (capitalization counts!) to check what version of bootloader you have.

(All case sensitive and you may need to use cd .. to change to the right directory you've uploaded the files to)

1. Type in: su
2. Type in the password: alpine
3. Type in: chmod 755 BBUpdaterExtreme
4. Type in: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
5. Type in: ./BBUpdaterExtreme queryversion

Look for "Boot Loader Version:" in the output.

Mine said "5.09" which I can only imagine means 5.9 so I did not have the availability to downgrade.

Here you can stop if you're like me, and don't have the option to downgrade. You can restart your phone (because the phone is now not working since the CommCenter process has stopped running) to restore it to normal, or alternatively you can type in

launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

But you may be in luck and have 5.8, in which case, continue on to the downgrade.

Close Mobile terminal, re-open it, and type in the following commands.


(All case sensitive and you may need to use cd .. to change to the right directory you've uploaded the files to)

1. Type in: su
2. Type in the password: alpine
3. Type in: chmod 755 BBUpdaterExtreme
4. Type in: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
5. Type in: ./BBUpdaterExtreme update -f ICE2_02.28.00.fls -e ICE2_02.28.00.eep
6. Reboot your iPhone

Check under Settings-General to see your (hopefully) downgraded baseband!

As I've mentioned before, I was unable to downgrade, but in theory this should work, according to GeoHot.

I hope some more people have gained some understanding due to this tutorial I've written. Good Luck!

Maher said...

if you still have problems with this, search on google for basic linux or basic unix command line

good luck and take care,

time to sleep here (@ 2.09am)

Perhaps said...

I have an iPhone 3G bought in Oct last year with the version 5.08. I updated the firmware to 2.2.1 and the baseband was also changed to 02.30.03.

Tom's protocol worked perfect for me. Now my baseband is back to 02.28.00

Melanie said...

I'm not very familiar with commands, but have done a few phone tweaks in the past on a different phone.

I would like to try this on my iPhone, particularly cause I think it probably has 5.8 based on when I got the phone.

Question: can I screw my phone up trying this out? And if so, can I just put it back in DFU and restart it?

jacoch said...

Does someone have the fls from 02.30 and 04.22? It would be nice to make them available for download. Or give me a link on how to get these files with firmware 2. Last time I extracted these files, it was on iPhone 1G. Files were available in the ramdisk.

kako said...

@GeoHotz

Hey man any chance you could put up the patch for downgrading from Baseband 04.22.01. Thanks :)

Sunsetraving said...

I agree with you.

Please, could you create the patch file?

dkml said...

Well I have BL 5.9 also.. thank you.

I keep checking the blog for further updates... hopefully something is found for BL 5.9 or a different way to downgrade.

ta_mobile said...

@jacoch:

2.30 fls here: http://support.gsm.vn/index.php?dir=iPhone/

Maher said...

@Melanie,

Don't worry about it, it can indeed be fixed when it's put in DFU mode; if you want a good description just read a couple of posts higher where I replied to Hayyan

jacoch said...

@ta_mobile : thanks for the file. Got it ;-)

geek78 said...

Did someone find where the 2.30 cert came from?

jacoch said...

The 2.30 cert comes from the 2.30 baseband. It has to be put in 2.28. That's what geohot did. Now, we just need the fls of 4.22 to put its cert into 2.28 in place of 2.30. And hopefully it will work.

geek78 said...

OK. Thanks. Maybe someone can do this (I don't have all the tools):

1) decrypt and mount the ramdisk
http://www.hackint0sh.org/forum/f201/68384-11.htm post 108

2) backup of eep and fls
they should be here: /usr/local/standalone/firmware

kako said...

@geek78

I'd be willing to do that, but then how do you make the patch after that?

geek78 said...

I will find where the cert is...

I am trying to do the stuff under Windows but I have some issue with the ramdisk, my eep and fls files are empty....

fdjdfjl;j said...

Hi everyone.
I am facing some problem doing this.
I uploaded all three files to my iPhone by using WinSCP. Now I am using Terminal; when I type the chmod command I get an error:
"chmod:cannot access 'BBUpdater':No Such File Or Directory"

jacoch said...

I have decrypted the ramdisk. But there is no folder /usr/local/standalone/firmware. If I look in an old ipcc (from iPhone 1 for example), that folder exists and contains the file. On 2.2 and 2.2.1, I don't have that folder. Maybe I did something wrong, but unzipping the ipcc, running vfdecrypt and mounting the image, I don't know where I could have made a mistake. But in fw 2.2, there are two more dmg files and a folder named firmware, that contains a lot of small files. I have not been able to mount or decrypt the dmg. If someone can help...

Mathieu said...

nice geohot !!

my blog : http://iphone-astuces.blogspot.com/

geek78 said...

You have made something wrong because they are there... but empty in my case...

cgblah74 said...

Geohot: I have been following your iPhone posts since the beginning when you first did a hardware unlock. I have stopped myself purchasing an iPhone for so long, until the other day, I just caved in and thought, **** it, go and do it. Ended up with a new 3G.
Only to be really bummed out, I have bootloader 5.09 :-( and baseband 02.30.03. I have read that this has really fuc*ed me now because I may never unlock it due to Quickpwning it on 2.2.1. Is this true or is there any possibility of a future unlock?

Anyways seriously keep up with the good work and the iphone scene..

cg

samlecool said...

Hi!
I have a problem.
I did all the steps but when I run (chmod 755 BBUpdaterExtreme) this is what I get: cannot access BBUpdaterExtreme: no such file or directory.
What do I have to do???
Help please.

hayyan said...

@samlecool, what location on your iPhone 3G did you put the 3 files in? Was it private/var/root or var/root? Because if you did the first one, then in MobileTerminal you need to change the directory..

tattoo said...

http://www.modmyi.com/forums/iphone-news/575351-downgrade-3g-baseband-2-30-2-28-a.html


Go and download the phasebandowngrader.

Only works on 5.8,
but there is a way to check first, and doing it anyway will not brick your phone, but it will not downgrade if you have the 5.09 bootloader.

mohaz said...

THANKS a lot GeoHotz, your patch works with one of my friends' iPhones on 5.8, it's magical, thanks man

I tested with 5.9, no success, cause my phone is 4.22.01 with BL 5.9; everybody hopes that you succeed, man, thanks

samlecool said...

Yes, they are in private/var/root.
Where can I find just var/root, because it always appears as private/var/root in WinSCP?
Thanks hayyan

hayyan said...

Don't worry, leave it in private/var/root and just adjust the setting in MobileTerminal. Adjust the setting in MobileTerminal by opening the app and then typing cd /private/var/root

Now the directory that MobileTerminal reads from is changed and everything should work now; you can type chmod... etc. as usual and it will work.
Best of luck

Bluecity-Salim said...

Hi..
iPhone Tunnel Suite 2.7 is easier to use than MobileTerminal on the iPhone; just install SSH, connect the USB cable and select Terminal (you do not need to install a terminal on the iPhone). Easy and works like a charm.
1-Type in: chmod 755 BBUpdaterExtreme
2- Type in: launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
3- Type in: ./BBUpdaterExtreme queryversion
http://iphone-tunnel-suite.software.informer.com/

Bluecity-Salim said...

Make sure you go to the directory where you have placed the files: cd /var/root. Then use iPhone Tunnel Suite (Terminal); you will be able to see the whole process on your PC rather than in the terminal on the iPhone.

samlecool said...

It says "permission denied"

samlecool said...

Finally I got it (very happy). Thanks a lot hayyan.
My bootloader is 5.09 :-(
When can I downgrade my baseband, please?

alvin john said...

I hope this works for baseband 5.09 soon. Thank you for the efforts.

Laze Janev said...

I'm having bootloader 6.02 hope this patching will be done for it too.

i_max2k2 said...

George if you could put up the cert or files for the 3.0 firmware, it would be the quickest, since all of us who would try this would take a lot of time. And for you it'd probably be 10-15mins work.

Thanks! :)

hayyan said...

Is it true some people have got this to work on bootloader 5.9? even though the exploit is only on 5.8...

i_max2k2 said...

I have been able to decrypt and mount the firmware 3.0 beta 2, but can't find the 4.22 fls and eep files. Where are these files supposed to be? And the cert?

Thanks

jacoch said...

The files are in the additional dmg, not in the main image. If you have decrypted the ramdisk, the files are in /usr/local/standalone/firmware. But unfortunately, I noticed that Apple changed something with FW3. The files are not flat data files anymore. It seems they are compressed (the fls file is only 3.4 MB) and the data is in the resource fork (pay attention if you move the file to Windows). So I'm afraid that until someone finds how to decrypt/unstuff this new format, we're stuck with BB 04.xx.

i_max2k2 said...

@jacoch: are you sure they are compressed? Because if they have an .fls / .eep extension, then they are probably not compressed. Also how did you decrypt the other 2 dmg's, because I'm not able to do so; also where is this cert we need in these files?

GeoHotz any help will be appreciated.

Areg said...

here is how to decrypt OS 3.0 beta filesystem
http://tungchingkai.blogspot.com/2009/04/how-to-decrypt-iphone-os-30-beta.html

jacoch said...

I'm not sure, but old fls files are about 6 MB, that one is about the half. Seems strange. That's why I supposed the file is compressed. To decrypt the dmg, I used img3decrypt with keys found on theiphonewiki. But pay attention, one dmg is the update, the other one the restore. If you use the restore key with the update image, it fails and vice versa.

jacoch said...

@Areg Interesting link. Would have saved a lot of time with it yesterday :-)

geek78 said...

@jacoch, do you know how to read the downgrade.patch? Would be interesting to know what exactly the cert value in this patch is, to find it in the 2.2.1 firmware files...

jacoch said...

If you compare the original and patched 02.28, you notice that there are two ranges that have changed (offset 600A48->600A92 and 60E700->60E77F). So in my opinion, the patch file is just the content of these two ranges and the offsets where to write them. Both these ranges are found in 02.30 of course. The problem is that they are in a completely different location. As I don't know how geohot can find a cert in the fls file, it's a bit difficult to know which part of the 04.xx file to copy (if we can even use it, as the format changed).
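jacoch located the two changed ranges by hand. As an added example (not code from this thread), here is a generic Python range-differ that reports every contiguous run where two images differ and checks that a patched image changed only inside windows you expected, which is a reasonable integrity check to run before sending any modified image to a modem. The images below are constructed stand-ins, not the real ICE2 .fls files; their offsets are chosen to mimic the two ranges jacoch reports, and the content is made up.

```python
def diff_ranges(a, b):
    """Return [(start, end), ...] half-open byte offsets where a and b differ.
    Any bytes beyond the shorter input count as differing."""
    n = max(len(a), len(b))
    ranges = []
    start = None
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i                    # a run of differences begins
        elif same and start is not None:
            ranges.append((start, i))    # the run ends just before i
            start = None
    if start is not None:
        ranges.append((start, n))        # run reaches the end of the data
    return ranges


def format_ranges(ranges):
    """Render ranges in the thread's 'start->end' hex style (end is exclusive here)."""
    return ", ".join(f"{s:X}->{e:X}" for s, e in ranges)


def changed_only_within(ranges, allowed):
    """True if every differing run lies inside one of the allowed (lo, hi) windows."""
    return all(any(lo <= s and e <= hi for lo, hi in allowed) for s, e in ranges)


def diff_files(path_a, path_b):
    """Same comparison on two files on disk, e.g. an original and a patched .fls."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return diff_ranges(fa.read(), fb.read())


# Constructed sample: a 4 KiB repeating pattern as the "original" and a copy
# with two overwritten runs as the "patched" image (not real baseband data).
ORIGINAL = bytes(range(256)) * 16


def make_patched():
    buf = bytearray(ORIGINAL)
    buf[0xA48:0xA92] = b"\xAA" * (0xA92 - 0xA48)
    buf[0xE00:0xE7F] = b"\xBB" * (0xE7F - 0xE00)
    return bytes(buf)


if __name__ == "__main__":
    found = diff_ranges(ORIGINAL, make_patched())
    print(format_ranges(found))
    print("patch confined to expected windows:",
          changed_only_within(found, [(0xA40, 0xAA0), (0xE00, 0xE80)]))
```

Run against the real original and bspatch output, `diff_files` should report exactly the two windows jacoch names; anything else changing is a sign that the wrong input file or the wrong patch was used.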

madcowz said...

Wow. Nice work. Is it possible to flash/edit the bootloader? Or is it like ROM? Or can you upgrade but not downgrade?

Areg said...

I think on OS 3.0 they use a compressed ramdisk, that's why the files are half size.

jacoch said...

And did you hear something about the compression used?

@madcowz Until now, the bootloader is not even updated by Apple. It doesn't mean it's read-only, but on the iPhone 1G, there were already some hacks available on a given BL. So if it was easy to update, they would have chosen that solution.

madcowz said...

@jacoch So where is the bootloader, like in the baseband/X-Gold NOR or what? And I guess you could update the baseband, but it might brick your iPhone. :(

madcowz said...

Somebody should make this into an app and put it on a Cydia repo. And in my above post, I mean that upgrading the BOOTLOADER can brick the phone.

jacoch said...

There is no way to upgrade the bootloader yet. We are talking here about downgrading the baseband on BL 5.08.

Melanie said...

So, I was able to figure out what bootloader I have (thanks to the wonderful people who posted detailed instructions), 5.9 :(

I'm not a computer guru, so I'm curious if there's hope for people with 5.9 BL in the near future??

Denis said...

Omg, I just found that I have BL 6.02. I am so pissed off. Any solution to be released in the near future? Thanks

Maher said...

@ Melanie

good! everything is able to be fixed (as far as I know) in DFU mode

Areg said...

You know what is really confusing: the dev team blog is not allowing me to add this news for the 5.8 bootloader, and how to do that....
I don't understand them. . .
I don't think that the dev team is working on this and it's really confusing.

geek78 said...

@areg, don't worry about that ;) The best thing to do is to find exactly how to do that with all the basebands (OS 3.x) and to post it on several forums... If George could help us we would save a lot of time...

Areg said...

@geek78 you are absolutely right, but in this case with that compressed ramdisk it is more difficult to do something; George made it with a non-compressed ramdisk.

geek78 said...

yes, we have to find a unit with Snow leopard and work on it...

无聊考拉 said...

unlucky :( 6.02

Areg said...

@geek78 good luck man! i'm using XP

samlecool said...

Hello,
Will something be found for BL 5.09, or should I still wait until the OS 3.0 unlock? I am thinking of buying a piggy SIM.
Thanks

Bob said...

Unfortunately I'm on 5.09.
Was restoring and didn't realise it was on a slightly higher version and got suckered with 02.30.

Any turbo SIM / piggyback SIM I have tried to date is not working for Ireland. Network connection is lost continuously.

Is anyone working on a method to downgrade from 5.09 or the 02.30 baseband so I can use yellowsn0w again?

stupriory said...

I agree with Bob. However I am on BL6.02 and it does seem that other than this forum, no-one is actively trying to do anything. I purchased my iphone in Feb so it was not due to me updating blindly. I watch this forum every hour and am praying to get away from my TurboSim. I am an advanced user (can copy code/use terminal etc) but totally rely on 'smart' people to work these things out. So.........'smart' people......how far are we away? ....... are we just waiting for the new iphone and holding our breath or is there work being done out there? If 5.9 and 6.2 is totally not do-able please let me know and I will stop checking for now.....and get some life back ;)

sesesergiosrl said...

dude, you're the MAN!!!!!!!!! without you the iPhone would have been a PIECE OF JUNK!!!!!
You saved us when it first came out, you saved us when the 3G came out, please also save us now with these freakin bootloaders!!

THANKS GEORGE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thomas said...

Hi! Thanks for your great work!!!
Will there be a possibility to downgrade from 6.02 ???

Telenierer said...

I got my iPhone not too long ago but already heard about you GeoHot so you are a true legend!
If you could now help me and many others with the higher bootloaders (in my case 5.09) this would make you for me a god ;)

Edward said...

George Hotz, I am fascinated by your DLP research. "http://lpahome.com/DLP/" is a dead link, I am more than happy to host this data on my media temple server. I'd also like a copy for myself. Please get in touch asap.

I think you'll love what we want to do with the DMD technology.

Asim said...

Dear hotz

I am sure there are thousands of people like me waiting for an unlock solution to iphone 3g bought in 2009.

Please do something for them as well.
We all know that you can do it.
All the best.

alvin john said...

please save us Mr. Hotz =]

Tongas said...

You are great man

Houser said...

Hey Guys...

HAs anyone tried what this guy posted?:

> Ramon said...
> my phone: 3g fw2.2.1 bb20.30.03 bl5.9
>
> i followed kako's link and here's what i found:
>
> 1) from baseband 2.30.01, upgrade to firmware 2.2.1
> 2) upgrade to firmware 3.0beta and the baseband will be at 4.22.01
> 3) use quickpwn 3.02 and jailbreak and activate options
> 4) at completion of quickpwn 3.02, force downgrade to firmware 2.2 thru itune restore
> 5) error code 1013
> 6) phone restarted
> 7) use a no pin lock sim and connect to itune again
> 8) let itune sync and work on
> 9) phone unlock success
> 10) telco signal detected with baseband 4.22.01
> The steps could miss out one or another but fundamentally it require upgrade to higher baseband then downgrade via firmware 2.2.1. Forget the error code 1013 and activate the phone and hopefully even at baseband 4.22.01, the phone had been unlocked just like the phone shown to me. I will post a photo with baseband and the telco signal soon.
>
> April 14, 2009 7:13 PM

Maher said...

@Houser

IT'S BS,

if you had read more carefully you wouldn't ask the question again!

derek chong said...

Hope to hear something on bootloader 5.9 soon... it is exhausting work to follow the unlock. But it is enjoyable to be a part of the 'locked group'!

Think positively, life will be easy.

Please keep me updated on the development.

thank you

geek78 said...

Maybe someone running Snow Leopard can help us. Here is a zip of ramdisk.dmg decrypted (OS 3 beta 2). This dmg has to be "unzipped" under Snow Leopard. The eep and fls files are under /usr/local/standalone/firmware

http://rapidshare.de/files/46819159/ramdiskrestore.dmg.html

Areg said...

@geek78 Do you know how to unzip it???
I wanna try it on my friend's Mac running Snow Leopard

Areg said...

@geek78 I unzipped them with the TransMac software; there are 4 files.
ICE2_04.22.01.eep.mbn 33KB
ICE2_04.22.01.fls.mbn 3493KB
ICE04.05.04_G.eep 0KB
ICE04.05.04_G.fls.mbn 1713KB

geek78 said...

Those new dmg are HFS+ compressed images and only Snow Leopard beta 2 or higher seems to be able to unzip the image correctly...

Areg said...

@geek78 so even if the Mac OS is 10.5.6 it will not unzip it correctly!?

geek78 said...

Seems not... you have to try under 10.6 Beta 2 and higher

Areg said...

@geek78 No luck; I was thinking that my friend's OS is 10.6... I called him, he told me that his OS is 10.5.6.
ANYBODY WITH MAC OS 10.6 ???

Melanie said...

Like I said in a previous post, I'm not a computer guru, but want to help get my phone unlocked...

I have Mac OS X 10.5.5, because I've been holding out on updating in case I could get my phone to work somehow, does this help?
