Notes on a 1.1.2 OTB Software Unlock
January 19th, 2008
I don't see it happening anytime soon.
The old exploits aren't there anymore. The hope would be finding an exploit in the new baseband code itself to run a large chunk of code. But I think the bootloader is pretty well locked down.
First of all, downgrading the bootloader from software is out of the question. The bootrom exploit runs before the current bootloader, so it can access the bootloader. But when the bootloader boots, it locks down its sections of flash. So after the bootloader runs, the bootloader can't be touched.
Secondly, the only secpack that validates on 4.6 is >= 1.1.3. They made a change to the format of the secpack so the older ones don't validate. So if we looked for an exploit in the baseband itself, it would have to be on post 1.1.2.
Firmware is written as it is uploaded, and this is what IPSF and AnySim take advantage of. The old bootloader just relied on waiting for the sig to verify before writing the first 0x400 bytes, which contain the start vector. The new bootloader also needs the "secpack" in 0x3c0000 to not verify. So we would have to find an exploit which can write the first 0x400 and erase 0x3c0000.
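To make the flash-write ordering in the paragraph above concrete, here is an added toy model (not the baseband's, the bootloader's, or the post author's code). It puts the "write as it is uploaded" policy the post describes, where only the first 0x400 bytes wait for the signature, next to a verify-then-commit policy that checks the signature and the secpack over a staged image before any flash write. The 0x400 start-vector length and the 0x3c0000 secpack offset come from the post; the 4 MiB flash size, the 0x20-byte secpack layout, the 0x200-byte chunk size, and the keyed FNV-1a checksum standing in for the RSA check are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FLASH_SIZE     0x400000u   /* 4 MiB toy flash (assumption) */
#define START_VEC_LEN  0x400u      /* start vector occupies the first 0x400 bytes (from the post) */
#define SECPACK_OFF    0x3c0000u   /* secpack lives at 0x3c0000 (from the post) */
#define SECPACK_LEN    0x20u       /* toy secpack size (assumption) */
#define CHUNK          0x200u      /* upload chunk size (assumption) */

static uint8_t flash[FLASH_SIZE];  /* simulated flash, all zeros after erase */
static uint8_t image[FLASH_SIZE];  /* constructed upload image */
static const uint8_t toy_key[8] = "toy-key"; /* stand-in for the bootloader's verification key */

typedef struct { const uint8_t *img; size_t len; uint32_t sig; } upload_t;

/* Keyed FNV-1a checksum: a toy stand-in for the RSA signature check, not a real MAC. */
static uint32_t toy_mac(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof toy_key; i++) { h ^= toy_key[i]; h *= 16777619u; }
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Toy secpack: a body followed by a 4-byte checksum over that body. */
static int secpack_valid(const uint8_t *sp) {
    uint32_t want;
    memcpy(&want, sp + SECPACK_LEN - 4, 4);
    return toy_mac(sp, SECPACK_LEN - 4) == want;
}

void flash_erase(void) { memset(flash, 0, sizeof flash); }
uint8_t flash_byte(size_t off) { return flash[off]; }

/* Old policy as the post describes it: chunks land in flash as they arrive;
 * only the first 0x400 bytes wait for the signature. Returns 1 on commit. */
int loader_write_as_uploaded(const upload_t *u) {
    if (u->len > FLASH_SIZE || u->len < START_VEC_LEN) return 0;
    for (size_t off = START_VEC_LEN; off < u->len; off += CHUNK) {
        size_t n = (u->len - off < CHUNK) ? u->len - off : CHUNK;
        memcpy(flash + off, u->img + off, n);        /* unverified body is already in flash */
    }
    if (toy_mac(u->img, u->len) != u->sig) return 0;  /* start vector withheld, body stays */
    memcpy(flash, u->img, START_VEC_LEN);
    return 1;
}

/* Verify-then-commit: signature and secpack are checked over the staged image
 * before any flash write, so a rejected upload leaves flash untouched. */
int loader_verify_then_commit(const upload_t *u) {
    if (u->len > FLASH_SIZE || u->len < SECPACK_OFF + SECPACK_LEN) return 0;
    if (toy_mac(u->img, u->len) != u->sig) return 0;
    if (!secpack_valid(u->img + SECPACK_OFF)) return 0;
    memcpy(flash, u->img, u->len);
    return 1;
}

/* Constructed image: deterministic body, valid toy secpack; returns its signature. */
static uint32_t build_image(void) {
    for (size_t i = 0; i < FLASH_SIZE; i++) image[i] = (uint8_t)(i * 7 + 3);
    uint8_t *sp = image + SECPACK_OFF;
    memset(sp, 0x5a, SECPACK_LEN - 4);
    uint32_t t = toy_mac(sp, SECPACK_LEN - 4);
    memcpy(sp + SECPACK_LEN - 4, &t, 4);
    return toy_mac(image, FLASH_SIZE);
}

/* Corrupted signature through the old loader: returns 1 if the unverified
 * body reached flash while the start vector did not. */
int scenario_old_loader_bad_sig(void) {
    uint32_t sig = build_image();
    upload_t u = { image, FLASH_SIZE, sig ^ 1u };
    flash_erase();
    int committed = loader_write_as_uploaded(&u);
    return !committed && flash_byte(0x1000) == image[0x1000] && flash_byte(0) == 0;
}

/* Same corrupted upload through verify-then-commit: returns 1 if flash stayed erased. */
int scenario_new_loader_bad_sig(void) {
    uint32_t sig = build_image();
    upload_t u = { image, FLASH_SIZE, sig ^ 1u };
    flash_erase();
    int committed = loader_verify_then_commit(&u);
    return !committed && flash_byte(0x1000) == 0 && flash_byte(0) == 0;
}

/* A correctly signed image with a valid secpack commits under both policies. */
int scenario_good_image(void) {
    uint32_t sig = build_image();
    upload_t u = { image, FLASH_SIZE, sig };
    flash_erase();
    int a = loader_write_as_uploaded(&u) && flash_byte(0) == image[0];
    flash_erase();
    int b = loader_verify_then_commit(&u) && flash_byte(0) == image[0]
            && flash_byte(SECPACK_OFF) == 0x5a;
    return a && b;
}

int main(void) {
    printf("old loader, bad sig: body in flash without start vector = %d\n", scenario_old_loader_bad_sig());
    printf("new loader, bad sig: flash untouched = %d\n", scenario_new_loader_bad_sig());
    printf("good image commits under both = %d\n", scenario_good_image());
    return 0;
}
```

The point of the model is the one the post makes implicitly: when the body is written as it streams in, the whole security of the update rests on a single late check (the signature gating the first 0x400 bytes, plus the secpack on 4.6), so any flaw in that check is decisive. Staging the image and verifying everything before the first flash write means a rejected upload changes nothing on the device.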
The IPSF unlock itself uses an RSA hack in bootloader 3.9. This has been thoroughly patched in 4.6.
Also, even if we found a way to brute force the NCKs in reasonable time, we can't get the information to do the brute force off 4.6. The only hope here is to find the Apple algorithm used to generate the NCK. I don't think this is possible, unless we have a spy in Apple :)
I hope I am wrong, and some clever person will come along with a software unlock.
Read the rest of the story from source