iPhone 3G, S-Gold Chip... Unlock?

Posted by · 16322 views
It's been a couple of days now and we have had the chance to play around with the NOR dump. All of us, and I believe the Dev Team as well, have one issue: the stupid 3G Infineon Chip. I am glad Geohot decided to talk about it, I was afraid no one was going to speak on the chip. Yes, the chip is as complicated as he says it is. And yes, without access to it an unlock is basically impossible.

-----
The 3G bootloader is sig checked by the bootrom. So even removing the NOR and patching the bootloader (to remove main fw sig checks) and main firmware doesn't work for an unlock. Big thanks to TA_Mobile for dumping the NOR and confirming this. You have some real skills.

The X-Gold 608 is the chip used. The lame "datasheet" Infineon gives us shows the hardware RSA and the secure bootrom. So we have a real problem. Even if we find an unsigned code exploit, which wasn't done for the previous two bootloaders in software (we found tricks to play with the NOR), we still can't unlock.

Even though the bootloader isn't available for download, there's really nothing there. This bootloader doesn't contain any of the interactive mode functions, just a stub which is very similar to the old bootrom (but with sig checking). The interactive loader is tacked on to the end of every fls and eep file, and is loaded at 0x86000. BBUpdaterExtreme contains several ramloaders as well, but I believe the one used is from the update file itself. You do not need the bootloader to work on the baseband, you just need the files off the ramdisk. Also interesting to note, the two RSA keys the bootloaders use haven't changed since 3.9 or 4.6, so you have these too.

Killing CommCenter on 2.0 kills the Wi-Fi, which will make working with the baseband a bit harder. Entering interactive mode is now done with a call to the kernel to raise an I/O pin before resetting.

The first step to tackling this is dumping the bootrom. We need some exploit, I don't care where, to dump arbitrary memory. Then we can dump 0x400000, which is the new "secure" bootrom.
-----
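The quoted note describes a two-stage chain of trust: the mask ROM checks the bootloader's RSA signature, and only a bootloader that passes that check goes on to verify the main firmware, which is why patching out the bootloader's check in NOR gains nothing. The following is an added illustration written for this page, not code from the post, from Geohot, or from Apple or Infineon: it models that chain with a toy RSA key (two hard-coded Mersenne primes, far too small for real use) and constructed image bytes, so every name, key value and image here is an assumption made for the example.

```python
"""Toy model of the two-stage signature chain described in the post:
the boot ROM checks the bootloader's RSA signature, and the bootloader
checks the main firmware's signature. Constructed example; keys and
images are made up for illustration and are not the real ones."""
import hashlib

# Textbook RSA with two known Mersenne primes (2^127-1 and 2^89-1).
# Hypothetical key: far too small for real use, enough to model the check.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def digest(image: bytes) -> int:
    # SHA-256 truncated to 24 bytes so the integer stays below N
    # (toy simplification; a real scheme pads and never truncates).
    return int.from_bytes(hashlib.sha256(image).digest()[:24], "big")


def sign(image: bytes) -> int:
    """What the vendor's signing server does; the device never holds D."""
    return pow(digest(image), D, N)


def verify(image: bytes, sig: int) -> bool:
    """What the ROM / bootloader does with only the public key (N, E)."""
    return pow(sig, E, N) == digest(image)


def boot(bootloader: bytes, bl_sig: int, firmware: bytes, fw_sig: int) -> str:
    """Simulate the chain ROM -> bootloader -> firmware and report where
    it stopped."""
    # Stage 1: ROM code, fixed in silicon, checks the bootloader in NOR.
    if not verify(bootloader, bl_sig):
        return "rom: bootloader signature rejected"
    # Stage 2: this check lives in the bootloader image. A patched
    # bootloader could drop it, but a patched image never gets this far
    # because stage 1 already refused it.
    if not verify(firmware, fw_sig):
        return "bootloader: firmware signature rejected"
    return "firmware running"


# Constructed sample images (not real baseband contents).
GOOD_BL = b"bootloader v1: verify fw, then jump"
GOOD_FW = b"main firmware: lock state = carrier-locked"
BL_SIG = sign(GOOD_BL)
FW_SIG = sign(GOOD_FW)


def scenario_stock() -> str:
    """Unmodified bootloader and firmware: boots."""
    return boot(GOOD_BL, BL_SIG, GOOD_FW, FW_SIG)


def scenario_patched_firmware() -> str:
    """Modified firmware with the original signature: the bootloader's
    check fails."""
    patched_fw = GOOD_FW.replace(b"carrier-locked", b"unlocked")
    return boot(GOOD_BL, BL_SIG, patched_fw, FW_SIG)


def scenario_patched_bootloader() -> str:
    """Bootloader modified (say, with its firmware check removed): the ROM
    rejects it one stage earlier, and the ROM itself is not in NOR."""
    patched_bl = GOOD_BL.replace(b"verify fw, then ", b"")
    return boot(patched_bl, BL_SIG, GOOD_FW, FW_SIG)


if __name__ == "__main__":
    for name, fn in [("stock", scenario_stock),
                     ("patched firmware", scenario_patched_firmware),
                     ("patched bootloader", scenario_patched_bootloader)]:
        print(f"{name:>18}: {fn()}")
```

The point the model makes is the one the note makes: each stage only trusts the next one through a public key it already holds, so the earliest stage that cannot be rewritten (here the ROM, with the hardware RSA the datasheet mentions) anchors everything after it. Replacing the ROM's check is not possible by editing NOR, and replacing the signed images fails verification.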


dvbuljan - July 24, 2008 at 11:11am
I'm a noob and it's maybe a stupid idea. But would it help to get insight into one of the iPhones that are sold in countries where you can put any SIM in the phone (like Italy..)?
iKAOS - July 24, 2008 at 2:48am
While it's disappointing to know this, we can rest a little easier knowing that all these amazingly talented people are working hard to bring out a solution. And let's not forget, there already is an unlock for the iPhone 3G, it's just that it's not a software unlock. And most people won't want to purchase an xSIM chip.