May 3, 2024

iPhone 3G, S-Gold Chip... Unlock?

Posted July 23, 2008 at 5:45pm by iClarified
It's been a couple of days now and we have had the chance to play around with the NOR dump. All of us, and I believe the Dev Team as well, have one issue: the stupid 3G Infineon chip. I am glad Geohot decided to talk about it; I was afraid no one was going to speak on the chip. Yes, the chip is as complicated as he says it is. And yes, without access to it an unlock is basically impossible.

-----
The 3G bootloader is sig checked by the bootrom. So even removing the NOR and patching the bootloader (to remove main fw sig checks) and main firmware doesn't work for an unlock. Big thanks to TA_Mobile for dumping the NOR and confirming this. You have some real skills.

The X-Gold 608 is the chip used. The lame "datasheet" Infineon gives us shows the hardware RSA and the secure bootrom. So we have a real problem. Even if we find an unsigned code exploit, which wasn't done for the previous two bootloaders in software (we found tricks to play with the NOR), we still can't unlock.

Even though the bootloader isn't available for download, there's really nothing there. This bootloader doesn't contain any of the interactive mode functions, just a stub which is very similar to the old bootrom (but with sig checking). The interactive loader is tacked on to the end of every fls and eep file, and is loaded at 0x86000. BBUpdaterExtreme contains several ramloaders as well, but I believe the one used is from the update file itself. You do not need the bootloader to work on the baseband, you just need the files off the ramdisk. Also interesting to note, the 2 RSA keys the bootloaders use haven't changed since 3.9 or 4.6. So you have these too.

Killing CommCenter on 2.0 kills the Wi-Fi, which will make working with the baseband a bit harder. Entering interactive mode is now done with a call to the kernel to raise an I/O pin before resetting.

The first step to tackling this is dumping the bootrom. We need some exploit, I don't care where, to dump arbitrary memory. Then we can dump 0x400000, which is the new "secure" bootrom.
-----
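
The chain of trust described in the quoted notes, as an added example that is not part of the original post and is not Geohot's or Apple's code: a toy model showing why a signature check rooted in mask ROM survives rewriting NOR, while a check that lives only in NOR does not. The tiny textbook-RSA key, the image strings, the function names and the `rom_checks_bootloader` switch (which models a hypothetical design whose first stage is not verified by ROM) are all constructed assumptions.

```python
import hashlib

# Toy textbook-RSA key built from two Mersenne primes (constructed, far too small
# for real use). It stands in for the vendor key; D never exists on a device.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N

def sign(image: bytes) -> int:
    return pow(digest(image), D, N)

def verify(image: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(image)

def make_nor(bootloader: bytes, firmware: bytes) -> dict:
    """Factory contents of NOR: each stage stored next to its vendor signature."""
    return {"bootloader": (bootloader, sign(bootloader)),
            "firmware": (firmware, sign(firmware))}

def boot(nor: dict, rom_checks_bootloader: bool) -> str:
    bl_code, bl_sig = nor["bootloader"]
    # Stage 0: mask ROM. It cannot be rewritten, so this check cannot be patched out.
    if rom_checks_bootloader and not verify(bl_code, bl_sig):
        return "halt: bootrom rejected bootloader"
    # Stage 1: the bootloader's firmware check is ordinary code stored in NOR,
    # so it is only enforced if that code is still the stock code.
    fw_code, fw_sig = nor["firmware"]
    if b"check-fw" in bl_code and not verify(fw_code, fw_sig):
        return "halt: bootloader rejected firmware"
    return "booted: " + fw_code.decode()

def rewrite(nor: dict, stage: str, new_code: bytes) -> dict:
    """Model of rewriting a NOR region: the code changes, the old signature stays."""
    return {**nor, stage: (new_code, nor[stage][1])}

STOCK = make_nor(b"BL check-fw", b"stock firmware")
FW_ONLY = rewrite(STOCK, "firmware", b"modified firmware")
BOTH = rewrite(FW_ONLY, "bootloader", b"BL skip-check")

if __name__ == "__main__":
    for name, nor in [("stock", STOCK), ("fw only", FW_ONLY), ("both", BOTH)]:
        for rom in (False, True):
            print(f"{name:8} rom_check={rom}: {boot(nor, rom)}")
```

Only the last row differs between the two designs: with the ROM check enabled, the rewritten bootloader is rejected before its own (removed) firmware check ever matters.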