Finally we did the Iphone 2.30 Tsamba method

[GS_guy]

Hi all,
So me too ran the same procedure and it didn't work. BUT, looking at the log I can see this:

progress: 100 percent, 6266908 of 6266908. -- OK
Checking validation result... - Warning: Validation result code indicates failure, result code = 0x0
Maybe this can shade some light on what hapend. I think that if the validation failed then the ICE2_02.28.00.fls file (6M) was not applied.
Anyone ? any ideas? I cannot find strace file on the Iphone in order to trace it.
Thanks,
G

[fromArmenia]

Not working!

Here is log
What is wrong here ?

Code:

Validating parameters...OK
Disabling thermal Notifications...OK
Disabling sleep...OK
Powering radio on through AppleBaseband
Opening device path /dev/cu.debug, using initial baud 115200
- Ping failed, trying again, 56 tries left
- Ping failed, trying again, 55 tries left
- Ping OK
Gathering modem information...OK
Checking Static EEP backup...
    - backup is OK
Checking Static EEP backup -- All OK
        Firmware Version: ICE2-02.30.03
        EEP Version: EEP_VERSION:526
        EEP Revision: EEP_REVISION:0
        Boot Loader Version: ICE2_BOOT_05.09_G2M3S2
        FLS/EEP Mismatch: Match
Configuring Hardware Mux...OK
-------------------------------------------------------------------------------
 BEGINNING BOOT
-------------------------------------------------------------------------------
Sending boot code...OK
Reading Reference file ICE2_02.28.00.fls...OK
Sending EBL Loader...
    Sending EBL Loader Length...OK
    Sending EBL Loader Data...OK
    Sending EBL Loader Checksum...OK
Sending EBL Loader -- All OK
Sending EBL...
    Sending EBL Length...OK
    Sending EBL Data and Checksum...OK
Sending EBL -- All OK
Getting EBL Version......OK
    - Boot Mode 0xCC
    - EBL Version Major/Minor: 6.2
    - EBL Version 'ICE2_RAM_B'
    - Flashing Compression: 0, CRC Type: 0, CRC Method: 1
Reading Reference file ICE2_02.28.00.fls...OK
Sending Protocol configuration...OK
Sending Flash ID...OK
Doing CFI Stage 1...OK
Doing CFI Stage 2...OK
-------------------------------------------------------------------------------
 DONE BOOT
-------------------------------------------------------------------------------
Getting software version of file ICE2_02.28.00.fls...OK
Increasing baud rate to 921600...OK
Validating EBL Version...OK
-------------------------------------------------------------------------------
 SENDING FLS FILE: ICE2_02.28.00.fls
-------------------------------------------------------------------------------
Loading FLS file ICE2_02.28.00.fls...OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls...
    Beginning Dynamic EEP erase at 0x20E40000 to 0x20EBFFFE...Progress:  0 percent, 0 of 524286Progress:  100 percent, 524286 of 524286. OK
    Sending Security Block...OK
    Erasing Load Area from 0x20040000 to 0x2063A01A (this will take some time)...OK
    Sending data for mapping 0: progress:  0 percent, 0 of 6266908progress:  0 progress:  100 percent, 6266908 of 6266908.  -- OK
    Checking validation result...    - Warning: Validation result code indicates failure, result code = 0x0

OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls -- All OK
-------------------------------------------------------------------------------
 DONE SENDING FLS FILE
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
 SENDING EEP FILE: ICE2_02.28.00.eep
-------------------------------------------------------------------------------
Loading EEP file ICE2_02.28.00.eep...OK
>> Sending Block of type StaticEEPClass(0) from file ICE2_02.28.00.eep...
    Sending Security Block...OK
    Erasing Load Area from 0x20FC0000 to 0x20FC57FE ...OK
    Sending EEP Payload...progress:  9 percent, 2048 of 22528progress:  18 percent, 4096 of 22528progress:  27 percent, 6144 of 22528progress:  36 percent, 8192 of 22528progress:  45 percent, 10240 of 22528progress:  54 percent, 12288 of 22528progress:  63 percent, 14336 of 22528progress:  72 percent, 16384 of 22528progress:  81 percent, 18432 of 22528progress:  90 percent, 20480 of 22528progress:  100 percent, 22528 of 22528. -- OK
    Checking validation result...OK
>> Sending Block of type StaticEEPClass(0) from file ICE2_02.28.00.eep -- All OK
-------------------------------------------------------------------------------
 DONE SENDING EEP FILE
-------------------------------------------------------------------------------
Powering radio down...OK
Doing a hardware reset through AppleBaseband
Waiting for baseband power-up...
    - Ping failed, trying again, 56 tries left
    - Ping failed, trying again, 55 tries left
    - Ping failed, trying again, 54 tries left
    - Ping failed, trying again, 53 tries left
    - Ping failed, trying again, 52 tries left
    - Ping OK
    - Baseband took 5.143725 seconds to power up
    Powering off radio...
    Powering off radio -- All OK
Waiting for baseband power-up -- All OK
Re-enabling thermal Notifications...OK
Re-enabling sleep...OK

[fromArmenia]

Also iPhone keep restarting each 2,3 minutes.

[V'Ista]

Quote:

Originally Posted by fromArmenia

Not working!

Here is log
What is wrong here ?

Code:

Validating parameters...OK
Disabling thermal Notifications...OK
Disabling sleep...OK
Powering radio on through AppleBaseband
Opening device path /dev/cu.debug, using initial baud 115200
- Ping failed, trying again, 56 tries left
- Ping failed, trying again, 55 tries left
- Ping OK
Gathering modem information...OK
Checking Static EEP backup...
    - backup is OK
Checking Static EEP backup -- All OK
        Firmware Version: ICE2-02.30.03
        EEP Version: EEP_VERSION:526
        EEP Revision: EEP_REVISION:0
        Boot Loader Version: ICE2_BOOT_05.09_G2M3S2
        FLS/EEP Mismatch: Match
Configuring Hardware Mux...OK
-------------------------------------------------------------------------------
 BEGINNING BOOT
-------------------------------------------------------------------------------
Sending boot code...OK
Reading Reference file ICE2_02.28.00.fls...OK
Sending EBL Loader...
    Sending EBL Loader Length...OK
    Sending EBL Loader Data...OK
    Sending EBL Loader Checksum...OK
Sending EBL Loader -- All OK
Sending EBL...
    Sending EBL Length...OK
    Sending EBL Data and Checksum...OK
Sending EBL -- All OK
Getting EBL Version......OK
    - Boot Mode 0xCC
    - EBL Version Major/Minor: 6.2
    - EBL Version 'ICE2_RAM_B'
    - Flashing Compression: 0, CRC Type: 0, CRC Method: 1
Reading Reference file ICE2_02.28.00.fls...OK
Sending Protocol configuration...OK
Sending Flash ID...OK
Doing CFI Stage 1...OK
Doing CFI Stage 2...OK
-------------------------------------------------------------------------------
 DONE BOOT
-------------------------------------------------------------------------------
Getting software version of file ICE2_02.28.00.fls...OK
Increasing baud rate to 921600...OK
Validating EBL Version...OK
-------------------------------------------------------------------------------
 SENDING FLS FILE: ICE2_02.28.00.fls
-------------------------------------------------------------------------------
Loading FLS file ICE2_02.28.00.fls...OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls...
    Beginning Dynamic EEP erase at 0x20E40000 to 0x20EBFFFE...Progress:  0 percent, 0 of 524286Progress:  100 percent, 524286 of 524286. OK
    Sending Security Block...OK
    Erasing Load Area from 0x20040000 to 0x2063A01A (this will take some time)...OK
    Sending data for mapping 0: progress:  0 percent, 0 of 6266908progress:  0 progress:  100 percent, 6266908 of 6266908.  -- OK
    Checking validation result...    - Warning: Validation result code indicates failure, result code = 0x0

OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls -- All OK
-------------------------------------------------------------------------------
 DONE SENDING FLS FILE
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
 SENDING EEP FILE: ICE2_02.28.00.eep
-------------------------------------------------------------------------------
Loading EEP file ICE2_02.28.00.eep...OK
>> Sending Block of type StaticEEPClass(0) from file ICE2_02.28.00.eep...
    Sending Security Block...OK
    Erasing Load Area from 0x20FC0000 to 0x20FC57FE ...OK
    Sending EEP Payload...progress:  9 percent, 2048 of 22528progress:  18 percent, 4096 of 22528progress:  27 percent, 6144 of 22528progress:  36 percent, 8192 of 22528progress:  45 percent, 10240 of 22528progress:  54 percent, 12288 of 22528progress:  63 percent, 14336 of 22528progress:  72 percent, 16384 of 22528progress:  81 percent, 18432 of 22528progress:  90 percent, 20480 of 22528progress:  100 percent, 22528 of 22528. -- OK
    Checking validation result...OK
>> Sending Block of type StaticEEPClass(0) from file ICE2_02.28.00.eep -- All OK
-------------------------------------------------------------------------------
 DONE SENDING EEP FILE
-------------------------------------------------------------------------------
Powering radio down...OK
Doing a hardware reset through AppleBaseband
Waiting for baseband power-up...
    - Ping failed, trying again, 56 tries left
    - Ping failed, trying again, 55 tries left
    - Ping failed, trying again, 54 tries left
    - Ping failed, trying again, 53 tries left
    - Ping failed, trying again, 52 tries left
    - Ping OK
    - Baseband took 5.143725 seconds to power up
    Powering off radio...
    Powering off radio -- All OK
Waiting for baseband power-up -- All OK
Re-enabling thermal Notifications...OK
Re-enabling sleep...OK

Tried every way, failure.
If that guy remember the steps and all is what he is writing here than it is totaly a fake solution(just a great idea failed, not completed, not lucky this time). Your iphone 3G will never be the same(it will not recognize even it own sim, no full activationany more) until a new baseband update will come out from Apple so again you will be a step behind unlocking(newer baseband). Someone close it as it is a shame for this forum.

[badi]

fakkkkkkkkeeeeee...................

[.:Nocturne:.]

hi,

can somebody from those who tested this clarify more about those 2 steps, i would be so thankful.

9. <root>/system/library/audio/uisounds copy paste this file...
10. then <root>/var/root/ this file...

i mean what r the files meant here


Regards

[adeelnet]

we all r waiting for Devteam .... they will find solution

[nass83]

realy???? the dev team find solution??????
when????
where we can see this solution ????

[platinumLA]

Quote:

Originally Posted by gesundheit

@platinumLA
using a different account now because your other one is banned? why you hate us so much?

peace to all. DEV team at last spoke, thanks very much. Maybe its pure luck for some guys.

pure luck to use erotic sound files ? You know what I use erotic soundfiles for _ .. yeah to jerk off.. so solution is a w a n k ? Is this what you are telling us ?

LOL

[Geronino]

Hi all,
i've found this side:

http://www.ilikemyiphone.com/?p=724

there is mentioned "This has nothing to do with downgrading the baseband from 2.30 to 2.28"

But,
i think there and maybe this is a solution for manipulating the baseband.
I'm a developer not a hacker, so i just want to make my phone work with my card.
And all that i've seen here are just normal unix commands.
I have ssh and root access as everybody!
So i've tried this solution with OSX and iTerm using the standard scp cmd.

And I really shot my baseband !

Don't know in the brain or the heart.
I think it was the brain and the heart still beats.

The baseband entry(modem firmeware) disappeared under ->general->settings
even the IMEI and ICCID dissapeared.

I have the same indication as GS_guy and fromArmenia after the procedure.
100 percent: OK
the phone restarts every 3 Minutes
Network search

So let's have a look at what this guys are doin.

@MuscleNerd and everybody
(first let's thank you for your great work NuscleNerd!)

If i unload the baseband via launchctl, didn' i have to load it after the procedure! (maybe the entry for the autostart is destroyed)
I mean you stop the service and overwrite the baseband.
(I don't really know if it's flashing the modem-chip?)
The BBUpdater flashes the baseband-chip after i have manualy unload the baseband? And normaly while reboot the service is started again.

So, my question is:

Did the Updater deleted the baseband and can't write the 02.28.00 in?
Or didn't the updater realy deleted the baseband?

The terminal output shows me, there is something written with 100% success. I think the only way for apple to disable this manipulation
from the baseband is the setting of a flag in the config.
I mean they have to leave an entry somewhere in a config file that a special firmware was installed!

I still believe, this way could be a solution.
Just to downgrade the baseband.

I can't locate the entry from apple, but i'wil try to replace the config files with one from an other phone with 02.28.00 baseband on.
If somebody with more experience than me is able to clarify some points of
this solution and of the functions we're talking about i would be happy.

And if someone knows how to read out the old 02.28.00 firmware.

[GS_guy]

I did find another blog talking about this procedure exactly only there is it in the context of upgrading the firmware from a lower version and it seems that it works there. So I guess someone decided it will also wok for downgrade. http://www.hackint0sh.org/forum/f187/61788-2.htm
I'm not a hacker either but what Geronino said makes sense, I do believe that another modification is needed in order for it to work. I know how to use unix/Linux machins so I will try to add somekind of a trace while running the procedure and see where it gets us.

Geronino, if you can compare the old version config files with the new files that would be intersting to see whick files were changed and what is the change.
G

[MuscleNerd]

Quote:

Originally Posted by Geronino

I still believe, this way could be a solution.
Just to downgrade the baseband.

Nope, it isn't.

The thing you unload to run BBUpdaterExtreme isn't the baseband. It's CommCenter. You stop CommCenter so that you can talk to the baseband without interference.

The decision as to whether to accept a proposed baseband that you upload is left entirely up to the current baseband. The flow is basically:
(a) get baseband's attention
(b) through a series of loading stages, upload the proposed new baseband to the existing one. It's put in RAM temporarily for this part.
(c) After the entire new proposed baseband is uploaded, some basic checks are done: (1) Is this baseband properly signed? (2) Has any part of it been tampered with, including its version number? (3) IS THE VERSION YOU SENT ME LESS THAN THE VERSION I'M RUNNING?

That third check is what kills the deal. The baseband simply rejects as invalid a proposed new baseband whose version is lower than itself. And you can't trick it into thinking the version is higher than it is because of checks (c)(1) and (c)(2) above.

So after that long upload stage, where the proposed baseband is stored in RAM, a verification stage goes on. It quickly decides at that point to simply reject the proposed baseband.

Because the version number is "protected" with a signed hash, you can't tamper with it undetected. If you try, the exisiting baseband sees an invalid signed hash and just drops your proposed baseband from consideration.

NOTE: The Tsamba "solution" consists of *stock* versions of the BBUpdaterExtreme and baseband files. The only thing additional in their package is the erotic sound files. Erotic sound files won't affect in any way shape or form the flow I've described above.

[GS_guy]

Thanks for the explenation MuscleNerd
There must be a way to trick it or overide it by force don't you think?

[MuscleNerd]

Quote:

Originally Posted by GS_guy

Thanks for the explenation MuscleNerd
There must be a way to trick it or overide it by force don't you think?

Sure...if you can run unsigned code on the baseband CPU, you can get around all of those checks. The only way to run unsigned code on the baseband CPU is through an "injection vector" like what yellowsn0w uses to get itself injected. Using an injection vector requires you to find and then exploit some hole in the existing baseband (typically, in the AT command parser).

[nass83]

what is mobileterminator????
where we can fide it????
how we use it ????
pleas