Do you need iphone 3gs baseband solution ?

[CTPACT]

btw if any one interest he takes 120$ for the job... if u don`t have shsh there is no problem also

[rogerboogie]

Quote:

Originally Posted by CTPACT

btw if any one interest he takes 120$ for the job... if u don`t have shsh there is no problem also

which iphone version is currently working ?

iphone 4
3gs

and whith this solution is downgrading baseband and firmware also and can repair imei too please specify the posibilities to work on this solution ?

thanks for share

[toky06]

wow nice .........very good idea

[rogerboogie]

another tip for research , here is the possible jtag interface on the iphone 4 on the board, this is placed un der the simcard conector , too risky way and hard place to solder the jtag but possible for sure

[OMBOSSMAN]

Yes and also need solution for all iphone recent models vote now

[azerty_soft]

with jtag i dont know (i thank imposible )
change baseband ic if you wont bath be careful it's easy

[yedish]

Quote:

Originally Posted by azerty_soft

with jtag i dont know (i thank imposible )
change baseband ic if you wont bath be careful it's easy

have you tried for iphone 4 , where do we get already programmed baseband chip for iphone 4??

[rogerboogie]

Quote:

Originally Posted by yedish

have you tried for iphone 4 , where do we get already programmed baseband chip for iphone 4??

i think no one have progamed baseband ic with 01.59 baseband for iphone 4 i never know something regarding this

the goal is downgrade the baseband on the iphone 4 to 01.50 by reflashing baseband chip using the jtag , i prety sure riff box can support thie chipset inside, the problem is if pda disable the jtag , or if jtag is totaly disabled

also maybe can be possible to change or modify the ECID to rewrite and the we can program some ECID with blobs on cydia to downgrade via itunes to 4.3.3 and got unlock & jailbroken device

thats why i ask to legija if is possible cause he is the expert

[tostefo]

please boys start use your brains, here is enought info to make your own research .... yes it will be great to have "one button" baseband downgrader but it is not so easy

3G/3GS/Ipad 3G uses X-Gold 608 baseband processor is also known as the PMB8878 and is also used on the LG KM900 ARENA, architecture is ARM926

http://img218.imageshack.us/img218/149/baseband.jpg


memory map
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

BR

[gsm3rdG]

modifying baseband = unlock can be done !!!!!!
it's so hard to do and must have a big hard tolls to do it !!

[wasim_mobile200]

yes we need it will be great...............

[ferhel]

Yes if possible we want security repair to

[underbird_gsm]

would be very good to fix my iPhone

[rogerboogie]

Where are the supporters ? Whats the possible answer to this request please let us know

[rogerboogie]

Quote:

Originally Posted by tostefo

please boys start use your brains, here is enought info to make your own research .... yes it will be great to have "one button" baseband downgrader but it is not so easy

3G/3GS/Ipad 3G uses X-Gold 608 baseband processor is also known as the PMB8878 and is also used on the LG KM900 ARENA, architecture is ARM926

http://img218.imageshack.us/img218/149/baseband.jpg


memory map
FLASH 0x20000000 0x1000000
CODE 0x20000000 0x40000 0b0010(bootstrapper)
CODE 0x20040000 0xDC0000 0b0100(main firmware)
FFS 0x20A00000 0x100000 0b1100(empty)
DYNFFS 0x20A00000 0x100000 0b1100(empty)
FFS 0x20B00000 0x40000 0b1011(empty)
DYN_EEP 0x20E40000 0x80000 0b0110
SECPACK 0x20EC0000 0x40000
SECZONE 0x20F80000 0x40000
STATIC_EEP 0x20FC0000 0x40000 0b0111
RAM 0x40000000 0x800000

BR

do you try by yourself ? please let me know i try to conect with the jtag by selecting ARM926 with the lg P500 profile , but i faced one problem , i cant find nrst pin on the jtag , as fas as i know riff box requires nrst signal to conect

second idea is , the jtag can be blocked by the firmware and maybe have especial way to conect

or we cant and the only way to get sucess is desoldering flash ic from board and program using external programer

thats why i want to know if any one have sucess experience by trying to conect by jtag

the goal is ,

1.-read full dump from memory ( just in case )
2.-get dump from full memory from a good baseband phone 05.13 for example
to have secpack to send to this region "SECPACK 0x20EC0000 0x40000"
maybe this can solve just the firmware of baseband and leave intact the SECZONE 0x20F80000 0x40000


i think imei is located on this region( seczone ) , but if we rewrite from the other phone full dump , all will be writen including imei and this will cause imei 004999xxxx and phone will work but will have imei problems

i have changed baseband flash on 1 iphone 4, the phone works on 2 of 3 carriers , but need to unlock it using gevey , this imei 00499xxx avoid factory activation via itunes , hacktivation is needed to activate phone after imei mismatch

so the goal is flash only the baseband section without the imei

if anybody have sucess to conect via jtag port please share here