DLOADTool
Mav5 baseband on iPhone 5
Hi, I'm using your tools to boot the baseband without the CommCenter. The oldest device I have is an iPhone 5; I'm trying to boot it into DBL mode, but there is no such file as "dbl.mbn" in the Mav5 firmware. Instead, these files are present in the iPhone 5 Mav5 baseband firmware: apps.mbn, dsp1.mbn, dsp3.mbn, sbl1.mbn, bbticket.der, dsp2.mbn, rpm.mbn, sbl2.mbn. Could you please give me a hint which one I should upload to enter DBL mode, and which ones I should use in the next step, when booting to normal operating mode using dbltool, instead of osbl.mbn and amss.mbn? Thanks for your work!
Yeah, they changed some things and removed DLOAD mode from the iPhone 5. After a baseband reset it expects to be in Sahara mode, sending DBL stuff.
-- Joshua Hill CEO & Founder | Chronic-Dev, LLC +1 678-662-0376 | [email protected] Web: http://www.greenpois0n.com Twitter: http://twitter.com/p0sixninja
The only real trick is figuring out which file_id numbers it requests and matching them to the firmware files. You can brute-force them, or interpose some functions and MITM them.
Thanks for the answer!
Strange: if I just perform `bbtool reset`, the baseband will not appear in the system.
Only after `bbtool enter-dload` can I see that the baseband on my iPhone 5 (iOS 10.3.3) registers as
QHSUSB_DLOAD IOUSBHostDevice, so I assume DLOAD mode is still present?
By "interposing some functions" do you mean, for example, hooking WritePipe of IOUSBInterfaceStruct inside IOKit to find out what exactly is sent to the baseband when CommCenter loads?
I didn't get the part about brute forcing; what exactly is there to brute-force?
Hi, so I've got an iPhone 4s with the Trek baseband firmware. I'm able to boot it and everything works well! But I have another question; maybe you had the same issue. After IOUSBInterfaceInterface is successfully opened, I'm trying to send a ControlRequest. I'm using code from your other project, libqmi:
uint8_t buf[0x2000];                 // response buffer; must hold at least wLength bytes
IOUSBDevRequest req;
req.bmRequestType = 0xa1;            // IN | class | interface: CDC GET_ENCAPSULATED_RESPONSE
req.bRequest = 0x1;
req.pData = buf;
req.wIndex = 3;                      // interface number the request is addressed to
req.wValue = 0;
req.wLenDone = 0;
req.wLength = 0x2000;                // bytes requested from the modem in one control transfer
kr = (*iface)->ControlRequest(iface, 0, (IOUSBDevRequest*)&req);
My end goal is to try to communicate with the baseband over QMI,
but right after I send this request the kernel panics with this error: IOGMD: not wired for the IODMACommand
Am I missing something obvious here? Or is the packet malformed, causing the modem to crash, and that leads to the kernel panic?
kernel panic log
Incident Identifier: DCE914B0-4CE9-462C-A858-1C7A65BF96E2
CrashReporter Key: c3143d363bbc4d53502b99191d3f73e4768be9eb
Hardware Model: iPhone4,1
Date/Time: 2018-11-22 11:19:06.06 +0200
OS Version: iOS 9.0.2 (13A452)
panic(cpu 1 caller 0x95b5bcc1): "IOGMD: not wired for the IODMACommand"
Debugger message: panic
OS version: 13A452
Kernel version: Darwin Kernel Version 15.0.0: Thu Aug 20 13:11:09 PDT 2015; root:xnu-3248.1.3~1/RELEASE_ARM_S5L8940X
Paniclog version: 3
ECID: 0000028A0C0C9D89
Kernel slide: 0x0000000015800000
Kernel text base: 0x95801000
Boot : 0x5bf66ef9 0x00000000
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x5bf67436 0x00072a19
Panicked task 0x8006fa98: 298 pages, 1 threads: pid 628: QMITest
panicked thread: 0x807ed170, backtrace: 0x93ffb698 0x958c9bff 0x958c9ed5 0x95820835 0x95b5bcc1 0x95b5c239 0x96073f03 0x960b97ed 0x960ae423 0x95b4f1f9 0x9605c437 0x96072e73 0x95b4f1f9 0x96072d73 0x9607159b 0x95b4f1f9 0x960714fb 0x9607148b 0x9607140f 0x96067469 0x96083ac1 0x960808bb 0x96080b27 0x95b70471 0x958abbc1 0x958106bf 0x9581b77d 0x958c62fc
Task 0x80071ac8: 16219 pages, 131 threads: pid 0: kernel_task Task 0x80071790: 1058 pages, 3 threads: pid 1: launchd Task 0x80071120: 178 pages, 2 threads: pid 23: amfid Task 0x80071458: 290 pages, 7 threads: pid 30: syslogd Task 0x80070778: 400 pages, 2 threads: pid 33: misd Task 0x80070108: 1017 pages, 4 threads: pid 37: ptpd Task 0x8006fdd0: 294 pages, 3 threads: pid 39: keybagd Task 0x8006f760: 594 pages, 2 threads: pid 43: iaptransportd Task 0x8006f428: 801 pages, 8 threads: pid 45: configd Task 0x8006f0f0: 1104 pages, 2 threads: pid 47: lockdownd Task 0x8006edb8: 509 pages, 3 threads: pid 49: mDNSResponder Task 0x8006ea80: 702 pages, 3 threads: pid 51: imagent Task 0x8006e748: 1640 pages, 4 threads: pid 53: atc Task 0x8006e410: 1221 pages, 2 threads: pid 55: fairplayd.H1 Task 0x8006dda0: 1587 pages, 7 threads: pid 57: aggregated Task 0x8006e0d8: 1256 pages, 3 threads: pid 59: routined Task 0x8006d3f8: 771 pages, 4 threads: pid 65: timed Task 0x8006cd88: 657 pages, 2 threads: pid 69: installd Task 0x8006ca50: 2112 pages, 6 threads: pid 71: mediaserverd Task 0x8006c3e0: 572 pages, 3 threads: pid 75: mediaremoted Task 0x8006bd70: 1177 pages, 7 threads: pid 77: identityservices Task 0x8006c0a8: 9833 pages, 9 threads: pid 79: SpringBoard Task 0x8006ba38: 480 pages, 2 threads: pid 81: fileproviderd Task 0x8006b3c8: 549 pages, 2 threads: pid 83: wirelessproxd Task 0x80
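The control request in the post above (bmRequestType 0xa1, bRequest 1, wIndex = interface) is the CDC GET_ENCAPSULATED_RESPONSE shape used to carry QMI over USB; what travels inside it is QMUX framing. As an added example, not code from the thread, DLOADTool or libqmi, here is a small host-side QMUX builder and parser in C. It produces the canonical 12-byte QMI_CTL_GET_VERSION_INFO request, allocates a client id for another service, and refuses any frame whose length fields disagree with what was actually received. The message ids 0x0021 and 0x0022 are the standard QMI_CTL values; the baseband reply in SAMPLE_ALLOC_RESP is constructed for the example, not captured from a Trek or Mav5.

```c
/* qmux.c - build and parse QMUX-framed QMI messages (host / control point side).
 * Added example; not code from DLOADTool or libqmi. 0x0021 and 0x0022 are the standard
 * QMI_CTL message ids; the baseband reply in SAMPLE_ALLOC_RESP is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QMUX_IF_TYPE               0x01
#define QMI_SVC_CTL                0x00
#define QMI_CTL_GET_VERSION_INFO   0x0021
#define QMI_CTL_ALLOCATE_CLIENT_ID 0x0022
#define QMI_TLV_RESULT             0x02
#define QMI_CTL_FLAG_RESPONSE      0x01   /* CTL service; the other services use 0x02 */

struct qmi_msg {
    uint8_t service, client, flags;
    uint16_t tx_id, msg_id, tlv_len;
    const uint8_t *tlvs;              /* points into the parsed frame */
};

/* Serialise a request: 01 | len(2) | ctrl flags | service | client | msg type |
 * tx id (1 byte for CTL, 2 otherwise) | msg id(2) | tlv len(2) | TLVs. All little-endian;
 * len excludes the leading 0x01. Returns the frame length, or 0 if it does not fit. */
size_t qmux_build(uint8_t *out, size_t cap, uint8_t service, uint8_t client, uint16_t tx_id,
                  uint16_t msg_id, const uint8_t *tlvs, uint16_t tlv_len)
{
    size_t txw = (service == QMI_SVC_CTL) ? 1 : 2, total = 6 + 1 + txw + 4 + tlv_len;
    if (total > cap || (txw == 1 && tx_id > 0xff)) return 0;
    uint8_t *p = out;
    *p++ = QMUX_IF_TYPE; *p++ = (uint8_t)(total - 1); *p++ = (uint8_t)((total - 1) >> 8);
    *p++ = 0x00; *p++ = service; *p++ = client;  /* flags 0x00: control point -> service */
    *p++ = 0x00;                                 /* message type: request */
    *p++ = (uint8_t)tx_id; if (txw == 2) *p++ = (uint8_t)(tx_id >> 8);
    *p++ = (uint8_t)msg_id; *p++ = (uint8_t)(msg_id >> 8);
    *p++ = (uint8_t)tlv_len; *p++ = (uint8_t)(tlv_len >> 8);
    if (tlv_len) memcpy(p, tlvs, tlv_len);
    return total;
}

/* Parse a frame from the baseband. Every length is checked against what actually arrived
 * before it is used, so a bad (or hostile) modem cannot walk us off the buffer. */
int qmux_parse(const uint8_t *in, size_t len, struct qmi_msg *m)
{
    if (len < 6 || in[0] != QMUX_IF_TYPE || (size_t)(in[1] | in[2] << 8) + 1 != len) return -1;
    m->service = in[4]; m->client = in[5];
    size_t txw = (m->service == QMI_SVC_CTL) ? 1 : 2, hdr = 6 + 1 + txw + 4;
    if (len < hdr) return -1;
    const uint8_t *p = in + 6;
    m->flags = *p++;
    m->tx_id = *p++; if (txw == 2) m->tx_id |= (uint16_t)(*p++ << 8);
    m->msg_id = (uint16_t)(p[0] | p[1] << 8); m->tlv_len = (uint16_t)(p[2] | p[3] << 8);
    if (hdr + m->tlv_len != len) return -1;
    m->tlvs = p + 4;
    return 0;
}

/* Locate TLV `type` (type(1) len(2) value). NULL if absent or if any TLV overruns the message. */
const uint8_t *qmi_tlv_find(const struct qmi_msg *m, uint8_t type, uint16_t *vlen)
{
    for (size_t off = 0; off + 3 <= m->tlv_len; ) {
        uint16_t l = (uint16_t)(m->tlvs[off + 1] | m->tlvs[off + 2] << 8);
        if (off + 3 + l > m->tlv_len) return NULL;
        if (m->tlvs[off] == type) { *vlen = l; return m->tlvs + off + 3; }
        off += 3 + l;
    }
    return NULL;
}

/* QMI_CTL_ALLOCATE_CLIENT_ID reply: result TLV 0x02 (result(2) error(2)) plus TLV 0x01 =
 * {service, client id}. The id goes into the QMUX header of every later message to that
 * service, whose transaction ids are then 2 bytes wide.
 * Returns 0 (cid filled), -1 malformed/unexpected, -2 the modem reported failure. */
int qmi_ctl_alloc_cid_parse(const uint8_t *in, size_t len, uint8_t want, uint8_t *cid)
{
    struct qmi_msg m; uint16_t l; const uint8_t *v;
    if (qmux_parse(in, len, &m) || m.service != QMI_SVC_CTL ||
        m.msg_id != QMI_CTL_ALLOCATE_CLIENT_ID || !(m.flags & QMI_CTL_FLAG_RESPONSE)) return -1;
    if (!(v = qmi_tlv_find(&m, QMI_TLV_RESULT, &l)) || l < 4) return -1;
    if ((v[0] | v[1] << 8) != 0) return -2;
    if (!(v = qmi_tlv_find(&m, 0x01, &l)) || l < 2 || v[0] != want) return -1;
    *cid = v[1]; return 0;
}

/* ---- worked exchange; the reply below is constructed (tx 1, service 0x02 -> client id 3) ---- */
static const uint8_t SAMPLE_ALLOC_RESP[] = {
    0x01, 0x17, 0x00, 0x80, 0x00, 0x00,        /* QMUX: len 23, service -> control point, CTL, cid 0 */
    0x01, 0x01, 0x22, 0x00, 0x0c, 0x00,        /* response, tx 1, msg 0x0022, 12 bytes of TLVs */
    0x02, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,  /* result TLV: success, no error */
    0x01, 0x02, 0x00, 0x02, 0x03 };            /* allocated: service 0x02, client id 0x03 */

int demo_version_info_req(void)   /* 1 if we produce the canonical 12-byte CTL request */
{
    static const uint8_t want[] = { 0x01,0x0b,0x00,0x00,0x00,0x00,0x00,0x01,0x21,0x00,0x00,0x00 };
    uint8_t f[32]; size_t n = qmux_build(f, sizeof f, QMI_SVC_CTL, 0, 1, QMI_CTL_GET_VERSION_INFO, NULL, 0);
    return n == sizeof want && memcmp(f, want, n) == 0;
}
int demo_alloc_cid(void)          /* client id handed out by the constructed reply: 3 */
{
    uint8_t f[32], cid = 0, tlv[4] = { 0x01, 0x01, 0x00, 0x02 };   /* TLV 0x01: wanted service 0x02 */
    if (qmux_build(f, sizeof f, QMI_SVC_CTL, 0, 1, QMI_CTL_ALLOCATE_CLIENT_ID, tlv, 4) != 16) return -1;
    return qmi_ctl_alloc_cid_parse(SAMPLE_ALLOC_RESP, sizeof SAMPLE_ALLOC_RESP, 0x02, &cid) ? -2 : cid;
}
int demo_bad_length_rejected(void) /* same reply with the QMUX length lying: parse must say -1 */
{
    struct qmi_msg m; uint8_t bad[sizeof SAMPLE_ALLOC_RESP];
    memcpy(bad, SAMPLE_ALLOC_RESP, sizeof bad); bad[1] = 0x40;
    return qmux_parse(bad, sizeof bad, &m);
}
int main(void)
{
    printf("version-info frame ok=%d client id=%d bad length rejected=%d\n",
           demo_version_info_req(), demo_alloc_cid(), demo_bad_length_rejected() == -1);
    return 0;
}
```

The frames produced by qmux_build are what goes into the pData buffer of a SEND_ENCAPSULATED_COMMAND (bmRequestType 0x21, bRequest 0) and what comes back from the GET_ENCAPSULATED_RESPONSE shown above; qmux_parse is deliberately strict so that a reply with an inconsistent length is dropped rather than interpreted.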
Yeah, they changed some things on newer devices. Unfortunately, the iPhone 5 I was using to develop the updated version magically vanished. On newer devices there is no DLOAD mode; resetting the baseband boots directly into DBL mode. You can check with iosusbenum.
Yes, you got the general idea. Instrument the read/write pipe and control message functions to dump the contents and see how CommCenter is doing it. At least on the iPhone 6 I noticed the baseband requesting some new files to be sent on upload, and I was unable to locate the source of the data requested. I just tried sending every file with every "file id" to see if I could find it (hence brute force).
This resulted in me bricking my device... whoops... that's the end of that story ;P
My only guess would be that perhaps the size of the USB buffer has changed. Try doubling it and see if that helps. I wouldn't be surprised if a malformed USB packet was causing it to crash, though. I didn't really give that part a full review.
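The "file id" problem described in the two replies above (the reset baseband asks for images by id and the host has to answer with the right file) is the Sahara exchange. As an added example, not code from DLOADTool or DBLTool, this C host-side handler answers HELLO, serves READ_DATA slices from an id-to-file table, answers END_IMAGE_TRANSFER with DONE, and records every image id it cannot serve, which is exactly the list one would otherwise brute-force. The packet layouts are the public 32-bit Sahara ones (8-byte command/length header, little-endian fields; the 64-bit READ_DATA variant, command 0x12, is not handled). The image id 0x07 and the 24-byte image in the demo are placeholders, not Mav5 values, and the scripted target packets are constructed.

```c
/* sahara_host.c - host side of the Qualcomm Sahara image-transfer protocol, the mode the
 * reset iPhone 5 baseband comes up in. Added example, not DLOADTool or DBLTool code.
 * Layouts are the public Sahara ones: 32-bit little-endian fields behind an 8-byte
 * command/length header. TABLE's image id is a placeholder; the real ids are what the
 * target tells you in READ_DATA, and unknown_ids[] is where this code records them. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { SAHARA_HELLO = 1, SAHARA_HELLO_RESP = 2, SAHARA_READ_DATA = 3,
       SAHARA_END_IMAGE_TX = 4, SAHARA_DONE = 5, SAHARA_DONE_RESP = 6 };
enum { SAHARA_MODE_IMAGE_TX_PENDING = 0, SAHARA_MODE_IMAGE_TX_COMPLETE = 1 };
#define SAHARA_STATUS_SUCCESS 0
#define MAX_UNKNOWN 16

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

struct sahara_image { uint32_t id; const char *name; const uint8_t *data; size_t len; };
struct sahara_host {
    const struct sahara_image *images; size_t n_images;
    uint32_t version, version_min;                        /* taken from the target's HELLO */
    uint32_t unknown_ids[MAX_UNKNOWN]; size_t n_unknown;  /* ids requested that we have no file for */
    int done;
};

/* Handle one packet from the target. Writes the reply into out and returns its length,
 * 0 if the packet needs no reply, or -1 if it is malformed or cannot be served. */
int sahara_handle(struct sahara_host *h, const uint8_t *pkt, size_t len, uint8_t *out, size_t cap)
{
    if (len < 8 || rd32(pkt + 4) != len) return -1;   /* length field must match what arrived */
    switch (rd32(pkt)) {
    case SAHARA_HELLO:          /* version, version_min, max_cmd_len, mode, reserved[6] = 0x30 bytes */
        if (len != 0x30 || cap < 0x30) return -1;
        h->version = rd32(pkt + 8); h->version_min = rd32(pkt + 12);
        memset(out, 0, 0x30);
        wr32(out, SAHARA_HELLO_RESP); wr32(out + 4, 0x30);
        wr32(out + 8, h->version);    wr32(out + 12, h->version_min);
        wr32(out + 16, SAHARA_STATUS_SUCCESS); wr32(out + 20, SAHARA_MODE_IMAGE_TX_PENDING);
        return 0x30;
    case SAHARA_READ_DATA: {    /* image_id, offset, length = 0x14 bytes; the reply is the raw slice */
        if (len != 0x14) return -1;
        uint32_t id = rd32(pkt + 8), off = rd32(pkt + 12), n = rd32(pkt + 16);
        for (size_t i = 0; i < h->n_images; i++) {
            const struct sahara_image *im = &h->images[i];
            if (im->id != id) continue;
            if (off > im->len || n > im->len - off || n > cap) return -1;  /* never read past the image */
            memcpy(out, im->data + off, n);
            return (int)n;
        }
        if (h->n_unknown < MAX_UNKNOWN) h->unknown_ids[h->n_unknown++] = id;  /* the id to go hunting for */
        return -1;
    }
    case SAHARA_END_IMAGE_TX:   /* image_id, status = 0x10 bytes; answer DONE if the target was happy */
        if (len != 0x10 || cap < 8 || rd32(pkt + 12) != SAHARA_STATUS_SUCCESS) return -1;
        wr32(out, SAHARA_DONE); wr32(out + 4, 8);
        return 8;
    case SAHARA_DONE_RESP:      /* image_tx_status = 0xc bytes */
        if (len != 0xc) return -1;
        h->done = (rd32(pkt + 8) == SAHARA_MODE_IMAGE_TX_COMPLETE);
        return 0;
    default:
        return -1;              /* 64-bit READ_DATA (0x12) and memory-debug commands are not handled */
    }
}

/* ---- scripted target for a stand-alone run; all packets and the image are constructed ---- */
static uint8_t FAKE_SBL1[24];
static const struct sahara_image TABLE[] = { { 0x07, "sbl1.mbn", FAKE_SBL1, sizeof FAKE_SBL1 } }; /* 0x07: placeholder id */
static struct sahara_host g_host;

static void mk_read(uint8_t *p, uint32_t id, uint32_t off, uint32_t n)
{ wr32(p, SAHARA_READ_DATA); wr32(p + 4, 0x14); wr32(p + 8, id); wr32(p + 12, off); wr32(p + 16, n); }

/* Returns the number of image bytes served to the target, or -1 on any protocol failure. */
int demo_session(void)
{
    static const uint8_t hello[0x30]    = { 1,0,0,0, 0x30,0,0,0, 2,0,0,0, 1,0,0,0, 0x30,0,0,0 };
    static const uint8_t end[0x10]      = { 4,0,0,0, 0x10,0,0,0, 7,0,0,0, 0,0,0,0 };
    static const uint8_t done_resp[0xc] = { 6,0,0,0, 0xc,0,0,0, 1,0,0,0 };
    uint8_t pkt[0x14], out[64]; int r, served = 0;
    for (size_t i = 0; i < sizeof FAKE_SBL1; i++) FAKE_SBL1[i] = (uint8_t)(0xA0 + i);
    memset(&g_host, 0, sizeof g_host); g_host.images = TABLE; g_host.n_images = 1;
    r = sahara_handle(&g_host, hello, sizeof hello, out, sizeof out);
    if (r != 0x30 || rd32(out) != SAHARA_HELLO_RESP || rd32(out + 8) != 2) return -1;
    mk_read(pkt, 0x07, 0, 16);  r = sahara_handle(&g_host, pkt, sizeof pkt, out, sizeof out);
    if (r != 16 || memcmp(out, FAKE_SBL1, 16)) return -1;  served += r;
    mk_read(pkt, 0x07, 16, 8);  r = sahara_handle(&g_host, pkt, sizeof pkt, out, sizeof out);
    if (r != 8 || memcmp(out, FAKE_SBL1 + 16, 8)) return -1;  served += r;
    mk_read(pkt, 0x07, 16, 9);  if (sahara_handle(&g_host, pkt, sizeof pkt, out, sizeof out) != -1) return -1; /* over-read refused */
    mk_read(pkt, 0x15, 0, 16);  if (sahara_handle(&g_host, pkt, sizeof pkt, out, sizeof out) != -1) return -1; /* unknown id, recorded */
    r = sahara_handle(&g_host, end, sizeof end, out, sizeof out);
    if (r != 8 || rd32(out) != SAHARA_DONE) return -1;
    if (sahara_handle(&g_host, done_resp, sizeof done_resp, out, sizeof out) != 0) return -1;
    return served;
}
int demo_first_unknown_id(void) { return g_host.n_unknown == 1 ? (int)g_host.unknown_ids[0] : -1; }
int demo_done(void) { return g_host.done; }

int main(void)
{
    int served = demo_session();
    printf("served %d bytes, first unknown image id 0x%x, done=%d\n", served, demo_first_unknown_id(), demo_done());
    return 0;
}
```

On a real device the packets come in and go out over the two bulk endpoints of the 0x5c6:0x9008 interface; the point of the unknown_ids list is that one run against the baseband tells you which ids it wants without sending it anything it did not ask for, which is the safer alternative to trying every file against every id.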
Thank you so much! Yes, I also thought about accidentally bricking the device; I do understand that it's possible :) Anyway, currently I'm stuck with ControlRequest causing a kernel panic; I will investigate this further. My end goal is to send an APDU command to a SIM card and get a response. Thanks once again!
My recommendation is to download DBLTool, alter the USB VID/PID so it matches the one in dloadtool (yes, I know it's really, really annoying!!) and then give it a shot.
Same VID and PID as DLOAD mode, but the SAH protocol.
Can you give me the output of iosusbenum? It looks like DLOAD mode, but it's not. The DBL protocol has no control requests; it's only bulk pipes.
OK, here it is: iPhone 5, iOS 10.3.3.
I don't know what this other device "M=HEIN m=6.9 V=m" is, but I left it in the log anyway.
Normal operating mode with CommCenter loaded:
Starting iOSUSBEnum
Device Name: M=HEIN m=6.9 V=m
Vendor ID: 0xa5c
Product ID: 0xbd1a
Version: 0x1
Location: 0x1400000
Configuration: 0
Length: 0x9
Descriptor Type: 0x2
Total Length: 0x27
Num Interfaces: 0x1
Configuration Value: 0x1
Configuration: 0x0
Attributes: 0x60
Max Power: 0x0
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x0
Alternate Setting: 0x0
Num Endpoints: 0x3
Interface Class: Vendor Specific
Interface SubClass: 0x2
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x81
Attributes: 0x3
Transfer Type: Interrupt
Max Packet Size: 0x10
Interval: 0x4
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x82
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x0
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x3
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x1
Device Name: Qualcomm CDMA Technologies MSM
Vendor ID: 0x5c6
Product ID: 0x9034
Version: 0x0
Location: 0x1200000
Configuration: 0
Length: 0x9
Descriptor Type: 0x2
Total Length: 0xf1
Num Interfaces: 0xb
Configuration Value: 0x1
Configuration: 0x1
Attributes: 0xe0
Max Power: 0xfa
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x0
Alternate Setting: 0x0
Num Endpoints: 0x2
Interface Class: Vendor Specific
Interface SubClass: 0xff
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x81
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x1
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x1
Alternate Setting: 0x0
Num Endpoints: 0x2
Interface Class: Vendor Specific
Interface SubClass: 0xff
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x82
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x2
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x2
Alternate Setting: 0x0
Num Endpoints: 0x3
Interface Class: Vendor Specific
Interface SubClass: 0xff
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x83
Attributes: 0x3
Transfer Type: Interrupt
Max Packet Size: 0x40
Interval: 0x5
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x84
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x3
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x3
Alternate Setting: 0x0
Num Endpoints: 0x1
Interface Class: Vendor Specific
Interface SubClass: 0xff
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x85
Attributes: 0x3
Transfer Type: Interrupt
Max Packet Size: 0x40
Interval: 0x5
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x4
Alternate Setting: 0x0
Num Endpoints: 0x2
Interface Class: Communication Data
Interface SubClass: 0x0
Interface Protocol: 0x0
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x86
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x4
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x5
Alternate Setting: 0x0
Num Endpoints: 0x1
Interface Class: Vendor Specific
Interface SubClass: 0xff
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x87
Attributes: 0x3
Transfer Type: Interrupt
Max Packet Size: 0x40
Interval: 0x5
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x6
Alternate Setting: 0x0
Num Endpoints: 0x2
Interface Class: Communication Data
Interface SubClass: 0x0
Interface Protocol: 0x0
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x88
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x5
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x7
Alternate Setting: 0x0
Num Endpoints: 0x1
Interface Class: Vendor Specific
Interface SubClass: 0xff
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x89
Attributes: 0x3
Transfer Type: Interrupt
Max Packet Size: 0x40
Interval: 0x5
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x8
Alternate Setting: 0x0
Num Endpoints: 0x2
Interface Class: Communication Data
Interface SubClass: 0x0
Interface Protocol: 0x0
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x8a
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x6
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x9
Alternate Setting: 0x0
Num Endpoints: 0x1
Interface Class: Vendor Specific
Interface SubClass: 0xff
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x8b
Attributes: 0x3
Transfer Type: Interrupt
Max Packet Size: 0x40
Interval: 0x5
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0xa
Alternate Setting: 0x0
Num Endpoints: 0x2
Interface Class: Communication Data
Interface SubClass: 0x0
Interface Protocol: 0x0
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x8c
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x7
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x20
after CommCenter unload:
Starting iOSUSBEnum
Device Name: M=HEIN m=6.9 V=m
Vendor ID: 0xa5c
Product ID: 0xbd1a
Version: 0x1
Location: 0x1400000
Configuration: 0
Length: 0x9
Descriptor Type: 0x2
Total Length: 0x27
Num Interfaces: 0x1
Configuration Value: 0x1
Configuration: 0x0
Attributes: 0x60
Max Power: 0x0
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x0
Alternate Setting: 0x0
Num Endpoints: 0x3
Interface Class: Vendor Specific
Interface SubClass: 0x2
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x81
Attributes: 0x3
Transfer Type: Interrupt
Max Packet Size: 0x10
Interval: 0x4
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x82
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x0
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x3
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x1
after `bbtool enter-dload`:
Starting iOSUSBEnum
Device Name: M=HEIN m=6.9 V=m
Vendor ID: 0xa5c
Product ID: 0xbd1a
Version: 0x1
Location: 0x1400000
Configuration: 0
Length: 0x9
Descriptor Type: 0x2
Total Length: 0x27
Num Interfaces: 0x1
Configuration Value: 0x1
Configuration: 0x0
Attributes: 0x60
Max Power: 0x0
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x0
Alternate Setting: 0x0
Num Endpoints: 0x3
Interface Class: Vendor Specific
Interface SubClass: 0x2
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x81
Attributes: 0x3
Transfer Type: Interrupt
Max Packet Size: 0x10
Interval: 0x4
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x82
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x0
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x3
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x1
Device Name: QHSUSB_DLOAD
Vendor ID: 0x5c6
Product ID: 0x9008
Version: 0x0
Location: 0x1200000
Configuration: 0
Length: 0x9
Descriptor Type: 0x2
Total Length: 0x20
Num Interfaces: 0x1
Configuration Value: 0x1
Configuration: 0x0
Attributes: 0x80
Max Power: 0x1
Interface
Length: 0x9
Descriptor Type: 0x4
Interface Number: 0x0
Alternate Setting: 0x0
Num Endpoints: 0x2
Interface Class: Vendor Specific
Interface SubClass: 0xff
Interface Protocol: 0xff
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x81
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x0
Endpoint
Length: 0x7
Descriptor Type: 0x5
Endpoint Address: 0x1
Attributes: 0x2
Transfer Type: Bulk
Max Packet Size: 0x200
Interval: 0x0
Oh, about ControlRequest: I'm trying this on an iPhone 4s with 9.0.2 after booting the modem successfully using your guide; it's not an iPhone 5, sorry for the confusion. I'm currently using the 4s to further investigate the whole thing, to send a QMI message.
Yeah, you can see it only exposes 2 bulk endpoints, no control messages (although technically that's just endpoint 0, iirc).
The other device might be the battery controller. Interesting.
Also, the 4s should work fine. It's been well tested on it.
However, that was on iOS 6/7.
About interposing:
So I wrote a small library in which I'm trying to interpose some basic standard library functions such as fopen, and also a couple of functions from IOKit,
but I can not inject the library into CommCenter using the launchd plist's EnvironmentVariables field; in the system logs I can see this: Disallowing environment variable: DYLD_INSERT_LIBRARIES
And if I try to run CommCenter from the ssh command prompt, I can inject the lib, but CommCenter gets stuck at some point and aborts itself after a timeout.
Maybe you had a similar issue?
command prompt log
iphone-4s:~ root# /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
_fopen(/etc/master.passwd, r)
libInter injected.
_fopen(/etc/master.passwd, r)
_fopen(/var/wireless/Library/Preferences/csidata, r)
2018-11-28 18:32:03.456 CommCenter[1518:69674] interposed: _IOServiceGetMatchingService
2018-11-28 18:32:03.457 CommCenter[1518:69674] matching: {
IOProviderClass = AppleBaseband;
}
_fopen(/etc/master.passwd, r)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata.tmp, w)
_fopen(/usr/local/standalone/firmware/Baseband/Trek/dbl.mbn, r)
_fopen(/usr/local/standalone/firmware/Baseband/Trek/osbl.mbn, r)
_fopen(/usr/local/standalone/firmware/Baseband/Trek/amss.mbn, r)
Going through the contents in the directory searching for pattern 'overrides', and extension: 'plist'
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata.tmp, w)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata.tmp, w)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata.tmp, w)
2018-11-28 18:32:04.095 CommCenter[1518:69767] opening backingstore /var/wireless/Library/Databases/DataUsage.sqlite, read/write
_fopen(/var/wireless/spool/loading, w)
2018-11-28 18:32:04.343 CommCenter[1518:69782] interposed: _IOServiceGetMatchingService
2018-11-28 18:32:04.344 CommCenter[1518:69782] matching: {
IOPropertyMatch = {
"built-in" = 1;
};
IOProviderClass = IOPMPowerSource;
}
_fopen(/System/Library/Frameworks/CoreTelephony.framework/Support/Instruments.config, rb)
_fopen(/tmp/libETL.log, a)
2018-11-28 18:32:04.915 CommCenter[1518:69645] BTM: attaching to BTServer
_fopen(/usr/local/standalone/firmware/Baseband/Trek/bbticket.der, r)
Assertion failed: (false && "Callback fault reached; crashing"), function triggerFault, file /BuildRoot/Library/Caches/com.apple.xbs/Sources/CoreTelephony/CoreTelephony-3310.4/CommCenter/Source/CCXpcServer/CCXpcServerWatchdog.cpp, line 169.
Abort trap: 6
iphone-4s:~ root#
com.apple.CommCenter.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnablePressuredExit</key>
<false/>
<key>EnableTransactions</key>
<true/>
<key>EnvironmentVariables</key>
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/var/root/libInterAT.dylib</string>
</dict>
<key>ExitTimeOut</key>
<integer>20</integer>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.apple.CommCenter</string>
<key>LimitLoadToHardware</key>
<dict>
<key>machine</key>
<array>
<string>iPod5,1</string>
...all the models
<string>iPad11,3</string>
</array>
</dict>
<key>MachServices</key>
<dict>
<key>com.apple.CellularPlanDaemon.xpc</key>
<true/>
<key>com.apple.CellularPlanManager.vinylTest.xpc</key>
<true/>
<key>com.apple.basebandd.xpc</key>
<true/>
<key>com.apple.commcenter</key>
<dict>
<key>ResetAtClose</key>
<true/>
</dict>
<key>com.apple.commcenter.atcs.xpc</key>
<true/>
<key>com.apple.commcenter.cupolicy.xpc</key>
<true/>
<key>com.apple.commcenter.xpc</key>
<true/>
<key>com.apple.ipTelephony</key>
<true/>
</dict>
<key>POSIXSpawnType</key>
<string>Interactive</string>
<key>ProgramArguments</key>
<array>
<string>/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter</string>
</array>
<key>UserName</key>
<string>_wireless</string>
</dict>
</plist>
I was using MobileSubstrate filters, iirc. I might be able to dig up my old dylib. There were a few tricky parts, such as hooking IOKit functions which required a callback. I had to do some tricky stuff to override the callback function while keeping track of it to call later, after my callback function was triggered.
Also, I believe at some point they moved some of the modem interaction to communicate over XPC. I personally never got that far, but have heard from others that this is the case.
Thanks for the MobileSubstrate hint. I also noticed mentions of XPC all over CommCenter and libATCommandStudioDynamic.dylib. But according to CommCenter's launchd plist, it itself exposes the "com.apple.basebandd.xpc" XPC service, so as I understand it other processes can connect to it over XPC, but all the USB communication with the modem should still happen inside the CommCenter process, isn't that true?
I think so, but I didn't verify it. Hooking all USB functions on the device isn't advisable. I didn't figure out which process was sending them ;P
For some reason I can't interpose the IOCreatePlugInInterfaceForService function from IOKit, it doesn't show up in the log, but I can hook all the other functions like:
IOServiceGetMatchingService
IOServiceOpen
IOServiceClose
IOConnectCallScalarMethod
And I can see all the stages of the baseband boot process.
Here is my log if you are curious. (All interposed functions are prefixed with INTER:)
And I've pushed the code that I'm using right now here.
Do you know if there is another way to upload the firmware without plugin -> interface -> WritePipe? Seems unlikely, but I don't understand why I can't hook IOCreatePlugInInterfaceForService, and why it's not showing up in the log.
Figured that out! Looks like it's uploading the firmware using the IOConnectCallMethod function.
Weird. Check all async calls as well.
On Tue, 4 Dec 2018 at 04:31, Danylo Kostyshyn [email protected] wrote:
Figured that out! Looks like it's uploading firmware using some undocumented function - IOConnectCallMethod
It's definitely using IOConnectCallMethod. Here is the log (PBL boot on 4s):
INTER: _IOServiceOpen
-> name: IOUSBHostInterface, service: 75523
-> conn: 75779, type: 0x00
-> properties: {
IOCFPlugInTypes = {
"2d9786c6-9ef3-11d4-ad51-000a27052861" = "IOUSBHostFamily.kext/PlugIns/IOUSBLib.bundle";
};
IOUserClientClass = AppleUSBHostInterfaceUserClient;
USBPortType = 2;
USBSpeed = 3;
bAlternateSetting = 0;
bConfigurationValue = 1;
bInterfaceClass = 255;
bInterfaceNumber = 0;
bInterfaceProtocol = 255;
bInterfaceSubClass = 255;
bNumEndpoints = 2;
bcdDevice = 0;
iInterface = 0;
idProduct = 36872;
idVendor = 1478;
locationID = 18874368;
"port-type" = <03000000>;
}
INTER: _IOConnectCallScalarMethod
-> sel: 0x02, conn: 75779
-> output: 1
03 | .
INTER: _IOConnectCallScalarMethod
-> sel: 0x00, conn: 75779
-> input: 1
00 | .
INTER: _IOConnectCallScalarMethod
-> sel: 0x05, conn: 75779
-> input: 1
01 | .
-> output: 5
01 00 00 00 00 | .....
INTER: _IOConnectCallScalarMethod
-> sel: 0x05, conn: 75779
-> input: 1
02 | .
-> output: 5
00 00 00 00 00 | .....
INTER: _IOConnectCallScalarMethod
-> sel: 0x0b, conn: 75779
-> input: 2
02 00 | ..
INTER: _IOConnectCallScalarMethod
-> sel: 0x0b, conn: 75779
-> input: 2
01 00 | ..
INTER: _IOConnectCallScalarMethod
-> sel: 0x1c, conn: 75779
-> input: 2
00 00 | ..
INTER: _IOConnectCallMethod
-> sel: 0x07, conn: 75779
-> input: 5
02 00 00 00 00 | .....
-> inputStruct: 5
7e 07 c7 84 7e | ~...~
INTER: _IOConnectCallMethod
-> sel: 0x06, conn: 75779
-> input: 5
01 00 00 00 00 | .....
-> outputStruct: 12
7e 08 06 01 01 00 90 00 00 14 70 7e | ~.........p~
INTER: _IOConnectCallMethod
-> sel: 0x07, conn: 75779
-> input: 5
02 00 00 00 00 | .....
-> inputStruct: 5
7e 0c 14 3a 7e | ~..:~
INTER: _IOConnectCallMethod
-> sel: 0x06, conn: 75779
-> input: 5
01 00 00 00 00 | .....
-> outputStruct: 24
7e 0d 14 50 42 4c 5f 44 6f 77 6e 6c 6f 61 64 65 | ~..PBL_Downloade
72 56 45 52 31 2e 30 7e | rVER1.0~
INTER: _IOConnectCallMethod
-> sel: 0x07, conn: 75779
-> input: 5
02 00 00 00 00 | .....
-> inputStruct: 6
7e 14 dd de f0 7e | ~....~
INTER: _IOConnectCallMethod
-> sel: 0x06, conn: 75779
-> input: 5
01 00 00 00 00 | .....
-> outputStruct: 10
7e 14 20 c4 ff f0 27 71 63 7e | ~. ...'qc~
INTER: _IOConnectCallMethod
-> sel: 0x07, conn: 75779
-> input: 5
02 00 00 00 00 | .....
-> inputStruct: 267
7e 0f 20 01 20 00 01 00 0a 00 00 00 03 00 00 00 | ~. . ...........
00 00 00 00 28 20 01 20 0c e0 01 00 0c c7 01 00 | ....( . ........
34 e7 02 20 00 01 00 00 34 e8 02 20 00 18 00 00 | 4.. ....4.. ....
02 00 00 ea 00 60 00 a2 98 c6 01 00 0c 00 00 00 | .....`..........
d3 f0 21 e3 00 70 a0 e1 b4 60 9f e5 00 d0 86 e5 | ..!..p...`......
0d 00 a0 e1 db f0 21 e3 00 d0 a0 e1 d7 f0 21 e3 | ......!.......!.
00 d0 a0 e1 d3 f0 21 e3 07 00 a0 e1 94 50 9f e5 | ......!......P..
35 ff 2f e1 00 00 a0 e3 00 10 a0 e3 00 20 a0 e3 | 5./.......... ..
00 30 a0 e3 00 40 a0 e3 00 50 a0 e3 00 60 a0 e3 | [email protected]...`..
00 70 a0 e3 00 80 a0 e3 00 90 a0 e3 00 a0 a0 e3 | .p..............
00 b0 a0 e3 00 c0 a0 e3 5c 00 9f e5 01 10 a0 e3 | ........\.......
00 10 80 e5 fb ff ff ea 10 0f 11 ee 01 0a 80 e3 | ................
10 0f 01 ee 00 00 a0 e3 1e ff 2f e1 3c 50 9f e5 | ........../.<P..
03 00 00 ea 38 50 9f e5 01 00 00 ea 34 50 9f e5 | ....8P......4P..
ff ff ff ea 18 80 9f e5 00 60 98 e5 0d 70 a0 e1 | .........`...p..
04 d0 4d e2 07 00 56 e1 35 ff 2f 01 18 50 9f e5 | ..M...V.5./..P..
35 ff 2f e1 cc 4e 03 20 98 f4 7e | 5./..N. ..~
INTER: _IOConnectCallMethod
-> sel: 0x06, conn: 75779
-> input: 5
01 00 00 00 00 | .....
-> outputStruct: 5
7e 02 6a d3 7e | ~.j.~
INTER: _IOConnectCallMethod
-> sel: 0x07, conn: 75779
-> input: 5
02 00 00 00 00 | .....
-> inputStruct: 267
7e 0f 20 01 21 00 01 00 04 26 01 20 0c 80 01 80 | ~. .!....&. ....
98 28 01 20 b8 28 01 20 c8 28 01 20 94 28 01 20 | .(. .(. .(. .(.
28 04 9f e5 28 24 9f e5 28 34 9f e5 00 10 90 e5 | (...($..(4......
02 10 81 e0 10 00 51 e3 0e 00 00 2a 04 10 90 e5 | ......Q....*....
00 00 51 e3 0b 00 00 0a 0c 20 90 e5 02 00 51 e1 | ..Q...... ....Q.
08 00 00 1a 08 00 90 e5 fc 13 9f e5 01 00 50 e1 | ..............P.
a1 1f 81 11 01 00 50 11 f0 13 9f 15 01 00 50 11 | ......P.......P.
d8 03 9f 05 00 00 00 0a 00 00 a0 e3 00 00 83 e5 | ................
1e ff 2f e1 cc 13 9f e5 f0 41 2d e9 00 c0 91 e5 | ../......A-.....
00 e0 a0 e3 00 00 5c e3 10 70 9c 15 00 00 57 13 | ......\..p....W.
14 50 9c 15 00 00 55 13 f0 81 bd 08 b0 63 9f e5 | .P....U......c..
1c 00 00 ea 00 20 97 e5 94 33 9f e5 07 10 a0 e1 | ..... ...3......
03 30 82 e0 10 00 53 e3 1b 00 00 2a 04 30 91 e5 | .0....S....*.0..
00 00 53 e3 18 00 00 0a 0c 40 91 e5 04 00 53 e1 | [email protected].
15 00 00 1a 08 30 91 e5 6c 43 9f e5 04 00 53 e1 | .....0..lC....S.
06 00 53 11 64 43 9f 15 04 00 53 11 0e 00 00 1a | ..S.dC....S.....
60 33 9f e5 03 00 52 e1 77 c5 7e | `3....R.w.~
...
It's the same protocol as over iface->WritePipe, just over IOConnectCallMethod now, at least on iOS 9 and 10.
Looks like all the functions inside the IOUSBDeviceInterface and IOUSBInterfaceInterface structs, and a lot of others, are translated into IOConnectCallMethod at run time. I've hooked them in my lib and injected it into your DLOADTool; here is an example of the SW-request response from the modem:
Interface Opened
Send:
INTER: _IOUSBInterfaceInterface_WritePipe
-> pipeRef: 2
7e 07 c7 84 7e | ~...~
INTER: _IOConnectCallMethod
-> sel: 0x07, conn: 4099
-> input: 5
02 00 00 00 00 | .....
-> inputStruct: 5
7e 07 c7 84 7e | ~...~
Recv:
INTER: _IOUSBInterfaceInterface_ReadPipe
-> pipeRef: 1
INTER: _IOConnectCallMethod
-> sel: 0x06, conn: 4099
-> input: 5
01 00 00 00 00 | .....
-> outputStruct: 12
7e 08 06 01 01 00 90 00 00 14 70 7e | ~.........p~
7e 08 06 01 01 00 90 00 00 14 70 7e | ~.........p~
08 06 01 01 00 90 00 00 | ........
Protocol Version: 0x6
Min Protocol Version: 0x1
Max Write Size: 0x100
Model: 0x0
Device Size: 0x0
Device Type: 0x0
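To read logs like the two above without counting bytes by hand, here is an added Python example (not part of DLOADTool or of the poster's libInterAT) that rebuilds the DLOAD exchange from the `INTER: _IOConnectCallMethod` records: it takes sel 0x07 as the USB write (inputStruct) and 0x06 as the USB read (outputStruct) as the dumps show, HDLC-unframes each struct, checks the CRC-16/X.25 trailer (0x07 -> c7 84, 0x0c -> 14 3a, matching the log) and names the command byte. The selector meanings and the DLOAD command names are assumptions taken from the dumps and the Qualcomm DLOAD command set, not stated in the thread.

```python
import re
# Assumed from the dumps above: sel 0x07 carries an inputStruct (USB write), 0x06 an outputStruct (USB read).
SELECTOR_DIR = {0x07: "write", 0x06: "read"}
# Qualcomm DLOAD command bytes (first byte of each frame payload); names assumed, not from the thread.
DLOAD_CMD = {0x01: "write", 0x02: "ack", 0x03: "nak", 0x05: "go", 0x06: "nop", 0x07: "params_req",
             0x08: "params_resp", 0x0C: "sw_version_req", 0x0D: "sw_version_resp", 0x0F: "write32"}
def crc16_x25(data: bytes) -> int:
    """CRC-16/X.25 (reflected poly 0x8408, init/xorout 0xFFFF); DLOAD appends it little-endian."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF
def unframe(raw: bytes):
    """Yield (payload, crc_ok) per 0x7e-delimited HDLC frame, undoing 0x7d escapes (0x7d xx -> xx ^ 0x20)."""
    for chunk in raw.split(b"\x7e"):
        if len(chunk) >= 3:  # skip gaps between flags and anything too short for a command byte plus CRC
            out = re.sub(rb"\x7d(.)", lambda m: bytes([m.group(1)[0] ^ 0x20]), chunk, flags=re.S)
            yield out[:-2], crc16_x25(out[:-2]) == int.from_bytes(out[-2:], "little")
def parse_log(text: str):
    """Rebuild the DLOAD exchange from 'INTER: _IOConnectCallMethod' records as (dir, cmd, payload_hex, crc_ok)."""
    frames, sel, buf, collecting = [], None, bytearray(), False
    def flush():
        for body, ok in unframe(bytes(buf)):
            frames.append((SELECTOR_DIR.get(sel, f"sel_{sel}"), DLOAD_CMD.get(body[0], f"cmd_{body[0]:#04x}"), body.hex(), ok))
        buf.clear()
    for line in text.splitlines():
        dump = re.match(r"((?:[0-9a-f]{2} )+)\|", line.strip())  # hex dump line such as "7e 07 c7 84 7e | ~...~"
        if dump and collecting:
            buf += bytes.fromhex(dump.group(1))
        elif not dump:  # any other record line closes the current struct; scalar args (-> input:) are skipped
            flush()
            collecting = line.lstrip().startswith(("-> inputStruct:", "-> outputStruct:"))
            if line.lstrip().startswith("-> sel:"):
                sel = int(line.split()[2].rstrip(","), 16)
    flush()
    return frames
# Constructed sample: the params request / response records copied from the PBL boot log above.
SAMPLE_LOG = """INTER: _IOConnectCallMethod
-> sel: 0x07, conn: 75779
-> input: 5
02 00 00 00 00 | .....
-> inputStruct: 5
7e 07 c7 84 7e | ~...~
INTER: _IOConnectCallMethod
-> sel: 0x06, conn: 75779
-> outputStruct: 12
7e 08 06 01 01 00 90 00 00 14 70 7e | ~.........p~"""
```

In the combined DLOADTool + libInterAT log the read response is printed twice (once by the interposer, once by the tool), so expect that frame to appear twice when parsing that log.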