posixninja / DLOADTool

Tool for communicating with QHSDLOAD protocol on iPhone4 CDMA, iPhone4s, and iPhone5 (Qualcomm DLOAD protocol)

Mav5 baseband on iPhone 5 #3

Open danylokos opened 5 years ago

danylokos commented 5 years ago

Hi, I'm using your tools to boot the baseband without the CommCenter. The oldest device I have is an iPhone 5, and I'm trying to boot it into DBL mode, but there is no such file as "dbl.mbn" in the Mav5 firmware. Instead, these files are present in the iPhone 5 Mav5 baseband firmware: apps.mbn dsp1.mbn dsp3.mbn sbl1.mbn bbticket.der dsp2.mbn rpm.mbn sbl2.mbn. Could you please give me a hint which one I should upload to enter DBL mode, and which ones I should use on the next step, when booting to normal operating mode using dbltool, instead of osbl.mbn and amss.mbn? Thanks for your work!

posixninja commented 5 years ago

yea they changed some things and removed dload mode from iphone5. after baseband reset it expects to be in sahara mode sending dbl stuff

On Mon, 19 Nov 2018 at 05:56, Danylo Kostyshyn notifications@github.com wrote:

Hi, I'm using your tools to boot the baseband without the CommCenter. The oldest device I have is an iPhone 5, and I'm trying to boot it into DBL mode, but there is no such file as "dbl.mbn" in the Mav5 firmware. Instead, these files are present in the iPhone 5 Mav5 baseband firmware: apps.mbn dsp1.mbn dsp3.mbn sbl1.mbn bbticket.der dsp2.mbn rpm.mbn sbl2.mbn. Could you please give me a hint which one I should upload to enter DBL mode, and which ones I should use on the next step, when booting to normal operating mode using dbltool, instead of osbl.mbn and amss.mbn?

-- Joshua Hill CEO & Founder | Chronic-Dev, LLC +1 678-662-0376 | posixninja@gmail.com Web: http://www.greenpois0n.com Twitter: http://twitter.com/p0sixninja

posixninja commented 5 years ago

the only real trick is figuring out which file_id numbers it requests and match which firmware you can bruteforce them, or interpose some functions and mitm them

danylokos commented 5 years ago

Thanks for the answer! Strange: if I just perform `bbtool reset`, the baseband will not appear in the system; only after `bbtool enter-dload` can I see that the baseband on my iPhone 5 (iOS 10.3.3) registers as a QHSUSB_DLOAD IOUSBHostDevice, so I assume DLOAD mode is still present?

By "interposing some functions" you mean, for example, hooking WritePipe of IOUSBInterfaceStruct inside IOKit to find out what exactly is sent to the baseband when CommCenter loads?

Didn't get the part about brute forcing; what exactly is there to bruteforce?

danylokos commented 5 years ago

Hi, so I've got an iPhone 4s with Trek baseband firmware. I'm able to boot it and everything works well, but I have another question; maybe you had the same issue. After IOUSBInterfaceInterface is successfully opened, I'm trying to send a ControlRequest, using code from your other project libqmi:

```c
// Control request as issued in the QMI test (taken from libqmi, per the comment above)
uint8_t buf[0x2000];                 // assumed: response buffer sized to match wLength
IOReturn kr;                         // assumed: `iface` is the opened IOUSBInterfaceInterface
IOUSBDevRequest req;
req.bmRequestType = 0xa1;            // device-to-host, class request, interface recipient
req.bRequest = 0x1;                  // matches CDC GET_ENCAPSULATED_RESPONSE
req.pData = buf;
req.wIndex = 3;                      // target interface number
req.wValue = 0;
req.wLenDone = 0;
req.wLength = 0x2000;                // 8 KiB requested
kr = (*iface)->ControlRequest(iface, 0, (IOUSBDevRequest*)&req);
```

My end goal is to try to communicate with the baseband over QMI, but right after I send this request the kernel panics with this error: IOGMD: not wired for the IODMACommand. Am I missing something obvious here? Or is the packet malformed, causing the modem to crash, which then leads to the kernel panic?

Kernel panic log (backtrace addresses and the per-task list omitted):

```
Incident Identifier: DCE914B0-4CE9-462C-A858-1C7A65BF96E2
CrashReporter Key: c3143d363bbc4d53502b99191d3f73e4768be9eb
Hardware Model: iPhone4,1
Date/Time: 2018-11-22 11:19:06.06 +0200
OS Version: iOS 9.0.2 (13A452)
panic(cpu 1 caller 0x95b5bcc1): "IOGMD: not wired for the IODMACommand"
Debugger message: panic
OS version: 13A452
Kernel version: Darwin Kernel Version 15.0.0: Thu Aug 20 13:11:09 PDT 2015; root:xnu-3248.1.3~1/RELEASE_ARM_S5L8940X
Paniclog version: 3
Panicked task 0x8006fa98: 298 pages, 1 threads: pid 628: QMITest
panicked thread: 0x807ed170
```

posixninja commented 5 years ago

yea, they changed some things on new devices. unfortunately the iphone5 I was using to develop the updated version magically vanished. on newer devices there is no dload mode. resetting baseband boots directly into dbl mode. you can check with iosusbenum

posixninja commented 5 years ago

yes, you got the general idea. instrument the read/write pipe and control message functions to dump the contents and see how commcenter is doing it. at least on iphone6 I noticed the baseband requesting some new files to be sent on upload, for which I was unable to locate the source of the data requested. I just tried sending every file with every "file id" to see if I could find it (hence brute force)

posixninja commented 5 years ago

this resulted in me bricking my device... whooops... that's the end of that story ;P

posixninja commented 5 years ago

my only guess would be perhaps the size of the USB buffer has changed. try doubling it and see if that helps. I wouldn't be surprised if a malformed usb packet was causing it to crash though. I didn't really give that part a full review

danylokos commented 5 years ago

Thank you so much! Yes, I also thought about accidentally bricking the device; I do understand that it's possible :) Anyway, currently I'm stuck with ControlRequest causing a kernel panic and will investigate this further. My end goal is to send an APDU command to a SIM card and get a response. Thanks once again!

posixninja commented 5 years ago

my recommendation is to download DBLTool, alter the USB vid/pid so it matches the one in dloadtool (yes I know it's really really annoying!!) and then give it a shot

posixninja commented 5 years ago

same vid and pid as dload mode, but SAH protocol

posixninja commented 5 years ago

can you give me the output of iosusbenum? it looks like dload mode, but it's not. dbl protocol has no control requests, it's only bulk pipes

danylokos commented 5 years ago

ok, here it is, iPhone 5, iOS 10.3.3

Don't know what this other device "M=HEIN m=6.9 V=m" is, but I left it in the log anyway.

normal operating mode with CommCenter loaded:

```
Starting iOSUSBEnum
Device Name: M=HEIN m=6.9 V=m Vendor ID: 0xa5c Product ID: 0xbd1a Version: 0x1 Location: 0x1400000
Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x27 Num Interfaces: 0x1 Configuration Value: 0x1 Configuration: 0x0 Attributes: 0x60 Max Power: 0x0
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x0 Alternate Setting: 0x0 Num Endpoints: 0x3 Interface Class: Vendor Specific Interface SubClass: 0x2 Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x81 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x10 Interval: 0x4
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x82 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x0
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x3 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x1
Device Name: Qualcomm CDMA Technologies MSM Vendor ID: 0x5c6 Product ID: 0x9034 Version: 0x0 Location: 0x1200000
Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0xf1 Num Interfaces: 0xb Configuration Value: 0x1 Configuration: 0x1 Attributes: 0xe0 Max Power: 0xfa
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x0 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x81 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x1 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x1 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x82 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x2 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x2 Alternate Setting: 0x0 Num Endpoints: 0x3 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x83 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x84 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x3 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x3 Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x85 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x4 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x86 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x4 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x5 Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x87 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x6 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x88 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x5 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x7 Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x89 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x8 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8a Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x6 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x9 Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8b Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0xa Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8c Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x7 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20
```

after CommCenter unload:

```
Starting iOSUSBEnum
Device Name: M=HEIN m=6.9 V=m Vendor ID: 0xa5c Product ID: 0xbd1a Version: 0x1 Location: 0x1400000
Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x27 Num Interfaces: 0x1 Configuration Value: 0x1 Configuration: 0x0 Attributes: 0x60 Max Power: 0x0
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x0 Alternate Setting: 0x0 Num Endpoints: 0x3 Interface Class: Vendor Specific Interface SubClass: 0x2 Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x81 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x10 Interval: 0x4
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x82 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x0
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x3 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x1
```

after `bbtool enter-dload`:

```
Starting iOSUSBEnum
Device Name: M=HEIN m=6.9 V=m Vendor ID: 0xa5c Product ID: 0xbd1a Version: 0x1 Location: 0x1400000
Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x27 Num Interfaces: 0x1 Configuration Value: 0x1 Configuration: 0x0 Attributes: 0x60 Max Power: 0x0
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x0 Alternate Setting: 0x0 Num Endpoints: 0x3 Interface Class: Vendor Specific Interface SubClass: 0x2 Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x81 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x10 Interval: 0x4
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x82 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x0
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x3 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x1
Device Name: QHSUSB_DLOAD Vendor ID: 0x5c6 Product ID: 0x9008 Version: 0x0 Location: 0x1200000
Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x20 Num Interfaces: 0x1 Configuration Value: 0x1 Configuration: 0x0 Attributes: 0x80 Max Power: 0x1
Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x0 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x81 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x0
Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x1 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x0
```

danylokos commented 5 years ago

Oh, about ControlRequest: I'm trying this on an iPhone 4s with 9.0.2 after booting the modem successfully using your guide; it's not an iPhone 5, sorry for the confusion. I'm currently using the 4s to further investigate the whole thing, to send a QMI message.

posixninja commented 5 years ago

yea, you can see it only exposes 2 bulk endpoints, no control messages (although technically that's just endpoint 0 iirc)

posixninja commented 5 years ago

the other device might be the battery controller. interesting

posixninja commented 5 years ago

also 4s should work fine. it's been well tested on it

posixninja commented 5 years ago

however, it was on iOS6/7

danylokos commented 5 years ago

About interposing: I wrote a small library where I'm trying to interpose some basic standard library functions such as fopen and also a couple of functions from IOKit.

But I cannot inject the library into CommCenter using the launchd plist's EnvironmentVariables field; in the system logs I can see this: Disallowing environment variable: DYLD_INSERT_LIBRARIES

And if I try to run CommCenter from the ssh command prompt, I can inject the lib, but CommCenter gets stuck at some point and aborts itself after a timeout.

Maybe you had a similar issue?

Command prompt log:

```
iphone-4s:~ root# /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
_fopen(/etc/master.passwd, r)
libInter injected.
_fopen(/etc/master.passwd, r)
_fopen(/var/wireless/Library/Preferences/csidata, r)
2018-11-28 18:32:03.456 CommCenter[1518:69674] interposed: _IOServiceGetMatchingService
2018-11-28 18:32:03.457 CommCenter[1518:69674] matching: { IOProviderClass = AppleBaseband; }
_fopen(/etc/master.passwd, r)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata.tmp, w)
_fopen(/usr/local/standalone/firmware/Baseband/Trek/dbl.mbn, r)
_fopen(/usr/local/standalone/firmware/Baseband/Trek/osbl.mbn, r)
_fopen(/usr/local/standalone/firmware/Baseband/Trek/amss.mbn, r)
Going through the contents in the directory searching for pattern 'overrides', and extension: 'plist'
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata.tmp, w)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata.tmp, w)
_fopen(/var/wireless/Library/Preferences/csidata, r)
_fopen(/var/wireless/Library/Preferences/csidata.tmp, w)
2018-11-28 18:32:04.095 CommCenter[1518:69767] opening backingstore /var/wireless/Library/Databases/DataUsage.sqlite, read/write
_fopen(/var/wireless/spool/loading, w)
2018-11-28 18:32:04.343 CommCenter[1518:69782] interposed: _IOServiceGetMatchingService
2018-11-28 18:32:04.344 CommCenter[1518:69782] matching: { IOPropertyMatch = { "built-in" = 1; }; IOProviderClass = IOPMPowerSource; }
_fopen(/System/Library/Frameworks/CoreTelephony.framework/Support/Instruments.config, rb)
_fopen(/tmp/libETL.log, a)
2018-11-28 18:32:04.915 CommCenter[1518:69645] BTM: attaching to BTServer
_fopen(/usr/local/standalone/firmware/Baseband/Trek/bbticket.der, r)
Assertion failed: (false && "Callback fault reached; crashing"), function triggerFault, file /BuildRoot/Library/Caches/com.apple.xbs/Sources/CoreTelephony/CoreTelephony-3310.4/CommCenter/Source/CCXpcServer/CCXpcServerWatchdog.cpp, line 169.
Abort trap: 6
iphone-4s:~ root#
```

com.apple.CommCenter.plist (keys and values as extracted; the plist XML tags were lost):

```
EnablePressuredExit
EnableTransactions
EnvironmentVariables
    DYLD_INSERT_LIBRARIES /var/root/libInterAT.dylib
ExitTimeOut 20
KeepAlive
Label com.apple.CommCenter
LimitLoadToHardware
    machine iPod5,1 ...all the models iPad11,3
MachServices
    com.apple.CellularPlanDaemon.xpc
    com.apple.CellularPlanManager.vinylTest.xpc
    com.apple.basebandd.xpc
    com.apple.commcenter
        ResetAtClose
    com.apple.commcenter.atcs.xpc
    com.apple.commcenter.cupolicy.xpc
    com.apple.commcenter.xpc
    com.apple.ipTelephony
POSIXSpawnType Interactive
ProgramArguments /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
UserName _wireless
```

posixninja commented 5 years ago

I was using mobilesubstrate filters iirc. I might be able to dig up my old dylib. there were a few tricky parts, such as hooking IOKit functions which required a callback. I had to do some tricky stuff to override the callback function while keeping track of it to call later after my callback function was triggered

posixninja commented 5 years ago

also, I believe at some point they moved some of the modem interaction to communicate over xpc. I personally never got that far, but have heard from others that this is the case

danylokos commented 5 years ago

Thanks for the MobileSubstrate hint. I also noticed mentions of XPC all over CommCenter and libATCommandStudioDynamic.dylib, but according to CommCenter's launchd plist it itself exposes the "com.apple.basebandd.xpc" XPC service, so as I understand it other processes can connect to it over XPC, but all the USB communication with the modem should still happen inside the CommCenter process. Isn't that true?

posixninja commented 5 years ago

I think so, but I didn't verify it. Hooking all USB functions on the device isn't advisable. I didn't figure out which process was sending them ;P

On Mon, 3 Dec 2018 at 04:04, Danylo Kostyshyn notifications@github.com wrote:

Thanks for the MobileSubstrate hint. I also noticed mentions of XPC all over CommCenter and libATCommandStudioDynamic.dylib, but according to CommCenter's launchd plist it itself exposes the "com.apple.basebandd.xpc" XPC service, so as I understand it other processes can connect to it over XPC, but all the USB communication with the modem should still happen inside the CommCenter process, isn't that true?


danylokos commented 5 years ago

For some reason I can't interpose the IOCreatePlugInInterfaceForService function from IOKit, it doesn't show up in the log, but I can hook all the other functions like:

IOServiceGetMatchingService
IOServiceOpen 
IOServiceClose
IOConnectCallScalarMethod

And I can see all the stages of the baseband boot process. Here is my log if you are curious. (All interposed functions are prefixed with INTER:) And I've pushed the code that I'm using right now here.

danylokos commented 5 years ago

Do you know if there is another way to upload the firmware without plugin -> interface -> WritePipe? Seems unlikely, but I don't understand why I can't hook IOCreatePlugInInterfaceForService, and why it's not showing up in the log.

danylokos commented 5 years ago

Figured that out! Looks like it's uploading firmware using the IOConnectCallMethod function.

posixninja commented 5 years ago

Weird. Check all async calls as well.

On Tue, 4 Dec 2018 at 04:31, Danylo Kostyshyn notifications@github.com wrote:

Figured that out! Looks like it's uploading firmware using some undocumented function - IOConnectCallMethod


danylokos commented 5 years ago

It's definitely using IOConnectCallMethod; here is the log (PBL boot on 4s):

log

```
INTER: _IOServiceOpen
    -> name: IOUSBHostInterface, service: 75523
    -> conn: 75779, type: 0x00
    -> properties: {
    IOCFPlugInTypes = { "2d9786c6-9ef3-11d4-ad51-000a27052861" = "IOUSBHostFamily.kext/PlugIns/IOUSBLib.bundle"; };
    IOUserClientClass = AppleUSBHostInterfaceUserClient;
    USBPortType = 2;
    USBSpeed = 3;
    bAlternateSetting = 0;
    bConfigurationValue = 1;
    bInterfaceClass = 255;
    bInterfaceNumber = 0;
    bInterfaceProtocol = 255;
    bInterfaceSubClass = 255;
    bNumEndpoints = 2;
    bcdDevice = 0;
    iInterface = 0;
    idProduct = 36872;
    idVendor = 1478;
    locationID = 18874368;
    "port-type" = <03000000>;
}
INTER: _IOConnectCallScalarMethod
    -> sel: 0x02, conn: 75779
    -> output: 1
03 | .
INTER: _IOConnectCallScalarMethod
    -> sel: 0x00, conn: 75779
    -> input: 1
00 | .
INTER: _IOConnectCallScalarMethod
    -> sel: 0x05, conn: 75779
    -> input: 1
01 | .
    -> output: 5
01 00 00 00 00 | .....
INTER: _IOConnectCallScalarMethod
    -> sel: 0x05, conn: 75779
    -> input: 1
02 | .
    -> output: 5
00 00 00 00 00 | .....
INTER: _IOConnectCallScalarMethod
    -> sel: 0x0b, conn: 75779
    -> input: 2
02 00 | ..
INTER: _IOConnectCallScalarMethod
    -> sel: 0x0b, conn: 75779
    -> input: 2
01 00 | ..
INTER: _IOConnectCallScalarMethod
    -> sel: 0x1c, conn: 75779
    -> input: 2
00 00 | ..
INTER: _IOConnectCallMethod
    -> sel: 0x07, conn: 75779
    -> input: 5
02 00 00 00 00 | .....
    -> inputStruct: 5
7e 07 c7 84 7e | ~...~
INTER: _IOConnectCallMethod
    -> sel: 0x06, conn: 75779
    -> input: 5
01 00 00 00 00 | .....
    -> outputStruct: 12
7e 08 06 01 01 00 90 00 00 14 70 7e | ~.........p~
INTER: _IOConnectCallMethod
    -> sel: 0x07, conn: 75779
    -> input: 5
02 00 00 00 00 | .....
    -> inputStruct: 5
7e 0c 14 3a 7e | ~..:~
INTER: _IOConnectCallMethod
    -> sel: 0x06, conn: 75779
    -> input: 5
01 00 00 00 00 | .....
    -> outputStruct: 24
7e 0d 14 50 42 4c 5f 44 6f 77 6e 6c 6f 61 64 65 | ~..PBL_Downloade
72 56 45 52 31 2e 30 7e | rVER1.0~
INTER: _IOConnectCallMethod
    -> sel: 0x07, conn: 75779
    -> input: 5
02 00 00 00 00 | .....
    -> inputStruct: 6
7e 14 dd de f0 7e | ~....~
INTER: _IOConnectCallMethod
    -> sel: 0x06, conn: 75779
    -> input: 5
01 00 00 00 00 | .....
    -> outputStruct: 10
7e 14 20 c4 ff f0 27 71 63 7e | ~. ...'qc~
INTER: _IOConnectCallMethod
    -> sel: 0x07, conn: 75779
    -> input: 5
02 00 00 00 00 | .....
    -> inputStruct: 267
7e 0f 20 01 20 00 01 00 0a 00 00 00 03 00 00 00 | ~. . ...........
00 00 00 00 28 20 01 20 0c e0 01 00 0c c7 01 00 | ....( . ........
34 e7 02 20 00 01 00 00 34 e8 02 20 00 18 00 00 | 4.. ....4.. ....
02 00 00 ea 00 60 00 a2 98 c6 01 00 0c 00 00 00 | .....`..........
d3 f0 21 e3 00 70 a0 e1 b4 60 9f e5 00 d0 86 e5 | ..!..p...`......
0d 00 a0 e1 db f0 21 e3 00 d0 a0 e1 d7 f0 21 e3 | ......!.......!.
00 d0 a0 e1 d3 f0 21 e3 07 00 a0 e1 94 50 9f e5 | ......!......P..
35 ff 2f e1 00 00 a0 e3 00 10 a0 e3 00 20 a0 e3 | 5./.......... ..
00 30 a0 e3 00 40 a0 e3 00 50 a0 e3 00 60 a0 e3 | .0...@...P...`..
00 70 a0 e3 00 80 a0 e3 00 90 a0 e3 00 a0 a0 e3 | .p..............
00 b0 a0 e3 00 c0 a0 e3 5c 00 9f e5 01 10 a0 e3 | ........\.......
00 10 80 e5 fb ff ff ea 10 0f 11 ee 01 0a 80 e3 | ................
10 0f 01 ee 00 00 a0 e3 1e ff 2f e1 3c 50 9f e5 | ........../.
    sel: 0x06, conn: 75779
    -> input: 5
01 00 00 00 00 | .....
    -> outputStruct: 5
7e 02 6a d3 7e | ~.j.~
INTER: _IOConnectCallMethod
    -> sel: 0x07, conn: 75779
    -> input: 5
02 00 00 00 00 | .....
    -> inputStruct: 267
7e 0f 20 01 21 00 01 00 04 26 01 20 0c 80 01 80 | ~. .!....&. ....
98 28 01 20 b8 28 01 20 c8 28 01 20 94 28 01 20 | .(. .(. .(. .(. 
28 04 9f e5 28 24 9f e5 28 34 9f e5 00 10 90 e5 | (...($..(4......
02 10 81 e0 10 00 51 e3 0e 00 00 2a 04 10 90 e5 | ......Q....*....
00 00 51 e3 0b 00 00 0a 0c 20 90 e5 02 00 51 e1 | ..Q...... ....Q.
08 00 00 1a 08 00 90 e5 fc 13 9f e5 01 00 50 e1 | ..............P.
a1 1f 81 11 01 00 50 11 f0 13 9f 15 01 00 50 11 | ......P.......P.
d8 03 9f 05 00 00 00 0a 00 00 a0 e3 00 00 83 e5 | ................
1e ff 2f e1 cc 13 9f e5 f0 41 2d e9 00 c0 91 e5 | ../......A-.....
00 e0 a0 e3 00 00 5c e3 10 70 9c 15 00 00 57 13 | ......\..p....W.
14 50 9c 15 00 00 55 13 f0 81 bd 08 b0 63 9f e5 | .P....U......c..
1c 00 00 ea 00 20 97 e5 94 33 9f e5 07 10 a0 e1 | ..... ...3......
03 30 82 e0 10 00 53 e3 1b 00 00 2a 04 30 91 e5 | .0....S....*.0..
00 00 53 e3 18 00 00 0a 0c 40 91 e5 04 00 53 e1 | ..S......@....S.
15 00 00 1a 08 30 91 e5 6c 43 9f e5 04 00 53 e1 | .....0..lC....S.
06 00 53 11 64 43 9f 15 04 00 53 11 0e 00 00 1a | ..S.dC....S.....
60 33 9f e5 03 00 52 e1 77 c5 7e | `3....R.w.~
...
```

It's the same protocol as over iface->WritePipe, just over IOConnectCallMethod now, at least on iOS 9 and 10.

danylokos commented 5 years ago

Looks like all the functions inside the IOUSBDeviceInterface and IOUSBInterfaceInterface structs, and a lot of others, are translated into IOConnectCallMethod at run time. I've hooked them in my lib and injected it into your DLOADTool; here is an example of the SW-request response from the modem:

Interface Opened
Send:

    INTER: _IOUSBInterfaceInterface_WritePipe
        -> pipeRef: 2
    7e 07 c7 84 7e                                    | ~...~

        INTER: _IOConnectCallMethod
            -> sel: 0x07, conn: 4099
            -> input: 5
        02 00 00 00 00                                    | .....
            -> inputStruct: 5
        7e 07 c7 84 7e                                    | ~...~
Recv:

    INTER: _IOUSBInterfaceInterface_ReadPipe
        -> pipeRef: 1

        INTER: _IOConnectCallMethod
            -> sel: 0x06, conn: 4099
            -> input: 5
        01 00 00 00 00                                    | .....
            -> outputStruct: 12
        7e 08 06 01 01 00 90 00  00 14 70 7e              | ~.........p~

    7e 08 06 01 01 00 90 00  00 14 70 7e              | ~.........p~

08 06 01 01 00 90 00 00                           | ........
Protocol Version: 0x6
Min Protocol Version: 0x1
Max Write Size: 0x100
Model: 0x0
Device Size: 0x0
Device Type: 0x0
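The framing visible in the exchange above (0x7e flag bytes, a two-byte FCS, the 0x07 request answered by an 0x08 response), as an added example that is not code from this thread or from DLOADTool: it rebuilds the captured request frame, validates and unpacks the captured 12-byte response, and parses the fields the tool prints. It assumes the FCS is CRC-16/X-25 (which reproduces both the c7 84 and the 14 70 bytes captured above) and the 0x08 field layout noted in the code; the function and constant names are mine.

```python
FLAG, ESC = 0x7E, 0x7D


def dload_crc16(data: bytes) -> int:
    """CRC-16/X-25 (reflected 0x1021, init 0xffff, final xor 0xffff): the HDLC FCS."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def dload_frame(packet: bytes) -> bytes:
    """0x7e | packet | FCS (LSB first) | 0x7e; a 0x7e or 0x7d in the body is sent as 0x7d, byte ^ 0x20."""
    out = bytearray([FLAG])
    for b in packet + dload_crc16(packet).to_bytes(2, "little"):
        out += bytes([ESC, b ^ 0x20]) if b in (FLAG, ESC) else bytes([b])
    out.append(FLAG)
    return bytes(out)


def dload_unframe(frame: bytes) -> bytes:
    """Inverse of dload_frame; ValueError on bad flags, a dangling escape or an FCS mismatch."""
    if len(frame) < 4 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing HDLC flag bytes")
    body, it = bytearray(), iter(frame[1:-1])
    for b in it:
        if b == ESC:  # un-escape: the next byte was xored with 0x20 on the wire
            b = next(it, None)
            if b is None:
                raise ValueError("dangling escape")
            b ^= 0x20
        body.append(b)
    if len(body) < 2 or int.from_bytes(body[-2:], "little") != dload_crc16(bytes(body[:-2])):
        raise ValueError("FCS mismatch")
    return bytes(body[:-2])


def parse_params_response(packet: bytes) -> dict:
    """0x08 params response fields as printed above; the big-endian size is an assumption matching the 0x100 shown, later bytes are left raw."""
    if len(packet) < 5 or packet[0] != 0x08:
        raise ValueError("not a params response (0x08)")
    return {"version": packet[1], "min_version": packet[2],
            "max_write_size": int.from_bytes(packet[3:5], "big"), "tail": packet[5:]}


# Constructed from the capture above: the 0x07 params request and the modem's reply.
CAPTURED_REQUEST = bytes.fromhex("7e07c7847e")
CAPTURED_RESPONSE = bytes.fromhex("7e080601010090000014707e")
```

Feeding a frame with one flipped payload byte to dload_unframe raises the FCS mismatch, which is the check a log parser wants before trusting a decoded packet.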