You're viewing YouTube in English (US).
Switch to another language: | View all
You're viewing YouTube in English.
Switch to another language: | View all

#HITB2012AMS D1T2 - MuscleNerd - Evolution of iPhone Baseband and Unlocks





The interactive transcript could not be loaded.



Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on Jun 16, 2012


Presentation Materials:

Since the first iPhone in 2007, the baseband that Apple uses for cellular communications has evolved in terms of both hardware and software. Some of the changes were minor but others were quite drastic and obviously aimed at deterring carrier unlocks. This paper details the most interesting of the changes and what effects they've had on both software-based unlocks and hardware-based SIM interposers. In addition to comparing the most recent baseband against its own earlier hardware and software incarnations, we compare it to other current Qualcomm handsets and discuss the ramifications of changes Apple has made to the traditional Qualcomm baseband boot sequence. This presentation will cover:

Baseband ROP: Overview of the role ROP plays in software unlocks like yellowsn0w and ultrasn0w. Comparison to ROP on the main Application-side CPU (jailbreaks). Why ROP wasn't even necessary on the first generation of iPhones.

Software Unlocks vs. Hardware Unlocks: How iPhone software unlocks differ from those using hardware SIM interposers. Which layers of the baseband are exposed to each, and how the exploit development environment differs. Description of even more radical hacks like baseband chipset retrofitting and what Apple has done to prevent them.

iPhone4 DEP: How Apple implemented DEP with specific hardware changes on the iPhone4 baseband, and what went wrong. How ultrasn0w was made to work despite aggressive hardware-based DEP.

Operating Systems: So far, Apple has used 3 completely different baseband operating systems in the iPhone line. Description of which parts Apple tends to customize and why. Comparison of past and present custom command parsing.

Infineon vs. Qualcomm: Discussion of the transition from Infineon baseband chipsets to Qualcomm chipsets. Comparison of the older serial-based AT interface (still used on many other handsets) to the USB-based QMI used by the iPhone4S.

Activation Tickets: Detailed description of the "activation ticket" Apple uses to authorize use with specific (or all) carriers. How activation tickets interact with the traditional PIN-based NCK codes. Contrasting activation tickets and baseband tickets.

Baseband Tickets: Details on how Apple authenticates software updates to the baseband. Comparison of baseband tickets to "ApTickets" that Apple now uses on the main Application CPU to control software changes. Why baseband tickets provide even strong protection than ApTickets. The role of nonces in both the baseband and main application CPU.

iPhone4S: What we've learned so far about the iPhone4S baseband. Overview of changes Apple has made to the original Qualcomm bootrom. How the iPhone4S baseband boot process differs from most other Qualcomm-based handsets. Which features the iPhone4S baseband has in common with other handsets and which have been removed. Description of the current attack surfaces, and comparing iPhone4 vs iPhone4S hardware-based protection mechanisms.


Member of the iPhone Dev Team, providing free jailbreaks and carrier unlocks since 2007. Our most popular programs have been redsn0w and PwnageTool for jailbreaks, and AnySim, yellowsn0w, and ultrasn0w for unlocks.


  1. 1

    #HITB2012AMS - KEYNOTE 1 - Andy Ellis - Getting Ahead of the Security Poverty Line

  2. 2

    #HITB2012AMS D1T1 - Ivo Pooters - Turning Android Inside Out

  3. 3

    #HITB2012AMS D1T2 - Sebastien Renaud and Kevin Szkudlapski - WinRT

  4. 4

    #HITB2012AMS D1T1 - Claudio Guarnieri - Cuckoo Sandbox - Automated Malware Analysis

  5. 5

    #HITB2012AMS D1T2 - Itzhak Avraham and Nir Goldshlager - Killing a Bug Bounty Program TWICE

  6. 6

    #HITB2012AMS D1T1 - Arnauld Mascret - Whistling Over the Wire

  7. #HITB2012AMS D1T2 - MuscleNerd - Evolution of iPhone Baseband and Unlocks

  8. 8

    #HITB2012AMS D1T1 - Juan Pablo Echtegoyen - Attacking the SAP Solution Manager

  9. 9

    #HITB2012AMS D1T2 - Adam Gowdiak - Part 1 - Security Threats in The World of Digital Sat TV

  10. 10

    #HITB2012AMS D1T1 - Roberto Suggi Liverani and Scott Bell - Browser Bug Huting in 2012

  11. 11

    #HITB2012AMS D1T2 - Adam Gowdiak - Part 2 - Security Vulnerabilities of DVB Chipsets

  12. 12

    #HITB2012AMS DAY 1 SPECIAL CLOSING - Rop Gonggrijp

  13. 13

    #HITB2012AMS KEYNOTE 2 - Bruce Schneier - Trust Security and Society

  14. 14

    #HITB2012AMS D2T1 - Andrei Costin - PostScript - Danger Ahead - Hacking MFPs, PCs and Beyond

  15. 15

    #HITB2012AMS D2T2 - Rahul Sasi - CXML VXML IVR Pentesting for Auditors

  16. 16

    #HITB2012AMS D2T1 - A. Bazhanyuk and N. Tarakanov - Automatically Searching for Vulnerabilities

  17. 17

    #HITB2012AMS D2T2 - Dream Team - Part 1 - Corona for iOS 5.0.1

  18. 18

    #HITB2012AMS D2T1 - Georgia Weidman - Bypassing the Android Permission Model

  19. 19

    #HITB2012AMS D2T2 - Dream Team - Part 2 - Absinthe for iOS 5.0.1 (... and One More Thing)

  20. 20

    #HITB2012AMS D2T1 - Kenneth White - A Deep Analysis of Amazon Web Services

  21. 21

    #HITB2012AMS D2T2 - Nicolas Gregoire - Attacking XML Preprocessing

  22. 22

    #HITB2012AMS D2T1 - Dr Marco Balduzzi - SatanCloud

  23. 23

    #HITB2012AMS D2T2 - Steven Seeley - Ghost in the Windows 7 Allocator

  24. 24

    #HITB2012AMS CLOSING KEYNOTE - Ms jaya Baloo - Identity, Privacy and Security

Sign in to add this to Watch Later

Add to