How To Hack iPhone baseband Using BBTool, DLOADTool, DBLTool and iOSUSBEnum

While one hackers working on iOS jalbreaking the others on baseband hacking. Now it is possible to hack iPhone baseband of the newer models. There are four tools that were written by P0sixninja to hack only with Qualcomm hardware iPhone 5, 4S and 4 (CDMA). There is a possibility to access iPhone 5 baseband using Minicom and Signal 2 app but here is something different.

You can use BBTool, DLOADTool, DBLTool and iOSUSBEnum to boot up Qualcomm baseband’s files which are related to QHSDLOAD protocol (Qualcomm DLOAD protocol). These program will allow you to open iPhone bb giving the possibility to find exploits and try to use them to unlock iPhone 5 and other models. It can be used for raw communication with the baseband like fuzzing. Fuzzing is one of the easiest and most efficient ways to find vulnerabilities.

  • iOSUSBEnum (Utility to enumerate USB (HSIC) devices on iOS)
  • BBTool (Tool for communicating with AppleBaseband Kext on iOS)
  • DBLTool (Tool for communicating with Sahara protocol (DBL) on iPhone4 CDMA, iPhone4s, and iPhone5 (Apple SAH Protocol)
  • DLOADTool (Tool for communicating with QHSDLOAD protocol on iPhone4 CDMA, iPhone4s, and iPhone5 (Qualcomm DLOAD protocol)

Important Notes

How to Boot Up iPhone baseband Files Using Hacking Tools

Step 1. Download CommCenter to use BBTool, DLOADTool, DBLTool and iOSUSBEnum. To perform this you need to SSH your device and add this command:

launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist

Step 2. Make Qualcomm baseband to be not shown in the device list – type:

iosusbenum

Step 3. Now you need to access iPhone filesystem, because bb hasn’t internal flash to keep a firmware. Unzip these firmware files and access file system using the command below:

cd /usr/local/standalone/firmware/Baseband/Trek
unzip Trek-personalized.zip

If your device is still running iOS 5.x, just type the following:

cd /usr/standalone/firmware/Trek
unzip Trek-personalized.zip

There are will be various files but bbticket.der, dbl.mbn, osbl.mbn, and amss.mbn files you need.

Step 3.1. Now use BBTool to put iPhone in DLOAD mode (DFU mode). Enter the command below:

bbtool enter-dload

To make sure that your device entered DLOAD mode you will see the following using iosusbenum command:

Device Name: QHSUSB_DLOAD Vendor ID: 0x5c6 Product ID: 0x9008 Version: 0x0 Location: 0x1200000 Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x20 Num Interfaces: 0x1 Configuration Value: 0x1 …………………………………….. Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x1 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x0

Step 4. Now you need DLOADTool to boot iPhone into DBL (SAH) mode. to make it work just enter the following:

dloadtool -f /usr/local/standalone/firmware/Baseband/Trek/dbl.mbn

After receiving and sending a bunch of messages you can use iosusbenum to verify if your device is in the DBLmode and get something like this:

Device Name: Qualcomm CDMA Technologies MSM Vendor ID: 0x5c6 Product ID: 0x900e Version: 0x0 Location: 0x1200000 Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x20 Num Interfaces: 0x1 Configuration Value: 0x1 …………………………………….. Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x1 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20

Step 5. You can also use DBLOADTool to enter the normal operating mode after DBL mode. As you may guess you will need to step to bbticket, osbl, and amss into DBLTool entering the following command to hack iPhone baseband:

dbltool -b /usr/local/standalone/firmware/Baseband/Trek/bbticket.der -o /usr/local/standalone/firmware/Baseband/Trek/osbl.mbn -a /usr/local/standalone/firmware/Baseband/Trek/amss.mbn

Step 6. Wait up to 30 seconds because AMSS loading may take some time. To see if the iPhone baseband was booted up, you can use iosusbenum command without CommCenter been loaded. The command output should be like these below:

Device Name: Qualcomm CDMA Technologies MSM Vendor ID: 0x5c6 Product ID: 0x9001 Version: 0x0 Location: 0x1200000 Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x118 Num Interfaces: 0xd Configuration Value: 0x1 ……………………………. ……………………………. ……………………………. ……………………………. Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20

Step 7. To reset the iPhone baseband to its original settings use command:

bbtool reset

Seeing this bunch of information you can be sure that you have just hacked iPhone baseband and fully boot it up even without CommCenter. The last thing left is to send commands to iPhone baseband using DIAGTool and QMITool and explore the modem firmware and filesystem in general. Use comment section below to share your experience with booting up iPhone bb.

Source: iPhone Wiki. Via: P0sixninja GitHub