Dump iPhone Baseband NOR Memory using NORDumper
The iPhone Dev Team managed to extract the full contents of the NOR memory (from the S-Gold2), which is the key to achieving a true iPhone baseband unlock. Releasing that memory dump would of course be illegal and risky, as it contains personal information and copyrighted code. That said, they are releasing the NORDumper binary so that everyone else can continue working on the iPhone unlock. The source code of NORDumper will be released at a later date.
What is NOR memory? How can I find it in my iPhone?
NOR flash is used by the iPhone's baseband. It is also the flash chip that the application processor boots from. NOR can be accessed by using a kernel hack or a patched version of iBoot.
S-Gold NORDumper is the iPhone Dev Team's NOR memory dumper. It extracts the contents of the S-Gold2's NOR memory and is meant strictly for analysis and development purposes. S-Gold2 is the baseband chipset used in iPhone 2G devices; it is also known as the baseband chip PMB8876.
NORDumper Features:
- dump NOR memory in the bootloader's interactive mode (S-Gold2 baseband)
- dump the bootloader
- dump the main code
- dump the EEPROM information
How to Dump iPhone Baseband NOR Memory using NORDumper binary
Step 1: Install the openssh (standard Cydia package) and wget (add the http://cydia.myrepospace.com/etgamingx/ repo to your Cydia sources) packages from Cydia. (You could also use MobileTerminal or any other SSH software.)
Step 2: Log in to your iPhone and navigate to the /usr/bin/ directory:
cd /usr/bin/
Step 3: Download NORDumper using the following command:
wget http://www.letsunlockiphone.com/scripts/NORDumper.tar
Step 4: Extract the binary from the archive:
tar xvf NORDumper.tar
Step 5: Set the executable flag on NORDumper with the chmod command:
chmod +x /usr/bin/NORDumper
Step 6: We are almost done. Now you have to make a change to the com.apple.CommCenter.plist file in order to dump the memory. Just enter this command in the terminal:
nano /System/Library/LaunchDaemons/com.apple.CommCenter.plist
and add the following key inside the top-level <dict> of the file:
<key>Disabled</key> <true/>
NOTE: Remember to remove the Disabled key from your com.apple.CommCenter.plist file after dumping the NOR, then reboot; otherwise you won't receive any calls.
Step 7: Reboot your iPhone. You can reboot it manually or, since we are already in the terminal, by entering:
reboot
Step 8: Now it is time to launch the binary and dump the S-Gold baseband:
./NORDumper dump.bin
If everything from the previous setup steps is okay you should see ……… Don't touch your iPhone while the dump file is being written. Here is a question I found online about the baseband dumping process.
Question: I know this is possibly the most time-consuming step of the entire process (some waiting as long as 30-40 mins for this step to complete) and I'm just wondering, what does this "NORdumper" really do? I understand that it is "dumping" something into the file that we are creating, "dump.bin", but besides the dump, is there any manipulation happening? Are we writing information into the phone while the dump is taking place? Or is this process strictly dumping the information from the sgold2 chip inside the phone?
Answer: NOR memory is dumped while in the bootloader’s interactive mode; the resulting file will contain the bootloader, the main code, and the eeprom. Somewhere in that mess of binary data is what we’re looking for!
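Step 6 and its NOTE edit the CommCenter launch daemon plist by hand in nano; the following added example (not part of the original guide or of NORDumper) does the same edit with Python's plistlib so that the Disabled key is set before the dump and cleanly removed afterwards, with every other key of the job left intact. The sample plist is constructed from the "Modified com.apple.CommCenter.plist" example further down this page.

```python
import plistlib

# Constructed sample: the CommCenter launchd job as it looks before Step 6
# (no Disabled key yet), trimmed from the example plist shown on this page.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.CommCenter</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenter</string>
    </array>
</dict>
</plist>
"""

def load_job(plist_bytes: bytes) -> dict:
    """Parse a launchd job plist and make sure it has the top-level <dict> with a Label."""
    job = plistlib.loads(plist_bytes)
    if not isinstance(job, dict) or "Label" not in job:
        raise ValueError("not a launchd job plist: top-level <dict> with Label expected")
    return job

def set_disabled(plist_bytes: bytes, disabled: bool) -> bytes:
    """Return the plist with Disabled set to <true/> (Step 6) or with the key removed
    again (the NOTE after Step 6). All other keys are preserved."""
    job = load_job(plist_bytes)
    if disabled:
        job["Disabled"] = True
    else:
        job.pop("Disabled", None)
    return plistlib.dumps(job, fmt=plistlib.FMT_XML)

def is_disabled(plist_bytes: bytes) -> bool:
    return bool(load_job(plist_bytes).get("Disabled", False))

def edit_in_place(path: str, disabled: bool) -> None:
    """Rewrite the plist file at `path`, e.g. /System/Library/LaunchDaemons/com.apple.CommCenter.plist."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(set_disabled(data, disabled))
```

Run edit_in_place(path, True) before the dump and edit_in_place(path, False) afterwards, then reboot as the guide says.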
Okay, I have successfully dumped my baseband. What should I do next, and how can I read the dump.bin file?
Copy dump.bin from /usr/bin to your PC and open it with a hex editor. Select the range 00020000-00304000; the status bar should show 20000-304000 (if not, redo the selection). Go to Edit -> Copy to file and name the file "nor". Open this file (nor) with the hex editor, find row 215148 and change 04 00 A0 E1 to 00 00 A0 E3, save the file, and upload it to /usr/bin.
Use the Python script by Dogbert to decrypt the dumped memory file.
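The hex-editor step above is easy to get wrong (a mis-selected range shifts every offset, and an interrupted dump is silently short). This added example, not part of the original guide, carves the same 00020000-00304000 range from dump.bin in Python and checks what sits at the patch row, so you can tell an intact, unmodified dump from a truncated or already-modified one before doing anything else. It assumes the page's "row 215148" is a hex offset into the carved file.

```python
# Offsets from the hex-editor step on this page.
NOR_START = 0x20000    # "select the range 00020000-00304000"
NOR_END = 0x304000
ROW_OFFSET = 0x215148  # the page's "row 215148", read as a hex offset (assumption)

# The two 4-byte words named on the page, as they appear in the file (little-endian).
ORIGINAL_WORD = bytes.fromhex("0400A0E1")  # ARM word E1A00004: MOV R0, R4
PATCHED_WORD = bytes.fromhex("0000A0E3")   # ARM word E3A00000: MOV R0, #0

def carve_nor(dump: bytes) -> bytes:
    """Return the region the page's 'copy to file' step saves as 'nor'.

    A dump shorter than NOR_END cannot contain the whole range; that is what an
    interrupted dumper run ("don't touch your iPhone while writing") looks like."""
    if len(dump) < NOR_END:
        raise ValueError(f"dump is {len(dump):#x} bytes, need at least {NOR_END:#x}: incomplete dump?")
    return dump[NOR_START:NOR_END]

def word_at(nor: bytes, offset: int) -> bytes:
    """Read one 4-byte-aligned word from the carved region."""
    if offset % 4 or offset + 4 > len(nor):
        raise ValueError("offset must be 4-byte aligned and inside the carved region")
    return nor[offset:offset + 4]

def classify_row(nor: bytes, offset: int = ROW_OFFSET) -> str:
    """'original' if the unmodified instruction is at the row, 'patched' if the
    replacement already is, otherwise 'unexpected' (wrong range, wrong offset,
    different firmware, or a corrupt dump): in that case stop and re-check."""
    word = word_at(nor, offset)
    if word == ORIGINAL_WORD:
        return "original"
    if word == PATCHED_WORD:
        return "patched"
    return "unexpected"

def find_word(nor: bytes, word: bytes) -> list:
    """Every 4-byte-aligned offset where `word` occurs, to see whether the row
    is the only place this instruction appears in the carved region."""
    return [i for i in range(0, len(nor) - 3, 4) if nor[i:i + 4] == word]

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "dump.bin", "rb") as f:
        nor = carve_nor(f.read())
    print(classify_row(nor), find_word(nor, ORIGINAL_WORD))
```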
There are a few iPhone unlock methods:
- Software unlock with the ultrasn0w package from Cydia.
- Hardware unlock (the first iPhone unlock, developed by GeoHot). Designed for the iPhone 2G.
- Unlock with the help of SIM interposers such as Gevey SIM, Gevey Ultra, TPSim and RSim, developed mostly by Chinese teams. These unlocks are for the iPhone 4/4S, which cannot be unlocked by any software method right now.
- The iPhone NCK unlock method. This method is impossible unless you dump the iPhone baseband. There is a nice tool from the Dev Team called iPhone NORDumper that can dump the iPhone 2G baseband memory into a binary file.
Downloads:
My dump.bin file from an iPhone 2G (S-Gold) locked to the AT&T carrier. To download it, copy this command into the terminal:
wget http://www.letsunlockiphone.com/scripts/dump.bin
Examples:
Modified com.apple.CommCenter.plist file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>HopefullyExitsFirst</key>
    <true/>
    <key>Label</key>
    <string>com.apple.CommCenter</string>
    <key>MachServices</key>
    <dict>
        <key>com.apple.commcenter</key>
        <dict>
            <key>ResetAtClose</key>
            <true/>
        </dict>
    </dict>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenter</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
</dict>
</plist>
Remember, another way to dump the iPhone baseband is to use the OpeniBoot software from Cydia; I am going to release a short guide soon. NORDumper, hnor, norz and speedynor (the other iPhone baseband dumping tools, by Zibri and other iPhone Elite members) all give the same results when dumping the NOR.
Resources:
NOR Flash Chip: theiphonewiki info
Thanks for the nice guide…
I have done everything till step 8
Step 8: Now here is the time to launch our binary file and dump that S-Gold baseband
when I use the command NORDumper dump.bin I get an error
Which error? Can I have the logs?
Basically the "killed" error means that your script has been interrupted by another process or you are running an unsigned app. Try ldid -S ./NORDumper dump.bin
Now I get the ./minimal/mapping.h(54): _assert(2:false) error
Can I use this script for my iPhone 4?
They said that it is only for the iPhone 2…
I don't understand why the NORDumper is dated 2007. :S
Is this for iphone 4 or iphone 2g ?????
Do you have NORDumper source code?
Yes, just hit me up at [email protected] and I'll send you the source code
This script can be used for 1st gen iPhones only. If you want to dump the iPhone 4 baseband, just make your own dumper based on this script
I keep getting the error:
iPhone:/usr/bin root# ./NORDumper dumpy.bin
dyld: Library not loaded: /usr/lib/libgcc_s_v6.1.dylib
Referenced from: /usr/bin/./NORDumper
Reason: image not found
Trace/BPT trap
Any ideas on how to fix it? (this is on step 8)
Hi, right now I am on step 8 but every time I try and run it I get this error and I can't seem to figure it out:
iPhone:/usr/bin root# ./NORDumper mydump.bin
dyld: Library not loaded: /usr/lib/libgcc_s_v6.1.dylib
Referenced from: /usr/bin/./NORDumper
Reason: image not found
Trace/BPT trap
I tried looking for a way to make a symbolic link but ran into issues, since it comes up with libgcc_s_1.dylib instead. Any help will be appreciated, thanks
Just rename libgcc_s_1.dylib to libgcc_s_v6.1.dylib and you should be fine. I had the same issue before