Hacker MuscleNerd of the iPhone Dev Team has shed some light on the fascinating evolution of iPhone basebands and unlocks, from the first iPhone back in 2007. A recently released video from the Hack In The Box (HITB) 2012 conference traces how Apple's use of the baseband for cellular communication has evolved over time, both in hardware and in software.
According to iClarified, while some changes were minor, others were drastic and aimed at blocking carrier unlocks. MuscleNerd's video presentation clearly outlines the most significant changes and factors influencing both software-based unlocks and hardware-based SIM interposers.
Although the subject matter is interesting, the audio quality of the recorded video is rather poor. The 43 minute presentation takes us into the realm of unlocking fundamentals, including the baseband unlocking concept and a comparison between software and hardware unlocks, detailing how the exploit development environment differs between the two.
Among other intriguing concepts, there is mention of iPhone 4 Data Execution Prevention (DEP), explaining how Apple implemented DEP with specific hardware changes in the iPhone 4 baseband and why that implementation failed. Interesting tidbits on how ultrasn0w was designed to work despite aggressive hardware-based DEP are also outlined. Other points of interest include MuscleNerd's explanation of the various basebands and customisations employed by Apple, as well as the use of activation tickets and baseband tickets.
Here is the complete list of the topics covered as part of the presentation at the 2012 Hack In The Box (HITB) conference, courtesy of modmyi:
Baseband ROP: Overview of the role ROP plays in software unlocks like yellowsn0w and ultrasn0w; comparison to ROP on the main Application-side CPU (jailbreaks) and why ROP wasn't even necessary on the first generation of iPhones.
Software Unlocks vs. Hardware Unlocks: How iPhone software unlocks differ from those using hardware SIM interposers; which layers of the baseband are exposed to each and how the exploit development environment differs. This includes a description of even more radical hacks like baseband chipset retrofitting and what Apple has done to prevent them.
iPhone4 DEP: How Apple implemented DEP with specific hardware changes on the iPhone4 baseband and what went wrong and how ultrasn0w was made to work despite aggressive hardware-based DEP.
Operating Systems: So far, Apple has used three completely different baseband operating systems in the iPhone line; includes description of which parts Apple tends to customise and why, as well as comparison of past and present custom command parsing.
Infineon vs. Qualcomm: Discussion of the transition from Infineon baseband chipsets to Qualcomm chipsets; comparison of the older serial-based AT interface (still used on many other handsets) to the USB-based QMI used by the iPhone4S.
Activation Tickets: Detailed description of the "activation ticket" Apple uses to authorise use with specific (or all) carriers; how activation tickets interact with the traditional PIN-based NCK codes; and contrasting activation tickets and baseband tickets.
Baseband Tickets: Details on how Apple authenticates software updates to the baseband; comparison of baseband tickets to "ApTickets" that Apple now uses on the main Application CPU to control software changes and why baseband tickets provide even stronger protection than ApTickets. This includes the role of nonces in both the baseband and main application CPU.
iPhone4S: What we've learned so far about the iPhone4S baseband; an overview of changes Apple has made to the original Qualcomm BootROM and how the iPhone4S baseband boot process differs from most other Qualcomm-based handsets. This includes which features the iPhone4S baseband has in common with other handsets and which have been removed, a description of the current attack surface, and comparison of iPhone4 and iPhone4S hardware-based protection mechanisms.
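As an added illustration of the nonce point raised under "Baseband Tickets" (example code written for this page, not from the talk and not Apple's format): a device that draws a fresh random nonce before each update and only accepts a ticket signed over that nonce cannot be fed a previously captured ticket again. The ticket fields, the shared-key HMAC used in place of a real asymmetric signature, and the device identifier are all assumptions made so the example runs on the Python standard library.

```python
import hashlib
import hmac
import json
import os

# Constructed key for the stand-in "ticket issuer"; a real issuer would sign with a
# private key and the device would verify with the matching public key.
ISSUER_KEY = b"example-issuer-key-not-real"


def issue_ticket(key, device_id, firmware_hash, nonce):
    """Sign the tuple (device, firmware, nonce) and return it as a ticket dict.

    Binding the nonce into the signed body is what makes the ticket single-use."""
    body = {"device_id": device_id, "firmware_hash": firmware_hash, "nonce": nonce.hex()}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class Device:
    """Minimal model of a device that checks a ticket before applying an update."""

    def __init__(self, device_id, verify_key):
        self.device_id = device_id
        self.verify_key = verify_key
        self.current_nonce = None  # no update is authorised until a nonce is drawn

    def new_nonce(self):
        """Draw a fresh random nonce; the issuer must sign over exactly this value."""
        self.current_nonce = os.urandom(16)
        return self.current_nonce

    def accept_update(self, ticket, firmware_hash):
        body = ticket["body"]
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.verify_key, msg, hashlib.sha256).hexdigest()
        # Constant-time compare so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, ticket["sig"]):
            return False, "bad signature"
        if body["device_id"] != self.device_id:
            return False, "ticket for another device"
        if body["firmware_hash"] != firmware_hash:
            return False, "ticket does not match this firmware"
        if self.current_nonce is None or bytes.fromhex(body["nonce"]) != self.current_nonce:
            return False, "stale or missing nonce (replay)"
        self.current_nonce = None  # consume the nonce: the ticket is now spent
        return True, "ok"


def demo():
    """Run one legitimate update, then a replay and a firmware-mismatch attempt."""
    dev = Device("DEV-0001", ISSUER_KEY)  # constructed device identifier
    fw = hashlib.sha256(b"baseband-image-v1").hexdigest()  # constructed firmware digest

    n1 = dev.new_nonce()
    t1 = issue_ticket(ISSUER_KEY, dev.device_id, fw, n1)
    first = dev.accept_update(t1, fw)

    # The device reboots and draws a new nonce; the saved ticket t1 is presented again.
    dev.new_nonce()
    replay = dev.accept_update(t1, fw)

    # The same ticket is offered for a different firmware image.
    other_fw = hashlib.sha256(b"baseband-image-v0").hexdigest()
    wrong_fw = dev.accept_update(t1, other_fw)

    # A ticket whose body was edited after signing fails the signature check.
    tampered = {"body": dict(t1["body"], device_id="DEV-0002"), "sig": t1["sig"]}
    forged = dev.accept_update(tampered, fw)
    return first, replay, wrong_fw, forged


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "wrong_fw", "forged"), demo()):
        print(f"{label}: {result}")
```

The ordering of the checks matters: the signature is verified before any field is trusted, so a tampered body is rejected without the device ever acting on its contents, and the nonce is cleared only after every other check passes.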
Watch MuscleNerd's Video Presentation on Working Principles of iPhone Basebands and Unlocks: