IOS Baseband Tools

p0sixninja has written four tools baseband hacking: All these tools are related to the QHSDLOAD protocol for the iPhone 4 CDMA, iPhone 4S and iPhone 5 (Qualcomm DLOAD protocol).
 * DLOADTool
 * BBTool
 * DBLTool
 * iOSUSBEnum

Description
These are some little tools that p0sixninja made for interfacing with the Qualcomm baseband in iOS. They should work on iPhone 4S and iPhone 5 (although he only tested them on iPhone 4S CDMA).

Setup
To build these tools you need Xcode with the iOS SDK, and iOSOpenDev installed and setup (http://www.iosopendev.com/). In the terminal switch the each directory and type " " to build the tool.

Usage
Before you can use any of the tools (other than iOSUSBEnum) you should first upload CommCenter so it won't interfere. First SSH onto the device and type the following command to unload CommCenter.

launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist

Once CommCenter is uploaded you can type "iosusbenum" to verify that the Qualcomm baseband is no longer showing up in the device list. Since the baseband no longer has any internal flash to store the baseband firmware, all the firmware is located on the device filesystem. To access these firmware files you first need to unzip them. To do this type

(for 6.x) cd /usr/local/standalone/firmware/Baseband/Trek unzip Trek-personalized.zip

(for 5.x) cd /usr/standalone/firmware/Trek unzip Trek-personalized.zip

After the firmware has been unzipped you'll see a few different files. The important ones are bbticket.der, dbl.mbn, osbl.mbn, and amss.mbn. Next you need to use bbtool to tell the device to enter DLOAD mode (basically baseband's bootrom or DFU mode). Type

You can then verify the device has entered DLOAD mode by using "iosusbenum" once again, you should see something like this.

Device Name: QHSUSB_DLOAD Vendor ID: 0x5c6 Product ID: 0x9008 Version: 0x0 Location: 0x1200000 Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x20 Num Interfaces: 0x1 Configuration Value: 0x1 Configuration: 0x0 Attributes: 0x80 Max Power: 0x1 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x0 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x81 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x0 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x1 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x0

Once you've verified the baseband is in DLOAD mode you can then just DLOADTool to boot the device into DBL (or SAH) mode. Depending on where your baseband firmware files are at just send the following command.

You should see a bunch of send and recv messages followed by "Closing Interface". Now the device should be in DBL mode. You can verify this by using "iosusbenum" once again. You should see output that looks similar to

Device Name: Qualcomm CDMA Technologies MSM Vendor ID: 0x5c6 Product ID: 0x900e Version: 0x0 Location: 0x1200000 Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x20 Num Interfaces: 0x1 Configuration Value: 0x1 Configuration: 0x1 Attributes: 0xe0 Max Power: 0x32 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x0 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x81 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x1 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20

Now that the device is in DBL mode you can use DBLTool to continue to boot the baseband up to it's normal operating mode. To do this you must pass the path to bbticket, osbl, and amss into DBLTool using the following command.

You should see a bunch of send and recvs once again followed by "Closing Interface". AMSS usually takes a little while to load, but after about 10-20 seconds, you can verify the baseband has fully booted up without the help of CommCenter by using "iosusbenum" once again. There are a bunch of interfaces in AMSS mode, but you should get output similar to the following.

Device Name: Qualcomm CDMA Technologies MSM Vendor ID: 0x5c6 Product ID: 0x9001 Version: 0x0 Location: 0x1200000 Configuration: 0 Length: 0x9 Descriptor Type: 0x2 Total Length: 0x118 Num Interfaces: 0xd Configuration Value: 0x1 Configuration: 0x1 Attributes: 0xe0 Max Power: 0x32 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x0 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x81 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x1 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x1 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x82 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x2 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x2 Alternate Setting: 0x0 Num Endpoints: 0x3 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x83 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x84 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x3 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x3 Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x85 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x4 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x86 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x4 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x5 Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x87 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x6 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x88 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x5 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x7 Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x89 Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x8 Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8a Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x6 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0x9 Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8b Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0xa Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8c Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x7 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0xb Alternate Setting: 0x0 Num Endpoints: 0x1 Interface Class: Vendor Specific Interface SubClass: 0xff Interface Protocol: 0xff Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8d Attributes: 0x3 Transfer Type: Interrupt Max Packet Size: 0x40 Interval: 0x5 Interface Length: 0x9 Descriptor Type: 0x4 Interface Number: 0xc Alternate Setting: 0x0 Num Endpoints: 0x2 Interface Class: Communication Data Interface SubClass: 0x0 Interface Protocol: 0x0 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8e Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20 Endpoint Length: 0x7 Descriptor Type: 0x5 Endpoint Address: 0x8 Attributes: 0x2 Transfer Type: Bulk Max Packet Size: 0x200 Interval: 0x20

You've successfully used the tools to boot up the baseband without any help from CommCenter. If you want to shutdown the baseband again or if you had problems during any of the steps just use " " to reset the baseband and try again. He will try to finish up his QMITool and DIAGTool for sending commands to the baseband shortly as well as documenting what each interface exposed by AMSS is used for.

References to github

 * DLOADTool on github
 * BBTool on github
 * DBLTool on github
 * iOSUSBEnum on github