A "secret" coprocessor only in the S5L8900 devices. The phys / virt addresses are unknown.
Registers[edit source]
I'll have to dig up my IDB to get the whole thing, but this is what I remember:
- Register 0x0 - Calm2ADM Configuration Register
- Register 0x50 - Calm2ADM Instruction Area (ie. pointer to payload)
IMG3 Obfuscation[edit source]
This became known and looked into because in the 3.0 GM firmware release, for the S5L8900 devices, Apple made use of this to compute a "soft" GID Key to be used to decrypt the KBAG of the firmware image being loaded. The computation was based off of a hash of the first 0x1B000 of the running iBoot, so to get the correct output you needed to do some tricky patching.
See also[edit source]
 | This hardware article is a stub. Please add more content to this article and remove this tag. |