CommCenter Patch by wortel (4ALL4) Update


414 replies to this topic

#201
aneagle


Thanks. If it is the same, then the patch from post 109 or the version from post 113 (I gather they are essentially the same) should work just as well, right?
Cheers

#109 is correct, #113 is a .deb file to be installed from Cydia and may include an iOS version limit at 4.3.3. You can PM jav4 and ask him to change the limit.

Edited by aneagle, 28 September 2011 - 08:03 AM.

  • 1


#202
Halibutt


#109 is correct, #113 is a .deb file to be installed from Cydia and may include an iOS version limit at 4.3.3. You can PM jav4 and ask him to change the limit.


Sadly, installing the .deb from post 109 returns errors

(Reading database ... 4021 files and directories currently installed.)
Unpacking ccpatch.wortel.4all4 (from CCPatch.jav4.4ALL4.deb) ...
dpkg: error processing CCPatch.jav4.4ALL4.deb (--install):
 trying to overwrite `/usr/CommPatch/CC-3GS-410', which is also in package com.d23.wortel
Errors were encountered while processing:
 CCPatch.jav4.4ALL4.deb

When I removed the source altogether and tried the modified .deb from post 109, it seems the version check was still in there:

(Reading database ... 4006 files and directories currently installed.)
Unpacking ccpatch.wortel.4all4 (from CCPatch.jav4.4ALL4.deb) ...
Setting up ccpatch.wortel.4all4 (4.x-2) ...
CommCenter 4.x Patch by wortel@######
4.3.5 is the wrong version must be 4.x
dpkg: error processing ccpatch.wortel.4all4 (--install):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 ccpatch.wortel.4all4

So it seems that the lengthy manual update is the only option.
Cheers
  • 0

#203
Halibutt

Halibutt

    Newbie

  • Members
  • Pip
  • 9 posts
Okay, one final question.

Here's what I did so far:
  • I took the CommCenter file from my /System/Library/Frameworks/CoreTelephony.framework/Support
  • opened with a hex editor (HxD), located HEX 85538 per post 108
  • replaced 28 46 with 01 20
  • saved
What I have to do now is:
  • replace my old CommCenter at /System/Library/Frameworks/CoreTelephony.framework/Support with my newly-patched version
  • run "ldid -s CommCenter" and "chmod +x CommCenter" in MobileTerminal on my iPhone
  • double-check that the permissions for the patched file are set to 755 (say, in WinSCP)
  • reboot my device and hope for the best
Am I right about the second list?

Edited by Halibutt, 28 September 2011 - 07:03 PM.

  • 0

#204
aneagle


Okay, one final question.

Here's what I did so far:

  • I took the CommCenter file from my /System/Library/Frameworks/CoreTelephony.framework/Support
  • opened with a hex editor (HxD), located HEX 85530 per post 108
  • replaced 28 46 with 01 20
  • saved
What I have to do now is:
  • replace my old CommCenter at /System/Library/Frameworks/CoreTelephony.framework/Support with my newly-patched version
  • run "ldid -s CommCenter" and "chmod +x CommCenter" in MobileTerminal on my iPhone
  • double-check that the permissions for the patched file are set to 755 (say, in WinSCP)
  • reboot my device and hope for the best
Am I right about the second list?

Right, and ldid is lowercase (not LDID). The correct address should be HEX 85538.
You can try to make the iOS version to appear as 4.3.3 by using a plist editor to edit the SystemVersion.plist in System/Library/CoreServices and change back to 4.3.5 before reboot.

Edited by aneagle, 28 September 2011 - 04:17 PM.

  • 0

#205
Halibutt


Right, and ldid is lowercase (not LDID). The correct address should be HEX 85538.
You can try to make the iOS version to appear as 4.3.3 by using a plist editor to edit the SystemVersion.plist in System/Library/CoreServices and change back to 4.3.5 before reboot.


Thanks for all the help guys. Not sure if I succeeded though. I needed the patch to install a custom carrier bundle (specifically this .ipcc I prepared for myself). The ipcc was meant to add correct settings (internet, mms and such), as well as change the ugly POL to proper carrier logo (for some strange reason Polish operator Play (26006) shows up as "POL" both on main screen and in the settings). I applied the patch as mentioned above, installed the ipcc through iTunes and... nothing. I tried respringing, rebooting (quite time-consuming given I'm on Gevey+redsn0w), removing the SIM - nothing works.

Any ideas how to check where the error is? Or should I start a new thread for that?

BTW, I also tried installing some other machine- and man-made ipcc's for my carrier as well, but they do not use signatures, which might be a problem in post-4.1 versions.
Cheers
  • 0

#206
JustMe2

Is "ldid" device specific? If someone else ldid'ed the patched executable already will that one run on my device as well or do I have to ldid it again?
  • 0

#207
aneagle


Is "ldid" device specific? If someone else ldid'ed the patched executable already will that one run on my device as well or do I have to ldid it again?


No, but the assignment can get lost with some file transfer modes; there's no harm in running ldid -s again.
  • 0

#208
aneagle


Thanks for all the help guys. Not sure if I succeeded though. I needed the patch to install a custom carrier bundle (specifically this .ipcc I prepared for myself). The ipcc was meant to add correct settings (internet, mms and such), as well as change the ugly POL to proper carrier logo (for some strange reason Polish operator Play (26006) shows up as "POL" both on main screen and in the settings). I applied the patch as mentioned above, installed the ipcc through iTunes and... nothing. I tried respringing, rebooting (quite time-consuming given I'm on Gevey+redsn0w), removing the SIM - nothing works.

Any ideas how to check where the error is? Or should I start a new thread for that?

BTW, I also tried installing some other machine- and man-made ipcc's for my carrier as well, but they do not use signatures, which might be a problem in post-4.1 versions.
Cheers

1. It doesn't work with a Gevey SIM, at least for the first type of Gevey: CommCenter can't get to the second stage and load the custom carrier bundle to var/Library, which is done after the phone is registered with the carrier by removing and re-inserting the SIM.
2. The carrier.plist in your ipcc is not correct because you modded it from the Unknown bundle; there's more chance of a correct mod if you do it on the 26002 or 26003 bundle. It needs the key SupportedSIMs with value 26006. Make a custom bundle in System/Library/Carrier Bundles/iPhone and create its symlink 26006.
  • 1

#209
Halibutt


1. It doesn't work with a Gevey SIM, at least for the first type of Gevey: CommCenter can't get to the second stage and load the custom carrier bundle to var/Library, which is done after the phone is registered with the carrier by removing and re-inserting the SIM.

That's a shame. But from the next part of your post I infer that bypassing the loading problems is still possible by copying (SSH) the bundle manually to some folder?

2. The carrier.plist in your ipcc is not correct because you modded it from the Unknown bundle; there's more chance of a correct mod if you do it on the 26002 or 26003 bundle. It needs the key SupportedSIMs with value 26006. Make a custom bundle in System/Library/Carrier Bundles/iPhone and create its symlink 26006.

The problem is I copied the Orange.pl (260-03) and built upon it by modifying all the data. So no, it was not modded from the Unknown bundle. And the following code is definitely there:

	<key>SupportedSIMs</key>
	<array>
		<string>26006</string>
	</array>

I wonder if my handling of fake signatures is correct though. Or are there any more errors?

BTW, I copied the files to that directory, but it didn't work either. But I'm trying once again just in case. Rebooting/Reapplying Gevey/respringing now.....

...nope, still same old POL carrier.

Cheers

Edited by Halibutt, 29 September 2011 - 12:47 PM.

  • 0

#210
aneagle


That's a shame. But from the next part of your post I infer that bypassing the loading problems is still possible by copying (SSH) the bundle manually to some folder?

The problem is I copied the Orange.pl (260-03) and built upon it by modifying all the data. So no, it was not modded from the Unknown bundle. And the following code is definitely there:

	<key>SupportedSIMs</key>
	<array>
		<string>26006</string>
	</array>

I wonder if my handling of fake signatures is correct though. Or are there any more errors?

BTW, I copied the files to that directory, but it didn't work either. But I'm trying once again just in case. Rebooting/Reapplying Gevey/respringing now.....

...nope, still same old POL carrier.

Cheers

After successful registration with the mobile carrier, CommCenter takes the MCC/MNC from the network (26006 in your case) and starts scanning the Carrier Bundles folder for the symlink 26006. If there's no 26006, it cleans the carrier info from var/mobile/Library and copies the Unknown bundle from the System area to var. If there is a 26006, it gets the path to the carrier bundle, creates a symlink Carrier Bundle.bundle and runs through carrier.plist. At this stage the carrier logo from the bundle is shown, but the data network settings are not applied until you remove and re-insert the SIM card and a symlink Operator Bundle.bundle is created in var/mobile/Library; this is where it doesn't work with Gevey, because the whole procedure has to be restarted.
The patch bypasses the signature check of carrier.plist, but all these signature keys (dummy) should be there.
Check var/mobile/Library, click the symlink Carrier Bundle.bundle for its content and see if it's your custom bundle or still the Unknown bundle.

PS. remove the key "MandatoryVerify"

Edited by aneagle, 29 September 2011 - 02:15 PM.

  • 1

#211
Halibutt


After successful registration with the mobile carrier, CommCenter takes the MCC/MNC from the network (26006 in your case) and starts scanning the Carrier Bundles folder for the symlink 26006. If there's no 26006, it cleans the carrier info from var/mobile/Library and copies the Unknown bundle from the System area to var. If there is a 26006, it gets the path to the carrier bundle, creates a symlink Carrier Bundle.bundle and runs through carrier.plist. At this stage the carrier logo from the bundle is shown, but the data network settings are not applied until you remove and re-insert the SIM card and a symlink Operator Bundle.bundle is created in var/mobile/Library; this is where it doesn't work with Gevey, because the whole procedure has to be restarted.

Correct me if I'm wrong, but if that's the case, wouldn't it be better to prepare an .ipcc with only the fields related to the carrier logo graphics, omitting all the apns, sms settings and so on? That way the bundle shouldn't have a problem with Gevey, as I have to fill in all the settings manually anyway. Or am I missing something?

EDIT/ Tried a simplified carrier.plist, with no fields related to calling, apns and such. It doesn't return any iTunes errors, but doesn't show my carrier logo either.

Check var/mobile/Library, click the symlink Carrier Bundle.bundle for its content and see if it's your custom bundle or still the Unknown bundle.

Weird, that's an unknown bundle, but apparently with traces of my earlier attempts at manual edit in the form of manual addition of "Play". It shouldn't collide with "POL" though, should it? Or should I remove the carrier bundle.bundle via ssh and try to reinstall the .ipcc again?

PS. remove the key "MandatoryVerify"

Here's a new version. When using the earlier version with iTunes the progress bar advanced quickly and without errors. After removal of MandatoryVerify the progress bar takes some 2 minutes to stop and then returns unknown error (0xE8000051) in iTunes. Needless to say, the files do not get copied to /System/Library/Carrier Bundles/iPhone and the Carrier Bundle.bundle still points to Unknown.

Here's the content of the modified carrier.plist just in case.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ASCIIFileNameRequired</key>
	<true/>
	<key>AllowEDGEEditing</key>
	<true/>
	<key>AllowMMSCEditing</key>
	<true/>
	<key>AllowMMSEditing</key>
	<true/>
	<key>CarrierName</key>
	<string>POL</string>
	<key>IntlDataRoamingSwitch</key>
	<true/>
	<key>MMS</key>
	<dict>
		<key>GroupModeEnabled</key>
		<false/>
		<key>MMSC</key>
		<string>http://10.10.28.164/mms/wapenc</string>
		<key>MaxMessageSize</key>
		<integer>614400</integer>
		<key>MaxVideoBitrate</key>
		<integer>131072</integer>
		<key>OnWhileRoaming</key>
		<true/>
		<key>Proxy</key>
		<string>10.10.25.5:8080</string>
	</dict>
	<key>MaxBluetoothModemConnections</key>
	<integer>5</integer>
	<key>MyAccountURL</key>
	<string>http://www.play.pl</string>
	<key>MyAccountURLTitle</key>
	<string>Play</string>
	<key>OverrideCarrierMenuTo</key>
	<true/>
	<key>PhoneNumberRegistrationGatewayAddress</key>
	<string>+447786205094</string>
	<key>RegistrationOptInRequired</key>
	<true/>
	<key>Services</key>
	<array>
		<dict>
			<key>ServiceCode</key>
			<string>790200200</string>
			<key>ServiceName</key>
			<string>Poczta głosowa</string>
		</dict>
		<dict>
			<key>ServiceCode</key>
			<string>*500</string>
			<key>ServiceName</key>
			<string>Biuro Obsługi</string>
		</dict>
	</array>
	<key>ShowCallForwarded</key>
	<false/>
	<key>ShowCallForwarding</key>
	<false/>
	<key>ShowDialAssist</key>
	<false/>
	<key>ShowTTY</key>
	<false/>
	<key>StatusBarImages</key>
	<array>
		<dict>
			<key>AllowPrefixMatching</key>
			<false/>
			<key>CarrierName</key>
			<string>POL</string>
			<key>DefaultImage</key>
			<string>Default_CARRIER_POL.png</string>
			<key>FullScreenOpaqueImage</key>
			<string>FSO_CARRIER_POL.png</string>
			<key>StatusBarCarrierName</key>
			<string>Play</string>
		</dict>
		<dict>
			<key>AllowPrefixMatching</key>
			<false/>
			<key>CarrierName</key>
			<string>POL</string>
			<key>DefaultImage</key>
			<string>Default_CARRIER_POL.png</string>
			<key>FullScreenOpaqueImage</key>
			<string>FSO_CARRIER_POL.png</string>
			<key>StatusBarCarrierName</key>
			<string>Play</string>
		</dict>
	</array>
	<key>SupportedSIMs</key>
	<array>
		<string>26006</string>
	</array>
	<key>SupportsNITZ</key>
	<false/>
	<key>SupportsUserBusyCauseCode</key>
	<true/>
	<key>VVMIgnoresIntlDataRoaming</key>
	<false/>
	<key>VisualVoicemailServiceName</key>
	<string>none</string>
	<key>VoicemailPilotNumber</key>
	<string>790200200</string>
	<key>apns</key>
	<array>
		<dict>
			<key>apn</key>
			<string>internet</string>
			<key>password</key>
			<string></string>
			<key>signature</key>
			<data>
			JakasWydumanaSygnaturaBoPrzeciezAjfonNieWspolpracuje
			ZPla
			</data>
			<key>type-mask</key>
			<integer>49</integer>
			<key>username</key>
			<string></string>
		</dict>
		<dict>
			<key>apn</key>
			<string>mms</string>
			<key>password</key>
			<string></string>
			<key>signature</key>
			<data>
			InnaWydumanaSygnaturaBoPrzeciezAjfonNieWspolprac
			</data>
			<key>type-mask</key>
			<integer>4</integer>
			<key>username</key>
			<string></string>
		</dict>
		<dict>
			<key>apn</key>
			<string>internet</string>
			<key>password</key>
			<string></string>
			<key>signature</key>
			<data>
			TrzeciaWydumanaSygnaturaBoPrzeciezAjfonNieWspolpracu
			</data>
			<key>type-mask</key>
			<integer>48</integer>
			<key>username</key>
			<string></string>
		</dict>
	</array>
	<key>signature</key>
	<data>
	CzwartaWydumanaSygnaturaBoPrzeciezAjfonNieWspolpracu
	</data>
</dict>
</plist>

Edited by Halibutt, 30 September 2011 - 09:32 AM.

  • 0

#212
aneagle

If it's just the carrier logo you want to display, you can try these instructions: My link. hj23 on the sinfuliphone forum confirmed the logo change. Other settings for apn... won't work with Gevey.

Just one detail in your carrier.plist: the status bar carrier name is POL without prefix; with prefix it's PL_POL. "Play" doesn't match; try "POL".

Edited by aneagle, 30 September 2011 - 11:14 AM.

  • 1

#213
Halibutt

EDIT / Scratch everything below, IT WORKED!!!

The problem was not with Winterboard or Springboard or the carrier bundles. The problem was that I had FakeOperator installed. Even though it was switched off in the settings, it must've somehow collided with the custom graphics. I uninstalled FakeOperator and - Taddaaa! - a respring did the trick. Thanks again for all your assistance, mate.

----

If it's just the carrier logo you want to display, you can try these instructions: My link. hj23 on the sinfuliphone forum confirmed the logo change. Other settings for apn... won't work with Gevey.

Sadly, no success either. Unless Generator's "* First character/digit of carrier logo name" (P in my case) should rather be "* Full name of carrier logo name" (POL in my case).

Just one detail in your carrier.plist: the status bar carrier name is POL without prefix; with prefix it's PL_POL. "Play" doesn't match; try "POL".

Thanks for pointing that out. POL didn't work, will try PL_POL later on.

EDIT/ Somewhere along the path the bundle indeed got copied and unpacked to "/private/var/mobile/Library/Carrier Bundles/iPhone/POL_pl_custom.bundle". Not that it changed anything as the graphics still won't show...
Cheers

Edited by Halibutt, 30 September 2011 - 12:49 PM.

  • 0

#214
Vitorio

Hi!

Can someone please confirm that this offset is still valid on the final iOS 5?

Thanks in advance

change the bytes at 0x8fc6e to 01 20

The easiest way to do it is to install vim, as then you get the xxd command. This is exactly how I did it on my phone:

Dorkodile:~ root# cd /System/Library/Frameworks/CoreTelephony.framework/Support/
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# cp CommCenterClassic CommCenterClassic.save
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# cp CommCenterClassic CommCenterClassic.hack
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# apt-get install ldid
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# apt-get install vim
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# echo "008fc6e: 0120" | xxd -r - CommCenterClassic.hack 
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# ldid -s CommCenterClassic.hack 
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# cp CommCenterClassic.hack CommCenterClassic
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# sync
Dorkodile:/System/Library/Frameworks/CoreTelephony.framework/Support root# reboot


  • 0

#215
aneagle


Hi!

Can someone please confirm that this offset is still valid on the final iOS 5?

Thanks in advance


It's 8E910 on the GM; please upload your CommCenterClassic and I'll check.
And also on 5 (9A334).

Edited by aneagle, 14 October 2011 - 02:06 AM.

  • 1

#216
Vitorio

Thanks aneagle!


I'm not on iOS 5 yet. Waiting for an untethered jailbreak. But it's good to know that this hack will work. I don't want to pay more to use the modem mode with my operator. I don't use it often, but I like to know I can do it if I want.
  • 0

#217
alpineflip


It's 8E910 on the GM; please upload your CommCenterClassic and I'll check.
And also on 5 (9A334).


Hi aneagle, I've been following this post for a while, and thanks for all you and the others have done to provide these patches. Just curious if 8E910 is the HEX address or the firmware name; I know 9A334 is the new 5.0 fw but don't know where you got 8E910. I haven't come across any of the GMs yet that had that label, so maybe I missed it? I am still trying to learn how to find the address to patch in CommCenter (I know how to do it if someone tells me the address), but just opening a hex editor or IDA I don't know where to start, so I'll keep reading. Thanks
  • 0

#218
aneagle


Hi aneagle, I've been following this post for a while, and thanks for all you and the others have done to provide these patches. Just curious if 8E910 is the HEX address or the firmware name; I know 9A334 is the new 5.0 fw but don't know where you got 8E910. I haven't come across any of the GMs yet that had that label, so maybe I missed it? I am still trying to learn how to find the address to patch in CommCenter (I know how to do it if someone tells me the address), but just opening a hex editor or IDA I don't know where to start, so I'll keep reading. Thanks


Run IDA; the demo mode can do the job because you don't need to recompile. Drop CommCenterClassic into the IDA window and wait until the disassembly is completed. If it displays as a flowchart, right-click and select TEXT VIEW. On the IDA menu click Search and select Text, search for the ASCII string seckeyrawverify, and you'll be in the subroutine of interest. After the last CFRelease there's a MOV instruction; its address is 8F910. This is the memory address, and if you look at the start of the disassembly text you'll see that CommCenterClassic is loaded at 1000, so in the raw file, when you edit with a hex editor, the address should be 8F910-01000=8E910. The difficult part is knowing that this particular MOV is the right one, and that's Wortel's work from the very first CommCenter patch.
  • 0
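As an added example (not code from the thread, from Wortel's patch or from jav4's .deb), the script below applies the address arithmetic from the post above and decodes the two byte pairs the thread quotes: 28 46 is Thumb MOV R0, R5 and 01 20 is MOVS R0, #1, and since R0 is the Thumb return register the second form makes the routine report success regardless of what the verify step computed. It reads a binary and reports which of the two forms sits at the offsets quoted in the thread; the sample binary is constructed in the script, and the pairing of each offset with a build is taken from the posts cited in the comments.

```python
"""Integrity check for the CommCenter patch site discussed in this thread.

Added example, not from the thread. Decodes the Thumb-1 encodings of the two
byte pairs the thread quotes and reports whether a binary still returns the
real verify result or a forced success at the known offsets.
"""
import struct

# File offsets quoted in the thread, labelled by the build they were given for.
KNOWN_PATCH_SITES = {
    "iOS 4.x CommCenter (posts 108/204)": 0x85538,
    "iOS 5 beta CommCenterClassic (post 214)": 0x8FC6E,
    "iOS 5.0 9A334 CommCenterClassic (posts 215/218)": 0x8E910,
}
IDA_LOAD_BASE = 0x1000  # post 218: CommCenterClassic is loaded at 1000 in IDA

ORIGINAL_BYTES = bytes.fromhex("2846")  # MOV R0, R5  : real verify result returned
PATCHED_BYTES = bytes.fromhex("0120")   # MOVS R0, #1 : return value forced to 1


def va_to_file_offset(va: int, base: int = IDA_LOAD_BASE) -> int:
    """IDA memory address -> raw file offset (post 218: 8F910 - 1000 = 8E910)."""
    return va - base


def decode_thumb16(hw: int) -> str:
    """Decode the two 16-bit Thumb-1 forms that matter at this site."""
    if (hw & 0xF800) == 0x2000:                 # 001 00 Rd(3) imm8 : MOVS Rd, #imm8
        return f"MOVS R{(hw >> 8) & 7}, #{hw & 0xFF}"
    if (hw & 0xFF00) == 0x4600:                 # 0100 0110 D M Rm(3) Rd(3) : MOV Rd, Rm
        rd = (hw & 7) | (((hw >> 7) & 1) << 3)
        rm = (hw >> 3) & 0xF
        return f"MOV R{rd}, R{rm}"
    return f".short 0x{hw:04x}"                 # anything else: not a form we recognise


def classify_site(blob: bytes, offset: int) -> str:
    """Report what the instruction at `offset` does to the verify result."""
    if offset < 0 or offset + 2 > len(blob):
        return "out of range"
    (hw,) = struct.unpack_from("<H", blob, offset)   # Thumb halfwords are little-endian
    text = decode_thumb16(hw)
    if text == "MOVS R0, #1":
        return f"PATCHED: {text} (verify result forced to success)"
    if text.startswith("MOV R0, R"):
        return f"original: {text} (real verify result returned)"
    return f"unexpected: {text}"


def audit(blob: bytes) -> dict:
    """Classify every offset the thread quotes; on a real file only the
    offset for that build is meaningful, the others are shown for comparison."""
    return {label: classify_site(blob, off) for label, off in KNOWN_PATCH_SITES.items()}


def build_sample(patched: bool) -> bytes:
    """Constructed stand-in for a CommCenter binary: zero-filled, with the quoted
    byte pair placed at every known site so audit() can be exercised offline."""
    blob = bytearray(0x90000)
    for off in KNOWN_PATCH_SITES.values():
        blob[off:off + 2] = PATCHED_BYTES if patched else ORIGINAL_BYTES
    return bytes(blob)


if __name__ == "__main__":
    print("file offset for IDA address 8F910:", hex(va_to_file_offset(0x8F910)))
    for label, verdict in audit(build_sample(patched=False)).items():
        print(f"{label}: {verdict}")
    for label, verdict in audit(build_sample(patched=True)).items():
        print(f"{label}: {verdict}")
```

To check a real file, read it with `open(path, "rb").read()` and pass it to `classify_site` with the offset for that build.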

#219
ryanpeiris


Run IDA; the demo mode can do the job because you don't need to recompile. Drop CommCenterClassic into the IDA window and wait until the disassembly is completed. If it displays as a flowchart, right-click and select TEXT VIEW. On the IDA menu click Search and select Text, search for the ASCII string seckeyrawverify, and you'll be in the subroutine of interest. After the last CFRelease there's a MOV instruction; its address is 8F910. This is the memory address, and if you look at the start of the disassembly text you'll see that CommCenterClassic is loaded at 1000, so in the raw file, when you edit with a hex editor, the address should be 8F910-01000=8E910. The difficult part is knowing that this particular MOV is the right one, and that's Wortel's work from the very first CommCenter patch.


Can you please help me with this by giving a step-by-step guide, as I am very new to this...

Thanks.

Edited by ryanpeiris, 15 October 2011 - 07:47 PM.

  • 0

#220
atmb82


Run IDA; the demo mode can do the job because you don't need to recompile. Drop CommCenterClassic into the IDA window and wait until the disassembly is completed. If it displays as a flowchart, right-click and select TEXT VIEW. On the IDA menu click Search and select Text, search for the ASCII string seckeyrawverify, and you'll be in the subroutine of interest. After the last CFRelease there's a MOV instruction; its address is 8F910. This is the memory address, and if you look at the start of the disassembly text you'll see that CommCenterClassic is loaded at 1000, so in the raw file, when you edit with a hex editor, the address should be 8F910-01000=8E910. The difficult part is knowing that this particular MOV is the right one, and that's Wortel's work from the very first CommCenter patch.


I tried opening the file with IDA, but I wasn't able to edit the address... and I couldn't find the string to edit it with, except for post #214, which hinted at the hex value...

Could you please attach here the edited CommCenterClassic file?
Thanks in advance for your kind help!
  • 0



