Help with error 1002

[brokenBB]

I bought an 8GB iPhone 3G with a shattered screen planing to fix it. Sadly it turned out that the cracked glass wasn't all that's wrong with this phone. Firmware upgrades mostly end in a 1002 error and I get no Wi-Fi, no reception and no bluetooth. I've spent five days (and the better part of five nights) trying to fix this one.

I've tried just about every firmware and jailbreak there is. After generating 70+ iPhoneUpdater logs each one taking about 25 minutes to create I'm out of ideas. Please help!

Below are a few lines from a typical iPhoneUpdater log that I find especially interesting:

Code:

radio-error = 256
radio-error-string = 'Corrupted stack'

AMDeviceIoControl: failed, error 31, usbd status c0000004
USBControlTransfer: error 0, usbd status c0000004

<Restore Device 03791A28>: operation 19 progress -1
device returned AMR error 1002

I believe that operation 19 is a baseband upgrade. It takes about 10-15 minutes and is probably the source of the 1002 error. When iTunes finishes/gives up the restore, it spits out a whole lot of lines beginning with:

Code:

==== device restore output ====

Everything looks OK until it tries to Ping. It tries around 46 times, resetting and powercycling the baseband about 7 times. After the failed pings it says:

Code:

Modem appears to not be responding. Continuing to update with available firmware
		Firmware Version: Unknown
		EEP Version: Unknown
		EEP Revision: Unknown
		Boot Loader Version: Unknown or None
		FLS/EEP Mismatch: Mismatch
Configuring Hardware Mux...OK

It repeats the pinging a few times and then:

Code:

-------------------------------------------------------------------------------
 BEGINNING BOOT
-------------------------------------------------------------------------------
Sending boot code...Powering radio on through AppleBaseband
OK
Automagic-ing firmware from path /usr/local/standalone/firmware...
	- FLS file /usr/local/standalone/firmware/ICE2_04.26.08.fls and EEP file /usr/local/standalone/firmware/ICE2_04.26.08.eep are available
Automagic-ing firmware from path /usr/local/standalone/firmware -- All OK

Version ICE2-04.26.08 is available
Deciding whether to update or not...
	- Loaded version is unknown, updating anyway.
Deciding whether to update or not -- All OK
Reading Reference file /usr/local/standalone/firmware/ICE2_04.26.08.fls...OK
Sending EBL Loader...
	Sending EBL Loader Length...OK
	Sending EBL Loader Data...OK
	Sending EBL Loader Checksum...OK
Sending EBL Loader -- All OK
Sending EBL...
	Sending EBL Length...OK
	Sending EBL Data and Checksum...OK
Sending EBL -- All OK
Getting EBL Version......OK
	- Boot Mode 0xCC
	- EBL Version Major/Minor: 6.2
	- EBL Version 'ICE2_RAM_B'
	- Flashing Compression: 0, CRC Type: 0, CRC Method: 1
Reading Reference file /usr/local/standalone/firmware/ICE2_04.26.08.fls...OK
Sending Protocol configuration...OK
Sending Flash ID...OK
Doing CFI Stage 1...OK
Doing CFI Stage 2...OK
-------------------------------------------------------------------------------
 DONE BOOT
-------------------------------------------------------------------------------
Getting software version of file /usr/local/standalone/firmware/ICE2_04.26.08.fls...OK
Increasing baud rate to 921600...OK
Validating EBL Version...OK
-------------------------------------------------------------------------------
 SENDING FLS FILE: /usr/local/standalone/firmware/ICE2_04.26.08.fls
-------------------------------------------------------------------------------
Loading FLS file /usr/local/standalone/firmware/ICE2_04.26.08.fls...OK
>> Sending Block of type CodeClass(0) from file /usr/local/standalone/firmware/ICE2_04.26.08.fls...
	Beginning Dynamic EEP erase at 0x20E40000 to 0x20EBFFFE...Progress:  0 percent, 0 of 524286Progress:  100 percent, 524286 of 524286. OK
	Sending Security Block...Timed out
Trying again (9 tries left)
Configuring Hardware Mux...OK

It repeats from "BEGINNING BOOT" nine times but always ends with "Sending Security Block...Timed out". It then starts over with the pinging and tries to send security block another nine times (can't blame it for not trying!). Finally it ends with:

Code:

	Sending Security Block...Timed out
Giving up

!!! Exception at :0:
	- BBUReturnTimedOut(10)/2: Command receive error, progress 0 of 6

My conclusion is that iTunes isn't able to update the baseband. After restoring I usually get stuck in the recovery mode loop. I get out of it with iRecovery -s and "setenv auto-boot true". Here are a few interesting lines from iRecovery:

Code:

(Recovery) iPhone$ radio detect
Radio board detected.
(Recovery) iPhone$ radio version
Unknown
(Recovery) iPhone$ radio readnvram
Radio NVRAM Entries:
(Recovery) iPhone$ radio vitals
Radio status is Corrupted stack
ping ok med phasbandupdater

Again we see this Radio Corrupted stack which I believe is the problem. The empty Radio NVRAM is also worrying.

After getting out of the recovery mode loop I can jailbreak and get into the phone. Here are some info from Settings > General > About:

Code:

Network:	Not Available
Carrier:	Not Availible
Wi-Fi Address:	N/A
Bluetooth:	00:00:00:00:00:00
IMEI:
ICCID:
Modem Firmware:

I can get the iPhone to this state on just about every firmware available for the 3G. I've transfered a whole bunch of apps through USB. OpenSSH, Mobile Terminal, Fuzzyband, Bootneuter, etc...
Fuzzyband, Bootneuter, etc. all gets stuck at Querying Modem and similar.

The one thing I did that actually yielded some kind of result was running phasebandowngrader. On firmware 3.0 and 3.1.2 it didn't do much, but on 2.2.1 however it got interesting:

Code:

Validating parameters...OK
Disabling sleep...OK
Powering radio on through AppleBaseband
Opening device path /dev/cu.debug, using initial baud 115200
- Ping OK
Modem appears to not be responding. Continuing to update with available firmware
		Firmware Version: Unknown
		EEP Version: Unknown
		EEP Revision: Unknown
		Boot Loader Version: Unknown or None
		FLS/EEP Mismatch: Mismatch
Configuring Hardware Mux...OK
-------------------------------------------------------------------------------
 BEGINNING BOOT
-------------------------------------------------------------------------------
Sending boot code...OK
Reading Reference file ICE2_02.28.00.fls...OK
Sending EBL Loader...
	Sending EBL Loader Length...OK
	Sending EBL Loader Data...OK
	Sending EBL Loader Checksum...OK
Sending EBL Loader -- All OK
Sending EBL...
	Sending EBL Length...OK
	Sending EBL Data and Checksum...OK
Sending EBL -- All OK
Getting EBL Version......OK
	- Boot Mode 0xCC
	- EBL Version Major/Minor: 6.2
	- EBL Version 'ICE2_RAM_B'
	- Flashing Compression: 0, CRC Type: 0, CRC Method: 1
Reading Reference file ICE2_02.28.00.fls...OK
Sending Protocol configuration...OK
Sending Flash ID...OK
Doing CFI Stage 1...OK
Doing CFI Stage 2...OK
-------------------------------------------------------------------------------
 DONE BOOT
-------------------------------------------------------------------------------
Getting software version of file ICE2_02.28.00.fls...OK
Increasing baud rate to 921600...OK
Validating EBL Version...OK
-------------------------------------------------------------------------------
 SENDING FLS FILE: ICE2_02.28.00.fls
-------------------------------------------------------------------------------
Loading FLS file ICE2_02.28.00.fls...OK
>> Sending Block of type CodeClass(0) from file ICE2_02.28.00.fls...
	Beginning Dynamic EEP erase at 0x20E40000 to 0x20EBFFFE...Progress:  0 percent, 0 of 524286Progress:  100 percent, 524286 of 524286. OK
	Sending Security Block...Timed out
Trying again (9 tries left)
Configuring Hardware Mux...OK

It tries nine times but "Sending Security Block" always Times out. Finally it Gives up:

Code:

Sending Security Block...Timed out
Giving up

!!! Exception at :0:
	- BBUReturnTimedOut(10)/2: Command receive error, progress 0 of 6
	Re-enabling sleep...OK
___________________________________

Sucess! 
Reboot your device and check your Baseband number. 
It should be 02.28.00 now. Run Yellowsn0w and have fun.

Still it's not able to send the security block what ever that is. But at least it managed to Ping OK! This should mean that the radio unit isn't completely dead?

After booting up something has changed in Settings > General > About:

Code:

Carrier:	(null) (null)
Wi-Fi-address:	N/A
Bluetooth:	00:00:00:00:00:00
IMEI:		XX XXXXXXXXXXXX X (censored)
ICCD:		
Modemfirmware:	02.11.07

In this state I once again ran the radio commands from iRecovery but they still didn't show any improvement.

One interesting thing I did was to in iRecovery enter the wifiaddress:

Code:

setenv wifiaddr xx:xx:xx:xx:xx:xx

The wifiaddress I entered then showed up in Settings > General > About. Wifi still didn't work though. I suspect that it needs a few lines more then just the MAC address.

The symptoms of this problem matches almost exactly those of a problem that people had with the 2G iphone. They seem to have fixed it by downgrading to 1.x firmwares and then reflashing the baseband. Sadly I haven't been able to get a 1.x firmware working on my 3G. I've come across a few people with the same problem on the 3G but no one seems to have fixed it.

Sadly the 3G doesn't have a separate communications board so changing the baseband/radio chip would mean changing the whole board. These boards cost more than I payed for the phone so it's not an option.

Desoldering the radio chip and reprogramming it should work, but I can't find anyone with the required tools and skills. Does anyone know where I could get a job like this done?

Any and all input would be much appreciated!

[i.Annie]

Have you tried this (assuming you're on 3.1/3.1.2):

Restore the phone. Error 1002 shows up, click "ok". Open up Blackra1n and run it. It might just kick the phone out of whatever bad state it's in. Go back into iTunes and see if it reads.

If not on 3.1/3.1.2 and on 3.0/3.0.1 try doing the same with Redsn0w.

If not on that and on 2.x then try doing it with quickpwn or pwnagetool.

I'm afraid to say it might be the commboard but if you haven't tried ^ you should give it a go, it's better than not doing anything?

[brokenBB]

I've tried:

• Blackra1n on 3.1/3.1.2.
• Redsn0w on 3.0/3.0.
• QuickPwm on 2.2.1 (and a few other 2.x firmwares).

All of the above with and without SIM card, on three different computers, using three different USB cables, iTunes 7.5, 7.7 and the newest. I didn't do them all perfectly systematic so I could have missed one or two combinations, but I sure have tried most combinations several times.

I'm also afraid it might be the commboard. And sadly on the 3G it's not possible to replace merely the commboard since it's all on the same board.

But since it's possible to ping the radio I'm thinking the problem is software related. Perhaps a baseband flash gone wrong or similar? I wish there were a way to use all those baseband flashing tools from the 1.x firmware days.

Thanks for the input!

[brokenBB]

Bump, bump!

Okay, perhaps there's just to much information for anyone to bother reading.

Lets just start with this: What does "Sending Security Block...Timed out" mean and is there a way around the "Timed out" part?

[brokenBB]

Time for another update. I've played around a bit more with this phone and tried to keep a detailed log of each step. After cleaning the log a bit this is what's left:

Phasebanddowngrader
19:20 2010-02-07 Flashing fw2.2.1 from DFU mode, iTunes 7.7.
19:48 2010-02-07 Error (1002) as usual.
22:56 2010-02-07 Jailbroke with QuickPWN.
22:56 2010-02-07 Installed mobile terminal through iPhone PC Suite.
22:58 2010-02-07 Phone keeps restarting every 3:rd minute.
23:05 2010-02-07 Moved mobilewatchdog to / and thereby extending reboot period to 10 minutes.
23:30 2010-02-07 Transfered phasebanddowngrader.
23:37 2010-02-07 Executed phasbanddowngrader. Radio wouldn't respond to pings this time. But do note that I have gotten the radio to respond to pings which makes me think that it isn't all dead.
23:41 2010-02-07 After phasebanddowngrader phone displays IMEI and modemfirmware: 02.11.07.

ienew
23:55 2010-02-07 Transfered bbupdater, ICE04.02.13_G.eep, ICE04.02.13_G.fls, ienew, ieraser and secpack to /usr/bin/
00:19 2010-02-08 Tried to run ienew, but it gets instantly killed.
00:40 2010-02-08 Ran the command "sysctl -w security.mac.proc_enforce=0 security.mac.vnode_enforce=0" got "security.mac.proc_enforce: 1 -> 0
security.mac.vnode_enforce: 1 -> 0"
00:42 2010-02-08 Success. ienew isn't killed.
00:47 2010-02-08 Ran ienew, got:
dyld: Library not loaded: /usr/lib/libgcc_s_v6.1.dylib
Referenced from /usr/bin/ienew
Reason: image not found
Trace/BPT trap
07:03 2010-02-08 I hate vfdecrypt on windows! It won't take the keys!
11:33 2010-02-08 Managed to compile a vfdecrypt with keys inside. Now I can decrypt the dmg's.
11:35 2010-02-08 Decrypted just about every firmware from 2.2.1 to 1.0. libgcc_s_v6.1.dylib can be found in 1.1.4 and earlier.
11:46 2010-02-08 ienew won't take any of my libgcc's. Complains about file size etc.
11:52 2010-02-08 Tried a couple of ienew's from other sources but still no go. I'm pretty sure I got ienew to accept a libgcc extracted from a dmg a few weeks ago but I'm unable to recreate it right now. Then I got ienew running but it didn't complete for some reason. I thought I'd try some other secpacks etc. but it doesn't seem like it's gonna happen today.

The main problem is still the 1002 error, no Wi-Fi, no reception and no bluetooth. The problem seems to be the baseband, it's somehow corrupted and all reflashing attempts fails. Perhaps because of some problem with secpack?

A secondary problem that just recently appeared is the constant rebooting. Every third minute. I've done some minor attempts to fix it w/o success.

Hopefully someone will see something I missed. Please share your thoughts and ideas.

[EdzwanShah]

brokenBB, dude, I got THE EXACT SAME PROBLEM with you... I think our main problem is not the Baseband, after 3 weeks straight of reading, I think what gone wrong is the Bootloader itself, mother of the baseband...
here's the thing... in my case, it's an iPhone 3G... we can get all the Bootloader hacking tools in iPhone 2G, but I can't seem to find any for iPhone 3G, for example, ZiPhone, it can crack the bootloader 3.9/4.6 in firmware 1.1.4 which is for 2Gs. I tried ZiPhone on this 3G, nothing happens, don't care whether it's in Normal/Recovery/DFU mode...
the best thing i can do with my iphone 3g now is just treat it like an iPod Touch, we can restore, jailbreak, see the goddamn home screen, play around with the ipod feature, take pics with the camera, play offline games, but no calls, no wifi, no bluetooth, no sms, no mail.
about the constant restart problem, here's what i found out, use iTunes 9.0.3 with the modified iTunesMobileDevice_902_patch dll, google for bspatch.exe and the dll patch, put in 3.1.2 Firmware in the thing, then jailbreak with either blackra1n or redsn0w 0.93, the choice is yours, and the thing runs. it will remind you about the need for restore, but it won't restart itself.
One more thing, try PandaApp.com | manage your smart phone easily and safely!, there's this one thing called iPhone Suite, made by some chinese peoples i think, cause it's in chinese (Gotta respect da chinese hackers/programmers), it let you install even Cydia Packages through USB, hope that will somehow help you, so that you would find a fix to help me too. :P
[EDIT] Sorry, I don't notice you already know about iPhone Suite...

[martinsolna]

Time for another update. I've played around a bit more with this phone and tried to keep a detailed log of each step. After cleaning the log a bit this is what's left:

Phasebanddowngrader
19:20 2010-02-07 Flashing fw2.2.1 from DFU mode, iTunes 7.7.
19:48 2010-02-07 Error (1002) as usual.
22:56 2010-02-07 Jailbroke with QuickPWN.
22:56 2010-02-07 Installed mobile terminal through iPhone PC Suite.
22:58 2010-02-07 Phone keeps restarting every 3:rd minute.
23:05 2010-02-07 Moved mobilewatchdog to / and thereby extending reboot period to 10 minutes.
23:30 2010-02-07 Transfered phasebanddowngrader.
23:37 2010-02-07 Executed phasbanddowngrader. Radio wouldn't respond to pings this time. But do note that I have gotten the radio to respond to pings which makes me think that it isn't all dead.
23:41 2010-02-07 After phasebanddowngrader phone displays IMEI and modemfirmware: 02.11.07.

ienew
23:55 2010-02-07 Transfered bbupdater, ICE04.02.13_G.eep, ICE04.02.13_G.fls, ienew, ieraser and secpack to /usr/bin/
00:19 2010-02-08 Tried to run ienew, but it gets instantly killed.
00:40 2010-02-08 Ran the command "sysctl -w security.mac.proc_enforce=0 security.mac.vnode_enforce=0" got "security.mac.proc_enforce: 1 -> 0
security.mac.vnode_enforce: 1 -> 0"
00:42 2010-02-08 Success. ienew isn't killed.
00:47 2010-02-08 Ran ienew, got:
dyld: Library not loaded: /usr/lib/libgcc_s_v6.1.dylib
Referenced from /usr/bin/ienew
Reason: image not found
Trace/BPT trap
07:03 2010-02-08 I hate vfdecrypt on windows! It won't take the keys!
11:33 2010-02-08 Managed to compile a vfdecrypt with keys inside. Now I can decrypt the dmg's.
11:35 2010-02-08 Decrypted just about every firmware from 2.2.1 to 1.0. libgcc_s_v6.1.dylib can be found in 1.1.4 and earlier.
11:46 2010-02-08 ienew won't take any of my libgcc's. Complains about file size etc.
11:52 2010-02-08 Tried a couple of ienew's from other sources but still no go. I'm pretty sure I got ienew to accept a libgcc extracted from a dmg a few weeks ago but I'm unable to recreate it right now. Then I got ienew running but it didn't complete for some reason. I thought I'd try some other secpacks etc. but it doesn't seem like it's gonna happen today.

The main problem is still the 1002 error, no Wi-Fi, no reception and no bluetooth. The problem seems to be the baseband, it's somehow corrupted and all reflashing attempts fails. Perhaps because of some problem with secpack?

A secondary problem that just recently appeared is the constant rebooting. Every third minute. I've done some minor attempts to fix it w/o success.

Hopefully someone will see something I missed. Please share your thoughts and ideas.

hi I got the very same problem - after whole day trying I managed to get out of error 1002 but now have no wifi/bluetooth/imei and the phone restarts every 3minutes

have you managed to sort this problem since then?