Apple's March 2019 refresh of its iPad Air tablet, sporting an A12 Bionic processor and a 10.5" screen.

The NAND on a cellular iPad is dead. Is it doomed?

It is an iPad Air 3 Cellular model.

After replacing the NAND chip, the iPad works normally. However, since the existing NAND chip is completely dead, there is no way to extract the serial, Wi-Fi, and Bluetooth MAC addresses. (I tried the NAND programmer, but I couldn't query any MAC addresses. The chip is completely dead.) Sadly, I don't even have the MAC address written down from before, so there is no way to know it.

For devices with A12 and above, I understand that the MAC address is also stored in the AP, and I was wondering if there is a way to extract it.

Score 2
6 Comments

Why is the NAND chip dead?

@wellbinn OK, that's fine. Why did you replace the last one?

@hampter probably because it died?

@hampter It was someone else's device, so I don't know its history. It was already broken when I got it. DFU recovery failed, so I tried various things to repair it, and after replacing the NAND, I succeeded in recovering iPadOS.

When I put the original NAND I extracted into the V1S Pro programmer, it says it needs to be formatted. However, even after formatting, it outputs a message asking me to format it again.

When I try syscfg queries, they all fail. The only output is the NAND capacity and model name. Of course, I also tried NAND reball, but that didn't work either.

3 Answers

Most Helpful Answer

In theory, there are decryption keys to these addresses stored in Apple's "Secure Enclave"; there could be a way to exploit it and read some of this information.

You could also see if your home Wi-Fi router logs the MAC addresses of devices that have formerly connected to it.

If you have any previously paired Bluetooth devices, they may also have unencrypted MAC addresses cached internally. I don't know enough about the Bluetooth protocol to be certain, but from what I understand it's not very secure, and there are certainly plenty of tools to diagnose and debug Bluetooth communication.

See what a memory dump of any previously paired device yields.

In theory, to the best of my knowledge, it is possible to find the information you need.

A custom solution and a lot of research and hardware hacking would be in order to fix this in practice.

So it's probably doomed unless you are really really good at hardware hacking.

You may be able to jailbreak the iPad; there are some 0-day unpatchable hardware-level exploits on a lot of Apple devices. There are entire companies dedicated to breaking into smartphones and extracting data for law enforcement and courts of law.

Score 3
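The router-log suggestion in this answer is the one that needs no special hardware, so here is an added example (not part of the answer above, and not an iFixit or Apple tool) of how a practitioner would actually check those records. It assumes the router runs dnsmasq (the stock DHCP server on OpenWrt and many consumer firmwares), whose lease file has the layout `<expiry-epoch> <MAC> <IPv4> <hostname> <client-id>`; the lease lines below are constructed for the example, not captured from a real network. The script normalizes MAC formatting, skips corrupt lines, and lets you search by the hostname the device announced, which for an iPad is typically the device name set in Settings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in dnsmasq "dhcp.leases" layout (also used by OpenWrt):
#   <expiry-epoch> <MAC> <IPv4> <hostname> <client-id>
# Every address and name below is made up for this example.
SAMPLE_LEASES = """\
1711200000 aa:bb:cc:dd:ee:01 192.168.1.20 desktop-pc 01:aa:bb:cc:dd:ee:01
1711200300 AA-BB-CC-DD-EE-02 192.168.1.21 iPad *
1711200600 aa:bb:cc:dd:ee:03 192.168.1.22 * 01:aa:bb:cc:dd:ee:03
this line is corrupt and must be skipped, not crash the parser
1711200900 aa:bb:cc:dd:ee:04 192.168.1.23 Johns-iPhone 01:aa:bb:cc:dd:ee:04
"""

# Six hex pairs, all joined by the same separator (":" or "-"), any case.
MAC_RE = re.compile(r"^([0-9a-f]{2})([:-])(?:[0-9a-f]{2}\2){4}[0-9a-f]{2}$", re.I)


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str                 # normalized: lower-case, colon-separated
    ip: str
    hostname: Optional[str]  # None when dnsmasq recorded "*" (client sent no name)


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if the token is not a MAC."""
    if not MAC_RE.match(raw):
        return None
    return raw.replace("-", ":").lower()


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq lease lines, silently dropping malformed ones."""
    leases: List[Lease] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        try:
            expiry = int(parts[0])
        except ValueError:
            continue  # first field is not an epoch timestamp
        mac = normalize_mac(parts[1])
        if mac is None:
            continue  # second field is not a MAC address
        hostname = None if parts[3] == "*" else parts[3]
        leases.append(Lease(expiry, mac, parts[2], hostname))
    return leases


def find_by_hostname(leases: List[Lease], needle: str) -> List[Lease]:
    """Case-insensitive substring match on the announced hostname."""
    needle = needle.lower()
    return [l for l in leases if l.hostname and needle in l.hostname.lower()]


def unique_macs(leases: List[Lease]) -> List[str]:
    """Every distinct MAC the router has handed a lease to, sorted."""
    return sorted({l.mac for l in leases})


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for lease in find_by_hostname(leases, "ipad"):
        print(f"{lease.hostname}: {lease.mac} (last IP {lease.ip})")
    print("all MACs seen:", ", ".join(unique_macs(leases)))
```

On a live router you would read `/tmp/dhcp.leases` (OpenWrt) or `/var/lib/misc/dnsmasq.leases` (most Linux installs) instead of the constructed string. Note the caveat that applies to the question itself: a lease only exists if the device ever joined the network, and recent iPadOS versions can present a per-network private address rather than the factory MAC, so a hit here still needs to be checked against what the device actually used.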

1 Comment:

Thank you for your answer.

It's been broken since I first received the device, so this iPad's only history is being wired to iTunes in recovery mode. Sad.

You can use a NAND programmer, the P13 from JC for example: put a compatible NAND in the programmer, format the NAND for an iPad Air 3 and write/unbind Wi-Fi. Then solder the NAND back onto the iPad and update the firmware in DFU mode.

Try to activate the device over Wi-Fi; you will not bypass activation.

Remove the NAND from the iPad, put it in the NAND programmer again, QueryCode/Unbind, and choose fast mode. Wait until the process is done and you have the old serial, Wi-Fi and Bluetooth.

Score 1

3 Comments:

I already own JC's NAND programmer. However, the iPad Air 3 has an A12 chip, and starting with A12, the AP also has a Wi-Fi MAC address registered, so if you inject another MAC address into the NAND, activation is not possible. (Actually, I've already tested it with a different MAC address. I get an activation error.)

And as far as I know, even if the chip is below A11, the cellular model cannot be activated by a Wi-Fi/BT MAC change alone.

Yes, but you are not supposed to pass activation with the wrong serial and BT/Wi-Fi; rather, get the original serial and MAC addresses by connecting to the activation server with the wrong serial/BT/Wi-Fi. After you try to activate the A12+ iPad, it will send information from and back to the iPad. With that info you can obtain the original serial, BT and Wi-Fi from the P13 reader with the query option on the new NAND.

Does it mean that the Apple activation server has the serial and the BT/Wi-Fi addresses?

But how can I read it? I'm trying to activate it, but nothing shows up except an error message... You told me to query the NAND after the activation attempt, but will the server's MAC address data come into the NAND if I try to activate it with the wrong serial?

While I'm no expert on iPad NAND programming, I think your best bet is finding a junker to swap out the NAND. Basically, the chip is too far gone to salvage the needed data; a still-good NAND from a compatible system, even if its addresses are different, should work.

Score 0

6 Comments:

It is my understanding that Apple devices A12~A13 have the Wi-Fi/BT MAC address hardcoded into the AP. Even when replacing the NAND, it cannot be activated unless the original MAC address is written to the NAND. Rather, starting with A14, MAC addresses are stored only in the AP, so it doesn't matter if the existing NAND is damaged.

@wellbinn - That doesn't make sense; it would either be programmed within the Apple/Universal Scientific Industrial USI 339S00551 Wi-Fi/Bluetooth module or held within the NAND. If it was programmed, then the chip's markings should give you a clue. The more elegant way is to use the NAND in a protected cell area.

@danj But there's no way to read syscfg from this broken NAND. I've tried several ways, but the programmer still hasn't been able to query syscfg from the NAND.

@wellbinn - Yes, I figured that, which is why you need a preprogrammed NAND from another system, using its MAC address. Cloning the chip might work, but you would then need a fresh MAC address to replace the duplicate.

@danj In the case of the A14, it is certain that the AP and the Wi-Fi IC are serialized. In fact, the iPhone 12 and MacBook Air M1 (=A14X) cannot be repaired if the Wi-Fi IC module fails. Hardcoding parts' serials on the AP seems to be technically possible. I am not sure exactly about the A12.
