
Lorin Thwaits A geek says what?

Looks like the iPhone has been set free by the persistent guys at iPhoneDevWiki.  No doubt the discovery will send the stock prices of Apple and T-Mobile upwards.  This post is aimed at those technical souls out there who want to give it a try.  It's a concise look at all the steps necessary to get the job done and enjoy much cheaper iPhone service when traveling overseas.  (Don't get stuck with a $12000 bill!)  A quick look at the second phone ever unlocked in this way:

George Hotz who worked closely with the effort just today traded the 4GB phone pictured above for the Nissan 350Z pictured below, plus three brand new 8GB phones.

Okay, so on to the geeky.  The basic gist of the hack is that the flash memory inside the phone, referred to as the NOR, has a portion called the bootloader that is by default impossible to (easily) modify because there's a checksum involved.  But by moving its location to appear at a different place in memory _after_ you've booted, you can get in and patch crucial sections of the real bootloader.  The tricky part is how to move it somewhere else.  This is done with a small modification to the hardware, temporarily applying 1.8 volts to an address line called A17.  This shifts where the iPhone sees the flash (NOR) memory, and allows you to patch four crucial bytes in its contents.  Since this shift has to be done after the phone is booted up, part of the process is to solder in a switch that is temporarily enabled.

Ultimately this approach is not a permanent unlock because if you do a software update it will write back the NCK check routine, and you'll have to do the entire unlock process over again.  The _true_ unlock will be to recover the actual NCK, and unlock all the checksums.  When the NCK checksums have been properly calculated and stored there's no need to have to re-patch the phone when the next software update comes around.

In his blog, George Hotz (geohot) first gives a big round of applause to the iphonedevwiki crew.  He also included these kind words in the comments at the top of the source code for iEraser:

"Thanks to gray and the dev team for the implementation
thanks to nightwatch for the awesome toolchain
and thanks to anonymous, iProof, lazyc0der, and dinopio for the idea for this cool trick."

And also in the source code for iUnlocker there's a shout out to "the siemens guys", which may refer to the Martech team.  They're a group who has used a similar bootloader trick to unlock various Siemens phones that use the S-Gold2 chip from Infineon.  Just so happens that the iPhone also uses the same S-Gold2 chip for its baseband support.

George provides 10 posts on his blog that give excellent instructions on how to do all this trickery, which are consolidated below.

First, here's all the files you need:  iPhoneUnlock.zip

1. Open the iPhone. Remove the black part, the three screws, and the aluminum case. Disconnect the wire connecting the phone to the case. Do not remove anything else. More info available from the ifixit guys.

2. Also remove the metal cover over the comm board. This is all the disassembly you have to do. If you feel like being safe, desolder the red battery lead.

3. The red line in this picture is covering the A17 trace:

In order to trick the chip into thinking the flash is erased in the correct section, you will need to pull this high. Scrape away the green coating on the trace with something like a multimeter probe. Then solder a very thin wire to it. Be very careful not to damage the underlying copper of the trace. Only scrape away at that solder mask above that one trace. YOU DO NOT WANT TO BREAK THE TRACE. This is the hardest step in the whole process; the rest is cake.  So be careful. Also solder a wire to a 1.8v source, the easiest place is from a nearby capacitor as shown above.  You should end up with wiring similar to what you see in this picture:

Connect the wire coming from the trace and the wire coming from the 1.8v to your unlock switch.  Or if you're a real cheapskate then you can skip attaching a switch, and instead leave the bare wires disconnected while you boot, and twist them together during the two times that it's needed, once during step #5, and at first when you run iUnlocker.  Just make sure to never touch the wires to the metal case of the iPhone, or any other part of the circuit board.

(Thanks go out to Nick Chernyy for his detailed pictures of the circuit boards.)

4. Time to test what you just soldered.  First use the continuity check on a multimeter to make sure the wires aren't shorting to ground or to each other.  Make sure your newly-added A17 switch is in the off position.  Resolder the red power wire to the battery if you disconnected it in step #2.  Power up your iPhone.  For this you don't need to reconnect the case with the line to the power button, just connect it with USB, it'll power itself up.  Hopefully it doesn't smoke :)

5. Now to test connectivity you'll need minicom and a termcap file.  These are available in the .ZIP file above, or available separately here:

minicom: http://lpahome.com/iPhone/minicom

termcap: http://lpahome.com/iPhone/termcap

First add termcap. This defines the width and height of the terminal window used in minicom. Second you will also need to move com.apple.CommCenter.plist out of its folder and reboot your iPhone. Then when you start minicom for the first time, use minicom -s to enter into setup and set the modem as /dev/tty.baseband.

With minicom set to tty.baseband, send a few commands.  AT a few times will do.  It should respond OK.  Now flip your switch, the baseband should stop responding to AT commands.  Even when you flip it back, the baseband chip still shouldn't respond.  Be sure your switch is off, then open another ssh and run "bbupdater -v".  You can get bbupdater off the ramdisk.  This should reset the baseband, and AT commands in minicom should work again.  If so, your soldering is most likely good, and you are ready to start unlocking your phone.  If not, don't worry too much.  I must've thought I bricked my phone 100 times.

(When you're totally done with minicom you'll have to move com.apple.CommCenter.plist back otherwise your phone won't have service. But we're not done with minicom yet.)

6. Now, with the switch off, your baseband should be working perfectly.  Here you should take a NOR dump of your phone.  The dev team's NORDumper is a great way to do this.  Available either in the .ZIP file, or here:

NORDumper:  http://iphone.fiveforty.net/wiki/index.php

This is an application that you transfer to your iPhone via SCP (secure copy) and run.  You can't run it without using the hardware switch.  NORDumper is good to have in case something goes wrong.  You can extract the firmware from this as well, which we'll get to later.

7. Now it's time to erase the current firmware on your modem. Don't worry, you can always put it back with bbupdater. The tool that does the job is iEraser, found in the .ZIP or here:

iEraser:  http://lpahome.com/ieraser.rar

Here's how the bootrom check works: it reads from 0xA0000030, 0xA000A5A0, 0xA0015C58, and 0xA0017370. If all these addresses are blank, it reverts instead to its "failsafe" bootloader. In flash memory, a 32-bit entry is blank when it is 0xFFFFFFFF. The catch is that you can't normally erase those locations because they are in the bootloader. So that's where our fancy switch comes in. Pulling A17 high hardware OR's the address bus with 0x00040000 (offset one because data bus is 16 bits), so the bootrom instead checks locations 0xA0040030, 0xA004A5A0, 0xA0055C58, and 0xA0057370, which show up in the main firmware and can be erased. Pretty genius :)
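The check just described, modelled as an added Python example (not code from the post or from the iPhoneDevWiki tools): it shows why forcing A17 high shifts the four reads by 0x40000 on a 16-bit data bus and how a blank word at each shifted location flips the bootrom onto its failsafe path. The NOR base address of 0xA0000000 and the contents of the sample dump are assumptions.

```python
import struct

NOR_BASE = 0xA0000000        # assumed: where the NOR appears in the baseband's address space
BLANK_WORD = 0xFFFFFFFF      # an erased 32-bit flash entry reads as all ones
# The four addresses the bootrom reads before deciding on the failsafe path (from the post)
CHECK_ADDRS = (0xA0000030, 0xA000A5A0, 0xA0015C58, 0xA0017370)
MAIN_FW_RANGE = (0x20000, 0x304000)   # NOR-dump offsets of the main firmware (from the post)


def address_line_mask(line: int, data_bus_bits: int = 16) -> int:
    """Byte-address bit driven by address line A<line>.

    With a 16-bit data bus the flash has no line for the byte-select bit, so
    address line A<n> is byte-address bit n+1.  For A17 that is 0x00040000.
    """
    return 1 << (line + data_bus_bits // 8 - 1)


def effective_address(addr: int, a17_high: bool) -> int:
    """Address the flash actually decodes: forcing A17 high ORs in its bit."""
    return addr | address_line_mask(17) if a17_high else addr


def read_word(nor: bytes, addr: int) -> int:
    """Little-endian 32-bit read from a NOR dump at a bootrom-visible address."""
    return struct.unpack_from("<I", nor, addr - NOR_BASE)[0]


def bootrom_selects_failsafe(nor: bytes, a17_high: bool) -> bool:
    """True when every checked word is blank, i.e. the bootrom takes the failsafe path."""
    return all(read_word(nor, effective_address(a, a17_high)) == BLANK_WORD
               for a in CHECK_ADDRS)


def aliases_fall_in_main_firmware() -> bool:
    """The shifted locations must land in the erasable main-firmware region."""
    lo, hi = MAIN_FW_RANGE
    return all(lo <= effective_address(a, True) - NOR_BASE < hi for a in CHECK_ADDRS)


def build_demo_nor() -> bytearray:
    """Constructed dump: bootloader words programmed, their A17 aliases erased."""
    nor = bytearray(b"\xff" * MAIN_FW_RANGE[1])
    for a in CHECK_ADDRS:                     # real bootloader data, so checksum-protected
        struct.pack_into("<I", nor, a - NOR_BASE, 0x12345678)
    return nor


if __name__ == "__main__":
    nor = build_demo_nor()
    for a in CHECK_ADDRS:
        print(f"{a:#010x} -> {effective_address(a, True):#010x} with A17 high")
    print("switch off, failsafe:", bootrom_selects_failsafe(nor, False))   # False
    print("switch on,  failsafe:", bootrom_selects_failsafe(nor, True))    # True
```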

To use this tool, you need the secpack for your modem's version. The erase of this section is protected. Check the modem version in Settings->About. It'll either be 3.12(1.0) or 3.14(1.0.1 and 1.0.2). You need the ramdisk which corresponds to your version. Then go into "/usr/local/standalone/firmware" and get the ICE*.fls file. Extract 0x1a4-0x9a4 and save it in a file called secpack and place it in the same directory as the iEraser tool. Run iEraser. This should erase the modem firmware and leave you one more step on your way to unlocking.

Update: This step, running iEraser, has proven to be difficult for a couple of people.  I don't have an iPhone that I can test this out with, so can't help that much.  For those that have success, if you could comment about creating the secpack file it would be great.

Now it's time to patch the firmware.  Thanks to gray for finding these patches; this required some very complicated reverse-engineering.  First, you need to extract the firmware from your NOR dump.  The range you need is 0x20000-0x304000.  Save this as a file called "nor". The offset to patch, counted from the beginning of the file, depends on your version and is as follows:

3.12: (213740): 04 00 a0 e1 -> 00 00 a0 e3

3.14: (215148): 04 00 a0 e1 -> 00 00 a0 e3

Resave the file nor.  You'll now upload this updated version to the phone using iUnlocker, found in the .ZIP or here:

iUnlocker:  http://lpahome.com/iunlocker.rar

This tool uploads a small program, "testcode.bb", to the baseband using the bootrom exploit. This program needs to be in a directory with "nor", the file you obtained in the last step. You need to have the switch on when running this program. This will download and run the code in "testcode.bb". Then the program will stop and ask you to turn off the switch.  Do so.  Then type any character and hit enter. The nor upload starts right away. When the counter reaches 0x2E4000, everything is uploaded. Run "bbupdater -v". Hopefully it will return the xgendata. If it does, the NOR upload was successful.

The final step is to once again minicom into /dev/tty.baseband. If you already used up your attempt counter, the phone should already be unlocked. If not just run AT+CLCK="PN",0,"00000000", which updates the checksums. That will unlock the phone for sure.  To check if it's unlocked, run AT+CLCK="PN",2. It should return 0.

Your phone is now unlocked.  Exit minicom and copy the CommCenter plist (com.apple.CommCenter.plist) back to its place.  Reboot.  iASign.  And enjoy your unlocked iPhone.

***  End of unlocking steps  *** 

George continues:

"I won't be in the iPhone scene anymore. I leave for college in two days, and I have so much to do. We still have a good amount, about a grand, of donation money left. We definitely need to buy jpetrie a new iPhone. He donated the original phone that made all this possible. I'll even unlock the new phone for him. With the money left over, if anyone wants it back, drop me a line. I wish I had time right now to unlock iPhones for people, but even with this method it'll take me two hours per phone, and I'm leaving soon. I will continue to post to this blog, and I will continue to work with the iPhone, but not on a software unlock. I am pretty much useless there. I plan on setting up a ssh box into my test iPhone for gray to play around with. In these posts/files is basically everything I know. I have a few cool ideas for things I want to do with the phone, like a cell phone tower based GPS. I will detail everything on this blog.

"Using this exploit it should be very easy to permanently mod your phone to run unsigned code. Just write 0xFFFFFFF to the locations the bootrom checks. I don't believe they are used. Also, if anyone finds a way to erase the bootloader from software, this would open up a software unlock.

"I really wish I had more time to detail all of this, and one day I will. You will always be able to reach me at geohot at gmail. This has been a great community and has been a great trip. I hope I was a positive influence on the community. Thanks so much everyone, I have learned so much. Coming into this project I didn't know that cell phones used AT commands, or that there was a distinction between kernel/user space. I had once in my life looked at ida before this, and found it too confusing. I still can't reverse engineer well, but this is definitely something I want to learn. Thanks again everyone."

Big thanks out to George Hotz and the many hours put in by the whole iPhoneDevWiki crew!

As a side-note, a company with much more commercial interests has begun advertising a software-only unlock.  It looks like they don't actually have a product ready yet, but they are advertising that they will soon.  FWIW George contacted them, offering to validate their claim on his insanely popular blog if they would do a software-only unlock on one of his phones.  He hasn't heard back from them yet.

Another way to effectively unlock the iPhone is with the TurboSim, which is a "SIM proxy".  Regardless what your SIM card's ICCID is, this go-between device always sends the following MCCMNC codes to the phone:

310-150
310-170
310-410
001-010
311-180
310-980

This fools the phone into thinking it's a true AT&T iPhone SIM.  These proxy cards initially sold for $80 each, but they now go for $400-$500 on eBay.  To use it you have to carve down the actual SIM card you want to use, and put it inside this piggyback thing.

Posted on Saturday, August 25, 2007 3:53 AM | Community, Gadgets


Comments on this post: Time to buy an iPhone

# re: Time to use the iPhone in Iran
Just got a note from a couple of guys, Bashir and Siavash from Iran, who followed the directions above and now claim to have what is quite possibly the first unlocked iPhone in Iran! Check out their adventures here:

http://www.syavash.com/portal/users/siavash/blogs/the-first-unlocked-iphone-in-iran
Left by Lorin Thwaits on Aug 27, 2007 12:01 PM

# re: Time to unlock an iPhone with a Windows machine
No Linux / OSX required! You can use WinSCP to push the files / tools out to the phone, and Putty to shell into the box. (Errr... Phone.)

At the end after it's unlocked you still have to activate, which can be done with the Windows version of iASign. Or you can use DVD Jon's iPhone Unlock Toolkit. (This must be done under iTunes 7.3.0.54, but after activation you can upgrade to the latest version of iTunes, currently 7.3.2.6.)

I wouldn't be too worried about attempting this procedure. As long as you have some soldering skills, you should do fine. After all, it's only two wires, one of which is kinda tricky (A17) but the other is pretty easy (+1.8V). Even if you do break the trace, you could bridge it again and it would jump back to life.
Left by Lorin Thwaits on Aug 29, 2007 5:11 AM

# re: Time to buy an iPhone
Hey there, a friend of mine bricked my phone.
Can't upgrade firmware, error 1002.
Is there a way to downgrade the firmware or to undo the jailbreak etc. so the iPhone gets back to its out-of-the-box settings?

Many thanks,

Michael
Left by Michael on Sep 09, 2007 5:37 AM

# re: Time to buy an iPhone
Hi, I got this problem
AT+CLCK="PN",0,"00000000"
error
AT+CLCK="PN",2
ok
0
Looks like my iPhone is unlocked, but I can't get service. I think it is something about the CommCenter plist. What can I do? I repeated everything 3 times, same error. Any advice? Thanks.
Left by OooH on Sep 10, 2007 10:47 AM

# re: Time to buy an iPhone
I get the same thing as michael please help
Left by Jose on Sep 12, 2007 6:56 PM

# re: Time to buy an iPhone
Please have patience with my lack of knowledge, but, what is the difference between an iphone and an unlocked iphone???? :|
Left by billy bob on Dec 13, 2007 5:17 AM

# re: sim card problem
I bought an 8GB iPhone in France and my SIM card doesn't work; it just comes up "No Service".
Left by mick on Mar 16, 2009 1:13 PM



Copyright © Lorin Thwaits | Powered by: GeeksWithBlogs.net