Saturday, April 25, 2009

This is an old tutorial - new one at http://iphone.unlock.no/

This method was originally developed by George Hotz, as you can see in his blog. Big thanks to him and the rest of the guys who helped him make this possible. The reason I write this guide is that his tutorial required a lot more technical knowledge from the user and had some unnecessary steps, so I'll try to make it a little easier for you. I'm also going to skip most of the technical detail, so you'll not have much idea what you're really doing. If you are interested in learning, read Hotz' blog.
Before you start

* I might have forgotten some minor things, so if anything is unclear, please let me know: IRC: GeeZuZz in #iphone.unlock @ undernet, or email unlock @ unlock.no.
* This tutorial assumes you are using Windows, but you'll easily find alternative software for Mac; just search Google if I haven't already linked to something. Hacktheiphone.net also made a tutorial especially for Mac users.
* There is a company that claims to have a (so far vaporware) software-only solution for unlocking the iPhone (for approx. $50). I'm not going to name that company before they actually release something. But if you are afraid of opening your iPhone, it might be wise to wait a little. Remember, though, that unlocking your phone by following this tutorial is FREE, and you're not even exposed to advertisements ;)

Step 1: Prepare your phone to install software

First of all, make sure you upgrade your phone to the latest firmware (1.0.2). This tutorial assumes you have version 1.0.2. To confirm, go to Settings → General → About → Version. Modem Firmware should say 03.14.08_G. If you have an older version, update the phone using iTunes; it should offer the update when you connect the phone.

The phone needs to be jailbroken before you can upload software to it. If you are on Windows, I highly recommend downloading iBrickr, which I will use as the example throughout this tutorial. Extract all files to a directory on your PC and run ibrickr.exe. Follow the instructions on screen. For more info and a video tutorial, visit Nate True's website.
Step 2: Install and setup the software

Download and extract this archive of required files to a directory on your PC: Server1 | Server2

Now you must bypass the activation mechanism on the iPhone. Do this even if your phone is already activated (unless you used the patched lockdownd method).

In iBrickr, click Files, and in the iPhone pane on the right navigate to /usr/libexec/. Download the existing lockdownd from there to your PC first, so you can put the original back if something goes wrong. Then click Upload file and select the file named lockdownd from the archive above, replacing the original. When it's done, restart your phone; it should go straight to the home screen without asking for activation.

Get your iPhone connected to your Wi-Fi access point by going to Settings → Wi-Fi → Your network. When it's connected tap the blue arrow on it and make note of the IP Address. Also, go to Settings → General → Autolock and set it to Never. This will make sure the phone does not go to standby and drop the Wifi connection.

Go back to iBrickr to install the "Installer" application, by clicking Applications → Browse applications button. You'll find "Installer" in the list.

Now you'll see a new icon called Installer on your iPhone home screen; tap on it. It will connect to the internet and download a list of available applications. The first time you start it, it will probably find a new version of itself (Installer); tap on it, then "Update" in the top right corner. When it's done updating, press the home button to exit and wait for it to refresh, then tap Installer again. When Installer is running again, install the following software in this order:

* Community Sources
* OpenSSH
* BSD Subsystem (might take some minutes)

Now you need to manually upload some files and executables to your phone. Use iBrickr (or another application) to upload the following files to the /usr/bin/ directory on your phone.

(All files are included in archive in Step 2)

* bbupdater
* ieraser
* iunlocker
* minicom
* nor
* secpack
* testcode.bb

Navigate back to the /usr/ directory and click the "Create folder" button. Name it local. Click on your new folder, and inside it create another folder named etc. You should now be in /usr/local/etc/, where you must upload minirc.dfl.

Now it's time to log onto your phone via SSH from your PC, using an application called PuTTY (or any other SSH client). In PuTTY, enter the IP address you found previously in the "Host Name" field and click the Open button at the bottom. The first time you will get a host key message you should answer Yes to, and it will take some time to connect. Log in with username: root and password: dottie. That is the default root password on this firmware, shared by every jailbroken phone running OpenSSH, so once you are done unlocking, change it with the passwd command: the phone is reachable by anyone on the same Wi-Fi network. Type the following commands (remember, they are case sensitive!):

cd /usr/bin/
chmod +x minicom
chmod +x iunlocker
chmod +x ieraser
chmod +x bbupdater
launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

The last command stops CommCenter, the daemon that normally owns the baseband serial port; if it is left running, the tools below fail with "Resource busy" (see Troubleshooting). Your phone now has the necessary software.
Step 3: Dump and patch NOR

Note: This step can be skipped if you already have a pre-patched nor file (one was included in the archive linked in Step 2). The procedure to manually dump and patch NOR follows.

Download NORDumper and upload it to the /usr/bin/ directory on your phone. Then using PuTTY run the following commands:

cd /usr/bin/
chmod +x NORDumper
NORDumper nordump.bin

This last command starts dumping NOR, a process which takes up to 30 minutes. When it's done, there is a file called nordump.bin in /usr/bin/ which you can download using iBrickr. The file should be 4 MB.
Now you'll need to switch into hacker mode, because this is probably the most advanced thing you are going to do: extract and patch a part of the NOR manually using a hex editor.
Download HxD by Maël Hörz (or, if you're a geek, use your favourite hex editor) and load nordump.bin in it.

1. Click Edit → Select block, enter 20000 as Start-offset and 304000 as End-offset, make sure hex is selected, and click OK. Copy the selection (CTRL+C), create a new file (CTRL+N) and paste it into the new file (CTRL+V). Click OK on the warning message. This extracts the baseband firmware region of the dump, which is what iunlocker will write back later.

2. Click Edit → Select block, enter 215148 as Start-offset and 21514B as End-offset (hex). The selected four bytes must be 04 00 A0 E1; if they are not, you have the wrong offset or a bad dump, so do not patch anything. While they are selected, type: 0000A0E3. It should overwrite the selection and show up as: 00 00 A0 E3. (For the curious: those bytes are the ARM instruction MOV R0, R4, and the patch turns it into MOV R0, #0, so the routine returns 0 instead of the value it computed.) You are done hacking. Save the file as "nor" (important: exactly nor, lower case, without any extension). The nor file should be 2,89 MB (3031041 bytes; 3031040 bytes is also fine, the one-byte difference only depends on whether your editor treats the end offset as inclusive).

After you have saved it, upload it to your iphone in /usr/bin/ (same place as iunlocker).
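The same extract, check and patch sequence as a script, so you do not have to count bytes by hand. This is an added example for this page, not geohot's code and not part of the original tutorial. It assumes nordump.bin is the 4 MB dump produced by NORDumper on firmware 1.0.2, and it refuses to write anything if the four bytes at the patch offset are not the expected 04 00 A0 E1:

```python
"""Extract the baseband firmware region from a NOR dump and apply the
one-instruction unlock patch described in Step 3.

Added example for this page; not part of geohot's tools. Assumes the
input is the 4 MB nordump.bin produced by NORDumper on firmware 1.0.2.
"""
import struct
import sys

REGION_START = 0x20000    # first byte copied out of the dump
REGION_END = 0x304000     # one past the last byte (0x2E4000 = 3031040 bytes)
PATCH_OFFSET = 0x215148   # offset inside the extracted region
OLD_INSN = bytes.fromhex("0400A0E1")  # ARM "MOV R0, R4", little-endian
NEW_INSN = bytes.fromhex("0000A0E3")  # ARM "MOV R0, #0"


def extract_region(nordump: bytes) -> bytes:
    """Return the bytes the hex-editor step copies into the new file."""
    if len(nordump) < REGION_END:
        raise ValueError(f"dump too short: {len(nordump)} bytes, need {REGION_END:#x}")
    return nordump[REGION_START:REGION_END]


def patch_region(region: bytes) -> bytes:
    """Replace MOV R0, R4 with MOV R0, #0, but only if the bytes match."""
    found = region[PATCH_OFFSET:PATCH_OFFSET + 4]
    if found != OLD_INSN:
        raise ValueError(
            f"unexpected bytes at {PATCH_OFFSET:#x}: {found.hex()} "
            f"(wanted {OLD_INSN.hex()}); refusing to patch")
    out = bytearray(region)
    out[PATCH_OFFSET:PATCH_OFFSET + 4] = NEW_INSN
    return bytes(out)


def describe_mov(insn: bytes) -> str:
    """Decode the two ARM MOV encodings this patch deals with (cond = AL)."""
    word = struct.unpack("<I", insn)[0]
    # data-processing layout: cond[31:28] 00 I[25] opcode[24:21] S[20]
    #                         Rn[19:16] Rd[15:12] operand2[11:0]
    imm_form = (word >> 25) & 1
    opcode = (word >> 21) & 0xF
    rd = (word >> 12) & 0xF
    if (word >> 28) != 0xE or opcode != 0xD:
        return "not an unconditional MOV"
    if imm_form:
        rot = (word >> 8) & 0xF
        imm8 = word & 0xFF
        value = ((imm8 >> (2 * rot)) | (imm8 << (32 - 2 * rot))) & 0xFFFFFFFF
        return f"MOV R{rd}, #{value}"
    return f"MOV R{rd}, R{word & 0xF}"


def build_nor(nordump: bytes) -> bytes:
    """Full Step 3: extract the region and apply the patch."""
    return patch_region(extract_region(nordump))


def main(argv):
    src = argv[1] if len(argv) > 1 else "nordump.bin"
    dst = argv[2] if len(argv) > 2 else "nor"
    with open(src, "rb") as f:
        nor = build_nor(f.read())
    with open(dst, "wb") as f:
        f.write(nor)
    print(f"wrote {dst}: {len(nor)} bytes; "
          f"{describe_mov(OLD_INSN)} -> {describe_mov(NEW_INSN)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python patch_nor.py nordump.bin nor` and upload the resulting nor file to /usr/bin/ as described above. The explicit byte check is the part worth keeping even if you patch by hand: a dump from a different firmware, or a typo in the offset, would otherwise produce a nor image that iunlocker happily writes back to the baseband.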

You are done with most of the software now. Proceed to the hardest step of them all:
Step 4: The hardware part: Disassemble your phone

Removing the covers from the phone is considered by most people to be the hardest part of the entire unlock. There's no really obvious advice to give on this one, but here is a tutorial that shows some pictures (STOP AT PAGE 5/9!).

After you have removed the rear covers, you will see a metal shield over the baseband. This needs to be removed as well. Use a tiny screwdriver or similar to carefully lift it a little all the way around (you could lift out the battery to reach the side facing it). There are two places where the shield is glued, so you'll either need to heat it up or just use force. You now have access to the testpoints which you will connect in Step 5.

The testpoints:

In the next step you are going to connect point A to B. Point B is a 1.8 V supply which is led to A, the innermost trace on the board. Geohot preferred to solder wires to it and make a switch, but if you have unlocked Siemens/Motorola phones before, you know that the easiest way is to use needles connected with a wire. Since the area is pretty clear of components, it's "impossible" to damage anything if you are just a little careful.

Below is a picture of the needles I used (from a professional unlocking device). They are spring loaded, which makes them easier to hold stable. But as the picture to the right demonstrates, some regular needles supported by corks from Bulgarian wine will also do (thanks to nasko for the pic).

But first, you'll need to expose a point in the trace (A). With something ultrasmall or thin, scratch VERY CAREFULLY on the wire until you see a golden surface. If you scratch too much, the trace will be cut and your phone is bricked (or maybe only the phone part?). Depending on what kind of needle you use, you might be able to just put the needle in it with a little pressure instead. You should not scratch the entire trace - only a tiny point to set the needle at!
Step 5: Erase baseband and write to NOR

Return to PuTTY (log in again if connection was dropped) and type these two commands to erase the modem firmware:

cd /usr/bin/
ieraser

Some data should scroll across the screen (expected output below) before it says the main flash was erased and asks you to wait for the next step (which actually means it's done).

# ieraser
Resetting the Baseband...Done
Opened: /dev/tty.baseband
iEraser: tool by geohot
thanks to gray and the dev team for the implementation
thanks to nightwatch for the awesome toolchain
and thanks to anonymous, iProof, lazyc0der, and dinopio for the idea for this cool trick
this tool erases your main fw, starting at 0x20000. you need this for the testpoint to work
you need a file called secpack matching your current firmware version in this folder
see http://iphonejtag.blogspot.com for instructions on finding this file
Waiting for data...
Got Header: 77 0b cc
02 00 85 00 02 00 FF FF 85 02 03 00
SECPACK
02 00 04 02 06 00 01 00 00 00 00 00 0B 02 03 00
02 00 02 08 06 00 01 00 00 00 00 00 09 08 03 00
02 00 03 08 20 00 00 20 00 00 FF DF FF FF C8 A3
26 A0 43 4A 4B 54 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 7C 0F 03 00
Erase
02 00 05 08 02 00 00 00 07 08 03 00
...
02 00 06 08 06 00 01 00 00 00 A0 00 AD 08 03 00
Hopefully the main flash was erased, wait for the next step...

If it just hangs at "Waiting for data", hit CTRL-C and start it again. If it still hangs, try rebooting your phone. If rebooting doesn't help either, try uploading the alternative version of ieraser (ieraser2). After it's done erasing, it's very important that you don't restart your phone! (If you do, Wi-Fi will stop working; see Troubleshooting.)

You'll need to connect the testpoints at the same time you execute the next command. Since both your hands are busy with the testpoints, here is a nice trick (thanks nasko): Run the command with a 20 second delay (or any delay you want). Here is the command:

sleep 20; iunlocker

Right after you hit enter, grab your needles and set the first needle in point A. Then put the second needle on point B. Note: if you have trouble holding it stable on top of the capacitor, you can put it right next to it, leaning onto the side of the capacitor. Hold them stable until iunlocker outputs some data and says one of the following:

* TESTPOINT WORKS: 55 (complete output below) - You're a hero. Remove your needles and do what it tells you. If it says something about a bus error, see "Troubleshooting" for more info. If everything is OK, it starts uploading NOR and prints the offset of each block it writes. It takes up to 10 minutes and is done when the offsets reach the end of the image (the last block printed is 2E3F00; the image is 2E4000 bytes). Go to the next step.
* "Please connect the testpoint" (complete output below) - Sorry, you did not get the testpoint connected right. Don't worry, it will probably take a few tries. Just set the needles again and run iunlocker once they are in place.

# iunlocker
Resetting the Baseband...Done
Opened: /dev/tty.debug
iUnlocker: tool by geohot
uploads and runs testcode.bb in the same dir
uploads the nor image in "nor"
make sure your switch is on
thanks to iProof and lazyc0der for finding this method
thanks to the siemens guys for discovering it
and thanks to nightwatch for the awesome toolchain
Spamming AT, waiting for a response
Attempting to read[1]...c0
Connected established to bootrom
File size: 1608
Checksum: 0x37
Attempting to read[2]...c1
TESTPOINT WORKS: 55
Press any char, then hit enter after testpoint has been disconnected
x
Attempting to read[1]...54
Downloading modified nor...
.....
Downloaded: 2E3E00
Downloaded: 2E3F00
Attempting to read[1]...44
run bbupdater -v and pray
if it worked, enjoy your unlocked iPhone!!!

# iunlocker
Resetting the Baseband...Done
Opened: /dev/tty.debug
iUnlocker: tool by geohot
uploads and runs testcode.bb in the same dir
uploads the nor image in "nor"
make sure your switch is on
thanks to iProof and lazyc0der for finding this method
thanks to the siemens guys for discovering it
and thanks to nightwatch for the awesome toolchain
Spamming AT, waiting for a response
Attempting to read[1]...c0
Connected established to bootrom
File size: 1608
Checksum: 0x37
Attempting to read[1]...c1
Attempting to read[3]...c1
Please connect the testpoint

Step 6: Completing the unlock

Congratulations, you have completed the hard parts; the rest is a piece of cake. While still in PuTTY, run the following command: bbupdater -v (expected result below)

# bbupdater -v
Resetting target...
pinging the baseband...
issuing +xgendata...
firmware: DEV_ICE_MODEM_03.14.08_G
eep version: EEP_VERSION:207
eep revision: EEP_REVISION:7
bootloader: BOOTLOADER_VERSION:3.9_M3S2
Done

Look for xgendata somewhere in the output; if you find it, it was successful! Now start minicom with the command: minicom. It should set up an AT connection to your baseband. If you get a warning that the configuration file was not found, go back and upload minirc.dfl correctly (see Troubleshooting). When minicom is loaded it should display something like this:

Welcome to minicom 2.2

OPTIONS:
Compiled on Jul 21 2007, 05:09:51.
Port /dev/tty.baseband

Press CTRL-A Z for help on special keys

AT S7=45 S0=0 L1 V1 X4 &c1 E1 Q0
OK

Type AT followed by enter. It should respond OK. Now type the following two commands. The first deactivates the network personalisation lock (facility "PN") using the all-zeros password; the second queries the lock status:

AT+CLCK="PN",0,"00000000"
AT+CLCK="PN",2

After the last one, it should respond +CLCK: 0, meaning the lock is inactive. If it does, the phone is unlocked! Expected result:

AT+CLCK="PN",0,"00000000"
OK
AT+CLCK="PN",2
+CLCK: 0

OK

(If you get ERROR after the first command, try to exit minicom (see below) and run bbupdater -v again, then start minicom and try once more.)

AT+CLCK="PN",0,"00000000"
ERROR
AT+CLCK="PN",2
+CLCK: 1

OK

To exit minicom, press CTRL-a followed by q and select "Yes".
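The same exchange, scripted, for anyone who would rather check the lock status from a program than read it off a minicom screen. This is an added example for this page, not part of the original tutorial or of geohot's tools. It drives any object with write(bytes) and readline() -> bytes, for instance a pyserial Serial opened on /dev/tty.baseband with a timeout (an assumption; the tutorial itself only uses minicom). FakeBaseband is a constructed stand-in for the modem so the code runs offline; the +CLCK status values (0 = lock inactive, 1 = active) are as defined in 3GPP TS 27.007.

```python
"""Script the network-lock clear/query exchange from the minicom session in Step 6.

Added example for this page, not part of the original tutorial or of
geohot's tools. Works with any object offering write(bytes) and
readline() -> bytes (e.g. pyserial's Serial with a timeout, which is an
assumption). FakeBaseband is a constructed stand-in so this runs offline.
"""
import re
from typing import List, Tuple

# 3GPP TS 27.007: +CLCK: <status>, 0 = lock not active, 1 = active
CLCK_RE = re.compile(rb"^\+CLCK:\s*([01])")


def send_at(port, command: str, max_lines: int = 20) -> Tuple[str, List[bytes]]:
    """Send one AT command; return (final result "OK"/"ERROR", intermediate lines)."""
    wire = command.encode("ascii")
    port.write(wire + b"\r")
    payload: List[bytes] = []
    for _ in range(max_lines):
        line = port.readline().strip()
        if line == b"" or line == wire:  # blank separator / timeout, or our own echo (E1)
            continue
        if line in (b"OK", b"ERROR"):
            return line.decode("ascii"), payload
        payload.append(line)
    raise TimeoutError(f"no final result code for {command!r}")


def network_lock_status(port) -> int:
    """AT+CLCK="PN",2 : query the network personalisation lock; 0 = unlocked, 1 = locked."""
    result, lines = send_at(port, 'AT+CLCK="PN",2')
    if result != "OK":
        raise RuntimeError("lock query failed: " + result)
    for line in lines:
        m = CLCK_RE.match(line)
        if m:
            return int(m.group(1))
    raise RuntimeError(f"no +CLCK line in {lines!r}")


def clear_network_lock(port, password: str = "00000000") -> bool:
    """AT+CLCK="PN",0,"<pwd>" : deactivate the lock. False is the ERROR case
    from the tutorial (run bbupdater -v again and retry)."""
    result, _ = send_at(port, f'AT+CLCK="PN",0,"{password}"')
    return result == "OK"


def unlock_check(port) -> int:
    """The full sequence typed into minicom: AT, clear, query. Returns the final status."""
    if send_at(port, "AT")[0] != "OK":
        raise RuntimeError("baseband does not answer AT (is CommCenter unloaded?)")
    clear_network_lock(port)
    return network_lock_status(port)


class FakeBaseband:
    """Constructed stand-in for the serial port. Echoes commands like the real
    modem does with E1, and stays locked until a clear command is accepted."""

    def __init__(self, accepts_clear: bool):
        self.accepts_clear = accepts_clear
        self.locked = True
        self._pending: List[bytes] = []

    def write(self, data: bytes) -> None:
        cmd = data.strip()
        self._pending = [cmd]  # command echo
        if cmd == b"AT":
            self._pending.append(b"OK")
        elif cmd.startswith(b'AT+CLCK="PN",0,'):
            if self.accepts_clear:
                self.locked = False
            self._pending.append(b"OK" if self.accepts_clear else b"ERROR")
        elif cmd == b'AT+CLCK="PN",2':
            self._pending += [b"+CLCK: %d" % int(self.locked), b"", b"OK"]
        else:
            self._pending.append(b"ERROR")

    def readline(self) -> bytes:
        return self._pending.pop(0) + b"\r\n" if self._pending else b""


if __name__ == "__main__":
    print("status after clear:", unlock_check(FakeBaseband(accepts_clear=True)))
    print("status when clear is refused:", unlock_check(FakeBaseband(accepts_clear=False)))
```

Swapping FakeBaseband for a real port means the same three functions run against the modem; remember that CommCenter must still be unloaded, or the port open fails with "Resource busy" just as minicom's does.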

Now run the following command to enable the baseband:

launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

You are done! Put in any SIM and make a call to confirm!

When you are sure it's working you can reassemble the phone. Be aware that the last black cover piece can be tough to get on properly; just be patient. Congratulations!


Troubleshooting and common problems
Is the unlock permanent? Can I restore my phone or upgrade it?

The unlock is not permanent: it lives in the baseband's NOR, so it survives an upgrade or restore only as long as the baseband firmware is not rewritten. That means (as far as I know):

* If you have 1.0, the phone will be locked again when you upgrade to anything (1.0 ships modem firmware 03.12.06_G, later versions 03.14.08_G)
* If you have 1.0.1, you can update to 1.0.2, since the modem firmware is not updated
* If you have 1.0.1 or 1.0.2, you can perform a restore in iTunes without locking it again
* If 1.0.3 is released, WAIT until it is confirmed that it does not update the baseband
* It will probably be possible in some way to prevent updates from writing the baseband firmware, maybe by spoofing the version number on the phone

I get a "Resource Busy" error - why?

You probably forgot to disable the baseband. Run the following command:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

To enable it again when you are done unlocking, use the following command:

launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

You could also just backup the file, and then delete it from your phone, then upload it again when you want to enable it, but that would require a restart in both cases to apply the change.
I lost wifi - now it just says "No Wi-Fi"

You probably restarted your phone after running ieraser. To restore Wi-Fi you can either do a restore in iTunes and start over, or, much faster, reflash only the baseband from a terminal directly on the phone, which I will explain here.

You will need the file "ICE03.14.08_G.fls" (ICE03.12.06_G.fls if you have 1.0 firmware). I will not link to it for copyright reasons, but you'll find it in /usr/local/standalone/firmware/ in the ramdisk image of the restore firmware (see "Where can I find the iPhone firmware files?" below; I might explain this in more detail later). Using iBrickr or another application, transfer this file to /usr/bin/. You also need a terminal application on the phone: in iBrickr, click Applications → Reload app list, scroll down until you see MobileTerminal xxx and click it.

Launch the Terminal, and run the following commands:

cd /usr/bin/
bbupdater -f ICE03.14.08_G.fls

It will take a couple of minutes before it's done. When it's done, restart your phone and enjoy your Wi-Fi. And make sure you don't restart your phone after running ieraser! Thanks to ziel for telling me about this possibility.
I'm getting a "bus error"

This problem is usually caused by missing or incorrect files. If you get this error when running ieraser, make sure you have a correct secpack in the same directory. If you get this error when using iunlocker, before you get any testpoint message - make sure you have testcode.bb in the same directory as iunlocker. If you get the error after "Testpoint works" message, make sure nor file is correct and placed in same directory as iunlocker. All names should be lower case!
I get errors when using minicom

minicom: cannot open /dev/tty.baseband: Resource busy

See Resource busy question above

minicom: WARNING: configuration file not found, using defaults
minicom: cannot open /dev/modem: No such file or directory

You probably forgot to upload minirc.dfl to /usr/local/etc/. You could also just start minicom with "minicom -s" and change serial port to "/dev/tty.baseband" manually.
Where can i find the iPhone firmware files?

The files can be downloaded from the URLs below. They are 91,2 MB in size. Rename them to .zip to extract the DMG images. The main firmware image is encrypted, while the image containing the modem firmware should be mountable directly on a Mac.

* iPhone1,1_1.0_1A543a_Restore.ipsw
* iPhone1,1_1.0.1_1C25_Restore.ipsw
* iPhone1,1_1.0.2_1C28_Restore.ipsw

Tips and tricks
Configuring EDGE settings (internet)?

If you have firmware 1.0.1 or later you can go to Settings → General → Network → EDGE to configure EDGE. Check your provider's website for the settings.
Making the carrier name/logo fit without scrolling

Apple left a rather small space for the operator name, so if it's above 7(?) characters it will scroll and display only the first part. I found a way to decrease the font size, making it fit.

Load the following file in a Hex editor:

System/Library/CoreServices/SpringBoard.app/SpringBoard

The font size should be at offset 7C176. In HxD, click Search → Goto and enter 7C176 (hex) as the offset. If the font size is not at this offset in your file, try a text string search for loopOperatorToBeginning; it should be right above that.

In the same place you can also change the font type and the colour of the text. The default is size 14; changing it to 11 or 12 should do. So far I have not found a way to trick the phone into using a logo image file instead, like it does for AT&T/T-Mobile etc.; if someone finds out, let me know. I wonder why the iPhone only displays the name of the GSM network, not the provider name stored on the SIM like most other phones do.
Changing phone number formatting: (123) 456-7890

Formatting is stored in:

/System/Library/Frameworks/AddressBookUI.framework/ABPhoneFormats.plist

Download this file from your phone. It is stored in binary plist format, so you'll need to convert it to text first (on a Mac: plutil -convert xml1 ABPhoneFormats.plist). Open it in a text editor and change the formatting under us to look like you want (if you find your region in the file, just copy from your region to us). There's probably some way to make it use your own region instead of 'us', but I don't know where that is specified. When you are done changing the formatting, save the file and upload it to the iPhone in the same directory you found it. You don't need to convert it back to binary.
Disabling autocorrection when typing on keyboard

Read here until I write a more detailed way.
Adding international characters on the keyboard?

Read here until I write a more detailed way.
Other PC-applications

* WinSCP (download/upload files from your phone)
* Suggestions?
