Hardware unlock of iPhone

From OoKoo.org



Hardware Unlock

Preamble

This hardware unlock is based on the one released by geohot. Pictures are taken from there (for now). I'll upload pictures and improve the text as I do it myself.

Remember to always back up your data before doing anything to your iPhone!

Probably before Monday August 27th, I'll have new pictures available, from my iPhone, and from my unlock. Just wait a bit more.

Warning

Opening an iPhone is far from an easy job. It's not really hard, but it requires a whole lot of patience. The whole process may take up to 4 hours (1~2 hours just for opening and closing the iPhone if you're really meticulous).

Opening the iPhone with a swiss army knife as proposed is dangerous, and shouldn't be done if you're not absolutely sure of yourself. In any case, follow the explanations on this page only if you accept that you alone are responsible for the outcome. You are warned, so don't hurt yourselves.

Steps

Step 0: get ready

First, make sure you have everything required. You'll also need an incredible amount of patience to get the iPhone open...

Hardware

  • an iPhone (jailbroken with SSH, and CommCenter disabled by moving its LaunchDaemon plist out of the way. Google it if you don't understand)
  • Tools to open the iPhone (a swiss army knife or guitar picks should do)
  • Soldering iron (not too big)
  • Screwdriver
  • Fine pitch wire
  • A switch (the "unlock switch". Can be big, small, whatever, we don't care)

Software

Step 1: opening the iPhone

Depends on: Step 0

First, we need to open the iPhone. There are enough tutorials about this around for you to find a way to do it. Remove the black part on the back side, the three screws and the aluminium case. Disconnect the wire connecting the phone to the case.

Now, remove the metal cover over the comm board.

Step 2: the unlock switch

Depends on: Step 1

Picture: Location of the A17 trace and the 1.8 V source

The unlock is done by applying 1.8 V to the A17 trace (as shown in the picture).

The goal is to solder one wire to the 1.8 V source and the other to the A17 trace. Scrape away the solder mask over the trace with something like a multimeter probe, then solder a very thin wire to it. Be very careful: only scrape away the solder mask above that one trace. YOU DO NOT WANT TO BREAK THE TRACE. This is the hardest step in the whole process; the rest is cake.

Connect both wires to the unlock switch (make sure it's set to OFF).

Picture: The location where you'll have to solder is indeed small, compared to the iPhone's size

Use the continuity check on your multimeter to make sure the two wires aren't already connected to each other, and that neither is connected to ground.

Step 3: testing the unlock switch

Depends on: Step 2

Power up your iPhone (hopefully it'll work). Open minicom, connect to /dev/tty.baseband and send some commands (AT will do). You should get "OK" replies. Flip the switch to ON and you shouldn't get any response anymore. Flip the switch back to OFF, open another SSH session and run bbupdater -v (you get bbupdater from the ramdisk). This should reset the baseband, and it should respond again when you send AT commands.

Step 4: patch the NOR

Depends on: Step 0

Check the modem version in Settings -> About. It'll be either 3.12 (firmware 1.0) or 3.14 (firmware 1.0.1 and 1.0.2).

Run NORDumper, save your NOR dump and copy it to your computer.

First, you need to extract the NOR from your dump. The range you need is 0x20000-0x304000 (131072 bytes in, 3031040 bytes long):

dd if=mydump of=nor skip=131072 bs=1 count=3031040

Then patch the file "nor" at the following decimal byte offset (depending on your modem version), replacing the four original bytes with the four new ones:

3.12: (213740): 04 00 a0 e1 -> 00 00 a0 e3
3.14: (215148): 04 00 a0 e1 -> 00 00 a0 e3

Save the file nor.
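As an added example (not part of the original page or of the tools it mentions), the following Python script does the extraction and the patch above in one go, and refuses to write anything if the four original bytes are not actually at the offset, so a wrong modem version, an already patched file or a bad dump is caught instead of producing a broken NOR. The command-line interface, file names and function names are my assumptions; the offsets and byte values are the ones given above.

```python
#!/usr/bin/env python3
"""Extract the NOR region from a NORDumper dump and apply the version-specific patch.
Added example; offsets/bytes are from the page, the CLI and names are assumptions."""
import sys

NOR_START = 0x20000          # same range as: dd skip=131072
NOR_END = 0x304000           # exclusive; count = 0x2E4000 = 3031040 bytes

# Decimal file offsets into the extracted "nor" file, per modem version.
PATCH_OFFSETS = {"3.12": 213740, "3.14": 215148}
ORIG_BYTES = bytes.fromhex("0400a0e1")   # ARM little-endian: mov r0, r4
NEW_BYTES = bytes.fromhex("0000a0e3")    # ARM little-endian: mov r0, #0


def extract_nor(dump: bytes) -> bytes:
    """Return the 0x20000-0x304000 slice of the raw dump."""
    if len(dump) < NOR_END:
        raise ValueError(f"dump too short: {len(dump):#x} bytes, need {NOR_END:#x}")
    return dump[NOR_START:NOR_END]


def patch_nor(nor: bytes, modem_version: str) -> bytes:
    """Apply the 4-byte patch for modem_version, refusing to touch unexpected bytes."""
    if len(nor) != NOR_END - NOR_START:
        raise ValueError(f"nor must be {NOR_END - NOR_START:#x} bytes, got {len(nor):#x}")
    offset = PATCH_OFFSETS[modem_version]     # KeyError for an unknown version
    found = nor[offset:offset + 4]
    if found == NEW_BYTES:
        raise ValueError("nor is already patched at this offset")
    if found != ORIG_BYTES:
        raise ValueError(f"unexpected bytes {found.hex()} at {offset}: wrong version or bad dump?")
    return nor[:offset] + NEW_BYTES + nor[offset + 4:]


def main(argv):
    if len(argv) != 4:
        print("usage: patchnor.py <dump> <3.12|3.14> <out-nor>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        dump = f.read()
    patched = patch_nor(extract_nor(dump), argv[2])
    with open(argv[3], "wb") as f:
        f.write(patched)
    print(f"wrote {len(patched):#x} bytes to {argv[3]}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```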

Step 5a: erase the iPhone's NOR

Depends on: Step 0

You'll need the iEraser tool (look in the "Software" part of this page). It erases the current firmware of your modem, making it ready to accept a new one. You can still put the old one back with bbupdater, so don't worry.

You'll need the ramdisk corresponding to your version. Go into "/usr/local/standalone/firmware" and get the ICE*.fls file. Extract the range 0x1a4-0x9a4 from this file and save it as "secpack" in the same place as iEraser:

dd if=ICE*.fls of=secpack skip=420 bs=1 count=2048

You can now run iEraser. Remember that the switch is still "OFF" at this point.

Step 5b: write the new NOR

Depends on: Step 3 & Step 4 & Step 5a

You'll now need iUnlocker (see the "Software" part of this page to get it), together with the "nor" file obtained in step 4.

The unlock switch (step 3) must be in the ON position while running this program. It will download and run the code in "testcode.bb", then ask you to turn the unlock switch OFF. Once that's done, type any character and press Enter; the NOR download starts right away.

When the counter reaches 0x2E4000, it's done.

Run bbupdater -v

If it returns the "xgendata", the NOR upload was successful.

Step 6: unlock

Depends on: Step 5b

At this step you no longer need the unlock switch. You may leave the wires inside the iPhone for future use (after an Apple update? We don't know yet whether Apple will try to counter this, or how, so you might want to keep the two wires), but make sure they don't touch anything.

Run minicom and connect to /dev/tty.baseband, and run the following:

AT+CLCK="PN",0,"00000000"

Your iPhone should now be unlocked. To make sure, run:

AT+CLCK="PN",2

It should show +CLCK: 0

Your phone is now unlocked. Exit minicom and copy the CommCenter plist back to its place. Reboot. iASign. And enjoy your unlocked iPhone.
