Tuesday, August 28, 2007

The Easiest method for Hardware Unlock!

First off, I would like to thank the iphone-dev team (found on irc.osx86.hu), iZsh, HaRRo, Zf & bugout for making this a possibility... ok with the formalities out of the way.. let's get cracking..

What you need:
  • iPhone (OBVIOUSLY!)
  • bypassed Activation (methods found here.)
  • Jailbreaked
  • SSH Enabled (method found here along with jailbreak: Windows - Macintosh)
  • sftp-server installed (instruction found here, improvise with windows.)
  • binkit installed (instructions found here.)
  • 2 needles to conduct electricity (or use your imagination.)
  • and the files in the following rar package: iphone.unlock.toolkit.rar

Before we take the iPhone apart!
  • bypass the Activation.
  • jailbreak
  • install SSH
  • install sftp-server
  • install binkit
in that order...

Now the fun stuff...
Take
the back panels off using the following method found here (Use anything you can think of that would not scratch it a guitar pick is good but I used a 1.4mm screwdriver which made a few scratches, but if you want to I am sure you will find something that wont scratch). Once that's done you're gonna need to pry open the logic board metal shield (found right ontop of the battery) sadly, I can't find a guide online but it's easy.. use a tiny tiny screwdriver and proceed by unclipping the metal shield from the side (you'll see little dimples, those are the clips.)

Once that's done...
  • Start up your iPhone and plug it into your computer.
  • get the ip address of your iPhone (this is done by going to WiFi / To the right of ur selected network you will find a blue arrow, click it and this should show you your iPhones ip address.
  • connect to your iPhone via SCP using the username: root and the password: dottie (unless you changed the password, then use your chosen password.) ... ignore the errors if there are any..
  • Goto: /usr and create a folder "local" and then goto "local" and create a folder called "etc"
  • then go back to the root directory of your iPhone (a.k.a. "/") and then you will see a folder called "etc", double-click on this folder, it should now take you into that folder... once you're there upload termcap from the .rar into that directory.
  • copy bbupdater from the .rar into the /bin directory.
  • Goto the folder /system/library/launchdeamons and move the file commcenter.plist to your desktop (MAKE SURE YOU MOVE IT AND NOT COPY IT!)
Now Reboot your iPhone...
  • Once you're done rebooting, login to your iPhone with the specified username and password mentioned to login via SCP and type: minicom -s and an ASCII menu will appear...
  • Select "Serial Port Setup" and type A and change that information to /dev/tty.baseband and hit Enter then Esc.
  • Select "Save Setup as dfl"
  • Now Goto Exit and you should see "Initializing Modem"
  • once you're in the minicom type: AT and it should respond OK
More fun, but you're gonna need Steady hands..

you see where the red line following the wire in the picture above.. scrape off the tracer (a.k.a. blue stuff covering the wire) be extremely gentle .. i used a thumb tack to scrape the wire, but you can use anything sharp and with a thin point.. keep scraping untill you see a copper wire emerge. Now with your make shift conductor wire touch the wire and touch where the +1.8v wire is pointing to in the image above for about a second or so.. your minicom SSH window should freeze and when you type something into it it will not appear..
  • Open a new SSH window and login to your iPhone
  • now type: bbupdater -v
  • you will see AT OK AT OK AT OK in the minicom SSH window..
  • close the minicom SSH window.. don't wait for the AT OK AT OK AT OK to stop..
If the following happens, that means the needle touching was successful and if you made it this far you deserve a pat on the back ((=

Now back to the software..
  • Copy the files from folder NORDumper from the rar to /usr/bin on your iPhone using SCP
  • in ssh type: cd /usr/bin
  • in ssh type: ls
  • you should see NORDumper
  • now type: NORDumper dump.bin (CASE SENSITIVE.)
  • now you have to wait for about 10-20 mins.. go watch a tv show or something and by the time you get back.. it should be done ^^
Once that's done..
  • Copy the contents of the folder ieraser from the rar also to /usr/bin on your iphone using SCP.
  • Start Cygnus Hex Editor. and open the file ICE03.14.08_G.fls. (included in the rar) (only for firmware 1.0.1 and 1.0.2 !!!!)
  • Select the range from 000001A4-000009a4. In the taskbar the selection should show 1A4-9A4. (verry important !!)
  • then goto menu edit–> select copy to file. name the file : secpack
  • Upload this file to /usr/bin on the iphone.
  • in SSH type ieraser. (if it hangs try http://lpahome.com/ieraser.rar )
Getting close to Unlocking your iPhone..
  • copy the dump.bin from /usr/bin to your PC using SCP.
  • Open this file with Cygnus Hex Editor.
  • Select the range 00020000-00304000
  • In the taskbar it should show 20000-304000 (if not do the selection again)
  • goto menu edit–> select copy to file. name the file : nor
  • open this file with the hexeditor.
  • Find the row 215148 and change 04 00 A0 E1 to 00 00 A0 E3
  • save the file, and upload it to /usr/bin using SCP.
Getting closer..
  • copy the files in the folder iunlocker from ther rar to /usr/bin
  • Touch YOUR NEEDLES TOGETHER HERE AND KEEP THEM TOUCHING! (Touching where they should)
  • with SSH goto /usr/bin and type iunlocker
  • when the program halts. Remove your needles and press a character on your keyboard followed by Enter.
  • you will see a lot of numbers running on your screen. This also takes a while… so go get yourself a cup of coffee or something..
  • after it’s done type : bbupdater -v
  • it should show : +xgendata and some more text ... not really sure about the rest..
Almost Done!!
  • in SSH type: minicom
  • then type: AT+CLCK=”PN”,0,”00000000″
  • then type: AT+CLCK=”PN”,2 this should respond in a 0 .
Congrats !!!! youre phone is now simlockfree.
  • now copy back the commcenter.plist file (don’t forget!!!)
LAST STEP!!
  • now copy the file lockdownd located in the .rar to /usr/libexec
  • put your iPhone back together and insert your chosen sim..
  • Reboot your iPhone.. and Welcome to the Unlocked iPhone Club ^^ Congratulations...
I used this method on a few iPhones and if you're careful and follow this method then you will be fine... ^^

Take care...
- emmo