Unlocking an out of the box 1.1.2

This method is originally developed by George Hotz, as you can see in his blog. Big thanks to him, and the rest of the guys who helped him making this possible.

Step 1: Prepair your phone and install software

First of all, downgrade the firmware to 1.1.1 (only main firmware) and then jailbreak and activate it (don’t unlock sim-lock).

Now, launch Installer and let it refresh it’s sources. Then tap on Sources, Edit, Add: http://i.unlock.no/. Now tap on Done, then Install the following packages in the listed order:

• “BSD Subsystem” found in the System category
• “OpenSSH” found in the Network category
• “Bootloader downgrade” found in the Unlocking Tools category

Now you have the necessary software and will do the rest from your computer using a SSH terminal. If you use a PC i recommend using an application called PuTTY (Mac users can use the terminal application in OSX). In PuTTY, enter the IP-address of the phone in the “Host Name” field, and click Open button at bottom (you can find your phone’s IP-adress in Settings → Wi-Fi → Your network → Tap blue arrow). If it’s the first time you connect using SSH, it will take about a minute to connect. Log in using username: root and password: alpine.

Step 2: The hardware part: Disassemble your phone

Removing the covers from the phone is by most people considered to be the hardest part of the entire unlock solution. There’s no really obvious advices to give on this one, but here is a tutorial that shows some pictures (STOP AT PAGE 5/9!).

After you have removed the rear covers, you will see a metal shield/cover over the baseband. This one needs to be removed as well. Use a tiny screwdriver or similar to carefully lift it a little all way around (you could lift out the battery to reach the side facing it). There’s two places the shield is glued, so you’ll either need to heat it up, or just use force. You now have access to the testpoints which you will need to connect in Step 5.

 

Some pictures showing the two testpoints:

In the next step you are going to connect point A to B. Point B is a 1.8v power source which should be led to A which is the innermost trace on the board. The best way is to use two needles connected with a wire. If you have unlocked Nokia BB5/Siemens/Motorolas before you are already familiar with this. Since the area is pretty clear of components it’s “impossible” to damage anything if you are just a little careful.

Below is a picture of the needles i used (coming from a professional unlocking device). They are spring loaded to make it easier to hold stable. But as the picture to the right demonstrates, some regular needles supported by corks from bulgarian wine will also do (thanks to nasko for pic)

But first, you’ll need to expose a point in the trace (A). With something ultrasmall or thin, scratch VERY CAREFULLY on the wire until you see a golden surface. If you scratch too much, the trace will be cut and your phone is bricked (or maybe only the phone part?). Depending on what kind of needle you use, you might be able to just put the needle in it with a little pressure instead. You should not scratch the entire trace – only a tiny point to set the needle at!

Step 3: Erase baseband

Return to PuTTY (log in again if connection was dropped) and type these two commands to erase the modem firmware:

cd /usr/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plistienew

Some data is supposed to scroll through the screen.

# ieraserResetting the Baseband...DoneOpened: /dev/tty.basebandiEraser: tool by geohotthanks to gray and the dev team for the implementationthanks to nightwatch for the awesome toolchainand thanks to anonymous, iProof, lazyc0der, and dinopio for the idea for this cool trickthis tool erases your main fw, starting at 0x20000. you need this for the testpoint to workyou need a file called secpack matching your current firmware version in this foldersee http://iphonejtag.blogspot.com for instructions on finding this fileWaiting for data...Got Header: 77 0b cc02 00 85 00 02 00 FF FF 85 02 03 00SECPACK02 00 04 02 06 00 01 00 00 00 00 00 0B 02 03 0002 00 02 08 06 00 01 00 00 00 00 00 09 08 03 0002 00 03 08 20 00 00 20 00 00 FF DF FF FF C8 A326 A0 43 4A 4B 54 00 00 00 00 00 00 00 00 00 0000 00 00 00 00 00 7C 0F 03 00Erase02 00 05 08 02 00 00 00 07 08 03 00...02 00 06 08 06 00 01 00 00 00 A0 00 AD 08 03 00Hopefully the main flash was erased, wait for the next step...

It’s extremely important that you DO NOT restart your phone after erasing!

Step 4: Write the old bootloader

You’ll need to connect the testpoints at the same time you execute the next command. Since both your hands are busy with the testpoints, here is a nice trick (thanks nasko): Run the command with a 20 second delay (or any delay you need to prepair the testpoint). Here is the command:

sleep 20; iunew

Right after you hit enter, grab your needles, and set the first needle in point A. Then put the second needle on point B. Note: If you have troubles putting it stable on top of the capacitor, you could just put it right next to it, leaning onto the side of the capacitor. Hold them stable until iunew will output some data and say one of the following:

• TESTPOINT WORKS: 55 – You’re a hero. Remove your needles, and do what it tells you. If it says something about bus error, see “Troubleshooting” for more info. If eveything is OK, it should start uploading NOR and will output the blocks offset it’s writing to. It will take up to 10 minutes – it’s done when it’s on 2E4000. Go to the next step

Output:

# iunewResetting the Baseband...DoneOpened: /dev/tty.debugiUnlocker: tool by geohotuploads and runs testcode.bb in the same diruploads the nor image in "nor"make sure your switch is onthanks to iProof and lazyc0der for finding this methodthanks to the siemens guys for discovering itand thanks to nightwatch for the awesome toolchainSpamming AT, waiting for a responseAttempting to read[1]...c0Connected established to bootromFile size: 1608Checksum: 0x37Attempting to read[2]...c1TESTPOINT WORKS: 55Press any char, then hit enter after testpoint has been disconnectedxAttempting to read[1]...54Downloading modified nor........Downloaded: 2E3E00Downloaded: 2E3F00Attempting to read[1]...44run bbupdater -v and pray

• “Please connect the testpoint”- Sorry, you did not get the tespoint connected right. Don’t worry, you will probably need some tries before you get it. So just try setting the testpoints again an run iunew after you have connected them.

Output:

# iunewResetting the Baseband...DoneOpened: /dev/tty.debugiUnlocker: tool by geohotuploads and runs testcode.bb in the same diruploads the nor image in "nor"make sure your switch is onthanks to iProof and lazyc0der for finding this methodthanks to the siemens guys for discovering itand thanks to nightwatch for the awesome toolchainSpamming AT, waiting for a responseAttempting to read[1]...c0Connected established to bootromFile size: 1608Checksum: 0x37Attempting to read[1]...c1Attempting to read[3]...c1Please connect the testpoint

if it worked, enjoy your unlocked iPhone!!!

# iunew Resetting the Baseband...Done Opened: /dev/tty.debug iUnlocker: tool by geohot uploads and runs testcode.bb in the same dir uploads the nor image in "nor" make sure your switch is on thanks to iProof and lazyc0der for finding this method thanks to the siemens guys for discovering it and thanks to nightwatch for the awesome toolchain Spamming AT, waiting for a response Attempting to read[1]...c0 Connected established to bootrom File size: 1608 Checksum: 0x37 Attempting to read[2]...c1 TESTPOINT WORKS: 55 Press any char, then hit enter after testpoint has been disconnected x Attempting to read[1]...54 Downloading modified nor... ..... Downloaded: 2E3E00 Downloaded: 2E3F00 Attempting to read[1]...44 run bbupdater -v and pray if it worked, enjoy your unlocked iPhone!!!

# iunew Resetting the Baseband...Done Opened: /dev/tty.debug iUnlocker: tool by geohot uploads and runs testcode.bb in the same dir uploads the nor image in "nor" make sure your switch is on thanks to iProof and lazyc0der for finding this method thanks to the siemens guys for discovering it and thanks to nightwatch for the awesome toolchain Spamming AT, waiting for a response Attempting to read[1]...c0 Connected established to bootrom File size: 1608 Checksum: 0x37 Attempting to read[1]...c1 Attempting to read[3]...c1 Please connect the testpoint

Step 5: Completing the unlock

Congratulations, you have completed the hard parts, and the rest is just piece of cake. While still in PuTTY, you run the following command: bbupdater -v

# bbupdater -vResetting target...pinging the baseband...issuing +xgendata...firmware: DEV_ICE_MODEM_03.14.08_Geep version: EEP_VERSION:207eep revision: EEP_REVISION:7bootloader: BOOTLOADER_VERSION:3.9_M3S2Done

 

# bbupdater -v Resetting target... pinging the baseband... issuing +xgendata...     firmware: DEV_ICE_MODEM_03.14.08_G  eep version: EEP_VERSION:207 eep revision: EEP_REVISION:7   bootloader: BOOTLOADER_VERSION:3.9_M3S2 Done

If bootloader is now 3.9 it means it was succsessfull, and your phone can be unlocked like any other 1.1.1 or older phones.

Before you can do anything you need to reflash the baseband firmware. To do that, restore your phone to 1.1.1 firmware. When restore is done, you can just unlock the phone as normal

Troubleshooting and common problems

I get a “Resource Busy” error – why?

You probably forgot to disable the baseband. Run the following command:

launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist

To enable it again when you are done unlocking, use the following command:

launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

I lost wifi – now it just says “No Wi-Fi”

You probably restarted your phone after running ienew. Unfortunately, the only way to fix this is to upgrade your phone to 1.1.3.

FINAL WORDS OF CAUTION
There is a high probability in bricking/ scratching/ damaging/ ruining your $400+ iPhone if you don’t know what you are doing.