Apple started selling refurbed iPhones at a discount in Aug 07, so I picked one up. A guy named Geohot published instructions on how to unlock it. A few days later he was a rockstar. I managed to unlock my iPhone using Geohot's info and now I use a T-Mobile To Go sim. I never fooled with AT&T. It took me 12 hours of fumbling around on endless problems so I thought I better write down some notes.
How?
Refer to the editunes guy, Geohot's original docs, and Macworld's guide.
I used a PowerPC Mac to do everything, and it took me a while to find the tools I needed since all the hackers seem to use Intel Macs.
At first I was going to solder the wires to the circuit board, but after looking at it I thought, no way. The traces are practically microscopic. So I thought up a much better way. A fresh AA battery is nearly 1.6 volts, which is close enough to the 1.8V to pull the line high. All you need is to solder a wire to a safety pin and use the safety pin to contact the trace on the board. No fooling around soldering and risking destruction and madness.
The negative of the battery connects to the frame on your iPhone. The positive goes to the safety pin which you will use to touch A17 per Geohot's instructions.
1. Remove the AT&T sim.
2. Use iPhoneTool to activate the phone by entering "tool --activate a.plist" in Terminal. Note this will not officially activate the phone, just get you past the first screen.
3. Use iFunTastic to restore the phone (via iTunes). I restored mine to v1.0.2.
4. Use iFunTastic to jailbreak.
5. Use iFunTastic to copy com.apple.update.plist to your desktop from /System/Library/LaunchDaemons/
6. Use iFunTastic to drop these files onto your iPhone:
| File | Purpose | Destination |
|---|---|---|
| sh | unix shell | /bin/sh |
| dropbear | ssh client | /usr/bin/dropbear |
| au.asn.ucc.matt.dropbear.plist | for dropbear | /System/Library/LaunchDaemons |
| dropbear_rsa_host_key | for dropbear | /etc/dropbear |
| dropbear_dss_host_key | for dropbear | /etc/dropbear |
| chmod | sets permissions | /usr/sbin/update* |
| com.apple.update.plist.hacked | initial setup | /System/Library/LaunchDaemons/com.apple.update.plist* |
| minicom | access to modem | /usr/bin |
| ls | directory listings | /bin |
| chmod | sets permissions | /bin |
| ieraser | Geohot hack | /usr/bin |
| nor | modified nor dump | /usr/bin |
| secpack | modem dump | /usr/bin |
| iunlocker | Geohot hack | /usr/bin |
| testcode.bb | Geohot hack | /usr/bin |
| bbupdater | Geohot hack | /usr/bin |
| NORDumper | Dumps NOR image | /usr/bin |
| termcap | for minicom | /etc |
7. Backup /usr/sbin/update. Rename chmod to update. Drop your new update to /usr/sbin. Backup /System/Library/LaunchDaemons/com.apple.update.plist. Replace it with com.apple.update.plist.hacked renaming it to com.apple.update.plist.
8. Restart twice by holding down power (on top) for 3 secs and then sliding to the right. This will make chmod and ssh executable upon reboot.
9. Restore original copies of /usr/sbin/update and /System/Library/LaunchDaemons/com.apple.update.plist.
10. Connect to your wireless network by tapping wireless and entering your network's password.
11. Get your iPhone's IP address by tapping on preferences->wireless->network_name where network_name is the name of your wireless connection.
12. Test ssh by opening terminal and entering ssh root@ip_address where ip_address is the IP address you got from your iPhone. The factory pass is dottie.
13. Generate a new password hash by executing perl -e 'print crypt("MYPASSWORD", "XX");' in Terminal, where XX is a two-character random salt. Replace root's password hash in /etc/master.passwd with the output. Note the factory root password is dottie and you can leave it if you wish. Personally I'd hate to be in Starbucks and have someone pick off root access to my phone.
14. Log in to the iPhone using ssh and run chmod +x /usr/bin/minicom
15. Setup minicom by executing "minicom -s /dev/tty.baseband". Save the setup as "dfl".
16. Test minicom by typing AT and pressing enter. The phone should respond with "OK".
17. Use NORDumper to dump the NOR rom. "NORDumper dump.bin".
18. Run iEraser to erase the modem's firmware.
19. Run iUnlocker and have your needle ready. It will tell you if the needle is not connected.
20. Run "bbupdater -v".
21. Open minicom and execute AT+CLCK="PN",0,"00000000". Confirm with AT+CLCK="PN",2 which should bring back a 0.
22. Put your T-Mobile sim in the phone.
23. Get your IMEI and CCID # by tapping the info button on the activate popup.
24. Run iActivator to activate your sim.
25. Reassemble the phone.
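Step 13 is the one security-relevant step in the list: dropbear is reachable by anyone on the same Wi-Fi, and the factory root password is public. The following is an added example, not the author's script, that checks a copy of /etc/master.passwd for the factory password and rewrites root's entry with a freshly salted crypt(3) DES hash (the same thing the perl one-liner prints); the sample file contents are constructed, and the libcrypt fallback is only for Python 3.13+, which dropped the crypt module.

```python
"""Added example, not from the page's author: audits a master.passwd for the
factory root password the page names ("dottie") and rewrites root's entry with
a freshly salted crypt(3) DES hash, as the page's perl one-liner produces."""
import secrets

try:
    import crypt as _crypt                       # stdlib up to Python 3.12
    def des_crypt(password: str, salt: str) -> str:
        return _crypt.crypt(password, salt)
except ImportError:                              # 3.13+: call libcrypt directly
    import ctypes, ctypes.util
    _lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
    _lib.crypt.restype, _lib.crypt.argtypes = ctypes.c_char_p, [ctypes.c_char_p] * 2
    def des_crypt(password: str, salt: str) -> str:
        return _lib.crypt(password.encode(), salt.encode()).decode()

SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
FACTORY_ROOT_PASSWORD = "dottie"                 # as stated on the page

def new_salt() -> str:
    """Two random characters from the crypt(3) salt alphabet (the page's XX)."""
    return secrets.choice(SALT_ALPHABET) + secrets.choice(SALT_ALPHABET)

def root_hash(master_passwd: str) -> str:
    # The hash field of the root line, or '' if there is no root line.
    for line in master_passwd.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            return fields[1]
    return ""

def root_has_factory_password(master_passwd: str) -> bool:
    # The first two characters of a DES hash are its salt; re-hash and compare.
    stored = root_hash(master_passwd)
    return len(stored) >= 2 and des_crypt(FACTORY_ROOT_PASSWORD, stored[:2]) == stored

def set_root_password(master_passwd: str, password: str, salt: str = "") -> str:
    # Return master_passwd with root's hash replaced; every other line untouched.
    new_hash = des_crypt(password, salt or new_salt())
    out = []
    for line in master_passwd.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            fields[1] = new_hash
        out.append(":".join(fields))
    return "\n".join(out) + "\n"

# Constructed sample in BSD master.passwd layout; root's hash is the factory
# password under salt "XX", which is what the page's perl command would print.
SAMPLE_MASTER_PASSWD = (
    f"root:{des_crypt(FACTORY_ROOT_PASSWORD, 'XX')}:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false\n"
)
```

Write the returned text back to /etc/master.passwd over the ssh session only after root_has_factory_password reports False on it.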
Q: How do I get the iPhone open?
A: Use guitar picks and collar stays. Watch the video by the PDA parts people.
P: I watched the video and this phone is a bitch to get open. It looked so easy.
A: Yes, it took me two hours to open it. You have to use Herculean force. You might order a case opener tool from the PDA Parts people.
Q: Where do I get secpack?
A: You have to extract 0x1a4-0x9a4 from the ICE03.14.08_G.fls file from Geohot. You can use Hexedit to do this.
Q: Where do I get nor?
A: From your NOR dump. nor is the NOR ROM range 0x20000-0x304000 with the following modification:
3.14 (firmware 1.0.2), at offset (215148): 04 00 a0 e1 becomes 00 00 a0 e3
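The two answers above amount to a byte-range extraction and a four-byte patch, and the thing that bricks phones is applying the patch to the wrong file, the wrong firmware version or a miscounted offset. As an added example (not the page's or Geohot's code), this script carries out both steps but refuses to patch unless the original bytes are actually at the offset. It assumes the offset 215148 is decimal and counts from the start of whatever buffer is handed in (the page does not say which base it counts from), and the sample dump it runs on is constructed.

```python
"""Added example, not from the page's author: extract a byte range from a
firmware image and apply the page's 3.14 patch only after verifying the bytes
at the offset are the ones the patch expects, so a bad file or offset fails."""

# Ranges and patch bytes as the page gives them. The offset is treated as
# decimal and relative to the buffer passed in; the page does not state
# whether it counts from the start of the dump or of the extracted range.
SECPACK_RANGE = (0x1A4, 0x9A4)          # in ICE03.14.08_G.fls
NOR_RANGE = (0x20000, 0x304000)         # in the NORDumper output
NOR_PATCH_OFFSET = 215148
NOR_PATCH_FROM = bytes.fromhex("0400a0e1")
NOR_PATCH_TO = bytes.fromhex("0000a0e3")

def extract_range(image: bytes, start: int, end: int) -> bytes:
    """Copy image[start:end], refusing ranges that run past the file."""
    if not 0 <= start < end <= len(image):
        raise ValueError(f"range {start:#x}-{end:#x} is outside a {len(image):#x}-byte image")
    return image[start:end]

def apply_patch(image: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a patched copy; refuse unless the original bytes are present."""
    if len(expected) != len(replacement):
        raise ValueError("patch must keep the image the same length")
    found = image[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"bytes at {offset:#x} are {found.hex()}, expected "
                         f"{expected.hex()}: wrong file, firmware version or offset")
    patched = bytearray(image)
    patched[offset:offset + len(replacement)] = replacement
    return bytes(patched)

def build_secpack(fls: bytes) -> bytes:
    return extract_range(fls, *SECPACK_RANGE)

def build_nor(nor_dump: bytes) -> bytes:
    """Extract the nor range, then patch it (offset relative to the extract)."""
    nor = extract_range(nor_dump, *NOR_RANGE)
    return apply_patch(nor, NOR_PATCH_OFFSET, NOR_PATCH_FROM, NOR_PATCH_TO)

def make_sample_dump() -> bytes:
    """Constructed stand-in for a NOR dump: zeros, with the expected bytes placed
    where the patch looks for them, so the example runs without a phone."""
    dump = bytearray(0x310000)
    at = NOR_RANGE[0] + NOR_PATCH_OFFSET
    dump[at:at + 4] = NOR_PATCH_FROM
    return bytes(dump)
```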
P: I can't sync in iTunes. I get that stupid AT&T invalid sim message.
A: Trash com.apple.CommCenter.plist in /System/Library/LaunchDaemons. Note you will lose all sound until you put it back. One plus is you will lose those stupid activation pop-ups on the phone.
P: While I was hacking I lost all my sound!
A: You need to put com.apple.CommCenter.plist back.
Q: Where does minicom go?
A: In /usr/bin
Q: Where does termcap go?
A: In /etc
P: When I kick off minicom I get the error "No termcap database present!"
A: Drop the termcap into /etc.
Q: Do I need to make termcap executable?
A: Nope.
P: Minicom kicks out the message "WARNING: configuration file not found, using defaults"
A: Forget about it, it's a warning.
P: When I kick off minicom I get the error "Exec format error. Wrong Architecture."
A: You need a minicom compiled for the correct platform. Try this one.
P: When I kick off minicom I get the error "cannot execute binary file"
A: You need a minicom compiled for the correct platform.
Q: How long does the unlocker tool run for?
A: Forever. You can break it with Ctrl+C after 2e4000 scrolls by.
Q: What does minicom look like?
A: The serial port setup screen, and the bottom of the configuration menu where you save the setup:

┌──────────────────────────────────────────────────┐
│ A -    Serial Device      : /dev/tty.baseband    │
│ B - Lockfile Location     : /var/tmp/            │
│ C -   Callin Program      :                      │
│ D -  Callout Program      :                      │
│ E -    Bps/Par/Bits       : 115200 8N1           │
│ F - Hardware Flow Control : Yes                  │
│ G - Software Flow Control : No                   │
│                                                  │
│    Change which setting?                         │
└──────────────────────────────────────────────────┘

┌─────────────────────────────────┐
│ Screen and keyboard             │
│ Save setup as _dev_tty.baseband │
│ Save setup as..                 │
│ Exit                            │
│ Exit from Minicom               │
└─────────────────────────────────┘
Q: Why didn't someone write a script for all this?
A: See below, I've started on one.
P: I bricked my phone monkeying around with it. It's not responding! $500 down the toilet!
A: I thought I bricked mine also. Plug it into the wall. It should boot.
Q: I got all the way to the end and it still is not activated. What happened?
A: You have to activate the phone using iActivator by keying in your IMEI and CCID #s from the phone. You also have to restore the com.apple.CommCenter.plist or the phone won't work.
Q: What happens if I upgrade my iPhone from v1.0.2 to a newer release later on?
A: It breaks your phone and you start all over again. You don't want to do that. 12 more hours!
Q: How do I get photos off my iPhone to my Mac?
A: Use iPhoto, click import.
P: My Bluetooth is totally dead.
A: Delete the termcap file you dropped on the phone.
I've started working on a script to automate all this. It's very limited but I will definitely be using it the next time I do this.
The script does the following:
It should just be a matter of adding on to the iPHUC_script.txt file. You should be able to reduce your time from 12 hours down to maybe two hours. Wait, it takes two hours to open the phone, so make that three hours. You'll still have to use the needle, of course. Type i to kick it off from Terminal.