CAUTION: For bootloader 3.9 only. OTB 1.1.2 & 1.1.3 owners, please check Unlock OTB 1.1.2 & 1.1.3.
UPDATE: As long as Apple doesn’t update the bootloader (looks like Apple will never do so, but who knows), this unlock may be the best solution so far. But please keep your original seczone in a safe place, just in case you need it in the future.
Yesterday, I tried the manual unlocking method published by Geohot, and successfully unlocked my 04.03.13_G (bootloader 3.9) modem. The whole process was flawless. I even tried to restore the modem to see if the unlock is update resistant.
The manual unlocking method comes with a script, but to be sure everything is working as expected, I chose to execute each command manually so I can take full control in case something’s wrong.
To make the phone easier to control, I chose to do this on 1.0.2 because it won’t cut WiFi during the reflashing process. So I updated my iPhone to 1.1.3 with iTunes, then entered DFU mode and downgraded the firmware to 1.0.2. This way I got a 1.0.2 + 04.03.13_G combination.
The following are the steps I took to unlock my 04.03.13_G (BL3.9) iPhone. The whole procedure was done through SSH; note that firmware 1.0.2 is required to keep WiFi working during the process.
Unlock It
Make sure the following requirements are fulfilled:
iPhone is running firmware 1.0.2, modem is 04.03.13_G, bootloader is 3.9
BSD Subsystem installed
OpenSSH installed
Term-vt100 installed (in case we lose WiFi, which is unlikely to happen)
Then upload all the needed files to /unlock113 on iPhone:
Geohot Unlock for 04.03.13_G (Bootloader 3.9 Only)
ICE04.03.13_G.fls
ICE04.03.13_G.eep
Step 1: Download Elite Virginizor in Debug Mode
Stop the communication center as usual:
launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
Then issue the following to download the elite virginizor in debug mode:
cd /unlock113
chmod 755 *
./iUnlock secpack debugvirgin
Step 2: Dump seczone
Issue the following command to dump the current seczone:
./norz seczone 0x3FA000 0x2000
A file named seczone will be created. This file is vital, please save it in a safe place, you need this file in case your seczone is ruined for whatever reason.
Step 3: Dump the KEYA
./norz keya 0x3E0000 0x400
The KEYA will be dumped into a file named keya.
Step 4: Run Exploit
Enter the following command to run the exploit utilized in IPSF:
./process
Check if the exploit works. If there’s a file named seczoneout being created, then the exploit has worked, go ahead. I got this file without problem.
Step 5: Create Seczone Loader
Enter the following command to combine the two files into a seczone loader:
cat secloader seczoneout > fsecloader
This creates the loader in the file fsecloader.
Step 6: Upload Seczone Loader
./iUnlock secpack fsecloader
Step 7: Write Patched Seczone
Since iUnlock doesn’t reset baseband, use norz to do a dump, it’ll reset the baseband at the end, and this activates the loader to write the patched seczone.
./norz seczone.same 0x3FA000 0x2000
Step 8: Dump New Seczone
./norz seczone.patched 0x3FA000 0x2000
Step 9: Reflash Baseband
./bbupdater -f ICE04.03.13_G.fls -e ICE04.03.13_G.eep
Step 10: Unlock
Now send the command AT+CLCK="PN",0,"00000000" to the modem. I chose to use a nifty tool, igsm (details can be found HERE, check the updates at the end of that article), so that I didn’t have to use minicom. I put igsm into /usr/bin and entered:
/usr/bin/igsm -c "AT+CLCK=\"PN\",0,\"00000000\""
To be sure it worked, I read the lock state back:
/usr/bin/igsm -c "AT+CLCK=\"PN\",2"
It returned 0, so the unlock was successful.
Step 11: Start Communication Center
launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
My phone didn’t log in to my local carrier immediately, so I turned Airplane Mode ON and OFF to trigger a new carrier search. It finally picked up my local carrier, and everything’s fine now.
Since Geohot claimed this is an IPSF-alike unlock, I thought I’d give it a try and see if it survives after the iTunes update. So I downgraded my baseband to 03.14.08_G, then updated to 1.1.3 with iTunes, then issued an unlock command. Again, my iPhone picked up my local carrier without problem, looked like it really did the same trick as IPSF.
So far, everything’s just fine. I only need to send an unlock command each time the iPhone is restarted (this step is required for the real IPSF as well), but for now I don’t find it inconvenient to send this unlock command after each reboot.
UPDATE: My temporary solution is like the following:
1. Rename the old CommCenter to CommCenter_org
2. Write a script to load the original CommCenter:
#!/bin/bash
/usr/bin/igsm -c "AT+CLCK=\"PN\",2"
/usr/bin/igsm -c "AT+CLCK=\"PN\",0,\"00000000\""
exec /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter_org
Put it at /System/Library/Frameworks/CoreTelephony.framework/Support/, rename it to CommCenter, and give it permission 755.
UPDATE: I have to add an extra AT command in front of the unlock command because igsm may fail the first time, but it’ll work after the first failure.
Thanks Arnaldo who pointed out that it’d be better to send the unlock before CommCenter instead of lockdownd.
UPDATE: After comparing the seczones dumped before and after the unlock, I noticed that the NCK token starting at 0x400 was zeroed out, so this is indeed an IPSF clone, a free IPSF :) It has the benefits IPSF has, and it has the issues IPSF has as well.
Revert to Original
After playing around with the new unlock, I felt I needed to try reverting it. So I took the following steps, and it worked.
Step 1: Prepare to Revert
Make sure all the files from the previous unlock procedure are uploaded to the iPhone, and put them into a folder, say, /revert113. NOTE: you don’t actually have to copy all the files, but it’s easier to copy them all than to select the needed files one by one.
Step 2: Revert Seczone
Now take these steps to stop CommCenter, then revert the seczone (NOTE: the original seczone was dumped into a file named seczone during your previous unlock procedure):
launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
cd /revert113
chmod 755 *
./process
cat secloader seczone > fselector_revert
./iUnlock secpack fselector_revert
./norz seczone.ignore 0x3FA000 0x2000
./norz seczone.revert 0x3FA000 0x2000
The seczone is now reverted to the original. Copy seczone.revert to your computer and compare it with your original seczone file using a binary tool (I use WinHex); they should be exactly the same except for the last 2 bytes.
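To do the comparison above without a hex editor, and to check the NCK region at 0x400 mentioned in the earlier update, here is an added Python checker; it is not part of the original post or of Geohot’s tools. The 0x100-byte NCK window and the sample dumps are constructed assumptions (the post gives no token length), and the dump size of 0x2000 bytes matches the norz commands above.

```python
import sys

SECZONE_SIZE = 0x2000   # 8192 bytes: the length the norz dumps in the post use
NCK_OFFSET = 0x400      # offset where the post saw the NCK token zeroed
NCK_WINDOW = 0x100      # assumed number of bytes to inspect; the post gives no length


def load_dump(path):
    """Read a seczone dump from disk (as produced by ./norz seczone ...)."""
    with open(path, "rb") as f:
        return f.read()


def check_size(dump):
    """True if the dump has the full 0x2000 bytes; a 2048-byte file is truncated."""
    return len(dump) == SECZONE_SIZE


def zero_run_at(dump, offset):
    """Number of consecutive 0x00 bytes starting at offset."""
    n = 0
    while offset + n < len(dump) and dump[offset + n] == 0:
        n += 1
    return n


def nck_zeroed(dump):
    """True if the assumed NCK window at 0x400 is entirely zero (IPSF-style patched seczone)."""
    return len(dump) >= NCK_OFFSET + NCK_WINDOW and zero_run_at(dump, NCK_OFFSET) >= NCK_WINDOW


def diff_ranges(a, b):
    """Inclusive (start, end) offset ranges where two dumps differ; extra length counts as differing."""
    n = max(len(a), len(b))
    ranges, start = [], None
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, n - 1))
    return ranges


def classify_revert(original, reverted):
    """Compare a reverted seczone with the original backup, as the post does with WinHex."""
    if len(original) != len(reverted):
        return "size mismatch"
    ranges = diff_ranges(original, reverted)
    if not ranges:
        return "identical"
    if ranges == [(len(original) - 2, len(original) - 1)]:
        return "last 2 bytes only"   # the outcome the post reports as acceptable
    return "mismatch"


# Constructed sample dumps (not real seczone contents): every byte is non-zero so
# that a zeroed NCK window and changed trailing bytes show up as clean ranges.
ORIGINAL = bytes((i * 37 + 11) % 255 + 1 for i in range(SECZONE_SIZE))
PATCHED = ORIGINAL[:NCK_OFFSET] + b"\x00" * NCK_WINDOW + ORIGINAL[NCK_OFFSET + NCK_WINDOW:]
REVERTED = ORIGINAL[:-2] + b"\x00\x00"   # last two bytes changed, as one commenter saw

if __name__ == "__main__":
    # usage: python seczone_check.py seczone seczone.revert (falls back to the samples)
    orig = load_dump(sys.argv[1]) if len(sys.argv) > 2 else ORIGINAL
    cand = load_dump(sys.argv[2]) if len(sys.argv) > 2 else REVERTED
    print("size ok:", check_size(cand), " NCK window zeroed:", nck_zeroed(cand))
    for s, e in diff_ranges(orig, cand):
        print("differs at 0x%04X-0x%04X" % (s, e))
    print("verdict:", classify_revert(orig, cand))
```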
Step 3: Reflash Modem
Now the usual way to reflash the modem and turn on CommCenter after the flash:
./bbupdater -f ICE04.03.13_G.fls -e ICE04.03.13_G.eep
launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
Reboot and everything’s back to the original.
NOTICE: If you don’t reflash the modem and reboot the phone directly, your phone will report “Repair Needed”. Don’t panic: use iTunes to do a restore and it’ll be fixed. This is what I did, since I forgot to reflash the modem (sometimes I am just absent-minded), LOL.

76 Comments
Isn’t possible to use the directory LaunchDaemons to launch the command on startup ?
Like opensshd.plist for example.
I haven’t tried yet
Maybe, but you have to find a way to make it load BEFORE lockdownd, otherwise you may need to do a manual ‘Airplane Mode’ ON/OFF cycle.
Oh well… Funny as I did just the same to see if I would run into any unexpected issue with the, let’s say, roughly put together script, and it worked 100% as well.
On all this patching the lockdown… too much of a hassle if you ask me so I just wrote this simple plist to run Signal.app at every reboot. Works as a charm for me… maybe you can give it a spin.
Label
signal
ProgramArguments
/Applications/Signal.app/signal.sh
RunAtLoad
Well… your blog just ate my code ;)
Try this: http://rapidhare.de/files/38416336/signal.plist.zip.htm
Mr. Me, thanks, I’ve had a solution but I don’t like its implementation though, I still prefer a patched lockdownd. My solution is like this:
replace /usr/libexec/lockdownd with a script: it wraps the original lockdownd into a script so the unlock command gets sent before lockdownd, and the send_unlock.sh does a bit more work: it checks if the command has been sent, which ensures the command is sent only once per reboot. I rewrote a very simple script to do the unlock before CommCenter startup, a temporary solution though.
Hum… if you could post it that would be supper dupper ;)
And if I could *read* the whole article before asking stupid questions it would be even better hehehe sorry…
Today I tried the reverting process and all went fine (you don’t need to run process again to revert, since you are not patching your seczone with ipsf)
The only thing I found is that the last 2 bytes of my seczone were changed. 0x1FFE-0x1FFF are now zeroes.
Everything seems to work as it should, but I would like to know what those sectors are and if it is bad that they are changed. Are yours changed too? Or were they zeroes from the beginning?
Nope, my reverted seczone is exactly the same as it was before the unlock, 0xFF at the end.
I meant FF’s not 00’s. It’s all good then.
Hey guys,
I’ve got a problem! Is it possible that this: ” ./bbupdater -f ICE04.03.13_G.fls -e ICE04.03.13_G.eep” has to say this “./unlock113 -f ICE04.03.13_G.fls -e ICE04.03.13_G.eep” ?? But every time I type one of both this error appears:
“zsh: permission denied: ./unlock113″
has anyone an idea cause of what? permissions are set to 755!!
thanks for help x0r3
x0r3:
do:
cd /unlock113
and then:
./bbupdater -f ICE04.03.13_G.fls -e ICE04.03.13_G.eep
unlock113 is a directory
bbupdater is a binary that you can run
If you get permission errors do:
chmod +x bbupdater
and try again.
I’m on 1.0.2 with 04.02.13G jailbroken and unlocked with bootloader 3.9. (I did HW unlock, this is original 1.1.2 OTB)
What path should I take? Upgrade baseband then issue your commands to unlock it? and after that upgrade to 1.1.3? will it be ok? Then how to jailbreak in 1.1.3?
Please help me… Thanks in advance.
Hey guys, got two questions:
1) I finally got this to work. It was my understanding that if I downgraded firmware and baseband to 1.1.1, it should still be unlocked. Doesn’t work for me. Even tried signal.app. Any suggestions? I upgraded both again back to 1.1.3 and it works without having to do this again. I just thought it would work on any firmware/baseband combo.
2) Also, I had tried this twice before, none worked. Then I tried a “revert”. Then I tried this a 3rd time and it works. Thing is, all my seczone backups are different. When I reverted after the two failed attempts, my seczone from try #1 and seczone.revert from my revert attempt were a bit different. How do I know which seczone is the one to keep?
Thanks in advance!
hey i am planning to buy iPhone i am in India and will get it after a month or so…… i think i will get iPhone with 1.1.3v now…..
SO WHICH IS THE BEST WAY TO UNLOCK 1.1.3 phone….. i really was not able to understand the above method…….
Please help me!!!
FYI. Actually, the seczone.reverted is NOT equal… the last bytes are different!! If you do a diff, it will say it is different!
Great blog!!!
When I try to revert, I got stuck at the ./process command:
When I enter that, it responds:
Running process
zsh: bus error ./process
#
Any idea how to solve this ?
Why this IPSF like needs to send AT command to baseband and not the ‘real’ IPSF?
BTW Step 10 you’re missing a ” at the end of the igsm command
Step 11 it says ./gsm instead of ./igsm
Great work for others but somehow this didn’t work for me. I upgraded to 113 downgraded to 111 and it started to complain that I need to put an approved SIM card (it says that even with an ATT card). I can’t figure out what to do now (I tried to virginize and this doesn’t work). Any idea?
Two typos, please correct:
./igsm -c "AT+CLCK=\"PN\",0,\"00000000\" To
./igsm -c "AT+CLCK=\"PN\",0,\"00000000\"" A closing quote " is missing; if you don't notice it, it can really bite you!
./gsm -c "AT+CLCK=\"PN\",2" To
./igsm -c "AT+CLCK=\"PN\",2" Missing an "i", but that one is easy to spot.
TheSMG, for *real* IPSF, you also need to send this unlock command, thanks for pointing out the typo.
Jinsoon, thanks.
FYI. You can also send the unlock command via the CTSIMSupportNetworkPersonalizationUnlock function. Download “Framework Tool” from http://users.skynet.be/ra045246/ and run “Framework CoreTelephony CTSIMSupportNetworkPersonalizationUnlock 00000000″ on your iPhone.
… and the status can be checked by running “Framework CoreTelephony CTSIMSupportGetSIMStatus”. It should return “kCTSIMSupportSIMStatusReady” after having issued the unlock command.
NumberSix, yeah I’ve been using it to check my carrier etc.
George,
For starters, thank you for your well organized, and very informative site… it’s very well done. That said, I would like to ask you a question regarding the secpack:
What happens if the original(backup) seczone file is lost? For some reason, I am still unclear on why one cannot simply restore firmware, or reflash the baseband with apple’s original files. Does it have something to do with each individual iPhone/IMEI#? Let’s say someone performed the ipsf method above, and for whatever reasons, lost the seczone backup file…. what would then happen to that iPhone? and why would it be a problem? and is there any other way to recover in the event of a lost backup?
Thank you,
Eric Jarvies
Some very important data (yes, including IMEI) is stored in the seczone, which is a highly protected area in every mobile phone. This data is not changed during a firmware update (including a baseband update).
IPSF style unlock used an exploit and wiped your NCK token which is vital, if Apple updates bootloader, without your original seczone backup, you’ll be totally locked out of the phone functionalities. From what we have seen so far, seems like Apple doesn’t want to do that, but who knows what Jobs is thinking.
Seczone is encrypted, you can’t recover it without Apple’s key, so if you lost your original seczone copy, you’re totally lost in case bad things happen to your seczone.
So if I have the secpack & ICE 4.02.13 can I do this unlock on a 1.1.2 version and not have to upgrade to 1.1.3.
Thanks
George,
Very nice Blog. I was hoping you can help me with my “no service” issue. This is the story:
* 1.0.2 OTB unlocked with anysim. Works fine for 4 months. Then one day “no service”
* Try 1.1.1, 1.1.2, 1.1.3 with anysim, ipsf geohot, bricktool, you name it.
* Now when I try the manual unlock you post here I notice that when I send this command: ./igsm -c “AT+CLCK=\”PN\”,0,\”00000000\”", the first time I get an error, but the second time is ok (I think).
My question is: Is this means that my phone is still lock? and Is that why I have “no service”? Or is just “no service” another problem? If so, can I test something else? Thanks for you time!
This is the output:
./igsm -c “AT+CLCK=\”PN\”,0,\”00000000\”"
Opened: /dev/tty.baseband
> ATE0 - set echo OFF
[E] error
Done
# ./igsm -c “AT+CLCK=\”PN\”,0,\”00000000\”"
Opened: /dev/tty.baseband
> ATE0 - set echo OFF
AT
AT+CPIN? - SIM requires PIN ?
< +CPIN: READY
AT+CLCK=”PN”,0,”00000000″
ATE0 - set echo OFF
AT
AT+CPIN? - SIM requires PIN ?
< +CPIN: READY
AT+CLCK=”PN”,2
< +CLCK: 0
< OK
Done
igsm might fail for the first time, but it’ll work fine after that, so I always send an AT+CLCK="PN",2 before the real unlock command is sent. Since you got a 0 after the AT+CLCK="PN",2, I’d think it’s unlocked.
P.S. I never had signal on 1.1.1 + 04.03.13_G, I can use 1.0.2, 1.1.2 and 1.1.3 with 04.03.13_G, but not 1.1.1.
Thanks for the reply. I have two more question. :) Is there a way to make a complete and true virginization for the iphone? I want to set it to factory state (no unlocks, no unlocks counters, etc).
As I was telling you I have a “no service” issue. Bunch of people are saying that this is a hardware problem (could be), but if you go to settings, carrier (at least in my case) I can see the names of the carriers. Sometimes, I also get signal, but I can make a call. And yesterday I was trying a different sim from another carrier, and the iPhone got full signal for a long time. I couldn’t make a call too, but the question is this: If this was a hardware problem like the antenna thing, could I do all the things I describe above? I don’t think so.
For me this is a software issue!
Thanks
If you still have a copy of original seczone, I’d suggest you downgrade to 1.0.2 and restore the seczone from there. I once had No IMEI, No Service etc problems because my baseband was corrupted, and everything’s back to normal after I restored the seczone.
Wow! that was fast :D Yes a have the copy. Do I have to follow your reverse guide for this?
If a go to 1.0.2 I will still have a 04.03.13_g BB no? Is this ok? Or I have to downgrade this too?
Thanks
I’ve used anysim before, I virginized it before trying this method, yet when running “process” it says “Your phone is probably Old AnySIMed”
anyways, it looks like an information only, because seczoneout is created. then I went through end of process without any errors.
Now when I try AT+CLCK="PN",0,"00000000" it returns ERROR, and AT+CLCK="PN",2 returns 1
what should I do ?
Hi guys, I’ll look like a dummy, but how do I put all these files on my iPhone? I have updated by mistake to 1.1.3, version 04.03.13_G, and now I cannot activate, therefore I cannot get to the WiFi settings. How do I get to the iPhone files? I cannot use WinSCP because I cannot get to the WiFi settings and see my IP address. Please someone help. Thanks
Download ziphone and run it like this: ziphone -a -j This will activate a jailbreak your phone. Then you can choose how to unlock it.
I’ll try thanks.
It does not work my iphone as a bootloader 3.9 the ziphone won’t even start. Still stuck
The ziphone works with 3.9bl. Only the unlock doesn’t work for you!
Ok I’ve been trying to run it from the cmd but it won’t work, or I double click on ziphone.exe and nothing happens. Would you have a tutorial link or something please? That’d be great. Thanks.
I got it I downloaded the latest ziphone and it worked all perfect, Thanks for the hint mate.
Could some one provide me with a scripted CommCenter. Because I can’t create scripts :) Thanks
Now I’m on 1.1.3 Geohot IPSF unlock, but have a question. I have a backup copy of my seczone from when my phone was 1.0.2, and the only difference between the one generated before the unlock this time and the one generated when I was on 1.0.2 is the last two bytes: on the old seczone I have 0x1FFE and 0x1FFF with values different than FF FF, and on my seczone generated before this unlock I have FF FF. Which one should I use to revert my seczone?
I used the one before IPSF-alike unlock which worked.
Thanks for the advice, will try with that, after reverting to the initial state, how should I proceed to go back to 1.1.1? DFU->1.1.1->Activate->Jailbreak->SSH and virginize to 04.01.13? what do you suggest?
I really need your help. I have an OTB 4.6 bootloader iPhone that I downgraded to 3.9 using the method released by geohot. I then did this unlock which you have posted, but when it came to the backup stage I couldn’t access my phone to back up the seczone files. Then the AT… command wouldn’t work so I virginized the baseband and restored and tried again, and I have tried several times and cannot get my phone network function working. Please can you tell me how I can restore my seczone without a backup or some things I could try to fix this.
Thanks, i know it was stupid of me not to backup the files,
james
James,
Are you running firmware 1.1.x during the unlock? If so you must turn on Airplane Mode, and use Term-vt100, because WiFi will be shutdown during the unlock on 1.1.x. BTW, you can’t re-create your seczone from scratch, only Apple can, you need to have a copy of your original seczone.
Topgunpilot,
Put the phone to DFU mode, restore to 1.1.1 directly. If it can’t get out of recovery mode by iNdependece or iBrickr, do a 1.1.1 restore again, it’ll be able to get out.
Yes i was running 1.1.1, but i did do the unlock in terminal on my iphone, because at first i tried through wifi and once i entered the command winscp crashed, so i decided to do it on terminal. I never turned on airplane mode though. Is there anything you can suggest to help?
Thanks,
james
What was your last successful command?
the last successful command was chmod 755 *
I do have a seczone backup but this backup is the latest one. Because I have run the unlock a few times trying to sort the problem of not being able to run the AT command. So first I tried, it modified the seczone and everything and the AT command would work. So then I reflashed the baseband and restored, ran the unlock again and it still wouldn’t work. So I assume this backup I have is the backup of the patched seczone so is no use to me.
If you failed at the iUnlock right after chmod, there’s nothing to worry about. You may want to give other method a try.
Well I failed on WiFi. But then I went to terminal and did the unlock and it all went fine. Until I got to entering the AT+CLCK="PN",0,"00000000" which just failed and said error. And so after this I tried running the process many times, with it all going fine until I get to that last AT command.
Check your seczone backup, at offset starting from 0x400, if it’s zero, your NCK token has been zeroed, otherwise it’s okay.
igsm sometimes fails at the first run, but it works after the first failure, so you may give it another try. I suggest you use ‘ AT+CLCK="PN",2 ‘ first, then ‘ AT+CLCK="PN",0….”, this way even if igsm failed at the first command, there’s nothing to worry about.
Is this what you mean? I tried a search for the offset but it wouldn’t accept it, I know nothing about hex apart from how to use the search function.
[URL=http://allyoucanupload.webshots.com/v/2001180876387095801][IMG]http://aycu06.webshots.com/image/44365/2001180876387095801_th.jpg[/IMG][/URL]
Thanks,
james
Image not visible, connection rejected. Please make sure you have a copy of seczone before taking further operations, if your phone was not unlocked by IPSF method, sending several unlock commands to baseband will lock it forever and need to revert seczone using backup copy.
Sorry try this link i just tried and it worked fine:
http://allyoucanupload.webshots.com/v/2001180876387095801
James
Please check your mail.
Ok thank you
Hi, sorry but is there any chance you could email me at:
jibz232@aol.co.uk
as I have had problems receiving some emails on the address I registered at first. And I haven’t received any emails yet.
Thanks,
james
Oh and by the way I have tried what you suggested with igsm and I have also tried doing the commands with minicom. But the command starts, but when it gets to the part where it actually does the AT+CLCK="PN",0….” bit it says ERROR.
james
Please STOP trying! You may lock your phone permanently and the only way to get around it is to restore the seczone, and you still are not sure if you have an original backup.
Sorry but you must have misunderstood. I have not done any new commands, i am just saying that yesterday when i was doing the unlock i tried all the methods with igsm and minicom.
Thanks,
james
Sorry, I can’t send mail to you, AOL rejected my mail:
I’ll try google mail.
I got your email thanks, and have sent the image.
James
By the way this is just like the problem i have had:
I’ve used anysim before, I virginized it before trying this method, yet when running “process” it says “Your phone is probably Old AnySIMed”
anyways, it looks like an information only, because seczoneout is created. then I went through end of process without any errors.
Now when I try AT+CLCK="PN",0,"00000000" it returns ERROR, and AT+CLCK="PN",2 returns 1
However it didn’t continue after saying the bit about AnySIMed so i ran the script instead of doing it manually and it went through the whole process with no problems.
But i had never used anysim before on this baseband, i had only done the geohot OTB 4.6 unlock.
James
Hi George,
I tried to restore the seczone, but I always got the 2048 bytes seczone.revert. It should be 8192 bytes. Isn’t it? What’s the file size of your seczone.revert? I tried the process under both iPhone 1.1.3 and 1.0.2, and I got the same result. Thanks.
George,
Sorry to ask this again. If I want to revert to 1.1.1 firmware, should I revert, but instead of using the 1.1.3 secpack should I use the 1.1.1 secpack to recreate my seczone? So I can then reflash the 1.1.1 modem files? Or just before flashing the 1.1.3 modem files should I just DFU my iPhone and restore to 1.1.1?
Please advise!
Best regards
hello there,
if i used this IPSF and now i have 04.04.05 BB
and i want to D\G the BB to 04.02.13
what should i do? need to revert the IPSF?
or i just use ieraser and bbupdater with secpack040405, ice040213_geep, ice040213_gfls?
thanks for the answer..
If you want to revert IPSF, then you need to recover seczone (use your original seczone backup), baseband upgrade/downgrade won’t affect your seczone.
I have another question,
i did the GeoIPSF, i had 1.1.3.
now i restore to 1.1.2 and used Ziphone to unlock it.
(i didn’t install signal)
What about my IPSF, is it still there? I mean when I’ll do a restore again and use
ziphone without unlock, it should work again? (after I’ll install signal)?
thanks
Please help me,if i want to downgrade my iPhone to 1.0.2,iTunes stucks during the step “Waiting für iPhone…” I don’t know what to do,please help!
Hi,
I have used GeoIPSF style unlock when I was on 1.1.3. Since then I have upgraded to 1.1.4 and want to reverse the process. So I got the 1.1.4 secpack and tried the steps outlined above (to reverse it) but when I run iUnlock it tells me “Error while reading secpack”.
Can anyone help?
@Hassnain, use the secpack supplied by geohot.
@George, I did… downloaded it from this site…
@George, unless you mean the secpack included in the original unlock (given above) at this URL: http://george.insideiphone.com/wp-content/uploads/2008/02/goehot_unlock_113.zip?