I’ve just managed to give Zibri’s new jailbreak tool (ZiPhone) a try. Zibri claims this tool can jailbreak/activate all firmware versions, unlock BL4.6 phones, change BL4.6 IMEIs, and even revive BL4.6 bricks. I’m only interested in its jailbreak/activation part because I don’t have a BL4.6 phone.
UPDATE: Now version 2.0 also unlocks BL3.9 phones.
ZiPhone version 1.0b: ZiPhone (Original: http://zibree.blogspot.com/)
ZiPhone version 1.1: ZiPhone 1.1
ZiPhone version 2.0: ZiPhone 2.0 GUI for OS X | ZiPhone 2.0 (Win GUI + OS X CLI)
ZiPhone version 2.1: ZiPhone 2.1 GUI for OS X | ZiPhone 2.1 (Win GUI + OS X CLI)
ZiPhone version 2.2: ZiPhone 2.2 GUI for OS X
ZiPhone version 2.3: ZiPhone 2.3b GUI for OS X | ZiPhone 2.3 (Win GUI + OS X CLI)
ZiPhone version 2.4: ZiPhone 2.4 GUI for OS X | ZiPhone 2.4 Windows GUI
UPDATE: I patched the zibri.dat ramdisk to add afc2 support so that I can use iPHUC and iBrickr right after the jailbreak:
ZiPhone 2.0 for Mac OS X Patched (Added AFC2, tested on 1.1.3 only)
ZiPhone 2.2 for Mac OS X Patched (Added AFC2, latest Installer, Home Screen Z removed, tested on 1.1.3 only)
UPDATE: I used the following method to extract and re-construct zibri.dat:
To extract ramdisk:
split -b 13377536 zibri.dat
cat xab xac > zibri_ramdisk.dmg
To re-construct zibri.dat (after you have finished patching the ramdisk):
cat xaa zibri_ramdisk.dmg > zibri.dat
rm -f xa[abc] zibri_ramdisk.dmg
UPDATE: Version 2.2 has a MD5 checksum so main executable needs to be patched as well.
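The split/rebuild above in a small Python helper, added here as an example (it is not part of ZiPhone or of this post's own commands). It cuts zibri.dat at the same 13377536-byte offset, checks that rebuilding from the unpatched ramdisk reproduces the original byte for byte, and reports the MD5 of the result, which is why the 2.2 executable's checksum check notices a patched ramdisk. The zibri.dat bytes used below are constructed, not the real file.

```python
import hashlib

# Offset of the ramdisk DMG inside zibri.dat: 13377536 bytes (0x0CC2000),
# the same value passed to "split -b" above.
RAMDISK_OFFSET = 13377536


def split_dat(dat: bytes, offset: int = RAMDISK_OFFSET) -> tuple:
    """Return (header, ramdisk_dmg): the header is the 'xaa' chunk, the rest is 'xab'+'xac'."""
    if len(dat) <= offset:
        raise ValueError(f"zibri.dat is only {len(dat)} bytes, expected more than {offset}")
    return dat[:offset], dat[offset:]


def join_dat(header: bytes, ramdisk: bytes, offset: int = RAMDISK_OFFSET) -> bytes:
    """Rebuild zibri.dat from a (possibly patched) ramdisk, like 'cat xaa zibri_ramdisk.dmg'."""
    if len(header) != offset:
        raise ValueError(f"header must be exactly {offset} bytes, got {len(header)}")
    return header + ramdisk


def md5_hex(data: bytes) -> str:
    """MD5 as a hex string; the 2.2 main executable verifies the DAT files this way."""
    return hashlib.md5(data).hexdigest()


def describe_dat(dat: bytes, offset: int = RAMDISK_OFFSET) -> dict:
    """Facts worth recording before and after patching: sizes, whether the leading
    header is all zeros (as noted in the comments), and both MD5 values."""
    header, ramdisk = split_dat(dat, offset)
    return {
        "total_size": len(dat),
        "header_all_zero": header.count(0) == len(header),
        "ramdisk_size": len(ramdisk),
        "ramdisk_md5": md5_hex(ramdisk),
        "dat_md5": md5_hex(dat),
    }


def patch_roundtrip(dat: bytes, patched_ramdisk: bytes, offset: int = RAMDISK_OFFSET) -> dict:
    """Split, swap in the patched ramdisk and rebuild; also confirm that rebuilding with
    the *unpatched* ramdisk gives back the original file, so the offset is right."""
    header, original_ramdisk = split_dat(dat, offset)
    rebuilt_original = join_dat(header, original_ramdisk, offset)
    new_dat = join_dat(header, patched_ramdisk, offset)
    return {
        "roundtrip_ok": rebuilt_original == dat,
        "md5_changed": md5_hex(new_dat) != md5_hex(dat),
        "new_dat": new_dat,
    }


# Constructed sample: a zero header of the real length plus a stand-in payload.
# For the real file use open("zibri.dat", "rb").read() instead.
SAMPLE_RAMDISK = b"constructed-ramdisk-payload"
SAMPLE_DAT = bytes(RAMDISK_OFFSET) + SAMPLE_RAMDISK

if __name__ == "__main__":
    print(describe_dat(SAMPLE_DAT))
    result = patch_roundtrip(SAMPLE_DAT, SAMPLE_RAMDISK + b"-patched")
    print("roundtrip ok:", result["roundtrip_ok"], "md5 changed:", result["md5_changed"])
```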
UPDATE: Quotes from Arnaldo (an iPhone geek :) :
1. In the automatic recovery mode, timing is an issue and may cause the iPhone to hang with the “Apple Logo” (just like the connector image is shown). Some claim that using the -v verbose option works (as it changes the timing). I think I know how to fix it and I’ve posted to Zibri’s blog (add a pause at the beginning of the “Stage0()” function to allow the phone to be in a stable condition).
2. Unlocking 4.03.13_G the “Zibri way” is risky.
a) He is using GeoHot code, patched to downgrade the bootloader by software and then using his patch on 04.03.13_G
b) Once the BL is downgraded, there is no way to revert it back to 4.6. But GeoHot new unlock, that he is working on (4.6_GEOMOD) will not be immediately usable for those with BL 3.9, since there is no known exploit to upgrade the bootloader in 3.9 (he will find one, but at this time there is none). So “downgraders” should know it.
UPDATE: If you want to keep BL 4.6, stay away from -Z and use -a -j -u instead. Usage:
ziphone -j = Jailbreak
ziphone -a = Activate
ziphone -u = Unlock (Works on both BL3.9 and BL4.6)
ziphone -e = Erase Baseband (BL 3.9 only)
ziphone -b = Downgrade Bootloader from 4.6 to 3.9, update baseband to 4.03.13 and patch the unlock.
ziphone -D: Enter DFU Mode.
ziphone -R: Enter Recovery Mode.
ziphone -N: Exit Recovery Mode (normal boot).
ziphone -C: Make coffee (checks MD5 sums on included DAT files)
ziphone -Z Y : activates/jailbreaks/unlocks and downgrades bootloader
ziphone -Z N : some people reported this unlocked the phone when it shouldn't
ZiPhone 2.0
I tried ZiPhone 2.0 for Mac OS X on Leopard with iTunes 7.5 and attempted to jailbreak/activate my newly restored BL3.9 phone. The whole procedure was flawless, as claimed: the jailbreak/activation completed in approximately 45 seconds.
The new GUI application makes it very user friendly, even a new iPhone owner could succeed after some mouse clicks:

Attempt 1
First I tried to see if it worked on firmware 1.1.3, so I restored my phone to 1.1.3 + 04.03.13_G (locked), then checked:
Jailbreak
Activate
Verbose
iPhone was successfully activated after approximately 45 seconds.
Attempt 2
Then I tried to see if it can do all the job in one step, so I again restored my phone to 1.1.3 + 04.03.13_G (locked), then checked:
Jailbreak
Activate
Verbose
Unlock
ZiPhone successfully activated and unlocked my iPhone (BL3.9) flawlessly, even though the info said it’s for BL4.6 only (I assume Zibri forgot to update the info). The script first fired geohot’s otb112 unlock, which failed because of BL3.9, then zibri’s otb113 unlock was called to finish the unlock. I didn’t try its unlock on BL4.6 because I didn’t have an OTB 1.1.2/1.1.3. The whole procedure took about 2 ~ 3 minutes. UPDATE: BTW, Zibri’s unlock is anySIM-alike, so you don’t have to send the AT+CLCK command after every reboot on a 04.03.13_G.
Attempt 3
Later I tried to see if it can jailbreak/activate older firmware versions. This time I restored my phone to 1.0.2 + 04.03.13_G (unlocked), then checked:
Jailbreak
Activate
Verbose
Once more my iPhone was activated without hassle, and the previous unlocked baseband immediately picked up my local carrier.
Attempt 4
Then I tried to see if the unlock survives a baseband update. Continuing with the phone from Attempt 3, I downgraded the baseband (using bbupdater) to 03.14.08_G; after the downgrade, the unlock was still in effect. I think I made a mistake here: after comparing the seczone before and after Zibri’s unlock, I found they were the same, which indicates the unlock is an anySIM-alike method that only touches the baseband, not the lock table. So a baseband update will invalidate it for sure. My following experience proved it.
Then I updated to 1.1.3 + 04.03.13_G and the phone seemed to be locked again. Since I thought it was an IPSF-alike unlock, I sent the unlock command to the baseband. I was wrong: after I sent several unlock commands to the baseband, my phone was locked permanently because the maximum unlock attempt count was reached. Fortunately I always keep a copy of my original seczone, so I restored my seczone to bring it back.
UPDATE: For an unknown reason (this happens occasionally) this post was truncated, so my earlier attempts with ZiPhone 1.0 were removed :( The following contents are re-added.
My Earlier Attempts
In my earlier attempts (using ZiPhone 1.0) I did some other checks after the jailbreak/activation (before extracting the ramdisk).
I first checked the kernel cache and confirmed it’s a real 1.1.3 jailbreak; the earlier jailbreaks (Natetrue’s and the DevTeam’s) are both fake because their kernel is 1.1.2’s.
Then I checked the lockdownd and found it’s the same as old 1.1.3 patched lockdownd.
Later I tried to sync with iTunes to check if the media is sync’d to mobile and it was successful.
And after I finished activation with ZiPhone, my 1.1.3 + 04.03.13_G worked perfectly, with all functions (as far as I can tell) working. I checked the following items:
iPhone: Bootloader 3.9
1.1.3 Jailbreak/Activation with ZiPhone
04.03.13_G unlocked with IPSF-alike method
Call in/out: working
SMS in/out: working
EDGE/GPRS: working
WiFi: working
YouTube: working
iTunesStore: working
Map Location: working
Limitations
1. Earlier versions can’t run on Leopard, this was fixed since version 1.1.
2. Check the following nested IF statement in the script:
if [ jailbreak ]; then if [ activate ]; then
So if you want to activate, you must check jailbreak as well.
3. No afc2 after jailbreak, so you can’t use iPHUC and iBrickr to access rootfs.
UPDATE: You may add afc2 support manually, edit the following file:
/System/Library/Lockdown/Services.plist
Add the following contents:
<key>com.apple.afc2</key>
<dict>
    <key>AllowUnactivatedService</key>
    <true/>
    <key>Label</key>
    <string>com.apple.afc2</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/afcd</string>
        <string>--lockdown</string>
        <string>-d</string>
        <string>/</string>
    </array>
</dict>
before the line <key>com.apple.crashreportcopy</key> and restart your iPhone.
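Hand-editing Services.plist is where the pairing errors reported in the comments come from (a typo that breaks the XML, or a single-dash -lockdown). The following Python is an added example, not code from this post or from ZiPhone: it inserts the afc2 entry above just before com.apple.crashreportcopy with plistlib and lints the result before you reboot. The sample Services.plist is a constructed two-entry stand-in, not the real file.

```python
import plistlib

AFC2_LABEL = "com.apple.afc2"
ANCHOR_LABEL = "com.apple.crashreportcopy"


def afc2_service() -> dict:
    """The service entry from the instructions above, as a Python dict."""
    return {
        "AllowUnactivatedService": True,
        "Label": AFC2_LABEL,
        "ProgramArguments": ["/usr/libexec/afcd", "--lockdown", "-d", "/"],
    }


def insert_afc2(services_plist: bytes) -> bytes:
    """Return a Services.plist with com.apple.afc2 placed right before
    com.apple.crashreportcopy; unchanged if afc2 is already present."""
    services = plistlib.loads(services_plist)
    if AFC2_LABEL in services:
        return services_plist
    rebuilt = {}
    for key, value in services.items():
        if key == ANCHOR_LABEL:
            rebuilt[AFC2_LABEL] = afc2_service()
        rebuilt[key] = value
    if AFC2_LABEL not in rebuilt:
        raise KeyError(f"{ANCHOR_LABEL} not found; refusing to guess where afc2 belongs")
    # sort_keys=False keeps the file order; plistlib sorts keys by default.
    return plistlib.dumps(rebuilt, sort_keys=False)


def lint_services(services_plist: bytes) -> list:
    """Problems that would stop lockdownd from pairing after the edit; [] means clean."""
    try:
        services = plistlib.loads(services_plist)
    except Exception as exc:  # ExpatError for broken XML, InvalidFileException otherwise
        return [f"Services.plist does not parse: {exc}"]
    entry = services.get(AFC2_LABEL)
    if entry is None:
        return ["no com.apple.afc2 entry"]
    problems = []
    if entry.get("Label") != AFC2_LABEL:
        problems.append("Label must equal com.apple.afc2")
    args = entry.get("ProgramArguments", [])
    if "-lockdown" in args:
        problems.append("'-lockdown' (one dash) is the typo that breaks pairing")
    if "--lockdown" not in args:
        problems.append("ProgramArguments must contain '--lockdown' (two dashes)")
    if not args or args[0] != "/usr/libexec/afcd":
        problems.append("ProgramArguments must start with /usr/libexec/afcd")
    if args[-2:] != ["-d", "/"]:
        problems.append("afc2 should export '-d /' (the root filesystem)")
    return problems


# Constructed minimal Services.plist: two stand-in entries only, not the real file.
SAMPLE_SERVICES = plistlib.dumps({
    "com.apple.afc": {"Label": "com.apple.afc",
                      "ProgramArguments": ["/usr/libexec/afcd", "--lockdown"]},
    ANCHOR_LABEL: {"Label": ANCHOR_LABEL,
                   "ProgramArguments": ["/usr/libexec/crashreportcopyd"]},
}, sort_keys=False)

if __name__ == "__main__":
    patched = insert_afc2(SAMPLE_SERVICES)
    print(patched.decode())
    print("problems:", lint_services(patched))
    print("one-dash typo:", lint_services(patched.replace(b"--lockdown", b"-lockdown")))
```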
UPDATE: The script in version 2.2 (layout adjusted for easier reading):
# System-wide .profile for sh(1)
PATH="/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin"
export PATH
/bin/sleep 5
if [ "`/usr/bin/nvram bl39 2>/dev/null|/bin/cut -f 2`" == "1" ]; then
/bin/echo "Downgrading bootloader..."
/zib/gbootloader /zib/secpack /zib/bleraser /zib/bldl /zib/39bootloader
fi
if [ "`/usr/bin/nvram ierase 2>/dev/null|/bin/cut -f 2`" == "1" ]; then
/bin/echo "iErasing..."
cd /zib; ./ieraser
cd /
nvram -d jailbreak; nvram -d activate;nvram -d unlock
fi
if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ]; then
/bin/echo "Unlock pass 1..."
/zib/gunlock2 /zib/secpack /zib/ICE04.02.13_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`
fi
if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ]; then
/bin/echo "Unlock pass 2..."
/zib/gunlock3 /zib/secpack /zib/ICE04.03.13_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`
fi
/sbin/fsck_hfs -fy /dev/disk0s1
/sbin/fsck_hfs -fy /dev/disk0s2
/sbin/mount_hfs -o noasync,sync /dev/disk0s1 /mnt1
/sbin/mount_hfs -o noasync,sync /dev/disk0s2 /mnt2
/usr/bin/unzip -o -K -X /zib/Zibri.zip -d /mnt2/mobile/Library/WebClips
/bin/chown -R 501:0 /mnt2/mobile/Library/WebClips
if [ "`/usr/bin/nvram jailbreak 2>/dev/null|/bin/cut -f 2`" == "1" ]; then
/bin/echo "Starting jailbreak..."
if [ "`/usr/bin/nvram activate 2>/dev/null|/bin/cut -f 2`" == "1" ]; then
/bin/echo "Patching lockdownd..."
/bin/ipatcher -l /mnt1/usr/libexec/lockdownd
fi
/bin/cp /zib/fstab /mnt1/private/etc/fstab
/usr/bin/unzip -o -K -X /zib/Installer.zip -d /mnt1/Applications/
# disk0s2
if [ "`/usr/bin/nvram activate 2>/dev/null|/bin/cut -f 2`" == "1" ]; then
/bin/echo "Activating youtube..."
/bin/mkdir -p /mnt2/private/var/root/Library/Lockdown
/bin/cp /zib/data_ark.plist /mnt2/root/Library/Lockdown/
/bin/cp /zib/device_private_key.pem /mnt2/root/Library/Lockdown/
/bin/cp /zib/device_public_key.pem /mnt2/root/Library/Lockdown/
fi
/bin/mkdir -p /mnt2/mobile/Library/Installer/Temp
/bin/mkdir -p /mnt2/root/Library/Installer/Temp
#/bin/cp /zib/LocalPackages.plist /mnt2/mobile/Library/Installer/
#/bin/cp /zib/LocalPackages.plist /mnt2/root/Library/Installer/
/bin/cp /zib/RemotePackages.plist /mnt2/mobile/Library/Installer/
/bin/cp /zib/RemotePackages.plist /mnt2/root/Library/Installer/
/bin/cp /zib/PackageSources.plist /mnt2/mobile/Library/Installer/
/bin/cp /zib/PackageSources.plist /mnt2/root/Library/Installer/
/bin/cp /zib/TrustedSources.plist /mnt2/mobile/Library/Installer/
/bin/cp /zib/TrustedSources.plist /mnt2/root/Library/Installer/
/bin/cp /zib/com.apptapp.Installer.plist /mnt2/mobile/Library/Preferences/
/bin/cp /zib/com.apptapp.Installer.plist /mnt2/root/Library/Preferences/
#end jailbreak
fi
/bin/echo "Unmounting filesystems..."
/usr/bin/umount /mnt1
/usr/bin/umount /mnt2
/sbin/fsck_hfs /dev/disk0s1
/sbin/fsck_hfs /dev/disk0s2
/usr/bin/nvram auto-boot=true
/usr/bin/nvram boot-args=""
/usr/bin/nvram -d unlock
/usr/bin/nvram -d imei
/usr/bin/nvram -d ierase
/usr/bin/nvram -d jailbreak
/usr/bin/nvram -d activate
/usr/bin/nvram -d bl39
/bin/echo "Now rebooting..."
/sbin/reboot
while (true); do sleep 1; done

110 Comments
George, i must by saying you do a great job in your blog.
I have a tiny question for you: after using ZiPhone, are you running 04.02.13 or are you on the new 04.03.13?
thanks,
Ben
As I said ‘I restored to 1.1.3 with iTunes’ which would of course raise my baseband to 04.03.13_G, anyway, I’ll modify the article to mention it.
Hello George, real good job!
Please, does it work with BL 4.6?
Thanks,
Fred
Fred, I don’t see why it won’t work with BL4.6, and Zibri claims that the tool even has more features for BL 4.6 :)
George, I had an OOB 1.1.2 (4.6 BL) , DEV-softupgraded to 1.1.3 and Gunlocked
In order to use this Zibree tool, I also upgraded to a real 1.1.3 in iTunes, tried ZiPhone in Leopard, but it did not work, so I passed on to my VMware Windows XP session where it did jailbreak + activate.
My baseband is now on 04.13, I do not have phone signal
You say : “My phone baseband is 04.03.13_G which had already been unlocked with IPSF-alike method before, so after I sent an unlock command to baseband, it picked up my carrier, phone functions started working.” : HOW and WHAT is the unlock command you send to baseband to activate your phonefunctions ? I suppose my phone is with the geohot 4.6BL IPSF-like, the same
thx
@Patrick
If your phone is an OOB 1.1.2, for sure it is not using the IPSF-like method.
Try to do a complete restore, and then jb+act with the Zibri tool…
If you open Settings, and then Carrier, it shows your local carriers or show a Error?
Patrick, nope, our phones are different: my phone has BL3.9 so it’s unlocked in the IPSF-alike way, your phone is BL4.6 so it’s unlocked in the (modified) anySIM way.
And what about the previous annoyances such as running Signal.app or some other similar method, is it still necessary with this new method?
I would bet it is as it seems the lockdown has not been patched differently than the previous ones… but you tell me :)
Hello George,
Thank you for your GREAT job and this fine blog.
My story would be too long to explain here. I just have one question:
For BaseBand ok, I am in 04.03.13_G FW 1.0.2 originally it was an OOB 1.1.2
But where and How do I find what BootLoader I have?
Always seeing 3.9 or 4.6, but which?
Thx in advance for your reply
rgds
marsu
George I think I need your help…
My phone is an original 1.1.2 OTB that I HW-downgraded to BL 3.9 with testpoints, running 1.0.2 with 04.02.13_G; I ran anySIM 1.2.1u. My phone was working ok… but I tried to upgrade to 1.1.3 and then all the way down to do the unlock of 1.1.3, but now my phone is jammed… I always get “Incorrect SIM” and lost my wifi even in 1.0.2, which was the only one working. My original SIM is O2 from UK.
Can you help me? This is killing me… PLEASE DO HELP !!
THANKS IN ADVANCE
I had a look at ZiPhone and roughly the way it works is this:
The main program operates on an iPhone in recovery mode and uploads a ramdisk
image “zibri.dat” to the iPhone.
The ramdisk contains a bunch of libraries and command line utils as well as
a version of gunlock, Installer and the 4.02.13G baseband fls.
The main program then sets some environment variables depending on the options
you pass it (unlock/activate/jailbreak/etc) then issues the fsboot command to
the iPhone.
The iPhone opens up the uploaded ramdisk and executes a script within it before
the iPhone has even mounted its root filesystem or media filesystem, therefore
the ramdisk has full access to the iPhone filesystem.
The ramdisk script checks the environment variables that were set earlier to
figure out what to do.
If the unlock option was selected it executes
“gunlock2 secpack ICE04.02.13_G.fls [imei]” where [imei] seems to be an optional
parameter passed to a modified gunlock that sets a new imei
A quick fsck of the root and media partitions disk0s1 and disk0s2 is done.
If the jailbreak option was selected the script mounts the root and media partitions.
If the activate option was selected the script runs ipatcher to patch lockdownd, then
Installer is unpacked into /Applications, a new fstab is copied over, and youtube is
activated by copying the relevant certificates.
When all that is done, the root and media filesystems are unmounted, the env vars
that were set by the main program are deleted and the iPhone is rebooted
Note that the script also responds to an environment var called “ierase” which
executes ieraser but the main program does not have a command line option to set that.
So if you restore to 1.1.3 through iTunes and then use the Ziphone with the -u Unlock option it will overwrite the 04.03.13 with the 04.02.13 right?
If this is true, then how come George has 1.1.3 running with 04.03.13? is it because it use to be a 3.9?
Is there a way for me to use the ZiPhone on my 4.6 1.1.2 OTB and get to 1.1.3 with 04.03.13???
Thanks for all the help,
Ben…
Read his blog carefully. He only used the jailbeak and activate options.
He didn’t use the unlock option that reflashes the baseband since he had previously used an IPSF method.
Hi, so right now i have a 1.1.3 firmware with 4.3.13G baseband. I am unlocked using the IPSF-like method. I used to have the real IPSF until I tried to upgrade the baseband from 4.2.13G on firmware 1.1.3 to 4.3.13G. My unlock was completely gone, and I was never able to get the unlock working again due to their server errors. So I used the GeoHot’s IPSF method.
Well here is my question: if I virginize my phone, then update to 1.1.3 and use ZiPhone to jailbreak, activate and unlock, will I still need to send the unlock command every time I restart my phone?
And how come I didn’t have to do that when I had the real IPSF unlock?
You are right, now is there a way for a 1.1.2 OTB to get to 1.1.3 with the new 04.03.13?
To further clarify the options:
imei - sets a new imei
unlock - runs gunlock to reflash the baseband (optionally changing imei if the previous option was used)
activate - runs ipatcher to patch lockdownd
jailbreak - installs Installer and youtube certificates
The activate option REQUIRES jailbreak to be specified due to the nested IF statements
ie -j -a will work, -a alone will not, -i alone will not do anything, you must use -u -i to change imei
For those that speak shell, here’s the full script:
# System-wide .profile for sh(1)
PATH="/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin"
export PATH
/bin/sleep 5
if [ "`/usr/bin/nvram ierase 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "iErasing..."; cd /zib; ./ieraser ; cd / ;nvram -d jailbreak; nvram -d activate;nvram -d unlock;fi
if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "Starting unlock..."; /zib/gunlock2 /zib/secpack /zib/ICE04.02.13_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`; fi
/sbin/fsck_hfs /dev/disk0s1
/sbin/fsck_hfs /dev/disk0s2
if [ "`/usr/bin/nvram jailbreak 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then
/bin/echo "Starting jailbreak..."
/sbin/mount_hfs -o noasync,sync /dev/disk0s1 /mnt1
/sbin/mount_hfs -o noasync,sync /dev/disk0s2 /mnt2
if [ "`/usr/bin/nvram activate 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then
/bin/echo "Patching lockdownd..."
/bin/ipatcher -l /mnt1/usr/libexec/lockdownd
fi
/bin/cp /zib/fstab /mnt1/private/etc/fstab
/usr/bin/unzip -o -K -X /zib/Installer.zip -d /mnt1/Applications/
# disk0s2
if [ "`/usr/bin/nvram activate 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then
/bin/echo "Activating youtube..."
/bin/mkdir -p /mnt2/private/var/root/Library/Lockdown
/bin/cp /zib/data_ark.plist /mnt2/root/Library/Lockdown/
/bin/cp /zib/device_private_key.pem /mnt2/root/Library/Lockdown/
/bin/cp /zib/device_public_key.pem /mnt2/root/Library/Lockdown/
fi
/bin/mkdir -p /mnt2/mobile/Library/Installer/Temp
/bin/mkdir -p /mnt2/root/Library/Installer/Temp
/bin/cp /zib/LocalPackages.plist /mnt2/mobile/Library/Installer/
/bin/cp /zib/LocalPackages.plist /mnt2/root/Library/Installer/
/bin/cp /zib/RemotePackages.plist /mnt2/mobile/Library/Installer/
/bin/cp /zib/RemotePackages.plist /mnt2/root/Library/Installer/
/bin/cp /zib/PackageSources.plist /mnt2/mobile/Library/Installer/
/bin/cp /zib/PackageSources.plist /mnt2/root/Library/Installer/
/bin/cp /zib/TrustedSources.plist /mnt2/mobile/Library/Installer/
/bin/cp /zib/TrustedSources.plist /mnt2/root/Library/Installer/
/bin/cp /zib/com.apptapp.Installer.plist /mnt2/mobile/Library/Preferences/
/bin/cp /zib/com.apptapp.Installer.plist /mnt2/root/Library/Preferences/
#end jailbreak
/bin/echo "Unmounting filesystems..."
/usr/bin/umount /mnt1
/usr/bin/umount /mnt2
/sbin/fsck_hfs /dev/disk0s1
/sbin/fsck_hfs /dev/disk0s2
fi
/usr/bin/nvram auto-boot=true
/usr/bin/nvram boot-args=""
/usr/bin/nvram -d unlock
/usr/bin/nvram -d imei
/usr/bin/nvram -d ierase
/usr/bin/nvram -d jailbreak
/usr/bin/nvram -d activate
/bin/echo "Now rebooting..."
/sbin/reboot
while (true); do sleep 1; done
So, what’s the answer to my question? or was that it??
George,
Can you tell me more details how to install BSD and openSSH in local computer?
like how to rewrite RemotePackages.plist
thank you so much!
Alan, if you leave your phone the way it is (1.1.3/4.3.13G) and use ZiPhone -u -j -a it should unlock it, downgrade BB to 4.2.13G (so you don’t have to send the unlock command every time) and activate it.
I think you only have to send the unlock command with BB 4.3.13G
George and your readers/comments
thank you so MUCH!!!!
this is the most informative blog i read :)
i try to break down the info for my readers on my blog
I too wish to know about using ziphone and getting 04.13.03_g bb after it all - i am sure its not as easy as repacking the .dat file to include the new .eep and .fls . 0.o
BUT
have you noticed that installer comes with all sorts of apps installed (like zibri was too lazy to get a fresh copy of installer.app to add to the .bat - so he used his from his phone)
the first phone i did was a OTB 1.1.2 and i immediately thought it was a refurb, but then i realised..
then i got worried and wondered if crazy zibri was using screenshot to grab screen shots of our phones LOL (one of the apps listed in installer to be uninstalled/was pre-installed - but don’t appear on the springboard) - i would like to see this patched
Thank Users for your description.
hi george,
could you please explain me why should we install openssh?
i don’t understand what is its purpose and if it is safe to install securitywise.
sorry for the n00b question :)
btw great blog!!
ric, you need BSD Subsystem and OpenSSH to get shell access to the phone, to issue commands on the phone, to transfer files between phone and computer, and to edit files directly on the iPhone.
thanks a lot for your reply!
i would also like to know if it compromises the security of the iphone.
my question is: installing openssh makes the iphone vulnerable in any way?
eg a hacker could have easier access to my phone and withdraw “sensible” data?
Maybe, it depends on how you configure your phone. If you are aware of the security, you’d treat your phone as a computer and configure it properly; this is beyond the scope of the article though.
Hye George and thank for this tuto.
I have a tiny question too. I have a 3.9 on 1.1.3 with iPSF-alike like you. When you say you sent ‘AT+CLCK="PN",0,"00000000"’, what do you mean? Do you mean that in a terminal you write AT+CLCK="PN",0,"00000000"? Sorry for this question ….
Nissim3, hmm, yes and no :)
I entered igsm ‘ AT+CLCK=”PN”,0,”00000000″ ‘ at shell to test if it’s working, when everything’s confirmed working as expected, I slightly modified the CommCenter launchd config to send the command each time iPhone is rebooted.
Thanks for your response but I think it’s too geek for me … :D Maybe you can write a more explicit tutorial for us .. :)
Thanks a lot …
Nissim3, maybe you’d like to have a look at This article, check my UPDATE at Step 11. You’ll know how I put the AT commands into CommCenter config.
Hi again … I did it another way for my problem… I saw in ipsf.sh how to do it and I installed Signal.app manually … and everything worked well …
The latest edition of term-vt100 is working perfectly under ziphone crack 1.1.3 with BL 3.9.
http://code.google.com/p/mobileterminal/downloads/list
George, how do you modify the CommCenter launchd config to send that command at every reboot? Thanks.
btw, ziphone 1.1 is also out
http://zibree.blogspot.com/
New features:
no more need for recovery mode!
no more “difficult” things :)
just run ziphone and it will do everything for you :)
It copies the installer files to both locations because only in the 1.1.3 firmware does the springboard use the mobile user; the others use root. So that’s why….
Great Blog!
nissim3, how did u install that Singal.app and where did u find that?
Should be any advantage about running kernel 113 instead 112?
nissim3, can u explain a bit more on he Signal.app bit?
0x3333, yes the springboard uses mobile only in 1.1.3 but that has nothing to do with Installer, the latest Installer always uses mobile regardless of springboard.
Sorry for being late! Due to the jet lag… I am in France ..
In the package ipsf or ipsftool there is ipsf.sh and Signal.app . http://rapidshare.com/files/89481193/ipsftool-1.1.3-3.9_ONLY_-try5.rar
What I did is simple, I think. I just connected to my iPhone with SSH, put Signal.app in /Applications, and with the terminal I just sent these commands:
launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
chmod +x /Applications/Signal.app/sendmodem
chmod +x /Applications/Signal.app/signal.sh
chmod +x /Applications/Signal.app/igsm
chmod +x /Applications/Signal.app/signalspring.sh
and you must cp or rewrite signal.plist from the ipsf directory into /System/Library/LaunchDaemons/
You finish with:
chmod 644 /System/Library/LaunchDaemons/signal.plist
launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
sleep 20
killall -9 SpringBoard
Maybe you’ll need to restart your iphone, but after that you have Signal on your springboard. You’ll be able to “restart” your BB when your signal will be down.
Thanks to GEOHOT… I just took the example from ipsf.sh …
Hi, I restored with iTunes, used ZiPhone and it worked… but when I tried to install BSD, I saw that there was only the new 2.1 and with this the user/password didn’t work….. I tried to install OpenSSH and lost sound. Any idea?
Regards
Roberto
Hi nicely written post about the ziphone app. I just saw that zibri released a new version 2.0 where he claims you can downgrade the 4.6 bootloader to 3.9. I wonder how good that works.
Thanks for a very informative posts about the different apps for iphone.
//Rob
Rob, I didn’t have a OTB 1.1.2/1.1.3 so I can’t tell you anything more than posted on Zibri’s blog :)
rnfroe, yes, BSD Subsystem has been upgraded to 2.1; it seems the passwd issue has not been fixed yet. OpenSSH should not disable your sound, maybe your other operations messed it up.
Nissim3, I didn’t see any advantage in running Signal.app :)
Crazy, check This Article, read the UPDATE at step 11.
j_aroche, the old jailbreak 1.1.3 is similar like running 10.4.11 with 10.4.8’s kernel, you tell me the dis/advantage :)
Hi again,
Is it really necessary to have iTunes 7.5 or can I use iTunes 7.6? And must it be running while using ziphone?
I really do not want to downgrade iTunes just to be able to run ziphone 2.0.
Thanks again for a great site
//Rob
I’m not sure if it works with iTunes 7.6, didn’t try it ‘cos I always use 7.5, maybe you can give it a try?. iTunes doesn’t need to be running but iPhone must be paired before jailbreak/activate, which means you must run iTunes at least once with iPhone connected.
Ok thanks for the info. I’ll try when my new iPhone arrives hopefully this week. If it doesn’t work with iTunes 7.6 do you happen to have a download link to 7.5?
//Rob
I’ll answer my own question. I found iTunes 7.5 on oldapps.com. http://www.oldapps.com/download_iTunes_mac.php
//Rob
Try http://www.oldapps.com/
George,
I have met a problem when I unlocked/jailbroke with ZiPhone 2.0. After the crack, the iPhone returned to the springboard when I tried to change the international setting to “simplified chinese”.
Any solution available now?
Thank you
Sorry, no idea ‘cos my changing to Simplified Chinese works fine.
George, how did you re-create the Ramdisk from your modified DMG? I suppose that you strip the leading 0x0CC2000 from the Ramdisk, then modify the DMG file, and then… what??
I think that you can copy the leading 0x0CC2000 from the original Ramdisk into your DMG.. right?
0x3333, right, the leading bytes are just zeros.
Hi,
Can someone post the new script used in ZiPhone2.0? (George, User, anyone?)
I’m curious about the BL downgrader thing, as well as the 3.9 unlock support.
Thanks guys!
p.s. Great blog, very informative.
[QUOTE]I think that you can copy the leading 0x0CC2000 from the original Ramdisk into your DMG.. right?[/QUOTE]
Is there a quick command-line to do this (e.g. dd)?
I’m too lazy to use hex editors :-p
Thanks..
Yeah, enter these commands on OS X:
After you have done modifications to zibri_ramdisk.dmg, enter these commands to construct the new zibri.dat:
Easy huh ? You may remove the xaa, xab, xac and zibri_ramdisk.dmg after the construction.
Cool!
Thanks a bunch! :)
hello i have a question can i update to 113 when i used the real ipsf and does the phone stays unlocked?if the phone does not stays unlocked can i unlock it with ziphone 2.0.i have a old phone with bl 3,9
@vote4pedro
all he added is:
if [ "`/usr/bin/nvram bl39 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "Downgrading bootloader..."; /zib/gbootloader /zib/secpack /zib/bleraser /zib/bldl /zib/39bootloader ;fi
That does it :)
@George:
Honestly man - Your Blog is the most informative and decent in regards to the whole iPhone stuff. Hackint0sh is overflooded and I have no clue where else info is so decently written together like here!
*deep bow* respect sir!
Cheers,
Alex
alex, you can update it, ipsf will stay, although you have to send an ‘AT+CLCK="PN",0,"00000000"’ each time you reboot your phone.
Since your phone has been unlocked with ipsf, there’s no need to re-unlock it with ziphone. Besides, if you don’t have a copy of your original seczone, you can’t revirginize your phone.
I can only agree with Alex. It’s actually much more helpful than the hackintosh forums where 99% of all posts are noobs asking the same question over and over again without even bothering reading the thread.
Great site George
//Rob
Just a follow up. ZiPhone 2.0 works with iTunes 7.6. No need to downgrade iTunes.
//Rob
ok thanks, but ‘AT+CLCK="PN",0,"00000000"’ each time you reboot your phone, what do you mean by this and where do you give this command? Can you explain it please.
http://george.insideiphone.com/index.php/2008/02/06/manually-unlock-040313_g-bl39/ , STEP 10.
ok, but how do I give the command lines to my phone? Where do I type them in iphoneinterface?
what is igsm
Step 10: Unlock
Now send the command AT+CLCK=”PN”,0,”00000000″ to modem. I chose to use a nifty tool igsm (details can be found HERE, check the updates at the end) so that I didn’t have to use minicom:
./igsm -c "AT+CLCK=\"PN\",0,\"00000000\""
To be sure it worked, I read the lock state back:
./igsm -c "AT+CLCK=\"PN\",2"
It returned 0, so the unlock was successful.
Download the igsm program. Extract & upload to the iphone. CD to directory where the igsm program lies then run the above commands.
Hi, must I put igsm in usr/bin and then give the command line with vt100????
I’m not sure if the program has to be installed in any particular directory. I’d install it to your home directory (since that’s your initial directory). ssh in via putty or vt-100, cd to the directory and issue the commands.
ziphone 2.1 is out
http://rapidshare.com/files/91874960/ZiPhone2.1.zip
George could you pleasssssssssssssssse do me a big favour and patch the zibri.dat ramdisk to add afc2 support for the Windows version of the latest ZiPhone…….Pleassssse. Thx so much
Hi George, I am trying to fix afc2. I added the block of lines to /System/Library/Lockdown/Services.plist. After the editing iTunes 7.5 cannot connect to my iPhone: “iTunes cannot connect to the iPhone because an unknown error occurred (0xE8000022)”. But if I remove the block of command lines from Services.plist iTunes can connect to my iPhone again. I have already made sure the block of lines goes into the right place before the com.apple.crashreportcopy block. Do you know what’s wrong?
Maybe there’s a typo in your file, or maybe the file is not a Unix file (this most often happens when you edit it on Windows). Hmm….sorry, I think I missed two lines in the script:
It still won’t work. I copied the whole block from the tutorial above, also with the AllowUnactivatedService part, and opened /System/Library/Lockdown/Services.plist directly with WinSCP and did the editing in there, restarted the iPhone, but iTunes still won’t pair my device, same error (0xE8000022). But when I remove the block it pairs. Is there still anything missing? Can you upload your services.plist please?
Terry, try this: 1.1.3 Services.plist with AFC2.
OOPS…I’ve found the problem, missing a ‘-’ in front of lockdownd, it should be
not
my bad.
it works now with yr services.plist thank you so much.
lol i thought that would be the problem too cuz by comparing the command lines of the afc2 with the afc . the syntax “-” before lockdownd looks different , thx for yr indepth evaluation, it has always been the most detailed iphone blog
Hi,
I’d like to try your modified ziphone, but what does “WebClip removed” mean? Why would you want to do that?
hi, George
Can you patch the windows version of ziphone 2.2 to pass the MD5 check of the dat file?
Thank you
Manuel, typo, it’s the icon added by ZiPhone on SpringBoard.
Hey, George! I used ziphone 1.1, then 2.2. I can’t remove the Repair Needed Error on my 1.1.2 OTB BL 4.6. I upgraded my phone to 1.1.3, then used ziphone -u . After ziphone completed, nothing had happened with my phone. I tried to downgrade my BL to 3.9. It downgraded successfully, now I have BL 3.9, BUT the Repair Needed error still occurs. I can’t remove it, I used everything. Ziphone doesn’t remove it. NO IMEI, NO ICCID. What could have happened to the iPhone, if it doesn’t want to restore the baseband? How can I fix it? Now I suppose it’s a hardware problem :( Don’t know what to do. It seems something inside my phone is really dead and it doesn’t allow restoring the IMEI
I’d assume you need to reflash the baseband, try downgrading to 1.0.2 and reflashing the baseband (you need to know some in-depth info about your current state, like the baseband version and bootloader version), if it doesn’t work, you may need to restore the seczone using your original backup (I assume you have a copy, right?).
The baseband can’t be reflashed on 1.0.2. So, it seems the seczone is corrupted :((
I have no copy of it and no original backup. Any ideas how to fix the seczone now, George?
Are you sure your bootloader is 3.9? And what is your current baseband version?
Hi,
I tried to install ZiPhone 2.2 for Windows and it doesn't work, the error is ” the application has failed to start because the application configuration is incorrect. Reinstalling this application may solve this problem”
I have winxp sp2 installed and dotnet2.0 installed.
Kindly advise correct method of installing.
I didn’t try 2.2 on Windows, I fetched the file from zibri’s site, you may try retrieving the file directly from his site (zibree.blogspot.com) and see if my file is corrupted, I’d like to know the result.
was extracting from ziphone 2.3 - still if i check the script to me it seems i only see gunlock (modified) used and 2 different versions (gunlock2 (is 0 bytes..) and gunlock3).
so i do not understand comments regarding anysim or ipsf..
geohot comments on his blog he’s using ipsf-style without touching seczone (that’s probably why AT commands aren’t needed).. although i see only one secpack in the /zib dir and it’s used to reflash both 4.02 and 4.03 basebands… has the gunlock exploit removed the need then for a “more recent” secpack on BL 4.6 ??
sorry - i’m getting confused - although i understand the if statements in the script i don’t understand what the tool does in which case (for 1.1.3 OTB when downgrading bootloader and when not downgrading especially) - from experience with one of the first versions of ziphone a friend of mine used on his 1.1.3 he ended up having a 4.02 baseband)
Hey, nice blog.
From what I gather, an OOTB 1.1.3 iPhone (meaning, it’s already running 1.1.3 firmware, has the 4.03.13 baseband and the 4,6 bootloader) can’t be unlocked/activated/jailbroken using zibri’s tool, hence the need for the downgrade of the BL.
Have I got the gist of it? Or is it possible to unlock such an iPhone and at the same time avoid the downgrade?
Well - from what i see in the code (ziphone.cpp) and the profile script posted here you set the -b option to downgrade the bootloader… without the -b option, if you have a 1.1.3OTB you end up having a hybrid 1.1.3 with 4.03.13B baseband through gunlock…
at least there seem to be two ways to do 1.1.3OTB if i’m not missing something …
filouchke, when I said IPSF I meant it’s update-resistant, on the other side, when I said anySIM I meant it’s not update-resistant. Since zibri’s unlock will be restored by a baseband update (am I wrong here?) I called it anySIM-alike.
For the unlock in the script, I think under any circumstances both unlock commands are executed, but only one will succeed, the other will fail, because both unlocks have a bootloader check, gunlock2 is for bl4.6 only while gunlock3 is for bl3.9 only. So gunlock2 will unlock an OTB1.1.2/1.1.3 and downgrade baseband to 04.02.13_G, gunlock3 will unlock a non-OTB1.1.3 and will not change the baseband version.
BTW, there’s a typo in your last comment, its ‘hybrid 1.1.3 + 04.02.13_G’.
George, I have found out why it was not working on my computer with XP: because I had not installed iTunes on my computer. After installing iTunes, I could unlock the phone.
Thanks for the application and guide.
@George: So there is indeed no way to get to the 1.1.3/04.02.13_G unlocked combination and at the same time keeping the 4.6 bootloader, right? What about a baseband upgrader in the Installer.app sources that I read about someplace else?
I don’t actually own an iPhone yet, but I’m doing my research and would like to know what my options are - sorry if I’m being annoying:)
Why not? Geohot’s original gunlock doesn’t downgrade your bootloader, it downgrades your baseband to unlock it. So if you use it, you’ll end with 1.1.3 + 04.02.13_G + BL4.6.
Err, scratch that, a typo, I meant 1.1.3/04.0*3*.13_G, my bad:(
hey what about adding a ssh server also? i try to did it myself but guess i put the wrong dropbear in there…can’t find the right one for iphone….lol and I know…i’m lazy…
Flareman - well yes, that’s just the whole point about the bootloader downgrade, to be able to get 1.1.3/04.0*3*.13_G with BL 3.9 (which was downgraded from 4.6)
If i insert this into George’s comment this makes a third option in this list:
1)gunlock2 is for bl4.6 only - unlock OTB1.1.2/1.1.3 and downgrade baseband to 04.02.13_G (can make a hybrid if you have FW 1.1.3)
2)gunlock3 is for bl3.9 only - unlock a non-OTB1.1.3 and will not change baseband version.
and i suppose…
3) gunlock3 used for those with OTB 1.1.2/3 who downloaded their bootloaders with /b option
I suppose that because BL 3.9 is the only one authorizing an equal secpack version thus able to delete/flash 1.1.3 - correct me if i’m wrong on this
…because 1 question remains in my head with the bootloader downgrade: what unlock is used for this afterwards to unlock 1.1.3 ? same gunlock option as for 4.02 reflash ?
Because, as geohot himself told on his blog, one of the minor concerns was just a full range check on 1.1.3, so he used 1.1.2… what was the meaning then of this actually ?
I understand one of the exploits allowed an erase no matter what the secpack was
erase(0xA03D0000,0xA03F0000,1); //the only secpack free allowed erase :)
printf("Okay, lets try that again...\n");
But what convinced him then to say his unlock is also good for 1.1.3 OTB ???
OK, got that. Thanks:)
George says so: | February 17th, 2008 |
Are you sure your bootloader is 3.9? And what is your current baseband version?
I’m sure. I downgraded my bootloader 4.6 to 3.9. I have no baseband.
I restored to 1.0.2 and try to do the following:
cd /usr/bin
chmod +x bbupdater ieraser secpack *.fls *.eep
chmod +x *.*
./ieraser
cd /usr/bin
chmod +x *.*
./bbupdater -f *.fls -e *.eep
./bbupdater -e ICE03.14.08_G.eep -f ICE03.14.08_G.fls
I used bbupdater, ICE03.14.08_G.eep, ICE03.14.08_G.fls, ieraser, secpack (of 1.1.2 OTB, as I have 1.1.2 OTB)
The reflashing of the BB started successfully, but when it finished, it began to ping the baseband, 10 or 15 seconds passed and the process began again. It counts up to 100, pings the BB and begins again and again and again.
Maybe I should use another secpack and .eep and .fls files? I tried to do it with secpack of 1.0.2, but it failed.
I tried to make a re-virginizer, it made the backup of the seczone, started to reflash the baseband and the process written above has repeated.
So, now I have a file called “seczone.backup”, but I don’t know what to do with it. How can I fix the seczone? What should I do? How can I reflash the Baseband?
san,
Secpack must match your baseband version, not your firmware’s.
Seems like you didn’t know what those commands meant, your “-f *fls -e *eep” and “-e ICE… -f ICE…” actually did the same thing (reflashing the modem) twice, please remove one. If you’re using ‘-f *fls -e *eep’ make sure there’s only ONE file named ‘.fls’ and ONE file named ‘.eep’.
I’d give it another try like this:
Hey george,
Do you know if it’s possible to extract the ramdisk on Windows? I’ve tried to open and/or convert the dmg file after extracting it from the dat file without any success so far.
Thanks in advance
Use your favorite hex editor to get rid of the leading 0xCC2000 bytes, the left part is your ramdisk.
How can i expand the ramdisk so i can put more files on it?
George,
I already stripped the leading 0xCC2200 from the dat file, however what i can’t achieve is opening the DMG on win32 systems. Any clue on that precise point. (i have tried various software including transmac / magiciso and so on)
problem solved, i used a linux distro under vmware to do the operation and voila … job done !
Thanks for the split method though, much faster and easier than using a visual hex editor under windows :)
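A portable way to do the split/cat step from the post and George's hex-editor answer above without either tool, as an added example (not ZiPhone's code, not the post author's): it cuts zibri.dat at the 0xCC2000 (13377536) byte boundary given on this page, rebuilds it after patching, and reports the whole-file MD5 that the 2.2 executable is said to check. The 'koly' trailer check is a heuristic of mine for a UDIF .dmg, not something the page states about zibri.dat.

```python
"""Extract and rebuild the ramdisk embedded in zibri.dat (added example)."""
import hashlib
import sys

RAMDISK_OFFSET = 0xCC2000  # 13377536 bytes, the split -b value from the post
UDIF_TRAILER_MAGIC = b"koly"  # UDIF .dmg images end with a 512-byte 'koly' block


def split_dat(dat: bytes) -> tuple[bytes, bytes]:
    """Return (loader header, ramdisk); refuse files too small to hold a ramdisk."""
    if len(dat) <= RAMDISK_OFFSET:
        raise ValueError(f"zibri.dat too small: {len(dat)} bytes, need > {RAMDISK_OFFSET}")
    return dat[:RAMDISK_OFFSET], dat[RAMDISK_OFFSET:]


def rebuild_dat(header: bytes, ramdisk: bytes) -> bytes:
    """Reassemble zibri.dat: unchanged header followed by the (patched) ramdisk."""
    if len(header) != RAMDISK_OFFSET:
        raise ValueError("header must be exactly 0xCC2000 bytes")
    return header + ramdisk


def looks_like_udif(ramdisk: bytes) -> bool:
    """Heuristic (assumption): a UDIF .dmg carries a trailer whose first 4 bytes are 'koly'."""
    return len(ramdisk) >= 512 and ramdisk[-512:-508] == UDIF_TRAILER_MAGIC


def md5_hex(data: bytes) -> str:
    """Whole-file MD5; a patched ramdisk changes it, which is why 2.2 needs the exe patched too."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    # usage: python zibri_split.py zibri.dat  -> writes zibri_ramdisk.dmg next to it
    with open(sys.argv[1], "rb") as f:
        dat = f.read()
    header, ramdisk = split_dat(dat)
    with open("zibri_ramdisk.dmg", "wb") as f:
        f.write(ramdisk)
    print(f"header {len(header)} bytes, ramdisk {len(ramdisk)} bytes, "
          f"udif_trailer={looks_like_udif(ramdisk)}, md5={md5_hex(dat)}")
```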
zi