iPhone 3G Unlock Status Update - Not so good so far

By Aaron Besson at 13 August, 2008, 12:51 pm

Update

Yellowsn0w from the iPhone Dev Team unlocks the iPhone 3G for firmware 2.2. Apple has released 2.2.1, which breaks yellowsn0w. If you have not updated to 2.2.1 via iTunes yet, you can unlock your iPhone 3G with yellowsn0w on firmware 2.2.


Everyone that has an iPhone 3G that is either not on a supported carrier or not authorized to be unlocked (like those sold in Belgium, Italy, and Hong Kong) is sitting there/here with one eye on the iPhone 3G waiting for it to unlock itself magically and the other eye on the iPhone Dev Team waiting for them to pull a rabbit out of their hat. If you are like me, your third eye is trying to contact GeoHot via telekinesis to find out if he is making any progress with the 3G unlock.

I pieced the following together from Hackint0sh, the iPhone Wiki, the Dev Team Blog and GeoHot’s blog.

The iPhone 3G Software Unlock

The iPhone Dev Team are obviously working hard on a software unlock for the iPhone 3G to include in their new PWNAGE Tool, but their latest update, posted earlier today, doesn’t seem too encouraging at the moment for some of us:

“we are making slow, but steady progress and we have no estimation of when, or even if we’ll be able to unlock the 3G iPhone”

Well, that sucks. I can deal with when, but it’s the if that has got me down. But I have faith. Meanwhile, over on the iPhone Wiki (the encyclopedia for the iPhone), the discussion of unlocking the iPhone 3G is ongoing, and the major discovery so far is that unlocking the iPhone 3G is much different and harder than unlocking its older sibling.

“Currently, the 3G (software) unlock is the biggest missing piece of the iPhone community. It is more difficult than the previous unlocks due to the fact that the baseband bootloader is signature checked. The Dev team has successfully flashed an official, but older (and therefore not allowed) baseband firmware (1.45.00 to 1.43.00 downgrade) on the 3G. See also discussion. Currently, unlocking the 2.0 firmware is available only for the first generation iPhone.”

Possible Methods

Class 1

  • Find an exploit in the bootrom to break the chain of trust
  • Improve by several orders of magnitude the NCK brute forcer, and find a way to extract the CHIPID and NORID
  • Find the theorized algorithm of NCK generation

Class 2

  • Use a SIM hack such as the TurboSIM Unlock
  • Find a way to patch running memory to “unlock” the phone on every bootup

The Dev Team are working hard on Class 1 above and have gotten low-level write access and were able to flash an older baseband on the iPhone 3G, but as they said, they are making slow progress with unlocking the current baseband and can’t guarantee a date or even being able to deliver.

Sim Hacks

Until then, those of us with iPhone 3Gs are stuck with Class 2: purchasing and testing the various SIM hacks for the iPhone 3G, like TurboSim and cheaper clones such as StealthSim, RebelSim, XSIM, YesSim and FuriousSim, until the Dev Team can unlock the iPhone 3G baseband.

How the old Sim Hacks Worked on iPhone 2G

“This relies on the fact that the IMSI is read twice, once to validate the IMSI and once to connect to the network. So the SIM card spoofs the first IMSI read to trick the device into thinking it is operating on the AT&T network, or whatever network the device is locked to. The second time it allows the IMSI to be read properly from the SIM card, and this IMSI is used for the network login…”
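The double-read weakness quoted above, modelled as an added example (not code from the original post or the iPhone Wiki): validating one IMSI read and then attaching with a second read is a time-of-check/time-of-use bug, and the fix is to read once, validate that value, and use exactly the same value (rejecting any SIM whose answer changes between reads). The SIM model, the locked-to carrier code and the IMSI values are constructed for the illustration.

```python
# Added illustration of the IMSI double-read weakness (time-of-check/time-of-use).
# The SIM model, the carrier code and the IMSI strings are constructed for this
# example; they are not taken from any real device or from the original post.

class SimCard:
    """Minimal SIM model: answers a scripted sequence of IMSI values, one per read."""
    def __init__(self, imsi_sequence):
        self._seq = list(imsi_sequence)
        self._reads = 0

    def read_imsi(self):
        # A well-behaved SIM returns the same IMSI every time; the interposer the
        # post describes answers the first read differently from the second.
        value = self._seq[min(self._reads, len(self._seq) - 1)]
        self._reads += 1
        return value

LOCKED_TO = "31041"   # constructed MCC+MNC prefix the handset is locked to

def is_allowed(imsi):
    return imsi.startswith(LOCKED_TO)

def vulnerable_attach(sim):
    """Validates one read, then attaches with a second: check and use can differ."""
    if not is_allowed(sim.read_imsi()):      # time of check
        return None
    return sim.read_imsi()                   # time of use: may be another value

def hardened_attach(sim):
    """Reads once, validates that value, and attaches with exactly that value."""
    imsi = sim.read_imsi()
    if not is_allowed(imsi):
        return None
    # Defensive consistency check: a second read must agree with the first.
    if sim.read_imsi() != imsi:
        return None
    return imsi

HONEST_SIM = ["310410000000001"]                        # constructed, same value every read
SPOOFING_SIM = ["310410000000001", "262010000000002"]   # constructed: first read passes, second differs
```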

The latest bunch of SIM hacks that supposedly unlock the iPhone 3G are frowned upon by the Dev Team because in some cases they are highly illegal on account of the “trickery of the GSM and UMTS network”.

Also, in some cases they simply do NOT work. If they do work, they stop after a few days, or don’t allow any sort of data transfer (neither EDGE nor 3G), and eventually the local carrier realizes something is wrong and bumps the SIM card off the network. Try too many times to spoof the network and your IMEI may get blocked by your local carrier. Here are some results from some of the SIM hack solutions posted on the iPhone Wiki.

“iPhonix / Juma

MacBug.de reports only 2G mode (data mode not clear) works with this. MacBug.de seems to be distancing itself from the product.

RebelSim

The company video demonstrates 2G but mentions no 3G function at this stage. The RebelSim website claims it has tested iPhone 3G operation. More information is required.

StealthSim

The most expensive variant of the SIM hacks on sale now. More formal reports indicate that this method is just as unstable as the rest. It fakes IMSI like the rest, but eventually gets kicked off the network. Don’t buy.

TurboSim

Indications are that no stable TurboSIM exploit is available at this time. For some providers in Germany there appears to be some success, see TurboSIM Unlock.

Yessim / Furiousim

Overall, there are conflicting reports on whether this works on various SIMs and networks. Samples have been provided to various users on Hackint0sh Forums. Initial challenges faced because of a RJ45 type connector that is needed to set “Boost Mode”. It is recommended that if ordering, the USB “YesUP” or “FuriousUP” cable is used. The company mentions that unfortunately instead of USB cables, RJ45 cables were provided to testers due to a “shipping error”. Initial testing of Yessim with stock configurations shows problems after several hours or a few days.”

For more information about SIM hacks and testing of these and more SIM cards, please check out this thread on Hackint0sh. Most testers are reporting that it works for calls/SMS for a while, with limited data depending on the SIM hack card used. These cards cost between $20-$100 USD (and more in the case of the TurboSim when it is in high demand) and usually cost an arm and a leg ($30-$50 USD) to ship something that weighs the same as a paperclip. Testing or replacing these cards can get expensive.

More recent SIM hacks like RebelSim, FuriousSim and a couple of others now come with USB reader/writers that can update the software on the chip as a means of increasing reliability and usability. This is similar to TurboSims, which need to be programmed to work properly. There are instructions on the iPhone Wiki on how to do the TurboSIM Unlock. I am trying to get my hands on a TurboSim and will report any success with this method.

Videos are popping up all over with users testing these SIM hacks with varied results. I tested the old X-Sims, which look identical to the newer X-Sims being used for the 3G; after testing quite a few I was advised that the new one has a new chip on the XSim, so the old ones obviously didn’t work. I have ordered a couple of the new SIM hacks mentioned above and will post my results during the testing.

What about a Hardware Unlock?

Due to the new hardware configuration of the iPhone 3G, a hardware unlock is not as “easy” as the old hardware unlock was for the first-gen iPhone. Saying that the first-gen iPhone hardware unlock discovered by GeoHot and others was easy is a BIG joke, as it took a skilled technician, or someone with the skill, patience and steady hands of one, to do it.

Ta_Mobile and others have made some remarkable discoveries about the iPhone 3G’s hardware and its relation to an unlock, recently posted in this thread on Hackint0sh. He managed to dump the bootloader for the iPhone 3G via hardware a few weeks ago (allowing a lot of the new discoveries mentioned above) and since then has been taking apart a couple of iPhone 3Gs and swapping ICs to see what the difference is between those locked and those authorized to be unlocked.

He found that swapping the ICs between an authorized unlocked iPhone 3G and a locked iPhone 3G resulted in iTunes blocking the authorized unlocked chip in the locked phone from being activated, meaning the unlocked IC in the locked phone didn’t work. He states that “THE LOCKED STATE IS CONTROLLED BY: ITUNES SERVER + MODEL + SERIAL + IMEI AND IT STAYS IN THE OS DISK WHEN THE PHONE SYNCS WITH ITUNES. - NO MORE TRYING TO HACK THE X-GOLD.” Meaning iTunes (Apple) decides which phones are authorized to be unlocked based on serial number, model number and IMEI all matching the iTunes server, then activates and authorizes the phone to work with other SIMs/carriers (the actual unlock takes place in the iPhone’s baseband).

This theory was somewhat tested when authorized unlocked (SIM-free) phones sold in Italy were activated during the PWNAGE process: they were locked once activated, meaning they no longer worked with other SIM cards. So why not hack iTunes? Well, that’s the easiest target, but it is not where the unlock resides; it’s merely the messenger. Some speculate that the unlock resides deep in the baseband and seczone, which contains the NCK, IMEI, S/N and MAC addresses, and of course all of them are encrypted. A wrong modification may lead to IMEI 0049. All of these must match for iTunes to authorize an unlock. Look at when T-Mobile had to unlock iPhones in Germany: they had to send the serial/IMEI numbers for each phone to Apple to be entered into the iTunes database for an authorized unlock upon activation. Check out the thread on Hackint0sh for a more in-depth technical look at all of this.

What about Cloning Officially Unlocked Phones

This has been suggested by many people; however, it has been well investigated and virtually ruled out for these reasons:

  1. Replacing the baseband bootloader or firmware of a locked phone with that of an officially unlocked phone does not unlock the phone, as the unlock information resides in a different flash area, known as the seczone, and is unique to each phone.
  2. Cloning the seczone would duplicate IMEIs, which would be illegal in most places and would likely result in a ban of those IMEIs.
  3. Phones with cloned seczones would not even be unlocked by the NCKs of the phone they were cloned from, as the CHIPID and NORID are concatenated with the NCK to produce the decryption key used on the RSA seczone token. The only way to make this work is to change the NORID and CHIPID, which is not possible at this time.
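Why reason 3 holds, as an added example (not the Dev Team’s or the iPhone Wiki’s code; the real seczone layout and derivation are not on the page): the unlock token is protected under a key derived from the NCK concatenated with the device’s own CHIPID and NORID, so a seczone copied byte-for-byte onto other silicon, even with the original phone’s NCK, derives a different key and the token does not open. SHA-256 as the derivation, the stdlib encrypt-then-MAC wrapping, and every identifier value are constructed stand-ins.

```python
# Added illustration of device-bound unlock material, following the post's statement
# that the key is built from NCK || CHIPID || NORID. The derivation (SHA-256), the
# wrapping scheme and all identifier values are constructed stand-ins, not the real
# seczone format or the baseband's actual algorithm.
import hashlib
import hmac
import os

def derive_key(nck: bytes, chipid: bytes, norid: bytes) -> bytes:
    # Concatenation as the post describes; SHA-256 is an assumed stand-in KDF.
    return hashlib.sha256(nck + chipid + norid).digest()

def wrap_token(key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC with stdlib only: SHA-256 keystream XOR plus an HMAC tag."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()   # 32-byte keystream; payload <= 32 bytes
    ct = bytes(p ^ s for p, s in zip(payload, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_token(key: bytes, blob: bytes):
    """Return the payload if the tag verifies under this key, otherwise None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

# Constructed identifiers for two handsets. Phone B receives a byte-for-byte copy of
# phone A's token (the "cloned seczone") but keeps its own silicon identifiers.
PHONE_A = {"chipid": b"CHIPID-A", "norid": b"NORID-A"}
PHONE_B = {"chipid": b"CHIPID-B", "norid": b"NORID-B"}
NCK_A = b"12345678901234"      # constructed NCK issued for phone A
UNLOCK_PAYLOAD = b"UNLOCK"     # constructed token contents

def issue_token(phone, nck):
    return wrap_token(derive_key(nck, phone["chipid"], phone["norid"]), UNLOCK_PAYLOAD)

def try_unlock(phone, nck, token):
    """True only when this NCK, combined with this phone's CHIPID/NORID, opens the token."""
    key = derive_key(nck, phone["chipid"], phone["norid"])
    return unwrap_token(key, token) == UNLOCK_PAYLOAD

TOKEN_A = issue_token(PHONE_A, NCK_A)
```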

What about George?

What about GeoHot? He has done it in the past, when all hope was lost with bootloader 4.6. The question is whether he can or will do it again. George has posted on his blog that unlocking the 3G is not going to be easy.

“Even if we find an unsigned code exploit, which wasn’t done for the previous two bootloaders in software (we found tricks to play with the nor), we still can’t unlock.

The first step to tackling this is dumping the bootrom. We need some exploit, I don’t care where, to dump arbitrary memory. Then we can dump 0x400000, which is the new “secure” bootrom”

Since that post GeoHot has been hard at work getting the iPhone Wiki started and working at Google; hopefully he will get either enraged or inspired and crack out a crude code-driven unlock for the iPhone 3G that others will then massage into a BootNeuter.

So… where does that leave us?

Me, I am personally going to wait on a software solution, but I will test/use the new SIM hacks that are coming out, and will continue to monitor the forums and feedback from users on their success/fail rate. IF they work, I’ll use them until a true software (or even hardware) unlock is available.

I am hoping that, as usual, GeoHot or the Dev Team will pull an ace from their sleeve and our iPhone 3Gs are free someday soon.
