GeoHot seems to have caught the bug again, so to speak. He has recently taken on the challenge of unlocking the iPhone 3G, and he is finding out that the new Infineon chip is not going to make it easy. The first-gen iPhone was a challenge, but this new 3G iPhone hardware is going to be a lot tougher than anyone thought.
“The 3G bootloader is sig checked by the bootrom. So even removing the NOR and patching the bootloader (to remove main fw sig checks) and main firmware doesn’t work for an unlock. Big thanks to TA_Mobile for dumping the NOR and confirming this. You have some real skills.
The X-Gold 608 is the chip used. The lame “datasheet” Infineon gives us shows the hardware RSA and the secure bootrom. So we have a real problem. Even if we find an unsigned code exploit, which wasn’t done for the previous two bootloaders in software (we found tricks to play with the NOR), we still can’t unlock.”
It is clear that the old tricks that hackers like GeoHot and the Dev Team used are not going to work on the new iPhone 3G. Apple has added a lot of hardware improvements to try to stop hackers from even being able to access the hardware to get the information needed to successfully load an unlock onto the device.
The first step to tackling this is dumping the bootrom. We need some exploit, I don’t care where, to dump arbitrary memory. Then we can dump 0x400000, which is the new “secure” bootrom.
There is no doubt that the iPhone 3G will eventually be unlocked via software, either by GeoHot, the Dev Team, TA_Mobile or some other hot-shot hacker. There are already spoof solutions using X-Sims and Yes Sims, but who wants that? A real software solution is what is needed here.
How would anyone get one without a money-sucking contract? And you would then have to try to unlock/jailbreak/activate it, only to possibly be defeated by a new update from Apple.
George Hotz is famous for being the first to unlock the original iPhone and for his critical role in unlocking most if not all other firmwares. Thanks to GeoHotz, we did away with the whole idea of StealthSims, UltraSims etc. He wrote a lot of the tools that are used to create the unlocking tools, virginizers, baseband restore tools etc. Most of all we need to thank him for GunLock, which is still used in most popular unlocking tools today (YOU, ME, PWNED, ZIPHONE, iLIBERTY, INDEPENDANCE and iPLUS all need to thank - and do thank - GeoHotz).
So what does young George Hotz have to say about the iPhone 3G and unlocking its baseband?
Is it really worth it? I mean, aside from the technical challenge, who will really benefit from it? I hear the phone is sold unlocked for +$80 AUD in Australia. Here, the best way to get a phone is to buy one from AT&T then cancel it, $200+$35+175=$410. You are better off buying an old iPhone off eBay. With locate me, how much will a GPS really help? And here in the states, T-Mobile 3G won’t work.
I’m curious as to what amplifier chip the phone uses though. The number one question I got from people about the old iPhone unlock is “Will it work with Verizon?” Now it could be possible.
I still don’t know how I’m getting my hands on a device. And if I’m not sure, how will everyone else who wants one get one? Apple, this is really a step backward for the consumer. I’m disappointed in you.”
With George moving over to develop for Google’s Android mobile OS, he may be giving up on the iPhone. I hope that even without his effort the Dev Team can create an iPhone 3G unlock. I am sure a 2.0 unlock will come around a few days (if not the same day) after the OS X iPhone 2.0 is released for 1st-gen iPhones.
I too am disappointed with Apple, and with the fact that some of the key people who were involved with the unlocking of the iPhone, and with the community that has been formed around it, are walking away.
cmw has been hard at work porting PWNED from the Dev Team to the PC; it’s called WinPWN. More info can be found on the WinPWN website, but here is the public release note:
This is winpwn-0.99.1.8BETA. I have disabled 2.0+ support since it’s still buggy. Hopefully with people beta testing I will get all the bugs worked out within a few days and you will get a final release including 2.0+ support.
You WILL be able to flash custom ipsw’s made with Mac pwnage if you wish to upgrade to 2.0 and can’t wait for the final winpwn. For now I have also disabled most of the custom options, including the applications (Installer is still there) and the unlock baseband features. Once I’m happy it’s stable I will enable those features for testing. I will post a more detailed breakdown of how it works (YES THAT IS QEMU) and why I chose to use qemu.
You will require the iTunesMobileDevice.dll and you will have to put it inside the winpwn program files dir. iBooter support has been disabled since I haven’t tested it yet. So you are stuck with iTunes for the beta release. NOTE: YOU MAY NEED TO USE REGULAR RECOVERY MODE MANUALLY IF WINPWN DOESN’T DO IT ITSELF.
REMINDER: YOUR IPHONE/IPOD MUST BE ON 1.1.4 TO USE WINPWN, AND YOU MUST LOAD 1.1.4 TO PWN OR TO BUILD A CUSTOM IPSW.
Once again the guys over at iClarified have put together a great tutorial, this time for using PWNED to load custom boot and restore images on your iPhone. NOTE: there are stringent requirements for these files. They must be 24-bit PNGs, 100KB or less, have an alpha layer, be RGB or greyscale, and be 320×480 or less in size.
HINT: if you want to use a solid image as your background, create a new transparent image in Photoshop just slightly bigger than your original image. Copy your original image onto the new transparent image you just created. Make sure you can see some of the transparency layer on the sides. Then select Save for Web from the File menu and make sure you save it as PNG-24 with transparency enabled.
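A small checker for the boot-image rules above, written as an added example and not taken from iClarified or the PwnageTool project. It reads only the PNG signature and IHDR chunk, so it needs no imaging library. It assumes that “24-bit PNG with an alpha layer” means 8 bits per channel with an alpha channel (PNG colour type 6 for RGB+alpha, 4 for greyscale+alpha); the `make_png` helper only builds a constructed blank image so the checker can be exercised offline.

```python
import struct
import zlib

MAX_BYTES = 100 * 1024      # "100KB or less"
MAX_W, MAX_H = 320, 480     # "320x480 or less in size"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

# PNG colour types from the spec: 0 greyscale, 2 RGB, 4 greyscale+alpha, 6 RGB+alpha.
# Only the two with an alpha channel satisfy the "must have an alpha layer" rule.
ALPHA_COLOR_TYPES = {4: "greyscale+alpha", 6: "RGB+alpha"}


def read_ihdr(data: bytes):
    """Return (width, height, bit_depth, color_type) from the PNG signature + IHDR chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file (bad signature)")
    if len(data) < 33:  # 8 signature + 4 length + 4 type + 13 IHDR body + 4 CRC
        raise ValueError("file too short to contain an IHDR chunk")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = data[16:29]
    stored_crc = struct.unpack(">I", data[29:33])[0]
    if (zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF) != stored_crc:
        raise ValueError("IHDR CRC mismatch (corrupt file)")
    width, height, bit_depth, color_type, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", body)
    return width, height, bit_depth, color_type


def check_boot_image(data: bytes) -> list:
    """Return a list of rule violations; an empty list means the image meets the requirements."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        width, height, bit_depth, color_type = read_ihdr(data)
    except ValueError as exc:
        return problems + [str(exc)]
    if bit_depth != 8:
        problems.append(f"bit depth {bit_depth}, expected 8 bits per channel (PNG-24)")
    if color_type not in ALPHA_COLOR_TYPES:
        problems.append(f"colour type {color_type} has no alpha channel (need RGB+alpha or greyscale+alpha)")
    if width > MAX_W or height > MAX_H:
        problems.append(f"{width}x{height} exceeds {MAX_W}x{MAX_H}")
    return problems


def make_png(width: int, height: int, color_type: int, bit_depth: int = 8) -> bytes:
    """Build a minimal, valid, all-zero PNG (constructed test data, not a real boot image)."""
    channels = {0: 1, 2: 3, 4: 2, 6: 4}[color_type]
    row = b"\x00" + b"\x00" * (width * channels * bit_depth // 8)  # filter byte + pixels

    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(row * height, 9)) + chunk(b"IEND", b"")


if __name__ == "__main__":
    for label, img in [("rgba 320x480", make_png(320, 480, 6)),
                       ("rgb no alpha", make_png(320, 480, 2)),
                       ("too wide", make_png(400, 480, 6))]:
        print(label, "->", check_boot_image(img) or "OK")
```

Run it against a real file with `check_boot_image(open("boot.png", "rb").read())`; the size, alpha and dimension checks are independent, so every violated rule is reported at once rather than stopping at the first one.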
Greetings! The Devs have been working hard at it again and, as promised, the update is out for the beloved PWNED. It is chock full of great updates and new features and will unlock your precious iPhone:
I can’t wait to load up some wacky startup screen and trick out my new custom 1.1.4 firmware. The ability to remove BootNeuter after unlocking would help settle a lot of nervous users staring at it after opening it up by mistake, and selecting apps such as iLiberty+ and iPlus to be pre-installed is a dream.
There is also new beta firmware 2.0 support included in this update, but I wouldn’t recommend trying out 2.0 just yet unless you are a developer, or are willing to go through the steps to get 2.0 working correctly on your carrier and have the patience and know-how to get back to 1.1.4 safely in the event you want to revert to sanity.
This is for OS X only so far. The Devs advise that cmw is working hard on the Windows version, but his winpwn tool is independent of the Dev Team, so they can’t comment on when it will be ready. Still, with this update and other possibilities on the horizon, things are looking great.
All iHail the Dev Team, for they have cometh to free the iPhone. Wow, I awoke this morning to my lil’ pitbull Layla making noise, which is very uncommon, stumbled into the office to see that PWNED had been released, looked at her and then realized that’s what all the noise was about.
Currently only the Mac version has been released, and I am fumbling around with it. Personally tested and working perfectly on a 4.6BL that was downgraded to 3.9BL with iPlus: built a custom 1.1.4 firmware that included an upgrade back to 4.6BL and restored with iTunes - worked PERFECT!! After the restore the phone was jailbroken, unlocked, activated and using the 4.6 bootloader and 1.1.4 baseband - sweeeet!
The PC version will be released within days if not hours, as it’s almost complete. I am not going to babble much more about this, but will quote the Devs so that you can get a good idea of what’s going on:
PwnageTool 1.0 release
The “DevTeam” would like to announce the release of the OS X version of the PwnageTool application.
The team (and especially Wizdaz) have been working hard to bring you this release in as short a time as possible.
The plan (4 weeks ago) was to release a Mac tool only. This was decided because of the lack of reliable Mac filesystem tools on Windows, and the fact that the task of porting them would be too time consuming.
With that in mind the genius that is “cmw” stepped up to the plate and offered his services to the DevTeam. He proposed to provide a tool that would give the same functionality and User Interface as the Mac tool.
cmw has done an almost unthinkable task and ported the almost complete Pwnage Tool to Windows in a little under a week, and we would like to thank him for this unbelievable work. He is currently in the final test stages and hopefully this should be finished within the next 24 hours (but even he needs sleep and family time occasionally!) We’ll post a link as soon as the testing has finished.
Please remember to donate to the Devs for this new-found freedom. This will bring a new world of iPhone customization and freedom never experienced before, and it would only be right to donate and show your appreciation for the hard work done by all here:
There are lots of custom payloads, and I am sure lots more to come, including the highly requested payload to restore your 3.9FB bootloader to the stock 4.6, which will also flash the baseband to the stock 04.04.05_G (1.1.4). - sweet.
iLiberty+ implements a so-called 2-pass procedure:
Pass 1: boot a customized ramdisk to setup a tiny BSD environment
This pass does very limited things. In order to make pass 2 run flawlessly, there must be a usable BSD environment to load and execute the master script and do the real jobs; pass 1 does this initialization. It also checks the payload archive to make sure pass 2 is going to run without hassle. For efficiency, if pass 1 detects no payload archive, there’ll be no pass 2 at all. Since all jobs in pass 2 require a jailbroken iPhone, pass 1 implies the jailbreak and AFC setup.
Pass 2: boot into normal system and finish the real tricks
After pass 1, the basic environment has been set up on the iPhone. When the iPhone reboots, a special service is launched by launchd to trigger our pass 2 master script. The master script extracts the payloads from the compressed archive, then calls the included payload scripts one by one until all payload scripts are processed, then it does housekeeping to remove all the footprints left during pass 1 and pass 2. When all this is done, it boots the iPhone into normal mode. Everything’s done.
iLiberty has integrated the iPlus core and is now renamed to iLiberty+ (and iLibertyX for Mac OS X). This release is mainly a re-design in many areas:
1. Workflow is optimized and now integrates the iPlus core
2. Payloads are totally irrelevant to the ramdisk core
3. Customizing payloads is pretty easy (Here’s the Payload Howto)
4. iPod Touch jailbreak is now supported
5. New update system to offer better online update experience”
Who’s George? Well, he is not George Hotz (GeoHotz), the famous wonder kid who was the first to hardware-unlock the iPhone and later brought the first software unlocks for the new 4.6 bootloaders. NO, this is George Zhu, aka George Zjlotto, a brilliant programmer and blogger who has been solving and reworking apps and their hiccups from firmware to firmware and unlock to unlock for a few months now.
Now he has finally released his personal jailbreaking and activating tool for public use. It’s called iLiberty, and it’s for PC only at the moment. It obviously allows you to jailbreak and activate your iPhone, but it also allows you to install custom payloads (a seemingly common new trait of all iPhone tools/utilities these days). Unfortunately there is no unlock feature at the moment either…
George has provided a link to the custom payloads and the executables so you can customize the tool to suit your needs and only install the apps you want. Sweet. Here are some notes about iLiberty:
Introduction
————
iLiberty is a pure Win32 GUI designed for iPhone jailbreak, activation and unlock, as well as application installation.
iLiberty currently lacks the ability to unlock because I need some time to categorize all those unlocking methods. NOTE: This tool was firstly designed for my personal use, hence some features (like unlock) might not be put in first place; it’s all based on my needs.
Features
——–
Jailbreak from 1.0.2 to 1.1.4
Activate from 1.0.2 to 1.1.4
Kick iPhone out of recovery mode
Push iPhone into DFU mode
Online update (can auto check)
Mirror and Proxy support
Debug mode
If you prefer to download the executable first and then only the payloads you need, here it is: iLiberty 1.1.2.16 Main Executable (MD5: ae80720466bfa8dbd5ee3093ed08eae9)
Get payloads here: http://iphone.zjlotto.com/iLiberty/Payload/, NOTE: Some payloads have 2 files (a .zip and a .sh) and you need to download both of them.
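Since the executable is published with an MD5 digest, here is an added example of checking a download against it before running it. This is not code from iLiberty or George’s site; the digest constant is the value printed in the note above, and `self_check` only exercises the verifier on constructed bytes written to a temporary file.

```python
import hashlib
import hmac
import os
import tempfile

# Digest published with the iLiberty 1.1.2.16 executable (value taken from the note above)
PUBLISHED_MD5 = "ae80720466bfa8dbd5ee3093ed08eae9"


def md5_of_bytes(data: bytes) -> str:
    """Hex MD5 of an in-memory buffer."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so a large download is never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(path: str, expected_hex: str) -> bool:
    """True only when the file's MD5 equals the published digest (case-insensitive, constant-time compare)."""
    actual = md5_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def self_check() -> tuple:
    """Write constructed sample bytes to a temp file and return (matches its own digest, matches a wrong digest)."""
    sample = b"constructed sample bytes standing in for a downloaded executable\n" * 3000
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        good = verify_download(path, md5_of_bytes(sample).upper())   # upper-case digest must still match
        bad = verify_download(path, "0" * 32)
    finally:
        os.remove(path)
    return good, bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        ok = verify_download(sys.argv[1], PUBLISHED_MD5)
        print("MD5 matches published value" if ok else "MD5 MISMATCH: do not run this file")
    else:
        print("self-check (should be (True, False)):", self_check())
```

Usage: `python verify.py iLiberty.exe`. An MD5 match reliably catches a truncated or corrupted download and a silently altered mirror, but MD5 is collision-prone and the digest is published on the same site as the file, so it is an integrity check against accidents and casual tampering, not a substitute for a signature from a key you already trust.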
Another great app for us all. Unfortunately it is only for PC at the moment and does NOT unlock your iPhone, BUT it certainly can be very useful, and I am sure an unlock will be integrated into it by the time it reaches my MacMini. Please check out his blog and feel free to donate to him; he deserves it.