Detailed steps for iPhone full-featured hardware cracking

(Compile this content for your reference only. It does not ensure that the tutorial is complete and reliable, and does not assume any legal liability)

The tools you need:

First, you have to have an iPhone. You need to enable SSH and remove launchdeamon. plist.

Then, you also need tools to enable the button, such as shrapnel for playing the guitar.

Next is an electric soldering iron, which is not very expensive.

A good lacquer wire was removed from a waste motor.

A switch. The larger the switch, the better.

Red Bull drinks, because the whole process requires high concentration, not red bull. (^_^)

First open the iPhone, start from the black area on the back, twist three screws, and finally remove the aluminum shell. Remove the wires of the Connection Phone and shell, and then do not remove anything. If you think there is something unsafe, try removing the battery. This should eventually be the case:

Next is the most difficult step. Be careful. The red line in the figure is the A17 line. In order to make the security chip feel that the flash Address has been cleared, we need to pull it out. Use a tool to scrape the outer coating and weld it online, but never cut the A17 wire. Then weld another wire at the place indicated by the arrow.

Connect the two wires to the switch. This step is complete.

Use A multimeter to test whether the two wires just welded are short-circuited or connected together. Then confirm that the switch is closed. If you open your iPhone, the previous operations are correct without smoke.

Now we use minicom to do some software work, connect to TTY. baseband, and send some commands. An OK command should be returned. Next, turn on the switch. baseband should stop returning information. Even if it is switched off, no information will be returned.

Confirm that your switch is disabled. Open another SSH window and enter the command "bbupdater-V" to remove bbupdater from the flash memory. Baseband will be restarted, and minicom will also start to work.

If you can do this, it will prove that your welding is correct. Next, let's unlock the iPhone.

If it fails, don't be discouraged. There is a way to recover it. Otherwise, the iPhone will be changed one hundred times in my hands. You only need to connect it to the USB and it will start on its own. Then use the compiled minicom and termcap to restore the code. You can also download the compiled code directly.Program.

Now make sure that the switch is off and your baseband is running properly. Use the nordumper software to back up the nor and leave an emergency exit for the iPhone. You can also work out the firmware of the iPhone, which will be used later.

The first tool is used, ieraser. It will erase the firmware of the current modem. Don't worry, this firmware can be restored with bbupdater at any time. Let's analyze the bootrom check principle. bootrom reads four addresses: oxa0000030, 0xa000a5a0, 0xa0015c58, and 0xa0017370. All values of these addresses must be null or 0xffffffff. When you delete the flash memory, these values will change to 0 xffffff, but the address information is not lost. They exist in the bootloader. This is the test point. We can use hardware to forcibly locate the A17 line as "or" to offset the address from 0x00040000. In this way, bootrom detects the four addresses: 0xa0040030, 0xa004a5a0, 0xa0045c58, and 0xa0047370. The four new addresses are in the primary firmware. You can clear these four addresses.

If you want to use this software, you need a secpack suitable for your iPhone modem version. Check your modem version first. The "about" in the "Settings" menu should be 3.12 (not upgraded) Or 3.14 (upgraded to 1.0.1 or 1.0.2 ). In the "/usr/local/standalone/firmware" directory, you can find the ice *. FLS file and extract its 0x1a4-0x9a4, Which is saved in the secpack file.

Put the secpack file and ieraser together and run it to erase the firmware of the modem. We are only one step away from unlocking.

Next we start to patch firmware. First, extract firmware from the nor backup. The range you need starts from 0x20000 and ends with 0x304000. Save it as a "nor" file. Select a patch based on your modem version:
3.12: (213740): 04 00 A0 E1-> 00 00 A0 E3
3.14: (215148): 04 00 A0 E1-> 00 00 A0 E3

Save. It will be used later.

We use the last tool to handle the iPhone: iunlocker. It will use the bootrom vulnerability to upload a small program named "testcode. BB" to baseband. Iunlocker only needs the nor file generated in the previous step. Remember to put it under the same directory. Turn on your cracking switch, and testcode. BB will be downloaded to the iPhone. After the download is complete, the program stops and prompts you to turn off the cracking switch. After the preparation is complete, enter any characters and press Enter. Nor will start downloading immediately. When the counter reaches 0x2e4000, this is done. Finally, Run "bbupdater-V". If everything is normal, it will return xgendata.

Connect to "/dev/tty. baseband" Through minicom. If you have used up the number of attempts, the phone number should have been unlocked. If not, run this command: At + clck = "PN", 0, "00000000"
If you use this command: At + clck = "PN", 2, it should return 0.

Last step: Exit minicom, copy commcenter. plist back, restart, and use iasign to activate it. So far, your iPhone has been completely unlocked. Congratulations.

Author of this tutorial: George huates

Address: http://iphonejtag.blogspot.com/2007/08/its-release-time.html

Cause: It took five hundred hours for a 17-year-old high school student to successfully unlock the iPhone

ArticleCopyright from http://iphone.tgbus.com owned by original author