Unlock your iPhone for free without disassembly
This is an old tutorial - new one at http://iphone.unlock.no/
First, thanks to everyone who made this possible: the iPhone Dev Team, who made the executable used in this tutorial, geohot and his "crew", Iphonesimfree :P and all others. No need to disassemble your phone anymore, and no need to input commands manually.
This tutorial is meant for brand new, untouched phones. If you have previously tried unlocking your phone, it might not work (but most likely it will). In addition to unlocking, this tutorial will also help you make YouTube work, and install a really nice third party application installer, so that you can easily expand the functionality of your phone!
WARNING! Apple have released a new firmware update, v1.1.1 - I recommend that you DO NOT update to this version, as a lot of stuff will be harder/not working as of now. In a few weeks it will probably be easier to work with this firmware.
UPDATE: IphoneSimFree.com have now released a paid unlock solution that will let you unlock ALL iPhones, including v1.1.1. This can be done thanks to the iPhone Dev Team's recent solution for jailbreaking the new firmware. I'm sure there will be a free unlock soon also, but I think they deserve some pay off for their hard work, so if you are in a hurry just buy a licence from them. I've also posted a comment about unlocking and how I think these solutions work on the iPhone.
Read on only if your phone does not have the latest firmware. To check the firmware, (emergency) dial *3001#12345#* and tap Versions. The firmware version should be 03.14.08_G. If it's 04.01.13_G you have v1.1.1 and can not unlock your phone using the instructions below.
Step 1: Open your phone's file system (jailbreak)
Download and install iTunes 7.3.2 (download).
Take your new phone out of the box, and connect it to your computer with the supplied USB-cable.
You need to modify ("jailbreak") the phone before it will be possible to upload third party files/applications. If you are on Windows, I highly recommend downloading iBrickr, which I will use as an example throughout this tutorial. Extract all files to a directory on your PC.
Important: If you have version 7.4.x or a newer version of iTunes (to check, click Help -> About in iTunes), you need to download this file and put it in the same directory as iBrickr.
Run ibrickr.exe and follow the instructions on screen. For more info and a video tutorial, visit Nate True's website. I noticed that after hitting the "Sweet" button, it wouldn't recognize the phone - if that happens to you just hit F5, or right click and Refresh. Now you should see 4 links like shown below:
Step 2: Bypass activation and YouTube lock
In iBrickr, click Files. On the right you should see the file system of the phone. Navigate to:
Click the upload button and select the lockdownd file you downloaded previously.
When done, navigate backwards two steps ("up" link on top), then go to:
Here you upload the three YouTube certificate files one by one (data_ark.plist, device_private_key.pem and device_public_key.pem). It will overwrite the ones already on your phone.
Step 3: Prepare phone for software installations
While still in iBrickr, go back to the start screen and click on Applications. Follow the instructions to configure your phone to install third party applications. During this process you will need to reboot a couple of times. When you are done, there should be a big button with the text Browse applications. Click that button, and click on "Installer" in the list of applications. When it's done installing your phone will soft restart. A new icon called Installer should be on your phone now, tap on it to start it.
If you are not already connected to the internet using Wifi, the phone will prompt you to do that. When you are connected to the internet, tap the Refresh button in the bottom right corner. On the top tap Update. You will find a new version of Installer there - tap on it and Update. When done, press the home button on the phone to return to the home screen (springboard) and tap on the Installer icon again. Now find Community Sources in the list and install it. When done, press the home button again.
Step 4: Install the unlock software and perform the unlock
In iBrickr, click the "Browse applications" button again, and select anySIM in the list to install it. When your phone refreshes, you should find an anySIM icon on your phone now.
Note: On my computer this does not work - no new icon appears. If that's the case for you too, click here to show/hide an alternative method.
From your phone, open Safari and visit the following website: http://i.unlock.no - a dialog will appear and ask if you want to add a new package source. Tap on Yes. The Installer application will now automatically launch, and it will refresh the list (if it doesn't refresh, tap the refresh button).
In the list of applications, scroll down almost to the bottom. Under the category "Utilities" you should now have "anySIM" there. Tap on it and install it (hit yes on the warning dialog). When done, press the home key, and wait for the phone to refresh. Now you should see an anySIM icon on your phone.
Before you start anySIM, go to Settings → General → Autolock and set it to Never. Now you can press home button, and tap on the anySIM icon.
Slide to unlock, read to the bottom and tap the red button. This process will take some time, so just sit back and relax. When it's done, you get a message telling you the result. If it's an error, make a note of that error, but don't worry yet.
Insert a SIM from a carrier of your choice.
If you get signal, your phone is unlocked and you are done!
If you succeeded, please email me at unlock æ unlock.no or msg GeeZuZz on IRC.
If you don't get signal and got an error after unlocking, the error was probably real. Possible errors and solutions will be listed below.
Troubleshooting and common problems
Possible errors with solutions
"The Flash succeeded but the unlocked failed"
First try restarting the phone and inserting the wanted SIM to see if it was unlocked anyway. If it's still not unlocked, try reflashing the baseband firmware and running iunlock2 again. Download the correct firmware according to the firmware currently on your phone:
1.02 baseband firmware (or 1.00 and 1.01)
Use iBrickr to upload the three files to /usr/bin/. From the Terminal application on your phone, run the following six commands:
cd /usr/bin
chmod +x bbupdater
launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
bbupdater -f 314.fls -e 314.eep
launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
iunlock2
More possible errors will be added later...
My phone has 1.1.1 firmware - how can I downgrade it?
At the moment it's not possible to jailbreak phones with 1.1.1 firmware, and thus not possible to unlock them. If you have 1.1.1 firmware and want to activate and jailbreak it in order to install third party applications, here is how (thanks to Kmac1985):
- Download the iPhone1,1_1.0.2_1C28_Restore.ipsw from Apple.
- Connect phone to dock, and hold down home button and power button for about 10 seconds until phone turns off.
- When it turns off, release the power button, but continue holding the home button. After about 10 seconds the computer will detect the iPhone in restore mode, and iTunes should tell you that the phone needs to be restored.
- Hold down the SHIFT key (Windows) or OPTION/ALT key (Mac) when clicking the Restore button, and select the file you downloaded previously.
- Let the restore complete and ignore the error at the end. Now your phone should show a rectangle, but don't worry about it.
- Run AppTap (or iNdependence) to jailbreak your phone - it will fix it even though you get errors.
The OS firmware is now 1.0.2. But in order to unlock it, you need to downgrade the baseband firmware also, which does not seem to be possible at the moment. A few people claim it worked for them though, so if you want to try at your own risk, click here to show the instructions:
Baseband downgrade instructions (apparently not working)
- Use Installer application to install Terminal and BSD Subsystem (or BinKit) on your phone
- Download the 03.14.08 baseband firmware (files renamed to 314)
- Upload the three files to /usr/bin/ (using iBrickr for instance).
- From the Terminal application on your phone run the following commands:
cd /usr/bin
chmod +x bbupdater
launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
bbupdater -f 314.fls -e 314.eep
launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
- If you get an error, try restarting your phone, and then try again.
- When done, restart your phone, and go to Settings → General → Modem Firmware to confirm it's 03.14.08_G
- If it was 03.14.08_G, you can proceed here to unlock your phone
- Please email me at unlock æ unlock.no if you succeed in downgrading the baseband firmware, but don't contact me if you don't! (I can not help)
Is the unlock permanent? Can I restore my phone or upgrade it?
The unlock is not permanent. You can however upgrade/restore, as long as the baseband is not updated. That means (as far as I know):
- If you have 1.00, the phone will be locked when you upgrade to anything
- If you have 1.01, you can update to 1.02 since the modem is not updated
- If you have 1.01 or 1.02 you can perform a restore in iTunes without locking it again
- If you upgrade to 1.1.1 the phone will get "useless" since it's not possible to jailbreak/activate yet.
Note: The following applies to the old method:
I get a "Resource Busy" error - why?
You probably forgot to disable the baseband. Run the following command:
launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
To enable it again when you are done unlocking, use the following command:
launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
You could also just backup the file, and then delete it from your phone, then upload it again when you want to enable it, but that would require a restart in both cases to apply the change.
I lost wifi - now it just says "No Wi-Fi"
You probably restarted your phone after running ieraser. To restore Wi-Fi you could either do a restore in iTunes and start over again, or the much faster way, reflash only the baseband from a terminal directly on the phone, which I will explain.
You will need the file called "ICE03.14.08_G.fls" (ICE03.12.06_G.fls if you have 1.00 firmware). I will not link to this file because of copyright reasons, but you'll find it in /usr/local/standalone/firmware/ in the ramdisk image (I might explain this later). Using iBrickr or some other application, transfer this file to /usr/bin/. Also, you need to install a terminal application on the phone. Using iBrickr, click Applications → Reload app list → scroll down until you see MobileTerminal xxx and click it.
Launch the Terminal, and run the following commands:
cd /usr/bin/
bbupdater -f ICE03.14.08_G.fls
It will take a couple of minutes before it's done. When it's done, restart your phone and enjoy your Wi-Fi. And make sure you don't restart your phone after running ieraser! Thanks to ziel for telling me about this possibility.
I'm getting a "bus error"
This problem is usually caused by missing or incorrect files. If you get this error when running ieraser, make sure you have a correct secpack in the same directory. If you get this error when using iunlocker, before you get any testpoint message, make sure you have testcode.bb in the same directory as iunlocker. If you get the error after the "Testpoint works" message, make sure the nor file is correct and placed in the same directory as iunlocker. All names should be lower case!
I get errors when using minicom
minicom: cannot open /dev/tty.baseband: Resource busy
See Resource busy question above
minicom: WARNING: configuration file not found, using defaults
minicom: cannot open /dev/modem: No such file or directory
You probably forgot to upload minirc.dfl to /usr/local/etc/. You could also just start minicom with "minicom -s" and change serial port to "/dev/tty.baseband" manually.
Where can I find the iPhone firmware files?
The files can be downloaded from the URLs underneath. They are 91.2 MB in size. Rename to .zip to extract the DMG images. The main firmware image is encrypted, while the modem firmware image should be possible to mount directly on a Mac.
Tips and tricks
Configuring EDGE settings (internet)?
If you have firmware 1.01 or later you can go to Settings → General → Network → EDGE to configure EDGE. Check your provider's website for settings.
Making the carrier name/logo fit without scrolling
Apple left a rather small space for the operator name, so if it's above 7(?) characters, it will scroll, and display only the first part (click picture at right). I found a way to decrease the font size, making it fit.
Load the following file in a Hex editor:
The font size should be at offset 7C176. In HxD, just click "Search → Goto" and set the offset to 7C176 as shown in the picture below. If the font size is not at this offset in your file, you can try a text string search for loopOperatorToBeginning; it should be right above that.
As you can see, you can also change the font type, and color of the text. Default is size 14. Changing it to 11 or 12 should do.
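The one mistake that is easy to make with a hex editor is writing to the wrong offset in the wrong file and getting no warning. The script below, an added example that is not from the original tutorial, does the same edit from the command line but refuses to write unless the byte at the target offset holds the value it expects (the default font size of 14 named above), and keeps a backup of the untouched file. It reuses the tutorial's offset 7C176 and the landmark string loopOperatorToBeginning; the file name is not given in the tutorial, so the path is a placeholder, and the sample binary is constructed here purely so the functions can be exercised (its layout is not the real file's).

```python
"""Locate the operator-name font-size byte and patch it with a safety check.

Added example, not code from the original tutorial. Assumptions:
- the target is whatever binary the tutorial has you open in the hex editor
  (name not given there, so a placeholder path is used below);
- the tutorial's offset 0x7C176 and anchor string 'loopOperatorToBeginning'.
"""
import shutil
from pathlib import Path

ANCHOR = b"loopOperatorToBeginning"   # landmark string named in the tutorial
DEFAULT_OFFSET = 0x7C176              # tutorial's offset; may differ per file
DEFAULT_SIZE = 14                     # stock font size named in the tutorial


def find_anchor(data: bytes) -> int:
    """Return the offset of the landmark string, or -1 if it is absent.
    Useful when the size byte is not at the default offset: the tutorial
    says it sits a little above this string."""
    return data.find(ANCHOR)


def patch_byte(data: bytes, offset: int, expected: int, new: int) -> bytes:
    """Return a copy of data with one byte replaced.

    Refuses to write when the byte at offset is not the expected value:
    a wrong file or wrong offset would otherwise be silently corrupted."""
    if not 0 <= offset < len(data):
        raise ValueError(f"offset {offset:#x} is outside a {len(data)}-byte file")
    if data[offset] != expected:
        raise ValueError(
            f"byte at {offset:#x} is {data[offset]}, expected {expected}; not patching"
        )
    if not 0 <= new <= 0xFF:
        raise ValueError("new value must fit in one byte")
    out = bytearray(data)
    out[offset] = new
    return bytes(out)


def patch_file(path, offset=DEFAULT_OFFSET, expected=DEFAULT_SIZE, new=12) -> bytes:
    """Back the file up as <name>.orig, then write the patched copy in place."""
    p = Path(path)
    patched = patch_byte(p.read_bytes(), offset, expected, new)
    shutil.copy2(p, p.with_name(p.name + ".orig"))   # keep the untouched original
    p.write_bytes(patched)
    return patched


# Constructed sample binary (not the real file): 64 zero bytes, the size byte,
# then the anchor string. Real layout will differ; this only exercises the code.
SAMPLE = b"\x00" * 64 + bytes([DEFAULT_SIZE]) + ANCHOR + b"\x00" * 16

if __name__ == "__main__":
    # Placeholder path: substitute the binary the tutorial tells you to edit.
    # patch_file("PATH/TO/BINARY_FROM_TUTORIAL", DEFAULT_OFFSET, DEFAULT_SIZE, 12)
    print("anchor at", hex(find_anchor(SAMPLE)))
    print("patched byte:", patch_byte(SAMPLE, 64, DEFAULT_SIZE, 12)[64])
```

Run it against a copy of the file first; if the expected-value check trips, the offset is wrong for your build and find_anchor gives you the landmark to search from.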
Update: Here is a way to set a permanent carrier logo. I have created a few logos for Norwegian users (screenshot below): Telenor, Netcom, Tele2, Chess, OneCall. Download here. Remember that you will need to change the pictures manually if you switch carrier.
Changing phone number formatting: (123) 456-7890
Formatting is stored in:
Download this file from your phone. The file is stored in binary format, so you'll need to convert it to text. Now save this file and open it in a text editor. Change the formatting under 'us' to look like you want (if you find your region in the file, just copy from your region to 'us'). There's probably some way to just make it use your language (instead of 'us'), but I don't know where you specify that. When you are done changing the formatting, save the file and upload it to the iPhone in the same directory you found it. You don't need to convert it back to binary.
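The binary-to-text conversion step can be done without a separate tool, since Python's standard plistlib reads Apple's binary plist format and writes the XML form. The script below is an added example, not part of the original tutorial; the real file's keys are not reproduced here, so the sample plist is a constructed dictionary of region names mapping to a format string, and copy_region_format is a hypothetical helper that performs the "copy your region over us" edit the paragraph describes.

```python
"""Convert a binary plist to XML text and copy one region's formatting to 'us'.

Added example, not from the original tutorial. The sample data below is
constructed for demonstration; the real file's structure is not known here.
"""
import plistlib

# Constructed sample: region code -> formatting entry. Not the real file.
SAMPLE = {
    "us": {"format": "(###) ###-####"},
    "no": {"format": "### ## ###"},
}


def sample_binary() -> bytes:
    """Produce a binary plist, standing in for the file downloaded from the phone."""
    return plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)


def to_xml(blob: bytes) -> bytes:
    """Convert a plist (binary or already XML) to XML text.

    plistlib.loads sniffs the format, so this also accepts a file that
    was already converted, instead of failing on it."""
    data = plistlib.loads(blob)
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


def copy_region_format(xml_blob: bytes, src: str, dst: str = "us") -> bytes:
    """Copy region src's entry over region dst (the tutorial's 'copy from your
    region to us' step) and return the edited XML."""
    data = plistlib.loads(xml_blob)
    if src not in data:
        raise KeyError(f"region {src!r} is not in the file")
    data[dst] = data[src]
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


def convert_file(in_path: str, out_path: str) -> None:
    """Disk version: read the binary plist, write the XML text file."""
    with open(in_path, "rb") as f:
        xml = to_xml(f.read())
    with open(out_path, "wb") as f:
        f.write(xml)


if __name__ == "__main__":
    xml = to_xml(sample_binary())
    print(xml.decode())                       # human-readable, editable text
    edited = copy_region_format(xml, "no")
    print(plistlib.loads(edited)["us"])       # {'format': '### ## ###'}
```

The XML output can be edited in any text editor and uploaded as-is, which matches the note above that converting back to binary is unnecessary.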
Disabling autocorrection when typing on keyboard
Read here until I write a more detailed way.
Adding international characters on the keyboard?
Read here until I write a more detailed way.
My comments about the iPhone unlocking solutions
I've been unlocking cell phones for more than 5 years, and even though I don't develop the solutions myself, I know pretty much how it works - and the iPhone does not appear to be different from others, except for the fact that it needs activation in addition to unlocking.
There are two types of unlocking: "Firmware patch" and "Direct unlock"
- Firmware patch is simply patching the firmware in order to bypass the lock. The phone is still "locked", the firmware is just tricked into believing it's not. An example would be when the phone starts up and runs code "if(phoneIsLocked == false) doStartphone();" - a patch would simply change "false" to "true", causing it to run doStartphone() even when it's locked. If the firmware is upgraded/restored, this patch will of course be removed and we're back to the start again. This type is in the industry considered a semi-unlock, and only accepted as a last resort if no other way is found (usually, it's just a temporary solution).
- Direct unlock is the real way of unlocking phones. Usually it involves just rebuilding the entire lock data in EEPROM with "blank" unlocked data. Or the safest way is to get the phone itself to clear the data by making it unlock itself - which could be achieved by for example finding the unlock codes and feeding it with them. This would leave absolutely no trace of "hacking" - it will be 100% correctly done, as intended by the manufacturer.
- (SIM-cloning/Turbosim is not mentioned, because that's not considered unlocking.)
When a phone is unlocked (in a proper way), it will always be unlocked. Firmware upgrades never touch EEPROM, including the lock data.
Here are my thoughts on how iPhone unlocking works - of course, it's just my thoughts based on my experience with other phones, and I may very well be wrong.
IPFS unlock solution is permanent, and will handle all future updates
Yes, I'm fairly sure that a phone unlocked with IPFS is a proper unlock (not a firmware patch), making it permanent. But of course, unlike others, the iPhone needs activation, and IPFS is therefore completely dependent on activation, which depends on the jailbreak. But when it comes to the operator lock itself, IPFS permanently unlocks it.
I'm not sure exactly how IPFS does unlock it, but I'm feeling very sure it's one of these:
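The distinction drawn above (a code patch lives in the firmware image, lock data lives in EEPROM, and a reflash replaces only the former) can be made concrete with a small model. The following is an added example, not from the original post and not real iPhone code: Eeprom, Firmware, the lock fields and the scenario names are invented for illustration. It walks each unlock type through a firmware reflash and shows which one is still unlocked afterwards.

```python
"""Toy model of 'firmware patch' vs 'direct unlock' across a firmware reflash.

Added example, not from the original post. Eeprom, Firmware and the field
names below are invented for the illustration, not real device structures.
"""
from dataclasses import dataclass


@dataclass
class Eeprom:
    """Persistent lock data. A firmware flash never rewrites this."""
    locked: bool = True
    allowed_carrier: str = "CarrierA"   # constructed placeholder name


@dataclass
class Firmware:
    """Boot code. patched=True models the 'phoneIsLocked == false' comparison
    having been flipped so the check always passes."""
    version: str
    patched: bool = False

    def sim_accepted(self, eeprom: Eeprom, sim_carrier: str) -> bool:
        """Stock behaviour: refuse foreign SIMs while EEPROM says locked."""
        if self.patched:
            return True            # check bypassed; lock data itself untouched
        return (not eeprom.locked) or sim_carrier == eeprom.allowed_carrier


def firmware_patch_unlock(fw: Firmware) -> Firmware:
    """Firmware-patch type: change the code, leave EEPROM alone."""
    return Firmware(fw.version, patched=True)


def direct_unlock(eeprom: Eeprom) -> Eeprom:
    """Direct type: clear the lock data the way a valid unlock code would."""
    return Eeprom(locked=False, allowed_carrier=eeprom.allowed_carrier)


def flash_firmware(new_version: str) -> Firmware:
    """Upgrade/restore: the code image is replaced, so any code patch is gone."""
    return Firmware(new_version)


def run_scenario(kind: str) -> tuple:
    """Return (accepted before reflash, accepted after reflash) for a foreign SIM.
    kind is 'none', 'patch' or 'direct'."""
    eeprom, fw = Eeprom(), Firmware("1.0.2")
    if kind == "patch":
        fw = firmware_patch_unlock(fw)
    elif kind == "direct":
        eeprom = direct_unlock(eeprom)
    elif kind != "none":
        raise ValueError(f"unknown scenario {kind!r}")
    foreign_sim = "CarrierB"            # constructed placeholder name
    before = fw.sim_accepted(eeprom, foreign_sim)
    fw = flash_firmware("1.1.1")        # EEPROM object deliberately reused
    after = fw.sim_accepted(eeprom, foreign_sim)
    return before, after


if __name__ == "__main__":
    for kind in ("none", "patch", "direct"):
        print(f"{kind:>6}: before={run_scenario(kind)[0]} after={run_scenario(kind)[1]}")
```

The same EEPROM object is carried across flash_firmware on purpose: that single detail is what makes the direct unlock survive while the patch does not, which is the point of the paragraph above.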
1. IPFS reads data from the baseband/EEPROM, and rebuilds the lock area in EEPROM with proper data - without any lock. This is exactly what is done on almost all other phones.
2. IPFS patches the baseband, but only as a temporary step in order to achieve the above. When it's finished, it doesn't matter if the patch is removed (bb upgraded), because the phone is already unlocked.
AnySIM and the other solutions are firmware patch solutions and will never survive baseband flashing/upgrade. Unlike IPFS (if IPFS also patches firmware), AnySIM patches firmware in order to bypass the lock, not in order to unlock it - or at least it's not unlocking it properly. The fact that anySIM-unlocked phones are bricked after upgrading must be caused by changes the anySIM solution does to EEPROM, which is not properly done, and makes it "corrupted" as seen from the new firmware.
In my opinion there's no reason to be so negative about IPFS. They did the real unlock and so far no one has been able to recreate their solution. So don't expect a free real solution for 1.1.1 to appear very soon either. A free patch-unlock though is probably already possible now that they have decrypted the ramdisk; I will try that tomorrow. Of course the iPhone Dev Team are doing the most important work, and let's hope they soon will be able to work out a direct unlock solution as well.
Feel free to correct me, I already mentioned this is just how I think it works. (Comments can be posted HERE.)
- WinSCP (download/upload files from your phone)