Unlock iPhone and Jailbreak iPhone Tutorial
But if you insist, here's the old way:
How to downgrade bootloader on out of the box 1.1.2
This method was originally developed by George Hotz, as described on his blog. Big thanks to him and to the rest of the people who helped make this possible.
Before you start
Step 1: Prepare your phone and install software
Now launch Installer and let it refresh its sources. Then tap Sources, Edit, Add and enter: http://i.unlock.no/ Tap Done, then install the following packages in the listed order:
- "BSD Subsystem" found in the System category
- "Term-vt100" found in the System category
- "Bootloader downgrade" found in the Unlocking Tools category
- Optional: "OpenSSH" found in the System category (if you want to use SSH)
The commands you run during the bootloader downgrade can be typed either in the Terminal application on the phone or on a computer over SSH via Wi-Fi. Since people report that Wi-Fi is lost while the baseband is being erased, this tutorial uses the terminal on the phone as the example.
Step 2: The hardware part: Disassemble your phone
Removing the covers from the phone is considered by most people to be the hardest part of the entire unlock procedure. There is no really obvious advice to give on this one, but here is a tutorial that shows some pictures (STOP AT PAGE 5/9!).
After you have removed the rear covers, you will see a metal shield/cover over the baseband. This one needs to be removed as well. Use a tiny screwdriver or similar to carefully lift it a little, all the way around (you can lift out the battery to reach the side facing it). There are two places where the shield is glued, so you will either need to heat it up or just use force. You now have access to the testpoints, which you will need to connect in Step 4.
Some pictures showing the two testpoints:
In the next step you are going to connect point A to point B. Point B is a 1.8v power source which must be connected to A, the innermost trace on the board. The best way is to use two needles connected with a wire. If you have unlocked Nokia BB5, Siemens or Motorola phones before, you are already familiar with this. Since the area is fairly clear of components, it is "impossible" to damage anything if you are just a little careful.
Below is a picture of the needles I used (they come from a professional unlocking device). They are spring loaded, which makes them easier to hold stable. But as the picture on the right demonstrates, some regular needles supported by corks from Bulgarian wine will also do (thanks to nasko for the pic).
But first you need to expose a point on the trace (A). With something ultra-small or thin, scratch VERY CAREFULLY on the trace until you see a golden surface. If you scratch too much, the trace will be cut and your phone is bricked (or maybe only the phone part?). Depending on what kind of needle you use, you may be able to just push the needle into it with a little pressure instead. Do not scratch the entire trace, only a tiny point to set the needle on!
Step 3: Erase baseband
Launch the terminal by tapping the Term-vt100 icon on your springboard.
Type these commands, one at a time:
launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
cd /usr/bin/
ienew
Some data should scroll across the screen. The expected output is:
# ienew
Resetting the Baseband...Done
Opened: /dev/tty.baseband
iEraser for 112OTB: tool by geohot
Waiting for data...
Got Header: 77 0b cc 02 00 85 00 02 00 FF FF 85 02 03 00
SECPACK
02 00 04 02 06 00 01 00 00 00 00 00 0B 02 03 00
Erase
02 00 05 08 02 00 00 00 07 08 03 00
02 00 06 08 06 00 01 00 00 00 A0 00 AD 08 03 00
Hopefully the main flash was erased, wait for the next step...
#
Do not restart your phone after the flash is erased!
Step 4: Write the old bootloader
You need to have the testpoints connected at the moment the iunew executable runs. Since both your hands are busy with the needles, here is a nice trick to run the command with a 20 second delay (or any delay you need to prepare the testpoint):
sleep 20; iunew
Right after you hit return, grab your needles and set the first needle on point A. Then put the second needle on point B. Note: if you have trouble holding it stable on top of the capacitor, you can put it right next to it, leaning against the side of the capacitor. If you set the delay to 20 seconds, make sure at least 25 seconds have passed since you executed the command before you release the testpoint and check what the terminal printed. It should say one of the following:
- TESTPOINT WORKS: 55 - If you get this message it worked; just do what it tells you. It will "download" up to 1FF00. When done it says to run bbupdater -v, but ignore that and go to the next step. The complete output looks like this:
# iunew
Resetting the Baseband...Done
Opened: /dev/tty.debug
iUnlocker: tool by geohot
uploads and runs testcode.bb in the same dir
uploads the nor image in "nor"
make sure your switch is on
thanks to iProof and lazyc0der for finding this method
thanks to the siemens guys for discovering it
and thanks to nightwatch for the awesome toolchain
Spamming AT, waiting for a response
Attempting to read...c0
Connected established to bootrom
File size: 1608
Checksum: 0x37
Attempting to read...c1
TESTPOINT WORKS: 55
Press any char, then hit enter after testpoint has been disconnected
x
Attempting to read...54
Downloading modified nor...
Attempting to read...45
Erased
Downloaded: 0
.....
Downloaded: 1FC00
Downloaded: 1FD00
Downloaded: 1FE00
Downloaded: 1FF00
Attempting to read...44
run bbupdater -v and pray
if it worked, enjoy your unlocked iPhone!!!
- "Please connect the testpoint" - Sorry, you did not get the testpoint connected right. Don't worry, you will probably need a few tries before you get it. Just set the testpoints again and run iunew once they are connected. The complete output looks like this [can someone confirm that this is the correct output? email unlock æ unlock.no]:
# iunew
Resetting the Baseband...Done
Opened: /dev/tty.debug
iUnlocker: tool by geohot
uploads and runs testcode.bb in the same dir
uploads the nor image in "nor"
make sure your switch is on
thanks to iProof and lazyc0der for finding this method
thanks to the siemens guys for discovering it
and thanks to nightwatch for the awesome toolchain
Spamming AT, waiting for a response
Attempting to read...c0
Connected established to bootrom
File size: 1608
Checksum: 0x37
Attempting to read...c1
Attempting to read...c1
Please connect the testpoint
Step 5: Completing the downgrade and starting the unlock
Congratulations, you have completed the hard parts. Right now the phone has no baseband firmware, so you need to flash it. To flash the baseband, run these commands (the first one takes a few minutes):
bbupdater -f 111.fls -e 111.eep
bbupdater -v
launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
After you run "bbupdater -v" it shows the current status of the baseband. If it says BOOTLOADER_VERSION:3.9_M3S2, everything is working.
If you are going to use 1.1.1, just install AnySIM found in Unlocking tools category and unlock it now.
If you are upgrading to 1.1.2 or 1.1.3, install Oktoprep found in the Tweaks 1.1.1 category, and then perform an upgrade (NOT a restore!) to 1.1.2 (hold the shift/option key to manually select the firmware). When the upgrade is complete, jailbreak your device using this Java application, and unlock with AnySIM 1.2.1u found in the Utilities category. If you want to upgrade to 1.1.3, install "Official 1.1.3 Upgrader" found in the System category.
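As an added example (not from this page and not one of geohot's tools), here is a small wrapper that sequences Steps 3 to 5 and checks the output the tutorial describes: it refuses to erase a 04.03.13 baseband, confirms the "Hopefully the main flash was erased" line before letting you continue, keeps the delay trick for iunew, and verifies BOOTLOADER_VERSION:3.9_M3S2 after flashing. The script name bl.sh, the LOG path and the DELAY variable are assumptions; the tools and 111.fls/111.eep are assumed to sit in /usr/bin as installed by the "Bootloader downgrade" package.

```shell
#!/bin/sh
# Added wrapper for Steps 3 to 5 of this tutorial; it is not part of the page or
# of geohot's tools. It only sequences the commands the page lists and checks
# their output. Assumes ienew, iunew, bbupdater, 111.fls and 111.eep are in
# /usr/bin (the "Bootloader downgrade" package) and that it is run from
# Term-vt100 on the phone as: sh bl.sh erase | write | flash
COMMCENTER=/System/Library/LaunchDaemons/com.apple.CommCenter.plist
LOG=${LOG:-/var/root/bl-downgrade.log}   # assumed log location

# The page says the 04.03.13 baseband (1.1.3) cannot be downgraded this way.
# $1 is a file holding "bbupdater -v" output.
baseband_supported() { ! grep -q '04\.03\.13' "$1"; }

# ienew prints this line once the main flash is erased. $1 is its output.
erase_ok() { grep -q 'Hopefully the main flash was erased' "$1"; }

# After flashing, bbupdater -v must report the old 3.9 bootloader.
bootloader_downgraded() { grep -q 'BOOTLOADER_VERSION:3\.9_M3S2' "$1"; }

main() {
    cd /usr/bin || exit 1
    case "$1" in
    erase)
        launchctl unload "$COMMCENTER"            # otherwise: "Resource Busy"
        ./bbupdater -v > "$LOG" 2>&1
        if ! baseband_supported "$LOG"; then
            echo "04.03.13 baseband found; this method cannot downgrade it"
            launchctl load "$COMMCENTER"; exit 1
        fi
        ./ienew 2>&1 | tee "$LOG"
        erase_ok "$LOG" || { echo "ienew did not report an erase; stop here"; exit 1; }
        echo "Flash erased. Do NOT reboot. Set up the needles, then run: $0 write" ;;
    write)
        # The delay gives you time to place needles A and B before iunew talks
        # to the bootrom. iunew is interactive, so it is not piped to a log.
        sleep "${DELAY:-20}"; ./iunew
        echo "TESTPOINT WORKS: 55 -> run: $0 flash. Otherwise re-seat the needles and retry." ;;
    flash)
        ./bbupdater -f 111.fls -e 111.eep          # takes a few minutes
        ./bbupdater -v 2>&1 | tee "$LOG"
        bootloader_downgraded "$LOG" || { echo "Bootloader is not 3.9_M3S2; see $LOG"; exit 1; }
        launchctl load "$COMMCENTER"
        echo "Downgrade complete; continue with AnySIM or Oktoprep as in Step 5" ;;
    *)  echo "usage: $0 erase|write|flash"; exit 2 ;;
    esac
}
# Only dispatch when invoked with an argument (lets the check functions be sourced).
if [ -n "$1" ]; then main "$@"; fi
```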
Troubleshooting and common problems
I get "Did you erase the flash first?" error
Make sure you have erased the baseband with ienew. If you already did that and still get this error, you probably have the 04.03.13 baseband firmware (1.1.3). To check this, run: bbupdater -v. If you have 04.03.13 you are lost and need to wait for the next firmware to be released.
I get a "Resource Busy" error - why?
You probably forgot to disable the baseband. Run the following command:
launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
To enable it again when you are done unlocking, use the following command:
launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
I lost wifi - now it just says "No Wi-Fi"
Complete the procedure using the terminal on the phone. If you had already finished writing the nor image, just restore to 1.1.2.