the iPhone has been unlocked! ...KINDA! ~ Ask The Admin

Wednesday, July 18, 2007

the iPhone has been unlocked! ...KINDA!

Thanks to those amazing dudes @ the iPhone Dev Wiki you can now use prepaid ATT or Cingular SIMs in your phone. You don't need no stinking contract! And if you get those sweet corporate rates... Pop that SIM in and save away. This might wind up being a huge security fiasco, as I think originally the iPhone traffic was supposed to stay separate from the rest of the network - either to make the iPhone seem faster or to protect the rest of the network; you decide...

All problems with unlocking lie in the baseband, the radio chipset for the iPhone. The chipset is an S-Gold2, and don't come in the chat and give us links to PapaUtils, we can't use them. Now the iPhone only has one lock, a network personalization lock. This lock means the MCC (US=310) and the MNC (AT&T=410) must match the first six digits of the SIM card's IMSI. This check is done in the baseband firmware itself. I'm not really sure where yet, but that isn't really relevant. The only thing standing in the way of an unlock is the baseband. All the other SIM checks are known and can be patched out. We even know the AT command to do the unlock. It's 'AT+CLCK="PN",0,"xxxxxxxx"'. But good luck finding those x's. They are called the NCK, or Network Control Key, and are believed to be unique in everyone's phone. Forget brute force (time impractical) and the obvious entries. If you still think bruteforce is a good idea, read this. Further, there is a limit of 3-10 unlock attempts per phone, after which the firmware will "hard-lock" itself to AT&T. So why can't we just patch the firmware? The firmware, located in the ramdisk at /usr/local/standalone/firmware/ICE03.12.06_G.fls, is signed. See here for what is known about the file. The sig is checked in the baseband bootloader. The updater program, bbupdater, only checks a checksum, which can be changed. The update will take, but then the phone won't boot because the sigs don't match.
We worked two solid days on disassembling the radio fw. There are a few backdoors, but none that would lead to an unlock. If you are *good* with disassembling ARM, PM geohot for the idb. We've documented a lot of functions pretty well. Although, this firmware is very difficult to work through. I'm 90% sure the password check happens in the function called pwdcheck, but I haven't found it yet. For all we know there could be a simple algorithm to generate the NCKs that we've missed.
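To make the personalization lock described above concrete, here is an added model of it in Python (written for this post, not the dev team's code and not the baseband firmware): the MCC/MNC check on the first six IMSI digits, plus the unlock-attempt counter that explains why guessing the NCK is a dead end. The 8-digit NCK, the attempt limit of 3 (the low end of the 3-10 range) and the sample IMSIs are constructed values.

```python
import hmac
from dataclasses import dataclass

# Constructed model of the network personalization (PN) lock; assumptions marked.
ATT_MCC = "310"           # Mobile Country Code, USA
ATT_MNC = "410"           # Mobile Network Code, AT&T / Cingular
MAX_UNLOCK_ATTEMPTS = 3   # assumed: low end of the 3-10 range quoted above


def imsi_matches_network(imsi: str, mcc: str = ATT_MCC, mnc: str = ATT_MNC) -> bool:
    """True if the IMSI's first six digits are the locked MCC+MNC.

    US MNCs are three digits, so MCC+MNC is exactly six digits here; the
    remaining digits (the MSIN) play no part in the lock.
    """
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    return imsi[:3] == mcc and imsi[3:6] == mnc


@dataclass
class PersonalizationLock:
    """State of the PN lock: locked flag, failed-attempt counter, hard-lock."""
    nck: str                    # per-device Network Control Key (kept secret)
    locked: bool = True
    failed_attempts: int = 0
    hard_locked: bool = False

    def sim_accepted(self, imsi: str) -> bool:
        """Would the baseband register with this SIM?"""
        if not self.locked:
            return True
        return imsi_matches_network(imsi)

    def try_unlock(self, candidate_nck: str) -> str:
        """Emulate AT+CLCK="PN",0,"<nck>" and return a result string."""
        if self.hard_locked:
            return "ERROR: hard-locked"
        # Constant-time comparison, as any lock check should use.
        if hmac.compare_digest(candidate_nck, self.nck):
            self.locked = False
            self.failed_attempts = 0
            return "OK"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_UNLOCK_ATTEMPTS:
            self.hard_locked = True      # stays locked to AT&T for good
            return "ERROR: attempt limit reached, hard-locked"
        return "ERROR: wrong NCK"
```

Once hard-locked, AT&T SIMs still pass the IMSI check but no further NCK entry is accepted, which is the behaviour the text attributes to the firmware.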


If you can lend them a helping hand, they are available in the #iPhone IRC channel.

UPDATE:

Update: we got confirmation that prepaid cards using the AT&T network worked. At least it has been confirmed for 7-11 cards.

We wanted to get some confirmations before announcing it, but it seems nearly impossible to find people to try what we wanted to try.

So, as many people already noticed, using iASign, you'll be able to activate existing AT&T and Cingular SIMs without signing a new contract. We think it should work with virtual AT&T operators as well (i.e. the ones using the same network code), but we couldn't find someone to actually confirm it yet. You can get a list of those virtual operators at http://www.prepaidgsm.net/en/usa.html. Please note that TracFone and Net10 won't work due to some technical details. If anyone could try it out on one of those prepaid cards, that would be great.

By the way, for those of you looking for this "DeviceID", on a Mac (so on _your computer_) it's the name of the .plist file in ~/Library/lockdown. We'll probably release a more automated tool later, once we find some time for those tasks.

As a side note, we'd like to clarify that we are not even close to giving up on the full unlocking, as reported on some websites. We're still up and running, but we won't comment on a possible timeline. If the unlocking is possible we'll eventually find it, so stay tuned.

Have fun,

-- the dev team


New release: iASign

We are releasing a small tool called iASign (click for more details) to generate a valid activation PLIST file based on the Device ID, IMEI and CCID of your iPhone. You can upload the generated PLIST to the iPhone using our activation tool. Note that in order for the iPhone to accept this PLIST, you must first replace the iPhoneActivation.pem on your iPhone with the one provided. See the README file for further details. We have had it working for quite a while, but we wanted to release it with a Windows binary, which apparently seems to be a problem to get. So we're releasing the Mac OS X binary and the source. Hopefully somebody will get us a working Windows binary.

-- the dev team

Check back frequently @ http://www.askTheAdmin.com for more up to date information!