From the S-Gold's perspective, here are the fundamentals of unlocking basebands. A simple byte sequence search combined with a neutered baseband are all you need. (The s5l8900 CPU imposes other restrictions beyond this discussion.)
Due to gray's initial RCE of the baseband, combined with a neutered bootloader, unlocking recent and future basebands has been reduced to a simple byte search.
Search for the byte sequence “ff 90 a0 e3 ff 00 00 e2 02 00 50 e3” in the baseband. You should find just one such sequence, and the four bytes immediately after it will be “02 00 00 1a”. Change those four bytes to all zeros to unlock your baseband.
The fls offset is the 0x9a4-byte .fls header plus the offset of those four bytes within the baseband; the decimal value in parentheses is the seek value used by the dd commands below.

Firmware    Baseband   fls offset
1.1.3       4.03.13    0x9a4+0x238150 = 0x238af4 (2329332)
1.1.4       4.04.05    0x9a4+0x2395cc = 0x239f70 (2334576)
2.0 beta1   4.05.00    0x9a4+0x239884 = 0x23a228 (2335272)
2.0 beta2   4.05.01    0x9a4+0x238f38 = 0x2398dc (2332892)
2.0 beta3   4.05.01    0x9a4+0x238f38 = 0x2398dc (2332892)
2.0 beta4   4.05.02    0x9a4+0x239194 = 0x239b38 (2333496)
2.0 beta5   4.05.03    0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta6   4.05.04    0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta7   4.05.04    0x9a4+0x23925c = 0x239c00 (2333696)
If you have a neutered bootloader, the following patches achieve the anySIM unlock. Just patch the .fls and feed both the .fls and .eep to the bbupdater that gets installed in /Applications/BootNeuter.app/bin by the Dev Team IPSW Builder.
dd if=/dev/zero of=ICE04.03.13_G.fls bs=1 seek=2329332 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.04.05_G.fls bs=1 seek=2334576 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.00_G.fls bs=1 seek=2335272 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.01_G.fls bs=1 seek=2332892 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.02_G.fls bs=1 seek=2333496 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.03_G.fls bs=1 seek=2333696 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.04_G.fls bs=1 seek=2333696 count=4 conv=notrunc
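Before touching a .fls with dd it is worth knowing what state the file is actually in, and the offset table above is easy to mistype. The read-only scanner below is an added example, not Dev Team code: it locates the byte sequence from the search step, reports whether the four bytes after it are the stock “02 00 00 1a”, the all-zero patched form, or something else, and converts the hit into both a .fls file offset and a baseband-relative offset using the 0x9a4 header size the table assumes. It also re-checks the arithmetic of the table as transcribed here. The sample images are constructed in the script with filler bytes so it runs without a real baseband; the 0x1000 signature position in the sample is arbitrary.

```python
"""Read-only integrity check for S-Gold baseband images (.fls or bare dump).

Added example; header size and sample image layout are assumptions, the
byte values come from the text above.
"""
import sys

FLS_HEADER_SIZE = 0x9A4  # .fls header length implied by the page's offset table
SIGNATURE = bytes.fromhex("ff90a0e3ff0000e2020050e3")
STOCK_TAIL = bytes.fromhex("0200001a")  # follows the signature in an unmodified baseband
PATCHED_TAIL = bytes(4)                  # all zeros, as the patch leaves them


def find_all(haystack: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in haystack (overlaps included)."""
    hits, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan_image(image: bytes, header_size: int = FLS_HEADER_SIZE) -> dict:
    """Classify an image as stock, patched, unexpected, not_found or ambiguous.

    Pass header_size=0 when scanning a bare baseband dump instead of a .fls.
    The text says the signature occurs exactly once; more than one hit is
    reported as ambiguous rather than guessed at.
    """
    hits = find_all(image, SIGNATURE)
    if not hits:
        return {"status": "not_found", "hits": []}
    if len(hits) > 1:
        return {"status": "ambiguous", "hits": hits}
    patch_off = hits[0] + len(SIGNATURE)  # the four bytes right after the signature
    tail = bytes(image[patch_off:patch_off + 4])
    if tail == STOCK_TAIL:
        status = "stock"
    elif tail == PATCHED_TAIL:
        status = "patched"
    else:
        status = "unexpected"
    return {"status": status, "file_offset": patch_off,
            "baseband_offset": patch_off - header_size, "tail": tail.hex()}


# Offset table from the text: (firmware, baseband, baseband offset, fls offset, decimal)
OFFSET_TABLE = [
    ("1.1.3", "4.03.13", 0x238150, 0x238AF4, 2329332),
    ("1.1.4", "4.04.05", 0x2395CC, 0x239F70, 2334576),
    ("2.0 beta1", "4.05.00", 0x239884, 0x23A228, 2335272),
    ("2.0 beta2", "4.05.01", 0x238F38, 0x2398DC, 2332892),
    ("2.0 beta4", "4.05.02", 0x239194, 0x239B38, 2333496),
    ("2.0 beta5", "4.05.03", 0x23925C, 0x239C00, 2333696),
]


def verify_offset_table(header_size: int = FLS_HEADER_SIZE) -> list:
    """Firmware versions whose table row is internally inconsistent (empty when all agree)."""
    return [fw for fw, _bb, bb_off, fls_off, dec in OFFSET_TABLE
            if header_size + bb_off != fls_off or fls_off != dec]


def build_sample_fls(signature_bb_offset: int, tail: bytes,
                     header_size: int = FLS_HEADER_SIZE, size: int = 0x4000) -> bytes:
    """Constructed test image: 0xA5 filler with the signature and a tail planted."""
    img = bytearray(b"\xa5" * size)
    pos = header_size + signature_bb_offset
    img[pos:pos + len(SIGNATURE)] = SIGNATURE
    img[pos + len(SIGNATURE):pos + len(SIGNATURE) + 4] = tail
    return bytes(img)


def scan_file(path: str, header_size: int = FLS_HEADER_SIZE) -> dict:
    with open(path, "rb") as f:
        return scan_image(f.read(), header_size)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        print("table rows with bad arithmetic:", verify_offset_table())
        print("stock sample:  ", scan_image(build_sample_fls(0x1000, STOCK_TAIL)))
        print("patched sample:", scan_image(build_sample_fls(0x1000, PATCHED_TAIL)))
```

Run it with a .fls path to classify a real file, or with no arguments to exercise the constructed samples. A “stock” result means the file is untouched; “patched” means the four bytes are already zero; “unexpected” or “ambiguous” means the image does not match what the text describes and should not be fed to bbupdater on the strength of the table alone.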
Here's an example. This iPhone was pwned at 1.1.4, then the ICE04.05.01_G.fls patch above was applied and bbupdater was run. Then a 2.0beta3 PwnageTool ipsw was used and the result is an unlocked 04.05.01 baseband under 2.0beta3.
Another way to do it is to edit the ramdisk image before feeding it to PwnageTool. Search for the same byte sequence discussed above.
If you don't want to do these steps, the Dev Team PwnageTool will simply keep you at an unlocked 1.1.4 baseband if you use it to get to 1.2.0 or 2.0. These steps illustrate how simple it now is to go beyond unlocked 1.1.4.