Simple Unlock

From the S-Gold's perspective, here are the fundamentals of unlocking basebands. A simple byte sequence search combined with a neutered baseband are all you need. (The s5l8900 CPU imposes other restrictions beyond this discussion.)

  • The secpack is at ICE*.fls offset 0x1a4 (0x800 bytes long)
  • The baseband is at ICE*.fls offset 0x209a4
  • The baseband length is at ICE*.fls offset 0x20 (subtract 0x20000)

Due to gray's initial RCE of the baseband, and combined with a neutered bootloader, unlocking recent and future basebands has been reduced to a simple byte search.

Search for the byte sequence “ff 90 a0 e3 ff 00 00 e2 02 00 50 e3” in the baseband. You should find just once such sequence, and the next four bytes will be “02 00 00 1a”. Change these four bytes to all zeros to unlock your baseband.

Firmware    Baseband  fls offset
1.1.3       4.03.13   0x9a4+0x238150 = 0x238af4 (2329332)
1.1.4       4.04.05   0x9a4+0x2395cc = 0x239f70 (2334576)
2.0 beta1   4.05.00   0x9a4+0x239884 = 0x23a228 (2335272)
2.0 beta2   4.05.01   0x9a4+0x238f38 = 0x2398dc (2332892)
2.0 beta3   4.05.01   0x9a4+0x238f38 = 0x2398dc (2332892)
2.0 beta4   4.05.02   0x9a4+0x239194 = 0x239b38 (2333496)
2.0 beta5   4.05.03   0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta6   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta7   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta8   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.0 release 4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.1 beta1   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.1 beta2   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.1 beta3   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.1 beta4   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.2 beta1   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.2 beta2   4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)

If you have a neutered bootloader, the following patches achieve the anySIM unlock. Just patch the .fls and feed both the .fls and .eep to the bbupdater that gets installed in /Applications/ by the Dev Team IPSW Builder.

dd if=/dev/zero of=ICE04.03.13_G.fls bs=1 seek=2329332 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.04.05_G.fls bs=1 seek=2334576 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.00_G.fls bs=1 seek=2335272 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.01_G.fls bs=1 seek=2332892 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.02_G.fls bs=1 seek=2333496 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.03_G.fls bs=1 seek=2333696 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.04_G.fls bs=1 seek=2333696 count=4 conv=notrunc

Until the new release of PwnageTool and BootNeuter for 2.0, one way to achieve this unlock is to edit the ramdisk (with the above patch) before creating a custom 2.0 ipsw via Pwnage and then just send your custom ipsw to a bootneutered iPhone 1G. But for most people it's better to just wait for the official PwnageTool and BootNeuter 2.0 release. By the way, when the release does come the unlock will be quicker if you already have a neutered bootloader at 1.1.4.

sgold_bootrom/simple_unlock.txt · Last modified: 2008/10/30 08:46 (external edit)
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki