The most important information about unlock (essential for beginners!)
What is necessary for my iPhone to work with any operator?
As you probably know, all cellphones sold by Apple are tied to a definite operator. In the USA this is AT&T, in France it is Orange, in Germany T-Mobile. This is related to Apple's business model: according to the contract, the operator must pay Apple a certain percentage of the profit earned from each Apple subscriber. It is not known for certain how much exactly, but rumour says it is up to 20%.
Therefore you can use the cellphone only with a sim-card of the above-stated operators, and there are no other variants. The plan for a "legal" iPhone user looks like the following:
1. You buy an iPhone 4 in a brand-name shop or in the Apple Store.
2. The subscriber comes home and concludes a contract with the operator over the internet.
3. After the contract has been concluded, the cellphone is activated in a while and can be used.
So, in order to make the iPhone work in the network of any other operator, it is necessary to do the following two actions:
1. Activate the cellphone.
2. Avoid the verification of your sim-card.
The first step is, of course, called activation. Its essence is that it is necessary to get access to the basic functions of the device.
The second step is called unblocking, better known as unlock.
What is unlock (unblocking)?
Unlock is a modification of the GSM-module software that enables you to use an iPhone as a cellphone with a sim-card of any operator.
There are several methods of unlock:
1. Software (soft unlock)
Without any interference in the hardware of the telephone, the radio-modem firmware is modified so that the verification of whether the sim-card belongs to the operator is removed. Usually the programs AnySim (iUnlock) or iPhoneSimFree are used for this purpose. How this process goes you can read in detail in the paragraph "Bootloader, secpack, OTB and everything-everything-everything".
2. Hardware (hard unlock)
The cellphone is opened, the Test Point is closed, and you get access to modify the software of the radio-modem.
3. Sim Clone (MULTISIM) – in fact, this is not an "unlock". This method uses some features of the verification of the sim-card's belonging to the operator to "deceive" the cellphone: the iPhone 4 or iPhone 5 considers that the sim-card belongs to the AT&T operator.
When this method is used, the information necessary for authorizing in the GSM operator's network (IMSI, ICCID and the secret key Ki) is read out and written to a special smart card, which then emulates the work of the SIM.
The main problem of this method is that the secret key Ki can be read only from the first generation of sim-cards (SIMv1). It requires special equipment and takes a lot of time.
4. Sim Proxy (TURBOSIM, STEALTHSIM, NEXTSIM, X-SIM etc.) – a logical continuation of the Sim Clone method, only with a hardware "layer" (proxy) between the telephone and the sim-card. When the telephone requests the information to verify the sim-card's belonging to the operator, the Sim Proxy answers with the AT&T card's data; in all other cases it redirects the requests to the subscriber's own sim-card.
It is very simple in use: you just cut your sim-card, put an adapter on it, and then put this construction into your telephone. It does not require any special equipment.
In order to understand the essence of the process, let's consider how the iPhone is constructed.
How the iPhone is constructed
The telephone which you hold (or will hold) in your hands is not exclusive in its construction. Its only difference from devices of the same class is the absence of a keyboard and a display that recognizes two touch points simultaneously.
At the device level it is important to know that the telephone actually has two processors:
1. An ARM processor which runs the operating system.
2. An Infineon SGOLD 2, which is responsible for working with the GSM network (it is called the radio-modem, baseband, gsm-modem or bb).
The first processor (we will call it the CPU) is actually the heart of the telephone: it runs the operating system (by the way, what runs on your telephone is almost a real Mac OS X) and it is responsible for the work of absolutely all your applications.
The second processor (we will call it the baseband, or BB for short) is responsible for the communication capabilities of the telephone: GSM, EDGE/GPRS, WiFi and Bluetooth. Like the CPU, it also has something similar to an operating system, which consists of a few components: the boot loader (loader), the flash (firmware) and the eeprom (information). All of this is kept on a special memory module (Intel Wireless Flash Memory, a separate chip on the board), also called the NOR flash.
And now let's talk about things closer to us: software. If you have a look at the previous part, you will understand that the telephone has two types of programs: for the CPU and for the BB.
All of this gets into the telephone with the help of a software pack, usually called the firmware. This is where the first confusion usually appears, so let's consider this moment in detail.
When enough corrections have accumulated, Apple produces an update: an IPSW file of about 150 megabytes, containing the image of the cellphone's operating system and sometimes an update for the GSM-part. Consequently, there can be two "firmwares" in one update: for the software part of the cellphone (the update of the applications) and for the GSM-part.
This pack has its own version (1.1.1, 1.1.2, 1.1.3, 1.1.4, 2.0 etc.), but at the same time the GSM-part has its own numbering (03.01_13G, 04.02_13G etc.). It turned out that the programs installed in the cellphone are characterized by the version of the update pack (for example, the latest has version 1.1.4). It is convenient to call it the "version of the iPhone 4 firmware".
It so happens that any of the existing updates can be installed on the iPhone 5, while the firmware version of the GSM-part will not change. So you can have GSM-part firmware of version 04.03_13G and cellphone firmware 1.0.2.
Now re-read the previous two paragraphs several times. We got two main terms from them: the cellphone firmware and the GSM-part firmware. A lot depends on their versions.
But in the light of recent events, another term appears: the bootloader version. This question deserves a separate discussion.
Bootloader, secpack, OTB, unlock and everything-everything-everything
When update 1.1.2 appeared, one very unpleasant fact was revealed. All the cellphones that went on sale with this firmware (as they say, 1.1.2 out of the box, OTB) have a bootloader different from the previous one. The version of the new bootloader is 4.6, whereas the previous one had version 3.9.
In this version Apple fixed a great number of vulnerabilities and changed the algorithm of the secpack check.
The secpack is an area located in the update pack which holds the digital signatures for a certain version of the firmware of the telephone's GSM-part. It is necessary for any modification of the GSM-modem software.
Whereas in bootloader version 3.9 it was possible to perform operations on the GSM-part with a secpack from the current or a newer version of the firmware (>=), in bootloader 4.6 such operations are possible only with a secpack from a newer version of the firmware (>). Besides that, writing into the zone where the bootloader is located became impossible after its initialization, which makes an "undo" impossible.
This small nuance spoiled everybody's life. Why? Let's now have a look at what unlock is.
How does unlock work?
In the GSM firmware there is a verification that the sim-card belongs to a certain operator. To be exact, the unique IMSI code of the card is verified. This code consists of the MCC (Mobile Country Code), the MNC (Mobile Network Code, the operator code) and the MSIN, the subscriber identifier. The GSM-modem checks whether the MCCMNC number is in the table of permitted ones (this list is called the lockstate table); if it is, the cellphone registers in the operator's network, if not, the work of the GSM-part is blocked.
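To make the check concrete, here is an added example (not code from the article and not from any real baseband) that splits an IMSI into MCC, MNC and MSIN and then performs the lockstate-table lookup the paragraph describes. The lockstate table contents, the MNC-length rule and the sample IMSIs are assumptions constructed for the example; a real modem carries its own table inside the firmware.

```python
"""IMSI parsing and a lockstate-table check, modelled on the article.

Added example, not code from the article or from any iPhone baseband.
The lockstate table entries and the sample IMSIs are constructed test data.
"""
import re

# Sample lockstate table: MCCMNC values the modem would accept. The entries are
# assumed for the example (public MCCMNC allocations for the operators the
# article names); the real table lives inside the baseband firmware.
LOCKSTATE_TABLE = {
    "310410",  # AT&T (USA)
    "20801",   # Orange (France)
    "26201",   # T-Mobile (Germany)
}

# MCCs whose MNC is three digits long. Simplification for the example:
# North American MCCs (310-316) use 3-digit MNCs, most of the rest of the
# world uses 2-digit MNCs. A real parser carries a per-MCC length table.
THREE_DIGIT_MNC_MCCS = {str(m) for m in range(310, 317)}

# An IMSI is all digits, at most 15 of them; 6 is the minimum to hold MCC+MNC.
IMSI_RE = re.compile(r"^\d{6,15}$")


def split_imsi(imsi: str) -> tuple[str, str, str]:
    """Split an IMSI into (MCC, MNC, MSIN).

    MCC is always 3 digits; MNC is 2 or 3 digits depending on the MCC;
    whatever remains is the MSIN (subscriber identifier).
    """
    if not IMSI_RE.match(imsi):
        raise ValueError(f"malformed IMSI: {imsi!r}")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    mnc = imsi[3:3 + mnc_len]
    msin = imsi[3 + mnc_len:]
    return mcc, mnc, msin


def sim_permitted(imsi: str, lockstate_table=LOCKSTATE_TABLE) -> bool:
    """The check the article describes: is the card's MCCMNC in the
    lockstate table? True -> the modem registers on the network;
    False -> the GSM part is blocked. Only MCC+MNC is consulted, never the MSIN."""
    mcc, mnc, _msin = split_imsi(imsi)
    return (mcc + mnc) in lockstate_table


def describe(imsi: str) -> str:
    """Human-readable summary for running the block by hand."""
    mcc, mnc, msin = split_imsi(imsi)
    verdict = "registers" if sim_permitted(imsi) else "GSM part blocked"
    return f"IMSI {imsi}: MCC={mcc} MNC={mnc} MSIN={msin} -> {verdict}"


if __name__ == "__main__":
    # Constructed IMSIs: one AT&T-shaped, one for an operator not in the table.
    for sample in ("310410123456789", "262021234567890"):
        print(describe(sample))
```

The point worth noticing is how little the check depends on: the subscriber part of the IMSI is ignored entirely, so the whole lock is a set-membership test on five or six digits, which is exactly why the article's next paragraphs can talk about patching that one spot in the firmware.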
Therefore, to use the cellphone with any operator, this verification must be avoided. The only method is to find the place in the firmware of the GSM-part and modify it so that, regardless of which MCCMNC code is contained in the ICCID, the verification is always successful.
So the complete copy of the firmware of the GSM-part (the dump) is read out, the zone in it which has to be modified is located and modified, and after that the existing firmware is erased and the modified one is written back.
OK, and the cellphone is unlocked.
It would seem: what is the role of the bootloader here?
The key moments in the process of unlock are the erasure of the old version and the writing of the new one. In the past it was possible to do this using the secpack from the current version, but now it is necessary to have the secpack from the next version. That means unlock will always be one step behind.
By the way, there is one more obvious blow: updating the modem firmware makes its unlock impossible. That is, if you had a working 1.1.2 and suddenly updated to 1.1.3, then to make calls you will have to wait until the next update with an updated GSM-modem is released.
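The secpack rule from the "Bootloader, secpack, OTB" section (>= under bootloader 3.9, strictly > under 4.6) and its consequence here (unlock is always one step behind, and updating the modem kills it) are really one anti-rollback policy, so the following added example models both together. It is not the article's code and not Apple's or Infineon's; the version-string format follows the article ("04.02_13G"), the build tag is ignored for ordering, and the NOR flash model with its three regions is a toy whose behaviour is taken from the article's description, nothing more.

```python
"""Model of the secpack check under bootloader 3.9 vs 4.6, as the article
describes it. Added example; not the article's code, not a real tool."""
import re
from dataclasses import dataclass, field

# Baseband version strings in the article's format, e.g. "04.02_13G".
BB_VERSION_RE = re.compile(r"^(\d{2})\.(\d{2})_(\w+)$")


def bb_version_key(version: str) -> tuple[int, int]:
    """Turn '04.02_13G' into (4, 2) so versions compare numerically.
    The trailing tag ('13G') is treated as a build tag and ignored for
    ordering (assumption for the example)."""
    m = BB_VERSION_RE.match(version)
    if not m:
        raise ValueError(f"bad baseband version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def secpack_accepted(bootloader: str, installed: str, secpack_for: str) -> bool:
    """Would this bootloader let a secpack signed for `secpack_for` authorise
    an erase/write of a baseband currently running `installed`?
      3.9: secpack version >= installed   (current or newer)
      4.6: secpack version >  installed   (strictly newer)
    """
    cur, new = bb_version_key(installed), bb_version_key(secpack_for)
    if bootloader == "3.9":
        return new >= cur
    if bootloader == "4.6":
        return new > cur
    raise ValueError(f"unknown bootloader version {bootloader!r}")


def unlock_possible(bootloader: str, installed: str, released: list[str]) -> bool:
    """The 'one step behind' consequence: an unlock needs some publicly
    released secpack the bootloader accepts. On 4.6, if you already run the
    newest released baseband, no released secpack is strictly newer."""
    return any(secpack_accepted(bootloader, installed, v) for v in released)


@dataclass
class NorFlash:
    """Toy NOR flash with the three components the article names. Under
    bootloader 4.6 the bootloader region becomes read-only once the
    bootloader has initialised, which is what makes an 'undo' impossible."""
    bootloader: str
    regions: dict = field(default_factory=lambda: {"bootloader": b"", "flash": b"", "eeprom": b""})
    initialised: bool = False

    def boot(self) -> None:
        self.initialised = True

    def write(self, region: str, data: bytes) -> None:
        if region not in self.regions:
            raise KeyError(region)
        if region == "bootloader" and self.bootloader == "4.6" and self.initialised:
            raise PermissionError("bootloader region is locked after initialisation (4.6)")
        self.regions[region] = data


def reflash_baseband(flash: NorFlash, installed: str, secpack_for: str, image: bytes) -> bool:
    """The erase-then-write cycle from the article, gated by the secpack check.
    Returns True if the image was written, False if the bootloader refused."""
    if not secpack_accepted(flash.bootloader, installed, secpack_for):
        return False
    flash.write("flash", b"")      # erase the existing firmware
    flash.write("flash", image)    # write the new one back
    return True


if __name__ == "__main__":
    released = ["03.01_13G", "04.02_13G", "04.03_13G"]  # constructed list
    for bl, inst in (("3.9", "04.03_13G"), ("4.6", "04.02_13G"), ("4.6", "04.03_13G")):
        print(f"bootloader {bl}, baseband {inst}: unlock possible = "
              f"{unlock_possible(bl, inst, released)}")
```

Run by hand, the last line of the demo shows the case the article complains about: bootloader 4.6 with the newest baseband installed has no acceptable secpack at all, and the `NorFlash` write guard shows why a downgrade of the bootloader itself cannot simply be written back once it has initialised.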
And yes, by the way, there is some "good" news: the pioneer of the unlock movement, Geohot, produced a detailed instruction on how to downgrade the bootloader version. This is a very risky operation, I would say. On the well-known forum hackint0sh.org there are a lot of stories about unsuccessful attempts. According to the results of the latest poll, every third attempt was unsuccessful.
Well, the teaching of the main concepts can be finished. There are a few moments left to be covered.
Applications. You have probably noticed that in the previous paragraphs we were talking only about the "native" cellphone applications. As you probably know, the native applications are not the whole story.
Of course, Steve Jobs gave the opportunity to write applications for the cellphone, but only within the Safari browser. But that was not enough.
Rather quickly the iPhone hacker community found a way to write their own applications for the cellphone. Only a few months have passed, and the number of applications is already measured in hundreds and is increasing every day.
And the life of these other applications is impossible without jailbreak.
Jailbreak is the process of obtaining complete access to the file system of the cellphone.
Initially, a user has write access only to the directory /var/root/ (where all the settings and media content of the user are kept) on the telephone. Everything could be fine, but among other things, it is forbidden to launch applications from this directory.
Jailbreak makes it possible to get complete access to all the folders and files on the cellphone (reading, writing and execution).
Now, with the release of every update, all users (including the "legal" ones) follow the news and wait for when the jailbreak becomes possible.
By the way, the application Installer became a de facto standard; its name speaks for itself, it is an installer of various extra applications. No doubt, it is the most popular and in-demand application for the iPhone 3Gs, iPhone 4 and iPhone 5 that has ever been created outside Apple.