iPhone’s been hacked! Not really news anymore. In fact, there is more than one way to do the job. Our guest, a senior software developer from motoyard.com, will walk you through the options and tell you how he hacked his iPhone and the improvements he came up with along the way. Now that he’s hacked an iPhone, I guess we can start calling him a hacker and what does every hacker need? That’s right, a handle. His is stikyy. Read on…
How to unlock the iPhone to work on any GSM provider
There are several methods out there:
1. Use the TurboSim by Bladox – this is a sim card that goes on top of your sim card to fake the AT&T IMSI ID. It fools your phone into thinking that you have an AT&T sim card. This would probably be the easiest of all methods but the problem is you cannot find these TurboSims anywhere. The manufacturer site is sold out http://www.bladox.com/ with no further information. Maybe Apple got to them?
2. Use the SIM cloning method – This is a bit harder, but the general idea is you make a copy of your SIM card but the new copy still looks like the AT&T card to the iPhone, even though it has your carrier ID and phone number. This method is a bit expensive since you need a blank SIM card (called SilverCard – sold on European sites) and a SIM card programmer. I was actually able to use my old Absolute 1 programmer (once used to test Dish Network cards) to read my T-Mobile card’s IMSI, ICC, and KI, but it didn’t work on any other cards. From what I understand the best programmer out there for this is the “Dynamite”. I haven’t tried this method personally, but it seems like it will work with the right tools. A good guide on this (and the only one I found is at http://www.pqdvd.com/blog/iphone/unlock-iphone/iphone-is-fully-unlocked-for-european-use/)
3. The hardware method – this requires you to open the iPhone and connect two points on the board, in addition to having some tech knowledge to reprogram the phone. If you have bad vision don’t try this (you’ll know why when you see this board ? ). This method is pretty involved, but it is the cheapest (almost free), and it works. This is the method I used, and as you can see from the photo it did the job.
The Hardware Method
There are a lot of good guides out there but a lot of them are missing important things… I will try to fill in the blanks, while going through it.
There are some sites out there (and all over the news) that claim they are going to come out with a software hack.. its possible, but I don’t think its coming for a while and they are going to charge you money. I am a bit skeptical about this site anyway, since their video on YouTube shows their screen with the T-Mobile logo and there are tons of tools out there that you can use to change the logo. They also mention the hardware hack, but say they will create a software one. I am sure it can be done (software), as you will see by the end of this, that there is got to be a way to save all this work ? into an image and just upgrade with iTunes. In either case, its not available yet, so this is what I did…
Supplies you will need:
1 Paper Clip
1 Tiny Phillips screwdriver
1 Utility knife
1 Guitar pick
2 Needles (yes the ones you saw with)
1 Piece of wire
1 Tiny knife / razor blade (to scrape the board)
First thing I did when I got the iPhone is activate it (fake) using iTunes. There is a good and pretty simple method for this on http://www.hacktheiphone.net/iphone_bypass_activation.html . To summarize it you install iTunes (has to be version 7.0.354 available here). You then modify itunes executable with a hex editor as describe in the above manual. If you know anything about hex – this is all you need to know:
Magic iTunes 22.214.171.124 numbers:
Offset 2048912: 33C0C3
Offset 257074: 28
Offset 257013: 33C9B1
After you are done modifying the iTunes.exe, you need to modify your “hosts” file. On Windows XP its located in Windows\System32\drivers\etc. Just add a line the says
This obviously redirects any requests to albert.apple.com (the apple activation domain) to your PC. Then you run the “fake” activation server on your PC (found here). I haven’t spent too much time thinking about how it works, but I assume it mimics the responses from Apple that iTunes is looking for. Its written in .NET so you do need the .NET framework installed to run this. I used my laptop for this (so I can keep my desktop iTunes at the latest version and not mess around with it). Activating it took literally 5 seconds. Just plug it in and its activated. No more messages about the phone needing activation. At this point you can actually have a $600 iPod (albeit WiFi, web browser and wide screen). The included SIM card will say it needs activating (since its brand new) and your other SIM card (I used T-Mobile – the only other GSM provider in the US ), you will get a message saying “Invalid SIM”. Taking out the SIM card is super simple… just take a paper clip, straighten it out and put it in the small whole on top of your iPhone. A little tray will pop out and your SIM card will be in it. After this step I just kept the SIM card out until the very end. Next I hooked up my iPhone to my PC which had the latest and real version of iTunes on it. I was asked if I want to upgrade my iPhone (if you are not asked, go to Help -> Check for Updates). I said yes and installed the latest firmware for iPhone 1.0.2. You should do this because after you do the hack, you cannot upgrade… well you could if you want to redo everything again ?. Of course if you like your iPhone with 1.0.2 on it you should never really need to upgrade – it already works, but I am sure there will be some fixes out there for bugs not yet discovered…
First things you need to do to your phone is “Jailbreak” it. Jailbreak is a tool that has been out for a while now that allows you to fully access your iPhone. Its pretty simple to use if you follow all the instructions. There are many good guides out there for this, this one is pretty good (http://www.hacktheiphone.net/iphone_first_ten_steps_to_modding_windows.html). This is a pretty standard thing now so I am not going to go into it. One thing they don’t mention anywhere is… don’t put other folders in this folder you create. If you do your phone will probably hang during the “Rebooting iPhone” step – something I found out the hard way.
After you are successful with Jailbreak, you need to install Nate True’s iPhone SSH kit. This will allow you to access your iPhone with a FTP like program (SCP). Its an SSH server for your iPhone. You will need a SCP client. I used WinSCP – its free and you can get it here. Once you download the SSH kit, unzip it somewhere on your hard drive (Create a folder on C:\ like SSH). I found it that it works smoother on local drives – some of these utilities don’t run from a network drive… Once you unzip run the “sshify-windows.bat” this will do everything just follow the instructions – very simple. Once installed you should go to your Settings -> General menu on your iPhone and set the Auto-Lock to never for the time being. You don’t want it to keep disconnecting and probably getting a different IP from your wireless router. And yes you do need a wireless router, the only way you can SCP to your phone is through the wireless. Once you enable your iPhone’s wireless, your router should assign an IP address. You can make it static if you like, just make sure the static address is one that’s not going to get assigned to another DHCP client. This way you always know what your iPhone’s IP is. Its not required though, dynamic works fine. Just go to your Settings -> WiFi on the iPhone and expand you network. You will see the IP address there – that is what you are going to use in WinSCP to connect.
Host name: your iPhone’s IP address
You should change your password after you are done, since anyone who knows this default password can log into your iPhone and break it… It’s a bit tricky to do, but worth it if you don’t want anyone hacking into your iPhone.
Now you need the “binkit”. These are linux binaries compiled for the iPhone – Makes your iPhone into almost a fully capable linux system. The binkit is available here, just download it unzip it (I used WinRAR to do it on Windows). Put it into a some folder on your computer. You will need to copy these files (mimicking the directory structure) to your iPhone using WinSCP. A good guide is here http://www.hacktheiphone.net/iphone_installing_binkit_mac.html – its for a Mac but essentially it’s the same process. Just make sure (and they don’t mention this) you set the permissions properly. You need to give root execute permissions or everything else won’t work. I missed this (since its not mentioned anywhere), and had to go back and figure out why I can’t run these tools later. Just set the Execute permissions for root user. You can right click and go to properties in WinSCP once the files are copied to set this.
You can also install the “Installer”, you don’t really need it at this point but it’s a cool thing to have and I think (not sure) some packages you’ll need are there (like binkit). Its available here http://iphone.nullriver.com/beta/. Installing is easy – just like any other application, just copy the Installer.app folder to your Applications directory on the iPhone using WinSCP and you will see the shortcut for it on the home screen (aka Springboard).
Reboot your iPhone…
Get and install a Hex Editor tool like HexEdit. Available as part of this RAR http://rapidshare.com/files/51207171/Geohack.rar . You will need almost all the files in this RAR. So keep it. If you already activated using the Hex hack you will have a hex tool installed already.
Get and install Putty. This is a client you can use to “Telnet” to your iPhone and execute commands. Download here. For connection info it’s the same. Your iPhone’s IP, username = root, password = dottie (unless you already changed it).
Unrar this folder somewhere – make a directory called GeoHack RAR. Copy the files from bin folder to your iPhone’s /bin folder. A lot of these will already be there since you installed the binkit.
Next copy the termcap extracted from this RAR to /usr/local/etc (you might need to create the directory structure)
Next copy bbupdater from RAR to your iPhone’s /bin directory. Make sure you give Execute permissions to root.
Copy the files from NORDumper from the rar to /usr/bin on your iPhone. Make sure you give Execute permissions to root.
Copy the contents of the folder ieraser from the rar also to /usr/bin on your iPhone. Make sure you give Execute permissions to root.
Copy the files in the folder iunlocker from ther rar to /usr/bin. Make sure you give Execute permissions to root.
Next go to /System/Library/LaunchDaemons on your phone. Copy the com.apple.CommCenter.plist from your iPhone to your computer (don’t loose this file). Note the permissions this file has and then delete it from the iPhone. If you can’t delete, check the permissions. You need to delete this file to complete this hack.
Reboot your iPhone…
Start Putty, connect to your iPhone.
minicom – s
This won’t run if you didn’t copy termcap. Make sure root has permissions to read it. You can just set it for everyone to be safe. Once in minicom,
Select serial port and type A
Press Escape, Select “Save setup as dfl”, select “Exit to minicom”
Once here, type “AT” no quotes and hit enter… you should get an “OK”
Now all your setup is done…
Open the iPhone. Yes, take it apart. There are some good instructions here. The short story, push down the black cover, unscrew 3 screws and popup the silver back cover. I made it sound simple than it is – it does take some time if you want your iPhone undamaged. Use the guitar pick to pry it open (or a credit card). I had my iPhone on the whole time, so if you do be careful not to short out anything.
Once the covers are off take off the metal cover above the battery, just use a utility knife or something sharp, but be careful.
This will expose the board
Now construct your “unlock tool” take the two needles and connect them with a piece of wire. If you have a tester, check for continuity.
Now scrape the top layer off the board to expose the red line drawn above. Be carefull, if you scrape too hard you might cut it and mess up your brand new toy… I guess it can be re-soldered back but you will see how tiny this thing is – it’s not that simple.
Once you have these two points on the board touch them with the needles. One on the capacitor (1.8v), and one somewhere on the red line in the picture above. At this point you should still have minicom open. All you have to do is touch and release. To see if you did it right, type AT again in minicom and you should not get an OK, it will actually look like its hanging. Now you can exit minicom. Press Ctrl+A, then X.
Now back at the prompt type:
Now go back to minicom (just type minicom, no –s). Try AT again, you should get an OK. If you got it then your needles were done right… It took me a couple of tries so don’t get discouraged.
Exit minicom and go back to the prompt. Type:
This step will take a while – 10-20 minutes, so go take a break now…
After NorDumper is done
Start the Hex Editor and open the file ICE03.14.08_G.fls (included in the rar)
Select the range from 000001A4-000009a4. In the taskbar the selection should show 1A4-9A4.
Goto menu edit–> select copy to file. name the file : secpack
Upload this file to /usr/bin on the iPhone
Back at the prompt type:
copy the dump.bin from /usr/bin to your PC
Open this file with the Hex Editor
Select the range 00020000-00304000
In the taskbar it should show 20000-304000 (if not do the selection again)
Goto menu edit–> select copy to file. name the file : nor
Open this file (nor) with the hexeditor.
Find the row 215148 and change 04 00 A0 E1 to 00 00 A0 E3
Save the file, and upload it to /usr/bin
You should still be in /usr/bin at this point. Now you will need to touch the needles together again. This time you have to keep them in place, while going to the prompt again and typing:
Iunlocker will stop/hand at some point (if it doesn’t your needles are not touching the right spots). When it halts, release the needles, type in any character and hit enter. You will see a bunch of hex numbers scrolling – this will take a while.
After that’s done on the prompt type:
It should show some happy message…
Now the last steps. Open minicom again. Type:
In minicom type:
This should give you a response 0.
Congratulations, now you are AT&T free.
Now remember that com.apple.CommCenter.plist file you saved earlier? You need to put it back to /System/Library/LaunchDeamons and set the correct permissions.
That’s it. Remember if the iunlocker step does not hang just try again. No problem.
You can also always restore your iPhone from iTunes, just reboot (same as you do for jailbreak, but have iTunes open instead of jailbreak) this should completely restore your phone. Just remember this will wipe out all you’ve done.
Check out www.hacktheiphone.net they have a lot of good guides.