iPhone: Breaking the Chains

Unlocking iPhone

Although people use the term 'Unlock' there are three parts to unlocking your iPhone: Jail Breaking, Activation and Unlocking. The Guide (link below) outlines all the steps. Here is just my understanding of what happens under the hood. Its always good to undertake a through research before attempting to mod expensive stuff!! Note: And, although the word iBrick is thrown around a lot on many forums its not the right word to use in most situations. An iBrick is a paperweight that will NEVER become an iPhone. Most people who mess up can recover their phones or wait until a way is discovered. A true iBrick is when there is NOTHING that can be done. Pic will follow soon..

The iPhones:

Arati's: OTB 1.1.1 Randa's: OTB 1.0.2, Upgraded to 1.1.1

The Guide:

http://hackint0sh.org/forum/showthread.php?t=11833 http://hackint0sh.org/forum/showthread.php?t=12817 (Same but possibly clearer/detailed instructions)

Things To Download:

- Install iTunes (7.4) from: http://www.apple.com/itunes/download/ - Install Microsoft .NET Framework 3.0 from: http://www.microsoft.com/downloads/details.aspx?FamilyID=10CC340B-F857-4A14-83F5-25634C3BF043&displaylang=en

Check the Phone Version!!:

Before you start make sure - You have the iPhone system software 1.1.1 pre-installed OTB (out of the box)
Turn on the phone and slide to unlock the keypad. The iPhone screen should show that only emergency calls is allowed. Enter the following key sequence: *3001#12345#* and then finish by pressing the Call button. Tap on Versions. The firmware version of iPhone will be shown on LCD screen.
  • 03.12.06_G = v 1.0.1
  • 03.14.08_G = v 1.0.2
  • 04.01.13_G = v 1.1.1
[ If you can get to the menu then check under Settings -> General -> About ]
- If you have version 1.0.2 then follow this:
Download the iPhone 1.1.1 firmware (152.3MB) - Hold down the Power and Home buttons until you hear the disconnect tone (that is the two tone sequence indicating that a USB device has disconnected). - Then release the power button and continue holding the home button until you hear a quick pair of connect and disconnect tones, then release the home button. Then iTunes will detect an Iphone that needs to be restored. - Press Shift key on the computer while you click on restore. It will show you a window to select the firmware. Select the 1.1.1 firmware file you downloaded before. - Let it restore/upgrade. This takes a while. Be Patient

The Process: Under The Hood


The iPhone system is sandboxed and doesn't allow installation of 3rd party applications or any outside code. Breaking into the iPhone and getting root access to the system is called 'JailBreaking'. How Jailbreaking is Acheived:The Safari Mobile browser has a TIFF exploit which causes the browser to crash leaving the user with root access. (Details: http://blog.metasploit.com/2007/10/cracking-iphone-part-2.html) If the phone had not been activated then you are not allowed to get to the menu, you are only allowed to make emergency calls. Besides that, even if we get to the browser, we need internet access to be able to deploy the exploit. But, there are always ways around things :) The guide outlines the steps to enable wi-fi so that we can visit the website that will deploy the exploit causing Safari to crash. Once the browser crashes we will be waiting in the wings to run TouchFree that will take advantage of the root access that the exploit left phone in. TouchFree recognises the iPhone connected to the computer the same way that iTunes does. It's IMPORTANT to make sure that iTunes can recognise the iPhone. Once you confirm that iTunes can recognise the iPhone then kill iTunes, iTunesHelper.exe and iPodService.exe services from the task manager and then run TouchFree. With the 1.0.2 iPone upgraded to 1.1.1 I was stuck on Step 2 and I had to re-run the 1.1.1 update to get iTunes to recognise the iPhone. After gaining root access 'TouchFree' also enables SSH and SFTP, installs AppTapp Installer, Trip1Pogostick, and an alpha version of SummerBoard. (TouchFree: http://www.slovix.com/touchfree/) Once we have access to the phone system, we can go ahead with Unlocking and Activation. The guide does the unlocking first and then activation.


Thanks to TouchFree we can use Putty or WinSCP to SSH into the phone and muck around the phone system. Using SSH the SIM Unlocking program 'AnySIM 1.1' can be copied over and the run. At this point you need to ensure you have your new SIM (non-AT&T SIM) put in the phone. (How To Change SIM: http://docs.info.apple.com/article.html?artnum=305746) AnySim will 'unlock' the phone and allow us to use other network carries like Rogers, etc. instead of AT&T. When the guide says CHMOD something to some number they mean: In WinSCP, right click the file > properties and enter 0755 (or the specified number) in the 'Permissions: Octal box' [NOTE: chmod 0755 file – equivalent to u=rwx (4+2+1),go=rx (4+1 & 4+1). The 0 specifies no special modes.]


The contract between AT&T and Apple states that the phone will be used only with that carrier. So we need to fool the phone into thinking that this SIM has been verified and activated by AT&T. We use iASign to fake an AT&T activation of the phone. We need to overwrite the public certificate on the iPhone with the one provided with iAsign and then run iASign from the Command Prompt. Thats It! Stay Tuned for Setting up the iPhone with Rogers settings