Finally: Unlock for iPhone 1.1.2 and 1.1.3

Since early this morning, iPhones can be unlocked. The same 17-year-old who achieved the original iPhone unlock in August of last year, George “Geohot” Hotz, managed to free the latest versions of Apple's phone, which were already being sold as unlocked on Mercado Libre anyway.


Early this morning he published his discovery along with the tools to do it. They are command-line tools and you must SSH into the device, which is not so simple for most mortals. But not many hours passed before a simple and easy way to do it in 15 steps appeared. Below you can see the original version in English and the method for unlocking the iPhone.


The unlock works with any device that came from the factory with firmware 1.1.2 or 1.1.3 and bootloader 4.6 (the latter had been declared unbreakable by several other hackers, ha). Note that if your device came from the factory with firmware 1.1.1 or earlier, it has bootloader 3.9 and you must not use this unlock. For that there are several unlocks that work perfectly, such as anySIM.

The full instructions, with step-by-step screenshots of every stage, can be found on the iClarified page (although it may be hard to get in, since their server is being hammered by people eager to use their brick).

In short, your device must already be activated and have the Installer application installed, be on firmware 1.1.2 (or downgrade from 1.1.3 to 1.1.2), then add http://installer.iclarified.com to Installer's list of sources, and finally install the unlocker “Geohot Unlock (1.1.2, 1.1.3)”. They warn that your iPhone must have Auto-Lock set to “Never”.

Analysts estimate that Apple has lost between US$300 and US$400 million in revenue because of unlocked devices. In our view, if Apple had decided to avoid carrier lock-ins, it would be selling three times as many devices, with revenues far exceeding what it is losing.

Legend has it that yesterday George Hotz was angry at life and decided to do something productive. He sat in front of his computer for 24 consecutive hours, sleeping only 3 hours in two stretches, until he cracked the mystery. This young genius definitely deserves applause and support so that he keeps giving these gifts to the community. Geohot is accepting donations via PayPal at his email: geohot@gmail.com.

Link: How to Unlock Your 1.1.2, 1.1.3 OTB iPhone (thanks Cm!)

Friday, February 8, 2008

11246unlock, good enough for the prize

OMG Updated to be more idiot proof.

Full software unlock of 1.1.2; the impossible (or at least I said so). Here it is; instructions are in the package. I guess I really am becoming a good reverser ;-)

Yes, the impossible has been done. This has absolutely *nothing* to do with JerrySim or any elite/dev/zibri etc. project. I’ll start with a little story. Yesterday I was really pissed off. So I figured I’d channel my anger toward something productive; I don’t know, something like a 1.1.2 software unlock. I knew the odds were against me, but I figured I’d try anyway. At about 1 last night, I hardware “upgraded” a 3.9 phone to 4.6 with the bootrom locations blank, the read command patched to work, and a 0x102 read arbitrary memory command.

The first exploit I found, at around 4 AM last night, was the -0x20000 exploit. Just like the -0x400 exploit, but -0x20000. Go figure. I guess Apple thought big numbers were harder to guess. I was really pumped, hence the blog post. But that wasn’t even half the battle.

Like I said in the “impossible” post, 0x3C0000 can’t have a valid secpack to allow booting. I spent the next 16 hours finding a way to do this. I can already write unsigned to the main fw section; all I need is a way to erase the secpack. My first idea was the eeprom secpack: upload the eeprom, endpack it, and the secpack is erased because the eeprom is “clean”. But you can’t upload an eeprom secpack until the 0x3C0000 is blank. My next idea was that the bl must erase the secpack before writing it. So a simple timing attack should do it. It turns out that no secpacks, even the same one, will write.

I finally found a working exploit about 23 hours into my search for the software unlock. The explicit addresses 0xA03D0000-0xA03F0000 will always erase. This exploit relied on two things: the secaddrs are copied before the secpack is validated (stupid), and the erase command extends the range to whatever is in the secpack. So I tell it to erase 0xA03D0000-0xA03F0000, the erase command sees 0xA03C0000 to 0xA03F0000 in the secpack; BOOM, secpack erased.

The third minor concern was the full range check of 1.1.3. So use 1.1.2 :) This allows full unsigned code execution, it is a relatively simple matter of patching the bootloader to skip the range check. And while you are at it, patch the bootloader to validate all tokens. IPSF style unlock w/o touching the seczone.

So, that’s 24 hrs to a software unlock, with about 3 hrs of sleep in two segments. I am disappointed in the elite/dev team for not finding this, or even looking here. I know not everyone in elite/dev is so closed, and I feel bad for those people. Why don’t we all just share everything? Apple will patch it anyway. They always have the upper hand. And whatever happened to the dev wiki?

If you were giving money to the “dev team” for this software unlock, why not give it to the guy who actually found the exploits and exploited them?
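As an added illustration (not Geohot's code and not the real baseband bootloader), the C model below shows the ordering flaw the post describes, a range copied out of the secpack before the packet is validated and an erase that widens to that range, beside a hardened version that validates first and never widens a request; the addresses, names and the toy signature check are constructed stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model; addresses, names and the signature check are illustrative only. */
#define SECPACK_BASE 0xA03C0000u   /* region holding the secpack (model value) */
#define SECPACK_END  0xA03D0000u
#define FLASH_END    0xA0400000u
#define GOOD_SIG     0x5EC0DEu     /* toy signature that passes validation */

typedef struct {
    uint32_t sec_start, sec_end;   /* "secaddrs": range the packet claims to cover */
    uint32_t sig;                  /* stand-in for the packet signature */
} secpack_t;

static uint32_t g_sec_start, g_sec_end;   /* range latched from the last uploaded secpack */
static bool secpack_valid(const secpack_t *p) { return p->sig == GOOD_SIG; }

/* Flawed ordering: the range is copied out before the packet is validated, and a
   failed check leaves it latched for later commands to use. */
static bool upload_secpack_flawed(const secpack_t *p) {
    g_sec_start = p->sec_start;
    g_sec_end   = p->sec_end;
    return secpack_valid(p);
}
/* Flawed erase: widens the requested range to whatever the latched secpack says. */
static bool erase_flawed(uint32_t start, uint32_t end, uint32_t *out_s, uint32_t *out_e) {
    if (g_sec_start < start) start = g_sec_start;
    if (g_sec_end   > end)   end   = g_sec_end;
    *out_s = start; *out_e = end;
    return true;
}

/* Hardened ordering: validate first, latch only on success, clear on failure. */
static bool upload_secpack_fixed(const secpack_t *p) {
    if (!secpack_valid(p)) { g_sec_start = g_sec_end = 0; return false; }
    g_sec_start = p->sec_start;
    g_sec_end   = p->sec_end;
    return true;
}
/* Hardened erase: never widens the request; an erase that overlaps the secpack region
   is only allowed when a validated packet authorises a range covering it. */
static bool erase_fixed(uint32_t start, uint32_t end, uint32_t *out_s, uint32_t *out_e) {
    if (start >= end || end > FLASH_END) return false;
    bool hits_secpack = start < SECPACK_END && end > SECPACK_BASE;
    bool authorised   = g_sec_start != 0 && g_sec_start <= start && end <= g_sec_end;
    if (hits_secpack && !authorised) return false;
    *out_s = start; *out_e = end;
    return true;
}
```

The flawed path turns an erase of 0xA03D0000-0xA03F0000 into one starting at 0xA03C0000 once an unsigned packet claiming that range has been uploaded; the hardened path honours the request as asked and refuses any unauthorised erase of the secpack region.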

iPhone | How to Unlock Your 1.1.2, 1.1.3 OTB iPhone
Friday, 8th February 2008, 11:02 am
Instructions on how to unlock your 1.1.2 OTB and 1.1.3 OTB iPhone!

These instructions assume that you have already jailbroken the particular firmware you would like to be on. This works from 1.1.2 or 1.1.3 firmware! You can find instructions on how to do that here:
Jailbreak 1.1.2: Windows, Mac
Jailbreak 1.1.3: Installer, Windows, Mac
Downgrade 1.1.3: Windows, Mac

Also, you can only follow these instructions if you are on a 4.6 BL iPhone. This means that your iPhone came with 1.1.2 or 1.1.3 Out of the Box. PLEASE MAKE SURE YOU DON’T DO THIS ON A 3.9 BL IPHONE!

IMPORTANT*: You must have enough disk space free on your iPhone to install this package. Otherwise Installer may display a beach ball and then crash to the Springboard. You need space free on your ROOT file system. Your root file system is about 267M-300M in size. It’s NOT the 7.3G file system! A tutorial on how to do this can be found here.

Finally, you need BSD Subsystem installed from the Installer app (System Category). This most likely will already be installed, especially if you did the 1.1.3 soft update…

If you have 1.1.3 OTB follow the downgrade link above to downgrade and jailbreak your iPhone.

Step One
Add iClarified to your Installer sources. You can find instructions on how to do that: here

Step Two
Press the Settings icon on your Springboard.

Step Three
Press to select General from the Settings list.

Step Four
Press to select Auto-Lock from the General Menu.

Step Five
Press to select Never from the Auto-Lock Menu.

Step Six
Press the Home button to return to your Springboard. Press the Installer icon to launch Installer app.

Step Seven
Press to select the Install tab at the bottom of the screen.

Step Eight
Press to select iClarified from the list of Categories.

Step Nine
Press to select Geohot Unlock(1.1.2, 1.1.3) from the list of Packages.

Step Ten
Press the Install button at the top right hand corner.

Step Eleven
Press the large red Install button that appears.

Step Twelve
You will receive notice that process will take 5 minutes and you must have Auto-Lock set to Never. If you have already done this then you can press the large OK button.

Step Thirteen
You will see a status of Starting the unlock…. You will also lose Wi-Fi during this time. The phone will stay on this status for a few minutes.

Step Fourteen
You will then receive a Notice saying “Your iPhone has now been unlocked!”. Press the large OK button!

Step Fifteen
You will be returned to the Categories Menu. Press the Home button to return to your Springboard.

You are done! Unlocked iPhone :) Huge thanks go to Geohot for developing this. He truly is a genius. You can donate to him: here.

NOTES**: I personally tested this on my 1.1.2 OTB iPhone which was DEV updated to 1.1.3! Also it has been tested on 1.1.3 OTB by Viper! (Thanks!).

Also, if you are having a problem with your dialer crashing after this tutorial, it is likely that you are in an unsupported country. Either install iWorld from Installer or preferably add your country to AppSupport. You can do this by following this tutorial: http://www.iclarified.com/entry/index.php?enid=565
