Monday, December 13, 2010

Unlocking the iPhone (and lessons learned)

Phone: iPhone 3GS

Started: iOS 4.1 / Baseband ??.??.?? / Jailbroken & not unlocked

Finished Product: iOS 3.1.3 / Baseband 6.15.0 / Jailbroken & unlocked running T-Mobile

Tools: iReb-4.0.x-4.1, redsn0w 0.9.6b, iTunes 9.2.1 & 10.1, ultrasn0w 1.2, TinyUmbrella, XP & 7

Picked up an iPhone 3GS on Craigslist for my dad in India this weekend. It was jailbroken on iOS 4.1 but not unlocked, which meant it couldn't be used outside AT&T in the US. What started out as a quick hack to do the carrier unlock turned into a dedicated weekend project resulting in the phone being nearly bricked.


The Cult of saurik
For those who have never jailbroken an iPhone before (like me), it is a challenging and very good learning experience. Unlike the first iPhones, which needed a hardware unlock, today's jailbreak and unlock is just a software hack. All the tools that you need are available on the Web (and free). Unless you have no idea what you're doing, there shouldn't be a need to pay someone to unlock one.


The basics: Jailbreaking is done to run any code on the iPhone, not just software authorized by Apple and delivered over iTunes. Unlocking an iPhone is the process by which you can run the phone on any carrier, not just AT&T (in the US). Jailbreaking affects iOS by patching the phone firmware, whereas unlocking is done by exploiting vulnerabilities in the baseband, i.e. the modem firmware. However, to unlock an iPhone it is necessary to first jailbreak it and install Cydia, the rogue app store. Once Cydia is set up, ultrasn0w can be downloaded to unlock the iPhone.

Current State: iOS 4.1 / Baseband ??.??.?? / Activated / Jailbroken & not unlocked


Rookie Mistakes & Panic Attack #1
After getting the iPhone home, I immediately noticed that it was jailbroken and running ultrasn0w but couldn't figure out why it wouldn't accept my T-Mobile SIM card. The reason, I found out later, is that ultrasn0w does not unlock all versions of the baseband. Figuring that jailbreaking again couldn't harm the phone, I downloaded redsn0w 0.9.6b and tried unlocking the phone. My source so far was just YouTube videos made by 13-year-olds. I must've not done the process correctly, as my iPhone went into recovery mode showing only the Apple logo on the screen.


Not knowing what happened, I googled this and it took me to a website which suggested that I reboot the phone and let iTunes restore it from recovery mode. Here's where I made my first mistake - letting iTunes download the latest version of iOS (4.2.1) and install that on the phone. Once that happened, the phone went into the unactivated state and would only accept an AT&T SIM to activate it.


Current State: iOS 4.2.1 / Baseband 5.14.04 / Un-activated


Saturday morning, I went to the AT&T store to see if I could get a pre-paid SIM to activate the phone. The rep informed me that a pre-paid SIM could not be used to activate an iPhone and I'd need a new 2 year plan (which I believe is untrue). I decided to make the $25 investment on the pre-paid SIM as the last resort and see if I could hacktivate the phone in any other way.


Here's where I learnt something very interesting. You can download all the versions of the iPhone's firmware from Apple's website to be used by redsn0w to jailbreak your phone. But jailbreaking without activating the phone is useless. Also, once iOS 4.2.1 is set up on the phone, Apple will NOT allow you to downgrade to a lower version. To do that, you will need a piece of software called TinyUmbrella, which fools iTunes into authenticating locally instead of the downgrade getting rejected by Apple's servers. I could go on for hours about how I had to resurrect an old machine running XP to use TinyUmbrella, but I will spare you that for now.


Even after downgrading to iOS 4.1, the phone would not activate without an official Apple SIM. After some additional research, I found a website with an activated version of iOS 3.1.3. To get this firmware on the iPhone, I needed to have TinyUmbrella for the Apple server caching and iTunes 9.2.1. It took a while but it worked! I had an activated & jailbroken iPhone running iOS 3.1.3. But Apple doesn't give up that easily. When I first upgraded to iOS 4.2.1 I must've unwittingly upgraded my baseband to 5.14.04 which is not unlockable by ultrasn0w.

Current State: iOS 3.1.3 / Baseband 5.14.04 / Activated but locked


Bricks and stones may break my iPhone ...
The only way out now was to upgrade to the iPad baseband 6.15.0. The iPhone dev team has big warnings about this - do not upgrade to this version yet as there is no way to come back to v5. Also, this voids the warranty on the phone (doesn't concern me). Still, there wouldn't be a good story to tell if I didn't do it. But somewhere along the process, everything froze and all I got was the iPhone back in recovery mode. Restoring to the iOS 3.1.3 firmware again, I realized that the iPad baseband did not get patched correctly and my Wi-Fi, Bluetooth and cellular functions were all disabled. I was running a glorified iPod touch.


Current State: iOS 3.1.3 / Baseband **Broken**

Upgrading back to the factory 4.2.1 was not helpful. The phone would not even show the activation screen and stayed on the Apple logo. Now I had a semi-bricked iPhone in my hands. iReb could not put the phone in DFU mode, and for some reason iTunes could not restore the phone even to the unactivated state. Rebooting everything helped, but iOS could not be restored to its original state.


Current State: Bricked?

Finally, after some research, I found a custom 4.2.1 firmware which worked and brought the iPhone back to the activation screen. It still wouldn't show the IMEI number, which meant that the baseband was still messed up. Next, jailbreaking using redsn0w and restoring the iPad baseband 6.15.0 (it worked this time) got me to the activation screen showing the IMEI number. The only thing that would hacktivate my iPhone at this point was downgrading to 3.1.3, which I did as outlined before. Finally, installing ultrasn0w unlocked the 6.15.0 baseband and voilà! I had an iPhone 3GS running on T-Mobile.


Current State: iOS 3.1.3 / Baseband 6.15.0 / Jailbroken & unlocked running T-Mobile (Yay!)

For now, I'm going to stick with iOS 3.1.3. Hacktivated iOS 4.1 is supposed to have battery drain issues and I don't think my father will miss multi-tasking too much.


Lessons learnt:
1. Learn thy jargon. I'm usually pretty thorough about this, but before I started toying with the iPhone, I had no idea that the firmware was different from the baseband. I did not know which basebands could be unlocked by ultrasn0w. I also did not know that you could do a custom restore of iOS by clicking Shift + Restore in iTunes. Had I known these things, the unlock process would have gone much more smoothly.

2. Trust the hackers. When the iPhone dev team advises you to not upgrade to the 6.15.0, DON'T UPGRADE TO 6.15.0. At the same time, I had no choice given that the phone had already upgraded to baseband 5.14.04 for which there is no known unlock.

3. Know thy tools. I was surprised to see that there are dozens of tools out there depending on what you want. iReb, limera1n, purplera1n, blackra1n, TinyUmbrella, redsn0w, ultrasn0w, sn0wbreeze ... the list goes on. Most of them are pretty easy to use.

4. YouTube is the new Google. There are dozens of videos on YouTube showing you how to unlock the iPhone. Produced by 13-year-olds and wannabe R&B artists, they're the next best thing to iPhone forums.

Update (12/26/2010): Got Backgrounder from Cydia. Bye Bye iOS 4.1