Hi all,

yesterday i was upgrading my unlocked iPhone from version 1.0 to version 1.0.2. During the upgrade something went wrong, so iTunes let me restore the phone, after which the phone was SIM-locked again.

Today, i openend and unlocked the bugger a second time, using Cracker's needle tutorial (I didn't want to solder again, because soldering these tiny little PCB tracks and components is a real pain in the ass).

At the end of the unlock process, before the AT+CLCK="PN",0,"00000000" is issued, i entered a AT+CLCK="PN",2 just to see if the modem is responding to minicom.

Surprise surprise: The modem was already unlocked, because it returned +CLCK: 0.

So my understanding, that the locks are saved in the permanent memory of the phone has been proofed. I'm now able to draw some important conclusions:

1. AT+CLCK removes the locks - but not all of them. The status of the locks is saved in the permanent memory of the modem, and is most likely surviving a restore or upgrade operation.
2. Because not all locks are removed, GeoHots firmware patch is still needed during operation of the modem.
3. Any further firmware update to a newer version than 03.14.08_G is most likely to lock the phone again, because the patch is removed.

This might also be true for Turbo-SIM-unlocked phones, as Apple might issue an upgrade of the modem firmware which is periodically re-evaluating the IMSI to check for a valid AT&T SIM card. The TurboSIM-trick to fake the IMSI for the first couple of validity checks - and to switch to the non-AT&T-SIM for normal operation - wouldn't work anymore.


BOTTOMLINE:

NEVER EVER UPGRADE YOUR GEOHOT-UNLOCKED PHONE TO A NEWER SOFTWARE VERSION, IF THE UPGRADE CONTAINS AN UPGRADE OF THE MODEM FIRMWARE, OR YOUR PHONE WILL BE SIM-LOCKED AGAIN. BE ALSO CAREFUL IF YOU ARE USING A TURBOSIM.



Sorry for the bad news!

cu/

Sergeij

thanks for the detailed description of the "problem" but I think this was already clear: if there is a newer modem firmware the baseband firmware will be overwritten.
the interesting point will be to find out if a update contains a new modem firmware or if not ...
to avoid another opening of the iPhone I'll install a reed contact that can be operated by a small magnet from outside as already discussed in the hardware subforum.

That the FW will be overwritten by a newer version was indeed clear. But the usage of the official unlock command AT+CLCK="PN",0,"00000000" with a bogus unlock code was giving me the impression that all locks are removed, that the FW patch is only used to bypass the validation of the unlock code - and that the firmware can be upgraded once the unlock has been done.

There is a way to find out if an upgrade contains a new modem software:

When iTunes announces a new update, download the restore-image (start the restore and disconnect the iPhone as soon as the download begins) and grab the image from your 'Library/iTunes/iPhone Software Updates' folder.

Change the extension from ipsw to zip, and unzip the image. You will find two .dmg-files, one containing the RAM-disk, the other one containing the OS (which is much larger than the RAM-disk).

Convert the smaller dmg:

dd if=<name_of_smaller_dmg> of=ramdisk.dmg bs=512 skip=4 conv=sync

and mount the converted disk image ramdisk.dmg.

Locate the directory /usr/local/standalone/firmware. The file with the extension .fls contains the modem firmware, the name of the file contains the version number. If you see something different from ICE03.14.08_G.fls, the update most likely contains a new version of the modem firmware.

cu/

Sergeij

cu/

Sergeij

Surely this is the key to software unlocking?

If a new BB firmware can reverse unlocking, surely a modified BB firmware will unlock it? We would just need to trick the updater into re-flashing?

This must be it. Anyone able to include the patched firmware file in the existing itunes restore image? Then force full-restore of your phone using the adjusted firmware package. anyone?

The dmgs in the software package are digitally signed. Nobody was able to crack the signature yet. It's quite easy to apply the patches to the content of the RAM-disk dmg file - and zip the whole thing back into an ipsw. But the iPhone is not accepting the patched files, because the signature is wrong.

cu/

Sergeij

How about faking newer baseband updates with the old ICE03.14.08_G.fls? Open the restore image, open ramdisk, delete newer baseband, copy & rename old baseband to new name, store in restore image and restore the iphone.

You'll get a new firmware and the old baseband, do you?

__________________
dragon-tmd

It won't work because bbupdater is comparing versions before flashing.

And perhaps even the bootloader is doing that - so I don't want to patch it in bbupdater and end up with a dead baseband before I'm sure

Otherwise my daily spam for all your update needs http://iphone.fiveforty.net/wiki/ind...Update_Service

If you already have 1.02, restoring through iTunes should be fine though, yeah? I'm too scared to even try after all that work unlocking it.

As far as i know it's possible to upgrade from 1.0.1 to 1.0.2. Some people told me that the actual version of the modem is checked - and that the modem firmware is not upgraded if it has the same versioin like the upgrade-image.

But if something fails during the update - and you need a full restore - i really don't know what is happening. I personally will wait until somebody else walked through the mine field of doing the restore

cu/

Sergeij