Discuss [PwnageTool 2.0][2.0][iPhone 2G] Is There a way to change the IMEI ? at the PwnageTool - Hackint0sh.org
-
[PwnageTool 2.0][2.0][iPhone 2G] Is There a way to change the IMEI ?
In my country the only way to use an export phone is exchanging its IMEI with a local one. That was the way I used for my iPhone until today. After I pwned my phone with PwnageTool 2.0, no available IMEI changer (Ziphone, iLiberty etc.) works with my phone.
My baseband is unlocked but I can't make calls because of my carrier's blockage.
I have to solve this problem because I don't want to downgrade to 1.1.4.
I need your help. Thank you.
Any help will be highly appreciated.
-
-
Which country is that, may I ask?
This is the first time I hear you have to change IMEI with a local one.
Changing IMEI is illegal in many countries.
-
-
My country is Turkey. I should register it in the airport to be able to use it but I forgot.
So I found an old phone and use its IMEI.
BTW, I changed my iPhone 1.1.4 IMEI with Ziphone.
-
FWIW, I think you should have the device registered correctly.
Ziphone is something you DON'T want to go near.
-
-
Registration is not that easy. You can only register 1 phone per passport per 2 years. I had to replace my comm-board and bam! I have to wait 1.5 years and then go abroad and back to register a new IMEI.
-
I know it causes problems and Zibri is a shame for the hacker community,
but that was the tool which has an IMEI change feature so I've used it.
Now I have to find a tool or write my own to flash the newest baseband with the specific IMEI. If you know something about it or have any idea, I'd appreciate it.
-
-
Wow I did not know of such registration limit in other countries ...
Thanks for sharing the story.
I hope someone can step in to create something to help you guys out.
-
-
-
Some random investigation into this. NOTE: I really don't know much about this, so PLEASE don't do anything I suggest below until you get confirmation from someone who does know.
I looked at the source code to ziphone (as it currently exists in svn - not sure how up-to-date this is). It appears that when you use the "-i IMEI" command-line argument, it ends up sending the following command to the iPhone console:
setenv imei IMEI_FROM_COMMAND_LINE
When I say the 'iPhone console', I believe this is the command line that is accessed via 'recovery mode' (part of iBoot?). He uses the function "sendCommandToDevice" from the "iTunesMobileDevice.dll" to send it.
This same function is used to send other things to the device - like "setenv boot-args ...".
I assume the "setenv" console command stores the item into flash (non-volatile storage) somewhere.
I know that once you are booted into the normal iPhone OS (at an ssh prompt), if you use the "nvram -p" command, you can see a "boot-args" item. Is this referencing the same non-volatile memory as the 'recovery mode' console?? I have NO idea.
If it *is*, then maybe "nvram imei=IMEI" from the ssh prompt, followed by a "reboot" would work?
If the non-volatile area used by the 'recovery mode' console is different than what is used by the 'nvram' command, then maybe a tool like 'iphuc' or something could be used to gain access to the 'recovery mode' console (and then you could issue "setenv imei IMEI")??
Just some ideas. Maybe someone with more complete knowledge can help further.
P.S. I'm just trying to help someone who seems to have a legitimate need for this in Turkey - I'm NOT suggesting that people use this illegally (although, I suppose the use in Turkey is probably a bit shady as well).
- Paulb
-
I could be wrong in the above post.
I googled for "nvram imei", and found George Zhu's blog. In it, there's some sort of unlocking script that uses the output of "nvram imei" to pass as an argument to the "gunlock[23]" commands (these commands presumably talk to the baseband).
So, it's possible that Ziphone is just storing the imei in flash for later use by the "gunlock" command (just a convenient place to store it across the boot process).
This would mean that doing so now (without a subsequent gunlock command) would have no effect.
So, my suggestion of using "nvram imei=IMEI" likely would have no effect. I suppose I should have done some more Googling before I posted.
- Paulb
-