Difference between revisions of "Unlock"
Revision as of 02:44, 31 July 2008
This is the process by which the iPhone baseband is modified to accept the SIM card of any GSM carrier. It is entirely different from a jailbreak.
Locking Process
At +0x400 in the seczone, a token is stored encrypted with the NCK.
Official Unlock
At +0x400 in the seczone, a token is stored encrypted with the NCK. Apple, knowing the NCK, sends it using an activation token over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" command and decrypts the token with the generated key. If the result, after RSA-decrypting with Key 2, is a valid token for the phone, it is stored back to flash TEA-encrypted but not RSA-decrypted. On startup, if the lockstate table says the phone is unlocked, it validates that RSA token.
Old AnySim Patch (1.0.X)
This patch disabled signature checks. So the RSA signature would always validate, the phone would always appear to be unlocked, and every NCK would appear to be valid. This caused problems if NCKs other than all zeros were used. The virginizer was written in response to the corruption this caused, because the baseband wouldn't run unless it was patched.
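As an added illustration (not code from The iPhone Wiki, from Apple, or from any unlock tool), the following Python models the token flow described under Official Unlock and the corruption described for the 1.0.x patch. It is a constructed stand-in: TEA is replaced by a SHA-256 counter keystream, the RSA signature by an HMAC, and the assumption is made that the phone can regenerate a per-device storage key at boot so the re-encrypted token can be validated without the NCK. The names `Seczone`, `handle_clck`, `boot_check`, `derive_key`, `xor_crypt` and all key values are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-ins; none of this is the real baseband's key material.
APPLE_SIGNING_KEY = b"constructed-stand-in-for-apple-rsa-key"
PHONE_ID = b"constructed-phone-identity"
# Assumption: a per-device key the baseband can regenerate at every boot.
PHONE_STORAGE_KEY = hashlib.sha256(b"per-device-key|" + PHONE_ID).digest()
SIG_LEN = 32


def derive_key(nck: str) -> bytes:
    """Stand-in for the key the baseband generates from the NCK."""
    return hashlib.sha256(b"nck-kdf|" + nck.encode()).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for TEA: XOR with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sign_token(phone_id: bytes) -> bytes:
    """Stand-in for Apple's RSA-signed token: identity || MAC."""
    return phone_id + hmac.new(APPLE_SIGNING_KEY, phone_id, hashlib.sha256).digest()


def token_is_valid(token: bytes, phone_id: bytes) -> bool:
    """The 'RSA' check: signature must verify and the token must name this phone."""
    if len(token) != len(phone_id) + SIG_LEN:
        return False
    body, sig = token[:-SIG_LEN], token[-SIG_LEN:]
    expected = hmac.new(APPLE_SIGNING_KEY, body, hashlib.sha256).digest()
    return body == phone_id and hmac.compare_digest(sig, expected)


class Seczone:
    """Model of the seczone: the token at +0x400, encrypted under the
    NCK-derived key at manufacture, plus the lockstate table entry."""

    def __init__(self, real_nck: str):
        self.token_blob = xor_crypt(derive_key(real_nck), sign_token(PHONE_ID))
        self.unlocked = False


def handle_clck(sz: Seczone, nck: str, verify_signature: bool = True) -> bool:
    """Process AT+CLCK="PN",0,"<NCK>".  verify_signature=False models the
    1.0.x patch, under which the signature check always succeeded."""
    plain = xor_crypt(derive_key(nck), sz.token_blob)
    if verify_signature and not token_is_valid(plain, PHONE_ID):
        return False  # wrong NCK: fail closed, seczone left untouched
    # Store the still-signed token back, re-encrypted under the storage key.
    sz.token_blob = xor_crypt(PHONE_STORAGE_KEY, plain)
    sz.unlocked = True
    return True


def boot_check(sz: Seczone) -> str:
    """Startup: if the lockstate table says unlocked, re-validate the token."""
    if not sz.unlocked:
        return "locked"
    plain = xor_crypt(PHONE_STORAGE_KEY, sz.token_blob)
    return "unlocked" if token_is_valid(plain, PHONE_ID) else "locked"


if __name__ == "__main__":
    sz = Seczone("12345678")
    print("wrong NCK accepted:", handle_clck(sz, "00000000"), "->", boot_check(sz))
    print("right NCK accepted:", handle_clck(sz, "12345678"), "->", boot_check(sz))
    damaged = Seczone("12345678")
    handle_clck(damaged, "00000000", verify_signature=False)
    print("after unchecked write, boot says:", boot_check(damaged))
    print("real NCK still works:", handle_clck(damaged, "12345678"))
```

With the check in place a wrong NCK changes nothing; with it removed, a wrong NCK causes garbage to be written back over the only copy of the token, so once a correct check is restored the phone reads as locked and the genuine NCK can no longer repair it. That is the state the virginizer had to undo.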
New AnySIM Patch (1.2+)
This patch, also known as the ignore MCC/MNC patch, makes every MCC/MNC pair appear valid. This patch is overwritten on a reflash of the baseband and doesn't touch the seczone at all.
IPSF
This patch changed the lockstate table to read unlocked and created a spoofed RSA token that was seen as valid by BL3.9. It overwrote your previous token, which means the phone could no longer be officially unlocked unless the token was restored from a previously made backup. Since the token isn't modified by a baseband flash, this unlock survived a baseband downgrade or upgrade. Apple attempted to combat this by requiring the AT+CLCK command to be sent on every startup. In a properly unlocked phone, lockdownd does this. In a late-version IPSF phone, signal.app does this.