Tutorial:Re-Provisioning iPhone 4 using file system (Incomplete)
Prerequisites
You need:
- Jailbroken iPhone 4G CDMA with OpenSSH installed.
- SSH client.
- pList Editor
- In order to obtain 3G (EVDO)/MMS on the CDMA iPhone, the Carrier and PRI signatures must be bypassed, either by patching CommCenter or by other methods. As of right now, CommCenter in the 4.2.6 firmware for the CDMA iPhone has been patched to bypass Carrier signatures. Still looking into how to bypass the PRI signature.
- To be clear, re-provisioning your iPhone is in NO WAY illegal. Since you do NOT have to rewrite/modify/change the MEID on the phone because carriers such as Cricket, MetroPCS, Pageplus, Pocket and a few other carriers. AGAIN, TO BE CLEAR, IT IS 100% LEGAL TO RE-PROVISION YOUR CDMA iPhone TO OTHER CARRIERS AS LONG AS YOUR CARRIER IS WILLING TO ACCEPT THE iPhone's MEID.
- I DO NOT condone illegal rewriting/modifying/changing of any ESN/MEID on any phone; this post WILL NOT teach you how to do that, and WILL NOT ever get you close to doing anything of the sort. If that is your intention then you have come to the wrong place. This posting is 100% for legal unlocking of the CDMA iPhone for carriers willing to accept the iPhone's ESN/MEID into their database.
Setting Up Windows
1. Download Tunnelier, WinSCP, or PuTTY. In this guide we will be using Tunnelier.
Download Tunnelier Here
2. In order to connect via SSH you must have a Wi-Fi connection set up. Turn on your phone and your phone's Wi-Fi by going to Settings, Wi-Fi, and connect to your network's Wi-Fi connection.
3. In this example we will connect to linksys. Once connected you will have the Wi-Fi icon in the status bar at the top. Click on the blue > icon to show details about the connection. Write down or remember the "IP Address". In this example mine is 192.168.1.103; yours might be similar.
4. Install Tunnelier and launch it. Set up your settings similar to this; remember to use your "IP Address" and not mine, which was just an example. See screenshot.
Username: root
Password: alpine (the default root password; change it with "passwd" from the Shell window once you are logged in)
5. Press the login button, and you will be presented with two new windows. A "Shell" window and an "Explorer" window.
6. You are now connected to the iPhone4 CDMA using Tunnelier and SSH.
Manually Updating PRL
1. Using the explorer window in Tunnelier browse to "/System/Library/Carrier Bundles/iPhone/Zeppelin_US.bundle".
File Contents / Size
- 310VZW.dmu: 260 bytes
- 310VZW.pri: *** bytes
- 310VZW.prl: *** bytes
- carrier.plist: *** bytes
- ERI.plist: *** bytes
- info.plist: *** bytes
2. Backup all the files to your HDD and make another backup of them. This is so you don't have to restore the phone in case something goes wrong.
3. To manually update the PRL to your new carrier's PRL, obtain your carrier's PRL from Google. In this example I will be using the Cricket_42500.prl
4. Rename your PRL to 310VZW.prl and upload it to "/System/Library/Carrier Bundles/iPhone/Zeppelin_US.bundle", making sure to overwrite the original 310VZW.prl
5. Open carrier.plist in a pList editor. For Windows I use "pList Editor". Look for "PRL Push Flag" and enable "True".
Normally <key>PrlPushFlag</key> <false/>
Switch to True <key>PrlPushFlag</key> <true/>
6. Save the newly edited "carrier.plist". MAKE SURE NOT TO CHANGE ANYTHING ELSE. You will break the signature if you do. After you save, upload and overwrite the old "carrier.plist" found in "/System/Library/Carrier Bundles/iPhone/Zeppelin_US.bundle". Reboot your phone.
7. Once the phone completes rebooting you "WILL NOT" have service. That's normal. You will now need to "SSH" back into the phone and edit the "carrier.plist" boolean to say "false" like it originally was.
8. After you have uploaded the new "carrier.plist" with the boolean as "false" this time, reboot the phone again.
9. Once your phone powers on, check the PRL version by dialing *#5005*4357#, send. Your carrier's new PRL should now be installed.
10. After the new PRL is loaded you must contact your carrier to add the phone to your account. As of right now there is no known method to manually program the MDN, MIN or SYSID into the phone like most other CDMA phones. So you must do an OTA activation to program these features. Please NOTE: if OTA does not work in your area even after manually loading the PRL, you will not be able to currently program the iPhone onto your plan until a method for writing the MDN and MIN at least has been found.
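A check for steps 5 to 8, as an added example that is not part of the original tutorial: it rewrites only the "PrlPushFlag" value token in an XML "carrier.plist" and confirms that every other key still matches the backup. The sample plist is constructed, the function names are hypothetical, and the real file is assumed to be an XML plist containing a single "PrlPushFlag" key.

```python
import plistlib
import re

# Key plus its boolean value; group 1 keeps the key and original whitespace.
FLAG_RE = re.compile(rb"(<key>PrlPushFlag</key>\s*)<(?:true|false)/>")

# Constructed sample; a real carrier.plist has many more keys.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PriVersion</key>
    <string>00.01.023</string>
    <key>PrlPushFlag</key>
    <false/>
</dict>
</plist>
"""

def _without_flag(node):
    """Copy a parsed plist with every PrlPushFlag entry dropped."""
    if isinstance(node, dict):
        return {k: _without_flag(v) for k, v in node.items() if k != "PrlPushFlag"}
    if isinstance(node, list):
        return [_without_flag(v) for v in node]
    return node

def verify_only_flag_changed(backup: bytes, edited: bytes) -> None:
    """Raise ValueError if anything except PrlPushFlag differs from the backup."""
    if _without_flag(plistlib.loads(backup)) != _without_flag(plistlib.loads(edited)):
        raise ValueError("carrier.plist differs from the backup outside PrlPushFlag")

def set_prl_push_flag(raw: bytes, enabled: bool) -> bytes:
    """Rewrite only the flag's value token, leaving all other bytes untouched."""
    if raw.startswith(b"bplist"):
        raise ValueError("binary plist: convert it to XML before editing")
    if len(FLAG_RE.findall(raw)) != 1:
        raise ValueError("expected exactly one PrlPushFlag entry")
    token = b"<true/>" if enabled else b"<false/>"
    edited = FLAG_RE.sub(lambda m: m.group(1) + token, raw)
    verify_only_flag_changed(raw, edited)
    return edited

if __name__ == "__main__":
    pushed = set_prl_push_flag(SAMPLE, True)       # step 5: flag on
    restored = set_prl_push_flag(pushed, False)    # step 7: flag off again
    print(restored == SAMPLE)
```

"verify_only_flag_changed" can also be run on the backup and on a file saved from a GUI plist editor before uploading it.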
Modifying The PRI
First things first. As of right now the PRI needs to be signed. There is no way of getting the phone to write the PRI back to the phone until the signature is either figured out or bypassed.
You can open the PRI using a "pList" editor. In my case for Windows I use "pList Editor". The PRI contains information about the carriers, ERI, EVDO, NAM, OTA features, and other misc stuff.
1. Will write more.
2. For those wondering: after you edit the PRI, you need to increment it in "carrier.plist" by 1, where it shows "PRI Version".
Original: <key>PriVersion</key> <string>00.01.023</string>
New: <key>PriVersion</key> <string>00.01.024</string>
3. Once you change the file version to 1 number higher, just restart the phone. You can check that it tries to write by enabling "syslog". The problem is that it needs to be signed, so it currently just crashes the baseband until you revert the PRI version back to 00.01.023.
Modifying The ERI
Reserved...
Hidden Dialer Codes
1. *#5005*4357#, Send [4357 = help] Displays the PRL and PRI version
2. *#5005*74663#, Send [74663 = phone] Displays your current MDN
3. *#5005*25327#, Send [Unknown] Just flashes the screen
4. *#5005*274#, Send [Unknown] Displays nothing but has a dismiss button.
5. *#5005*7828#, Send [Unknown] Just flashes the screen
6. *#5005*78283#, Send [Unknown] Looks like debugging log.
7. ##2539, Send [2539 = Akey] SPC Password = 0's. Allows you to enter a new Akey.
8. *#5005*342444#, Send [342444 = Diag maybe] Displays, Enabled: False, Enabled During Sleep: False, History: 131072KB
9. *#5005*3424255#, Send [3424255 = Diag All] Displays, Enabled: False, Enabled During Sleep: False, History: 131072KB
10. *#5005*3424#, Send [3424 = Diag] Displays, Enabled: False, Enabled During Sleep: False, History: 131072KB
11. *#5005*5667#, Send [5667 = Loop] Displays LoopBack Call UI Enabled=false
Possible other codes, unable to figure out how to get them to work.
74663* 62255* 62* 22* 7672* 86* 75337278# 7533762# 778# 2267# 5264# 22# 7672# 86# 2673# 27844# 278255# 278# 6244# 62255# 62#