iPhone Unlock and Version History

Views 333 Likes Comments Comment
Like if this guide is helpful

Apple iPhone Versions - the complete guide

This guide was primarily intending for UK users but there is information that will help other people too.
P.S. Please vote Yes if there was any useful info, its only 1 x click at the bottom of the guide :-)

Brief History:
The Apple iPhone first launched in the USA back in July 2007.

Apple has followed up with EU launches, starting with the UK & Germany with France to follow on November 29th.

To date all versions of the iPhone have been unlockable through varying techniques which are described below. Many of the earlier unlock's have been superseded,  so you need to be careful that you are not downloading or following old information if you are a newcomer to the iPhone scene.

Apple have updated the iPhones Operating System and Modem Flash in an effort to prevent the various unlocking hacks but there continues to be tools to exploit all versions. The longest period of time  where-by an unlock was not possible was when Apple started selling iPhones with a new bootloader. This coincided with the EU phone launches and all EU phones shipped with bootloader 4.06. This has however was compromised

Some people get confused with what all the versions numbers refer to, so I will explain this as they are crucial to your understanding of where you stand with a particular handset!

Operating System Firmware - the first phones shipped with 1.0 , this was quickly followed up by 1.0.1 , 1.0.2 , 1.1.1, 1.1.2, 1.1.3 and at the time of the last edit, the most up to date version is 1.1.4.
The Operating System is basically the part of the firmware update that contains bug fixes and updates to the core system, including new functionality like when the iTunes Music Store turned up in version 1.1.2. The main firmware update sometimes also contains a Modem Flash (see below).

Modem Flash - this is the part of the phone that is modified to get them unlocked. These are the versions so far ICE03.12.06_G ,  ICE03.14.08_G ,  ICE04.01.13_G , ICE04.02.13_G , ICE04.03.13_G and ICE04.04.05_13G.
All of these modem versions are unlockable!

BootLoader - this is the part of the phone that you need to access in order to re-flash the modem firmware. These are the versions so far BOOT03.01_M2S1 ,  BOOT03.08_M3S1 ,  BOOT03.09_M3S2 and BOOT04.06_M3S2.  There was a time when the unlocking tools only worked up to bootloader 3.09 but even Bootloader 4.06 has also been compromised by the excellent work from Geohot.
Currently (as of Mar '08) Apple has only changed the Bootloader at manufacturing stage, they haven't updated the Bootloader through a software update like the Modem Flash. Only the USA iPhones shipped with earlier 3.x Bootloaders, the EU iPhones started shipping with Bootloader 4.06.

Jailbreaking - This is the hackers term for gaining Read/Write access to the phones file system. This is the first step necessary so that other hacking can be done. When the iPhone is restored or updated with a firmware update, the first partition of the phone (where the O/S resides and files are executable) is R/O (Read Only).

Activation - A new out of the box iPhone is locked out of the main display (called the SpringBoard where all the applications reside) and you only have access to the "Emergency Calls" screen. On a legitimate account, activation is done through iTunes. When the phone is activated, it opens up the phone to the SpringBoard where all the phones applications are accessible.

Unlocking - So, in order, if you don't have a genuine iPhone Tariff, your phone needs to be jailbroken, activated and unlocked. The unlocking as with previous mobile phones refers to the modem part of the phone being unlocked to use other GSM networks. In its "Locked" state, you can only use the phone with the network provider the handset was originally locked down to (in the USA this was AT&T, in the UK, its o2). There have been various methods used to bypass the network lock on the iPhone. Some of the methods, in fact most of them to-date are not a true "unlock", they are means of either fooling the phone or bypassing the checks the phone makes!

Unlocking Method History Follows (in order):

SuperSIM
The first unlock method was through the "SuperSIM" method. This involved finding v1 Netwok SIM's (SIM's in the UK needed to be older than around 5 years). These SIM's could have the KI extracted and this method involved cloning the SIM (which is illegal). Whilst SIM cloning is illegal, the only reason the hackers cloned the SIM was so it could be used in a PIC Card which had an additonal program on board to achive the "SIM Proxy" type hack. This led onto the Bladox TurboSIM being utilised to achieve the same goal.

Bladox TurboSIM
The SuperSIM method above required programming hardware, PIC Cards, a version 1 SIM etc. Not possible for everyone to find or use. So the "SIM Proxy" software was re-created to work in a Software Development Tool that already existed called the Bladox TurboSIM. This is an ingenious product that was made some years ago for the legitimate SIM Toolkit that is supported by most of the GSM phone industry. Back when phones were not so sophisticated,  the SIM toolkit gave companies other than the phone manufacturer the ability to add applications to a phone handset (accessible through the phones menu's). The "SIM Proxy" software was written for the Bladox TurboSIM and called "applesaft". The Bladox TurboSIM sits inside the phones SIM tray along with your network SIM. The chip on the TurboSIM allows code to run within the phones SIM Toolkit interface. All "applesaft" does is when the phone boots up and checks the SIM in the phone is a legitimate SIM (for the network lock), the applesaft program replies with the correct details to satisfy the phone. From then on , the applesaft program lets your network SIM communicate as per normal.

Original Baseband Hardware Unlock
The first true unlock of the iPhone was the hardware unlock. This method involved opening the phone up and manipulating the memory address lines whilst running some software tools to fool the phone into allowing the baseband to be re-written. The memory address line manipulation caused the phones software to read from higher point of memory (that was erased) thus allowing the phones security measures to allow a re-write of a modified baseband with an NCK of "00000000". The NCK is a secret code only Apple knows to allow an official baseband unlock. By flashing a modified baseband with a known NCK, you were able to use the official unlock routines and supply the known NCK to unlock the phone.
This was a bit short sighted though and it was later discovered that although this hack worked, not all of the usual unlock security information was updated as it would be through an official unlock. This resulted in the issue where-by if you updated later on, you would end up with an IMEI starting "0049" and your phone would need "re-virginising".

First Software Unlock
The first software based unlock came from a company abbreviated to IPSF. They managed to find an exploit in the phones RSA security that would allow the baseband to be modified without the need for the address line manipulation that the hardware unlock relied on. They wrote an application that would basically zero out certain information in the phones Seczone to accomplish a similar unlock to the baseband, making the phone "unlocked" and not "lockable".

First Free Software Unlock
All of the above methods rely heavily on the excellent work of the iPhone Dev Team community. This is a team of people working on tools and manipulations to give the public access to the iPhone through getting access to the phones operating system (jailbreaking) and bypassing the network locks to use the phone functionality (unlocking). The Dev Team produced a free software utility that re-flashed the baseband in a similar way to the hardware unlock. It started out with various names but ultimately ended up becoming the AnySIM GUI application. The first version of this tool has the same problems as the hardware unlock, not all of the security measures were met which caused IMEI problems when Apple released updated versions of the phones operating system (version 1.1.1 upwards). Fortunately, other members of a second Dev Team called "Elite" wrote tools to correct the problems and this method of correction became known as "Virginising the phone" (putting the baseband back to a virgin state).

Second Free Software Unlock
The Dev Team refined the AnySIM application to use a completely different method to unlock the phone. Instead of manipulating the NCK routines, they simply bypass the network lock check so the phone is never really unlocked in the true sense of the word. In fact this method bears a much closer resemblance to the "SIM Proxy" method than it does to unlocking the phones baseband!
AnySIM version 1.1 and above is considered safe but is only usable on phones with baseband 3.x.

Gunlock
Short for Geohot Unlock. Following on from Geo's original Hardware unlock method, Gunlock was a major breakthrough by the iPhone hacker Geohot. Originally kicked out from the iPhone dev team for being a bit too free with information, Geohot has worked worked closely with others to develop tools which are still used today in varying forms to manipulate the phones baseband. Whilst Geohot is not officially on the Dev Teams member list, there is a mutual respect and they do talk and collaborate behind the scenes. The tools behind Geohot's Gunlock were the first to exploit Bootloader 4.06 and are currently being used to unlock nearly every iPhone at the time of writing. Other people have put command line and GUI wrappers around Gunlock but dep down this is what is being used to unlock your phones in the majority of cases today!

ZiPhone
This is a typical example of a wrapper of Gunlock. Ziphone is written by another iPhone hacker that goes by the name of Zibri. Ziphone basically wraps up a number of things into one package. It loads a temporary bootable Ramdisk onto the phone that includes a script and files that jailbreaks, activates and unlocks the phone. Its a nice tool for novices but the Ramdisk concept it is heavily based on is likely to be addressed in a future update. This shouldn't affect phones already unlocked but might mean Ziphone's days are numbered if Apple prevents unsigned Ramdisk's being used, although this may only be possible through Apple making hardware modifications.

Coming up
The iPhone Dev Team have managed to put together a customised ipsw. This is the file that is a packaged up version of the iPhones Firmware Update. When you update the iPhone through iTunes, it downloads an ipsw from Apple and deploys it to the iPhone. Being able to push a customised version of the ipsw to the iPhone through iTunes has been on the cards (or a wish-list shall we say) since day one, but Apples security measures only allowed their own signed firmwares to be used. It has been several months since the hacking started and with the majority of information being public, hackers have been able to bounce off each other and I firmly believe that this latest development is only now possible through all of the previous hacking developments and progress made since last July.

The iPhone Dev Team have promised to make the customised ipsw hack available after the next Apple software release (imminent in March '08) which should coincide with Apple's own Software Development Kit for the iPhone.


Un-Sung Hero's
There are so many people that were/still are involved with the various tools used today to complete an iPhone Jailbreak, Activation & Unlock. There is one guy that has been pinnical to all the methods mentions above. He speaks to few and tries to keep as anonymous as he can. He goes by the nick of "Gray", anyone who has been able to make use of an Apple iPhone without being tied to the official contract (that they may well be unable to afford) has a lot to thank this guy for. Gray & Geohot have worked together on the baseband with Gray doing a lot of the original reversing and Geohot releasing the software tools!!


Deciphering the iPhone Serial Number:

The iPhone serial number is made up of of 4 parts.

An example (but made up) Serial Number:  7T739ABCWH8

Using the above example:

Digits 1,2 & 3 "7T7" are the year and batch number.
Digits 4 & 5 "39" are the week number.
Digits 6,7 & 8 "ABC" are the unique part of the serial number for each phone.
Digits 9,10 & 11 "WH8" refer to the model, WH8 being the 8Gb model.


Identifying versions through the Serial Number:

The Serial Number is visible on the bottom of the box through the shrink wrap. Since the launch, importers like myself relied on the Week Number to identify what versions might be on the phones. When the OS version 1.1.1 first came out, we were tracking what week numbers would still be 1.0.2 and which would be likely to have 1.1.1 out of the box (OTB). The switch over in this example was around week 39.

Another time when checking the serial number was crucial was when the USA phones started shipping with Bootloader 4.06. This was around week number 45. Again this is not a concern at the moment now that BL 4.06 has been exploited.

The EU phones started shipping with week numbers earlier than 45 but remember all phones outside of the USA had bootloader 4.06 from the start so checking the week number and hence bootloader versions is only necessary for the USA phones.

Alternative way's to identify:
If you have an opened box, iPhones shipped with 1.1.2 or higher scroll the "Emergency Call' message in different languages. Previous versions had a static "Emergency Call" message, just in English.



Footnote:

I will try and add more details as things change.

The data in this guide was correct at the time of writing November 2007.

Updated January 24th 2008.

Updated March 4th 2008.



Have something to share, create your own guide... Write a guide
Explore more guides