Unlock

From The iPhone Wiki
Revision as of 02:31, 31 July 2008 by Drg (Proper Unlock)

This is the process by which the iPhone baseband is modified to accept the SIM card of any GSM carrier. It is entirely different from a Jailbreak. Unlocked iPhones may be relocked when the baseband firmware is updated.

Locking Process

At +0x400 in the seczone, a token is stored encrypted with the NCK.

Official Unlock

Apple, knowing the NCK, sends it inside an activation token over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" command and decrypts the stored token with the key generated from that NCK. If the result, after RSA decryption with Key 2, is a valid token for this phone, it is stored back to flash TEA-encrypted but not RSA-decrypted. On startup, if the lockstate table says the phone is unlocked, the baseband validates that RSA token.
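The CLCK flow above, modelled as an added example (not code from The iPhone Wiki or from any baseband). Everything below the page's own facts is an assumption: the NCK-to-key derivation (SHA-256 here), TEA in ECB mode over an 8-byte-aligned token, a textbook RSA "Key 2" built from two small Mersenne primes, a one-byte lockstate at offset 0, a 16-byte identity payload, and a boot check that is handed the NCK again (the page says lockdownd re-sends CLCK at startup on properly unlocked phones). The phone identity and NCK values are constructed placeholders.

```python
import hashlib
import struct

# Toy RSA "Key 2": two Mersenne primes give a ~234-bit modulus for demonstration
# only; the real baseband key is far larger and is not on the page.
P, Q = (1 << 107) - 1, (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # Apple-side signing exponent (toy)
SIG_LEN = 32                            # N < 2**256, so a signature fits in 32 bytes
PAYLOAD_LEN = 16                        # assumed size of the signed identity payload
TOKEN_OFFSET = 0x400                    # token location in the seczone, per the page
LOCKED, UNLOCKED = 0x01, 0x00           # lockstate byte values are an assumption

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def tea_block(v0, v1, key, encrypt=True):
    """One 64-bit TEA block, 32 rounds; key is four 32-bit words."""
    k0, k1, k2, k3 = key
    total = 0 if encrypt else (DELTA * 32) & MASK
    for _ in range(32):
        if encrypt:
            total = (total + DELTA) & MASK
            v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
            v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        else:
            v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
            v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
            total = (total - DELTA) & MASK
    return v0, v1

def tea_ecb(data, key16, encrypt):
    """TEA over 8-byte blocks in ECB mode (assumed; the baseband's real mode is not described)."""
    key = struct.unpack(">4I", key16)
    out = b""
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(">2I", data[i:i + 8])
        out += struct.pack(">2I", *tea_block(v0, v1, key, encrypt))
    return out

def nck_key(nck):
    """Assumed key derivation: the page only says a key is 'generated' from the NCK."""
    return hashlib.sha256(nck.encode()).digest()[:16]

def payload_hash(payload):
    # 192-bit digest so the signed value is always below the toy modulus N
    return int.from_bytes(hashlib.sha256(payload).digest()[:24], "big")

def apple_make_token(phone_id, nck):
    """Apple side: sign the phone's identity, then wrap it under the NCK-derived TEA key."""
    payload = phone_id.encode().ljust(PAYLOAD_LEN, b"\x00")
    sig = pow(payload_hash(payload), D, N).to_bytes(SIG_LEN, "big")
    return tea_ecb(payload + sig, nck_key(nck), encrypt=True)

def rsa_token_valid(token, phone_id):
    """'Key 2' check: RSA-verify the signature and confirm the payload names this phone."""
    payload, sig = token[:PAYLOAD_LEN], token[PAYLOAD_LEN:]
    recovered = pow(int.from_bytes(sig, "big"), E, N)
    return recovered == payload_hash(payload) and payload.rstrip(b"\x00") == phone_id.encode()

class Seczone:
    """Toy seczone: a lockstate byte plus the NCK-encrypted token at +0x400."""
    def __init__(self, phone_id, encrypted_token):
        self.phone_id = phone_id
        self.flash = bytearray(TOKEN_OFFSET + PAYLOAD_LEN + SIG_LEN)
        self.flash[0] = LOCKED
        self.flash[TOKEN_OFFSET:] = encrypted_token

    def clck(self, nck):
        """Handle AT+CLCK="PN",0,"<NCK>": decrypt, verify, and only then persist."""
        key = nck_key(nck)
        token = tea_ecb(bytes(self.flash[TOKEN_OFFSET:]), key, encrypt=False)
        if not rsa_token_valid(token, self.phone_id):
            return False             # wrong NCK decrypts to garbage; nothing is written
        # store back TEA-encrypted with the RSA signature intact, then flip the lockstate
        self.flash[TOKEN_OFFSET:] = tea_ecb(token, key, encrypt=True)
        self.flash[0] = UNLOCKED
        return True

    def boot(self, nck):
        """Startup: if the lockstate says unlocked, re-validate the RSA token; relock on failure."""
        if self.flash[0] != UNLOCKED:
            return "locked"
        token = tea_ecb(bytes(self.flash[TOKEN_OFFSET:]), nck_key(nck), encrypt=False)
        if rsa_token_valid(token, self.phone_id):
            return "unlocked"
        self.flash[0] = LOCKED
        return "relocked"

if __name__ == "__main__":
    tok = apple_make_token("IMEI-TOY-0001", "12345678")   # constructed placeholder values
    zone = Seczone("IMEI-TOY-0001", tok)
    print(zone.clck("00000000"), zone.boot("00000000"))   # False locked
    print(zone.clck("12345678"), zone.boot("12345678"))   # True unlocked
```

The property worth noticing is in `clck`: a wrong NCK decrypts to bytes that fail the RSA check, so the seczone is never written and the lockstate never changes. That check is the only thing standing between a bad NCK and a corrupted token region, which is the failure the next section describes.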

Old AnySim Patch

This patch disabled signature checks. So the RSA signature would always validate, and the phone would always appear to be unlocked and every NCK would appear to be valid. This caused problems if NCKs other than all 0's were used. The virginizer was written in response to the corruption this caused, because the baseband wouldn't run unless it was patched.

MNC Patch

This patch, which is also what the new AnySim applies, doesn't technically unlock the phone: it makes every MCC/MNC appear valid. It is overwritten when the baseband is reflashed and doesn't touch the seczone at all.

IPSF

This patch changed the lockstate table to read as unlocked and created a spoofed RSA token that validated. It deleted your previous token, which means the phone can't be unlocked properly anymore. Since the RSA validation routine is in the bootloader, this unlock persists after the baseband has been reflashed. Apple attempted to combat this by requiring CLCK to be sent on every startup. In a properly unlocked phone, lockdownd does this; in a late-version IPSF phone, signal.app does this.