hasoon2000
1st November 2007, 02:44
iPhone 1.1.1 Software Collection!
readme
The iPhone VirginMaker
thanks to gray for reversing the iphone crypto, without him this server wouldn't work
thanks to ipsf for writing a really well designed software program
and thanks to everyone who gave me seczones to play with
Instructions
1. Download ipsf, the version doesn't really matter (attached)
a. copy SimFree.app to /Applications
b. chmod +x bbsimfree kill rm sh
2. Change your DNS server in Wi-Fi settings to 129.21.116.152 (required)
3. Run IPSF; it won't work if your flash isn't original, so bbupdate first (the fw version doesn't matter)
a. it will say invalid token/error update token, this is normal
b. if it says something else, that isn't normal
4. Go to [Only registered and activated users can see links](your imei).bin after IPSF finishes
a. use your real imei, not 0049..., example [Only registered and activated users can see links]
b. this file is your restored seczone, file size is 4096 bytes at time of writing.
5. The original geohotz gloader contains a bug which prevents it from working.
I corrected it and also wrote a simple proggy to generate a personal gloader.
Use it as "geomaker 011245000012345.bin";
you will receive "011245000012345.bin_loader" - THAT IS YOUR LOADER.
6. Now it is time to restore the seczone. Further instructions are suitable only for fw ver 1.0.2.
I am assuming that you have installed the bsd subsystem and openssh packages.
winscp the following files to your iphone (better to make some dir like /usr/u)
314fls_correct,314secpack,eeprom.eep,
bbupdater,iUnlock, 011245000012345.bin_loader (not .bin from server, but generated loader)
now putty into the phone, chdir to /usr/u
chmod +x bbupdater
chmod +x iUnlock
now execute
/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
that will unload commcenter
now execute
./iUnlock 314secpack 011245000012345.bin_loader
that will write seczone loader to phone.
now execute
./bbupdater -v
you WILL GET THE ERROR "CAN'T PING TARGER", THAT IS NORMAL !!!! THE MOST IMPORTANT THING IS THAT THE SECLOADER RAN AND RESTORED THE SECZONE
to be sure, execute again ./bbupdater -v
finally, write patched firmware in phone
./iUnlock 314secpack 314fls_correct
now execute
./bbupdater -v
it MUST show correct version !
and finally, just to be sure:
execute
./bbupdater -e eeprom.eep
that will write correct eeprom.
now execute
/bin/launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
OR
reboot your phone now - it is VIRGIN and UNLOCKED with gray's "ignore mnc/mcc" method (used in anysim11)
thx goes to geohot for server, gray for all research and code.
Disclaimer:
Your ltoken/seczone are being saved to this server.
These could contain personal information.
This is a test server, and will be taken down and have all the info deleted this Monday
The source of the server will be released then.
example output of all process on iPhone:
Using username "root".
# cd /usr/u
# chmod +x *
# ls
000000000000000.bin_loader 314secpack eeprom.eep
314fls_correct bbupdater iUnlock
# /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
# ./iUnlock 314secpack 000000000000000.bin_loader
iUnlock v43.hiBaud -- Copyright 2007 The dev team
Credits: Daeken, Darkmen, guest184, gray, iZsh, pytey, roxfan, Sam, uns, Zappaz, Zf
Sending baudrate command speed 921600
Sending Begin Secpack command
Sending Erase command
Waiting For Erase Completion...
OK
Flashing
20%
40%
61%
81%
OK
Sending End Secpack command
Validating the write command
FW are equal!
Completed.
Enjoy!
# ./bbupdater -v
Resetting target...
pinging the baseband...
baseband unresponsive to pinging
Done
# ./bbupdater -v
Resetting target...
pinging the baseband...
baseband unresponsive to pinging
Done
# ./iUnlock 314secpack 314fls_correct
iUnlock v43.hiBaud -- Copyright 2007 The dev team
Credits: Daeken, Darkmen, guest184, gray, iZsh, pytey, roxfan, Sam, uns, Zappaz, Zf
Sending baudrate command speed 921600
Sending Begin Secpack command
Sending Erase command
Waiting For Erase Completion...
OK
Flashing
01%
02%
03%
04%
05%
06%
07%
08%
09%
10%
11%
12%
13%
14%
15%
16%
17%
18%
19%
20%
21%
22%
23%
24%
25%
26%
27%
28%
29%
30%
31%
32%
33%
34%
35%
36%
37%
38%
39%
40%
41%
42%
43%
44%
45%
46%
47%
48%
49%
50%
51%
52%
53%
54%
55%
56%
57%
58%
59%
60%
61%
62%
63%
64%
65%
66%
67%
68%
69%
70%
71%
72%
73%
74%
75%
76%
77%
78%
79%
80%
81%
82%
83%
84%
85%
86%
87%
88%
89%
90%
91%
92%
93%
94%
95%
96%
97%
98%
99%
OK
Sending End Secpack command
Validating the write command
FW are equal!
Completed.
Enjoy!
# ./bbupdater -v
Resetting target...
pinging the baseband...
issuing +xgendata...
firmware: DEV_ICE_MODEM_03.14.08_G
eep version: EEP_VERSION:207
eep revision: EEP_REVISION:7
bootloader: BOOTLOADER_VERSION:3.9_M3S2
Done
# ./bbupdater -e eeprom.eep
Preparing to flash using /dev/tty.baseband at 750000 baud
Please reset target
Resetting target...
ProcessDetailUpdated: Boot-loader is active
ProcessDetailUpdated: EBL version: 3.9_M3S2 3..9
ProcessDetailUpdated: Boot mode is: CC
ProcessDetailUpdated: Baud rate set to 750000
ProcessDetailUpdated: Get flash id.
ProcessDetailUpdated: CFI stage 1
ProcessDetailUpdated: Flash ID is: 88620089
ProcessDetailUpdated: CFI stage 2
ProcessDetailUpdated: Boot process finished
ProcessOutlineUpdated: Reading SW version data
Error: couldn't retrieve version information: File not found.
Upgrade from Ź?ž/ to ™š/
Downloading EEP
ProcessOutlineUpdated: Start downloading from file eeprom.eep.
ProcessDetailUpdated: Sending sec-pack.
ProcessDetailUpdated: Load region 0
ProcessDetailUpdated: Sending end-pack.
ProcessDetailUpdated: Checksum OK.
ProcessDetailUpdated: Verify OK
ProcessOutlineUpdated: Process time was 1730 msec.
Resetting target...
Done
# ./bbupdater -v
Resetting target...
pinging the baseband...
issuing +xgendata...
firmware: DEV_ICE_MODEM_03.14.08_G
eep version: EEP_VERSION:207
eep revision: EEP_REVISION:7
bootloader: BOOTLOADER_VERSION:3.9_M3S2
Done
# /sbin/reboot
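Added example, not part of the original post or the readme: a Python check that reads a saved session transcript like the one above and reports, per command, whether the write was verified and whether a silent baseband falls where the readme says it is expected (after the loader write) or not (after the firmware write). The function names `split_steps` and `check_session` are hypothetical, and the sample log is constructed by abridging the output quoted in the post.

```python
import re

# Constructed sample, abridged from the session output quoted in the post.
SAMPLE = """\
# ./iUnlock 314secpack 000000000000000.bin_loader
FW are equal!
Completed.
# ./bbupdater -v
baseband unresponsive to pinging
# ./iUnlock 314secpack 314fls_correct
FW are equal!
Completed.
# ./bbupdater -v
firmware: DEV_ICE_MODEM_03.14.08_G
bootloader: BOOTLOADER_VERSION:3.9_M3S2
# ./bbupdater -e eeprom.eep
ProcessDetailUpdated: Checksum OK.
ProcessDetailUpdated: Verify OK
"""

def split_steps(log):
    """Group transcript lines under the '# command' prompt line that produced them."""
    steps = []
    for line in log.splitlines():
        if line.startswith("# "):
            steps.append((line[2:].strip(), []))
        elif steps:
            steps[-1][1].append(line.strip())
    return steps

def check_session(log):
    """Return (command, status, detail) for each flashing or version-query step."""
    results, fw_written = [], False
    for cmd, out in split_steps(log):
        if cmd.startswith("./iUnlock"):
            ok = "FW are equal!" in out and "Completed." in out
            fw_written = fw_written or (ok and cmd.endswith("314fls_correct"))
            results.append((cmd, "ok" if ok else "fail", "write verified" if ok else "no verify line"))
        elif cmd == "./bbupdater -v":
            m = re.search(r"^firmware:\s*(\S+)", "\n".join(out), re.M)
            if m:
                results.append((cmd, "ok", m.group(1)))
            else:
                # Per the readme, no ping reply is expected only before the firmware write.
                results.append((cmd, "fail" if fw_written else "expected", "baseband unresponsive"))
        elif cmd.startswith("./bbupdater -e"):
            ok = any(l.endswith("Checksum OK.") for l in out) and any(l.endswith("Verify OK") for l in out)
            results.append((cmd, "ok" if ok else "fail", "eeprom checksum and verify"))
    return results
```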