Baseband 1.45 International (Unlocked) and AT&T (locked) Compare.
Tamagochi
08-06-2008, 03:00 PM
Hi all,
I had the chance to have 2 iPhones 3G. One is from 3 Hong Kong, and one is from AT&T. The one from Hong Kong of course is SIM Free (unlocked) and the other is stuck with AT&T.
I have dumped both the Intel NOR flash chips which are holding the basebands using a hardware programmer and carefully compared them with the hope of finding some way to unlock.
What I could find here is:
- The flash size is 4 times bigger than the old one (16Mb instead of 4Mb).
- The bootloader 5.8 size is 0x40000 bytes instead of the 0x20000 bytes of Bootloader 3.9 and 4.6. Baseband starts at 0x40000.
- Both dumped files are identical from 0x000000 to 0xE40000, which is the end of the basebands.
- I was not able to find any bug but have done the following: wrote the whole unlocked baseband to the locked chip and soldered it back. As a result, I got IMEI 0049xxx; it was predictable because of the wrong IMEI and CHIPID. Next, I did the same but kept the seczone intact. As a result, I got IMEI, S/N, MAC address back but still got No Service. :(
So, the possibilities here are:
- The lock state is in the seczone, and its position depends on the combination of IMEI+NORID; a wrong modification may cause the 0049xx IMEI.
- The lock state is in the Processor X-Gold 608, not in the Intel NOR flash. Taking it off the board and reading it is much harder than with the Intel NOR flash.
Anyone who can help to find ways to unlock, feel free to contact me. I can give both dumped files, I can modify and patch these files, rewrite the NOR chip and solder it back with no problem.
Curious people please just wait for professionals
Thanks
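As an added example (not code from this thread or from anyone posting in it), here is a small Python script that does the kind of comparison the post above describes: hash two NOR dumps region by region, report which regions are identical, and list the 4 KiB blocks that differ in the rest. The 16 MiB image size and the region boundaries (bootloader 0x000000-0x040000, baseband 0x040000-0xE40000, everything after) are taken from the post's own numbers and are assumptions, not a verified layout; the seczone offset is not known from the thread, so it is not modelled. The two sample images are constructed in the script so it runs offline.

```python
"""Region-by-region comparison of two NOR flash dumps.

Added example. The layout below is an assumption built from the numbers
quoted in the thread (bootloader 0x40000 bytes, basebands identical up
to 0xE40000, 16 MiB part); the sample images are constructed here.
"""
import hashlib
from dataclasses import dataclass, field

IMAGE_SIZE = 0x1000000  # 16 MiB, assumed from the "16Mb" figure in the post
BLOCK = 0x1000          # report differences at 4 KiB granularity

# Assumed layout (start, end-exclusive), from the post's offsets.
LAYOUT = {
    "bootloader": (0x000000, 0x040000),
    "baseband":   (0x040000, 0xE40000),
    "tail":       (0xE40000, IMAGE_SIZE),
}


@dataclass
class RegionResult:
    start: int
    end: int
    sha256_a: str
    sha256_b: str
    differing_blocks: list = field(default_factory=list)

    @property
    def identical(self) -> bool:
        return self.sha256_a == self.sha256_b


def first_difference(a: bytes, b: bytes):
    """Offset of the first byte that differs, or None if the images match."""
    n = min(len(a), len(b))
    va, vb = memoryview(a), memoryview(b)
    for off in range(0, n, BLOCK):
        if va[off:off + BLOCK] != vb[off:off + BLOCK]:
            for i in range(off, min(off + BLOCK, n)):
                if a[i] != b[i]:
                    return i
    return None if len(a) == len(b) else n


def region_report(a: bytes, b: bytes, layout=LAYOUT, block=BLOCK):
    """Hash each region of both images; for regions whose hashes differ,
    list the block offsets that actually differ."""
    if len(a) != len(b):
        raise ValueError(f"image sizes differ: {len(a):#x} vs {len(b):#x}")
    va, vb = memoryview(a), memoryview(b)
    report = {}
    for name, (start, end) in layout.items():
        result = RegionResult(
            start, end,
            hashlib.sha256(va[start:end]).hexdigest(),
            hashlib.sha256(vb[start:end]).hexdigest(),
        )
        if not result.identical:
            for off in range(start, end, block):
                if va[off:off + block] != vb[off:off + block]:
                    result.differing_blocks.append(off)
        report[name] = result
    return report


def build_sample_images():
    """Constructed test data: two images that agree everywhere except two
    small patches in the tail region (offsets chosen arbitrarily)."""
    base = bytes(range(256)) * (IMAGE_SIZE // 256)
    other = bytearray(base)
    other[0xE80000:0xE80004] = b"\xde\xad\xbe\xef"
    other[0xFC0000:0xFC0002] = b"\xff\xff"
    return base, bytes(other)


def summarize(report) -> list:
    """Human-readable lines, one per region."""
    lines = []
    for name, r in report.items():
        if r.identical:
            lines.append(f"{name:<10} {r.start:#08x}-{r.end:#08x} identical")
        else:
            blocks = ", ".join(f"{o:#x}" for o in r.differing_blocks)
            lines.append(f"{name:<10} {r.start:#08x}-{r.end:#08x} differs in blocks: {blocks}")
    return lines


if __name__ == "__main__":
    img_a, img_b = build_sample_images()
    print("first difference at", hex(first_difference(img_a, img_b)))
    for line in summarize(region_report(img_a, img_b)):
        print(line)
```

To use it on real dumps, read both files with `open(path, "rb").read()` and pass them to `region_report`; the per-region SHA-256 values are also what you would record before and after any reflash, so that a "restored" chip can be checked byte-for-byte against the original backup rather than trusted.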
ta_mobile
08-06-2008, 03:12 PM
haha, bro. Finally found one guy doing the things the Devs laugh at, like me :D
I just did all you did and more, put the X-Gold in and out many times :D Same result but more information.
Pls contact me. We will share more information.
@Dev team: pls don't forget us.
PS: Tamagochi, don't you think 0xE80000 to the FCFC01 is interesting?
Nice work guys. Keep it up!
ta_mobile
08-06-2008, 06:53 PM
Latest news: after making some modifications on the so-called International phone BB, mine seems to be locked forever even though I made a full backup dump and restored it. So you should be very careful.
here is the proof.
http://gsm.com.vn/Admin/iPhone/IMG_0002.PNG
Anyone feel sorry to my 1400$ :D
Number_41
08-06-2008, 09:23 PM
ta
I hear you can get the fls files through the tmp when doing pwnage.
N41
shorty6boy1
08-07-2008, 02:48 AM
ouch, that's some sad money ta :(
thanks for everything though, keep it coming and I'm sure we'll soon have a software unlock :hack::hack:
ChronicProductions
08-07-2008, 02:51 AM
I put up the 2.1 5f90 keys here if anyone wants them. You want the restore ramdisk one because the firmware is in there.
http://www.theiphonewiki.com/wiki/index.php?title=IMG3_Keys_/_IVs
Use 'xpwntool' to decrypt them; if you use openssl it's messy :P
Tamagochi
08-07-2008, 10:03 AM
@ta: I did not find anything interesting in 0xE80000:FCFC01, it's outside the seczone and I had overwritten it with the International version. I don't think it plays any important role.
In your case I think you have damaged some other parts in the commboard or did not solder the NOR chip properly. It cannot be "locked forever" since you can restore the original dump file. Let's try again man!
ta_mobile
08-07-2008, 10:27 AM
Thanks. But do you know about the inter-phone in 2 conditions: iTunes Active dumped and Pwned Active dumped? The area from 0xE8 to 0xFC will be changed bro. Isn't it interesting?
And if you think my hw skill is not enough to be sure about the block, u can try this and don't tell me I harmed your phone: put the pair X-Gold and NOR from one locked phone in the Inter-phone, then restore DFU 2.0 original, sync iTunes... after that, put back the original. Tell me the result pls :D
Tamagochi
08-07-2008, 02:56 PM
@ta: I respect your hardware skill, yes I know not everyone can do that :D. I will try to do as you advise, don't tell me that my International 3G will become AT&T locked or locked forever ;). Actually, when you do a full restore there will be some log information in the NOR flash. In my opinion it does not affect anything in the lock state.
ta_mobile
08-07-2008, 03:53 PM
Maybe the data in the area 0xE8 is just log, but I don't know why my phone was pwned, then I changed that data with the Inter's one, and it's been in jail again with the emergency screen :D so that must be interesting, right? Sure it does not affect the lock state, but at least it affects the jailbroken state, right?
BR
dtube
08-07-2008, 07:41 PM
I can't wait until tamagochi tries what you did TA. :-)
I don't think it's about the lock state (lock counter) that was in the 2G.
It's something else :-) .....
ok... TA has his theory here:
http://www.hackint0sh.org/forum/showthread.php?t=48772
NaysNay
08-14-2008, 03:39 AM
Thank you :)