OTB 1.1.2 iPhone unlock: AnySIM open source?

In an effort to keep up with Apple's changes more quickly, the iPhone Dev Team
is considering open-sourcing AnySIM, its free unlocking solution for the iPhone.

In an exclusive talk with Gizmodo, iPhone Dev Team member Sam said that this move
could “open a lot of possibilities for the future,” mainly in terms of the speed of the
updates and avoiding sloppy and possibly dangerous binary patches.


OTB 1.1.2 iPhone unlock: TurboSim works!

If you are impatient and can't wait for a software unlock for your 1.1.2 OTB iPhone,
you can still unlock it with the TurboSIM method.

It has been confirmed: it works on the 1.1.2 OTB iPhone!

BUT don't expect it to be the eternal unlock solution for future firmware updates!
The TurboSIM unlocking method relies on a firmware exploit that Apple could fix.

TurboSIM is available at Bladox.com for 59 EUR.

You will need a piece of software for this unlock method.

OTB 1.1.2 iPhone unlock: Bootloader exploits!

You have probably heard that the Dev Team needs the 1.1.3 firmware update
to hack 1.1.2 OTB phones. That may no longer be the case!

Two theoretical exploits have been found in the new 4.6 bootloader!!
And you know what that means: a 1.1.2 OTB software unlock is coming very soon!

Geohot reports two possible exploits, one hardware and one software.
The coming days should be decisive!

In the meantime, read this great tutorial for 1.1.2 OTB activation.


Hardware exploit:

The version check reads from 0xA0021000 and 0xA0021004 to get the version
of the main firmware. It then compares the values: [0xA0021000] == ~[0xA0021004].
If that check fails, it ignores the version check. It is also the only bootloader access
into high flash. So when A16 goes high, pull any data line high or low.
That will cause the check to fail, and hence the version check to be skipped.
And there shouldn't be any memory accesses in the bootloader, so it'll be fine.

Software exploit:

This exploit is in the way the secpack signature is padded.
They did a lot to remove the really bad signature checking of the old bootloader
that IPSF exploited. However, the secpack still has 0x28 bytes of data at the end
that aren't checked for normal secpack sigs. The secpack sig is (0x30 header/padding,
0x14 main fw sha, 0x14 secpack sha, 0x28 unchecked padding).
So by spoofing the first 0x58 of the RSA, you can set any secpack and main fw sha hash
you want. It is very easy in exponent-3 RSA cryptosystems to spoof the first 1/3 of the
message bytes. With some clever math and brute force, the whole 0x58 can be spoofed.

These findings were reported by Geohot.
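Here is an added example (not from the original post and not Geohot's code) that models the secpack check described above and the exponent-3 cube-root trick in Python. The modulus, the 0x30-byte header value and the two firmware blobs are made up for the demo, since the page gives neither the real key nor the real header; the "clever math and brute force" that pins the remaining bytes is not implemented. The example also goes a step beyond the page's layout by trying a made-up shorter header, to show the case where the trick succeeds outright against a verifier that ignores the trailing bytes, and how a verifier that checks the whole block closes it.

```python
import hashlib
import random

E = 3                      # public exponent of the signing key (the point of the attack)
SIG_LEN = 0x80             # 1024-bit RSA, so the decoded signature block is 0x80 bytes
SHA_LEN = 0x14             # SHA-1 digest length
PAGE_HEADER_LEN = 0x30     # header/padding length from the layout quoted above

# Constructed stand-in for the public modulus: a random 1024-bit odd integer with
# the top bit set. The forgery never touches the private key, so any modulus of
# the right size will do for the demo.
N = random.Random(0x46).getrandbits(1024) | (1 << 1023) | 1

# Assumed header bytes (the page does not give the real value). The leading 0x00
# keeps every decoded block below N, which the cube-root trick relies on.
PAGE_HEADER = b"\x00\x01" + b"\xff" * (PAGE_HEADER_LEN - 3) + b"\x00"

# Constructed firmware blobs standing in for the main fw and the secpack.
MAIN_FW = b"constructed main firmware image for the demo"
SECPACK = b"constructed secpack for the demo"


def decode(sig: int) -> bytes:
    """Apply the public key, as the bootloader would, and lay out the 0x80 bytes."""
    return pow(sig, E, N).to_bytes(SIG_LEN, "big")


def expected_fields(header: bytes, main_fw: bytes, secpack: bytes) -> bytes:
    """header || SHA1(main fw) || SHA1(secpack): the part the 4.6 check compares."""
    return header + hashlib.sha1(main_fw).digest() + hashlib.sha1(secpack).digest()


def lax_check(sig: int, header: bytes, main_fw: bytes, secpack: bytes) -> bool:
    """Model of the described 4.6 check: only the leading fields are compared; the
    SIG_LEN - len(fields) trailing bytes (0x28 for the page's layout) are ignored."""
    want = expected_fields(header, main_fw, secpack)
    return decode(sig)[:len(want)] == want


def strict_check(sig: int, header: bytes, main_fw: bytes, secpack: bytes) -> bool:
    """Hardened variant: the whole block must match a fixed encoding, so no
    trailing bytes are left to absorb the rounding error of a cube root."""
    want = expected_fields(header, main_fw, secpack)
    return decode(sig) == want.ljust(SIG_LEN, b"\x00")


def icbrt_ceil(x: int) -> int:
    """Smallest integer s with s**3 >= x (binary search over ~1024-bit values)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def easy_prefix_bytes() -> int:
    """How many leading bytes the plain cube-root trick can pin for this block size.

    With s ~ 2^(8*SIG_LEN/3), rounding s up changes s**3 by less than about
    3*s**2 ~ 2^(2*8*SIG_LEN/3 + 2); only bytes above that bit position are safe."""
    return (8 * SIG_LEN - (2 * 8 * SIG_LEN // 3 + 2)) // 8


def forge_prefix(prefix: bytes) -> int:
    """Return s whose cube (unreduced, since s**3 < N) starts with `prefix`.

    Guaranteed only for len(prefix) <= easy_prefix_bytes(); longer prefixes come
    out wrong in their low bytes, which is the "clever math and brute force" part
    the notes above mention and which is not implemented here."""
    assert prefix[0] == 0, "first byte must be 0x00 so the cube stays below N"
    target = int.from_bytes(prefix.ljust(SIG_LEN, b"\x00"), "big")
    return icbrt_ceil(target)


def attempt(header: bytes, main_fw: bytes, secpack: bytes) -> dict:
    """Forge a signature for header || hashes with the plain cube-root trick and
    report whether each verifier accepts it."""
    sig = forge_prefix(expected_fields(header, main_fw, secpack))
    return {
        "pinned_bytes": easy_prefix_bytes(),
        "checked_bytes": len(header) + 2 * SHA_LEN,
        "lax_accepts": lax_check(sig, header, main_fw, secpack),
        "strict_accepts": strict_check(sig, header, main_fw, secpack),
    }


if __name__ == "__main__":
    # Page layout: 0x58 checked bytes but only 42 pinned, so the hashes at
    # 0x30..0x58 are not under control yet and both verifiers reject.
    print(attempt(PAGE_HEADER, MAIN_FW, SECPACK))
    # Made-up shorter header: the hashes now sit inside the easy 42 bytes, the lax
    # verifier accepts the forgery and only the strict one rejects it.
    print(attempt(b"\x00\x01", MAIN_FW, SECPACK))
```

The numbers match the notes above: with a 1024-bit modulus the cube root pins about 42 leading bytes for free, which is less than the 0x58 that covers both SHA-1 fields in the page's layout, so the remaining bytes are what the "clever math and brute force" has to buy. The strict verifier is the fix: once every byte of the decoded block is compared against a fixed encoding, there is no slack at the end for the rounding error to land in, regardless of the exponent.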

T-Mobile will unlock iPhones!

The German operator Deutsche Telekom announced today that it will
sell the iPhone without a contract for 999 euros, following a decision
of the Hamburg regional court.

Deutsche Telekom will also offer customers who already bought an iPhone
with a contract the option to UNLOCK their phone, it said in an official statement.

I’m curious about the unlock method they will use as there is no unlock for 1.1.2 yet!
Maybe an official unlock will leak soon!

You gotta love Europe!

OTB 1.1.2 iPhone unlock is coming soon!

Some more interesting news in the battle against out-of-the-box 1.1.2 iPhones!
Here is a small clarification of the problem, and the current status.

All the US iPhones shipped in week 45 and after have the 1.1.2 firmware,
with the new bootloader version 4.6. Those phones can still be jailbroken and activated,
but there is no software SIM unlock solution yet.

The new 4.6 bootloader has fixed the exploit that allowed running unsigned code
and reflashing the modem baseband firmware. This new bootloader must be analysed, so it
has to be dumped!

TA_MOBILE from Vietnam has successfully dumped it!

Files are available!