iPhone SIM unlock info


BillA
08-24-2007, 09:58
The hardware for the iPhone unlocker is a simple test point pulling the NOR flash address line A17 high, basically fooling the bootloader checksum calculator into thinking that the baseband flash is blank (0xFFFFFFFF), therefore allowing the bbupdater to execute unsigned code, which in turn loads the baseband flash (0x20000-0x304000) with the patched NCK-disabled mod (04 00 a0 e1 -> 00 00 a0 e3).

Besides the test point, the following tools are also used for this process: NORdumper, IEraser, IUnlocker, Minicom, and Termcap.

And finally:
AT+CLCK="PN",0,"00000000" - to update the checksums
AT+CLCK="PN",2 - to check the unlock "0"

The baseband is an Infineon chip (S-Gold2), which has been used in Siemens phones hacked by the Martech team for a while now with a similar bootloader trick technique.

Ultimately it's not a permanent unlock because if you do a software update it will write back the NCK check routine and you'll have to do the entire unlock process over again.

The true unlock is when the NCK checksums have been properly calculated and stored.

Hope that helps you understand the basics behind this patch unlock method.

There's also another method using a SIM proxy which always sends the phone the following MCC/MNCs (310-150, 310-170, 310-410, 001-010, 311-180, 310-980) regardless of what your SIM card's ICCID is, though it's not the most elegant solution.

p.s. Credits go to GeoHot and the DevTeam!

nicacel
08-24-2007, 20:15
Check this out: www.iPhoneSimFree.com, they have a solution I think.

BillA
08-25-2007, 00:22
Check this out: www.iPhoneSimFree.com, they have a solution I think.

Yeah, too bad you won't be able to learn much from buying license codes from simfree. Plus, if they use the patched firmware method, then good luck re-unlocking after a software upgrade.

The ultimate goal of a true unlock is to recover the actual NCK and unlock all the checksums.

BillA

Kevbodian
08-25-2007, 08:48
The Panasonic 705P from Softbank is also S-Gold2.