Thursday, January 24, 2008

Hardware Unlock For 1.1.2 iPhone Firmware With the 4.6 Version Bootloader

Who is this for: Those with 1.1.2 iPhone firmware with the 4.6 version bootloader.
Who is this not for: Anyone with 1.1.3 firmware.

What you will need: a magnifying glass, tools to open the iPhone (Phillips #00 screwdriver, guitar pick, spudger, etc.), needles or other sharp conductive probes, and ideally a multimeter to check continuity.

Thanks to GeoHot, TA_Mobile, IMTH for figuring out this process, and to GeZuZZ for making the Installer application to further simplify this process and Mark for all the info.

You do this modification at your own risk! You have been warned. In the past many people foolishly rushed into this, and needlessly damaged their iPhones. Known issues that happened were:

  1. Starting fires by shorting the battery accidentally.

  2. Damaging the Bluetooth module.

  3. Damaging the Wi-Fi antenna.

  4. Disabling external button functionality.

Once you open your iPhone, your warranty is over. It's actually over when you purchase it and fail to sign up for service with an authorized carrier. It is no one's fault (certainly not Apple's or AT&T's) but your own if your iPhone is damaged in any way by following this tutorial.

This is a difficult and time-consuming method for unlocking your iPhone to work with any GSM provider's SIM. Plan on a couple of hours without being able to use your iPhone. In fact, remove your SIM card before you short the communications board (you'll have to take it out anyway to disassemble the case). It could surprise you if the iPhone rang or vibrated while you were placing probes on the trace.

I do not offer any support whatsoever for this tutorial.

This tutorial is based on the original notes by GeoHot at his blog here. I will be brief in some steps; some of these processes should be second nature to you. If you can't complete this task with this tutorial, you should seriously consider giving up before you damage your iPhone. You might instead want to read my tutorial on installing one of those aftermarket SIMs that lets you use any GSM carrier's SIM in your iPhone without opening it. If interested, read here and here.

I feel very few people will attempt this process. My greatest concern about this procedure is whether the iPhone will allow an update to 1.1.3 with the 3.9 bootloader, and if it does, whether 1.1.3 firmware will even run properly on the 3.9 bootloader. I realize we've seen that YouTube video showing a proof of concept, but that is not proof of everyday phone use or long-term stability.

  1. Downgrade the iPhone firmware from 1.1.2 to 1.1.1. Plug your iPhone into your Mac and launch iTunes. Put the iPhone into DFU mode. Do this by pressing and holding the Home button, and the Sleep/Wake button.

  2. Hold the buttons 10 seconds and the screen will go black. Let go of the Sleep/Wake button. Continue holding the Home button for another 10 seconds and iTunes will detect that the iPhone is in recovery mode and display a pop up. Click OK.

  3. Now download the 1.1.1 iPhone firmware from Apple directly by clicking here. Do not allow your browser to decompress this file. When the download has finished you should see this icon on your desktop.

  4. Press Option and click Restore in iTunes. A file browser window will open. Navigate to where your 1.1.1 firmware file is that you just downloaded. Select it and click Open.

  5. Various messages will appear while the process continues. When the restore has finished you will get an error message pop up (click OK). Another pop up will appear. Click OK again. Eject the iPhone from iTunes and close iTunes.

  6. Download iNdependence 1.3.2 Beta here, or iBrickr here. Launch iNdependence or iBrickr. It will get the iPhone out of recovery mode (initially displaying this message with a spinning wheel) and send it to the activate iPhone screen.

  7. iNdependence or iBrickr will now display this status. Close it. Note: if it does not get the iPhone out of recovery mode within one minute, restore to 1.1.1 again and retry.

  8. Now it is time to jailbreak the 1.1.1 firmware. You should be at the activate iPhone screen. Slide the emergency slider. Enter the following into the keypad: *#307# then press Call.

  9. The iPhone will ring, press the X button at the top to delete all the characters you just entered. Now enter: 0 then press Call again while it is still ringing. Now press Answer.

  10. Press Hold. Press Decline. You will now be at the iPhone's main keypad. Press the Contacts button below. You are now at the contacts screen. Press the + in the upper right corner to make a new contact. Press the First Last button. Enter A for the first name, then press Save in the upper right corner. Now press the Add new URL button. Enter: prefs: then press Save in the upper right corner. It will take you back a screen. Press the Add new URL button again. Enter the AppSnapp website address (the one you will open in step 12), then press Save. Press the Save button.

  11. Press the home page prefs: button. You will now be at the Settings screen. Press General. Press the Auto-Lock button. Now press Never. Then go back to the Settings screen. Press the Wi-Fi button. Select your network from the list. Enter your password and press Join. You should now be connected to your Wi-Fi network.

  12. Press the Home button and you will be taken back to the activate iPhone screen. Slide the emergency slider again. Enter: 0 then press Call. Now press Answer. Press Hold. Press Decline. You will now be at the contacts screen again. Press the A contact, then press its second home page URL (the AppSnapp site, not the hardware Home button) to open it in Safari. Here's the website. Scroll down the screen. Press the Install AppSnapp button. Safari should crash after a few seconds.

  13. Once Safari crashes it will send you back to the activate iPhone screen. Wait about 20 seconds and the slide to unlock animation should freeze, then the iPhone will reboot. You'll see the Apple logo, then you will be at the screen with the slide to unlock slider again. Slide it and you will be at the SpringBoard.

  14. You now have access to the SpringBoard. The iPhone is jailbroken and activated.

  15. Go to Settings, press General, then press Auto-Lock and set it to Never. Go back to the SpringBoard, launch the Installer, and install Community Sources, BSD Subsystem, OpenSSH, and Term-vt100 (just in case). Note that OpenSSH accepts root logins over Wi-Fi with the well-known default password (alpine); change it with passwd the first time you log in, or anyone on the same network can log in as root.

  16. Add to your Installer Sources. Install the Bootloader Downgrade program which is found in the Unlocking Tools folder.

  17. Get the iPhone's Wi-Fi IP address (Settings, Wi-Fi, then the blue arrow next to your network). You'll need it to SSH in later.

You are now ready to disassemble the iPhone. If you should damage the iPhone, many parts can be purchased from, and Cellular Nationwide Network.

Attention: The greater the care you practice in the disassembly of your iPhone, the better it will look and feel when it is put back together. It is easy to bend the case backing, strip the screws, sever the antenna cable, break the ribbon cables that control the home button and the headphone jack and the on and off switch, and damage the circuit boards. Consider the consequences before you continue. The iPhone wasn't designed to be opened and reassembled by consumers. Fit and finish may not compare to how your iPhone is right now.

At this time you should be made aware of electrostatic discharge and how dangerous it can be. The following is paraphrased from Computer: ElectroStatic Discharge (ESD) is one of the few ways an individual can damage or destroy electronic devices while working on them. Much like the shock you receive when rubbing your feet on the carpet and touching something metal, ESD can occur when working on electronics and can leave the components you touch no longer working properly. ESD can occur without you feeling any shock at all; it is the exposed components inside a device that are vulnerable, which is why it matters once the case is open.

The best method of preventing ESD is to use an ESD wrist strap and/or a grounding mat or table. Because most users do not have access to such items, here are some steps to reduce the chances of ESD as much as possible. Zero potential - Make sure there is no potential difference between you and the device by frequently touching an unpainted metal surface of the phone chassis or of your MacBook Pro case (if using a laptop) before you touch components.

Standing - It is also very important that you stand at all times when working on the device. Sitting on a chair can generate more static, depending on the material of the chair and whether or not it is on carpet. Clothes - Do not wear clothing that builds up a lot of static charge, such as a wool sweater, pants, or socks. It is also a good idea to remove all jewelry and watches.

Turn off the iPhone and remove the SIM card and the tray. There are several articles where you can get some insight on taking the iPhone apart.

  • Anandtech disassembled their iPhone, and documented it with many high resolution pictures.

  • ifixit has THE BEST disassembly guide with pictures. They don't provide enough information on how to initially open the iPhone, however.

  • Think Secret has a disassembly guide.

There are many methods for opening the iPhone, but this is what worked for me. I used electrical tape to secure the supplied screen wipe cloth to the iPhone to help prevent scratching. I positioned the tape as close as I could to the antenna cover panel to protect the metal. My method worked perfectly, I have no scratches.

I think it is critical you start from the right side of the black plastic piece (as you are looking at the back side of the iPhone in the upright position). The reason is that the left side has an antenna lead at the seam on the back, and you don't want to break any wires. I used the back side of a utility knife blade to loosen the black panel. I rocked it firmly on the plastic and metal seam where it curves. I felt something pop, and I was able to get my thumbnail between the metal frame and the black plastic at the bottom by the dock connector.

I put a guitar pick in this area to loosen it up some more. I then went to the back side of the case and gently tugged here, pulled there, and wiggled the plastic to loosen it up some more. I also worked the area by the dock connector with a guitar pick some more until I was over the connector itself. Then I went to the back side and tugged some more and the whole black part popped loose.

  • Now remove the three Phillips #00 screws (preferably with a #00 screwdriver, lest you strip the heads). These screws secure the rear metal panel to the iPhone frame.

  • The back cover is held in place by several interlocking tabs. The tabs are on the back cover, the depressions are on the rails of the iPhone's frame. An anonymous reader sent in this photo which nicely illustrates this.

  • To loosen the back cover, insert a sturdy plastic tool between the battery and the cover. If you can't find a plastic tool you could use a flat-head screwdriver, but cover the tip with electrical tape to be extra safe. Start with the left-hand side (the non-button side) and gently push up on the screwdriver handle; you will hear a pop when it loosens. Place a wedge between the case you are lifting and the frame, then remove the screwdriver.

  • Now drag a guitar pick or tweaker tool through the gap between the case and the frame until you reach the top corner, then stop. Repeat this process on the right half of the case. Lift with your screwdriver gently, and a similar pop will be heard.

  • You should be able to remove the cover without any tools. But be careful! There is a ribbon cable that attaches the back of the case to the other half. In the picture below a blue plastic tool (sometimes called a spudger) is pointing directly at the base where the ribbon cable attaches to a circuit board. Use something non-conductive with a dull end to gently lift this connector upward out of its socket. It must be detached at this point so it is not damaged when we remove the metal shielding from the exposed circuit board.

  • A metal shield must now be removed. There are a lot of sensitive components here, so use a non conductive tool with a dull end if you can. Don't try to get the cover off from just one location. Pry a little on one side and then some on the other. I started at the back, just above the battery, and then moved to the right side. When you are ready to remove the shield, be careful with the glue that is on the nearby battery terminals. You might want to scrape away at the glue on the shield and not on the battery terminals. Just apply constant pressure, and the glue will slowly stretch, and let go of the shield.

  • Now reconnect the ribbon cable from the back case to the circuit board, and lay the back case flat next to the rest of the iPhone. You need to do this because you must be able to turn on the iPhone.

  • Now it's time to make your unlocking tool. I built mine with two darning sewing needles, a couple inches of speaker wire, and electrical tape to secure the wire to the needles. Use whatever you have to, but it better have very sharp points and be electrically conductive. Check your continuity if you have to with a meter.

  • Unless you have exceptional vision, I recommend getting a magnifying glass and a small flashlight. I found this tool that I will now swear by. If you go to The Sharper Image website, and do a search for the term "magnify" you'll find a really nice magnifying glass that is somewhat bendable, has a built in stand, and has a built in light with an on and off switch. It's only $20.

  • The next thing you have to do is scrape the trace that you need to probe. This is labeled A17 in the photos below. Note: some have said they were able to just push the needle into the trace without scraping; I chose the scrape method.

  • I had never done this before, so I grabbed my Simpsons bottle cap opener (which plays an audio file when a bottle cap touches it), took it apart, scraped one of the traces on it, used my unlocking tool, and completed the circuit, causing the audio loop to play. I did this to learn how hard and how much I needed to scrape a trace to get to the conductive material in it. It doesn't take much pressure. I highly recommend practicing on a spare circuit board. I guarantee you the traces on the iPhone are ridiculously small and easy to break. If you break the trace you could kill your phone, though traces can be repaired; Radio Shack sells a trace repair pen for $6. Check their site.

  • Here are pictures of the communications circuit board. The first picture below was taken by Nick Chernyy for GeoHot's blog. The path colored in red is the trace you must connect one end of your unlocking tool to. Pick anywhere on this trace to scrape away some of the insulation to get to the copper underneath. DO NOT break the trace or damage anything else nearby. Go slowly, be patient, and wear away the material a little at a time. You don't need to do much; I couldn't even see the copper underneath on mine. I do not know who took the second picture. The third picture was sent to me by an anonymous reader and demonstrates very well the scale you are dealing with here. If the third picture doesn't scare you, nothing will.

  • Log into the iPhone via SSH with the Terminal on your Mac. Enter the following:

  • launchctl unload /System/Library/LaunchDaemons/

  • cd /usr/bin/

  • ienew

  • Data will scroll by in the Terminal while this process executes. Do not turn off the iPhone for any reason.

  • You'll need to connect the testpoints at the same time you execute the next command in the Terminal. Since both your hands are busy with the testpoints, you can run the command with a delay (of any length) to have time to get your needles in place. The example below has a 10 second delay.

  • sleep 10; iunew

  • After you hit Enter, grab your needles, set the first needle on the A17 trace, then put the second needle on the capacitor. Hold the needles steady until iunew prints a message. You will get one of two (the screenshot below is simulated output):

  • "TESTPOINT WORKS: 55" - Remove your needles and do what it tells you. If everything is OK it will start uploading the NOR and print the addresses it is writing to. This takes about 10 minutes.

  • "Please connect the testpoint." - The needles did not make contact with the right points on the board. Run iunew (behind the sleep delay again) and try again.

  • When the process completes, type this:

  • bbupdater -v

  • You should now see this in the output:


  • Note: If you get a message about the baseband being unresponsive to pinging, and Settings, General, About shows no Wi-Fi address, no ICCID and no Modem Version, you need to put the iPhone into DFU mode and restore it (the steps below, which restore 1.1.1 and then update to 1.1.2, cover this). Either way, continue below.

  • Launch iTunes. Put the iPhone into DFU mode again, and then press Option and click Restore and use 1.1.1 firmware. Once it has completed close iTunes.

  • Use the website again to jailbreak and activate the iPhone.

  • Launch the Installer. Click the Install icon and scroll down the list of folders to Tweaks (1.1.1). Press it.

  • Press OktoPrep and install it. You'll get this message once it has been installed. Press the Home button when done.

  • Launch iTunes and connect your iPhone. Since 1.1.3 firmware (or even newer) is available, you must ensure that you have already downloaded 1.1.2 firmware and saved it on your computer. This is an .ipsw file. Download 1.1.2 restore firmware here. Press the Option button on your keyboard and click Update.

  • A file browser window will appear. Navigate to where your 1.1.2 firmware file is, select it and click Open.

  • If you did this correctly you will see an updating message, and not a restoring message. Various messages will appear as the process continues. Note: if you get an Error 6 message, try restoring to 1.1.1 firmware, and try again.

  • When the update completes, you'll see this screen in iTunes. You'll see this on the iPhone. Eject the iPhone from iTunes, then close iTunes.

  • Download the 1.1.2 jailbreak program here. Double click the jailbreak.jar file.

  • This is the 1.1.2 jailbreak program. Check the box for installing SSH if you want SSH on your iPhone (you can also add it later with the Installer). Note: if you install SSH, this is the best time to set your root password. The program shows the default, alpine; set your own password now, because the default is public knowledge and anyone on the same Wi-Fi network could otherwise log in as root. When you are ready, click the Jailbreak! button.

  • A pop up will appear with a status bar, and several messages will appear. It will take about 6 minutes to read, patch and write data back to the iPhone.

  • A pop up will appear telling you to reboot the iPhone. It will reboot once on its own.

  • iTunes should recognize your iPhone.

  • Press Settings, General, Auto-Lock and select Never.

  • Launch Installer and install Community Sources and BSD Subsystem. Next, press the Sources button. Press Edit, then press Add.

  • Add: to sources. Then press refresh and refresh again.

  • Scroll down to Unlocking Tools and press anySIM 1.2.1u. Install the program. When it has finished, press the Home button to relaunch the SpringBoard and you will see anySIM on it.

  • Press the Settings button and turn on Airplane Mode.

  • Launch anySIM (I did this with my Cingular SIM in already which was recognized as AT&T). Press OK. Slide to unlock.

  • Read this screen or not. Scroll down to the bottom and press the big red button.

  • Various messages will go by. This process should take 5 minutes to complete. If the stars are aligned correctly you will get the success message.

  • Press the Settings button and turn off Airplane Mode.

  • Restart the iPhone (I find the carrier logo won't display unless you do) and test your SIMs.
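The SSH stretch above (unload the daemon, ienew, the delayed iunew with the needles on A17 and the capacitor, then bbupdater -v) is where a slip is most expensive, so here is an added helper script for exactly that part. It is my addition, not one of GeoHot's tools and not code from the original tutorial, and it rests on assumptions the tutorial does not state: that SystemVersion.plist in /System/Library/CoreServices carries a ProductVersion key (used to refuse to run unless you are on 1.1.1); that the plist name lost from the launchctl line above is the baseband daemon's, com.apple.CommCenter.plist (check that against GeoHot's notes and override DAEMON_PLIST if it differs); that ienew, iunew and bbupdater are in /usr/bin; and that bbupdater -v prints the bootloader version with a "3.9" or "4.6" in it.

```sh
#!/bin/sh
# hwunlock.sh - added helper for the SSH stretch of this tutorial. Not one of
# GeoHot's tools and not from the original post. Run it over SSH as root on
# the jailbroken 1.1.1 iPhone with the BSD Subsystem installed.
#
# Assumptions (none of these are stated in the tutorial):
#  - /System/Library/CoreServices/SystemVersion.plist carries ProductVersion
#  - the launchctl line in the tutorial lost its plist name in this copy;
#    DAEMON_PLIST assumes the baseband daemon (CommCenter). Verify it first.
#  - ienew, iunew and bbupdater are in /usr/bin
#  - bbupdater -v prints a bootloader version containing "3.9" or "4.6"

DAEMON_PLIST="${DAEMON_PLIST:-/System/Library/LaunchDaemons/com.apple.CommCenter.plist}"
TOOLDIR="${TOOLDIR:-/usr/bin}"
SYSVERSION="${SYSVERSION:-/System/Library/CoreServices/SystemVersion.plist}"
LOG="${LOG:-/var/root/unlock.log}"

# A dropped Wi-Fi/SSH session sends SIGHUP to this shell; ignore it so iunew
# is not killed halfway through writing the NOR (children inherit the ignore).
trap '' HUP

# Print the ProductVersion value from a SystemVersion.plist read on stdin.
product_version() {
  sed -n '/<key>ProductVersion<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}'
}

# Reduce bbupdater -v output ($1) to one word: 3.9, 4.6 or unknown.
# Always exits 0 so callers can use it under set -e and branch on the word.
bootloader_version() {
  case "$1" in
    *3.9*) echo 3.9 ;;
    *4.6*) echo 4.6 ;;
    *)     echo unknown ;;
  esac
}

# What to do next, given the bootloader word.
verdict() {
  case "$1" in
    3.9) echo done ;;     # downgraded: carry on with the 1.1.2 update and anySIM
    4.6) echo retry ;;    # still 4.6: the testpoint never made contact, rerun iunew
    *)   echo restore ;;  # baseband not answering: DFU restore, as in the Note above
  esac
}

# Count down so you know when the needles must be on A17 and the capacitor.
countdown() {
  n="$1"
  while [ "$n" -gt 0 ]; do
    printf '%s... needles on A17 and the capacitor\n' "$n"
    sleep 1
    n=$((n - 1))
  done
}

hwunlock_main() {
  delay="${1:-10}"
  ver=$(product_version < "$SYSVERSION")
  if [ "$ver" != 1.1.1 ]; then
    echo "expected firmware 1.1.1, found '$ver'; refusing to continue" >&2
    return 1
  fi
  for t in ienew iunew bbupdater; do
    if [ ! -x "$TOOLDIR/$t" ]; then
      echo "$TOOLDIR/$t not found; install Bootloader Downgrade from Installer" >&2
      return 1
    fi
  done
  launchctl unload "$DAEMON_PLIST"
  cd "$TOOLDIR" || return 1
  ./ienew 2>&1 | tee -a "$LOG"
  answer=n
  while [ "$answer" != y ]; do
    countdown "$delay"
    # iunew stays on the terminal, not in a pipe or $(...): a pipe would
    # buffer its output, and you must see "TESTPOINT WORKS" the instant it
    # appears (and answer anything it asks afterwards).
    ./iunew
    printf 'Did iunew report TESTPOINT WORKS and finish writing the NOR? [y/n/q] '
    read -r answer
    [ "$answer" = q ] && return 1
  done
  bb=$(./bbupdater -v 2>&1 | tee -a "$LOG")
  bl=$(bootloader_version "$bb")
  echo "bootloader $bl -> $(verdict "$bl")"
}

# Only act when explicitly asked, so the file can be sourced for its helpers.
if [ "${RUN_HWUNLOCK:-0}" = 1 ]; then
  hwunlock_main "$@"
fi
```

Copy it to the iPhone over SSH and run it as root with `RUN_HWUNLOCK=1 sh hwunlock.sh 15` for a 15 second countdown (the tutorial's `sleep 10; iunew` uses 10). Everything except iunew's own output is appended to /var/root/unlock.log, so if your SSH session drops you can still read what ienew and bbupdater said; iunew itself is deliberately left on the terminal because its "TESTPOINT WORKS" message has to reach you while the needles are still in place.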

Attention - iPhone owners in "non-supported" countries: If you use an iPhone in a country where the iPhone is not for sale, you will have a problem with the Phone and SMS applications crashing when you try to call or send to someone. This is specific to 1.1.2 firmware. I live in America, so I don't have this problem; more importantly, I can't test the solution I am about to present to you. This is a challenge that you, the reader, must take on. Launch the Installer program. Press the Install icon at the bottom. Scroll down the list of folders to Tweaks (1.1.2) and press it. Next install iWorld.

  • Now select your country from the list and hope for the best. If you still have issues, I recommend the usual modding forums like

1 comment:

Anonymous said...

Once you hold this device on your hands, you will definitely never want to let go of it due to its remarkable features. However, there are times when everything just went out of control and you lost all the pleasure there is with just one drop. Breaking your most treasured device will bring disappointment and depression unless you consulted the finest Denver Colorado's iPhone 5 service. There is no great place to send your phone other than the Premier iPhone5 repair.