
[Cracking] iPhone teardown unlock method in ten steps

This thread's featured status was removed by Nicholas on 2008-4-23 04:22

iPhone teardown unlock method in ten steps

Quote:
All content of this article was written and translated by me and is shared under Attribution-NonCommercial-ShareAlike 2.5.
If you wish to repost this article, please notify the poster by on-site private message and credit it as “from weiphone.com”.
Chinese copyright of this article:
www.weiphone.com by Laoren



geohot starts college on Saturday, so he is going to publish the teardown unlock method early..

JS (reseller) comrades should study this closely... ordinary users just have a look,, taking the phone apart is risky...

I am translating only the key points; see the original for the details.

It starts at 8 AM US Eastern time, 8 PM Beijing time..

Welcome to the final countdown. I am leaving for college Saturday, and have been busy lately with getting everything ready. And once I am there, I really won't have much time to work on the iPhone. But I don't want to leave being the only person with an unlocked iPhone :) So we have decided to release the hardware unlock. The hardware required is decently simple, and most people who have modded a game system have the soldering ability required to do it. This has been a great adventure, the "summer of the iPhone", and I finally achieved my goal of getting my phone working on T-Mobile. So it's about time everyone else can do this too.

Here is the release plan. Last night, I went to the Apple store, and purchased a brand new 4GB iPhone. At 8AM EST sharp, I will begin unlocking a NIB iPhone step by step on the blog along with everyone who wants to come along. I'll be answering any questions on #iphone.unlock @ undernet. I'll be doing the hardware part first, so you can wait to see if you think the hardware is too complicated before diving in and taking apart the phone. But it really is only a wire that needs to be soldered. So see you all at 8 AM EST.

————————————————————1————————————————————
--First, an iPhone. Of the sshed and jailbroken variety. Also, kill commcenter by moving the LaunchDaemon plist out of the directory.
An activated iPhone with SSH enabled; move the LaunchDaemon plist away.

--Some trusty case opener tools (read: guitar picks). Read one of the many tutorials available online for taking apart your phone.
Tools for opening the iPhone.
--A soldering iron. This should've cost you more than $10.
Probably means tin soldering.
--Fine pitch wire. I used magnet wire salvaged from a little motor.
Wire.
--An unlock switch. The bigger and more badass, the better. Or if you are cheap, wire cutters :-)
A switch?
--A red bull. This requires concentration, something I don't have without Red Bull.
Red Bull, to stay alert. Heh.

————————————————————2————————————————————

This method is very similar to the method used to unlock the Siemens phones with the S-Gold2 chipset. The S-Gold2 has a bootrom which allows you to download a bit of unsigned code. This code is run if certain flash addresses are blank. Using a little hardware trick, which I'll explain later, we make them appear blank. Then once we have unsigned code running on the baseband, we can download a modified firmware, with the unlock patched in, to the nor flash. The signature checks only cover this region while it is being downloaded the first time. Once the code is on the NOR we can do whatever we want. So patch out the PN lock; Voila, unlocked iPhone.
Gist: this method is much like the crack for Siemens phones that use the S-Gold2. The S-Gold2 has a bootrom that can download some unsigned code. If the current memory addresses are blank, this code can run; using a hardware trick (?) explained later, the flash addresses can be made to appear blank, and once the unsigned code runs, a modified firmware can be downloaded into the NOR memory, bypassing the signature check. Once this code is on the NOR, the crack becomes possible.

————————————————————Step 1————————————————————
First, I would like to say thanks again to gray, iProof, dinopio, lazyc0der, anonymous, the dev team, nightwatch, and everyone who donated. Without them, there would be no unlock today, and I surely wouldn't be up at 8AM.
Second, you may brick your iPhone using this tutorial. YOU ARE WARNED.
Okay on to the actual step. Remove the black part, the three screws, and the aluminum case. Do not remove anything else. Comment on these posts if you are with me so far. Once we get a good number of comments I'll move on.

Remove the black piece on the back, the three screws and the aluminum shell. Leave everything else alone.

————————————————————Step 2————————————————————
Also remove the metal cover over the comm board. This is all the disassembly you have to do. If you feel like being safe, desolder the battery red lead. I didn't :)
Remove the metal cover on the main board. If you are not comfortable, disconnect the battery...

————————————————————Step 3————————————————————

The red line is covering the A17 trace. In order to trick the chip into thinking the flash is erased in the correct section, you will need to pull this high. Scrape away at the trace with something like a multimeter probe. Then solder a very thin wire to it. Be very careful. Only scrape away at that one trace. This is the hardest step in the whole process. Also solder a wire to the 1.8v line. Connect the wire coming from the trace and the wire coming from the 1.8v to your unlock switch. Be careful, you only get one chance to do this right.

Under the red line is A17. Scrape it open and solder a wire onto it,,, then solder a wire onto the 1.8v line and connect both wires to the switch,, be very careful, this is the hardest step,,, you only get one chance...

That is how I understand it; I am not sure whether I have it wrong, please read carefully.

————————————————————Step 4————————————————————
Ok, time to test what you just soldered. First use the continuity check on a multimeter to make sure the wires aren't shorting to ground or to each other. Make sure your switch is in the off position. Power up your iPhone. Hopefully it didn't smoke :) Now go into minicom to tty.baseband and send a few commands, AT a few times will do. It should respond OK. Now flip your switch, the baseband should stop responding. Even when you flip it back, the baseband still shouldn't respond. Be sure your switch is off, then open another ssh and run "bbupdater -v". You can get bbupdater off the ramdisk. This should reset the baseband, and minicom should start working again. If it did this, your soldering is most likely good, and you are ready to actually start unlocking your phone!!!

Check with a multimeter to make sure the two wires are not shorted, grounded or connected to each other. Switch in the off position. Power on the iPhone; hopefully no smoke. Now go into minicom to tty.baseband and send a few commands, AT a few times will do. It should respond OK. (Presumably using the minicom below.) Turn the switch on, the baseband stops working. Turn the switch off, the baseband still does not work. Leave the switch off, open SSH and run bbupdater -v. This restarts the baseband and minicom starts working again. If that is the case, your soldering is fine. You can go on to the next step.

————————————————————Step 5————————————————————
If it passed the checks in step 4, congratulate yourself. You are a pro solderer. Go eat lunch. If not, don't worry yet. I must've thought I bricked my phone 100 times. First of all, to power up your phone you don't need to reconnect the case with the power button. Just connect it with USB, it'll power itself up. Secondly, don't waste time compiling minicom. Download the binary here, and termcap here.

If it passed the step 4 check: connect USB and the iPhone will power itself on. Download minicom and termcap.

————————————————————Step 6————————————————————
Now, with the switch off, your baseband should be working perfectly. Here you should take a NOR dump of your phone. The dev team's NORDumper is a great way to do this. This is good to have in case something goes wrong. You can extract the firmware from this as well, which we'll get to later.
Keep the switch off; the baseband should work normally. Use NORDumper to download a NOR backup, just in case. The firmware can be extracted from it later.

————————————————————Step 7————————————————————
A bit of encouragement.

Now the software unlock begins.
So here is the first tool release, iEraser. This erases the current firmware on your modem. Don't worry, you can always put it back with bbupdater. Here's how the bootrom check works; it reads from 0xA0000030 0xA000A5A0 0xA0015C58 0xA0017370 and all these addresses must read as blank, or 0xFFFFFFFF. When you erase flash, it becomes 0xFFFFFFFF. But you can't erase those locations, because they are in the bootloader. So that's where the testpoint comes in. Pulling A17 high hardware OR's the address bus with 0x00040000 (offset one because data bus is 16 bit). So the bootrom instead checks locations 0xA0040030 0xA004A5A0 0xA0045C58 0xA0047370, which are in the main firmware and can be erased. Pretty genius :)
To use this tool, you need the secpack from your modem's version. The erase of this section is protected. Check the modem version in Settings->About. It'll either be 3.12 (1.0) or 3.14 (1.0.1 and 1.0.2). You need the ramdisk which corresponds to your version. Then go into "/usr/local/standalone/firmware" and get the ICE*.fls file. Extract 0x1a4-0x9a4 and save it in a file called secpack and place it in the same directory as the ieraser tool. Run ieraser. This should erase the modem firmware and leave you one more step on your way to unlocking.


The first tool is iEraser. It erases the current modem firmware. Don't worry, you can restore it with bbupdater at any time. Here is how the bootrom works: the bootrom reads 0xA0000030, 0xA000A5A0, 0xA0015C58 and 0xA0017370, and all these addresses must be blank, i.e. 0xFFFFFFFF. Erasing the flash makes them 0xFFFFFFFF, but these addresses cannot be erased because they are in the bootloader. Pulling A17 high hardware OR's the address bus with 0x00040000 (offset one because data bus is 16 bit). So the bootrom instead checks locations 0xA0040030 0xA004A5A0 0xA0045C58 0xA0047370, which are in the main firmware and can be erased. Pretty genius :) A little trick that I did not figure out.
Check the modem version under Settings > About on the iPhone; it should be 3.12 (1.0) or 3.14 (1.0.1 and 1.0.2). Go into /usr/local/standalone/firmware and get the ICE*.fls file, extract 0x1a4-0x9a4, save it as a file named secpack and put it in the same directory as iEraser. Run iEraser; this step erases the modem firmware. One more step and you can unlock.

————————————————————Step 8————————————————————
Now it's time to patch the firmware. Thanks to gray for finding these patches, this required some very complicated reversing. First, you need to extract the firmware from your nor dump. The range you need is 0x20000-0x304000. Save this file as "nor". The patches you need to apply are as follows. These are offsets from the beginning of the file saved as "nor". Choose your version, and patch.
3.12: (213740): 04 00 a0 e1 -> 00 00 a0 e3
3.14: (215148): 04 00 a0 e1 -> 00 00 a0 e3
Resave the file nor, you'll need it soon...

Extract the firmware from the NOR dump. The range is 0x20000-0x304000. Save it as nor. The patches for the different versions are as follows:
3.12: (213740): 04 00 a0 e1 -> 00 00 a0 e3
3.14: (215148): 04 00 a0 e1 -> 00 00 a0 e3
Save the file again.

————————————————————Step 9————————————————————
The final tool is iUnlocker. This tool uploads a small program, "testcode.bb", to the baseband using the bootrom exploit. This program needs to be in a dir with "nor", the file you obtained in the last step. You need to have the switch on when running this program. This will download and run the code in "testcode.bb". Then the program will stop and ask you to turn off the switch. Do so. You type any character then hit enter. The nor download starts right away. When the counter reaches 0x2E4000, it is done. Run "bbupdater -v". Hopefully it will return the xgendata. If it does, the nor upload was successful.
The last tool, iUnlocker, uploads a small program, testcode.bb. This program should be in the same directory as the nor file from the previous step. The switch should be on when you run the program; it will download and run testcode.bb, then the program stops and asks you to turn the switch off. Do so. Type any character and press Enter. The nor download (? should that be upload?) starts; when the counter reaches 0x2E4000 it is done. Run bbupdater -v. Hopefully it returns xgendata; if so, the nor upload succeeded.

————————————————————Step 10————————————————————
minicom into /dev/tty.baseband. If you already used up your attempt counter, the phone should already be unlocked. If not just run 'AT+CLCK="PN",0,"00000000"'. That will unlock the phone for sure. Run 'AT+CLCK="PN",2'. It should finally return 0!!!
Your phone is now unlocked. Exit minicom and copy the CommCenter plist back to its place. Reboot. iASign. And enjoy your unlocked iPhone.


Use minicom to connect to /dev/tty.baseband. Run 'AT+CLCK="PN",0,"00000000"'. Unlocked.
Run 'AT+CLCK="PN",2'; it should return 0.
Done, the iPhone is unlocked. Exit minicom and copy the CommCenter plist back to its original place.
Reboot. iASign. Mission accomplished.


____________________________________Summary_____________________________________

Prerequisite: SSH must be working properly, otherwise none of the later steps can be done.
Some soldering skill... and care..

The attachments are the tools you need.

Attachments

whatyouneed.jpg (232.25 KB) 2007-8-23 18:49
step2.jpg (108.87 KB) 2007-8-23 20:08
step3.jpg (95.36 KB) 2007-8-23 20:21
soldered.jpg (211.61 KB) 2007-8-23 20:25
fullres.jpg (57.3 KB) 2007-8-23 20:30
strivefor.jpg (185.71 KB) 2007-8-24 00:45
tools.zip (456.86 KB) 2007-8-24 05:14, downloads: 421

Recent ratings on this post
  • GSM experience +10 quality article 2007-8-24 11:51
  • GSM popularity +38 quality article 2007-8-24 11:51
  • iMichael popularity +35 supporting the live broadcast!!!! 2007-8-24 09:23
Just passing through... resellers are happy and phone owners suffer... now software unlock and hardware unlock can hardly be told apart...

[ This post was last edited by ido on 2007-8-23 18:12 ]
Forgot to include the link

http://iphonejtag.blogspot.com/

Resellers, come and look, another chance to make money...

[ This post was last edited by laoren on 2007-8-23 18:15 ]

Attachment

whatyouneed.JPG.jpg (33.19 KB) 2007-8-23 18:15

Can't see it aaaaaah
Good stuff
Hope more resellers learn this and bring the price of hardware mods down~
Only after zooming in on the picture did I notice there are two Fender picks, how familiar~~~~~~~~
Red Bull made it into the picture too?
Supporting the live broadcast; the resellers haven't shown up yet, heh.