How to unlock the iPhone…

This is very good news for all those lucky enough to own an iPhone.

I read on Apple Weblog and FayerWayer that the little device has been partially unlocked.
With this, a two-year contract with AT&T is no longer needed, since any SIM from that same carrier can be put in it. So people with company SIM cards will be able to use them in the iPhone, among other things.

It seems a full unlock cannot be achieved, because the iPhone firmware checks the first digits of the IMSI, verifying that the values correspond to the USA as the country and AT&T as the carrier.
The bad news is that although the command that would be used to unlock the phone is known, there is a parameter whose value is unknown; it is believed to be unique to each iPhone, and brute force is not an option because it would take far too long.
So we will have to keep waiting for that parameter… maybe a leak would help…?

I quote verbatim the post by the folks at iPhoneDevWiki, who are behind the unlock effort…

All problems with unlocking lie in the baseband, the radio chipset for the iPhone. The chipset is an S-Gold2, and don't come in the chat and give us links to PapaUtils, we can't use them. Now the iPhone only has one lock, a network personalization lock. This lock means the MCC (US=310) and the MNC (AT&T=410) must match the first six digits of the SIM card's IMSI. This check is done in the baseband firmware itself. I'm not really sure where yet, but that isn't really relevant. The only thing standing in the way of an unlock is the baseband. All the other SIM checks are known and can be patched out. We even know the AT command to do the unlock. It's 'AT+CLCK="PN",0,"xxxxxxxx"'. But good luck finding those x's. They are called the NCK, or Network Control Key, and are believed to be unique in everyone's phone. Forget brute force (time impractical) and the obvious entries. If you still think bruteforce is a good idea, read this. Further, there is a limit of 3-10 unlock attempts per phone, after which the firmware will "hard-lock" itself to AT&T. So why can't we just patch the firmware? The firmware, located in the ramdisk at /usr/local/standalone/firmware/ICE03.12.06_G.fls, is signed. See here for what is known about the file. The sig is checked in the baseband bootloader. The updater program, bbupdater, only checks a checksum, which can be changed. The update will take, but then the phone won't boot because the sigs don't match.

We worked two solid days on disassembling the radio fw. There are a few backdoors, but none that would lead to an unlock. If you are *good* with disassembling ARM, PM geohot for the idb. We've documented a lot of functions pretty well. Although, this firmware is very difficult to work through. I'm 90% sure the password check happens in the function called pwdcheck, but I haven't found it yet. For all we know there could be a simple algorithm to generate the NCKs that we've missed.
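To make the network personalization rule in the quoted post concrete, here is an added example (my own code, not iPhoneDevWiki's and not the baseband firmware) that models the SIM-side check: split an IMSI into MCC/MNC/MSIN and accept it only when MCC+MNC equals 310410. It assumes a 15-digit IMSI with a 3-digit MNC, which is what the post's "first six digits" implies for US carriers, and the allow-list tuple is an assumption about how such a list might be represented.

```python
"""Model of the network-personalization (SIM lock) check described above.

Added example: the real check runs inside the baseband firmware; this only
reproduces the rule the post states, namely that the first six digits of the
SIM card's IMSI (MCC + MNC) must equal 310410.
"""
from dataclasses import dataclass

# From the quoted post: MCC 310 = United States, MNC 410 = AT&T.
# The firmware's own allow-list format is not public; a tuple is an assumption.
ALLOWED_PLMNS = ("310410",)


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, always 3 digits
    mnc: str   # Mobile Network Code, 3 digits in North America (assumed here)
    msin: str  # subscriber identifier, the remaining 9 digits

    @classmethod
    def parse(cls, raw: str) -> "Imsi":
        """Split a 15-digit IMSI into MCC/MNC/MSIN, rejecting malformed input."""
        if len(raw) != 15 or any(c not in "0123456789" for c in raw):
            raise ValueError(f"IMSI must be exactly 15 decimal digits, got {raw!r}")
        return cls(mcc=raw[:3], mnc=raw[3:6], msin=raw[6:])

    @property
    def plmn(self) -> str:
        """Public Land Mobile Network id: MCC followed by MNC."""
        return self.mcc + self.mnc


def sim_accepted(raw_imsi: str, allowed=ALLOWED_PLMNS) -> bool:
    """Return True when the SIM's home network is on the personalization list."""
    try:
        imsi = Imsi.parse(raw_imsi)
    except ValueError:
        return False       # a malformed IMSI never passes the lock
    return imsi.plmn in allowed


if __name__ == "__main__":
    # Constructed sample IMSIs; the MSIN digits are arbitrary, not real subscribers.
    for sample in ("310410123456789",   # MCC 310 / MNC 410: passes
                   "310260123456789",   # same country, different MNC: rejected
                   "234150123456789",   # different MCC: rejected
                   "31041012345"):      # too short: rejected
        print(sample, "accepted" if sim_accepted(sample) else "rejected")
```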


Comments (3)

  1. mauriciomartinez — August 17, 2010 at 3:25 pm

    My iPhone only shows the apple and the spinning circle, I don't know what the problem is, it won't unlock, can you help me for free


  2. jorge galvan — September 22, 2010 at 5:10 pm

    Friends, I have an AT&T iPhone, how can I use it without a contract with the carrier, please help me, the card it has is PUK-blocked

