How iPhone Unlocking Works

And what to expect from Apple

Apple’s iPhone has been a huge hit around the world, even though it’s only sold in the US and only works with American telecoms company AT&T. How can it be used in dozens of countries?

Because the iPhone has been thoroughly hacked and unlocked, despite Apple’s efforts to keep it “closed.” CEO Steve Jobs says Apple will fight back – “It’s a cat and mouse game” – and a new version of iPhone software expected imminently will throw the hackers a curve.

Here is how the current iPhone unlock works, with a look ahead at the future.

The iPhone is a mobile phone plus a pocket-sized computer. The computer part is a fast, low-power CPU running a version of Apple’s OS X, which is a unix with clever software on top. The phone part is a second CPU that handles voice and data communications and sound, plus some other tasks. The second CPU is generally referred to as the “baseband,” though many references to it mean just the part of the chip that holds the phone’s “firmware.”

Firmware, neither hard nor soft, is data and instructions stored inside the chip in a semi-permanent way. In the iPhone, as with many other devices, the firmware is stored in flash memory, a different type of memory from the one used to hold programs or your files. The contents of flash memory are not lost when the device is powered down, or even if you delete everything on the device. However, a special process can change the firmware. Companies like Apple use firmware updates to fix problems in their devices and provide new features.

Unlocking an iPhone involves modifying the firmware.

Preliminaries

Apple intended the iPhone to work only with one specific telecoms company in each country, a practice referred to as subsidy locking. Several barriers were put in place to prevent iPhone owners from using the device on other networks. In order to unlock the iPhone, the “Dev Team”, a self-named group of iPhone hackers, had to get around each of the barriers in turn.

The initial barriers were “computer-ish” – Apple delivers the iPhone such that it can’t be read from or written to by any software except Apple’s iTunes, and the phone needs to be activated, again by iTunes, before it will do anything except dial an emergency number.

Getting over those was a big problem for a few days, but once solved, those steps now just form the preliminaries. Jailbreaking, as the process of getting into the phone is called, and activation without iTunes can now be done by a variety of software tools for both Windows and Mac computers.

A jail-broken and activated iPhone is almost the same as an iPod Touch: It surfs the web on Wifi networks and is a great iPod, but without an AT&T SIM chip and AT&T contract, it won’t make calls, send or receive SMS messages or voicemail, and it can’t access the internet via the telecoms’ data networks, called GPRS (the basic version) and EDGE (a faster version).

The unlock “magic”

The true unlock for an iPhone is to be able to put any SIM chip from any GSM network into the phone and use it. People in the US and Canada have few options, but in most of the world, there are multiple GSM carriers in each country, and vigorous competition.

Unlocking the iPhone for any SIM chip is an altogether more complicated matter than jailbreak and activation. Those involve the computer side of the iPhone, and were circumvented in a few days. The SIM unlock involves the other CPU, the baseband chip. That is where Apple put the most effort into keeping the iPhone locked. Data loaded into the baseband chip has to be “signed” with an Apple key that is unbreakable for all practical purposes. There are layers of encryption, and the actual computer instructions, once uncovered, are obscured by several techniques. All of that took time to decipher.

The first unlock came 60 days after the iPhone shipped, and it required partial disassembly of the phone and shorting-out tiny points on the baseband circuit board while running custom software. That was step nine of the procedure: All in all not a job for the fainthearted. A few hundred people around the world did the hardware unlock. Most succeeded, but quite a few destroyed their iPhones instead.

A software-only unlock was announced the following day by a commercial company with shadowy origins, but wasn’t released until two weeks later. It was based on the hardware hack but used a new trick, which was reverse-engineered quickly. The Dev Team with others released a free (but much more complicated) version of the software unlock shortly after the commercial version. That was refined and eventually turned into a free click-and-go application for the iPhone.

It’s all the same process, however you do it

All the iPhone unlocks, hardware or software, manual steps or click-and-go, do essentially the same thing. To understand it, we need to know a little more about the baseband chip, and especially its firmware.

There are three sections of the baseband chip’s firmware. They collectively became known as the nor, a name originating from the way information is written to the semi-permanent memory. A crucial and time-consuming hacking step was to get access to the nor, to understand how it was organized, and to relate that to the software files Apple distributes for the iPhone. When the Dev Team was finally able to dump the baseband firmware, they discovered three parts.

At the beginning of the nor is a boot loader, basic software to load other things. It is unmodifiable. There is a main firmware section following that, which handles most functions, and then finally a section called the eeprom, a separate bit of instructions that handles sensitive parts of the programming, including SIM chips.

With this, there were two clear objectives: find out what to change to render an iPhone unlocked and find out how to write to this write-protected firmware. When those two converged, there was an unlock.

Boom!

Initially a Russian hacker and the New Jersey teenager we all heard about figured out how to do that, respectively by changing two bytes in the eeprom and by using a hardware short to trick the chip into using a different boot loader, one that he wrote, which, in turn, loaded the two-byte patch. An unlock command was then sent manually to the patched baseband software.

The software unlock capitalized on that, but its developers figured out how to overwrite the sensitive part of the nor, the baseband firmware, by starting from an unprotected location. No disassembly or shorting required. The free unlock from the Dev Team uses the same exploit.

All iPhone unlocks use some implementation of the trick of editing the iPhone’s eeprom software, putting it back into the phone, and then sending an unlock command. There’s no reason to break open a phone to do it now, but whether someone uses a manual method or a graphical click-and-go application, the process is the same.
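As an added illustration, not code from the original article, here is a small Python model of the signing point made earlier: a signature that covers only the boot loader and main firmware does not notice a two-byte lock-flag edit in the eeprom section, while a signature over the whole nor rejects it. The section contents, the lock flag and the HMAC-SHA256 key are constructed assumptions standing in for Apple’s real layout and signing scheme.

```python
import hashlib
import hmac

# Constructed stand-in for the three-section baseband "nor" the article
# describes. Section contents, the lock flag and the HMAC-SHA256 "signature"
# are assumptions for illustration, not the real iPhone layout or Apple's key.
BOOTLOADER = b"BOOT-LOADER-UNMODIFIABLE"
MAIN_FW = b"MAIN-FIRMWARE-VOICE-DATA-SOUND"
EEPROM = b"EEPROM-SIMLOCK=01-CARRIER-ONLY"
VENDOR_KEY = b"constructed-vendor-signing-key"  # assumption, not Apple's key

def sign(data: bytes) -> bytes:
    """Vendor-side signing. HMAC stands in for the real signature scheme."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()

def signed_region(image: dict, cover_eeprom: bool) -> bytes:
    """Bytes the signature covers. cover_eeprom=False models a design where
    the eeprom section sits outside the protected region."""
    region = image["boot"] + image["main"]
    return region + image["eeprom"] if cover_eeprom else region

def build_image(cover_eeprom: bool) -> dict:
    image = {"boot": BOOTLOADER, "main": MAIN_FW, "eeprom": EEPROM}
    image["sig"] = sign(signed_region(image, cover_eeprom))
    return image

def verify(image: dict, cover_eeprom: bool) -> bool:
    """Boot-time check: recompute the signature over the covered region."""
    expected = sign(signed_region(image, cover_eeprom))
    return hmac.compare_digest(expected, image["sig"])

def flip_lock_flag(image: dict) -> dict:
    """Model the article's two-byte eeprom edit: turn the lock flag off."""
    eeprom = bytearray(image["eeprom"])
    off = eeprom.index(b"01")
    eeprom[off:off + 2] = b"00"
    return {**image, "eeprom": bytes(eeprom)}

def demo() -> dict:
    """Compare partial-coverage and full-coverage verification."""
    partial, full = build_image(cover_eeprom=False), build_image(cover_eeprom=True)
    return {
        "partial_clean": verify(partial, False),
        "partial_patched": verify(flip_lock_flag(partial), False),  # edit unnoticed
        "full_clean": verify(full, True),
        "full_patched": verify(flip_lock_flag(full), True),  # edit rejected
    }
```

The defensive lesson is that every section a boot-time check trusts, including the eeprom, has to sit inside the signed region, and the region the verifier covers must not be selectable by the image being verified.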

What happens during an unlock

The iPhone has to be jail-broken and activated before unlocking, and it should be at the current software version, 1.0.2.

Then either individual files or a package incorporating all of them has to be put on the phone. And finally, a manual process or an application has to do these things:

  • Stop the Apple software that normally controls the baseband
  • Dump the firmware and make the edit
  • Rewrite the modified firmware
  • Execute a command to unlock, and
  • Restart the Apple software

With that, the phone can be activated with any SIM chip, and all voice and data services except visual voicemail, an AT&T exclusive for now, will work.

Problems

Even with click-and-go tools, there are things that can go wrong. Almost all of them can be corrected, but that requires still more technical knowledge. Only tech-savvy people should even be thinking about unlocking an iPhone.

The Future

Apple’s determination to fight back and a warning from the company that software updates may put unlocked iPhones into an unusable state should also give would-be unlockers pause. The coming update will almost certainly rewrite the baseband flash memory, and that will re-lock hacked iPhones, or perhaps kill them altogether. The iPhone Dev Team hackers have already said that they will provide software to return an unlocked iPhone to a state in which the update can be safely applied, but that step may be only the start of their problems.

The iPhone-without-the-phone, the iPod Touch, uses a different access lock method than the current iPhone. So far, it has not been jail-broken, and at least some of the hackers working on the process are pessimistic about the prospects. If Apple brings this “maximum security” to the iPhone in the next release, or if they close the loophole that allows overwriting the firmware, unlocking an updated phone may be very difficult.

Bottom line: The cat will be back on top, at least for a while. If you want an iPhone and live in the US or in the three European countries where it will soon be available, save yourself a lot of headaches and just sign up with the locked-in telecoms company. If you do choose to hack and unlock an iPhone, remember that you are voiding the warranty and risking turning that gorgeous piece of technology into an expensive paperweight. A jailbroken iPhone may not be such a good thing!