Wednesday, February 13, 2008


There are two types of unlocking: "Firmware patch" and "Direct unlock".
A firmware patch simply modifies the firmware so that it bypasses the lock. The phone is still "locked"; the firmware is just tricked into believing it is not. An example would be a phone that starts up and runs the code "if(phoneIsLocked == false) doStartphone();" - a patch would simply change "false" to "true", causing it to run doStartphone() even when it is locked. The lock data itself is never touched, so if the firmware is upgraded or restored, the patch is of course gone and we're back to the start again. In the industry this type is considered a semi-unlock, and is only accepted as a last resort if no other way is found (usually it is just a temporary solution).

Direct unlock is the real way of unlocking phones. Usually it involves just rebuilding the entire lock area in EEPROM with "blank" unlocked data. The safest way, though, is to get the phone to clear the data itself by making it unlock itself - which can be achieved, for example, by finding the unlock codes and feeding them to the phone. This leaves absolutely no trace of "hacking"; it is done 100% correctly, exactly as intended by the manufacturer.

(SIM cloning/Turbosim is not covered here, because that is not considered unlocking.)
When a phone is unlocked properly, it stays unlocked. Firmware upgrades never touch the EEPROM, and that includes the lock data.
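To make the difference concrete, here is a small toy model written for this page (it is not baseband code from any phone, nor IPFS or anySIM code). It keeps a firmware image and an EEPROM lock record separately, applies the three kinds of "unlock" described above, and then installs a fresh stock image the way a baseband upgrade would. The image layout, the lock-check offset, the lock record layout, the checksum, and the assumption that the newer firmware validates the record while the older one does not are all hypothetical; the last one is only there to model the idea that a sloppily edited lock area looks "corrupted" to a new firmware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (added example, not real baseband code): a small firmware image
 * plus a separate EEPROM lock record. Offsets, record layout and checksum are
 * hypothetical; they only exist to make the three cases below observable. */

#define FW_SIZE          16
#define FW_LOCKCHECK_OFF 7   /* byte the boot-time lock check compares against */

/* Stock image. Byte 7 is 0x00: "if (phoneIsLocked == 0) doStartphone();" */
static const uint8_t STOCK_FW[FW_SIZE] = {
    0xEA, 0x00, 0x00, 0x0E, 0x21, 0x00, 0x00, 0x00,
    0x1A, 0xFF, 0xFF, 0xFE, 0xE1, 0x2F, 0xFF, 0x1E,
};

struct firmware {
    uint8_t image[FW_SIZE];
    int     version;
};

struct eeprom_lock {
    uint8_t locked;    /* 1 = operator locked */
    uint8_t plmn[3];   /* operator the phone is locked to (hypothetical encoding) */
    uint8_t checksum;  /* over the four bytes above */
};

enum boot { BOOT_OK = 1, BOOT_LOCKED = 2, BOOT_CORRUPT = 3 };

static uint8_t lock_checksum(const struct eeprom_lock *e)
{
    uint8_t sum = e->locked;
    for (int i = 0; i < 3; i++)
        sum = (uint8_t)(sum + e->plmn[i]);
    return (uint8_t)(0xFF - sum);
}

void firmware_install(struct firmware *fw, int version)
{
    memcpy(fw->image, STOCK_FW, FW_SIZE);   /* any patch in the old image is gone */
    fw->version = version;
}

/* Boot-time lock check as the manufacturer's firmware would do it.
 * Model assumption: version 2 validates the lock record's checksum, version 1
 * does not, so a sloppily edited record only shows up after an upgrade. */
enum boot phone_boot(const struct firmware *fw, const struct eeprom_lock *e,
                     const uint8_t sim_plmn[3])
{
    if (fw->version >= 2 && e->checksum != lock_checksum(e))
        return BOOT_CORRUPT;
    uint8_t phoneIsLocked = (e->locked && memcmp(e->plmn, sim_plmn, 3) != 0) ? 1 : 0;
    /* the compared constant lives in the image; a patch edits that byte */
    return phoneIsLocked == fw->image[FW_LOCKCHECK_OFF] ? BOOT_OK : BOOT_LOCKED;
}

/* Firmware patch: flip the constant so a locked phone starts. EEPROM untouched. */
void patch_unlock(struct firmware *fw) { fw->image[FW_LOCKCHECK_OFF] = 0x01; }

/* Direct unlock: rebuild the lock record as blank, consistent data. */
void direct_unlock(struct eeprom_lock *e)
{
    e->locked = 0;
    memset(e->plmn, 0, sizeof e->plmn);
    e->checksum = lock_checksum(e);
}

/* Sloppy unlock: clears the flag but leaves the old checksum behind. */
void sloppy_unlock(struct eeprom_lock *e) { e->locked = 0; }

/* Runs one scenario with a foreign SIM; returns before*10 + after (enum boot values). */
int scenario(int kind)
{
    const uint8_t home[3]    = { 0x23, 0x40, 0x10 };   /* constructed operator codes */
    const uint8_t foreign[3] = { 0x26, 0x20, 0x50 };
    struct eeprom_lock e = { .locked = 1 };
    struct firmware fw;

    memcpy(e.plmn, home, 3);
    e.checksum = lock_checksum(&e);       /* factory-consistent locked record */
    firmware_install(&fw, 1);

    if (kind == 0)      patch_unlock(&fw);
    else if (kind == 1) direct_unlock(&e);
    else                sloppy_unlock(&e);

    int before = phone_boot(&fw, &e, foreign);
    firmware_install(&fw, 2);             /* baseband upgrade: fresh stock image */
    int after = phone_boot(&fw, &e, foreign);
    return before * 10 + after;
}

int main(void)
{
    printf("firmware patch : %d\n", scenario(0));   /* 12: starts, then locked again */
    printf("direct unlock  : %d\n", scenario(1));   /* 11: starts before and after */
    printf("sloppy unlock  : %d\n", scenario(2));   /* 13: starts, then corrupt record */
    return 0;
}
```

The patch case survives only as long as the patched image does; the direct unlock lives in the lock record, which the upgrade never writes, so it survives; the sloppy case works on the old firmware and fails on the new one even though the flag says "unlocked", because the record as a whole no longer validates.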

Here are my thoughts on how iPhone unlocking works - of course, it's just my thoughts based on my experience with other phones, and I may very well be wrong.

IPFS unlock solution is permanent, and will handle all future updates
Yes, I'm fairly sure that a phone unlocked with IPFS is a proper unlock (not a firmware patch), making it permanent. But of course, unlike other phones, the iPhone needs activation, and IPFS is therefore completely dependent on activation, which depends on the jailbreak. But when it comes to the operator lock itself, IPFS permanently unlocks it.

I'm not sure exactly how IPFS unlocks it, but I feel very sure it's one of these:

1. IPFS reads data from the baseband/EEPROM, and rebuilds the lock area in EEPROM with proper data - without any lock. This is exactly what is done on almost all other phones.

2. IPFS patches the baseband, but only as a temporary step in order to achieve the above. When it's finished, it doesn't matter if the patch is removed (baseband upgraded), because the phone is already unlocked.

AnySIM and the other solutions are firmware patch solutions and will never survive baseband flashing/upgrade. Unlike IPFS (if IPFS also patches firmware), AnySIM patches the firmware in order to bypass the lock, not in order to unlock it - or at least it doesn't unlock it properly. The fact that anySIM-unlocked phones are bricked after upgrading must be caused by changes the anySIM solution makes to EEPROM, which are not done properly and make it look "corrupted" as seen from the new firmware.

In my opinion there's no reason to be so negative about IPFS. They did the real unlock, and so far no one has been able to recreate their solution. So don't expect a free real solution for 1.1.1 to appear very soon either. A free patch-unlock, though, is probably already possible now that they have decrypted the ramdisk; I will try that tomorrow. Of course the iPhone dev team are doing the most important work, and let's hope they will soon be able to work out a direct unlock solution as well.