A determined group of hobbyists has documented breaking the iPhone's ties to AT&T through a mixture of hardware and software, proving that the Apple handset can be hacked to permanently function with other cellular carriers.
The technique requires an iPhone that has already been "jailbroken," or derestricted to allow third-party programs, as well as soldering tools and wiring. Much like the method used to unlock a Siemens phone from Europe, it involves forcing the read-only boot memory on the iPhone to accept unsigned code on the phone's built-in NOR flash storage, which controls some of the handset's most essential functions. This permits the code to change the iPhone's default behavior, which normally bars all but specially approved SIM cards from placing and receiving calls.
"Once the code is on the NOR [memory] we can do whatever we want," said Finding JTAG's public representative, George Hotz. "So patch out the [carrier] lock; voila, unlocked iPhone."
While the summary appears straightforward, however, the actual process is potentially complicated — and also potentially fatal to the phone for novice hackers. In addition to removing the back cover of the phone and exposing the circuit board, the procedure requires cleaning and then resoldering a single trace on the board to a power line and an unlock switch; a failure could render the whole phone unusable. "You only get one chance to do this right," Hotz warned.
Once this is accomplished, the user resets the phone's baseband frequencies, then selectively erases and reloads firmware with special software that sends the needed code, followed by a final instruction that removes the carrier lock. This permanently unlocks calling service and allows the phone to receive new code more easily in the future.
Despite the team's success, the experiment would not immediately result in an easily reproduced means of derestricting the iPhone, Hotz added. Although it was apparent that a hardware modification would work, the goal was still to develop a completely software-driven equivalent, which he and Finding JTAG believed was possible but still relatively distant and likely to demand superior reverse engineering skills.
"If anyone finds a way to erase the [Apple-made] bootloader from software, this becomes a software unlock," according to Hotz. "I'm sorry about how hard [the instructions] are to follow, but someone will get them to work, and simplify them, and simplify them more. Hopefully a software unlock will be found in the near future."
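The article turns on one design point: the boot ROM is the root of trust, and it only hands control to NOR flash contents that carry the manufacturer's signature, so patching the carrier-lock code in NOR invalidates the signature, and the unlock only works once the verifier itself is bypassed (by hardware here, or by erasing the bootloader, as Hotz speculates). The following model is an added example written for this page, not code from Apple or from Finding JTAG; it uses a toy textbook RSA signature over a SHA-256 digest (no padding, constructed keys) and a made-up `CARRIER_LOCK=` byte string standing in for the real lock logic, purely to show why the check in immutable boot memory matters and why removing it defeats the whole chain.

```python
import hashlib
import random
import secrets

# ---- Toy RSA (constructed for this example; a real boot ROM ships only the
# manufacturer's public key and never holds the private half) ----

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def make_keypair(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). 512-bit n keeps a
    256-bit digest comfortably below the modulus."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


# ---- Secure-boot model: signer (manufacturer) and verifier (boot ROM) ----

def _digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def manufacturer_sign(private_key, nor_image: bytes) -> bytes:
    n, d = private_key
    return pow(_digest_int(nor_image), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def boot_rom_verify(public_key, nor_image: bytes, signature: bytes) -> bool:
    """The check the read-only boot memory performs before running NOR code."""
    n, e = public_key
    return pow(int.from_bytes(signature, "big"), e, n) == _digest_int(nor_image)


def boot(nor_image: bytes, signature: bytes, public_key, verifier_present: bool = True) -> str:
    """Return 'refused' if the ROM rejects the image, else the lock state the
    NOR code would enforce. verifier_present=False models a boot chain whose
    signature check has been removed or bypassed."""
    if verifier_present and not boot_rom_verify(public_key, nor_image, signature):
        return "refused"
    # Constructed stand-in for the real carrier-lock logic living in NOR.
    return "unlocked" if b"CARRIER_LOCK=0" in nor_image else "locked"


def run_scenario() -> dict:
    """Walk through: genuine image boots locked; a patched image is refused
    while the verifier is intact; the same patched image runs once it is gone."""
    public, private = make_keypair()
    genuine = b"baseband-fw v1 CARRIER_LOCK=1"          # constructed sample image
    sig = manufacturer_sign(private, genuine)
    patched = genuine.replace(b"CARRIER_LOCK=1", b"CARRIER_LOCK=0")
    return {
        "genuine_verifies": boot_rom_verify(public, genuine, sig),
        "genuine_boot": boot(genuine, sig, public),
        "patched_verifies": boot_rom_verify(public, patched, sig),
        "patched_boot_with_rom_check": boot(patched, sig, public),
        "patched_boot_without_rom_check": boot(patched, sig, public, verifier_present=False),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes the defensive lesson explicit: as long as the verifier in read-only boot memory runs, a one-byte change to the lock logic is caught, so the protection is only as strong as the verifier's own immutability. That is why the hobbyists needed a hardware change (and why a software path to erasing the bootloader would turn this into a pure software unlock), and why verification of every later boot stage should be anchored in a component an attacker cannot rewrite.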
39 Comments
Ok, hats off. Really clever, really entertaining, if you're in the .001% of owners who might want to attack their $600 device with a soldering iron and warranty breaking escapades.
But I really want to know. Are these the same folks who are going to try to ream Apple a new one once their iPhone is compromised with the new 'feature' of accepting unsigned code from god-knows-where?
Have fun...
Awesome. I wonder:
1. Is it legal for Apple to block the iPhone to prevent use with any company other than AT&T, or whatever else they want?
2. Is it legal for people to break it and distribute the tool?
Thanks.
1. Of course it's legal. Every other cell phone manufacturer/service provider does it.
2. I'm not sure on that one, but my guess is no.
I wouldn't want to lose visual voicemail.
Oh also, I wouldn't want to crack this baby open and go to town with a soldering iron!
I hope it's just a big joke and people end up breaking their phones.
Too lazy to try myself, but when you put a "foreign" SIM into the iPhone, are you given an opportunity to enter an unlock code? Just wondering, since the 90-day post-purchase window after which you can request the unlock code from Cingular is approaching. Does anybody know if they are legally required to provide the unlock codes after the 90-day window expires?