Thursday, February 7, 2008

1.1.2 OOTB Hardware Unlocking: Bootloader downgrade

Now you are done with the hardware changes for the hack. Next we will use a combination of software and hardware to downgrade the bootloader. The software part involves running the commands ienew & iunew. The hardware part is to connect the testpoints while you run the iunew command. Let's go step by step. Even if you have wifi, I would recommend that you run all the following commands from your iPhone only.

The necessary files in this step are the following. I gave the source for them in my earlier post.
- toolpack provided by geohot (ienew, secpack, etc.)
- nor file of the 3.9 bootloader
- bbupdater (optional)
You have to put all these files into a directory, something like /usr/bin or /112ootb. If you have wifi you can transfer them with psftp or any other ftp-over-ssh utility. If you do not have wifi, use ibrickr to place the files on the iPhone. Once you have put all the files on the iPhone, you have to give executable permission to all of them using the "chmod +x" command.

Now we have to run ienew. ienew is the new version of ieraser for 1.1.2 OOTB phones. Before running ienew, you should unload the commcenter with the -w option. The -w option is very important. The exact command is "launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist". Instead of typing the command in the terminal, you can use an application named 'UICtl' to start, unload, and stop different services on the iPhone. Now run the ienew command as "./ienew" while you are in the directory where the other files from the toolpack are located. If the command ran successfully, you will see some hex strings getting printed. At the end you will get a message saying
Hopefully the main flash was erased, wait for the next step...
This command modifies the baseband in a controlled manner so that the testpoint can downgrade the bootloader. Most likely you will lose your wifi after this command. Do not panic. You will get your wifi back when we restore to 1.1.2. You can now proceed to run iunew from the mobile terminal.

But not everyone is able to run ienew successfully. I see a lot of complaints on the forums. The most common of them are...
1. Command hanging at "Waiting for data.."
2. bus error
3. Error saying "Can't write"
For (1), retry the command. Also make sure that you unloaded the commcenter. Sometimes it hung for me, but I was successful when I re-ran the command. Don't know any specific reason.
For (2), most probably the directory from which you are running is not the same as the location where the rest of the files from the toolpack are located. Execute the command from the appropriate directory. The testcode.bb file should be in the same directory from which the ienew command is run.
For (3), try stopping the lockdown service. Remember, it is stopping and not unloading. The exact command is "launchctl stop /System/Library/LaunchDaemons/com.apple.mobile.lockdown". This is not guaranteed to work in all cases, but try your luck. Repeatedly try the ienew command a few times. You can also try rebooting the device. I used to get this "can't write" error. One day I did some changes and suddenly it worked. I don't remember exactly what I changed before running the command, but I am sure that I did stop the lockdown service. You can use the 'UICtl' application to stop the service.
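As an added pre-flight check (not part of the original post or of geohot's toolpack), the following POSIX sh function verifies the two things above that most often go wrong before you run ienew or iunew: that ienew, iunew and testcode.bb are all in the toolpack directory and the binaries are executable (the "bus error" and chmod +x points), and, where launchctl is available, it warns if CommCenter is still loaded. The NOR file name is a placeholder; set NOR_FILE to the name of your own copy.

```shell
# Pre-flight check for the toolpack directory before ienew / iunew.
# Usage: preflight_check /112ootb
# Returns 0 when everything is in place, 1 otherwise; each problem is
# reported on stderr together with the fix this post describes.
# Assumptions: the required names are ienew, iunew and testcode.bb (all named
# in the post); the NOR image name is a placeholder, set NOR_FILE to your copy.
NOR_FILE="${NOR_FILE:-bootloader-3.9.nor}"   # placeholder file name
REQUIRED_BINARIES="ienew iunew"
OPTIONAL_BINARIES="bbupdater"

preflight_check() {
    dir="$1"
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in $REQUIRED_BINARIES; do
        if [ ! -f "$dir/$f" ]; then
            # running from the wrong directory is the usual cause of the "bus error"
            echo "missing: $dir/$f (run ienew/iunew from the toolpack directory)" >&2
            rc=1
        elif [ ! -x "$dir/$f" ]; then
            echo "not executable: $dir/$f (fix with: chmod +x $dir/$f)" >&2
            rc=1
        fi
    done
    for f in testcode.bb "$NOR_FILE"; do
        [ -f "$dir/$f" ] || { echo "missing data file: $dir/$f" >&2; rc=1; }
    done
    for f in $OPTIONAL_BINARIES; do
        [ -f "$dir/$f" ] || echo "note: optional $f not found in $dir" >&2
    done
    # CommCenter must be unloaded (launchctl unload -w ...) before ienew.
    # Only checked where launchctl exists; the "launchctl list" output format is assumed.
    if command -v launchctl >/dev/null 2>&1 &&
       launchctl list 2>/dev/null | grep -q 'com.apple.CommCenter'; then
        echo "warning: com.apple.CommCenter still loaded; unload it with -w first" >&2
    fi
    return $rc
}
```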

Now you are ready to run iunew. iunew is the new version of iunlocker for 1.1.2 OOTB phones. Before running iunew, you have to make sure that ienew ran successfully at least once. iunew uses data in some areas written by ienew, so it is necessary that ienew successfully ran once for iunew to work. Also make sure that you are running the command from a location where the other files from the toolpack are present. You have to connect the two testpoints while the iunew command runs. If you have a friend, the two of you can co-ordinate to run the command exactly when the testpoint is connected. Otherwise, induce a delay before running iunew using the sleep command. The command will look something like "sleep 20; ./iunew", where 20 represents the delay in seconds. After issuing the command you can turn over the phone and connect the testpoints. Take a deep breath and have a stable hand when you connect the testpoint. It is enough to hold for about 5 seconds after the actual iunew command runs. If the testpoint was held connected at the required time, you will get a message saying
TESTPOINT WORKS: 55
Press any char, then hit enter after testpoint has been disconnected

Now you can remove the connecting wire. Type any character and press Enter to proceed. You will see some more messages flowing after this. At the end you will get a message saying
run bbupdater -v and pray
if it worked, enjoy your unlocked iPhone!!!
But if you run "bbupdater -v" at this stage, it will fail. Do not worry. You succeeded in downgrading the bootloader. Everything else is a piece of cake going forward.

The iunew command might throw an error saying...
Please connect the testpoint
This means the testpoint was not held connected when required. It is quite likely that you moved your hand a bit and the testpoint got disconnected. Try multiple times. I did not succeed on the first attempt. After trying a few times, if you are sure that you are holding the testpoint correctly, check other things.
- Make sure that you scratched the A17 line enough. You might have left some plastic coating over it which is acting as insulation. Scratch a little more to expose the gold line properly. Be careful not to overdo the scratching and snap the line; then you will be in big trouble.
- Make sure the connecting wire is insulated properly, especially over the place where you hold the wire. Otherwise, the power coming from the capacitor will be grounded through your body.

One more problem which a lot of people faced is that the iunew command hangs at "Spamming AT, waiting for a response". You can try killing the command and then retrying it. This worked for a lot of people. If nothing works, try rebooting your phone and then retrying this command.

At the end of this whole process, your bootloader will be downgraded to version 3.9. But your baseband will be in an unusable state, so you will not have any wifi and you cannot make calls yet. The next step is to correct your baseband.

Next Step: Restore baseband & unlock
Previous Step: Scratching A17 line
