[News commentary] Aha... looks like the iPhone has been hardware-cracked: the unlock succeeded..

Posted 2007-8-24 01:58
This crack is different from the SIM-card unlock that circulated a while ago. Once this is done, any SIM card works; you don't have to hand your card to someone else to have a card made.

I came across it by chance today and haven't gone through it carefully yet.

The original tutorial is here: Finding JTAG on the iPhone

Reposting it step by step.
Step 1

First, I would like to say thanks again to gray, iProof, dinopio, lazyc0der, anonymous, the dev team, nightwatch, and everyone who donated. Without them, there would be no unlock today, and I surely wouldn't be up at 8AM.

Second, you may brick your iPhone using this tutorial. YOU ARE WARNED.

Okay, on to the actual step. Remove the black part, the three screws, and the aluminum case. Disconnect the wire connecting the phone to the case. Do not remove anything else. Comment on these posts if you are with me so far. Once we get a good number of comments I'll move on.

Posted by George Hotz at 7:50 AM

iPhone in standby with the screen off
OP | Posted 2007-8-24 02:01
Step 2

Also remove the metal cover over the comm board. This is all the disassembly you have to do. If you feel like being safe, desolder the battery red lead. I didn't :)

Posted by George Hotz at 8:03 AM
step2.JPG
OP | Posted 2007-8-24 02:03
Step 3

The red line is covering the A17 trace. In order to trick the chip into thinking the flash is erased in the correct section, you will need to pull this high. Scrape away at the trace with something like a multimeter probe. Then solder a very thin wire to it. Be very careful. Only scrape away at that solder mask above that one trace. YOU DO NOT WANT TO BREAK THE TRACE. This is the hardest step in the whole process; the rest is cake. Also solder a wire to the 1.8v line. Connect the wire coming from the trace and the wire coming from the 1.8v to your unlock switch. Be careful, you only get one chance to do this right. Thanks again to Nick Chernyy for the picture.
realtp.jpg
soldered.JPG
OP | Posted 2007-8-24 02:05

Step 4

Ok, time to test what you just soldered. First use the continuity check on a multimeter to make sure the wires aren't shorting to ground or to each other. Make sure your switch is in the off position. Power up your iPhone. Hopefully it didn't smoke :) Now go into minicom to tty.baseband and send a few commands, AT a few times will do. It should respond OK. Now flip your switch, the baseband should stop responding. Even when you flip it back, the baseband still shouldn't respond. Be sure your switch is off, then open another ssh and run "bbupdater -v". You can get bbupdater off the ramdisk. This should reset the baseband, and minicom should start working again. If it did this, your soldering is most likely good, and you are ready to actually start unlocking your phone!!!
OP | Posted 2007-8-24 02:07

Step 5

If it passed the checks in step 4, congratulate yourself. You are a pro solderer. Go eat lunch. If not, don't worry yet. I must've thought I bricked my phone 100 times. First of all, to power up your phone you don't need to reconnect the case with the power button. Just connect it with USB, it'll power itself up. Secondly, don't waste time compiling minicom. Download the binary here, and termcap here.

minicom

192.76 KB, downloads: 450

termcap.htm

705.92 KB, downloads: 492

OP | Posted 2007-8-24 02:09

Step 6

Now, with the switch off, your baseband should be working perfectly. Here you should take a NOR dump of your phone. The dev team's NORDumper is a great way to do this. This is good to have in case something goes wrong. You can extract the firmware from this as well, which we'll get to later.

Here is what we promised, the source code for "NORDumper".
We wanted to release this code along side some nice documentation (with the function addresses, and other useful info) but this doc is not yet completed and we think someone might find this source code useful in the meantime.
Of course, the source contains much more information (other than just the read command) but it is still missing some pieces. If you think you can fill in those, feel free to contact us.
So here it is, enjoy, and stay tuned!

NORDumper_src.tar.bz2

20.88 KB, downloads: 417

OP | Posted 2007-8-24 02:11

A Little Motivation

This is the world's second (outside super secret apple vault) unlocked iPhone.
strivefor.jpg
OP | Posted 2007-8-24 02:11

Think of how pretty it'll be...

OP | Posted 2007-8-24 02:14

Step 7

So here is the first tool release, iEraser. This erases the current firmware on your modem. Don't worry, you can always put it back with bbupdater.
Here is how the bootrom check works; it reads from 0xA0000030 0xA000A5A0 0xA0015C58 0xA0017370 and all these addresses must read as blank, or 0xFFFFFFFF.
When you erase flash, it becomes 0xFFFFFFFF. But you can't erase those locations, because they are in the bootloader. So that's where the testpoint comes in. Pulling A17 high hardware OR's the address bus with 0x00040000 (offset one because data bus is 16 bit). So the bootrom instead checks locations 0xA0040030 0xA004A5A0 0xA0045C58 0xA0047370, which are in the main firmware and can be erased.
Pretty genius :)

To use this tool, you need the secpack from your modem's version. The erase of this section is protected. Check the modem version in Settings->About. It'll either be 3.12 (1.0) or 3.14 (1.0.1 and 1.0.2). You need the ramdisk which corresponds to your version. Then go into "/usr/local/standalone/firmware" and get the ICE*.fls file. Extract 0x1a4-0x9a4 and save it in a file called secpack and place it in the same directory as the ieraser tool. Run ieraser. This should erase the modem firmware and leave you one more step on your way to unlocking.

ieraser.rar

5.91 KB, downloads: 428
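As an added illustration, not part of the thread and not code from Hotz or the dev team, the following Python models the weakness the Step 7 post describes: a bootrom blank check over fixed NOR addresses, where an externally forced address line is ORed into the bus and so relocates the reads from the protected bootloader region into the erasable main-firmware region. The check addresses and the 0x00040000 OR mask are the post's; the NOR size (512 KiB), the bootloader/firmware boundary (0x20000), the fill pattern and the function names are constructed assumptions for the model. Applying a plain OR yields 0xA0055C58 and 0xA0057370 for the last two addresses rather than the 0xA0045C58 and 0xA0047370 listed in the post; the mechanism is the same either way. The defender's lesson is that an integrity check which reads through the same bus an attacker can influence cannot distinguish "erased" from "redirected".

```python
# Model of a NOR blank check subverted by a forced address line (A17 testpoint).
# All sizes, the bootloader boundary and the fill pattern are constructed for this model.

NOR_BASE = 0xA0000000
NOR_SIZE = 0x00080000        # assumed: 512 KiB NOR, enough to cover every offset below
BOOTLOADER_END = 0x00020000  # assumed: bootloader occupies the first 128 KiB, main firmware follows
A17_MASK = 0x00040000        # from the post: A17 high ORs the address bus with 0x00040000
BLANK_WORD = 0xFFFFFFFF      # what erased flash reads as
CHECK_ADDRS = (0xA0000030, 0xA000A5A0, 0xA0015C58, 0xA0017370)  # from the post


def build_nor_image() -> bytearray:
    """Constructed sample NOR image in which no 32-bit word is blank."""
    img = bytearray(NOR_SIZE)
    for off in range(0, NOR_SIZE, 4):
        # off ^ 0x5A5A5A5A can never equal 0xFFFFFFFF for off < NOR_SIZE
        img[off:off + 4] = (off ^ 0x5A5A5A5A).to_bytes(4, "little")
    return img


def effective_address(addr: int, a17_high: bool) -> int:
    """Address that actually reaches the flash once the forced line is ORed into the bus."""
    return addr | A17_MASK if a17_high else addr


def region_of(addr: int, a17_high: bool) -> str:
    """Which region of the modelled NOR a read really lands in."""
    off = effective_address(addr, a17_high) - NOR_BASE
    return "bootloader" if off < BOOTLOADER_END else "main firmware"


def read_word(img: bytearray, addr: int, a17_high: bool) -> int:
    off = effective_address(addr, a17_high) - NOR_BASE
    if not 0 <= off <= NOR_SIZE - 4:
        raise ValueError(f"address {addr:#x} falls outside the modelled NOR")
    return int.from_bytes(img[off:off + 4], "little")


def erase_main_firmware(img: bytearray) -> None:
    """Flash erase sets bytes to 0xFF; the bootloader region is erase-protected in this model."""
    img[BOOTLOADER_END:] = b"\xff" * (NOR_SIZE - BOOTLOADER_END)


def bootrom_blank_check(img: bytearray, a17_high: bool) -> bool:
    """The check as the post describes it: every listed address must read 0xFFFFFFFF."""
    return all(read_word(img, a, a17_high) == BLANK_WORD for a in CHECK_ADDRS)


def run_scenarios() -> dict:
    """Outcome of the check for each combination of flash state and A17 line."""
    fresh = build_nor_image()
    erased = build_nor_image()
    erase_main_firmware(erased)
    return {
        "fresh, A17 normal": bootrom_blank_check(fresh, False),
        "fresh, A17 high": bootrom_blank_check(fresh, True),
        "main fw erased, A17 normal": bootrom_blank_check(erased, False),
        "main fw erased, A17 high": bootrom_blank_check(erased, True),
    }


if __name__ == "__main__":
    for a in CHECK_ADDRS:
        print(f"{a:#010x} ({region_of(a, False)}) -> "
              f"{effective_address(a, True):#010x} ({region_of(a, True)}) with A17 high")
    for name, passed in run_scenarios().items():
        print(f"{name:28s}: {'PASS' if passed else 'FAIL'}")
```

Only the last scenario passes: erasing the main firmware does nothing for the check while the reads still hit the protected region, and forcing A17 does nothing while the relocated words are still programmed. A check that wanted to resist this would have to verify the contents it reads (for example by hashing a known bootloader region) rather than testing for blankness at addresses whose decoding an external pin can change.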

Posted 2007-8-24 11:05
Good news!
Posted 2007-8-24 13:08
Posted 2007-8-24 17:22
The phone really is beautiful. If it weren't for the price, I think a lot of people would get one to play with.
Posted 2007-9-1 11:00

With the hardware modified, there's no way to get it repaired any more~

People abroad are impressive.
Posted 2007-9-24 23:37
What a powerhouse.