
George Hotz spent his summer hacking the iPhone, blew a hole through the Apple/AT&T carrier restriction and has single-handedly put the positive form of the word “hacker” in more popular media channels than I’ve ever before seen. Excellent!

The hack is brilliant:

Here's how the bootrom check works; it reads from 0xA0000030 0xA000A5A0 0xA0015C58 0xA0017370 and all these addresses must read as blank, or 0xFFFFFFFF. When you erase flash, it becomes 0xFFFFFFFF. But you can't erase those locations, because they are in the bootloader. So that's where the testpoint comes in. Pulling A17 high hardware OR's the address bus with 0x00040000 (offset by one because the data bus is 16 bit). So the bootrom instead checks locations 0xA0040030 0xA004A5A0 0xA0045C58 0xA0047370, which are in the main firmware and can be erased.
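To make the address-bus trick concrete, here is an added C model (not code from the post or from George Hotz's tools) that assumes a flash window at 0xA0000000, a bootloader in its first 0x20000 bytes and erasable main firmware above it; flash_erase, bus_address and bootrom_check are hypothetical names. It shows why the check is only as strong as the address path it reads through: the bootrom issues the same four reads, but with A17 forced high and the main firmware erased they all come back blank.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout for this model, not the real part: one flash window mapped
   at 0xA0000000, bootloader in the first 0x20000 bytes (erase refused),
   main firmware above it (erasable). */
#define FLASH_BASE 0xA0000000u
#define FLASH_SIZE 0x60000u
#define BOOT_END   0x20000u      /* bootloader occupies [0, BOOT_END) */
#define A17_MASK   0x00040000u   /* A17 on a 16-bit-wide bus = byte-address bit 18 */

static uint8_t flash[FLASH_SIZE];

/* The four addresses the bootrom reads, taken from the quoted post. */
static const uint32_t check_addrs[4] = {
    0xA0000030u, 0xA000A5A0u, 0xA0015C58u, 0xA0017370u
};

/* Model a programmed device: nothing is blank (0xFF) anywhere. */
void flash_init(void) { memset(flash, 0x5A, sizeof flash); }

/* Erase [lo, hi) to 0xFF. Returns -1 for out-of-window or bootloader ranges. */
int flash_erase(uint32_t lo, uint32_t hi) {
    if (lo < FLASH_BASE) return -1;
    uint32_t off_lo = lo - FLASH_BASE, off_hi = hi - FLASH_BASE;
    if (off_hi > FLASH_SIZE || off_lo >= off_hi) return -1;
    if (off_lo < BOOT_END) return -1;            /* bootloader is protected */
    memset(flash + off_lo, 0xFF, off_hi - off_lo);
    return 0;
}

/* What the flash sees: with the testpoint pulled high, A17 is OR'ed into
   every address the bootrom puts on the bus. */
uint32_t bus_address(uint32_t cpu_addr, int a17_high) {
    return a17_high ? (cpu_addr | A17_MASK) : cpu_addr;
}

static uint32_t flash_read32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, flash + (addr - FLASH_BASE), sizeof v);
    return v;
}

/* The bootrom's blank check: passes only if all four words read 0xFFFFFFFF. */
int bootrom_check(int a17_high) {
    for (int i = 0; i < 4; i++)
        if (flash_read32(bus_address(check_addrs[i], a17_high)) != 0xFFFFFFFFu)
            return 0;
    return 1;
}
```

A plain OR with 0x00040000 maps 0xA0015C58 to 0xA0055C58 and 0xA0017370 to 0xA0057370, not the 0xA0045C58 and 0xA0047370 quoted above, so one of the two address lists in the post carries a typo; in this model the remapped reads land in the erasable region either way.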

You’ll need to do a little tight soldering and get familiar with a hex editor. Engadget is reporting that there’s a working, though not released, all-software tool that will accomplish the same, but George’s hack can be done today, and there’s a full set of instructions on his blog.

Links:
New Jersey teen cracks iPhone network lock – [via Chris Hartgraves] Link
George Hotz’ iPhone unlocking HOWTO – Link
Engadget verifies iPhone software unlock utility – Link
iPhone unlocked using SIM cloning – Link