
Change IMEI on iPhone, ZiPhone and gunlock2/gunlock2.c

10/26/08 | by zveriu | Categories: On the web, Software, iPhone, Hack

At present, the only iPhone exploit software I have seen that supports IMEI change function is ZiPhone.

I wasn’t particularly interested in actually changing my IMEI, but rather in seeing how it is done.

First, I backed up my original IMEI (and everything else displayed in Settings->General->About) and then simply tried:

Code:

ziphone.exe -i 0101010101010101

The IMEI "0101010101010101" above is just an illustrative example; in practice I used a valid IMEI. You can also try searching for Advanced IMEI Generator.

After several retries it still didn’t work, and I wanted to see why. Basically, what I found in ziphone.cpp is that this command-line argument simply sends the following command to the zibri.dat ramdisk environment:

Code:

setenv imei 0101010101010101

The same result could be achieved by:

  • using iBooter and issuing the same command as above
  • running this command on your iPhone (in MobileTerminal, or over an SSH console such as PuTTY)

    Code:

    nvram imei="0101010101010101"

However, this (NVRAM or flash) is just a temporary location in the environment where the IMEI is stored and from which it is read by the subsequent phases of the ZiPhone ramdisk.

So this is why just using the "-i 0101010101010101" command is not enough for changing the IMEI (or is it because my iPhone was already unlocked and subsequent phases

Now, the ZiPhone ramdisk has a profile.sh script, which mainly does this:

Code:

#if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "Unlock pass 1..."; /zib/gunlock2 /zib/secpack /zib/ICE04.02.13_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`; fi
#if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "Unlock pass 2..."; /zib/gunlock3 /zib/secpack /zib/ICE04.03.13_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`; fi
if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "Unlocking 114..."; /zib/gunlock4 /zib/secpack114 /zib/ICE04.04.05_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`; fi

It has 3 gunlock files, which are likely modifications of geohot’s gunlock.c, but without any source distributed (Zibree: gunlock.c was released by geohot under the GPL, so release the sources!)

  • gunlock2 - is likely the gunlock for OTB 4.6 1.1.2 (gets ICE04.02.13_G.fls), modified to support the IMEI change feature
  • gunlock3 - is likely the gunlock for OTB 4.6 1.1.3 (gets ICE04.03.13_G.fls), modified to support the IMEI change feature
  • gunlock4 - is likely the gunlock for OTB 4.6 1.1.4 (gets ICE04.04.05_G.fls and secpack114), modified to support the IMEI change feature

I have an iPhone OTB 1.1.2 with BL 4.6, and it was unlocked by geohot’s original gunlock (using the iClarified tutorial and repository, even though it can be done manually given you have the gunlock binary - see the attached zip archive), so I was interested first in gunlock2 and the gunlock2.c source code (which is nowhere to be found; Zibree, release the GPLed sources!)

I spent one day and got an approximation of gunlock2.c by reverse engineering it and comparing it side by side with gunlock.c. Happily, gunlock2.c (and perhaps gunlock3.c and gunlock4.c) is based on geohot’s original gunlock.c and is not modified very much, so execution blocks and logic can be compared even in disassembled views.

Basically, for 1.1.2 OTB BL 4.6 the steps to change the IMEI without ZiPhone would be (use at your OWN risk and responsibility, since gunlock2, as stated in gunlock2_zveriu_RevEng.c, has potential problems):

  1. Get the gunlock2 binary (either from the ZiPhone zibri.dat ramdisk, or from the archive below)
  2. Get ICE04.02.13_G.fls (either from the ZiPhone zibri.dat ramdisk, or from Georghe Zhu’s baseband page)
  3. Get the secpack for 1.1.2 (either from the ZiPhone zibri.dat ramdisk, or from Georghe Zhu’s secpack page)
  4. Put the files gunlock2, ICE04.02.13_G.fls and secpack into your iPhone’s /usr/bin and then:

    Code:

    /bin/chmod 777 /usr/bin/gunlock2
    /bin/chmod 777 /usr/bin/ICE04.02.13_G.fls
    /bin/chmod 777 /usr/bin/secpack
    /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
    /bin/sleep 5
    /usr/bin/gunlock2 /usr/bin/secpack /usr/bin/ICE04.02.13_G.fls <16digitsIMEI>
    /bin/sleep 10
    /bin/launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  5. NOTE: if your IMEI is 15 digits long, prefix it with a 0. Example: if your IMEI is 987654321012345, you should pass it as 0987654321012345 (at least in Zibree’s gunlock2/gunlock3/gunlock4 implementations)

Download gunlock2 files here

WARNING: Changing the IMEI is illegal (at least the claims are like this - learn your country's LEGALese language) in many countries. Check whether your country considers you "eligible" too. Do this at your own risk. I am not responsible for what you do with the IMEI of your phones/iPhones.

TAGS: iPhone, IMEI, change iPhone IMEI, gunlock2, gunlock2 source code, gunlock2.c, gunlock3, gunlock3 source code, gunlock3.c, gunlock4, gunlock4 source code, gunlock4.c, ZiPhone, Zibree, ZiPhone IMEI, Ziphone IMEI change, zibri.dat, gunlock IMEI change
