Change IMEI on iPhone, ZiPhone and gunlock2/gunlock2.c

10/26/08 | by zveriu | Categories: On the web, Software, iPhone, Hack

At present, the only iPhone exploit software I have seen that supports an IMEI change function is ZiPhone.

I wasn’t particularly interested in actually changing my IMEI, but rather in seeing how it is done.

First, I backed up my original IMEI (and everything else displayed in Settings->General->About) and then simply tried:

Code:

ziphone.exe -i 0101010101010101

The IMEI “0101010101010101” above is just an illustrative example; in practice I used a valid IMEI. You can also try searching for Advanced IMEI Generator.

After several retries it still didn’t work, and I wanted to see why. What I found in ziphone.cpp is that this command-line argument simply sends the following command to the zibri.dat ramdisk environment:

Code:

setenv imei 0101010101010101

The same result could be achieved by:

  • using iBooter and issuing the same command as above
  • running this command on your iPhone (in MobileTerminal, or over SSH using for example PuTTY):

    Code:

    nvram imei="0101010101010101"

However, this (NVRAM or flash) is just a temporary location in the environment where the IMEI is stored and from which it is read by the subsequent phases of the ZiPhone ramdisk.

So this is why just using the “-i 0101010101010101” option is not enough to change the IMEI (or is it because my iPhone was already unlocked and subsequent phases

Now, the ZiPhone ramdisk has a profile.sh script, which mainly does this:

Code:

#if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "Unlock pass 1..."; /zib/gunlock2 /zib/secpack /zib/ICE04.02.13_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`; fi
#if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "Unlock pass 2..."; /zib/gunlock3 /zib/secpack /zib/ICE04.03.13_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`; fi
if [ "`/usr/bin/nvram unlock 2>/dev/null|/bin/cut -f 2`" == "1" ] ; then /bin/echo "Unlocking 114..."; /zib/gunlock4 /zib/secpack114 /zib/ICE04.04.05_G.fls `/usr/bin/nvram imei 2>/dev/null|/bin/cut -f 2`; fi

It has 3 gunlock files, which are likely modifications of geohot’s gunlock.c, but no source is distributed with them (Zibree: gunlock.c was released by geohot under the GPL; release the sources!)

  • gunlock2 - likely the gunlock for OTB 4.6 1.1.2 (takes ICE04.02.13_G.fls), modified to support the IMEI change feature
  • gunlock3 - likely the gunlock for OTB 4.6 1.1.3 (takes ICE04.03.13_G.fls), modified to support the IMEI change feature
  • gunlock4 - likely the gunlock for OTB 4.6 1.1.4 (takes ICE04.04.05_G.fls and secpack114), modified to support the IMEI change feature

I have an OTB 1.1.2 iPhone with BL 4.6, and it was unlocked by geohot’s original gunlock (using the iClarified tutorial and repository, even though it can be done manually given you have the gunlock binary; see the attached zip archive), so I was interested first in gunlock2 and the gunlock2.c source code (which is nowhere to be found; Zibree, release the GPLed sources!)

I spent one day and got an approximation of gunlock2.c by reverse engineering the binary and comparing it side by side with gunlock.c. Happily, gunlock2 (and perhaps gunlock3 and gunlock4) is based on geohot’s original gunlock.c and is not heavily modified, so execution blocks and logic can be compared even in disassembled views.

Basically, for 1.1.2 OTB BL 4.6 the steps to change the IMEI without ZiPhone would be (use at your OWN risk and responsibility, since gunlock2, as stated in gunlock2_zveriu_RevEng.c, has potential problems):

  1. Get the gunlock2 binary (either from the ZiPhone zibri.dat ramdisk or from the archive below)
  2. Get ICE04.02.13_G.fls (either from the ZiPhone zibri.dat ramdisk or from Georghe Zhu’s baseband page)
  3. Get the secpack for 1.1.2 (either from the ZiPhone zibri.dat ramdisk or from Georghe Zhu’s secpack page)
  4. Put the files gunlock2, ICE04.02.13_G.fls and secpack into your iPhone’s /usr/bin and then:

    Code:

    /bin/chmod 777 /usr/bin/gunlock2
    /bin/chmod 777 /usr/bin/ICE04.02.13_G.fls
    /bin/chmod 777 /usr/bin/secpack
    /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
    /bin/sleep 5
    /usr/bin/gunlock2 /usr/bin/secpack /usr/bin/ICE04.02.13_G.fls <16digitsIMEI>
    /bin/sleep 10
    /bin/launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  5. NOTE: if your IMEI is 15 digits long, prefix it with a 0. Example: if your IMEI is 987654321012345, you should pass it as 0987654321012345 (at least in Zibree’s gunlock2/gunlock3/gunlock4 implementations)

Download gunlock2 files here

WARNING: Changing the IMEI is illegal (at least the claims are like this; learn your country’s LEGALese language) in many countries. Check whether your country makes you “eligible” too. Do this at your own risk. I am not responsible for what you do with the IMEI of your phones/iPhones.

Comments, Pingbacks:

Comment from: Agilurso [Visitor]
Would this method likely work for iPhone O.S. 3.0 once the baseband file/secpack is available, or would an updated gunlock2 binary probably be necessary? I'd imagine 04.28.06 will be made available very soon.
Permalink 06/25/09 @ 11:09

Comment from: zveriu [Member] · http://www.andreicostin.com
Really - don't know yet. Need to grab a 3G or 3GS to play around in order to find out.
Permalink 07/20/09 @ 00:41

Comment from: King [Visitor]
Hi

Have you found any way to change the IMEI yet?
Permalink 07/29/09 @ 15:34

Comment from: zootcool [Visitor] · http://www.zootcool.pe.kr
Hi, is this method possible for iPhone 3G? I desperately need to change the IMEI code, not for hacking but for using the iPhone in S. Korea. Please help me..
Permalink 08/05/09 @ 16:24

Comment from: zveriu [Member] · http://www.andreicostin.com
@King, @zootcool:

Really - don't know yet. Need to grab a 3G or 3GS to play around in order to find out.
Permalink 08/06/09 @ 16:44

Comment from: Jay [Visitor]
Hi, I was wondering if you'd had a chance to play around with a 3G as yet and managed to get this to work??
Regards,
Jay
Permalink 09/03/09 @ 04:30

Comment from: www.englandpokerplayers.co.uk/ [Visitor]
I was searching on the web for the same thing, found it, but couldn’t figure out how to run it. I did have problems with this, so please solve my problem..
Permalink 01/05/10 @ 15:41

Comment from: Houston apartment locator [Visitor]
I am still up in the air about jailbreaking my phone, but I think in the end I will have to do it, because not using its full potential would be really annoying.
Permalink 01/09/10 @ 00:34

Comment from: learningdavid [Visitor]
Wow... great information, but I am afraid to jailbreak my phone.
Permalink 02/08/10 @ 17:43

Comment from: College Research Papers [Visitor]
This is a fantastic presentation! Great series. A bit out of my league, but I’m learning stuff each step of the way.
Permalink 02/23/10 @ 11:09

Comment from: web design london [Visitor]
Hello, has this method worked on iPhone 3GS?
Permalink 05/05/10 @ 12:06

Comment from: zveriu [Member] · http://www.andreicostin.com
@web design london:
Don't know, since I never had an iPhone 3GS to try it out. No one reported back either.
Permalink 05/05/10 @ 14:51

Comment from: James Edward [Visitor]
Is this method possible for iPhone 3G?
Permalink 08/04/10 @ 20:14
