The iPhone VirginMaker (LONG WAY)

THESE STEPS WORK ONLY ON 1.0.2 PHONES THAT WERE UNLOCKED WITH ANYSIM OR iUNLOCK

Thanks to gray for reversing the iPhone crypto; without him this server wouldn't work.
Thanks to IPSF for writing a really well designed piece of software,
and thanks to everyone who gave me seczones to play with.
(revised by sunnyDlite)


Instructions

Files you need, and files you might need if something goes wrong:

Revirginizer files
(contains bbupdater, iUnlock, 314secpack, 314fls_correct, eeprom.eep, geomaker.exe, SimFree.app and
a readme.txt that is older, and not as helpful as the one you are reading now)

Baseband (Needed for Flashing the Baseband)
(this package includes ICE03.14.08_G.eep, ICE03.14.08_G.fls)

Apptap
http://iphone.nullriver.com/beta/

Transmit (Needed to SFTP into the iPhone)
http://www.panic.com/transmit/

Terminal (already installed in OS X, you don't need to download it)


PREPARING FOR VIRGINIZING
0. Flash the 1.0.2 Baseband (for folks with and without WiFi)

If you have unlocked a 1.0.2 phone, you need to flash the baseband (modem) first. AnySim and iUnlock modify the baseband by writing code to it, and an iTunes restore does not update the baseband when you restore to the same firmware version. Re-flashing writes a clean 1.0.2 baseband to the phone that the virginizing steps below can work on.
Please note, however, that YOU CANNOT flash a 1.0.2 baseband if you have already updated to 1.1.1.


USING WiFi (For Mac)
a. Install AppTap using the installer you downloaded.
b. On the phone, run the Installer app and get Community Sources, BSD Subsystem, and OpenSSH.
(These packages let you SSH into the phone using Terminal, and add files with Transmit.)
c. Using Terminal, SSH to the phone by typing "ssh -l root x.x.x.x", using the phone's IP address for the x's.
The password is "dottie".
d. Using Transmit, SFTP to the phone (user "root", password "dottie").
Create a folder called "flash" and upload bbupdater, ICE03.14.08_G.eep, and ICE03.14.08_G.fls into it.
e. In Terminal, stop the phone's radio daemon so it does not talk to the baseband while you flash it:
type "launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist"
(the -w flag makes the change persist across reboots; re-enable it later with "launchctl load -w" and the same plist)
f. In Terminal, type "cd /flash" then hit enter.
g. In Terminal, type "chmod +x bbupdater" and hit enter.
h. Then type "./bbupdater -f ICE03.14.08_G.fls -e ICE03.14.08_G.eep" and hit enter (in /flash, "./bbupdater -f *.fls -e *.eep" expands to the same command).
CONGRATS, YOUR BASEBAND IS NOW FLASHED. GO TO STEP 1 OF VIRGINIZING.



VIRGINIZING STEPS
1. Download IPSF; the version doesn't really matter (or use the one in the virginizer pack).
a. Using Transmit, upload SimFree.app to /Applications.
b. Using Terminal, cd into the SimFree.app directory (/Applications/SimFree.app).
c. Then run "chmod +x bbsimfree kill rm sh".

2. In iPhone Settings, change the DNS server in the Wi-Fi settings to 216.252.80.8 (required: the procedure depends on IPSF's request being answered by the server used in step 4). Change it back when you are done.

3. Run IPSF. It won't work unless the baseband flash is original, so flash it with bbupdater first (step 0); the firmware version doesn't matter.
a. It will say "invalid token" / "error update token"; this is normal.
b. If it says something else, that isn't normal.

4. After IPSF finishes, go to http://kakaroto.homelinux.net/seczones/(your imei).bin
a. Use your real IMEI, not 0049..., for example http://kakaroto.homelinux.net/seczones/011245000012345.bin
b. This file is your restored seczone; at the time of writing it is 4096 bytes. If the file is missing or a different size, do not continue.

5. geohot's original gloader contained a bug which prevented it from working.
geomaker generates a loader personalised to your seczone instead.
In Terminal, type "geomaker 011245000012345.bin" (with your own .bin file);
you will receive "011245000012345.bin_loader" - THAT IS YOUR LOADER.

6. Now restore the seczone. The remaining instructions apply only to firmware 1.0.2,
and assume that you installed the BSD Subsystem and OpenSSH packages.

Using Transmit, SFTP the following files to your iPhone (best to make a directory for them, such as /usr/u):
314fls_correct, 314secpack, eeprom.eep,
bbupdater, iUnlock, 011245000012345.bin_loader (not the .bin from the server, but the generated loader)

Using Terminal, SSH into the phone, then:
cd /usr/u
chmod +x bbupdater
chmod +x iUnlock

Now execute
/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist

That unloads CommCenter so it does not talk to the baseband while you write to it.

Now execute
./iUnlock 314secpack 011245000012345.bin_loader

That writes the seczone loader to the phone.

Now execute
./bbupdater -v

YOU WILL GET AN ERROR ("baseband unresponsive to pinging" in the output below; older versions print "CAN'T PING TARGET"). THAT IS NORMAL!!!! The loader, not the modem firmware, is running at this point; WHAT MATTERS IS THAT THE SECLOADER RUNS AND RESTORES THE SECZONE.

To be sure, execute ./bbupdater -v again.

Next, write the patched firmware to the phone:

./iUnlock 314secpack 314fls_correct

Now execute
./bbupdater -v

It MUST show the correct version (firmware: DEV_ICE_MODEM_03.14.08_G, as in the example output below). If it does not, stop here and do not write the EEPROM.

And finally, just to be sure:

execute
./bbupdater -e eeprom.eep

That writes the correct EEPROM.

Now execute
/bin/launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist
(if you unloaded CommCenter with -w in step 0, use "launchctl load -w" so it is re-enabled across reboots)

OR
reboot your phone now - it is VIRGIN and UNLOCKED with gray's "ignore mnc/mcc" method (used in anysim11).

Thanks go to geohot for the server, and to gray for all the research and code.
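The step 4 file check and the step 6 sequence as one shell script, added here as an example; it is not part of the readme, the virginizer pack or the dev team's tools. It assumes it is run on the phone from the directory holding the files (/usr/u above), that the tool names and arguments are exactly as given in the steps, and that the expected firmware string is the one in the example output below (DEV_ICE_MODEM_03.14.08_G). The function names check_seczone, bb_state and revirginize are my own. The point of wrapping the steps is that each bbupdater -v result is checked before the next flash write, so a wrong state stops the script instead of being written over.

```shell
#!/bin/sh
# Added example, not from the readme or the dev team's tools: wraps the step 4b
# check and the step 6 sequence in functions that stop at the first failed
# check instead of carrying on to the next flash write.
# Assumptions (mine): run from the directory holding the files (/usr/u in the
# readme); tool names and arguments are exactly as the readme gives them; the
# expected firmware string is the one in the readme's example output.

EXPECTED_FW="DEV_ICE_MODEM_03.14.08_G"
COMMCENTER=/System/Library/LaunchDaemons/com.apple.CommCenter.plist

# Step 4: the downloaded seczone must be named after the real 15-digit IMEI
# (not the 0049... placeholder) and be exactly 4096 bytes.
check_seczone() {
    f=$1
    base=${f##*/}
    imei=${base%.bin}
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    case "$imei" in
        0049*) echo "seczone is named for the 0049 placeholder, use your real IMEI" >&2; return 1 ;;
        *[!0-9]*|"") echo "seczone name is not an IMEI: $base" >&2; return 1 ;;
    esac
    [ "${#imei}" -eq 15 ] || { echo "IMEI must be 15 digits: $imei" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 4096 ] || { echo "seczone is $size bytes, expected 4096" >&2; return 1; }
}

# Classify `bbupdater -v` output read on stdin. Prints one word:
#   unresponsive  - "baseband unresponsive to pinging" (normal right after the
#                   seczone loader is written: the loader, not the modem
#                   firmware, is running)
#   ok            - a "firmware:" line matching EXPECTED_FW
#   wrong:<fw>    - a "firmware:" line with some other version
#   unknown       - neither
bb_state() {
    awk -v want="$EXPECTED_FW" '
        /baseband unresponsive to pinging/ { state = "unresponsive" }
        /^firmware: /                      { state = ($2 == want) ? "ok" : "wrong:" $2 }
        END { if (state == "") state = "unknown"; print state }'
}

bb_version_state() {
    ./bbupdater -v 2>&1 | bb_state
}

# Step 6 end to end. $1 is the IMEI.bin_loader produced by geomaker.
revirginize() {
    loader=$1
    for f in 314secpack 314fls_correct eeprom.eep bbupdater iUnlock "$loader"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    chmod +x bbupdater iUnlock
    /bin/launchctl unload "$COMMCENTER"
    ./iUnlock 314secpack "$loader" || return 1
    # Run -v twice, as the readme does; "unresponsive" is the expected state here.
    bb_version_state >/dev/null
    s=$(bb_version_state)
    [ "$s" = unresponsive ] || { echo "unexpected state after loader: $s" >&2; return 1; }
    ./iUnlock 314secpack 314fls_correct || return 1
    s=$(bb_version_state)
    [ "$s" = ok ] || { echo "firmware is not $EXPECTED_FW after write, not touching EEPROM: $s" >&2; return 1; }
    ./bbupdater -e eeprom.eep || return 1
    s=$(bb_version_state)
    [ "$s" = ok ] || { echo "firmware check failed after EEPROM write: $s" >&2; return 1; }
    /bin/launchctl load "$COMMCENTER"
}

# Usage: sh revirgin.sh check 011245000012345.bin
#        sh revirgin.sh run   011245000012345.bin_loader
case "${1:-}" in
    check) check_seczone "$2" ;;
    run)   revirginize "$2" ;;
esac
```

bb_state only reads text, so it can be tried against the example output at the end of this readme before anything is flashed: the two runs after the loader classify as "unresponsive" and the runs after 314fls_correct and eeprom.eep as "ok".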


Disclaimer:
Your ltoken/seczone are being saved to this server.
These could contain personal information.
This is a test server; it will be taken down and all the info deleted this Monday.
The source of the server will be released then.


EXAMPLE OUTPUT of the whole process on the iPhone:

Using username "root".
root@192.168.3.3's password:
# cd /usr/u
# chmod +x *
# ls
000000000000000.bin_loader 314secpack eeprom.eep
314fls_correct bbupdater iUnlock
# /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
# ./iUnlock 314secpack 000000000000000.bin_loader
iUnlock v43.hiBaud -- Copyright 2007 The dev team


Credits: Daeken, Darkmen, guest184, gray, iZsh, pytey, roxfan, Sam, uns, Zappaz, Zf

Sending baudrate command speed 921600
Sending Begin Secpack command
Sending Erase command
Waiting For Erase Completion...
OK
Flashing
20%
40%
61%
81%
OK
Sending End Secpack command
Validating the write command
FW are equal!
Completed.
Enjoy!
# ./bbupdater -v
Resetting target...
pinging the baseband...
baseband unresponsive to pinging
Done
# ./bbupdater -v
Resetting target...
pinging the baseband...
baseband unresponsive to pinging
Done
# ./iUnlock 314secpack 314fls_correct
iUnlock v43.hiBaud -- Copyright 2007 The dev team


Credits: Daeken, Darkmen, guest184, gray, iZsh, pytey, roxfan, Sam, uns, Zappaz, Zf

Sending baudrate command speed 921600
Sending Begin Secpack command
Sending Erase command
Waiting For Erase Completion...
OK
Flashing
01%
02%
03%
04%
05%
06%
07%
08%
09%
10%
11%
12%
13%
14%
15%
16%
17%
18%
19%
20%
21%
22%
23%
24%
25%
26%
27%
28%
29%
30%
31%
32%
33%
34%
35%
36%
37%
38%
39%
40%
41%
42%
43%
44%
45%
46%
47%
48%
49%
50%
51%
52%
53%
54%
55%
56%
57%
58%
59%
60%
61%
62%
63%
64%
65%
66%
67%
68%
69%
70%
71%
72%
73%
74%
75%
76%
77%
78%
79%
80%
81%
82%
83%
84%
85%
86%
87%
88%
89%
90%
91%
92%
93%
94%
95%
96%
97%
98%
99%
OK
Sending End Secpack command
Validating the write command
FW are equal!
Completed.
Enjoy!
# ./bbupdater -v
Resetting target...
pinging the baseband...
issuing +xgendata...
firmware: DEV_ICE_MODEM_03.14.08_G
eep version: EEP_VERSION:207
eep revision: EEP_REVISION:7
bootloader: BOOTLOADER_VERSION:3.9_M3S2
Done
# ./bbupdater -e eeprom.eep
Preparing to flash using /dev/tty.baseband at 750000 baud
Please reset target
Resetting target...
ProcessDetailUpdated: Boot-loader is active
ProcessDetailUpdated: EBL version: 3.9_M3S2 3..9
ProcessDetailUpdated: Boot mode is: CC
ProcessDetailUpdated: Baud rate set to 750000
ProcessDetailUpdated: Get flash id.
ProcessDetailUpdated: CFI stage 1
ProcessDetailUpdated: Flash ID is: 88620089
ProcessDetailUpdated: CFI stage 2
ProcessDetailUpdated: Boot process finished
ProcessOutlineUpdated: Reading SW version data
Error: couldn't retrieve version information: File not found.
Upgrade from è?û/ to ôö/
Downloading EEP
ProcessOutlineUpdated: Start downloading from file eeprom.eep.
ProcessDetailUpdated: Sending sec-pack.
ProcessDetailUpdated: Load region 0
ProcessDetailUpdated: Sending end-pack.
ProcessDetailUpdated: Checksum OK.
ProcessDetailUpdated: Verify OK
ProcessOutlineUpdated: Process time was 1730 msec.
Resetting target...
Done
# ./bbupdater -v
Resetting target...
pinging the baseband...
issuing +xgendata...
firmware: DEV_ICE_MODEM_03.14.08_G
eep version: EEP_VERSION:207
eep revision: EEP_REVISION:7
bootloader: BOOTLOADER_VERSION:3.9_M3S2
Done
# /sbin/reboot