January 15, 2025

iPhone Unlocking Secret Revealed

The iPhone unlocking story took its next logical turn this week, with the release of a free iPhone unlocking program. Previously, unlocking required buying a commercial program or following a scary sequence of documented hardware and software tweaks.

How this happened is interesting in itself. (Caveat: This is based on the stories I’m hearing; I haven’t confirmed it all myself.) The biggest technical barrier to a software-only unlock procedure was figuring out how the unlocking program, once installed on the iPhone, could modify the machine’s innermost configuration information – something that Apple’s iPhone operating system software was trying to prevent. A company called iPhoneSimFree figured out a way to do this, and used it to develop easy-to-use iPhone unlocking software, which they started selling.

Somebody bought a copy of the iPhoneSimFree software and reverse engineered it, to figure out how it could get at the iPhone’s internal configuration. The trick, once discovered, was easy to replicate, which eliminated the last remaining barrier to the development and release of free iPhone unlocking software.

It’s a commonplace in computer security that physical control over a device can almost always be leveraged to control it. (This iceberg has sunk many DRM Titanics.) This principle was the basis for iPhoneSimFree’s business model – helping users control their iPhones – but it boomeranged on them when a reverse engineer applied the same principle to iPhoneSimFree’s own product. Once the secret was out, anyone could make iPhone unlocking software, and the price of that software would inevitably be driven down to its marginal cost of zero.

Intellectual property law had little to offer iPhoneSimFree. The trick turned out to be a fact about how Apple’s software worked – not copyrightable by iPhoneSimFree, and not patentable in practice. Trade secret law didn’t help either, because trade secrets are not shielded against reverse engineering (for good reason). They could have attached a license agreement to their product, making customers promise not to reverse engineer it, but that would not have been effective either. And it might not have been the smartest thing to rely on, given that their own product was surely based on reverse engineering of the iPhone.

Now that the unlocking software is out, the ball is in Apple’s court. Will they try to cram the toothpaste back into the tube? Will they object publicly but accept that the iPhone unlocking battle is essentially over? Will they try to play another round, by modifying the iPhone software? Apple tends to be clever about these things, so their strategy, whatever it is, will have something to teach us.

Comments

  1. If you want to Buy Unlocked iPhone 3G then BuyUnlockediPhone3G.com is the site for you. We supply unlocked 8gb and 16gb iPhones, brand new ready to purchase and ship worldwide.

  2. Great post,
    Thanks for the great info guys.

  3. Michael Donnelly says

    This should be very exciting to see what happens in Europe now, where the competition for GSM service is much greater than North America.

    Clearly, the gouge of paying full retail for a phone *AND* locking into a contract will not fly. The contract lock-in is there to subsidize the phone, so the carriers can sell locked phones on the cheap. The approach by AT&T and Apple in USA was a bit much.

    So if Apple goes into an exclusive with T-Mobile or Vodafone or any other firm, what’s the incentive? If the phone is retail price with a contract, people will simply unlock a phone and use it with their existing providers. If the phone is cheaper and subsidized by the contract, then you’ll have a nightmare of cheap unlocked phones floating around.

    This is all assuming that the unlock cannot be somehow prevented, which is a very safe assumption. The folks working on the phone are very talented reversers and there is a great deal of incentive out there for them to continue. I don’t believe it’s technically possible to keep that device locked while you put it in the hands of an attacker. As Ed mentioned, it’s a problem similar to (although not exactly the same as) DRM.

    Any way you cut it, there are lost dollars for Apple on the carrier side. Of course, they probably expected this to happen – and there is a big opportunity on the pure sales of the device now, since they suddenly have a huge number of potential device customers. If the margin is enough and Steve’s distaste for AT&T is real, I wouldn’t be surprised if they just let it roll and keep shipping the phones.

    I know I would.

  4. Actually, it’s most likely iPhoneSimFree themselves used the code of the dev team’s NOR dumper to talk to the baseband’s bootloader. After the dev team got their binaries, they quickly discovered the way iPhoneSimFree’s app patches the firmware – this approach was considered before but not tried due to the possibility of bricking the phone.

  5. I R A Darth Aggie says

    Apple tends to be clever about these things, so their strategy, whatever it is, will have something to teach us.

    I’m sure they’ll employ a two prong strategy: a forced iPhone update, followed by additional legal intimidation.

  6. Mike Schiraldi says

    Your link to iphone.fiveforty.net has a big banner message specifically asking people not to link to it. It’d probably be good netizenship to disable the link.

    That said, I’m reading through the wiki trying to find the part where they explain iPhoneSimFree’s big innovation / discovery. Anybody got a link? 🙂

  7. If anybody has a real technical description of how the unlocking works I would like to know. The source code is available but it is uncommented and difficult to decipher, especially without knowing what the offsets correspond to.

  8. I think the iPhone unlocking community was so quick to reverse engineer this software because it used many tactics that had been developed and shared freely with everyone. Making everyone pay because you solved a small part of the equation would be greedy. iPhoneSimFree had it coming to them and they should have expected this type of response.

  9. I heard that the software relies on a buffer overflow (http://daringfireball.net/linked/2007/september#wed-12-free_unlock). As Gruber says, if true, Apple will release an update squashing this bug.