George Hotz (alias Geohot) has released yet another tool for the iPhone 3GS. As most of you probably know, he was the first one to release a semi-jailbreak for the iPhone 3GS, Purplera1n, followed by the Dev-Team’s release of an improved version of Redsn0w, compatible with the iPhone 3GS. The Dev-Team had also released Ultrasn0w as a jailbreak tool for the 3GS. Geohot has released his own version of the unlock, named Purplesn0w. He claims it’s better overall than Ultrasn0w with fewer problems.
Quote (via Geohot’s Blog):
Wifi fails? Battery fails? Unlock fails? You need purplesn0w, the geohot 3GS unlock solution. Now I know you here a lot about different colors of sn0w, but I’m here to tell you why purplesn0w is the best. First off, what is purplesn0w? It’s a soft unlock for your 3GS that I’d actually use day to day. It’s not a daemon that takes any resources, and it doesn’t add a task to your baseband. It’s very close to a true unlock. All it does is patch three files, CommCenter, lockdownd, and your wildcard activation plist(which you need, activate w at&t sim first, no hacktivation support yet). That’s it, no other files are installed. Props to Oranav for the at+xlog exploit!
A full explanation is coming soon, but I think you clever reversers out there will see what it does, and see why it’s so pristine The payload is radically different from other varieties of sn0w. beta as usual, back up first.
Be sure to have legit activated 3GS
Disable 3G if you don’t have it(like T-Mobile).
Add apt.geohot.com to Cydia
Watch for success output in Cydia
Reboot, and enjoy your unlocked iPhone
About a year ago today, I found the at+stkprof exploit. Back then, I struggled for 3 days to write a payload. No luck, I just wasn’t a good enough reverser. So I stashed the exploit away until December, when I gave it to dev for use in yellowsn0w.
Now a year later, I wrote a payload and delivery system in a day. And it’s an awesome payload. Ideally we’d like to patch the lock out of flash, but with the apparently proper sig checks, that isn’t going to happen. So purplesn0w is the next best thing. I copy the page I want to patch to an unused region of memory. In memory I patch it. Then, using the MMU, I map the flash page out and remap the patched memory page in it’s place.
No new iPhones are really unlocked, activation creates a ticket allowing the baseband to be used with that sim. The lockstate of the phone really lies on apples servers. Unlocked is auth all sims. Locked is auth AT&T sims only. Fortunately this ticket system provides an easy way to deliver the payload and reexecute the patched code all in one. And since the ticket is already delivered on baseband resets, theres no need to write another daemon to hog battery. I use the daemon already designed for this, lockdownd. A patch to commcenter gets it to run the payload on ticket delivery. And a patch to your activation record contains the payload. So using existing apple machinery, I unlock when needed.
In retrospect, I should’ve just patched commcenter to send the payload. Then hacktivation would work no problem. Oh well, tomorrow is another day. I’ll add hacktivation support then.
Here is the source. And I mean all of it.