Download: ultrasn0w v0.9 hack to unlock iPhone 3G / 3GS (firmware v3.0)

The iPhone Dev Team have released a new v0.9 version of ultrasn0w, their free unlock hack for iPhone 3G/3GS devices.

Here’s what it can do, according to the Dev Team:

* Works on both 3G and 3GS
* Works on hacktivated devices
* Works regardless of how you jailbroke your device
* Doesn’t patch any mach-o binary whatsoever. (Doesn’t require a separate patch as each new firmware comes out).
* Doesn’t install any additional daemon
* Has no race conditions, no popups about “Missing SIM”, no network issues
* Is almost 7000 times smaller than its nearest competition
* Is available now via Cydia. Source repo is http://repo666.ultrasn0w.com (that last “0” in ultrasn0w is a zero!)

To run this program you need to download it via Cydia, which means that first you need to jailbreak your iPhone 3G/3GS and install this program. You can do that using the latest version (v0.8) of redsn0w (which you can download here).

UPDATE: There’s some new tips from the iPhone Dev Team regarding Ultrasn0w, check them out here.

Also some additional notes from the iPhone Dev Team can be found below.

Installation instructions:
1. Ensure you have upgraded to iPhone OS v3.0 (only if you’re an iPhone 3G owner — iPhone 3GS owners already have v3.0 installed by default so they skip this step and go directly to #2).
2. Jailbreak your iPhone 3G using redsn0w. Make sure you’ve installed Cydia while doing that.
3. Run Cydia in Hacker mode on your iPhone.
4. Add the repo repo666.ultrasn0w.com to your sources list. That last “o” is actually the number zero “0”! If you use the letter “o” you’ll get an error.
5. Search for ‘ultrasn0w’ in cydia and install it (once again, that “o” is actually a “0″ = zero)
6. Reboot your iPhone
7. T-Mobile USA users should disable 3G before using ultrasn0w
8. Enjoy

ADDITIONAL NOTES FROM THE IPHONE DEV TEAM:

Long version:

The day before yesterday, some fellow named geohot released a program called “purplesn0w” which claims to be a better unlock than our ultrasn0w unlock released last month, and our yellowsn0w unlock released 7 months ago. He was kind enough to provide source, which we naturally took apart to try to validate his claims.

We’ve found he had come up with two pretty neat ideas, one more pragmatic than the other for the iPhone. The first is a way of patching the actual text of the baseband code by copying it over to RAM and then using the MMU and page tables to have the baseband pretend it is part of the original bootrom. Of course, like yellowsn0w and ultrasn0w, this code has to be reloaded with every reboot of the baseband. However, the advantage of this is that developing unlocking payloads is a lot simpler… in fact, geohot used the same payload in AnySim and BootNeuter. We kicked around this idea ourselves before, but eventually found a work-around for the same problem with the yellowsn0w/ultrasn0w payload. The two pieces of code have the exact same effect on the baseband… with the difference that geohot’s exploit overwrites an arbitrary block of memory one megabyte in size. The baseband has a total of eight megabytes of memory and every bit of it is earmarked for use (except for 485212 bytes of it which we haven’t accounted for yet, but that’s still less than 1 MB). This means that eventually the area of memory geohot is using will be corrupted and 1 MB of baseband code will be corrupted (until the next reboot). How soon will this happen? Will it even matter in day-to-day use? We don’t know, because we haven’t spent much time looking. However, why take the risk when the yellowsn0w/ultrasn0w payload accomplishes the same job with no corruption?

To put it into perspective, ultrasn0w uses 152 bytes of properly malloc’d baseband RAM, which is 0.015% of what purplesn0w uses. Put another way, purplesn0w uses 6900 times more RAM than ultrasn0w (and doesn’t let the O/S know that it’s using it, so the O/S still thinks it’s free to use. When it does use it, the baseband will crash).

Now, the second new idea he had was to patch CommCenter rather than use a daemon. At first, this idea seemed pretty distasteful to us. Binary patches are messy and difficult to maintain (we figure it’s partly why he only made a version for 3G S and not 3G as well). In addition, the stated reason of reduced battery life with a daemon is factually incorrect, since any computer science student who’s taken a course in operating systems will tell you that a sleeping task takes up exactly NO CPU resources and NO power (it’s merely skipped over during context switches). That’s right: not “only a little” power, but absolutely NO power. However, ultrasn0w 0.6 did have a problem where the STK refresh command it used crashed the baseband in 3G S. This caused the baseband to continually come up and then restart. That DOES take power and so may explain the issues that people have been seeing. ultrasn0w 0.8 was supposed to have fixed this issue, but perhaps not completely. This is because the STK refreshes we used are inherently unreliable… but we thought they were necessary to avoid people having to reinsert their SIM. Turns out we were wrong on that score. geohot’s method shows that we can perform the unlock before CommCenter polls for lock state. When we do it before (instead of after), the STK refreshs are no longer necessary! The only way to do it before the polling, however, is to modify CommCenter.

We’ve tried to make the best of a bad situation by using MobileSubstrate to perform the modification. This lets us modify the behavior of CommCenter without touching the actual binary. We also used a method to dynamically locate the patch location so that it should work on both 3G and 3G S (and should need to be updated less frequently). We also do it in a different way so that hactivated phones will work with the unlock (unlike purplesn0w). You’ll find that this update is now available through Cydia as ultrasn0w 0.9 We thank geohot for contributing to the scene once again. We don’t think purplesn0w is the right path, but it has certainly helped us improve ultrasn0w!

P.S. geohot, seriously, stop ****ing around and look at the bootrom instead kthx. =P

Tags: app, hack, iPhone, iPhone 3GS, iTouch, jailbreak, Mac, News, OS, redsn0w, unlock, USA, Yellowsn0w

Related posts:

1. Ultrasn0w: iPhone 3G firmware v3.0 unlock hack now available
2. Download: ultrasn0w to unlock iPhone 3G / 3GS (firmware v3.0)
3. Jailbreak / Unlock iPhone (2G / 3G / 3GS) v3.0.1 firmware with redsn0w / ultrasn0w

Sign up to receive latest iPhone World news and updates via e-mail, RSS, Twitter or Facebook!