1. Download the tools. Extract them into a directory.
2. Restore the modem. Reflash the modem to clear the previous unlock; see [Tutorial] Dealing with a failed software unlock.
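3. Prepare the software. Install the extracted SimFree (IPSF) on the iPhone (it has to be uploaded manually) and give it execute permission. Also install BSD Subsystem and OpenSSH; see [Tutorial] Installing software with iBrickr.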
4. Prepare the network. Make sure the iPhone's WiFi can reach the Internet, and set the WiFi DNS to 129.21.116.152 (geohot's server); see [Tutorial] How to configure WiFi.
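5. Extract the damaged seczone. Insert the China Mobile SIM card into the iPhone and run SimFree. It will finish with the following error:

    Unlock failed. Unable to update token.

This is expected. Any other error means something went wrong; go back and start over.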
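7. Generate the secloader. Open a command-line window, change to the directory you extracted earlier, and enter the command:

    C:\revirgin\> geomaker <real-IMEI>.bin

This produces a new file, <real-IMEI>.bin_loader, which is used in the steps below. Mac users have to embed the seczone into the secloader by hand, which is not covered here.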
8. Prepare the repair files. Copy the following extracted files to the iPhone and place them in the /revirgin directory:

    314fls_correct
    314secpack
    eeprom.eep
    bbupdater
    iUnlock
    <real-IMEI>.bin_loader
9. Repair the seczone. Log in to the iPhone over SSH (see [Tutorial] About SSH, SCP and SFTP) and enter the commands:

    cd /revirgin
    chmod 755 bbupdater iUnlock
    launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist    (stop CommCenter)
    ./iUnlock 314secpack <real-IMEI>.bin_loader    (write the repair secloader)
    ./bbupdater -v    (this step reports an error, which is fine and expected; the point is to get the secloader to run and repair the seczone)
    ./iUnlock 314secpack 314fls_correct    (write the correct secloader back)
    ./bbupdater -v    (this step should show the normal version 03.14.08_G)
    ./bbupdater -e eeprom.eep    (restore the EEPROM, just to be safe)
    launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist    (start CommCenter)

These commands can also be run in MobileTerminal.
10. Reboot. After the restart the phone is repaired and already unlocked. The unlock uses a method similar to anySIM 1.1, implemented by gray.
Complete actual session and output (the formatting has been adjusted slightly so the individual steps are easier to see):

-sh-3.2# launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist    (stop CommCenter)
-sh-3.2# cd /reflash
-sh-3.2# ./bbupdater -f *fls -e *eep    (reflash the modem)
Preparing to flash using /dev/tty.baseband at 750000 baud
Please reset target
Resetting target...
ProcessDetailUpdated: Boot-loader is active
ProcessDetailUpdated: EBL version: 3.9_M3S2 3..9
ProcessDetailUpdated: Boot mode is: CC
ProcessDetailUpdated: Baud rate set to 750000
ProcessDetailUpdated: Get flash id.
ProcessDetailUpdated: CFI stage 1
ProcessDetailUpdated: Flash ID is: 88620089
ProcessDetailUpdated: CFI stage 2
ProcessDetailUpdated: Boot process finished
ProcessOutlineUpdated: Reading SW version data
ProcessDetailUpdated: Receiving data.
ProgressUpdated: 100
ProcessDetailUpdated: Upload OK
ProcessOutlineUpdated: Process time was 132 msec.
Upgrade from to
Downloading EEP
ProcessOutlineUpdated: Start downloading from file ICE03.14.08_G.eep.
ProcessDetailUpdated: Sending sec-pack.
ProcessDetailUpdated: Load region 0
ProcessDetailUpdated: Sending end-pack.
ProcessDetailUpdated: Checksum OK.
ProcessDetailUpdated: Verify OK
ProcessOutlineUpdated: Process time was 1799 msec.
Downloading FLS
ProcessOutlineUpdated: Start downloading from file ICE03.14.08_G.fls.
ProcessDetailUpdated: Erasing the dynamic eeprom area
ProgressUpdated: 100
ProcessDetailUpdated: Sending sec-pack.
ProcessDetailUpdated: Load region 0
ProcessDetailUpdated: Sending data.
ProgressUpdated: 0
ProgressUpdated: 2
ProgressUpdated: 4
...... (omitted)
ProgressUpdated: 97
ProgressUpdated: 99
ProgressUpdated: 100
ProcessDetailUpdated: Load region 1
ProcessDetailUpdated: Sending data.
ProgressUpdated: 0
ProgressUpdated: 1
ProgressUpdated: 2
...... (omitted)
ProgressUpdated: 99
ProgressUpdated: 100
ProcessDetailUpdated: Sending end-pack.
ProcessDetailUpdated: Checksum OK.
ProcessDetailUpdated: Verify OK
ProcessOutlineUpdated: Process time was 1 min 52 sec.
Resetting target...
pinging the baseband...
issuing +cpwroff...
Done
-sh-3.2# launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist    (start CommCenter)

(The steps of using SimFree, obtaining the seczone, generating the secloader and placing it in the /revirgin directory are omitted here.)

-sh-3.2# launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist    (stop CommCenter)
-sh-3.2# cd /revirgin/
-sh-3.2# ./iUnlock 314secpack XXXXXXXXXXXXXXX.bin_loader    (write the secloader)
iUnlock v43.hiBaud -- Copyright 2007 The dev team
Credits: Daeken, Darkmen, guest184, gray, iZsh, pytey, roxfan, Sam, uns, Zappaz, Zf
Sending baudrate command speed 921600
Sending Begin Secpack command
Sending Erase command
Waiting For Erase Completion... OK
Flashing 20% 40% 61% 81% OK
Sending End Secpack command
Validating the write command
FW are equal!
Completed. Enjoy!
-sh-3.2# ./bbupdater -v    (activate the secloader to repair the seczone)
Resetting target...
pinging the baseband...
baseband unresponsive to pinging
Done
-sh-3.2# ./iUnlock 314secpack 314fls_correct    (restore the original secloader)
iUnlock v43.hiBaud -- Copyright 2007 The dev team
Credits: Daeken, Darkmen, guest184, gray, iZsh, pytey, roxfan, Sam, uns, Zappaz, Zf
Sending baudrate command speed 921600
Sending Begin Secpack command
Sending Erase command
Waiting For Erase Completion... OK
Flashing 01% 02% ...... (omitted) 98% 99% OK
Sending End Secpack command
Validating the write command
FW are equal!
Completed. Enjoy!
-sh-3.2# ./bbupdater -v    (confirm the secloader was restored successfully)
Resetting target...
pinging the baseband...
issuing +xgendata...
firmware: DEV_ICE_MODEM_03.14.08_G
eep version: EEP_VERSION:207
eep revision: EEP_REVISION:7
bootloader: BOOTLOADER_VERSION:3.9_M3S2
Done
-sh-3.2# ./bbupdater -e eeprom.eep    (restore the EEPROM)
Preparing to flash using /dev/tty.baseband at 750000 baud
Please reset target
Resetting target...
ProcessDetailUpdated: Boot-loader is active
ProcessDetailUpdated: EBL version: 3.9_M3S2 3..9
ProcessDetailUpdated: Boot mode is: CC
ProcessDetailUpdated: Baud rate set to 750000
ProcessDetailUpdated: Get flash id.
ProcessDetailUpdated: CFI stage 1
ProcessDetailUpdated: Flash ID is: 88620089
ProcessDetailUpdated: CFI stage 2
ProcessDetailUpdated: Boot process finished
ProcessOutlineUpdated: Reading SW version data
Error: couldn't retrieve version information: File not found.
Upgrade from 饾? to ?/
Downloading EEP
ProcessOutlineUpdated: Start downloading from file eeprom.eep.
ProcessDetailUpdated: Sending sec-pack.
ProcessDetailUpdated: Load region 0
ProcessDetailUpdated: Sending end-pack.
ProcessDetailUpdated: Checksum OK.
ProcessDetailUpdated: Verify OK
ProcessOutlineUpdated: Process time was 1782 msec.
Resetting target...
Done
-sh-3.2# launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist    (start CommCenter)
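An added example, not part of the original tutorial or its tools: a small Python checker that splits a captured session like the one above at each prompt and compares every command's output with the outcomes the steps describe (each iUnlock write ends in "FW are equal!", the first bbupdater -v fails, the second reports 03.14.08_G, and every bbupdater download is checksummed and verified). The function names and the abbreviated sample session are constructed for illustration.

```python
import re
PROMPT = "-sh-3.2#"  # shell prompt used in the page's transcript

def split_session(text):
    """Split a transcript into [command, output_lines] pairs at each prompt."""
    steps = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(PROMPT):
            # Drop a trailing "(annotation)" like those the page adds after commands.
            steps.append([re.sub(r"\s*\([^)]*\)$", "", line[len(PROMPT):].strip()), []])
        elif steps and line:
            steps[-1][1].append(line)
    return steps

def check_session(text, expected_fw="03.14.08_G"):
    """Return a list of deviations from the outcomes the page describes."""
    problems, fw = [], []  # fw: firmware match (or None) of each `bbupdater -v`
    for cmd, out in split_session(text):
        body = "\n".join(out)
        if cmd.startswith("./iUnlock ") and "FW are equal!" not in body:
            problems.append(f"{cmd}: write was not validated")
        elif cmd == "./bbupdater -v":
            fw.append(re.search(r"^firmware: (\S+)", body, re.M))
        elif cmd.startswith("./bbupdater -"):  # -f / -e flashing runs
            n = body.count("Start downloading from file")
            if n == 0 or body.count("Checksum OK.") != n or body.count("Verify OK") != n:
                problems.append(f"{cmd}: a download was not checksummed and verified")
    # Page: the first -v (repair loader written) errors out; the second shows 03.14.08_G.
    if len(fw) != 2:
        problems.append("expected exactly two './bbupdater -v' runs")
    elif fw[0] or not (fw[1] and fw[1].group(1).endswith(expected_fw)):
        problems.append(f"-v results differ: first must fail, second must report {expected_fw}")
    return problems

# Constructed sample: the page's /revirgin session, heavily abbreviated.
SAMPLE = """\
-sh-3.2# ./iUnlock 314secpack XXXXXXXXXXXXXXX.bin_loader (write secloader)
FW are equal!
-sh-3.2# ./bbupdater -v
baseband unresponsive to pinging
-sh-3.2# ./iUnlock 314secpack 314fls_correct
FW are equal!
-sh-3.2# ./bbupdater -v
firmware: DEV_ICE_MODEM_03.14.08_G
-sh-3.2# ./bbupdater -e eeprom.eep
ProcessOutlineUpdated: Start downloading from file eeprom.eep.
ProcessDetailUpdated: Checksum OK.
ProcessDetailUpdated: Verify OK
"""
```

Calling check_session(SAMPLE) returns an empty list; a session in which the second bbupdater -v still gets no answer, or a flash run lacks its "Verify OK", yields one entry per deviation.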