• Your favorite








    , and
  • FREE IT. Software Unlock iPhone 1.1.2 OTB and 1.1.3 OTB! (yes the 4.6 bootloader)
    geohotz has discovered the secrets to unlocking 1.1.3 + 1.1.2 out of the box!!! Whats more this doesnt even destroy your seczone!!

    I haven't had a chance to try it out yet but when has gehotz failed us before?

    If any of you are feeling up to it give it a shot. First grab his gunlock.rar MIRROR and his instructions are as follows:

    geohot's 1.1.2 software unlock
    yes, this is what you have all been waiting for

    1. Download these:
    gunlock and the secpack from http://iphonejtag.blogspot.com/ or the blog
    the 4.02.13 fls from http://george.zjlotto.com/index.php/baseband/ MIRROR

    2. Downgrade your phone to 1.0.2. See all the great tutorials online to do this.
    Your baseband won't be downgraded, this is normal.
    This will probably work on other versions too, but 1.1.2 doesn't lose wifi on bb access.

    3. Kill CommCenter and run "gunlock secpack ICE04.02.13_G.fls"

    4. Reload CommCenter. For some reason my phone was in brick mode. Use the elite team bricktool to get out.

    5. Enjoy your 1.1.2 OTB unlocked iPhone

    Now who'd have thought it'd be this easy

    This release is no thanks to elite/dev
    I wish they would share like the old days.
    I don't believe everyone in the team is like this, but come on guys.

    If you want to contribute to me, the person who discovered these exploits and wrote this tool
    paypal [email protected]
    This article was originally published in forum thread: FREE IT. Software Unlock iPhone 1.1.2 OTB and 1.1.3 OTB! (yes the 4.6 bootloader) started by Cody Overcash View original post
    Comments 281 Comments
    1. geovass's Avatar
      geovass -
      R you sure it works on 1.1.3 OTB as well?
    1. cosmoLV's Avatar
      cosmoLV -
      great news, let's test
    1. w9cae's Avatar
      w9cae -
      Its been updated now for OTB 1.1.3

      these are the instructions I have been given:

      its 1.1.2 otb, here is a brief noobs guide

      Download these:
      gunlock and the secpack from http://iphonejtag.blogspot.com/ or the blog
      the 4.02.13 fls from http://george.zjlotto.com/index.php/baseband/

      2. Downgrade your phone to 1.0.2.
      irrespective of wher u are 1.1.1/1.1.2 otb not otb
      press and hold power and home button untill u see the screen go blank , leave the power button as soon as the screen turns black, (set up the speaker volume on ur pc to high) as soon as the screen goes black u'l hear a sound, now after abt 10 secs holding down the home button u'll hear another sound , now in itunes it will say phone in recovery mode and all, in itunes, hold the shift key (alt key in mac) and downgrade sequentially to 1.1.1 if you were in 1.1.2 or from 1.1.1 to 1.02 (some will say go directly to 1.02 I prefer this) once ur on 1.02
      jailbreak and activate it , use ibrickr or watever u like.
      install installer.app through ibrickr or watever, update it, install
      community sources,bsd subsystems,open ssh, mobile terminal, etc etc
      now use win scp/ibrickr and upload all files to usr/bin
      files are gunlock/secpack/fls file for 1.1.2/gunlock.c

      use putty or mobile terminal to execute the following commands

      launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

      gunlock secpack ICE04.02.13_G.fls"

      launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

      5. Enjoy your 1.1.2 OTB unlocked iPhone

      This explains the video I was shown today of a 16 gig unlocked
    1. zivilipirati's Avatar
      zivilipirati -
      Geohost you are JEBENO Awesome (Serbin)


    1. jasonm253's Avatar
      jasonm253 -
      this is for bootloader 4.6 plz say yes plz say yes?
    1. Cody Overcash's Avatar
      Cody Overcash -
    1. cosmoLV's Avatar
      cosmoLV -
      Database Error for this http://george.zjlotto.com/index.php/baseband/
    1. mopplecrump's Avatar
      mopplecrump -
      His site is down, but this is what he said:

      11246unlock, good enough for the prize
      OMG NOW supports 1.1.3 TOO

      Full software unlock of 1.1.2; the impossible(or at least I said so) Here it is; instructions are in the package. I guess I really am becoming a good reverser ;-)

      Yes, the impossible has been done. This has absolutely *nothing* to do with JerrySim or any elite/dev/zibri etc project. I'll start with a little story. Yesterday I was really pissed off. So I figured I'd channel my anger toward something productive; I don't know, something like a 1.1.2 software unlock. I knew the odds were against me, but I'd figured I try anyway. At about 1 last night, I hardware "upgraded" a 3.9 phone to 4.6 with the bootrom locations blank, the read command patched to work, and a 0x102 read arbitrary memory command.

      The first exploit I found, at around 4 AM last night, was the -0x20000 exploit. Just like the -0x400 exploit, but -0x20000. Go figure. I guess Apple thought big numbers were harder to guess. I was really pumped, hence the blog post. But that wasn't even half the battle.

      Like I said in the "impossible" post, 0x3C0000 can't have a valid secpack to allow booting. I spent the next 16 hours finding a way to do this. I can already write unsigned to the main fw section, all I need is a way to erase the secpack. My first idea was the eeprom secpack; upload the eeprom, endpack it, and the secpack is erased because the eeprom is "clean". But you can't upload a eeprom secpack until the 0x3C0000 is blank. My next idea was that the bl must erase the secpack before writing it. So a simple timing attack should do it. It turns out that no secpacks, even the same one, will write.

      I finally found a working exploit about 23 hours into my search for the software unlock. The explict addresses 0xA03D0000-0xA03F0000 will always erase. This exploit relied on two things, the secaddrs are copied before the secpack is validated(stupid), and the erase command extends the range to whatever is in the secpack. So I tell it to erase 0xA03D0000-0xA03F0000, the erase command sees 0xA03C0000 to 0xA03F0000 in the secpack; BOOM secpack erased.

      The third minor concern was the full range check of 1.1.3. So use 1.1.2 This allows full unsigned code execution, it is a relatively simple matter of patching the bootloader to skip the range check. And while you are at it, patch the bootloader to validate all tokens. IPSF style unlock w/o touching the seczone.

      So, thats 24hrs to a software unlock; with about 3hrs of sleep in two segments. I am disappointed in the elite/dev team for not finding this; or even looking here. I know not everyone in elite/dev is so closed, and I feel bad for those people. Why don't we all just share everything? Apple will patch it anyway. They always have the upper hand. And whetever happened to the dev wiki?

      If you were giving money to the "dev team" for this software unlock, why not give it to the guy who actually found the exploits and exploited them?

      files available here: (fls file included)

    1. beezink's Avatar
      beezink -
      woot! life is good geohotz rox!
    1. wraith1138's Avatar
      wraith1138 -
      I think we killed the second site, keep getting a database error.
      Anyone run into the same problem or an alternative site to dl from?
    1. sampat4's Avatar
      sampat4 -
      Can't download the 4.02.13 fls from the URL, it must be a broken link or something. Is there any other way to get it? Anybody knows?

    1. roymseafood's Avatar
      roymseafood -
      I've been trying so many times. Stuck with this error. Anyone got the same problem like me? Thanks.

      # gunlock secpack ICE.04.02.13_G.fls
      geohot's 112 otb unlocker...
      Waiting for data...
      Got Header: 77 0b cc
      Bootloader version: 4.6_M3S2
      Increasing baud rate...
      02 00 82 00 04 00 00 10 0E 00 A4 00 03 00
      CFI Stage 1
      CFI Stage 2
      zsh: bus error gunlock secpack ICE.04.02.13_G.fls
    1. hubriz70's Avatar
      hubriz70 -
      Maybe if more of us had it someone can help you...could someone please upload it to rapidshare or something PLEASE!!!!
    1. mopplecrump's Avatar
      mopplecrump -
      Quote Originally Posted by hubriz70 View Post
      Maybe if more of us had it someone can help you...could someone please upload it to rapidshare or something PLEASE!!!!
      see my post above
    1. geovass's Avatar
      geovass -
      See mopplecrump's post.
    1. Adamos's Avatar
      Adamos -
      I guess most of us will (or at least should) wait for a couple dozen confirmations of this here, and maybe a decent guide as well. I mean many of us have been waiting for this with our otb 112 phones, but some (more) patience won't hurt anybody right?
    1. hubriz70's Avatar
      hubriz70 -
      Here you go guys, alt link:

    1. jasonm253's Avatar
      jasonm253 -
      3. Kill CommCenter and run "gunlock secpack ICE04.02.13_G.fls"

      whats this all bout and how do u do this process?
    1. geovass's Avatar
      geovass -
      does anyone have the 1.1.3 baseband ?

      @jasonm253 - launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist