How To: Unlock your iPhone and install Android

Ever wanted to know how they jailbreak an iPhone? Below are a couple of articles that outline a couple of methods to unlock the popular smartphone device.

They centre on older versions of the iPhone but give you the knowledge to unlock the device and do what you want to do with it - including install the applications of your choice.

We've also included a rundown on how to install the Google Android operating system on the iPhone - it's not a hack for the faint-hearted.

How to Unlock your iPhone 3G

By David Murphy, PC World

The iPhone world has been clamoring for this one for a while. And what better way to start the new year than by playing around with the Dev Team's newest creation--an official unlock for the iPhone 3G. We'll run through the basics of this wonderful little tool and show you exactly how you can jailbreak and unlock your phone. You'll be able to run as many third-party applications as you want on your device. And more importantly, you'll be able to use your iPhone on any cell phone carrier you want.

What's an Unlock?

Unlocking your phone allows you to use it on any carrier you want, not just AT&T. You'll pop out your AT&T SIM card and insert the SIM card of a different carrier. The iPhone doesn't allow you to do this normally, so a little bit of hacking is involved.

Is it safe? Will I break my iPhone?

Possibly. There's always the worry that the unlocking process will royally screw up your phone--but the only way to deal with that is to read the situations of others who have attempted the procedure before you. As long as you follow the instructions closely, you will greatly reduce your chances of bricking (screwing up) your iPhone. Beyond that, once you've unlocked your iPhone, you'll want to approach new iPhone updates with suspicion. Don't just click "update" in iTunes--wait for the various iPhone hackers to release (and safely test) new tools that will allow you to redo the same procedure on the new firmware.

Is it easy to do? Hacking an iPhone sounds difficult!

It is. It used to be difficult, but a number of one-button (or two-button) programs have emerged that greatly simplify the process of doing evil things to your iPhone. Don't worry. Even a cat could unlock an iPhone at this point.

How do I do it?

For the most part, unlocking a 3G iPhone is easy enough that we'll just need a few steps to tell you how to do it. Here we go!

1) Upgrade your iPhone to the 2.2 Firmware

This one's easy. Fire up iTunes and update your phone to the latest update, 2.2. If you've already done this, then you are one step ahead of the game. If not, you accomplish this task by clicking the "Update" button. Magic! Be sure to back up/sync your phone prior to doing so, and write down any notes, programs, or settings you want to keep!

2) Pwn your Phone

Download Quickpwn. This is the application you'll use to jailbreak your phone prior to unlocking. Connect your iPhone to your PC all USB-style and fire up Quickpwn. The program is as self-explanatory as a jailbreaking application could be. Select your phone. Select your phone's firmware (which should appear naturally, as you did the update through iTunes). Install Cydia or Installer (we prefer the former). Follow the directions. Enjoy a hot cup of tea while you wait.

3) Install the application repositories

If you opted to install Cydia, fire up the application on your newly jailbroken iPhone and add the following application repository: If you went for Installer, add this repository: If you have no idea how to add a repository, fiddle around in each application's settings and options menus. It'll be there, trust us.

4) Install yellowsn0w

Use either Cydia or Installer to install yellowsn0w. Once the server finally lets you do so (it's getting hammered right now), run the application. Then turn off your iPhone. Grab a paper-clip and follow these instructions to pop out your SIM card. Slap in the SIM card from the new carrier you want to use. Turn on your iPhone. If the carrier doesn't pop up after a bit of a wait, repeat the process to remove the SIM and try doing it again.

5) Crazy Troubleshooting

Switching to T-Mobile? Turn off 3G on your iPhone settings (under Networking) before switching SIM cards. Turn off any PINs on your SIM card before making the switch. Make sure you're using the latest version of yellowsn0w. It should update in the Cydia/Installer menus automatically, but you can always make sure that the available version matches the newly released version by hitting up the official Dev Team blog. We'll be monitoring the 3G unlock all day, and we'll let you know if we come across anything else! And you can always leave comments about the success / destruction of your iPhone 3G below.

Unlock an iPhone and Install Unofficial Apps

by Zack Stern, PC World

Difficulty: Hard; Time: 2.5 hours

Despite its coolness factor, the Apple iPhone comes with way too many restrictions. You're locked into AT&T service, for starters. On top of that, Apple says that it must approve all software before anyone can use the programs. But with this iPhone hack, you'll be able to swap in a different SIM from another provider. In addition, you'll have access to new software tools--such as one that gives you the ability to share the iPhone's mobile Internet connection with a laptop--that AT&T doesn't permit. As of this writing, you can hack both the original iPhone and the newer 3G iPhone to give them access to new software, but with this hack only the original handset can accept other SIM cards.

The hack requires a Mac in order to work. The process will void your warranty, and there's a small chance that you'll damage the phone in a way that prevents your restoring the handset from a backup. At the very least, before you dive in, sync your iPhone with iTunes and then Ctrl-click the phone name to create a software backup. A program called PwnageTool performs the hack. You'll also need original firmware for the iPhone. If you're lucky, you'll have a recent version of it in Users, Username, Library, iTunes, iPhone Software Updates. Otherwise, click your phone, and select the Restore button in iTunes to download the latest file to that location. Next, search online for "bl39.bin and bl46bin iPhone boot-loader download" and grab copies of those two files. Now verify that the .ipsw and .bin files you downloaded will work, by checking the list on the PwnageTool Web site.

Launch PwnageTool and choose your iPhone. Click the right arrow for the next page. PwnageTool should find the .ipsw file automatically (if it doesn't, browse to the file manually). Select the file and click the right arrow. It'll ask for the bootloaders; click No to skip the search, and enter where they're stored locally. Then click Yes to create the new iPhone .ipsw firmware file. You will be prompted for your admin password. After the tool tells you to connect the phone, follow the on-screen instructions to turn it off, push the power button followed by the home button, and then release the buttons in that order.

Back in iTunes, hold down the Option key and click Restore. Choose the new, PwnageTool-created firmware on your desktop, and click Open. After several minutes, iTunes will restart the phone and will prompt you for a backup file to restore your old data on the hacked phone. Choose one if you want, or skip the prompt to start fresh. A utility called Cydia will have been installed on the iPhone. It downloads unapproved software directly to the handset, but you'll still be able to buy programs through the App Store. And if you've hacked an original iPhone, you can now make calls on it with any active GSM SIM card.

Unlock Almost Any Mobile Phone

Difficulty: Easy; Time: 20 minutes

If you travel internationally, you can save money by buying a local, prepaid SIM card and swapping it into your phone, instead of paying high roaming rates to your U.S. cellular provider. Most U.S. phones, however, are locked to a single carrier and function only with SIM cards from that company. Here's how to unlock your mobile handset for use on any GSM network.

Enter your phone's unlock code exactly as shown to free it for use on any GSM carrier.

First try to find a free code online that might unlock the phone. You can visit or, or you can begin by searching for your phone model online, using terms such as “Nokia 6820b free unlock code.” You'll be prompted on such sites to enter the phone's unique IMEI number (usually found under the battery), the model, and your carrier. With that data, the site will generate several codes and instructions for typing them into the handset. I recommend trying the first code returned at a few sites (since they can generate different results), instead of running through a full list of codes at one site.

If you're unsuccessful, try following the same process at a for-pay site, such as

How to Install Android on Your iPhone

Here's how to install Google's Android OS on your iPhone. Be forewarned, though: This hack isn't for the faint of heart.

by David Wang, PC World

(Editor's note: David Wang is an accomplished iPhone hacker and member of the iPhone Dev Team. Tinker with your gadgets at your own peril--we're not responsible for what happens if you brick your iPhone, however unlikely that may be.)

Maybe you want to liberate your iPhone from Apple's clutches. Maybe you just want to tinker with something new. Either way, you've seen Android running on the iPhone, and you want to try it for yourself.

Still a Work in Progress

Although this port does everything that you expect your smartphone to be able to do, it isn't usable for day-to-day activities just yet--I haven't implemented any power-management functions, so a fully charged iPhone running Android will last only an hour or so. A few bugs and performance issues remain, too, so while the phone will be usable, it won't be fast. If you do something unexpected (such as forcing the iPhone off), there is a small chance that you may end up restoring your device. However, it is impossible for any bugs to brick or disable your iPhone permanently. Finally, media syncing is not working, so loading your media onto your phone is kind of a pain. I'm working as hard as I can, though, and I expect to fix these issues soon.

Required Reading

Start by brushing up on the fundamentals of iPhone maintenance: how to get your iPhone into Recovery Mode, how to put it into DFU Mode, and how to perform a firmware restore from those modes. The iPhone is a well-engineered device, and it is virtually impossible to brick if you know these techniques. If all else fails, remember that you can always restore using DFU Mode. You'll also need to be reasonably comfortable working in a command-line interface, and unless you're confident in trying to compile your own binaries, you'll need a PC running Linux (or a Linux virtual machine).

What You Need

1. A first-generation iPhone or an iPhone 3G with firmware versions between 2.0 and 3.1.2, jailbroken with Redsn0w, Blacksn0w, or PwnageTool. If you already updated your handset to 3.1.3 or to a 4.0 beta, you must use PwnageTool to create a jailbroken 3.1.2 .ipsw file to restore down to. Note that I am explicitly excluding the iPhone 3GS, all iPod Touch models, and the iPad. This hack will not work with those devices (yet). I am also explicitly excluding iPhone OS 3.1.3 and all of the 4.0 betas. It will not work with the Spirit jailbreak, either. If you haven't yet jailbroken your iPhone, don't worry--it's a simple process that consists mainly of pressing buttons on the device when prompted and clicking the next button in a wizard. I humbly recommend Redsn0w, since I wrote much of the code for that program.

2. A 32-bit Linux system or virtual machine (I recommend Ubuntu). See "How to Easily Install Ubuntu Linux on Any PC" for instructions if you don't already have Ubuntu. Although much of the process can be conducted on any machine, one of the tools involved (called 'oibc') has not yet been ported to Windows. In addition, the binaries I provide are compiled on a 32-bit Ubuntu machine. All of the utilities compile for Linux and Mac, however, so if you're feeling adventurous, compile the sources at and instead of using the binaries.

3. The prebuilt images and binaries; the exact files you use depend on whether you have a first-generation iPhone or an iPhone 3G.

4. The iPhone OS 3.1.2 .ipsw file for your device, namely either iPhone1,1_3.1.2_7D11_Restore.ipsw or iPhone1,2_3.1.2_7D11_Restore.ipsw. Chances are, you already have this file somewhere on your computer, but if you need it, you can download it.

5. The firmware for the Marvell WLAN chip inside the iPhone. Go to the URL, and on the right side of the page you should see a drop-down menu labeled 'Choose your platform'. Select Linux 2.6 - Fedora from the drop-down menu and click the Search button underneath. Download the file labeled SD-8686-LINUX26-SYSKT-9.70.3.p24-26409.P45-GPL. You'll get a file called

Android on iPhone, Step-by-Step

The first steps collect the multitouch and WLAN firmware for the iPhone. We cannot legally redistribute these binary blobs, so it is necessary for you to extract them from the .ipsw file and Marvell's Website.

1. On the Linux machine, create a folder named firmware in your home directory.

2. Extract SD-8686-FEDORA26FC6-SYSKT-GPL-9.70.3.p24-26409.P45.tar from SD-8686-LINUX26-SYSKT- to a temporary folder.

3. Extract FwImage/helper_sd.bin and FwImage/sd8686.bin from SD-8686-FEDORA26FC6-SYSKT-GPL-9.70.3.p24-26409.P45.tar and put them inside your 'firmware' folder.

4. Rename helper_sd.bin to sd8686_helper.bin. You have your WLAN firmware at this point. Now for the multitouch firmware.

5. On the Linux machine, create a folder named idroid in your home directory and extract utils/dripwn from the prebuilt tarball (.tar archive) you downloaded into it.

6. Copy or move the 3.1.2 .ipsw file you obtained from Apple's Website into the same 'idroid' folder as dripwn.

7. Start a command-line shell (Terminal under Ubuntu) and navigate to the 'idroid' folder you created. You can type cd ~/idroid to do this.

8. Go to this page if you have an iPhone 3G or this page if you have an older iPhone. Copy the VFDecrypt key.

9. In the shell you started earlier, if you have a first-generation iPhone, type the following:

./dripwn iPhone1,1_3.1.2_7D11_Restore.ipsw [the VFDecrypt key you copied]

If you have an iPhone 3G, type the following:

./dripwn iPhone1,2_3.1.2_7D11_Restore.ipsw [the VFDecrypt key you copied]

10. After a while, the command will finish and you will have zephyr_main.bin, zephyr_aspeed.bin, and zephyr2.bin in your 'idroid' folder. Move these files into the 'firmware' folder. You now have all the files needed for Android, and you can begin installing it.

11. If you haven't already, install the OpenSSH tool on your iPhone via Cydia.

12. If you just installed OpenSSH, connect to your iPhone via SSH, log in as root with the password alpine, and type passwd root to change the password for root. Then, enter passwd mobile to change the password for the mobile user. Don't skip this step. All of the iPhone worms out there affect you only if you haven't changed the SSH password from the default.

13. Extract prebuilt/android.img.gz, prebuilt/cache.img, prebuilt/ramdisk.img, prebuilt/system.img, prebuilt/userdata.img, and zImage from the prebuilt tarball.

14. Use the 'scp' command or an SFTP client to upload all of these files into the /private/var folder on the iPhone. You can use these commands on Linux, if you wish to use scp instead of an SFTP graphical-interface client. Assuming you're in the same folder as the files, enter:

scp android.img.gz root@[ip address of iPhone]:/private/var/

scp cache.img root@[ip address of iPhone]:/private/var/

scp ramdisk.img root@[ip address of iPhone]:/private/var/

scp system.img root@[ip address of iPhone]:/private/var/

scp userdata.img root@[ip address of iPhone]:/private/var/

scp zImage root@[ip address of iPhone]:/private/var/

15. Using the SFTP client or scp, create a folder called firmware in the /private/var folder on the iPhone; afterward, upload all the files from the 'firmware' folder you created earlier to it. If the 'firmware' folder you created earlier is inside your home directory, you can use the following command:

scp -r ~/firmware/ root@[ip address of iPhone]:/private/var/firmware

16. Reboot your iPhone. As a safety precaution, check to make sure that the files are still present after the reboot and that they all have the right sizes. An incorrect file size is one that does not exactly match the source file size (for example, system.img is not 71327744 bytes, android.img.gz is not 2161556 bytes, or zImage is not 2364280 bytes on the 3G or not 2356044 bytes on the older iPhone). Many people have trouble with this process because not all of the files reached their iPhone in one piece.

17. Extract utils/oibc, utils/loadibec, and prebuilt/openiboot.img3 from the prebuilt tarball into your 'idroid' folder.

18. Shut down the iPhone and place it into Recovery Mode: With the iPhone powered off and plugged into the computer via USB, push Hold and Home simultaneously, and then let go of Hold after the backlight turns on. Continue holding Home until the 'Connect to iTunes' image appears on the screen.

19. Run the following commands in Terminal (you'll need to install libusb-0.1-4 with Synaptic or 'apt-get' if you haven't already):

cd ~/idroid

sudo ./loadibec openiboot.img3

If all goes well, the 'openiboot' boot menu should now appear!

20. Use either the volume-control buttons or the Hold button to select the second menu option, Console. Tap the Home button to launch it. A text-mode console should start running on your screen, ending with a 'Welcome to openiboot' message.

21. Type sudo ./oibc in Terminal. The same messages that appeared on the iPhone screen should now appear in Terminal. You should next make a backup of the NOR (the device on which the iPhone's bootloader is stored) in case something goes wrong, so you don't brick your iPhone.

22. Type nor_read 0x09000000 0x0 1048576 in Terminal/oibc. This will read the entire NOR into main memory.

23. Type ~norbackup.bin@0x09000000:1048576 in Terminal/oibc. A file will appear in the 'idroid' folder called norbackup.bin. Keep this somewhere safe. The command uploads the NOR to the computer. After you make this backup, you are now free to modify the NOR. The next step installs OpeniBoot onto the NOR, supplanting the existing Apple iBoot bootloader.

24. Type install in Terminal/oibc. This process may take a few minutes. Wait until the installation-complete message appears.

25. Type reboot in Terminal/oibc and then exit out of it by pressing Ctrl-C. The OpeniBoot menu should now come up whenever you boot your iPhone. Note that you can uninstall OpeniBoot from oibc with the 'uninstall' command. Type help for a list of all OpeniBoot commands. You can still get into the iPhone OS's recovery mode by holding down Home on the iPhone OS option in the menu until the 'Connect to iTunes' image appears (instead of just tapping Home).

You should be finished! Use the OpeniBoot menu to boot Android by selecting that OS from the menu whenever you wish. Unfortunately, no good method to shut down Android exists yet, so the only way to turn it off is to hold down the Hold and Home buttons until you've forced the phone off. Check out iDroidWiki for more tutorials and tips on what you can do with your new Android iPhone.
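
The file-size check in step 16 and the NOR backup made in steps 22 and 23 can both be scripted on the Linux machine. The following is an added example, not part of the original article or the author's tools; the function names are hypothetical, and it assumes awk, wc, tr, cmp and sha256sum are installed and that file names contain no whitespace.

```shell
#!/bin/sh
# Added example, not the author's tooling. Assumes a POSIX shell with awk, wc,
# tr, cmp and sha256sum on the Linux machine; file names contain no whitespace.

# size_manifest DIR: print "name size-in-bytes" for each regular file in DIR.
size_manifest() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "${f##*/}" "$(wc -c < "$f" | tr -d '[:space:]')"
    done | sort
}

# compare_manifests SOURCE DEVICE: both arguments are size_manifest outputs.
# Every file listed in SOURCE must be listed in DEVICE with the same size.
# Prints one line per problem; returns non-zero if anything is missing or short.
compare_manifests() {
    awk '
        NR == FNR { want[$1] = $2; next }   # first file: sizes on the PC
        { got[$1] = $2 }                    # second file: sizes on the phone
        END {
            for (name in want) {
                if (!(name in got)) {
                    print "MISSING " name; bad = 1
                } else if (got[name] != want[name]) {
                    print "SIZE " name " expected " want[name] " got " got[name]
                    bad = 1
                }
            }
            exit bad + 0
        }' "$1" "$2"
}

# Length passed to nor_read in step 22.
NOR_SIZE=1048576

# check_nor_backup FILE [SECOND_READ]: FILE must be exactly NOR_SIZE bytes and
# must contain something other than 0x00/0xFF filler (a blank or failed read).
# If SECOND_READ is given, both dumps must be byte-identical.
# Prints the SHA-256 of FILE on success so it can be stored with the backup.
check_nor_backup() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    size=$(wc -c < "$1" | tr -d '[:space:]')
    [ "$size" -eq "$NOR_SIZE" ] || { echo "wrong size: $size" >&2; return 1; }
    payload=$(tr -d '\000\377' < "$1" | wc -c | tr -d '[:space:]')
    [ "$payload" -gt 0 ] || { echo "dump is blank" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        cmp -s "$1" "$2" || { echo "reads differ" >&2; return 1; }
    fi
    sha256sum "$1" | cut -d ' ' -f 1
}
```

Build one manifest from the folder holding the source files and one from a listing of /private/var taken over SSH after the reboot, then pass both to compare_manifests. Run check_nor_backup on norbackup.bin before typing install, since that step overwrites the bootloader the backup is meant to restore.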

David Wang is a hobbyist hacker better known as "planetbeing." For the latest developments, visit his blog, Linux on the iPhone.