REFERENCE iPhone SIM unlock info

jedah (Registered; joined Feb 8, 2019; location: turkish)
The hardware for the iPhone unlocker is a simple test point that pulls the NOR flash address line A17 high, basically fooling the bootloader's checksum calculator into thinking that the baseband flash is blank (0xFFFFFFFF). This allows the bbupdater to execute unsigned code, which in turn loads the baseband flash (0x20000-0x304000) with the patched NCK-disable mod (04 00 a0 e1 -> 00 00 a0 e3).

Besides the test point, the following tools are also used for this process: NORdumper, IEraser, IUnlocker, Minicom, and Termcap.

And finally:
AT+CLCK="PN",0,"00000000" - to update the checksums
AT+CLCK="PN",2 - to check the unlock "0"

The baseband is an Infineon chip (S-Gold2), which has been used in Siemens phones hacked by the Martech team for a while now with a similar bootloader trick.

Ultimately it's not a permanent unlock: if you do a software update, it will write back the NCK check routine and you'll have to do the entire unlock process over again.

The true unlock is when the NCK checksums have been properly calculated and stored.

Hope that helps to understand the basics behind this patch unlock method.

There's also another method using a SIM proxy, which always sends the phone the following MCC/MNCs (310-150, 310-170, 310-410, 001-010, 311-180, 310-980) regardless of what your SIM card's ICCID is, though it's not the most elegant solution.
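The software side of the patch unlock described in the post above (the one-word patch in the baseband flash, followed by the two AT+CLCK commands), as an added example that is not code from the original post or from any of the tools it names. The patch bytes, the flash window and the AT commands are taken from the post; the sample flash image, the ARM decoder, the FakeBaseband model and every function name are assumptions made here.

```python
# Added example, not code from the original post: it models the software side of
# the patch unlock described above. The patch bytes, the flash window and the two
# AT commands are taken from the post; the sample image, the ARM decoder, the
# FakeBaseband model and every function name are assumptions made here.
import re
from typing import Optional

# Post: "04 00 a0 e1 -> 00 00 a0 e3", applied inside flash 0x20000-0x304000.
NCK_CHECK_ORIG = bytes.fromhex("0400a0e1")   # little-endian 0xE1A00004 = MOV r0, r4
NCK_CHECK_PATCH = bytes.fromhex("0000a0e3")  # little-endian 0xE3A00000 = MOV r0, #0
BB_FLASH_START, BB_FLASH_END = 0x20000, 0x304000


def decode_mov(word: int) -> Optional[str]:
    """Decode an ARM data-processing MOV: just enough to read what the patch changes."""
    if (word >> 26) & 0b11 != 0 or (word >> 21) & 0xF != 0xD:
        return None
    rd = (word >> 12) & 0xF
    if word & (1 << 25):                       # immediate form: imm8 rotated right 2*rot
        rot, imm8 = (word >> 8) & 0xF, word & 0xFF
        imm = ((imm8 >> (2 * rot)) | (imm8 << (32 - 2 * rot))) & 0xFFFFFFFF
        return f"MOV r{rd}, #{imm}"
    if (word >> 4) & 0xFF == 0:                # register form, no shift
        return f"MOV r{rd}, r{word & 0xF}"
    return None


def find_candidates(image: bytes) -> list:
    """Word-aligned hits of the original instruction inside the flash window.

    MOV r0, r4 is a common instruction, so a real image has many hits; the post
    names the pattern, not the site, and the right one has to be picked by hand.
    """
    return [m.start() for m in re.finditer(re.escape(NCK_CHECK_ORIG), image)
            if m.start() % 4 == 0 and BB_FLASH_START <= m.start() < BB_FLASH_END]


def patch_nck_check(image: bytes, site: int) -> bytes:
    """Force r0 (the ARM return register) to 0 at the chosen site, after verifying it."""
    if image[site:site + 4] != NCK_CHECK_ORIG:
        raise ValueError(f"no MOV r0, r4 at {site:#x}; refusing to patch")
    return image[:site] + NCK_CHECK_PATCH + image[site + 4:]


class FakeBaseband:
    """Toy model of the AT side of the modem: status 1 = network lock on, 0 = off."""

    def __init__(self, image: bytes, nck_site: int):
        self.nck_check_disabled = image[nck_site:nck_site + 4] == NCK_CHECK_PATCH
        self.status = 1

    def at(self, cmd: str) -> str:
        m = re.fullmatch(r'AT\+CLCK="PN",(\d)(?:,"(\d+)")?', cmd)
        if not m:
            return "ERROR"
        mode, passwd = m.group(1), m.group(2)
        if mode == "2":                        # query: +CLCK: <status>
            return f"+CLCK: {self.status}\r\nOK"
        if mode == "0" and passwd is not None: # unlock with the given NCK
            if self.nck_check_disabled:        # patched: any code, e.g. 00000000, passes
                self.status = 0
                return "OK"
            return "+CME ERROR: 16"            # 27.007: incorrect password
        return "ERROR"


def parse_clck_status(response: str) -> Optional[int]:
    m = re.search(r"\+CLCK: (\d)", response)
    return int(m.group(1)) if m else None


def run_unlock(modem: FakeBaseband):
    """The two commands from the post, in order: (reply to CLCK=0, final lock status)."""
    reply = modem.at('AT+CLCK="PN",0,"00000000"')
    return reply, parse_clck_status(modem.at('AT+CLCK="PN",2'))


def build_sample_image():
    """Constructed sample flash: 0xFF-filled, one real site plus two decoy hits."""
    img = bytearray(b"\xff" * 0x40000)
    site = 0x21000
    img[site:site + 4] = NCK_CHECK_ORIG         # inside the window, aligned: the site
    img[0x1000:0x1004] = NCK_CHECK_ORIG         # below 0x20000: not baseband flash
    img[0x22001:0x22005] = NCK_CHECK_ORIG       # unaligned: not an instruction boundary
    return bytes(img), site


if __name__ == "__main__":
    img, site = build_sample_image()
    print("candidates:", [hex(o) for o in find_candidates(img)])
    for blob in (NCK_CHECK_ORIG, NCK_CHECK_PATCH):
        print(blob.hex(" "), "=", decode_mov(int.from_bytes(blob, "little")))
    print("before patch:", run_unlock(FakeBaseband(img, site)))
    print("after patch: ", run_unlock(FakeBaseband(patch_nck_check(img, site), site)))
```

The point of `find_candidates` filtering on alignment and the flash window is the practical caveat: the post gives a byte pattern, not an address, and `MOV r0, r4` occurs all over an ARM image, so the real tools patched one known site rather than every match. `patch_nck_check` refuses to run twice on the same site for the same reason.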
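The IMSI handling a SIM proxy of the kind mentioned in the last paragraph has to do, as an added example that is not code from the original post. The MCC/MNC list is the post's; the EF_IMSI coding (length byte, parity nibble, swapped BCD nibbles) follows 3GPP TS 31.102 and the lock check models a network ("PN") personalisation comparing MCC+MNC as in 3GPP TS 22.022. The sample IMSI, the 3-digit-MNC assumption (true for the PLMNs the post lists) and all function names are constructed here; a real proxy also has to answer at the ISO 7816 level, which this does not show.

```python
# Added example, not code from the original post: the IMSI handling a SIM proxy of
# the kind described above has to do. The MCC/MNC list is the post's; the EF_IMSI
# coding (length byte, parity nibble, swapped BCD nibbles) follows 3GPP TS 31.102;
# the lock check models a network ("PN") personalisation comparing MCC+MNC as in
# 3GPP TS 22.022. The sample IMSI, the 3-digit-MNC assumption (true for the PLMNs
# the post lists) and all function names are constructed here.
from typing import List

ALLOWED_PLMNS = ["310150", "310170", "310410", "001010", "311180", "310980"]


def encode_ef_imsi(imsi: str) -> bytes:
    """IMSI digits -> EF_IMSI: [len][parity|d1][d3|d2][d5|d4]... padded with F."""
    parity = 0x9 if len(imsi) % 2 else 0x1      # b4 = odd digit count, b1-b3 = 001
    nibbles = [parity] + [int(d) for d in imsi]
    if len(nibbles) % 2:
        nibbles.append(0xF)
    body = bytes(lo | (hi << 4) for lo, hi in zip(nibbles[0::2], nibbles[1::2]))
    return bytes([len(body)]) + body


def decode_ef_imsi(raw: bytes) -> str:
    """EF_IMSI -> IMSI digits, using the parity nibble to drop the F padding."""
    length = raw[0]
    body = raw[1:1 + length]
    nibbles = [n for b in body for n in (b & 0x0F, b >> 4)]
    odd = bool(nibbles[0] & 0x8)
    ndigits = 2 * length - 1 if odd else 2 * length - 2
    return "".join(str(n) for n in nibbles[1:1 + ndigits])


def split_plmn(imsi: str):
    return imsi[:3], imsi[3:6]                   # MCC, 3-digit MNC (assumption)


def network_lock_allows(imsi: str, allowed: List[str] = ALLOWED_PLMNS) -> bool:
    """What a PN-locked handset does with the IMSI it read: is MCC+MNC in its list?"""
    mcc, mnc = split_plmn(imsi)
    return mcc + mnc in allowed


def proxy_rewrite(real_ef_imsi: bytes, spoof_plmn: str = ALLOWED_PLMNS[0]) -> bytes:
    """Reply the proxy returns to the handset's read of EF_IMSI: allowed PLMN, real MSIN."""
    real = decode_ef_imsi(real_ef_imsi)
    return encode_ef_imsi(spoof_plmn + real[6:])


# Constructed sample: MCC 999 is reserved, so this cannot be a real subscriber.
SAMPLE_IMSI = "999887123456789"

if __name__ == "__main__":
    raw = encode_ef_imsi(SAMPLE_IMSI)
    print("real  EF_IMSI:", raw.hex(" "), network_lock_allows(SAMPLE_IMSI))
    spoofed = proxy_rewrite(raw)
    print("proxy EF_IMSI:", spoofed.hex(" "), network_lock_allows(decode_ef_imsi(spoofed)))
```

In this model the proxy only changes what the handset reads from the card; everything else, the authentication challenge included, still passes through to the real SIM, which is why the lock check sees an allowed MCC+MNC while the network still talks to the original subscriber.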
 