
1.1.2 OTB UNLOCKED

YOU VERY WELL MAY BRICK YOUR PHONE WITH THIS. Be careful. I have done it successfully on two phones, and have never bricked an iPhone in my life.
So let's get down to business. It is a hardware method to downgrade the bootloader, and I am assuming you are familiar with the old hardware method, so I will not repeat steps. You need to have a 1.1.2 4.6 phone for this to work. If you upgraded to 1.1.3, have fun waiting for 1.1.4!

First download 112otb.rar. You will need these files. This includes the NEW secpack, a new ieraser, a new testcode.bb, and a new iunlocker.

1. Copy all the files to a directory on your phone. It is imperative you do not shut off the phone after ieraser, or you cannot restore wifi, since the only fls which works on 4.6 is 1.1.3. Install mobileterminal before you begin, in case you lose wifi. Also I advise doing this on 1.0.2, since resetting the baseband does not cause problems.

2. Run ienew. This is ieraser, and it erases your 1.1.2 firmware to allow the testpoint to work.

3. Find an old 3.9 nor dump and create a file called "nor" with the first 0x20000 bytes of the old nor dump. This is the 3.9 bootloader.

4. Copy "nor" into the folder and run iunew. This is iunlocker and runs just like the old one. You will need the A17 testpoint on before running this. See Step 3 for info on this testpoint. If you restarted and lost wi-fi, it is fine. Just run it from mobileterminal.

Note: "bbupdater -v" should not work at this point, since your phone has no firmware, just a bootloader.

5. The bootloader is now 3.9 !!! Run bbupdater -f or restore phone with the AnySimmable firmware of your choice. It seems people are having the most luck with the firmware from 1.1.2.

6. Run AnySim and, as usual, enjoy your unlocked iPhone.

PS. The secpack was the only obstacle to the unlock.
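Step 3 depends on the "nor" file being exactly the first 0x20000 bytes of the dump, so it is worth checking that before flashing. The following is an added example, not part of the original post: it builds "nor" with size and content checks, and the input file name is an assumption (use whatever your 3.9 NOR dump is called).

```shell
#!/bin/sh
# Added example: build the "nor" file from step 3 with sanity checks.
# Assumption: the dump file name is supplied by you; nothing here is from the 112otb package.

BL_SIZE=$((0x20000))   # 131072 bytes, the length given in step 3

make_nor() {
    src=$1
    dst=${2:-nor}

    [ -f "$src" ] || { echo "no such dump: $src" >&2; return 1; }

    # A dump shorter than 0x20000 bytes cannot contain the whole region.
    src_size=$(wc -c < "$src" | tr -d ' ')
    if [ "$src_size" -lt "$BL_SIZE" ]; then
        echo "dump is only $src_size bytes, need at least $BL_SIZE" >&2
        return 1
    fi

    # Refuse to overwrite an existing file silently.
    if [ -e "$dst" ]; then
        echo "$dst already exists, not overwriting" >&2
        return 1
    fi

    # Copy exactly the first BL_SIZE bytes.
    head -c "$BL_SIZE" "$src" > "$dst" || return 1

    # Verify the length and that the bytes match the start of the dump.
    dst_size=$(wc -c < "$dst" | tr -d ' ')
    if [ "$dst_size" -ne "$BL_SIZE" ] || ! head -c "$BL_SIZE" "$src" | cmp -s - "$dst"; then
        echo "verification failed, removing $dst" >&2
        rm -f "$dst"
        return 1
    fi
    echo "$dst: $dst_size bytes"
}

# Usage (file name is a placeholder): make_nor old_nor_dump.bin nor
```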


The red line is covering the A17 trace. In order to trick the chip into thinking the flash is erased in the correct section, you will need to pull this high. Scrape away at the trace with something like a multimeter probe. Then solder a very thin wire to it. Be very careful. Only scrape away at that solder mask above that one trace. YOU DO NOT WANT TO BREAK THE TRACE. This is the hardest step in the whole process; the rest is cake. Also solder a wire to the 1.8v line. Connect the wire coming from the trace and the wire coming from the 1.8v to your unlock switch. Be careful, you only get one chance to do this right.