Riding the wave of JailbreakMe in the past couple days, the ultrasn0w project has been updated to enable a full carrier unlock for iPhone 4 running baseband version 01.59. This release also supports unlocking iPhone 3G and iPhone 3GS running basebands 04.26.08, 05.11.07 and 05.13.04.
The unlocking process requires a jailbroken iPhone, a process recently simplified by the browser-based process of jailbreakme.com which used a PDF font engine exploit to jailbreak the device. The ultrasn0w tool can be found within the Cydia application repository that is installed as part of the jailbreak. The unlock will now allow iPhone 4 devices to be used on any carrier.
David Wong (aka. planetbeing) from the iPhone Dev Team posted about the news on their blog. The video below by TechTechManTV shows an iPhone 4 being jailbroken and unlocked using jailbreakme.com and ultrasn0w:
[Update] JailbreakMe 3.0 for iOS 4.3.3 is out!
The technique works thanks to a specially-crafted PDF document which exploits a vulnerability in the font engine library (possibly libfreetype) used by Mobile Safari. Another local privilege escalation exploit (possibly in IOKit) is then used to gain root access on the device, allowing for the jailbreak to take place.
Depending on the device used to visit jailbreakme.com, the site will deliver one of its existing payloads, to perform the initial exploit. During the jailbreak it will download an additional 3.7MB bin file.
Although this may seem like a great ‘feature’ to potential jailbreakers, users should be aware that a severe underlying flaw exists which allows this remote jailbreaking to take place. Until Apple patches this, iPhone users should beware of visiting untrusted sites, as this same exploit could potentially be modified to carry out attacks on legitimate non-jailbroken iPhones.
Here’s a video of someone jailbreaking Apple Stores for fun.
[Update 4/8/10] ultrasn0w update brings iPhone 4 carrier unlock.
[Update 11/8/10] iOS 4.0.2/3.2.2 update patches these two vulnerabilities.
[Update 12/8/10] comex has released the source code for the jailbreak exploit.