Let's take a closer look at what is iPhone baseband and how can it be unlocked. Baseband is short for baseband processor. Within a smartphone it can be a separate chip or a separate core. It can control interface with hardware such as audio, voice and mp3 codecs, video display, camera, USB, GPS, Wi-Fi, Bluetooth and so on. What-is-iPhone-Baseband The phone baseband is also called to provide the communication protocols which follow:
  • GSM
  • GPRS
  • Edge
  • UMTS
The older versions of iPhone basebands run small RTOS: iPhone, iPhone 3G, iPhone 3GS use Nucleus - a real-time operating system developed by Mentor Graphics. Uses C/C++ development environment using Code Sourcery tools. The source code of this software is closed and is available only for the clients.  It can be run on multiple CPUs and by the end of 2010 there were 2.84 billion devices running this RTOS. The newer models of iPhones such as iPhone 4 use ThreadX basebands. That type of RTOS uses various threads to run the various modules and operations. It uses multitasking kernel with advanced scheduling, fast interrupt response and very good memory management. Definitely the kernel of such OSes are hard to crash and thats why Apple used ThreadX to run the baseband of iPhone 4. Right now the software unlock can be made on iPhone 2 running baseband version 01.59.00 via ultrasn0w version 1.2.7. Hackers doesn't seem to have any other iPhone 4 baseband unlocking solution by now. What is an unlock from baseband's side? A carrier lock prevents phone' s use on other networks. The purpose of an unlock is to remove this restriction. Some phones require numeric password to unlock and other unlocks patch bootloader/firmware, removing checks. Those are called the software unlocks. Here's the list of iPhone/iPad software baseband unlocks available by now:
Unlock Baseband(s) Firmware Vector
yellowsnOw [1] 02.28.00 2.2 3G AT+STKPROF
ultrasnOw [1] 04.26.08 05.11.07 05.12.01 05.13.04 06.15.00 [3] 3.0,3.0.1 3G(S) 3.1,3.1.2 3G(S) 3.1.3 3G(S) 4.0-4.0.2 3G(S) 3.2-3.2.2 iPad1 AT+XLOCKAT+XAPPAT+XAPP AT+XAPP AT+XAPP
purplesnOw [2] 04.26.08 3.0,3.0.1 3G(S) AT+XLOCK
blacksnOw [2] 05.11.07 3.1,3.1.2 3G(S) AT+XEMM (heap)
  1. Unlock by iPhone dev team
  2. Unlock by Geohot
  3. iPad1 baseband. iPhone 3G(S) will lose GPS functionality
NOTE: Downgrades are generally not possible except for a specific early release 3G bootloader. As you can see, the baseband is just another embedded system. The use of unlocks allows for runtime access and combining runtime access with a development environment and existing RE methods allows for easy exploration.