About a year ago today, I found the at+stkprof exploit. Back then, I struggled for 3 days to write a payload. No luck, I just wasn't a good enough reverser. So I stashed the exploit away until December, when I gave it to dev for use in yellowsn0w.
Now a year later, I wrote a payload and delivery system in a day. And it's an awesome payload. Ideally we'd like to patch the lock out of flash, but with the apparently proper sig checks, that isn't going to happen. So purplesn0w is the next best thing. I copy the page I want to patch to an unused region of memory. In memory I patch it. Then, using the MMU, I map the flash page out and remap the patched memory page in it's place.
No new iPhones are really unlocked, activation creates a ticket allowing the baseband to be used with that sim. The lockstate of the phone really lies on apples servers. Unlocked is auth all sims. Locked is auth AT&T sims only. Fortunately this ticket system provides an easy way to deliver the payload and reexecute the patched code all in one. And since the ticket is already delivered on baseband resets, theres no need to write another daemon to hog battery. I use the daemon already designed for this, lockdownd. A patch to commcenter gets it to run the payload on ticket delivery. And a patch to your activation record contains the payload. So using existing apple machinery, I unlock when needed.
In retrospect, I should've just patched commcenter to send the payload. Then hacktivation would work no problem. Oh well, tomorrow is another day.
Here is the source. And I mean all of it.