Blog Archives

iPhone 3GS T-Mobile Hack

Much is written about T-Mobile and the iPhone models.  The tough thing is how many times do you have to reboot that phone in order to test everyone’s theory out there on what cellular setting you should use.  I spent hours working on this from the 2G model, 3G and the 3GS.  I have never set up a hack yet on the 4 series but it can also be done.  I have included a few notes here on the 4.   What I found difficult was that Cydia had a lot of packges out there but none for IOS 5+.  Nevertheless, you can edit the plist manually, by enabling SSH or you can type the values I put in below in the system settings.  Before you put in these settings, turn off 3G, Apple is missing the WCDMA 1700/2100 band, and cannot function on the T-Mobile 3G network.  Turn on Data Roaming, turn off Wi-Fi so that you can accurately test the T-Mobile data plan, verify that MMS messaging is turned on, VPN not connected.  Disable location services.  If any of the above isn’t set, you will experience long search times for a cell tower, as well as dropped calls, and SIM resets after photos taken and/or MMS attempts.  Lastly I set the 3GS to not use iMessage.  I have had it working with the values I mention below but it seemed buggy when sending MMS.  Sometimes it worked and sometimes it didn’t.

Prerequisites:  iPhone 3GS with IOS 5.0.1, Jailbroken with iPad baseband via redsn0w, baseband 6.15.00, old bootrom 359.3 and below, ultrasn0w cydia package

After many variations I found these settings to work.

Celluar Data

APN:  WAP.VOICESTREAM.COM, epc.tmobile.com didn’t work

blank

blank

MMS

internet2.voicestream.com, epc.tmobile.com didn’t work for me

blank

blank

http://mms.msg.eng.t-mobile.com/mms/wapenc

MMS Proxy: 216.155.165.50:8080  (Leave Blank for 4S)

MMS Max Message Size: 1048576  (Leave Blank for 4S)

MMS UA Prof URL: http://www.apple.com/mms/uaprof.rdf

Optional tip:  You can try a Cydia package to add some of the above values:
Open Cydia and add this source: http://cydia.pushfix.info/

Once source is added, find the package T-Mobile US MMS Fix. Executing that app after the download and install will populate the fields for ya.  May require some tweaking of the values to what I have shown above.

I recommend a full reboot of the device to have the settings apply.  You can alternately edit the plist file and the pac file for the above settings, requires SSH to your phone, default pw is alpine set by apple.  Change this please… passwd is the command in terminal to do so.

**if you experience long delays in finding service then try the alternate values I posted above.

**there are plenty of links out there to JB this device for T-Mobile use.  They are not straight forward! They omit steps and lead you wrong.  A full working knowledge of redsn0w is strongly suggested and the knowledge of putting the iPhone devices nto DFU mode (black screen), not the recovery screen which shows an icon to connect to iTunes.

You will have to have the original restore image for 5.0.1, and clear your hosts file of any references to GS.apple.com.  I used Tiny Umbrella to manipulate the host file as well as save the SHSHs down.  It was also useful to run in order to simply exit recovery mode in case you got there.   The JB requires iPad baseband files so you can utilize 5.0.1, otherwise you wouldn’t need the iPad baseband files if you use an older IOS.  You will have to install Cydia last, *not* on the first JB or else the phone will fail the JB.  Cydia then gets installed via DFU mode and choosing a IPSW file *PRIOR* to launching the 2nd jailbreak.  I used a custom IPSW I created with redsn0w to do a restore (itunes, then option click restore to choose your own IPSW) after I did the iPad baseband hack.  This seemed to finalize the whole JB process.  It preserved the Baseband at 6.15.00.  You need to know your bootrom value, you can find out via DFU mode and using About This Mac (more info) button on Lion, or System Profiler prior to Lion.  Look at the USB hub and look for the keyword DFU mode, and you’ll see the bootrom value.  Mine was at 359.3 which is the old boot rom.  Search google to translate any other numbers, it has to do with the serial number of the phone, decode that and you’ll find your production run (old or new).

All of the above can be done on a windows OS, you just need equivalent tools.