Purplesn0w

purplesn0w is geohot's unlock which used the AT+XLOG Vulnerability. Its implementation of the vulnerability differs from ultrasn0w's, and requires a legitimately activated iPhone.

How it works
purplesn0w copies the page that needs patching to an unused region of memory and patches it there, in RAM. Using the MMU, the flash page is mapped out and the patched RAM page is mapped in its place. No new iPhones are really unlocked: activation creates a ticket that allows the baseband to be used with a given SIM, so the lock state of the phone really lives on Apple's servers. Being unlocked means all SIMs are authorized; being locked means only certain carriers' SIMs are authorized (for instance, AT&T's). Fortunately, this ticket system provides an easy way to deliver the payload and re-execute the patched code in one step. And since the ticket is already delivered on every baseband reset, there is no need to write another daemon that drains the battery; the daemon already designed for this, lockdownd, is used. A patch to CommCenter makes it run the payload on ticket delivery, and a patch to your activation record carries the payload.

Installation notes

 * Be sure to have a legitimately activated iPhone.
 * Disable 3G if you don't have it (like T-Mobile in the US).
 * Watch for success output in Cydia (actually do this step).
 * Wait for signal, and enjoy your unlocked iPhone (no reboot required).

purplesn0w RC2 payload with comments
ROM:00000000                LDR     R4, =0x201436C8 ; /* copy the page */
ROM:00000004                MOV     R0, #0x40000000
ROM:00000008                LDR     R1, =0x203C1000
ROM:0000000C                MOV     R2, #0x1000
ROM:00000010                BLX     R4
ROM:00000014                LDR     R5, =0x4000082C ; /* at 4000083C or 203C183C
ROM:00000014                                        ; put the code to branch to 0x404F0980 */
ROM:00000018                ADD     R0, R5, #0x10
ROM:0000001C                ADR     R1, loc_D4
ROM:00000020                MOV     R2, #0xC
ROM:00000024                BLX     R4
ROM:00000028                MOV     R7, #0          ; /* interrupt disable */
ROM:0000002C                MRS     R0, CPSR
ROM:00000030                ORR     R0, R0, #0xC0
ROM:00000034                MSR     CPSR_c, R0
ROM:00000038                MRC     p15, 0, R6,c1,c0 ; /* MMU disable */
ROM:0000003C                BIC     R0, R6, #0xFF
ROM:00000040                MCR     p15, 0, R0,c1,c0
ROM:00000044                NOP
ROM:00000048                NOP
ROM:0000004C                LDR     R0, =0x2030055E
ROM:00000050                LDR     R1, =0x40001000
ROM:00000054                ADD     R2, R1, #0x400
ROM:00000058
ROM:00000058 loop                                   ; CODE XREF: ROM:00000064↓j
ROM:00000058                STR     R0, [R1],#4     ; build a page table in memory
ROM:00000058                                        ; increments of 0x1000
ROM:00000058                                        ; from 0x2030055E to 0x2040055E
ROM:00000058                                        ;
ROM:00000058                                        ; put 0x2030055E in [0x40001000]
ROM:00000058                                        ; 0x40001000 + 0x4
ROM:00000058                                        ; 0x2030055E + 0x1000
ROM:00000058                                        ; cmp 0x40001004 to 0x40001400
ROM:00000058                                        ; ...
ROM:00000058                                        ;
ROM:00000058                                        ;
ROM:0000005C                ADD     R0, R0, #0x1000
ROM:00000060                CMP     R1, R2
ROM:00000064                BNE     loop
ROM:00000068                LDR     R1, =0x4000055E ; put 0x4000055E in [0x40001400 - 0xFC]
ROM:00000068                                        ; where 203C155E put 4000055E
ROM:00000068                                        ; i.e. point 0x203C1000 pagetable entry to ram 0x40000000
ROM:0000006C                STR     R1, [R2,#-0xFC]
ROM:00000070                LDR     R0, =0x40001011 ; this section points the 0x203 mmu mapping to built page table
ROM:00000070                                        ; at 0x40001000.
ROM:00000070                                        ;
ROM:00000070                                        ; when this code runs again it returns the mapping the way it
ROM:00000070                                        ; was, i.e. no trace left behind.
ROM:00000070                                        ;
ROM:00000070                                        ; put [0x800 + 0x8] + 0x100000 at [0x800 + 0xC]
ROM:00000070                                        ; if what was at [0x800 + 0xC] = 0x40001011 then break
ROM:00000070                                        ; else put 0x40001011 at [0x800 + 0xC]
ROM:00000074                MOV     R1, #0x800
ROM:00000078                LDR     R2, [R1,#0xC]
ROM:0000007C                LDR     R3, [R1,#8]
ROM:00000080                ADD     R3, R3, #0x100000
ROM:00000084                STR     R3, [R1,#0xC]
ROM:00000088                CMP     R2, R0
ROM:0000008C                BEQ     break
ROM:00000090                STR     R0, [R1,#0xC]
ROM:00000094
ROM:00000094 break                                  ; CODE XREF: ROM:0000008C↑j
ROM:00000094                MCR     p15, 0, R7,c8,c7 ; /* invalidate TLB */
ROM:00000098                MCR     p15, 0, R6,c1,c0 ; /* MMU enable */
ROM:0000009C                MCR     p15, 0, R7,c7,c5 ; /* flush ICache */
ROM:000000A0                NOP
ROM:000000A4                NOP
ROM:000000A8                NOP
ROM:000000AC                MRS     R0, CPSR        ; /* interrupt enable */
ROM:000000B0                BIC     R0, R0, #0xC0
ROM:000000B4                MSR     CPSR_c, R0
ROM:000000B8                LDR     R4, =0x20525359 ; /* go home */
ROM:000000BC                LDR     R1, =0x203C1830
ROM:000000C0                ADR     R0, dword_D0
ROM:000000C4                STR     R1, [R0]
ROM:000000C8                MOV     R0, #0
ROM:000000CC                BX      R4
ROM:000000CC ; ---
ROM:000000D0 dword_D0       DCD 0x20525359          ; DATA XREF: ROM:000000B8↑r
ROM:000000D0                                        ; ROM:000000C0↑o
ROM:000000D4 ; ---
ROM:000000D4
ROM:000000D4 loc_D4                                 ; DATA XREF: ROM:0000001C↑o
ROM:000000D4                LDR     R4, =0x404F0980
ROM:000000D8                BX      R4
ROM:000000D8 ; ---
ROM:000000DC dword_DC       DCD 0x404F0980          ; DATA XREF: ROM:loc_D4↑r
ROM:000000E0 dword_E0       DCD 0x201436C8          ; DATA XREF: ROM:00000000↑r
ROM:000000E4 dword_E4       DCD 0x203C1000          ; DATA XREF: ROM:00000008↑r
ROM:000000E8 dword_E8       DCD 0x4000082C          ; DATA XREF: ROM:00000014↑r
ROM:000000EC dword_EC       DCD 0x2030055E          ; DATA XREF: ROM:0000004C↑r
ROM:000000F0 dword_F0       DCD 0x40001000          ; DATA XREF: ROM:00000050↑r
ROM:000000F4 dword_F4       DCD 0x4000055E          ; DATA XREF: ROM:00000068↑r
ROM:000000F8 dword_F8       DCD 0x40001011          ; DATA XREF: ROM:00000070↑r
ROM:000000FC dword_FC       DCD 0x203C1830          ; DATA XREF: ROM:000000BC↑r
ROM:000000FC ; ROM          ends
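To make the MMU remap described in "How it works" concrete, here is an added C model (not purplesn0w's code and not from the original page) of the loop at 0x58, the store at 0x6C and the toggle at 0x70..0x90 in the listing above: it builds the coarse table, flips the first-level entry for 0x203 the way the payload does, and walks a virtual address to show where it lands before and after. The first-level table living at address 0 (so entry 0x203 sits at 0x80C) and the starting section descriptors for 0x202 and 0x203 are constructed assumptions.

```c
/* Model of the purplesn0w page-table swap (added example, not the payload). */
#include <stdint.h>
#include <stddef.h>

#define L1_ENTRIES 4096            /* first-level table, assumed at PA 0 */
#define L2_ENTRIES 256             /* coarse table the loop builds at 0x40001000 */
#define L2_BASE    0x40001000u
#define L1_COARSE  0x40001011u     /* coarse descriptor pointing at L2_BASE */

static uint32_t l1[L1_ENTRIES];
static uint32_t l2[L2_ENTRIES];

/* Constructed starting state: 0x202xxxxx and 0x203xxxxx are 1 MB sections. */
void init_tables(void) {
    l1[0x202] = 0x2020040Eu;
    l1[0x203] = 0x2030040Eu;
}

/* The 'loop' at 0x58: 256 small-page entries 0x2030055E + n*0x1000, then the
 * STR at 0x6C points the entry for 0x203C1xxx at RAM 0x40000000. Returns that index. */
size_t build_coarse_table(void) {
    for (size_t i = 0; i < L2_ENTRIES; i++)
        l2[i] = 0x2030055Eu + (uint32_t)(i * 0x1000);
    size_t idx = (0x400 - 0xFC) / 4;   /* [R2,#-0xFC] with R2 = table end */
    l2[idx] = 0x4000055Eu;
    return idx;
}

/* Instructions 0x70..0x90: rebuild the 0x203 section from the 0x202 one, then
 * install the coarse pointer unless it was already there. Returns 1 if installed. */
int toggle_mapping(void) {
    uint32_t old = l1[0x203];
    l1[0x203] = l1[0x202] + 0x100000u;
    if (old == L1_COARSE) return 0;      /* second run: mapping restored */
    l1[0x203] = L1_COARSE;
    return 1;
}

/* Minimal ARMv6 walk: sections and small pages only; 0 if unmapped. */
uint32_t translate(uint32_t va) {
    uint32_t d = l1[va >> 20];
    if ((d & 3) == 2) return (d & 0xFFF00000u) | (va & 0xFFFFFu);
    if ((d & 3) == 1 && (d & 0xFFFFFC00u) == L2_BASE) {
        uint32_t p = l2[(va >> 12) & 0xFF];
        if (p & 2) return (p & 0xFFFFF000u) | (va & 0xFFFu);
    }
    return 0;
}
```

Running the toggle twice shows the "no trace left behind" property: the first call sends 0x203C1830 to the RAM copy at 0x40000830, the second puts the original flash mapping back.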

Links

 * Cydia repo (http://apt.geohot.com/)
 * Source code