14 July 2019

Unlock iPad Apple ID Guide - How to unlock iPad Pro Cellular

First of all, if you found any lost device, please return it to the owner.

If for some reason you need help but Apple doesn't help you,
then you can find us to do a factory unlock.

If you want a cheap or bypass method, it's not in here. Here we talk about how to factory unlock it without any side effects.

(Photo: iPad Pro 12.9 4G)
NOTE: The Cellular version of the iPad and the WiFi version of the iPad are NOT unlocked by the same method.

This is a real case of "How to unlock an iPad Pro 12.9 Cellular version".

First of all, you need to know how the Apple ID lock works.

How the activation server works

The device's locked status is not stored in the memory or the hard disk. This means that no matter how you reformat or erase the software, the device still cannot be activated, because the Apple server requires you to sign in with the Apple ID that was previously logged into the device.

So the lock status is held on the Apple server.

We need to know what kind of information the server reads from our device.

For sure the Apple server recognizes our device through unique info that is programmed into our devices.

So experts like us do experiments by editing the device info to fool the server. Below is what we have found out so far...

  • If the device is a Cellular version (SIM card), the server checks the IMEI, Serial Number, WiFi Address, and Bluetooth Address.

  • If the device has no SIM function, the server only checks the Serial Number, WiFi Address, and Bluetooth Address.

These 3 pieces of data must belong to the same set; no mixing, and no randomly typed values. This means the whole set of info must be exactly what a device they sold carries.

Otherwise their server won't allow the device to be activated and will say there is a problem with your device, as in the screenshot below.
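To make the server-side logic described above concrete, here is an added model of the activation check as this post describes it; it is example code written for this page, not Apple's implementation, and every record, serial number, MAC address, IMEI and Apple ID in it is a constructed placeholder. It shows the two points the post makes: the lock is server-side state keyed by the serial number, so erasing the device changes nothing, and the reported identifiers are only accepted as one consistent set from a sales record (IMEI included for a cellular record, absent for a WiFi-only record). The comment at the end states the limitation the post builds on: the check verifies consistency with a record, not where the identifiers came from.

```python
from dataclasses import dataclass
from typing import Optional


# The identity set the post says the activation server reads from a device.
@dataclass(frozen=True)
class DeviceIdentity:
    serial: str
    wifi_mac: str
    bt_mac: str
    imei: Optional[str] = None  # only cellular (SIM) models carry an IMEI


# Constructed sales records (placeholder values, not real identifiers).
SOLD_DEVICES = {
    "SN-CELL-0001": DeviceIdentity("SN-CELL-0001", "00:11:22:33:44:01",
                                   "00:11:22:33:44:02", imei="350000000000001"),
    "SN-WIFI-0002": DeviceIdentity("SN-WIFI-0002", "00:11:22:33:44:11",
                                   "00:11:22:33:44:12"),
}

# Lock status is server-side state keyed by serial number (constructed
# placeholder Apple ID). Nothing on the device holds it, so a restore or
# erase of the device does not clear it.
ACTIVATION_LOCKS = {"SN-CELL-0001": "owner@example.com"}


def identity_matches(claimed: DeviceIdentity, record: DeviceIdentity) -> bool:
    """True if the reported identifiers are one consistent set from the record.

    Serial, WiFi address and Bluetooth address must all match. A cellular
    record additionally needs the matching IMEI; a WiFi-only record has no
    IMEI, so a device that reports one does not match it either.
    """
    if (claimed.serial, claimed.wifi_mac, claimed.bt_mac) != (
        record.serial, record.wifi_mac, record.bt_mac
    ):
        return False
    if claimed.imei != record.imei:
        return False
    return True


def check_activation(claimed: DeviceIdentity, signed_in_as: Optional[str]) -> str:
    """Return the server's decision for one activation request."""
    record = SOLD_DEVICES.get(claimed.serial)
    if record is None:
        return "denied: serial not in sales records"
    if not identity_matches(claimed, record):
        return "denied: identifier set does not match the record"
    owner = ACTIVATION_LOCKS.get(claimed.serial)
    if owner is not None and signed_in_as != owner:
        return "locked: sign in with the Apple ID previously used on this device"
    # Limitation: this only proves the claimed set is consistent with a sales
    # record. It cannot tell whether that set was written at the factory or
    # written later into reprogrammable storage, so the lock is only as
    # strong as the binding between the identifiers and the hardware.
    return "activated"


if __name__ == "__main__":
    erased_locked = SOLD_DEVICES["SN-CELL-0001"]
    print(check_activation(erased_locked, None))                  # locked
    print(check_activation(erased_locked, "owner@example.com"))   # activated
    mixed = DeviceIdentity("SN-WIFI-0002", "00:11:22:33:44:01", "00:11:22:33:44:12")
    print(check_activation(mixed, None))                          # denied
```

The design point for a defender is in the last comment: the IMEI is the one identifier the post says cannot be rewritten because it lives in the baseband rather than in the NAND, and it is exactly the identifier whose presence keeps the check honest on cellular devices.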

Methods to unlock the Apple ID / bypass activation available so far...

  1. Hack their server - If you are a pro hacker, then hack their server, but I don't think a super hacker would bother with a small job like this.

  2. Jailbreak - Use a third-party app to bypass the activation page. But this method is only available for certain iOS versions. Usually this option is not supported on the latest iOS, and the device will be locked again if you update iOS.

  3. Apple Center unlocks it for you - Yes, as long as you have the purchase receipt to prove you're the owner.
    Don't expect to pay someone at Apple to do it for you, because there is a record of which technician logged the customer's ID out of the device.
    Apple has already fired a bunch of technicians because of it, especially after customers reported that their lost device suddenly disappeared from their iCloud list.

  4. Reprogram the device to fool the server - Yes, this is today's topic.

Can we edit the IMEI and Serial Number to fool the server?

Yes. But as I said before, the server compares the info of your device with their record.

But reprogramming the IMEI is NOT possible, because the IMEI is stored inside the baseband CPU and it's designed to be unprogrammable.
"The baseband CPU is a long story to explain; I might write another article about it."

But info such as the Serial Number, WiFi Address and Bluetooth Address can be edited with a hard disk programmer machine. It's the same method I wrote about in an earlier article on upgrading storage.

That's because the SN is stored on the hard disk. Technically, the hard disk they use is NAND flash, so we should say it's the NAND.

Why do we have the tools to reprogram the NAND?

Because Apple doesn't own any factory that makes NAND flash. All iPhones and iPads use NAND flash memory.
The major NAND manufacturers are Samsung, Hynix, Toshiba, and SanDisk. Apple buys the NAND from them.

This is why we can easily get NAND programming tools.

Back to today's topic - unlocking a cellular iPad

If we just change the SN but the IMEI is still there, the server will still block us from activating.
Remember, the devices that have an IMEI are the ones that support SIM cards (the iPad Cellular version and the iPhone).

So the devices that don't have an IMEI (iPad WiFi version) can all be unlocked easily by just reprogramming the SN, WiFi, and BT.

Here is the video of how to unlock the iPad WiFi version.

What about the iPad Cellular version? Can it still be unlocked?

Yes, but we need to disable the IMEI (the SIM cellular function / baseband). The iPad Cellular then becomes an iPad WiFi version. But we still need to change the SN, WiFi, and BT.

If so, can the iPhone be unlocked too?

No. If you disable the IMEI (baseband) on the iPhone, the Apple server recognizes it as a brick with a hardware problem. It will say there is a problem with your device and tell you to send it to an Apple Center.

Let's continue with how to unlock the cellular iPads.

How to unlock the Cellular version iPad Pro

The first step is to disable the IMEI of the iPad.
It's simple. We just remove a specific resistor on the motherboard, and then the iPad becomes a WiFi version.
Literally, we are converting the Cellular iPad into a WiFi iPad.
(Video: How to convert iPad Pro 12.9 4G to WiFi)

After the steps above, the iPad will be stuck in DFU mode. But DO NOT restore it yet.

(Photo: iPad Pro 12.9 4G logic board)
Take the whole board out of the housing,
because some models require taking out the NAND to program it.
The NAND removal is done with a "hot air soldering station".
So you need to be well trained in micro-soldering and heat control, or else you'll be killing the board.

Tips: Be careful when removing the NAND IC; you surely don't want overheating to affect the RAM or CPU. It can end up unable to power on or keep getting a 4014 error. If you get into that kind of situation, only a trained professional like us can reball the CPU and RAM.

If you're a newcomer who wants to learn this, I advise you to cut away the shield, which absorbs the heat. The shield will make it take a long time to remove.
DO NOT PUT any thermal tape or a coin on it. That shit will only cost you more time to take it out.
Long heating time = high risk
Come to my school and I'll teach you how to master the heat station. You won't fear any job, especially the iPhone.

After you've removed the NAND, put it into a programming tool to write a new SN, WiFi, and BT address.
The Apple Activation Server will check this info, so make sure the info you use comes from a legit Apple iPad that has no Apple ID lock.

If any of the info is mistyped or incorrect, the device will be unable to activate.

In the programming tool, we also need to click "Unbind the WiFi", because the NAND is paired with a specific WiFi IC. Unbinding the WiFi lets us use any WiFi IC.

Now the NAND is ready to be soldered back onto the logic board.

You think you're done?
No, not yet.

Because once you've activated, you'll notice the iPad WiFi isn't working!

Yes, even though you already clicked unbind WiFi, we still need to replace the WiFi chipset with the correct one.

That's because the Cellular model's WiFi chipset and the WiFi model's WiFi chipset are NOT the same.
So the WiFi won't work at all. The WiFi button will be greyed out and unable to turn on.

But this problem only happens on iPads with an A9 CPU or newer. Older iPads don't have this kind of problem.

So in the last step of this unlocking, we need to replace the WiFi chipset with the correct version.

(Photo: iPad Pro 12.9 WiFi IC code)
We need to buy the WiFi model's WiFi IC to replace it.
Tips: the chipset code of this iPad's WiFi IC ends with 0045.

Removing the WiFi IC is straightforward. You can heat this area at a very high temperature and it won't cause a problem.

When you install the new WiFi IC, be sure to use a lower-temperature solder paste. Normally a new chipset is easily damaged by high temperatures.
Final step - assemble everything.
Connect it to iTunes and click Restore.
It will download the iPad WiFi version firmware to restore.

Finally, you're done!
Tips: Always censor the SN, because experts like me with similar skills can steal your SN. You'll be screwed if you haven't logged in with your Apple ID on it.

(Image: iPad remove iCloud)

Q: Can I still update iOS in the future?
A: Yes

Q: Can I use a new Apple ID after that?
A: Yes

Q: Will the "ex-owner" be able to track it by GPS?
A: No. The whole device has become another device. The server only recognizes the device by its SN.

Q: Why don't they block this kind of unlocking?
A: So far they don't, because this method is very extreme and only a trained professional can do it.