There are two available solutions for unlocking the iPhone at the
moment, and both hinge upon a “flaw” in the iPhone’s baseband. All
shipped iPhones are locked with a PN (personalized network) lock to
at&t. The iPhone, upon startup, enforces this PN lock by reading the
included at&t SIM card’s
IMSI two times initially at startup to ensure the IMSI is that of at&t. The
third and subsequent reads of the IMSI during the normal operation of
the iPhone is not checked to ensure it is that of at&t.

The two available unlocking solutions both exploit this to use SIM cards
from providers other than at&t. The first method involves SIM card
cloning, which is very much illegal in most countries. The method sees a
the KI (the “secret” ciphering and authentication key embedded into the
SIM) extracted from an old COMP128 V1 SIM card (these are rare to find
distributed from 2002 onwards). The KI can only be extracted from these
old SIM cards, and not the modern V2/V3 cards available today. The KI
and IMSI from this old SIM card, along with the IMSI of the iPhone’s
at&at card are combined and written to a blank SIM card (SilverCard)
using a SIM card writer. Some additional programming is done to the
blank card’s SIM to return the at&t IMSI the first two reads, and the V1
cards IMSI for any subsequent requests. This method works, but is
frought with all sorts of legality issues (not to mention the fact that
finding old V1 SIM cards is pretty difficult anyway) and so is less than
ideal.

A second unlocking solution is much more promising and is likely to
attract a lot of attention over the next few weeks. It involves the use
of a piece of hardware from Bladox called a
Turbo SIM. This nifty thin little device sits between your original SIM
card and the SIM reader in your iPhone. It’s capable of running small
SIM applications and can be used to intercept incoming IMSI requests (or
any SIM requests for that matter), process them, and produce output. Use
of such a device is probably completely legal, since the original SIM
card is not cloned. It will also work perfectly with V2/V3 SIM cards.
It’s only purpose (in the case of unlocking the iPhone) is to get by the
“good guy, bad guy” IMSI check the phone performs at boot to provide the iPhone with the at&t IMSI it requires at startup. Thereafter, the device
relinquishes control back to the original SIM card for any further SIM
requests, including network registration. I’ve ordered one and by the
time it arrives in 2 or so weeks there should be a great deal of hype
surrounding the device. Two applications designed to run on the device
for the purpose of fooling the iPhone have already been released, here’s
the source of the first one:

{ codeblock lang:c++ }\ /*\ * iPhone baseband SIM lock 0wnage PoC\ *\ * History:\ * 0.92 - User Interface, ICCID/IMSI are read from a card and\ then used with another\ * 0.91 - some fixes, PROC_8_CONFIG_INIT_BOOSTER for speedy init of ICCID file,\
* needs bladox turbo kernel >=1.2.7\ * 0.9 - original version\ *\ * Compile, load on your leet Bladox gear\ * disable your subscription PIN and enjoy :p\ *\ * Special thanks to the baseband development team\ * It wouldn’t have been so easy without you :)\ *\ * © 2007, collective iPhone development effort\ *\ * This program is free software; you can redistribute it and/or\ * modify it under the terms of the GNU General Public License\ * as published by the Free Software Foundation; either version 2\ * of the License, or (at your option) any later version.\ *\ * This program is distributed in the hope that it will be useful,\ * but WITHOUT ANY WARRANTY; without even the implied warranty of\ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\ * GNU General Public License for more details.\ *\ * You should have received a copy of the GNU General Public License\ * along with this program; if not, write to the Free Software\ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\
/ \ #include \ #include \ #include \ #include \ #define VERSION_A 0\ #define VERSION_B 92 \ / INDENT-OFF / \ static lc_char PROGMEM lc_Show={\
LC_EN\ LC_END\ }; \ static lc_char PROGMEM lc_WasSet={\
LC_EN\ LC_END\ }; \ static lc_char PROGMEM lc_AppleSaft={\
LC_EN\ LC_END\ }; \ static lc_char PROGMEM lc_ICCID = { 0x3F, 0x00, 0x7F, 0x20, 0x6F, 0x07
};\ u8 PROGMEM ef_iccid_path;
\ u8
tmp_imsi;\
u8 tmp_iccid;
\ typedef struct _Pers_mem\
{\ u8 on;\ u8 imsi[0x09];\ u8 iccid[0x0a];\ }\ Pers_mem;
\ Pers_mem
pers_mem = NULL;

void handle_sim_file (File_apdu_data * fa)\
{\ u8 i;

if (fa>ef EF_ICCID && fa->ins ME_CMD_READ_BINARY)\
{\ if )\ {\ dbsp ;\ //memcpy );\ memcpy ;\ }\ else\ {\ dbsp ;\ sim ;\ } \ fa
>data[fa>p3] = 0x90;\ fa>data[fa>p3 + 1] = 0x00;\ }\ else if \ {\ sim ;\ switch \ {\ case 0:\ dbsp ;\ /* learn and retransmit /\ // low_level_imsi_select ;\ // sim ; / READ BINARY /\ // memcpy ;\ fa>data[fa>p3] = 0x90;\ fa>data[fa>p3 + 1] = 0x00;\ counter++;\ break;\ case 1:\ / spoof /\ if )\ {\ dbsp ;\ // memcpy );\ memcpy ;\ }\ else\ {\ dbsp ;\ }\ fa>data[fa>p3] = 0x90;\ fa>data[fa>p3 + 1] = 0x00;\ counter;\ break;\ case 2:\ counter;\ / no break intended here /\ default:\ dbsp ;\ / play nice /\ // memcpy ;\ sim ;\ fa>data[fa>p3] = 0x90;\ fa>data[fa>p3 + 1] = 0x00;\ }\ }\ else\ sim ;\ } \ void get_files \
{\ u8 path[6]; \ memcpy ;\ select ;\ sim ;\ select ; \ memcpy ;\ select ;\ sim ;\ select ;\ } \ u8 saft_set \
{\ if \ {\ u8
buf = buf_B ;\ u8 r = buf;\ u8 i; \ get_files ; \ memcpy ;\ memcpy ;\ wb ; \ r = sprints );\ r = sprintc ; \ r = sprints );\ for \ {\ r = sprintch );\ r = sprintc ;\ } \ r = sprints );\ for \ {\ r = sprintch );\ r = sprintc ;\ }\ r = sprintc ; \ r = sprintc ;\ i = display_text ;\ if \ return APP_BACK;\ return i; \ return APP_BACK;\ }\ return APP_OK;\ } \ u8 saft_show \
{\ if \ {\ u8
buf = buf_B ;\ u8 r = buf;\ u8 i; \ get_files ; \ r = sprints );\ for \ {\ r = sprintch ;\ r = sprintc ;\ } \ r = sprints );\ for \ {\ r = sprintch ;\ r = sprintc ;\ }\ r = sprintc ; \ r = sprintc ;\ i = display_text ;\ if \ return APP_BACK;\ return i;\ }\ return APP_OK;\ } \ u8 saft_version \
{\ if \ {\ u8
buf = buf_B ;\ u8 r = buf;\ u8 i; \ r = sprints );\ r = sprintc ; \ r = sprinti ;\ r = sprintc ;\ r = sprinti ;\ r = sprintc ; \ r = sprintc ;\ i = display_text ;\ if \ return APP_BACK;\ return i;\ }\ return APP_OK;\ } \ SNodeP saft_n = { lc_AppleSaft, NULL };\
SNodeP saft_set_n = { lc_Set, saft_set };\
SNodeP saft_show_n = { lc_Show, saft_show };\
SNodeP saft_version_n = { lc_Version, saft_version };
\ /
INDENT-OFF / \ SEdgeP saft_edges_p[] = {\
,\ ,\ ,\ NULL\ }; \ /
INDENT-ON / \ void action_menu \
{\ SCtx
c; \ c = spider_init ;\ c>eP = &saft_edges_p;\ c->n = &saft_n;\ spider ©;\ }

void turbo_handler (u8 action, void data)\
{\ switch \ {\ case ACTION_APP_REGISTER:\ {\ Pers_mem
p = emalloc (sizeof (Pers_mem));

pers_mem = p;\
wb (&p->on, 0);\ reg_app_data (p);

set_proc_8 (PROC_8_CONFIG_INIT_BOOSTER, 1);\
}\ break;\ case ACTION_APP_UNREGISTER:\ {\ Pers_mem *p = app_data ();

efree (p);\
}\ break;\ case ACTION_APP_INIT:\ dbsp (“APP_INIT\n”);\ counter = 0;\ pers_mem = app_data ();

tmp_imsi = malloc (0x09);\
tmp_iccid = malloc (0x0a);

imsi = malloc (IMSI_SIZE);\
imsi_response = malloc (IMSI_RESPONSE_SIZE);\ reg_file (ef_imsi_path, 3);\ reg_file (ef_iccid_path, 2);\ break;\ case ACTION_FILE_APDU:\ handle_sim_file (data);\ break;\ case ACTION_INSERT_MENU:\ insert_menu (locale (lc_AppleSaft));\ break;\ case ACTION_MENU_SELECTION:\ stk_thread (action_menu, NULL);\ break;\ default:\ break;\ }\ }\ { endcodeblock }

As you can see, it’s pretty simple. Over the coming days we’ll probably
see a native iPhone application for writing applications such as the one
above to the Turbo SIM. An updated application provided by the kind
folks from Bladox is up at their forums
here. Happy hacking.

About Author

Jason Madigan

Jason Madigan

Programmer from Waterford, Ireland.