There are two available solutions for unlocking the iPhone at the moment, and both hinge upon a “flaw” in the iPhone’s baseband. All shipped iPhones are locked with a PN (personalized network) lock to at&t. On startup, the iPhone enforces this PN lock by reading the IMSI from the included at&t SIM card twice and checking that it belongs to at&t. The third and all subsequent IMSI reads during normal operation of the iPhone are not checked against at&t at all.
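The check design just described, modelled as an added example (this is not code from the original post, from Apple or from Bladox): a card model that may answer early and late IMSI reads differently, the validate-twice-then-trust check beside a hardened variant that validates every read and requires the registration IMSI to equal the one the lock was evaluated on. The PLMN codes and IMSIs are constructed test-network sample values.

```c
#include <string.h>

/* Constructed sample values for this model (test-network PLMN codes, not real subscriptions). */
#define HOME_PLMN  "00101"            /* the carrier the phone is locked to */
#define IMSI_HOME  "001010123456789"  /* an IMSI on the locked carrier */
#define IMSI_OTHER "001020123456789"  /* an IMSI on some other network */
#define IMSI_LEN   15

/* Model of the card as the baseband sees it: answers the first `switch_after`
 * IMSI reads with `early` and every later read with `late`. An honest card has
 * early == late; the interposer described in the text does not. */
typedef struct {
    const char *early, *late;
    int switch_after, reads;
} SimModel;

static const char *sim_read_imsi(SimModel *s) {
    s->reads++;
    return s->reads <= s->switch_after ? s->early : s->late;
}

static int imsi_on_home_plmn(const char *imsi) {
    return strncmp(imsi, HOME_PLMN, strlen(HOME_PLMN)) == 0;
}

/* Vulnerable check: validate the IMSI on the first two reads, then trust whatever
 * the card reports on the third read for network registration. Returns 1 if the
 * lock passes and copies the IMSI that would be registered into `reg`. */
static int pn_lock_check_first_two(SimModel *s, char reg[IMSI_LEN + 1]) {
    for (int i = 0; i < 2; i++)
        if (!imsi_on_home_plmn(sim_read_imsi(s)))
            return 0;
    strncpy(reg, sim_read_imsi(s), IMSI_LEN); /* third read: never checked */
    reg[IMSI_LEN] = '\0';
    return 1;
}

/* Hardened check: every read is validated, and the value used for registration
 * must equal the value the lock decision was made on. */
static int pn_lock_check_every_read(SimModel *s, char reg[IMSI_LEN + 1]) {
    char boot[IMSI_LEN + 1];
    strncpy(boot, sim_read_imsi(s), IMSI_LEN);
    boot[IMSI_LEN] = '\0';
    if (!imsi_on_home_plmn(boot))
        return 0;
    for (int i = 0; i < 2; i++) { /* second boot read, then the registration read */
        const char *cur = sim_read_imsi(s);
        if (!imsi_on_home_plmn(cur) || strncmp(cur, boot, IMSI_LEN) != 0)
            return 0;
    }
    strcpy(reg, boot);
    return 1;
}
```

Even the hardened variant only checks an unauthenticated identifier the card is free to report; binding the lock decision to the network authentication the SIM actually performs is the stronger design.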

The two available unlocking solutions both exploit this to use SIM cards from providers other than at&t. The first method involves SIM card cloning, which is very much illegal in most countries. In this method the KI (the “secret” ciphering and authentication key embedded in the SIM) is extracted from an old COMP128 V1 SIM card (these are rare; cards distributed from 2002 onwards are seldom V1). The KI can only be extracted from these old SIM cards, not from the modern V2/V3 cards available today. The KI and IMSI from the old SIM card, along with the IMSI of the iPhone’s at&t card, are combined and written to a blank SIM card (SilverCard) using a SIM card writer. Some additional programming is done to the blank card so that it returns the at&t IMSI for the first two reads and the V1 card’s IMSI for any subsequent requests. This method works, but it is fraught with all sorts of legal issues (not to mention that finding old V1 SIM cards is pretty difficult anyway) and so is less than ideal.

A second unlocking solution is much more promising and is likely to attract a lot of attention over the next few weeks. It involves the use of a piece of hardware from Bladox called a Turbo SIM. This nifty thin little device sits between your original SIM card and the SIM reader in your iPhone. It’s capable of running small SIM applications and can be used to intercept incoming IMSI requests (or any SIM requests for that matter), process them, and produce output. Use of such a device is probably completely legal, since the original SIM card is not cloned. It will also work perfectly with V2/V3 SIM cards. Its only purpose (in the case of unlocking the iPhone) is to get by the “good guy, bad guy” IMSI check the phone performs at boot, by providing the iPhone with the at&t IMSI it requires at startup. Thereafter, the device relinquishes control back to the original SIM card for any further SIM requests, including network registration. I’ve ordered one and by the time it arrives in 2 or so weeks there should be a great deal of hype surrounding the device. Two applications designed to run on the device for the purpose of fooling the iPhone have already been released; here’s the source of the first one:

```c
/*
 * iPhone baseband SIM lock 0wnage PoC
 *
 * History:
 * 0.92 - User Interface, ICCID/IMSI are read from a card and
 *        then used with another
 * 0.91 - some fixes, PROC_8_CONFIG_INIT_BOOSTER for speedy init of ICCID file,
 *        needs bladox turbo kernel >=1.2.7
 * 0.9  - original version
 *
 * Compile, load on your leet Bladox gear
 * disable your subscription PIN and enjoy :p
 *
 * Special thanks to the baseband development team
 * It wouldnt have been so easy without you :)
 *
 * © 2007, collective iPhone development effort
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 */

#include <config.h>
#include <turbo/turbo.h>

#include <stdlib.h>
#include <string.h>

#define VERSION_A 0
#define VERSION_B 92

/* *INDENT-OFF* */

static lc_char PROGMEM lc_Show = {
  LC_EN
  LC_END
};

static lc_char PROGMEM lc_WasSet = {
  LC_EN
  LC_END
};

static lc_char PROGMEM lc_AppleSaft = {
  LC_EN
  LC_END
};

static lc_char PROGMEM lc_ICCID = { 0x3F, 0x00, 0x7F, 0x20, 0x6F, 0x07 };
u8 PROGMEM ef_iccid_path;

u8 *tmp_imsi;
u8 *tmp_iccid;

typedef struct _Pers_mem
{
  u8 on;
  u8 imsi[0x09];
  u8 iccid[0x0a];
}
Pers_mem;

Pers_mem *pers_mem = NULL;

void handle_sim_file (File_apdu_data * fa)
{
  u8 i;

  if (fa->ef == EF_ICCID && fa->ins == ME_CMD_READ_BINARY)
  {
    if )
    {
      dbsp ;
      //memcpy );
      memcpy ;
    }
    else
    {
      dbsp ;
      sim ;
    }

    fa->data[fa->p3] = 0x90;
    fa->data[fa->p3 + 1] = 0x00;
  }
  else if
  {
    sim ;
    switch
    {
      case 0:
        dbsp ;
        /* learn and retransmit */
        // low_level_imsi_select ;
        // sim ; /* READ BINARY */
        // memcpy ;
        fa->data[fa->p3] = 0x90;
        fa->data[fa->p3 + 1] = 0x00;
        counter++;
        break;
      case 1:
        /* spoof */
        if )
        {
          dbsp ;
          // memcpy );
          memcpy ;
        }
        else
        {
          dbsp ;
        }
        fa->data[fa->p3] = 0x90;
        fa->data[fa->p3 + 1] = 0x00;
        counter++;
        break;
      case 2:
        counter++;
        /* no break intended here */
      default:
        dbsp ;
        /* play nice */
        // memcpy ;
        sim ;
        fa->data[fa->p3] = 0x90;
        fa->data[fa->p3 + 1] = 0x00;
    }
  }
  else
    sim ;
}

void get_files
{
  u8 path[6];

  memcpy ;
  select ;
  sim ;
  select ;

  memcpy ;
  select ;
  sim ;
  select ;
}

u8 saft_set
{
  if
  {
    u8 *buf = buf_B ;
    u8 *r = buf;
    u8 i;

    get_files ;

    memcpy ;
    memcpy ;
    wb ;

    r = sprints );
    r = sprintc ;

    r = sprints );
    for
    {
      r = sprintch );
      r = sprintc ;
    }

    r = sprints );
    for
    {
      r = sprintch );
      r = sprintc ;
    }
    r = sprintc ;

    r = sprintc ;
    i = display_text ;
    if
      return APP_BACK;
    return i;

    return APP_BACK;
  }
  return APP_OK;
}

u8 saft_show
{
  if
  {
    u8 *buf = buf_B ;
    u8 *r = buf;
    u8 i;

    get_files ;

    r = sprints );
    for
    {
      r = sprintch ;
      r = sprintc ;
    }

    r = sprints );
    for
    {
      r = sprintch ;
      r = sprintc ;
    }
    r = sprintc ;

    r = sprintc ;
    i = display_text ;
    if
      return APP_BACK;
    return i;
  }
  return APP_OK;
}

u8 saft_version
{
  if
  {
    u8 *buf = buf_B ;
    u8 *r = buf;
    u8 i;

    r = sprints );
    r = sprintc ;

    r = sprinti ;
    r = sprintc ;
    r = sprinti ;
    r = sprintc ;

    r = sprintc ;
    i = display_text ;
    if
      return APP_BACK;
    return i;
  }
  return APP_OK;
}

SNodeP saft_n = { lc_AppleSaft, NULL };
SNodeP saft_set_n = { lc_Set, saft_set };
SNodeP saft_show_n = { lc_Show, saft_show };
SNodeP saft_version_n = { lc_Version, saft_version };

/* *INDENT-OFF* */

SEdgeP saft_edges_p[] = {
  ,
  ,
  ,
  NULL
};

/* *INDENT-ON* */

void action_menu
{
  SCtx *c;

  c = spider_init ;
  c->eP = &saft_edges_p;
  c->n = &saft_n;
  spider (c);
}

void turbo_handler (u8 action, void *data)
{
  switch
  {
    case ACTION_APP_REGISTER:
    {
      Pers_mem *p = emalloc (sizeof (Pers_mem));

      pers_mem = p;
      wb (&p->on, 0);
      reg_app_data (p);

      set_proc_8 (PROC_8_CONFIG_INIT_BOOSTER, 1);
    }
    break;
    case ACTION_APP_UNREGISTER:
    {
      Pers_mem *p = app_data ();

      efree (p);
    }
    break;
    case ACTION_APP_INIT:
      dbsp ("APP_INIT\n");
      counter = 0;
      pers_mem = app_data ();

      tmp_imsi = malloc (0x09);
      tmp_iccid = malloc (0x0a);

      imsi = malloc (IMSI_SIZE);
      imsi_response = malloc (IMSI_RESPONSE_SIZE);
      reg_file (ef_imsi_path, 3);
      reg_file (ef_iccid_path, 2);
      break;
    case ACTION_FILE_APDU:
      handle_sim_file (data);
      break;
    case ACTION_INSERT_MENU:
      insert_menu (locale (lc_AppleSaft));
      break;
    case ACTION_MENU_SELECTION:
      stk_thread (action_menu, NULL);
      break;
    default:
      break;
  }
}
```

As you can see, it’s pretty simple. Over the coming days we’ll probably see a native iPhone application for writing applications such as the one above to the Turbo SIM. An updated application provided by the kind folks from Bladox is up at their forums here. Happy hacking.