Taxonomy of iPhone Activation and SIM Unlocking Methods

Marwan Al-Zarouni and Haitham Al-Hajri
School of Computer and Information Science, Edith Cowan University
iPhone@marwan.com, Haitham@MySecured.com

Proceedings of The 5th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia, December 4th 2007.
Posted at Research Online (Edith Cowan University, Conferences, Symposia and Campus Events): https://ro.ecu.edu.au/ism/30
Recommended citation: Al-Zarouni, M., & Al-Hajri, H. (2007). Taxonomy of iPhone Activation and SIM Unlocking Methods. DOI: 10.4225/75/57b53a26b8757 (https://doi.org/10.4225/75/57b53a26b8757)

Abstract
This paper will discuss the different methods of SIM unlocking and activation for the Apple iPhone. Early iPhone activation and SIM card fabrication methods as well as the latest software-only methods will be discussed. The paper will examine the benefits and drawbacks of each method. It will provide a step-by-step guide to creating a specially crafted SIM card for an iPhone by using SuperSIM and TurboSIM methods. The paper will also include a section on recovering (unbricking) the iPhone and other advanced hacks.

Keywords
iPhone Activation, iPhone Hacks, iPhone SIM Unlock, iPhone Unlocking, SuperSIM, TurboSIM.

DISCLAIMERS
The Authors of this paper do not claim any responsibility, legal or otherwise, for the use or misuse of instructions or any information provided within this paper. All information provided is for educational purposes ONLY. Some of the hacks may be illegal in some countries and may violate Apple's software copyrights and other intellectual property laws. Do not attempt this with your own iPhone.
BACKGROUND INFORMATION
The Apple iPhone is arguably one of the most hyped and anticipated gadgets of all time (TMHGIH 2007). The reason for the hype is that the iPhone has an enhanced graphical user interface implementing multi-touch technology that recognizes multiple simultaneous touch points on a large LCD screen. This is in addition to many other hardware and software features including interactive Google maps, stock quotes, weather, a built-in camera and a Safari web browser. The iPhone also boasts a powerful Mac OS X based Operating System (OS) which is superior to many mobile phone operating systems that are currently on the market. The iPhone is considered by many as a revolutionary device, with more than 300 patents filed by Apple (Apple 2007b).

Before its release, Apple announced that the phone would be sold un-activated and that it would have to be activated through the iTunes software by signing a two year contract with the United States based telecommunications company AT&T. This type of activation will hereafter be referred to as the "iTunes-AT&T Activation". It involves iTunes getting a unique 40 digit Device ID from the iPhone, the phone hardware's unique International Mobile Equipment Identity (IMEI) number, and the Integrated Circuit Card ID (ICCID) serial number from the SIM card shipped with the iPhone. This information then forms a unique token which is sent to the Apple server (alfred.apple.com) via SSL. Apple then uses their private key to sign the token and transmits it back to iTunes. iTunes on the user's computer then calls AMDeviceActivate with this signed token. Finally, the device gets the token and checks whether or not the signature matches the token. If it does, the device is activated (DevWiki 2007).
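The activation exchange just described can be modelled end to end; this is an added example written for this page, not Apple's or the Dev Wiki's code. It assumes Ed25519 in place of Apple's actual signature scheme, a constructed length-prefixed token encoding and made-up identifiers, and its last two cases show that the device-side check is only as strong as the storage of the trust anchor: a token signed by any other key fails, unless the anchor itself can be replaced (the certificate-swap activation method discussed later in the paper relies on exactly this).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ActivationRecord holds the three values the paper says iTunes collects
// before contacting the activation server. All sample values are constructed.
type ActivationRecord struct {
	DeviceID string // the paper's 40 digit Device ID
	IMEI     string
	ICCID    string
}

// tokenBytes is a constructed canonical encoding (length-prefixed fields), so
// that two different records can never serialise to the same token.
func tokenBytes(r ActivationRecord) []byte {
	var out []byte
	for _, f := range []string{r.DeviceID, r.IMEI, r.ICCID} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// ActivationServer models the signing side (alfred.apple.com in the paper).
// Ed25519 stands in for whatever scheme Apple actually used.
type ActivationServer struct{ priv ed25519.PrivateKey }

func NewActivationServer() (*ActivationServer, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &ActivationServer{priv: priv}, pub
}

// Sign returns the signature that iTunes would hand to AMDeviceActivate.
func (s *ActivationServer) Sign(r ActivationRecord) []byte {
	return ed25519.Sign(s.priv, tokenBytes(r))
}

// Device models the handset: it knows its current identifiers and holds a
// trust anchor, the public key whose signatures it accepts.
type Device struct {
	Self   ActivationRecord
	Anchor ed25519.PublicKey
}

// Activate is the device-side check: the token is rebuilt from the device's
// current Device ID, IMEI and ICCID, so a signature issued for any other
// combination (for example a different SIM) does not verify.
func (d *Device) Activate(sig []byte) bool {
	return ed25519.Verify(d.Anchor, tokenBytes(d.Self), sig)
}

type Outcome struct {
	Genuine              bool // genuine server, identifiers unchanged
	DifferentICCID       bool // genuine token, but another SIM is now inserted
	ForgedSignature      bool // token signed by a key other than the anchor
	ForgedWithAnchorSwap bool // same forged token after the anchor is replaced
}

func RunScenario() Outcome {
	server, genuinePub := NewActivationServer()
	rec := ActivationRecord{ // constructed sample identifiers
		DeviceID: "0123456789abcdef0123456789abcdef01234567",
		IMEI:     "490154203237518",
		ICCID:    "89014103211118510720",
	}
	dev := &Device{Self: rec, Anchor: genuinePub}
	sig := server.Sign(rec)
	var o Outcome
	o.Genuine = dev.Activate(sig)

	// Same phone, another SIM: the ICCID changes, so the stored token no longer
	// matches. This is the one-SIM limitation of certificate-based activation.
	withOtherSIM := *dev
	withOtherSIM.Self.ICCID = "89610100000000000001"
	o.DifferentICCID = withOtherSIM.Activate(sig)

	// A third party signs the same token with its own key pair.
	rogue, roguePub := NewActivationServer()
	forged := rogue.Sign(rec)
	o.ForgedSignature = dev.Activate(forged)

	// If the anchor lives in a replaceable file, swapping it in makes the forged
	// token verify: the check is only as strong as the anchor's storage.
	swapped := &Device{Self: rec, Anchor: roguePub}
	o.ForgedWithAnchorSwap = swapped.Activate(forged)
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```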
The reason behind requiring the iPhone to be activated before use is that Apple, the manufacturer of the iPhone, signed a five year exclusivity agreement with AT&T for phone service rights on the iPhone (Cauley 2007). Thus, an iPhone buyer must sign a contract with AT&T before he or she can start to use any of the phone's features. The picture below shows a brand new iPhone screen once it is turned on and before activating it with iTunes-AT&T Activation (Figure 1).

Figure 1: An out of the box iPhone screen showing "Activate iPhone connect to iTunes".
ITUNES-AT&T ACTIVATION AND SIM LOCKING
Apple and AT&T went to great lengths to ensure that the iPhone can only be activated with the iTunes-AT&T Activation method. Activation then enables the user to access all phone functionalities including the main features such as phone, SMS, Visual Voicemail, and YouTube. The iPhone's phone-related functionalities are however locked to the AT&T Subscriber Identity Module (SIM) card which is pre-installed within every iPhone sold in the United States. The picture below shows where the SIM card is located. The tray containing the AT&T SIM card can be ejected by inserting an unfolded paper clip into a tiny hole on top of the iPhone (Figure 2).

Figure 2: The iPhone SIM tray and slot that contains an AT&T SIM card.

Therefore the iPhone cannot be used with SIM cards from other phone service providers even after the phone is activated with AT&T. The AT&T-only SIM card locking of the iPhone will hereafter be referred to as the iPhone's "SIM Locking". Using a SIM card other than the phone's AT&T SIM card will result in an "Invalid SIM Error". This is because the phone checks to see if the International Mobile Subscriber Identity (IMSI) of the SIM card inserted in it matches AT&T. If it doesn't, the iPhone shows the error and then blacks out the iPhone screen. The only way to activate the iPhone again is to replace the AT&T SIM card in the phone and restart it.

THE PURPOSE OF THE PAPER
The hacking community and iPhone fans around the world wanted to use the iPhone functions without being bound to a two year contract with AT&T. Furthermore, people outside the United States who did not have the option of signing up with AT&T wanted to enable Phone, SMS messaging, GPRS (EDGE) and other service-provider-based functionalities of the iPhone with their own provider's SIM cards. This led people to come up with hacks to bypass the restrictions put on the iPhone. The purpose of this paper is to highlight the methods of hacking the iPhone and show the advantages and disadvantages of each of them.
THE DIFFERENCE BETWEEN ACTIVATION AND UNLOCKING METHODS
In order for someone to use the iPhone without using the AT&T SIM card, the phone needs to be activated and/or SIM unlocked. Here are the definitions of the terms:

Activation: This means that the phone functionalities will be enabled. It may also mean that the user is able to install third-party applications and ringtones on the iPhone. Activation does NOT however mean that SIM card related functionalities will be enabled.

SIM unlocking: This means that SIM cards other than the AT&T SIM card associated with the phone can be used to make calls, send SMS and use the GPRS functions of the iPhone.

Figure 3 shows iPhone screenshots during different stages of activation and SIM unlocking. The first screenshot on the left is for a brand new iPhone before any type of activation. The phone is locked and can only be used to make emergency calls. No other functions on it can be used. The next screenshot is of an AT&T activated iPhone that is fully functional when an AT&T card is inserted in it. The AT&T carrier logo can be seen on the top left corner of the screenshot. The screenshot to the far right shows the AT&T activated iPhone but with another SIM card inserted in it. This results in the iPhone refusing to work anymore and presenting an "Incorrect SIM" error. The screenshot on the bottom left shows a hacked iPhone that is both activated and SIM unlocked and working with a Telstra SIM card, as shown in the top left of the screenshot. The phone also has third party software installed on it, as shown in the bottom row of icons on its screen.

Figure 3: Screenshots of a brand new iPhone, an AT&T activated iPhone with and without the AT&T SIM card, and an activated plus SIM unlocked iPhone.
iPhone Hacks Timeline
The following is a timeline of some of the most popular iPhone hacks and activation methods that surfaced since the iPhone was released on the 29th of June:

Hack Name          | Hack Level                                 | Date Released (approximate)
-------------------|--------------------------------------------|------------------------------
DVDJon Activation  | Activation Only                            | 3 July (Johansen 2007)
iASign Activation  | Activation + Software Limited SIM Unlock   | 18 July (Sadun 2007)
SuperSIM           | Hardware Limited SIM Unlock                | 5 August (Sassha 2007)
TurboSIM           | Hardware Total SIM Unlock                  | 14 August (Al-Zarouni 2007)
AnySIM             | Software Total SIM Unlock                  | 15 September (Johnston 2007)

Table 1: iPhone Hacks Timeline.
DVDJon Activation
This was the earliest hack for the iPhone, coming out as soon as a few days after the iPhone was released. It allowed for non SIM card related functionality only. The hack is based on fooling the iTunes software into thinking that a localhost based server is actually Apple's activation server and activating the iPhone in that way. The hack involves hex editing the iTunes software and is limited to a certain version of the iTunes software, namely 7.3.0.54 (Johansen 2007).
iASign Certificate-Based Activation
The iASign activation method was created to enable people to use pre-paid AT&T or Cingular SIM cards with the iPhone so that the user will not be bound to a two year contract. This is why this method is sometimes referred to as the "Prepaid AT&T and Cingular Activation". The method requires the iPhone to be "jailbroken". Jailbreak means that the iPhone is put into a mode where files can be written to it. This is because the iPhone by default is shipped in read-only mode. A Jailbreak program is available for both Windows OS and Mac OS platforms. This method also involves swapping the original certificate file on the iPhone, "iPhoneActivation.pem", with a pre-fabricated one. The method can be done offline on a Mac machine or online for Windows users. The site to visit is https://ookoo.org/iphone/iasign.php which has a form in which the user is required to enter the following values: Device ID, IMEI and ICCID, in order to generate an executable file that can be used to activate the iPhone (HTIP 2007). The ICCID in this case should be the ICCID of the Prepaid AT&T or Cingular card that the user will use with the iPhone. The advantage of this type of activation is that it is update proof up to firmware 1.0.2. The disadvantage however is that the phone can only be used with the SIM card whose ICCID was used to generate the certificate. Moreover, the ICCID has to be of a SIM card issued by AT&T or Cingular.

This method can also be combined with the SuperSIM unlocking method to achieve total unlock. This is done by entering the ICCID number from the original AT&T SIM associated with the phone and programmed into the SuperSIM card into the iASign online form, instead of the ICCID number from the prepaid AT&T or Cingular SIM card. Total unlock in this case means access to all phone features except for Visual Voicemail. Visual Voicemail is an AT&T network-dependent iPhone feature that allows iPhone users to go directly to any of their voicemail messages without listening to the prior messages (Apple 2007a).
Lockdownd Patching Activation
The idea is to bypass activation altogether. It works by patching the "lockdownd" file located on the iPhone in "/usr/libexec/lockdownd". It still requires the iPhone to be jailbroken in order to get access to that file to read it, patch it on a PC and then replace it in the same directory afterwards. The patching program used in this case is "V_KLay patcher", which is a Russian program used to patch the firmware of Siemens mobile phones (ValeraVi 2007). The status of the phone then changes from "unactivated" to "FactoryActivated" so the phone does not check the certificate files. The patching changes two values in the lockdownd file to the following:

- ActivationState to FactoryActivated
- brick_mode flag to brickmode_off

The "lockdownd" file does not stay exactly the same with every update of the iPhone firmware. Therefore, this patching method is very dependent on the firmware version. This means that a patch for firmware version 1.0 will not be applicable for firmware version 1.0.1 or later. This method is not update proof either, which means updating the patched phone from 1.0 to 1.0.1 will result in re-locking the iPhone. On the other hand, and unlike the iASign method, this method works with multiple SIM cards. It also does not need the original AT&T SIM card that came with the iPhone to achieve activation, so it is ideal for:

- iPhone users who change SIM cards frequently
- Concurrent use of two SIM cards in the iPhone by using a special adapter that allows one SIM to be on standby and another one to be active
- iPhone users that lost the original SIM card associated with the iPhone
- People who do not want to give out their phone specific information to a web based form

The following table compares the features of each activation method and their ability to withstand and support a firmware update or restore.

Activation Method              | Phone | SIM Support                           | Firmware Update Proof | Firmware Restore Proof
-------------------------------|-------|---------------------------------------|-----------------------|-----------------------
Legitimate Activation          | Yes   | AT&T with two year contract           | Yes                   | Yes
DVDJon                         | No    | NA                                    | No                    | No
iASign Cert. (AT&T, Cingular)  | Yes   | AT&T, Cingular SIM, 1 SIM only        | Yes                   | No
iASign Cert. (other ICCID)     | Yes   | Any Forged SIM, 1 SIM only            | Yes                   | No
Lockdownd Patching             | Yes   | Any Forged SIM, Multiple SIM Support  | No                    | No

Table 2: Activation Methods compared: SIM, firmware update and restore support.
SIM UNLOCKING METHODS
There are two SIM unlocking methods that work by fooling the iPhone into thinking that the SIM card inserted into it is the AT&T SIM card. These are:

- SuperSIM Method
- TurboSIM Method

Each of the two methods above works in a different way and has some advantages and disadvantages. The following section of the paper will discuss both of them in detail.
THE SUPERSIM METHOD
This was the world's first SIM unlock of the iPhone, even though some considered it not to be a true SIM unlock method (Shmukler 2007, Sassha 2007, Kenshi 2007). The reason for calling this method a SuperSIM method is that it relies on programming a blank SIM card, as with an old commercial product called SuperSIM. It was used to clone first generation SIM cards. It was also used to combine more than one SIM card into a special high-capacity blank SIM card called "SuperSIM" that enabled the user to switch between SIM cards through a special SIM management menu on the phone. The phone in this case will always see only one SIM card at a time (SuperSim 2007).

The method works by extracting the iPhone SIM card's IMSI number (issued by AT&T) and combining it with information extracted from another provider's SIM card (the user's Telstra SIM card for example) and programming both into a third blank SIM card, as shown in Figure 4 below. This is why SuperSIM is sometimes referred to as a "SIM fabrication" method.

Figure 4: How the SuperSIM Method Works.

One of the major drawbacks of this method is that the user's SIM card has to be a first generation SIM card. This is because the method requires the decryption and extraction of the Authentication key (Ki number value) from the user's SIM card, which is only possible with first generation SIM cards. So this method will not work with SIM cards by mobile phone service providers that use second generation SIM cards or providers that use 3G SIM cards.

There are many SIM card readers and programmers on the market that can be used to read SIM cards and program a blank SIM card. This paper will however focus on one of the hardware and software combinations to achieve the SIM unlock. The hardware used in this case is the Jaycar Programmer (Jaycar 2007a). Two alternative hardware programmers that were used by other iPhone hackers to successfully program a blank SIM card are Infinity USB Unlimited and Dynamite Programmer (Sassha 2007). The advantage of the Jaycar programmer over other programmers is the price and availability. It is available from Jaycar outlets and online for $49.95 Australian Dollars. The Silver Cards are also available from Jaycar for $9.95.
Jaycar SIM Card Programming
The Jaycar reader/programmer is only available in an electronics kit form and needs to be assembled. The board should also be tested according to the instructions manual that is enclosed with the kit (as on page 29 of Silicon Chip Magazine of July 2003, under heading "testing"). A blank SIM card is also needed. The appropriate blank SIM is called Silver Card, which is a multi-chip smart card based on the PIC16F877 and coupled with a 24LC64 EEPROM (Jaycar 2007b). Some additional modifications are needed to enable the Jaycar programmer to program the PIC chip part of the SIM card. These changes are as follows (Wombat et al. 2007):

- Cut the track between pins 13 and 14 on IC3.
- Cut on the side of the card that connects the switch that goes to the 10k resistor, as shown by the red line in Figure 5 below.
- Solder a wire from pin 13 of IC3 to the card socket side of the cut track.
- Solder a wire from pin 12 of IC3 to the mode select switch side of the cut track.

Figure 5: Hardware modifications.

The red lines on the figure above are the track cuts and the purple lines are the new connections. After assembly, the two jumpers on the board should be set as follows:

Figure 6: One jumper is on the 3.5795 MHz side and the other is on the PHOENIX side.
Now that the hardware is ready to use, it is important to download and test it with the software needed for reading and programming the SIM card.

Testing Jaycar Programmer with WoronScan
WoronScan is a SIM card reading and Ki extraction software that is COM port compatible and therefore it is compatible with the Jaycar programmer (WoronScan 2007). There are some settings that need to be configured in WoronScan before using it. They are:

- Under "Card Reader" on the top menu, "Phoenix Card" should be selected as shown below:

Figure 7: Phoenix Card is selected.

- Under "Card Reader" then "Settings", the right COM port should be selected. Also, the "Speed/frequency" radio button should be set to "9600 bit/sec 3.57 Mhz" from the drop down menu as shown below:

Figure 8: The COM port where the Jaycar is connected should be selected.

Before SIM card reading, the board must be set to the correct mode. This means that the S1 switch should be in the "pressed-in" position. This is the clear switch with the green light. This switches the Jaycar programmer into the "Phoenix Mode" which is needed now to read SIM cards:

Figure 9: S1 Switch Pressed.

The programmer is now ready to do the first SIM read. A first generation SIM card can now be inserted into the card reading slot for testing purposes. The contacts on the SIM card should be facing downwards. Now the "ICC" button should be pressed. If the ICCID number is displayed, this means the device is functional. If the output looks like this:

    Communication problem...
    closing COM port...
    The real speed is 9600..
    There is no Phoenix device or card inserted...
    Communication problem...
    closing COM port...

then there is a problem with the device. Here is a list of things to consider when troubleshooting this problem:

- Make sure that the correct COM port is selected.
- Make sure that a straight-through serial cable is used to connect the programmer to the computer.
- If the cable and the port are correct then try another computer. The Jaycar programmer sometimes does NOT work with some Windows XP machines.
Reading IMSI and Extracting Ki value from SIM card
After getting the ICCID number, click on the "IMSI" button. The program should then display the SIM's IMSI number. After that, click on the "Ki" button. It should pop up a window. In the pop-up window just click "Start" as shown in Figure 10 below:

Figure 10: Press "Start" for Magic Key Searching.

Then wait for Ki extraction. This should take about 20-50 minutes. Within 10-15 minutes, some values should start popping up in the boxes shown below:

Figure 11: Ki number pairs should fill all the boxes in 2.

Once this operation concludes, all the values needed from the target SIM card are obtained and must be recorded. Now the AT&T SIM card should be inserted into the Jaycar programmer and the IMSI number obtained and recorded.
SuperSIM Image Customization with SIMEMU
To create a SuperSIM from a blank Silver Card the following software and files are needed:

- A SIM image manipulation and programming utility. SIMEMU 6.01 will be used in this paper.
- Two customizable image files to program the PIC and EEPROM portions of the Silver Card. A ZIP file containing both images can be downloaded from the following website: http://www.rapidshare.com/files/47494428/SIM_EMU_6.01_iphone_u1.rar

After installing the program, the following steps should be followed:

1. Click on the "Configure" tab.
2. Click on the "Read from disk" button.
3. Browse to and click on "SIM_EMU_6.01_iphone_u1.HEX". This file is the PIC programming image file contained in the ZIP file mentioned in the link above.
4. Then select and click on "SIM_EMU_6.01_iphone_u1_EP.HEX". This file is the EEPROM programming image file contained in the ZIP file mentioned in the link above.
5. In position zero "0", the data obtained from WoronScan for the carrier SIM card (Telstra), which includes IMSI, Ki and ICCID, should be entered in the corresponding fields.
6. For ADN/SMS/FDN# respectively type in 161, 15, and 4. For SMS Centre number, type in the carrier's SMS centre number including the +614 part (for Australian carriers).
7. In position "9" the IMSI from the AT&T SIM card should be typed. In PIN1, PUK1 put in all "1s" just as in position "0".
8. In "Config mode", the "Files" radio button should be selected.
9. Click on the "Write to disk" button. You will be asked to save the newly created PIC and EEPROM files. Save them under different names! For example "SIM_EMU_6.01_iphone_u1_new.HEX" and "SIM_EMU_6.01_iphone_u1_EP_new.HEX".

This concludes the customization of the SIM images. The next step is to write the images into the blank Silver Card. A SIM card programming utility is needed for SIM card programming. The one that will be used in this paper is IC-Prog (IC-Prog 2006).
SuperSIM PIC Programming with IC-Prog
Before starting to use the IC-Prog utility, it should be downloaded, installed, and configured. Therefore the following steps should be followed (Wombat et al. 2007):

- Create a directory directly under C:\ and call it IC-Prog
- Download and unzip the contents of the following files into this directory C:\IC-Prog:
  http://www.ic-prog.com/icprog105E.zip
  http://www.ic-prog.com/icprog_driver.zip
  http://www.ic-prog.com/icproghh_eng.zip
- Run icprog.exe

The following hardware settings screen should pop up the first time IC-Prog is executed:

Figure 12: Hardware Settings for IC-Prog.

"JDM Programmer" should be selected. Also, the appropriate COM port associated with the Jaycar programmer should be selected. The Interface should be set to "Direct I/O" and nothing should be ticked under "Communication". "OK" should be clicked next. Some errors should pop up at this point. Clicking "OK" should take care of them. Once the main program window is shown, the "Settings" tab should be selected and then "Options":

Figure 13: Select Settings then Options.

The "Misc" tab should then be selected and under it the "Enable NT/2000/XP Driver" box should be ticked as shown below:

Figure 14: Enable NT/2000/XP Driver.

Process Priority can be left as "Normal". The computer should now be restarted to make sure that the drivers are loaded. After that, the program should be executed again and the S1 button on the Jaycar board should be set to the "out" position. This sets the board to "PIC programming mode".

To program the PIC portion of the Silver Card the following steps should be followed (Wombat et al. 2007):

- The blank Silver Card should be inserted into the Jaycar programmer.
- "PIC16F877" should be selected from the drop down menu as shown in circle "1" in the figure below:

Figure 15: Setting up IC-Prog for PIC programming (1) and loading a PIC file (2).

- The PIC file should now be opened by clicking "File" and then selecting "Open File" (as in circle 2 in Figure 15) and selecting "SIM_EMU_6.01_iphone_u1_new.HEX" created in the SIM image file customization steps discussed earlier.
- The "Code Protect" drop down menu should be set to "CP OFF", which turns off copy protection.
- Function key "F5" should now be pressed to start programming the PIC portion of the Silver Card. This process should take around 5-10 minutes.

This concludes the PIC programming part of the SIM card creation. The next step is to program the EEPROM portion of the blank SIM card.
SuperSIM EEPROM Programming with IC-Prog
The IC-Prog utility should now be configured to program the EEPROM part of the Silver Card. The following steps should be followed (Wombat et al. 2007):

- In the drop-down menu, "24C64" should be selected as shown in circle "1" below:

Figure 16: Setting up IC-Prog to program the EEPROM portion of the SIM card.

- The EEPROM file should now be opened by clicking "File" and then selecting "Open File" (as shown in circle two in Figure 16) and selecting "SIM_EMU_6.01_iphone_u1_EP.HEX" created in the SIM image file customization steps discussed earlier.
- Function key "F5" should now be pressed to start programming the EEPROM portion of the Silver Card. This process should take around 5-10 minutes.

This concludes the EEPROM programming part of the SIM card creation. The Silver Card is now ready to be inserted into the iPhone. After inserting the SIM card into the iPhone, the phone should display that the SIM is locked and will ask for a SIM PIN number to activate the SIM card. The number that should be entered is "1111".
THE TURBOSIM METHOD
TurboSIM is a microchip based device that is developed by the Czech company Bladox (Bladox 2007). It is about the size of a SIM card but it is less than one millimetre in thickness. The device is designed to be placed between the phone and a SIM card. It is programmable with a SIM Toolkit wireless Application Programming Interface (API). The device can be programmed to intercept and modify communications from the phone to the SIM card and vice versa.

Figure 17: TurboSIM.

TurboSIM can be used to fool the iPhone into thinking that the SIM card it is communicating with is actually the AT&T SIM card associated with the iPhone. The TurboSIM does this by intercepting specific inquiries from the iPhone about the SIM card's IMSI and providing the previously programmed AT&T SIM card's IMSI instead of the actual IMSI from the SIM card placed behind the TurboSIM. This effectively makes the iPhone compatible with any GSM SIM card inserted behind the TurboSIM.

TurboSIM Preparation and Programming
In order to program the TurboSIM to intercept specific IMSI requests from the iPhone, an AT&T SIM card needs to be cut and placed behind the TurboSIM and both inserted into a jailbroken iPhone. Then the following two files should be uploaded into the iPhone (Farnoud 2007):

- applesaft.trb: The image file that needs to be uploaded to the TurboSIM's internal memory. The file can be downloaded from Bladox at: http://www.bladox.com/pub/applesaft-0.92.tar.gz
- turbo-app: The upload application that can be run on the iPhone to upload "applesaft.trb" into the TurboSIM's internal memory. It can be downloaded from: http://www.gofilego.com/?fileid=71aef6d5c92b32b596cbf6bec73da7541ee37ae8

After the files are uploaded, the turbo-app needs to be executed on the iPhone. This requires changing the following file on the iPhone, "/System/Library/LaunchDaemons/com.apple.CommCenter.plist", and adding the following line: "Disabled" after the following tag in the file (Farnoud 2007):

Permissions on turbo-app and on applesaft.trb need to be changed to 775. Then turbo-app can be executed on the iPhone as follows:

    /turbo-app/applesaft.trb

The applesaft.trb is now uploaded to the iPhone and can be executed by going to Settings -> Phone -> SIM Applications -> AppleSaft and then clicking SET. This copies the IMSI number of the AT&T SIM card to the TurboSIM. The modified file "/System/Library/LaunchDaemons/com.apple.CommCenter.plist" can now be returned to its normal state by removing the added line of code. Any SIM card can now be cut and placed behind the TurboSIM and the iPhone will not be able to view its real ICCID.

The main advantage of the TurboSIM method over SuperSIM is that any GSM SIM card can be placed behind the TurboSIM, therefore it is not limited to first generation SIM cards as with SuperSIM. Also, the TurboSIM method is easier to follow than the SuperSIM method and fewer things can go wrong during the process when compared to SuperSIM. The disadvantages of TurboSIM include the high price and scarce availability of the TurboSIM device. The TurboSIM retail price is $159 Australian Dollars but because of the high demand associated with the iPhone hack, the manufacturer and suppliers ran out of it (Votech 2007). Another disadvantage of TurboSIM is that it is fragile. Many iPhone users ended up damaging their TurboSIM by trying to fit it within the iPhone's SIM card tray (MetalRat 2007). Another issue with the TurboSIM is that the contacts between the TurboSIM and the SIM card placed behind it sometimes don't touch. This could be because of a physical problem with the TurboSIM device or the SIM card placed behind it or a combination of both.
SOFTWARE SIM UNLOCKING
SuperSIM and TurboSIM unlocking methods revolve around the fabrication of a SIM card. The software unlocking methods however achieve SIM unlocking by modifying the baseband software on the iPhone itself. This was not thought to be possible by the hacking community until a commercial website, iPhoneSIMFree.com, started selling a software based unlocking solution through their re-sellers. The hacking team behind the free software unlock then reverse engineered the commercial software and discovered that it works by programming (flashing) the baseband software of the iPhone. After that, a free software application called AnySIM was developed to unlock the iPhone. The disadvantages of this type of unlocking are as follows: First, the software only works with a specific version of the iPhone's phone firmware and modem firmware, namely phone firmware version 1.0.2 (1c28) and modem firmware version 03.14.08_G. The second disadvantage is that using this unapproved software on the iPhone voids Apple's warranty. Also, updating the iPhone to firmware version 1.1.1 and beyond may render the iPhone useless (brick the iPhone) (Miller 2007).
ADVANCED TECHNIQUES
Other third party software beyond SIM unlocking can also be installed on the iPhone, even though it is considered unapproved software and can void the warranty and brick the iPhone (Murph 2007). This can be done in many ways; one of these ways is through using software called iBrickr, which enables ringtones and applications including AnySIM to be installed on the iPhone (True 2007). Unlocking the iPhone with AnySIM based SIM unlocking can enable the iPhone to be used with Multi-SIM adapters such as Hyper-Card (MagicSIM 2007). Multi-SIM adapters allow two SIM cards to be cut down in size by using a special tool; they are then inserted into a special SIM-card-shaped adapter that can be inserted into the iPhone. The iPhone can then be used with two SIM cards at the same time: one SIM card on stand-by and one active SIM card. Inserting the card into the iPhone can be difficult due to the thickness of the adapter itself, the thickness of the two SIM cards inserted into it and the thickness of a microchip that sticks out of the adapter, as shown in the circle marked 1 in the figure below:

Figure 18: Hyper-Card and Telstra SIM card before and after SIM cutting and placement with another SIM card.

The adapter adds a SIM management screen to the iPhone that enables SIM card selection and other options to be selected, such as setting a number for each SIM or an ID for each for easy maintenance.
UNBRICKING THE IPHONE
In electronics, the term bricked describes a device that cannot function in any capacity, such as an iPhone with a damaged firmware. The iPhone can be bricked by disrupting a firmware upgrade or corrupting a system file or some other damage to the Operating System (OS) software. In this case, the iPhone can be unbricked by using the restore function from within the iTunes software within Windows XP. The following are the steps to follow (Batten 2007):

- Download the desired iPhone update file from Apple.
- Place the file under the following directory in Windows: Documents and Settings\\Application Data\Apple Computer\iTunes\iPhone Software Updates
- Hold the "shift" key while clicking the iPhone "Restore" button in iTunes.
- Select the firmware file to use from the dialog box.

The restore operation should take a few minutes, after which the iPhone will be reset to factory new status.

The iPhone may also become bricked if it is updated to firmware version 1.1.1 after being activated via means other than the iTunes-AT&T activation or SIM unlocked via the AnySIM software update (Miller 2007). In this case, the unbricking process is more complex but unbricking guides can still be found on the Internet (iPhone-Elite 2007).
CONCLUSION AND CONSIDERATIONS
Warranty issues with iPhone activation and unlocking should be considered when attempting any of the hacks on the iPhone. SIM fabrication methods are the only methods that do not void the warranty because they do not change anything in the iPhone but rather, they modify SIM cards to work with the iPhone. Some activation methods such as the iASign and the patching method are easily reversible by restoring the iPhone to factory settings from iTunes, thus not voiding the warranty. Hardware modifications such as the Geohot hardware re-wiring method made famous on the Internet should never be attempted as they will definitely void the iPhone's warranty (Geohot 2007).
REFERENCES
Al-Zarouni, M. (2007) iPhone Unlocked for All SIMs, URL http://www.mysecured.com/?p=159, Accessed 17 September 2007
Apple (2007a) Apple - iPhone - Features - Voicemail, URL http://www.apple.com/iphone/features/index.html#voicemail, Accessed 11 October 2007
Apple (2007b) Apple - iPhone - High Technology, URL http://www.apple.com/iphone/technology/, Accessed 18 September 2007
Batten, A. (2007) Is there a way to restore my iPhone with a selected version of iPhone firmware, URL http://www.iphonefaq.org/archives/97285, Accessed 23 October 2007
Bladox (2007) BLADOX, URL http://www.bladox.com/, Accessed 16 October 2007
Cauley, L. (2007) AT&T eager to wield its iWeapon, URL http://www.usatoday.com/tech/wireless/2007-05-21-at&t-iphone_N.htm, Accessed 24 October 2007
DevWiki (2007) How Activation Works - The iPhone Dev Wiki, URL http://iphone.fiveforty.net/wiki/index.php/How_Activation_Works, Accessed 10 October 2007
Farnoud, H. (2007) iPhone Unlocked, URL http://hadi.wordpress.com/2007/08/14/iphone-unlocked/, Accessed 23 October 2007
Geohot (2007) Finding JTAG on the iPhone: FULL HARDWARE UNLOCK OF IPHONE DONE, URL http://iphonejtag.blogspot.com/2007/08/full-hardware-unlock-of-iphone-done.html, Accessed 23 October 2007
HTIP (2007) Hack the iPhone - Using non-stock SIMs in the iPhone on Windows, URL http://www.hacktheiphone.net/iphone_using_cingular_for_windows.html, Accessed 10 October 2007
IC-Prog (2006) IC-Prog Prototype Programmer, URL http://www.ic-prog.com/, Accessed 16 October 2007
iPhone-Elite (2007) Downgrading Baseband - iphone-elite - Google Code, URL http://code.google.com/p/iphone-elite/wiki/DowngradingBaseband, Accessed 23 October 2007
Jaycar (2007a) Full Function Smart Card Reader/Programmer Kit, URL http://www.jaycar.com.au/productView.asp?ID=KC5361, Accessed 15 October 2007
Jaycar (2007b) Silver Wafer Card, URL http://www.jaycar.com.au/productView.asp?ID=ZZ8810, Accessed 15 October 2007
Johansen, J. L. (2007) iPhone Independence Day, URL http://nanocr.eu/2007/07/03/iphone-without-att/, Accessed 17 September 2007
Johnston, M. (2007) anySIM Released: Free GUI iPhone Unlock, URL http://www.iphonealley.com/news/anysim-released-free-gui-iphone-unlock, Accessed 30 October 2007
Kenshi (2007) iPhone making calls on Australia's Telstra (iPhone + hack + iActivator + ozbimmer), URL http://tech.commongate.com/post/iPhone_making_calls_on_Australia_s_Telstra, Accessed 17 September 2007
MagicSIM (2007) Hyper-Card for iPhone, URL http://hyper-card.com/home/english/main.htm, Accessed 23 October 2007
MetalRat (2007) A Muppet's Guide to TurboSIM - Hackint0sh, URL http://www.hackint0sh.org/forum/showthread.php?t=2663, Accessed 23 October 2007
Miller, P. (2007) iPhone update: facts and fiction, URL http://www.engadgetmobile.com/2007/09/28/iphone-update-facts-and-fiction/, Accessed 23 October 2007
Murph, D. (2007) Apple finally weighs in on iPhone hacks, unlocking, URL http://www.engadget.com/2007/09/24/apple-finally-weighs-in-on-iphone-hacks-unlocking/, Accessed 23 October 2007
Sadun, E. (2007) iPhone + Disposable Cellphone + Prepaid Cards + New Activation Tool = Holy Cow, URL http://www.tuaw.com/2007/07/18/iphone-disposable-cellphone-prepaid-cards-new-activation-t/, Accessed 17 September 2007
Sassha (2007) Tutorial: "Unlock" your iPhone with SuperSim - Hackint0sh, URL http://www.hackint0sh.org/forum/showthread.php?t=2215, Accessed 17 September 2007
Shmukler, C. (2007) Apple iPhone Unlocked for Use in Europe, URL http://www.iphonefaq.org/archives/97228, Accessed 15 October 2007
SuperSim (2007) SuperSIM 16 in 1, URL http://www.nowgsm.com/supersim.htm, Accessed 15 October 2007
TMHGIH (2007) The Most Hyped Gadget In History, URL http://www.tmhgih.com/, Accessed 10 September 2007
True, N. (2007) iBrickr: Easy iPhone ringtone/app management for Windows, URL http://cre.ations.net/creation/ibrickr, Accessed 23 October 2007
ValeraVi (2007) Site of ValeraVi - V_KLay and patches for Siemens mobile phones, URL http://www.vi-soft.com.ua/index_e.htm, Accessed 11 October 2007
Votech (2007) Votech - TurboSIM Status Updates, URL http://www.votech.com.au/bladox_updates.php, Accessed 23 October 2007
Wombat, The Guide, Secured & free productions (2007) Jaycar Kit - Hackint0sh, URL http://www.hackint0sh.org/forum/showthread.php?t=2805, Accessed 25 October 2007
WoronScan (2007) WoronScan Download, URL http://www.kinforce.com/down/kinforce/supersim/ws109.zip, Accessed 15 October 2007

COPYRIGHT
Marwan Al-Zarouni, Haitham Al-Hajri 2007. The authors assign Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. The authors also grant a non-exclusive license to ECU to publish this document in full in the Conference Proceedings. Any other usage is prohibited without the express permission of the authors.