Tuesday, May 10, 2011

...there is nothing new under the sun

It amazes me how quickly people can forget things. Gevey and Rebel have been selling so-called "Unlocking SIM card" for a number of years and people reacted as if these named never existed before. If my memory serves right I bought my APDU kit from Rebel not long ago(before they became involved with i4, of course).

When Gevey broke the news that they have an working SIM interposer for i4, most people reacted in disbelief. Gevey themselves did not help when they released a (poorly) edited demo video and everybody was convinced that it was just another scam.



However, other reports soon emerged with some important details: First of all it seems to work, however it requires dialling 112 and data service only works if you enable Data Roaming. In hindsight it makes good sense why Gevey did not want us to know these things before they could ship the product: it can be copied very easily once the methodology has been figured out. In fact the same protocol/exploit has been found by other as early as November 2010 but nobody thought it could be made into a product.

They did come up with other interesting accessories such as this i4 dual-SIM device which can be reprogrammed to act like a gevey  

Gevey only made it with meticulous planning: While they have been dropping hints about their product a long time ago, announcement was only made after the Dev Team admitted that they have no baseband unlocks - back in 2009 Gevey and others almost went out of business when ultrasn0w came out and there are tens of thousands of old SIM interposers gathering dust in their warehouses. Mass production followed soon enough to saturate the market, price was initially high to make sure they get a fair scoop of profit before copycats and negative feedback could ever appear.

On the contrary, Rebel made a number of bold claims ("No need to use the illegal number[sic] 112", "World First", "Untethered unlock", btw do we even have a tethered unlock in the first place?) and failed to back them up with evidence. Release date were pushed back a few times, shipping charges are exonerate and the worst part: They don't even work, at least not as advertised.

Anyway let's get to the methods:

What you will need:

Programmable SIM Card - Preferably the newer types and of course it needs to be cut to fit in the SIM tray.
SIM Programmer - Those PL-2303 USB dongles are cheap and easy to find on ebay. The more expensive smartcard programmers often based on the R200 PC/SC chipset is an overkill and does not work well with 64-bit Windows. For cheapskates like myself, you can build a simple circuit that allows direct connection via serial port.
SIM Data - Three out of four parameters, namely IMSI, ICCID and SMSC are stored on the SIM unencrypted, however the main authentication key Ki is not. Best way to get it is to ask your mobile service provider to disclose these figures for your personal use, and I know some carriers in UK that allows you to have a back-up SIM. There are various "solutions" for sale over the internet to obtain your Ki by brute force however there are good reasons to avoid them:
A. The key is never transmitted directly, instead it is used within the SIM card to encrypt a random string sent from the network. Given enough time, a collision could be found to deduce the key, however most SIM cards have a built-in counter that disables the SIM after an unknown number of failed attempts so brute-force will never work. You have been warned and it is your fault if anything happens. BTW anybody that claims to be able to obtain Ki in mere minutes is probably fraud material since the speed is constrained by the very limited computation power of the SIM chip.
B. Cracking SIM cards, even your own SIM, is still illegal because the SIM is not the end user's property (it always belong to the provider) and most carriers have clauses in their Terms of Service that forbade any tampering with SIM cards. While they are unlikely to take anybody to court, you will have a lot of explanation to do after a few requests to replace your SIM card.

For those with legitimate access to their SIM data:

1. Write your SIM data to the blank SIM, leave ICCID, SMSC and Ki as is and replace the first eight digits of your IMSI with 08091010.
2. With your original SIM in your i4, dial 112 and immediately disconnect.
3. Toggle flight mode ON
4. Eject SIM tray.
5. Replace SIM with the one we programmed.
6. Toggle flight mode OFF, you should have reception in a few seconds.

My earlier comments and FAQ for Gevey applies for the method as well. Chances are you will retain the reception after reboot, however there might be issues with data and incoming calls. There is some room to optimise the outcome following a reboot but it is impossible to test on every single MNC/PLMN/VLR/MSC which could all have a different authentication protocol. This is why Gevey decided to play it safe by implementing an elaborate STK menu to require 112 dialing following every reboot; Rebel did away with the STK with the hope that it might allow some users to restart their phone without losing reception, yet they ended up with a disappointing and erratic product. 

----------------------------------------------------------------------------------

I have tried to find a way to make the method work without having to dial 112 but so far it appears impossible unless the baseband FW is patched to handle TMSI like it used to prior to 05.11.07. Not mention if we were able to patch the baseband directly we would already have a software unlock.

So here you go folks, it's the "unlock" we have been talking about for the past two months. All's right if it works; don't lose any sleep if it doesn't work for you - after all it is just a phone and we have more important things to worry about in dear life.

P.S. And I must agree with @sherif_hashim that "money for unlock = bullshit"