View Full Version : All Simclone, SuperSim Q/A here....
hubbards
07-20-2007, 04:46 AM
Has anyone tried to clone the AT&T sim to a super sim. A super sim allows you to essentially have up to 12 or so sim cards on one master sim. So you'd remove the AT&T sim, clone it to the super sim and repeat the process with the sim you want it to work with. The iPhone will still think it's an AT&T sim but whether it would grumble when you switched over to your other carrier I don't know. A long shot but maybe worth a try. Anyone have a super sim? You can buy them for a few quid on eBay such as here:
http://cgi.ebay.co.uk/12-IN-1-SIM-CARD-CLONE-COPY-BACKUP-DUPLICATE-WRITE-EDIT_W0QQitemZ220131704678QQihZ012QQcategoryZ43805 QQrdZ1QQcmdZViewItem
A related question: If I get one of those duplicators, can I have the original SIM in the iPhone and the duplicate in another phone for use when I don't want to carry the iPhone (like while bicycling, for example)? It would be easier than swapping out the SIM card every time and risking damage to the little tray. What happens if I forget and turn on both phones at the same time?
cheers,
tys
hubbards
07-20-2007, 05:20 AM
Yes you can but don't try and power up both phones at the same time. It's quite likely your network/carrier will detect this and think there is something sinister going on and they could bar your account.
abcslayer
07-20-2007, 06:11 AM
Exactly the same idea as you.... I hope there are bugs in the SIM lock checking routine.
To tys: it's not allowed for two instances of the same IMSI to be on the GSM network. It's the GSM standard.
To hubbards: the new SIMs are almost impossible to clone due to new, improved protection against the Ki brute-force attack.
sukatoro
07-20-2007, 06:18 AM
Has anyone tried to clone the AT&T sim to a super sim. A super sim allows you to essentially have up to 12 or so sim cards on one master sim. So you'd remove the AT&T sim, clone it to the super sim and repeat the process with the sim you want it to work with. The iPhone will still think it's an AT&T sim but whether it would grumble when you switched over to your other carrier I don't know. A long shot but maybe worth a try. Anyone have a super sim? You can buy them for a few quid on eBay such as here:
http://cgi.ebay.co.uk/12-IN-1-SIM-CARD-CLONE-COPY-BACKUP-DUPLICATE-WRITE-EDIT_W0QQitemZ220131704678QQihZ012QQcategoryZ43805 QQrdZ1QQcmdZViewItem
huh... never seen one of these, is the iPhone GSM v1 compatible, or v2/v3..?
smman
07-20-2007, 03:23 PM
Someone in the UK please try it... it would take too long to receive it here to try.
!!!
I think it could be a good solution... although I have seen that SIMs from "3" (H3G) will not work... I think the same problem could be encountered with the 3G SIM from AT&T.
Please try it, rush!
rsivan
07-20-2007, 03:42 PM
I can try. I have this card, but I need the ICCID that is inside the supplied a.plist, because this works and activates my iPhone but it won't recognize my SIM. I only need to set the ICCID on my reprogrammable SIM.
I will set up a new virtual location with AT&T codes, and after inserting the PIN I can switch the number to TIM Italy. I think this should work; I have done it with other phones.
demonasgr
07-20-2007, 05:06 PM
What about copying your SIM info into the AT&T SIM?
rsivan
07-20-2007, 05:23 PM
TRIED
doesn't work!
I created a new .plist file with IMEI, ID, and a new virtual ICCID, and after reading the IMSI from the AT&T SIM, created a new position on the SIM as AT&T...
the phone asks for the PIN and works like a bomb
but when I go to the SIM menu to change phone and select Italian TIM, the iPhone rechecks the IMSI
and reads a non-AT&T IMSI and says again SIM not valid...
for now I think only an AT&T IMSI will work.
WE NEED THE UNLOCK SUBSIDY CODE TO MAKE IT WORK OVERSEAS
THANKS TO ALL
JUST FOR INFO
08 39 01 14 XX XX XX XX XX
IMSI READ FROM THE IPHONE-SUPPLIED SIM
MCC: 310 = USA
MNC: 41 = AT&T ?
MSIN: XX XX XX XX XX
TRIED TO MAKE A NEW POSITION LIKE
08 29 22 10 XX XX XX XX XX
MCC: 222 = ITALY
MNC: 01 = TIM
THE PHONE TRIES TO FIND THE AT&T NETWORK AND ASKS ME TO JOIN AVAILABLE TIM, VODAFONE, ETC..
BUT WHEN YOU TRY TO SELECT TIM THE IPHONE RECHECKS THE IMSI AND SAYS SIM NOT VALID
hubbards
07-20-2007, 06:21 PM
Thanks for trying rsivan. Saved me a few quid and hours of frustration. Pity it didn't work but every attempt made at cracking this is a step closer (failed attempts still count). Kudos to you!
smman
07-21-2007, 01:16 AM
Thanks RSIVAN (GRAZIE!!!)
Are you sure you have that SIM model? On eBay they were talking about a "Ghost Number": basically it's like having a main number, but you can also receive calls on the ghost numbers. It's not a SIM where you can change operator from a menu... Shall we exchange Skype IDs or phone numbers so that we Italians can maybe give each other a hand? Send a private message.
Are you sure it was the same SIM advertised on eBay? On the listing they were talking about "ghost numbers" that you can use at the same time as the main one. It's not a common dual SIM that allows you to change operator from a menu.
Can you please check?
CIAO! BYE
hubbards
07-21-2007, 04:30 AM
rsivan, did the multi/magic SIM that you used have the "invisible number" function? Below is the spec from the card that I linked to on eBay re. this function...
---------------------------------------------
Invisible number function, SIM1 switch to SIM2, while SIM1 is invisible. When
someone dials SIM 1, the system tone notices "The number you dialed can't connect at a moment, please dial later"
---------------------------------------------
Does this mean that the inactive SIM (AT&T) is in some low-level way still active on the phone? I would guess so, as how else would the network know to provide a busy signal? If that is the case then it has a chance of working for us, as the iPhone will have already passed the SIM validation routine. Maybe I'm well off base???
Has anyone got one of these super sims with the invisible number function? If not, I will order one and give it a try.
Thanks!
rsivan
07-21-2007, 12:24 PM
I think the problem is the same: once the phone reads a non-AT&T IMSI it says error again.
To get onto the network the GSM chip needs to load the IMSI, and it has a clear rule inside like
"if IMSI does not start with USA AT&T codes, say SIM invalid"
you can try as a last chance, but I doubt it.
Keep us informed. Here are links for cards with the ghost function:
http://cgi.ebay.it/ws/eBayISAPI.dll?ViewItem&rd=1&item=230051168282&ssPageName=STRK:MEWA:IT&ih=013
http://cgi.ebay.it/ws/eBayISAPI.dll?ViewItem&rd=1&item=220121026699&ssPageName=STRK:MEWA:IT&ih=012
Don_Ron
07-21-2007, 02:01 PM
---------------------------------------------
Does this mean that the inactive SIM (AT&T) is in some low-level way still active on the phone? I would guess so, as how else would the network know to provide a busy signal? If that is the case then it has a chance of working for us, as the iPhone will have already passed the SIM validation routine. Maybe I'm well off base???
As an inactive phone CAN complete a call to 911, it looks like it's active on a low level.
R o n
MaLer
07-22-2007, 12:34 AM
Just to make sure, rsivan: the cloned AT&T card WORKED when you copied the IMSI and set the right MCC and MNC?? I mean, it was recognized by the phone? If you don't have the Ki, it was not able to log on to the GSM network.
rsivan
07-22-2007, 03:36 AM
this AT&T is not registered at the server.
I have Ki on my cards, but with only
an IMSI starting with AT&T USA
the iPhone doesn't say any error and searches for the network.
I've been using these cards since 1999 with the old phones' SIM lock trick;
it did work, but this one rechecks the IMSI and lock code
every time you try to call. Result:
we only need the unlock code.
ozbimmer
07-22-2007, 05:25 AM
rsivan: sorry, but I don't understand.
Do you mean you cloned an AT&T SIM from an original card in 1999 and have been using this cloned card since then? Also, during the cloning process you extracted the IMSI and Ki? And when you put in the cloned SIM you still get the message "incorrect SIM", or the iPhone asks you to activate?
And what do you mean by "it did work, but this one rechecks the IMSI and lock code
every time you try to call"? If it works, why does it recheck the codes again?
Thanks
rsivan
07-22-2007, 11:57 AM
I did clone an Italian card. Now I just read the IMSI from the SIM supplied with the iPhone,
then I took a blank card with an ICCID like 39111111111111111 (I also registered this ICCID with iASign) and made a position with this IMSI from the SIM supplied with the iPhone, and a second one with my Italian IMSI and Ki data, and
I start the iPhone with the first: it doesn't say any SIM error and tries to find the AT&T network, but when I
switch to the second number the SIM lock message is shown again.
MaLer
07-22-2007, 12:59 PM
ozbimmer: I'm a little bit confused too :).
What I'm interested in is knowing what exactly needs to be on the card to pass through the "network lock check". I hope it should be no big problem for me to make a card with the right configuration and, for example, register AT&T's ICCID on the HLR of my operator, but I really would like to know what's known now - which numbers need to be set on the cloned card so the iPhone will believe it's a real AT&T card.
I'm not interested in making a "multisim"; I would like to make a working clone of the card, but one which I'll be able to register with my operator. With the existing AT&T card it's not possible (AFAIK), because they don't know the Ki, so they can't verify this card as a card of their own network. So what I need is to make a card which the iPhone will take as a real card, but on the other side, my operator can register this card in their own HLR and can then verify this card when logging on to the network too - so with the operator's Ki.
It's definitely NOT a very standard solution, but I really would like to try, if it's possible at all.
I hope everyone can understand my basic English, which is of course poor too :)
ozbimmer
07-22-2007, 02:17 PM
Sorry rsivan, I still don't understand what you are talking about - please tell me if this is what you have done:
1. You have obtained a blank card with ICCID of like 39111111111111111.
2. You extracted the IMSI from the AT&T 3G card that comes with the iphone.
3. You extracted the IMSI and Ki from your italian SIM card.
4. You put in the AT&T IMSI and Italian carrier IMSI and Ki into your blank card with Position 1 as AT&T and Position 2 as your Italian carrier.
When you start your phone, there's no sim card error as you are using the IMSI of AT&T, but when you switch to Position 2 (how do you switch it? there's no menu in iphone to do so!) the error occurs.
MaLer: There are 3 variables here: IMSI, Ki and ICCID. And each carrier has their own set of the 3 variables. So let's say AT&T has IMSI-a, Ki-a and ICCID-a, and your own carrier in your country is IMSI-b, Ki-b and ICCID-b. It's the correct combination of the above that we need to find. For your information, I have done the following for my network in Australia:
1. I have obtained a blank sim card (Silvercard).
2. I have extracted the ICCID-a, IMSI-b and Ki-b.
3. I put all these data onto the Silvercard.
4. I used the iASign method to activate my iphone using ICCID-a.
I put the cloned sim in my iphone and it says it is the incorrect sim. I then put the cloned sim into a normal unlocked phone and everything works ok (registered to my carrier network, call out, call in and data services).
The question is which variables are needed to "fool" the iphone while at the same time permit the sim card to register to your carrier network. Any good idea, anyone?
rsivan
07-22-2007, 03:27 PM
Yes, you've done it all correctly. Exactly: the iPhone will check the first numbers of the IMSI
08 39 01 14 10 XX XX XX XX
08 = number of hex bytes,
39 01 = 310
14 = 41
10 xx = IMSI identity
MCC: 310 USA (ITALY 222)
MNC: 41 AT&T? (TIM ITALY 01)
MSIN: 01XXXXXXXX. I have done some tests, but to bypass the SIM lock this needs to start with "01" (my cards in Italy all start with 95, 18, 35 or 39).
I use sim-emu, which has a menu inside to change the active SIM, but when I change, the phone has the SIM lock again.
ozbimmer
07-22-2007, 04:00 PM
what's msin?
iPhive
07-22-2007, 04:23 PM
Normally the home GSM network does not ask the phone for the IMSI if the phone has valid location information (LOCI).
So try this:
1. insert SIM-b with IMSI-b, Ki-b and ICCID-b in your normal unlocked phone
2. register to home network, do call out, call in and data services
3. power off phone -> valid LOCI and GPRSLOCI are saved to SIM-b
4. put ICCID-a, IMSI-a, Ki-b, LOCI-b and GPRSLOCI-b on Silvercard
5. insert Silvercard in iphone and activate it using ICCID-a (if not already done)
The iphone may now register to home network with LOCI-b and GPRSLOCI-b without being asked for IMSI and the iphone itself thinks it is an AT&T SIM because of IMSI-a.
hubbards
07-22-2007, 04:31 PM
This thread is starting to get exciting (for me at least). Does anyone believe a possible breakthrough is on the cards if we pursue this avenue?
I'm amazed at the lack of responses to this post considering the amount of views. Is it because most devs/hackers think we're well off base and chasing our tails?
"IPhive" - The logic sounds solid. Let's hope someone can test it soon.
Good work guys!
ozbimmer
07-22-2007, 04:48 PM
iPhive: Where can I find LOCI and GPRSLOCI on SIM-b?
Also, I have noticed something interesting about the iPhone AT&T SIM's ICCID and IMSI. Not sure if it's just a coincidence. Maybe someone could check it:
suppose my ICCID is like this 123456789ABCDEFGHIJK
and my IMSI is like this ABCDEFGHIJKLMNOPQR
For IMSI: AB is usually 08, CDEFGH is the MCC/MNC, and the rest is the MSIN (IJKLMNOPQR)
I just noticed that this part of the ICCID (BCDEFGHIJ) is the same as this part of the IMSI (JILKNMPORQ - reversed bits of IJKLMNOPQR) - interesting, huh?
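Both rsivan's byte layout (08 39 01 14 10 ...) and the pair-reversed digits ozbimmer noticed come from one storage rule: EF_IMSI and EF_ICCID keep their digits as swapped BCD, low nibble first (TS 100 977 / GSM 11.11). The decoder and encoder below are an added example, not any poster's code, using constructed sample values; they also split MCC/MNC and apply the six-digit prefix check described in this thread, treating MCC 310 as a 3-digit-MNC country (310410).

```python
"""Decode and encode EF_IMSI (6F07) and EF_ICCID (2FE2) as stored on a GSM SIM.

Both files hold digits in "swapped" BCD: within each byte the LOW nibble is
the earlier digit and the HIGH nibble the later one, so a raw hex dump reads
as the digit string with every pair of characters reversed.  EF_IMSI adds a
length byte and a type/parity nibble in front of the digits (TS 100 977,
section 10.3.2); EF_ICCID is 10 bytes of swapped BCD, padded with 0xF nibbles
when the ICCID is shorter than 20 digits.  All sample values are constructed.
"""


def _swapped_nibbles(data: bytes):
    """Yield the nibbles of each byte low-first, the order swapped BCD uses."""
    for b in data:
        yield b & 0x0F
        yield b >> 4


def _pack_swapped(nibbles):
    """Pack nibbles (earlier digit in the low nibble) into bytes; pad an odd tail with 0xF."""
    nibbles = list(nibbles)
    if len(nibbles) % 2:
        nibbles.append(0xF)
    return bytes(lo | (hi << 4) for lo, hi in zip(nibbles[0::2], nibbles[1::2]))


def encode_ef_imsi(imsi: str) -> bytes:
    """Build the 9-byte EF_IMSI record for a 1..15 digit IMSI."""
    if not (imsi.isdigit() and 1 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 1 to 15 decimal digits")
    odd = len(imsi) % 2 == 1
    # First nibble: b1-b3 = 001 (identity type IMSI), b4 = 1 when the digit
    # count is odd; 0x9 for a 15-digit IMSI, 0x1 for an even digit count.
    head = 0x9 if odd else 0x1
    body = _pack_swapped([head] + [int(c) for c in imsi])
    return (bytes([len(body)]) + body).ljust(9, b"\xff")


def decode_ef_imsi(raw: bytes) -> str:
    """Return the IMSI digit string from a 9-byte EF_IMSI record."""
    if len(raw) != 9:
        raise ValueError("EF_IMSI must be exactly 9 bytes")
    length = raw[0]
    if not 1 <= length <= 8:
        raise ValueError("invalid IMSI length byte 0x%02x" % length)
    nibbles = list(_swapped_nibbles(raw[1:1 + length]))
    head, digits = nibbles[0], nibbles[1:]
    if head & 0x7 != 0x1:
        raise ValueError("not an IMSI identity (type nibble 0x%x)" % head)
    if not head & 0x8:  # even digit count: the final high nibble is 0xF padding
        if digits[-1] != 0xF:
            raise ValueError("even-length IMSI must end with 0xF padding")
        digits = digits[:-1]
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal digit in IMSI")
    return "".join(str(d) for d in digits)


def encode_ef_iccid(iccid: str) -> bytes:
    """Build the 10-byte EF_ICCID record for an 18..20 digit ICCID."""
    if not (iccid.isdigit() and 18 <= len(iccid) <= 20):
        raise ValueError("ICCID must be 18 to 20 decimal digits")
    return _pack_swapped(int(c) for c in iccid).ljust(10, b"\xff")


def decode_ef_iccid(raw: bytes) -> str:
    """Return the ICCID digit string from a 10-byte EF_ICCID record."""
    if len(raw) != 10:
        raise ValueError("EF_ICCID must be exactly 10 bytes")
    digits = []
    for n in _swapped_nibbles(raw):
        if n == 0xF:  # padding marks the end of a short ICCID
            break
        if n > 9:
            raise ValueError("non-decimal digit in ICCID")
        digits.append(str(n))
    return "".join(digits)


def split_imsi(imsi: str, mnc_len: int = 3):
    """Split an IMSI into (MCC, MNC, MSIN).  North American PLMNs such as
    310-410 use 3-digit MNCs; many European ones (e.g. 222-01) use 2 digits."""
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def network_lock_allows(imsi: str, allowed_plmns) -> bool:
    """Network-personalisation check as described in the thread: the IMSI must
    start with one of the allowed MCC+MNC prefixes (e.g. "310410")."""
    return any(imsi.startswith(p) for p in allowed_plmns)


if __name__ == "__main__":
    # Constructed sample values; the MSIN and ICCID digits are made up.
    imsi, iccid = "310410123456789", "8900000000000000123"
    print(encode_ef_imsi(imsi).hex())     # 083901141032547698
    print(encode_ef_iccid(iccid).hex())   # 980000000000000021f3
    print(split_imsi(decode_ef_imsi(encode_ef_imsi(imsi))))
```

The "41" rsivan reads as the MNC is the first two digits of MNC 410: US PLMNs use 3-digit MNCs, so the lock prefix is the six digits 310410.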
afterdigital
07-22-2007, 05:48 PM
You're right, hubbard, on the responses considering the possibilities.
but let's hang in there and see how successful this may turn out. I myself have been following this thread for days and find it interesting to be able to achieve the goal.
Currently i carry a work phone and now my iphone. I would love to be able to fuse both networks into one! whoa!
keep it up guys :)
iPhive
07-22-2007, 06:08 PM
ozbimmer:
IMSI (6F07), LOCI (6F7E), GPRSLOCI (6F53) are elementary files (EF) of the SIM cards file system
see TS 100 977 (former GSM 11.11) http://www.id2.cz/normy/gsm1111v830.pdf
you need a SIM card reader/writer for this
ozbimmer
07-22-2007, 06:39 PM
thanks iPhive.
Just wondering - in your msg you mentioned this:
4. put ICCID-a, IMSI-a, Ki-b, LOCI-b and GPRSLOCI-b on Silvercard
I think the IMSI is paired with a unique Ki. You cannot mix a Ki with another IMSI (i.e. IMSI-a/Ki-b not permitted)?? Please enlighten me :)
MaLer
07-22-2007, 06:46 PM
ozbimmer: AFAIK IMSI and Ki should be independent. Ki is never transmitted over the net.
ozbimmer
07-22-2007, 06:54 PM
you are right MaLer: Instead of Ki, Kc is transmitted. BTW, Kc is dependent on Ki (Kc is the 64-bit ciphering key used as a Session Key for encryption of the over-the-air channel. Kc is generated by the Mobile Station from the random challenge presented by the GSM network and the Ki from the SIM utilizing the A8 algorithm.)
iPhive - about changing the LOCI, etc. I am going to use icprog to do so. Hopefully it works :)
MaLer
07-22-2007, 07:10 PM
ozbimmer: yeah, and that's why your GSM network needs to know your Ki. And that's why I think the info about the guy who registered his AT&T card with Vodafone is not true. Or there must be some strange setup, because when you are roaming, Kc (or better to say the "random challenge") is sent from your home operator's (like AT&T's) HLR; your guest network doesn't know your Ki. That's why everyone is wondering that "registering an AT&T SIM with Vodafone" is working - if Vodafone's HLR thinks that you are on the "home" network, why should it ask your real home HLR for a challenge?
BTW, just as a side note, what's the current state of breaking the Ki on new cards - is brute force still possible to use? The latest news about card cloning which I found is from 2004/2005, when the new generation of cards was released (and some counter was limited, so you can't use pure brute force). Because you still need the Ki from your current card - how do you get it?
I hope that on Monday I'll have a chance to talk to some folks and see if we can test it somehow... I don't have an iPhone yet; without GSM functions it's just a quite expensive toy. With GSM it's a quite expensive gadget :))
ozbimmer
07-22-2007, 07:45 PM
I can get the Ki from my carrier's SIM because it's COMP128-V1, which is decryptable (use Woron). However, more recent SIMs use V2 (or a later version) and AFAIK there's no software capable of cracking it.
bluetang
07-22-2007, 11:49 PM
Hi,
I'm wondering what I need in order to do this?
Like what hardware, cables, software to get?
For the hardware and SIM, can someone point to products on websites so I can get the correct item?
iPhive
07-23-2007, 12:00 AM
Maybe I missed some EF's that are needed to register without IMSI...
I think it would be better to do the following:
1. insert Silvercard with IMSI-b, Ki-b and ICCID-a in your normal unlocked phone
2. register to home network, do call out and data services
3. power off phone -> valid LOCI, GPRSLOCI and other EFs are saved to Silvercard
4. change IMSI-b to IMSI-a on Silvercard (use the same 'virtual' SIM storage)
5. insert Silvercard in iphone and activate it using ICCID-a (if not already done)
6. iphone may register to home network...
schalkse
07-23-2007, 02:21 AM
If this method works, will roaming be broken once registering on a foreign network, or not?
Vladimir_CDI
07-23-2007, 12:10 PM
Tried the method exactly as iPhive described - No Service as before. By the way, the SilverCard with ICCID-a, IMSI-b and Ki-b on the iPhone shows me signal strength in spite of "Wrong SIM card".
unlockit
07-23-2007, 01:25 PM
This Ki, ICCID, IMSI stuff is way over my head (but I would like to use my phone as a phone :rolleyes: ), but anyway, maybe it is of some use:
@ vladimir: was the SIM in the phone activated by AT&T (on a prepaid plan)? Because if it's not activated, maybe then the network won't accept it.
@ all: maybe someone with a Silvercard and an activated SIM could try
greets, Charley
I can't try because my AT&T SIM was ruined by AT&T when they tried to activate it on a prepaid plan :mad:
By the way: is there someone who could send me another AT&T SIM from the USA to Germany (if so, PM please)
rdjl27
07-23-2007, 01:29 PM
Tried the method exactly as iPhive described - No Service as before. By the way, the SilverCard with ICCID-a, IMSI-b and Ki-b on the iPhone shows me signal strength in spite of "Wrong SIM card".
Running iASign may just solve that problem... Seems like the last holdup is feeding the phone's software rather than fooling the radio (which you seem to have done).
ozbimmer
07-23-2007, 01:37 PM
it seems everyone is having fun :)
Let's make this more systematic. Why not try all the combinations of IMSI, Ki and ICCID (IMSI-a, IMSI-b, etc) and see which ones work...
Vladimir_CDI
07-23-2007, 03:16 PM
More systematic:
I have an AT&T GoPhone SIM card activated last month (visited the US)
I have my local SIM decompiled with IMSI and Ki extracted - works 101%
I have an iPhone 8G activated via JailBreak + online iASign
What I did (according to iPhive's algo)
1. Read ICCID and IMSI from the AT&T card (Ki is not possible due to COMP128 (V2 or V3)) - this will be IMSI-b and Ki-b
2. Put IMSI-b, Ki-b and ICCID-a (from the AT&T SIM) into the SilverCard (I use the SimEmu 6.01 configurator)
- disable PIN
- put only one cell available on the SilverCard (not all 8 numbers, but only 1)
3. Put the SilverCard into a normal unlocked phone (not the iPhone)
4. Successfully registered on my local network (they do not care about the ICCID)
5. Made a call and a DATA connection via EDGE
6. Switched the phone off
7. Replaced IMSI-b with IMSI-a
8. Put the SilverCard into the iPhone
9. It shows me "NoService" and the symbol "E" at the top (I think this is for EDGE)
10. Try to call - "Call Failed"
Then I tried deactivating the iPhone, did all steps 1-8, then activated again - again no results.
That's all I did - any suggestions welcome
rdjl27
07-23-2007, 04:11 PM
More systematic:
I have an AT&T GoPhone SIM card activated last month (visited the US)
I have my local SIM decompiled with IMSI and Ki extracted - works 101%
I have an iPhone 8G activated via JailBreak + online iASign
What I did (according to iPhive's algo)
1. Read ICCID and IMSI from the AT&T card (Ki is not possible due to COMP128 (V2 or V3)) - this will be IMSI-b and Ki-b
2. Put IMSI-b, Ki-b and ICCID-a (from the AT&T SIM) into the SilverCard (I use the SimEmu 6.01 configurator)
- disable PIN
- put only one cell available on the SilverCard (not all 8 numbers, but only 1)
3. Put the SilverCard into a normal unlocked phone (not the iPhone)
4. Successfully registered on my local network (they do not care about the ICCID)
5. Made a call and a DATA connection via EDGE
6. Switched the phone off
7. Replaced IMSI-b with IMSI-a
8. Put the SilverCard into the iPhone
9. It shows me "NoService" and the symbol "E" at the top (I think this is for EDGE)
10. Try to call - "Call Failed"
Then I tried deactivating the iPhone, did all steps 1-8, then activated again - again no results.
That's all I did - any suggestions welcome
Somebody was working on this... They had similar if not greater success, I'm going to look into that and get back to you.
ozbimmer
07-23-2007, 05:09 PM
More systematic:
I have an AT&T GoPhone SIM card activated last month (visited the US)
I have my local SIM decompiled with IMSI and Ki extracted - works 101%
I have an iPhone 8G activated via JailBreak + online iASign
What I did (according to iPhive's algo)
1. Read ICCID and IMSI from the AT&T card (Ki is not possible due to COMP128 (V2 or V3)) - this will be IMSI-b and Ki-b
2. Put IMSI-b, Ki-b and ICCID-a (from the AT&T SIM) into the SilverCard (I use the SimEmu 6.01 configurator)
- disable PIN
- put only one cell available on the SilverCard (not all 8 numbers, but only 1)
3. Put the SilverCard into a normal unlocked phone (not the iPhone)
4. Successfully registered on my local network (they do not care about the ICCID)
5. Made a call and a DATA connection via EDGE
6. Switched the phone off
7. Replaced IMSI-b with IMSI-a
8. Put the SilverCard into the iPhone
9. It shows me "NoService" and the symbol "E" at the top (I think this is for EDGE)
10. Try to call - "Call Failed"
Then I tried deactivating the iPhone, did all steps 1-8, then activated again - again no results.
That's all I did - any suggestions welcome
Very interesting...
Just a question: did you use the AT&T ICCID (ICCID-a) to activate your phone using jailbreak and iASign?
Also, I wonder why the symbol "E" was shown if there is "No Server".
Vladimir_CDI
07-23-2007, 05:16 PM
Very interesting...
Just a question: did you use the AT&T ICCID (ICCID-a) to activate your phone using jailbreak and iASign?
Also, I wonder why the symbol "E" was shown if there is "No Server".
Yes I use AT&T ICCID to activate iPhone.
iPhive
07-23-2007, 06:12 PM
Vladimir_CDI: thank you for testing and sharing your results
More systematic:
1. Read ICCID and IMSI from the AT&T card (Ki is not possible due to COMP128 (V2 or V3)) - this will be IMSI-b and Ki-b
The later part of your post makes more sense to me if you meant "this will be IMSI-a and Ki-a".
Remember: I use the nomenclature that ozbimmer has introduced in Post #20:
xxx-a : AT&T has IMSI-a (310410...), Ki-a and ICCID-a
xxx-b : your own carrier in your country is IMSI-b, Ki-b and ICCID-b
I have neither an iPhone nor an AT&T SIM.
I only have 2 "good old" Sagem phones (not SIM locked), a sim-emu and the original SIM that is emulated.
This is what I have done so far:
1. insert sim-emu with IMSI-b in phone#1 (ICCID-emu != ICCID-b, irrelevant here)
2. register to home network, do call out and data services
3. power off phone -> valid LOCI, GPRSLOCI and other EFs are saved
4. change IMSI-b to IMSI-a (310410...) on sim-emu
5. insert sim-emu in phone#2
6. phone#2 registers to home network using valid LOCI and GPRSLOCI!
Currently I can only speculate why this does not work for the iphone:
1. This is network dependent and works only with my home network (or maybe others?)
2. The iphone always insists in using the IMSI when registering to the network (or only for the first time?)
Any other ideas?
rsivan
07-23-2007, 07:06 PM
Just tried some tests with a half USA, half Italian IMSI, but nothing:
locked or unlocked, but it can't register on the network.
Just for info, read this:
Will we ever unlock the iPhone?
All problems with unlocking lie in the baseband, the radio chipset for the iPhone. The chipset is an S-Gold2, and don't come in the chat and give us links to PapaUtils, we can't use them.
Now the iPhone only has one lock, a network personalization lock. This lock means the MCC (US=310) and the MNC (AT&T=410) must match the first six digits of the SIM card's IMSI. This check is done in the baseband firmware itself. I'm not really sure where yet, but that isn't really relevant.
The only thing standing in the way of an unlock is the baseband. All the other SIM checks are known and can be patched out. We even know the AT command to do the unlock. It's 'AT+CLCK="PN",0,"xxxxxxxx"'. But good luck finding those x's. They are called the NCK, or Network Control Key, and are believed to be unique in everyone's phone. Forget brute force (time impractical) and the obvious entries.
So why can't we just patch the firmware? The firmware, located in the ramdisk at /usr/local/standalone/firmware/ICE03.12.06_G.fls, is signed. See here for what I know about the file. The sig is checked in the baseband bootloader. The updater program, bbupdater, only checks a checksum, which can be changed. The update will take, but then the phone won't boot because the sigs don't match.
I worked two solid days on disassembling the radio fw. I found a few backdoors, but none that would lead to an unlock. If you are *good* with disassembling ARM, PM me for the idb. I've documented a lot of functions pretty well. Although, this firmware is very difficult to work through. I'm 90% sure the password check happens in the function called pwdcheck, but I haven't found it yet. For all I know there could be a simple algorithm to generate the NCKs that I am overlooking.
-geohot
smman
07-23-2007, 08:24 PM
I repeat my doubts about the tests:
The SIM at the top of this thread was proposing 1 base number + 12 (if I remember well) "ghost numbers". So I think that the 1st "number" can be programmed using ALL the exact data of a working AT&T SIM (without mixing with other carriers),
then as the second "ghost" number you can use any other carrier's data.
The only risk is that you can only receive, because when you try to log on to the network to call (and set the ghost number as primary) you are probably subject to another SIM test by the iPhone.
The ghost numbers should work at the same time as the 1st one... as it's advertised.
I hope I was clear enough and have not said a stupid thing.
CROSS OUR FINGERS!
iPhone_eu
07-24-2007, 10:11 AM
After reading this thread and irc discussions, I tried an approach that is somewhat similar (however still different from a Super SIM) with interesting results. I've validated that I'm able to place calls on the local network.
I'm using a (private, do not ask) SIM proxy on a desktop computer to achieve that. This proxy is able to catch APDUs sent to the SIM and responses coming from the SIM, and replace them on the fly. I ran the following pseudo-code on the computer:
On card power up:
    - counter = 0
    - catch ICCID read (3F00/2FE2)
    - catch IMSI read (3F00/7F20/6F07)
On ICCID read:
    - return dummy ICCID (to bypass the registration process)
On IMSI read:
    - if counter < 2
          return dummy AT&T IMSI
          increment counter
    - if counter >= 2
          return the real subscription IMSI
I think this works because the baseband designers made a mistake and dissociated the network lock check from the common radio processing - the IMSI is read several times, old values discarded and not validated against the new ones during the whole session.
Now additional tests need to be done, and to be practical this proxy scheme and associated code would need to be embedded (typically in a SIM form factor with a microcontroller) to avoid carrying a large box with the phone :p. Such proxies may already exist in the wild (not sure about it) - otherwise I think somebody with some electronics design & soldering skills (and a team of ninja lawyers of course) could have a good time :cool:
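To make the failure mode iPhone_eu describes concrete from the defender's side, here is an added Python model (not code from the thread or from any real baseband) of a personalisation check that validates the first IMSI reads and then trusts a later read, beside a hardened version that validates every read and requires them to agree. The SIM is a scripted stub and every value in it is constructed.

```python
"""Toy model of a network-personalisation check with a check-then-use gap.

The flawed variant mirrors the behaviour described in the thread: the lock is
verified against the first IMSI reads, and the IMSI read later for network
registration is used as-is.  The hardened variant re-validates every read and
rejects a SIM whose answers change during the session.  Nothing here talks to
hardware; the SIM is a scripted stub and all values are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List

ALLOWED_PLMNS = ("310410",)  # the MCC+MNC prefix the thread says the lock requires


class SimLocked(Exception):
    """Raised when the personalisation check rejects the session."""


@dataclass
class ScriptedSim:
    """SIM stub answering successive EF_IMSI reads from a script (last value repeats)."""
    script: List[str]
    reads: int = 0
    log: List[str] = field(default_factory=list)

    def read_imsi(self) -> str:
        value = self.script[min(self.reads, len(self.script) - 1)]
        self.reads += 1
        self.log.append(value)
        return value


def lock_check(imsi: str) -> None:
    """Prefix check: the IMSI must begin with an allowed MCC+MNC."""
    if not any(imsi.startswith(p) for p in ALLOWED_PLMNS):
        raise SimLocked("IMSI %s is not in the allowed PLMN set" % imsi)


def flawed_session(sim: ScriptedSim, lock_reads: int = 2) -> str:
    """Lock check bolted on ahead of radio processing: the first `lock_reads`
    IMSI reads are validated, then the IMSI is read once more for network
    registration and used without comparison.  Returns the IMSI sent out."""
    for _ in range(lock_reads):
        lock_check(sim.read_imsi())
    return sim.read_imsi()


def hardened_session(sim: ScriptedSim, lock_reads: int = 2) -> str:
    """Same read pattern, but every value is validated and must equal the
    first one, so answers that change mid-session are rejected."""
    first = sim.read_imsi()
    lock_check(first)
    for _ in range(lock_reads):  # the last iteration is the registration read
        again = sim.read_imsi()
        lock_check(again)
        if again != first:
            raise SimLocked("IMSI changed mid-session: %s -> %s" % (first, again))
    return first


def outcome(session: Callable[[ScriptedSim], str], script: List[str]) -> str:
    """Run one session over a scripted SIM and summarise the result."""
    sim = ScriptedSim(list(script))
    try:
        return "registered:" + session(sim)
    except SimLocked:
        return "locked"


if __name__ == "__main__":
    # Constructed IMSIs: an allowed one, a foreign one, and a SIM that
    # answers the allowed value twice and then switches.
    honest, foreign = ["310410123456789"], ["222011234567890"]
    switching = ["310410123456789", "310410123456789", "222011234567890"]
    for name, script in (("honest", honest), ("foreign", foreign), ("switching", switching)):
        print(name, outcome(flawed_session, script), outcome(hardened_session, script))
```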
renesisx
07-24-2007, 12:37 PM
I think this works because the baseband designers made a mistake and dissociated the network lock check from the common radio processing - the IMSI is read several times, old values discarded and not validated against the new ones during the whole session.
This is great. It means it basically can be "unlocked".
It wouldn't take much for some guys in China or Taiwan to start producing a SIM card that worked like this.
jkenzo
07-24-2007, 03:25 PM
All this stuff sounds really interesting. Basically your iPhone thinks it's an activated AT&T SIM with roaming.. Makes a lot of sense, but what or where exactly do you think the problem is?
Vladimir_CDI
07-24-2007, 03:28 PM
@ iPhone_eu - A solution could be to find the source code for SIM_EMU (or similar) somewhere and add the feature you describe to that software (let's call it iPhone_SIM_EMU) - and that will be the solution for everybody whose carrier uses COMP128 V1 SIMs.
Idea number 2 - ask the owner of SIM-EMU-6.01 to recompile this special edition of SIM-EMU only for iPhone users; for sure we can pay for that.
By the way - can you please tell us a little bit more about your positive result (I mean the call)? Is it stable?
Shade.sh
07-24-2007, 03:35 PM
Hi all,
has anyone in here already looked at the new "Nokia BB5" hacks? There are hardware _and_ software hacks spreading around; most of them are from Serbia. Someone in here already posted a link to the homepage of a guy that already *cracked* the BB5 security. The most interesting point here is that this guy released a "BB5 generator". So, I'm not a hardware or software reverse engineering freak. I only played a little with the PSP hardware and its firmware. But I think this BB5 hack could be interesting for the unlock progress of the iPhone.
Edit: Could it be (I know, that's a n00bish question) that the BB5 algo. is the same on every phone? I mean OK, it's generated by IMEI etc., but the main algo. *could* be the same?! Is the hardware of the iPhone already analyzed and ready for a "hardware attack"? I mean something like hardware sniffing with a fast FPGA between the main components which calculates the NCK?
Just my 5 cents
Shade
jkenzo
07-24-2007, 03:43 PM
Hi all,
has anyone in here already looked at the new "Nokia BB5" hacks? There are hardware _and_ software hacks spreading around; most of them are from Serbia. Someone in here already posted a link to the homepage of a guy that already *cracked* the BB5 security. The most interesting point here is that this guy released a "BB5 generator". So, I'm not a hardware or software reverse engineering freak. I only played a little with the PSP hardware and its firmware. But I think this BB5 hack could be interesting for the unlock progress of the iPhone.
Just my 5 cents
Shade
Go to irc and ask the gurus if this may help!
rsivan
07-24-2007, 03:50 PM
I just sent an email this morning to the simemu creator to take a look at this post and, if possible, insert a routine for the trick as said before. I'm awaiting an answer.
jkenzo
07-24-2007, 03:58 PM
Peeps, I have found an interesting forum that has a lot of wise people hacking SIMs!!!
http://forum.gsmhosting.com/vbb/forumdisplay.php?f=70
I hope that someone can contact them; I tried to bring them in here! Let's see what happens.. And good luck!
rsivan
07-24-2007, 06:15 PM
Here, from the creator of KI scan, the source code (.asm) for Silvercard is available
for a working SIM card emulator.
Can someone also modify this and try to insert the dummy IMSI call?
http://users.net.yu/~dejan/
sinner63
07-25-2007, 02:31 AM
1. Read ICCID and IMSI from the AT&T card (Ki is not possible due to COMP128 (V2 or V3)) - this will be IMSI-b and Ki-b
2. Put IMSI-b, Ki-b and ICCID-a (from the AT&T SIM) into the SilverCard (I use the SimEmu 6.01 configurator)
- disable PIN
- put only one cell available on the SilverCard (not all 8 numbers, but only 1)
3. Put the SilverCard into a normal unlocked phone (not the iPhone)
4. Successfully registered on my local network (they do not care about the ICCID)
5. Made a call and a DATA connection via EDGE
6. Switched the phone off
7. Replaced IMSI-b with IMSI-a
8. Put the SilverCard into the iPhone
9. It shows me "NoService"
I have an Iphone4G activated via iActivator
The iPhone shows the message Searching.... "Waiting for AT&T activation This may activated some time"
jkenzo
07-25-2007, 05:14 PM
News around here?! Progress?! Question about the Silver Card: I have found a few sellers, but this card looks like the SIM chip is on a card the size of a credit card. Because I haven't seen this process, I ask myself how you can remove this chip to use it in your phone?!
Sassha
07-25-2007, 05:54 PM
News around here?! Progress?! Question about the Silver Card: I have found a few sellers, but this card looks like the SIM chip is on a card the size of a credit card. Because I haven't seen this process, I ask myself how you can remove this chip to use it in your phone?!
You must cut it into the shape of a SIM with scissors... ;)
jkenzo
07-25-2007, 06:19 PM
Are you joking?
Sassha
07-25-2007, 06:30 PM
Are you joking?
No!
Cutting a SIM card: http://www.mobileshop.org/usertech/simcutting.htm
Vladimir_CDI
07-25-2007, 07:08 PM
Hi everybody. Thanks to rsivan I found the SIM_EMU source code on http://users.net.yu/~dejan/. Spent 12 hours looking for an appropriate assembler and correcting errors. Finally translated it to hex and put the code into the Silver Card. With a VERY OLD Nokia 6150 this SIM_EMU works perfectly; it takes 0.5 seconds to find the carrier. But with ANY NEW phone: "Wrong or absent SIM". I think this source code is for very old GSM SIMs. The iPhone said "No SIM", so my try to use iPhone_eu's idea was unsuccessful. The idea was to change the IMSI response from the SIM card the first two times to IMSI-a and the rest to IMSI-b, but for sure we need a more recent source code of SIM-EMU. I'm far from the idea that anybody who has such code will distribute it.
But let's try.
SIM_EMU 6.01 works perfectly on the iPhone and I think the code creator could help us. The last chance is to disassemble SIM_EMU and try to understand where the shiny call "Send IMSI" is. To do that you need to be VERY experienced with PIC16F8x programming... this is not me, for sure.
By the way, in the .asm SIM-EMU code found on http://users.net.yu/~dejan it was very easy to find the place where I can change or replace the IMSI, due to very good comments:
cmp sel_f2,7h ;IMSI file (EF_IMSI, 6F07) selected?
jnz no_imsi
clrf ee_adr_h
movlf ee_adr_l,_imsi ;EEPROM address of the IMSI record for provider 0
call block_file ;select appropriate IMSI
jmp no_kc
block_file: movf prov_num,w ;w = prov_num
addwf prov_num,w ;w = prov_num * 2
movwf r6
rlf r6 ;r6 = prov_num * 4 (rotate through carry)
rlf r6,w ;w = prov_num * 8
addwf prov_num,w ;w=prov_num * 9
addwf ee_adr_l ;ee_adr += prov_num * 9 (one 9-byte IMSI record per provider slot)
btfsc status,c
incf ee_adr_h ;propagate the carry into the high address byte
ret
If anybody could find a recent (year 2002 at least) SIM EMU source code, I can try again.
iPhive
07-27-2007, 06:19 PM
Finally I have got my hands on an iphone with AT&T SIM!
I use the nomenclature that ozbimmer has introduced in Post #20:
xxx-a : AT&T has IMSI-a (310410...), Ki-a and ICCID-a
xxx-b : your own carrier in your country is IMSI-b, Ki-b and ICCID-b
I can confirm that the following works for IPHONE too:
1. insert sim-emu with IMSI-b, Ki-b and ICCID-a in your normal unlocked phone
2. register to home network, do call out and data services
3. power off phone -> valid LOCI, GPRSLOCI and other EFs are saved
4. change IMSI-b to IMSI-a (310410...) on sim-emu
5. insert sim-emu in iphone
6. iphone registers to home network using valid LOCI and GPRSLOCI!
After all done, this works:
Call out: yes
Call in : no
SMS out : yes (SMSC must be set)
SMS in : yes
Browse over EDGE: yes (apn must be set)
YouTube : no
Important: ICCID-a must correspond to IMSI-a, as stated here:
Also I have noticed something interesting about the iPhone AT&T SIM's ICCID and IMSI. Not sure if it's just a coincidence. Maybe someone could check it:
Suppose my ICCID is like this: 123456789ABCDEFGHIJK
and my IMSI is like this: ABCDEFGHIJKLMNOPQR
For the IMSI: AB is usually 08, CDEFGH is the MCC/MNC, and the rest is the MSIN (IJKLMNOPQR).
I just noticed that this part of the ICCID (BCDEFGHIJ) is the same as this part of the IMSI (JILKNMPORQ - a reversed bit of IJKLMNOPQR) - interesting, huh?
...or else you get 'failed call'.
Note: since my home operator does not use COMP128 v1, I cannot use the Silver Card.
I use a sim-emu that is similar to the proxy that iPhone_eu has, and it is not portable either (so do not ask about it).
parkertseng
07-28-2007, 07:25 PM
hi iphive!
Since you said the carrier you intend to use is not using v1 cards, it must be either v2 or v3, right? Also, I believe the SIM card that comes with the iPhone is also either v2 or v3. Then how do you extract their Ki? I always had this problem when I tried to extract their Ki! Really need this!
iPhive
07-29-2007, 01:27 PM
Hi parkertseng,
I don't know which algorithm my home operator or AT&T use for authentication.
There is no need to extract the Ki for my tests.
When it comes to the authentication with the gsm network, the proxy routes the authentication request from the sim-emu to the original SIM card. The SIM card calculates the correct response and sends it back (through the proxy) to the sim-emu.
-> Authentication successful without knowing Ki of the SIM.
The huge drawback of this lab experiment is that you always must have sim-emu, original SIM and PC/Notebook (running proxy software) with you. So this is just a proof of concept and far away from a portable solution.
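The relay iPhive describes, written out as an added example. This is not iPhive's code (it was never published) and not SIM_EMU: a toy emulator serves file reads itself but forwards RUN GSM ALGORITHM and the GET RESPONSE that follows it (TS 51.011 class A0 APDUs) to a stand-in for the original card, so the network challenge is answered correctly while the emulator never holds Ki. The stand-in card derives SRES/Kc with HMAC-SHA256; that is an assumption made so the example runs offline, not the card's real A3/A8. The Ki, RAND and EF_IMSI bytes are constructed.

```python
"""Toy SIM proxy: file reads answered locally, authentication relayed to the
real card. Constructed example for the thread, not SIM_EMU or iPhive's code."""
import hashlib
import hmac

# (CLA, INS) of the TS 51.011 commands used here; P1/P2/Lc follow in the APDU.
SELECT, READ_BINARY = (0xA0, 0xA4), (0xA0, 0xB0)
RUN_GSM_ALGORITHM, GET_RESPONSE = (0xA0, 0x88), (0xA0, 0xC0)


class RealCard:
    """Stand-in for the carrier SIM sitting in the PC reader: Ki never leaves it."""

    def __init__(self, ki: bytes):
        self._ki = ki
        self._pending = b""

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2 = apdu[:4]
        # A0 88 00 00 10 <RAND[16]>: compute SRES||Kc, report 12 bytes available.
        if (cla, ins) == RUN_GSM_ALGORITHM and (p1, p2) == (0, 0) and apdu[4] == 0x10 and len(apdu) == 21:
            rand = apdu[5:21]
            mac = hmac.new(self._ki, rand, hashlib.sha256).digest()  # stand-in for A3/A8 (assumption)
            self._pending = mac[:4] + mac[4:12]                      # SRES (4 bytes) || Kc (8 bytes)
            return b"\x9f\x0c"
        if (cla, ins) == GET_RESPONSE and self._pending:
            data, self._pending = self._pending, b""
            return data + b"\x90\x00"
        return b"\x6d\x00"                                           # INS not supported


class ProxySimEmu:
    """Emulator that owns the files (here only EF_IMSI, file id 6F07) but no Ki."""

    def __init__(self, ef_imsi: bytes, real_card: RealCard):
        self.files = {0x6F07: ef_imsi}
        self.selected = None
        self.backend = real_card
        self.forward_next = False  # the GET RESPONSE after a relayed auth belongs to the card too

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2 = apdu[:4]
        if (cla, ins) == RUN_GSM_ALGORITHM:
            self.forward_next = True
            return self.backend.transmit(apdu)
        if (cla, ins) == GET_RESPONSE and self.forward_next:
            self.forward_next = False
            return self.backend.transmit(apdu)
        if (cla, ins) == SELECT and apdu[4] == 2:          # SELECT by 2-byte file id
            fid = int.from_bytes(apdu[5:7], "big")
            if fid not in self.files:
                return b"\x94\x04"                          # file id not found
            self.selected = fid
            return b"\x90\x00"  # a real card answers 9F xx and expects GET RESPONSE for the header; omitted
        if (cla, ins) == READ_BINARY and self.selected is not None:
            offset, le = (p1 << 8) | p2, apdu[4] or 256
            return self.files[self.selected][offset:offset + le] + b"\x90\x00"
        return b"\x6d\x00"


def run_gsm_algorithm(card, rand: bytes) -> tuple[bytes, bytes]:
    """The two-APDU exchange a phone performs for GSM authentication; returns (SRES, Kc)."""
    if len(rand) != 16:
        raise ValueError("RAND is 16 bytes")
    sw = card.transmit(bytes([*RUN_GSM_ALGORITHM, 0x00, 0x00, 0x10]) + rand)
    if sw[0] != 0x9F:
        raise RuntimeError(f"RUN GSM ALGORITHM refused: {sw.hex()}")
    resp = card.transmit(bytes([*GET_RESPONSE, 0x00, 0x00, sw[1]]))
    if resp[-2:] != b"\x90\x00":
        raise RuntimeError(f"GET RESPONSE failed: {resp.hex()}")
    return resp[:4], resp[4:12]


if __name__ == "__main__":
    # Constructed values: a made-up Ki, an AT&T-format EF_IMSI (08 39 01 14 ...) and a fixed RAND.
    real = RealCard(ki=bytes.fromhex("00112233445566778899aabbccddeeff"))
    proxy = ProxySimEmu(bytes.fromhex("083901141032547698"), real)
    sres, kc = run_gsm_algorithm(proxy, bytes(range(16)))
    print("SRES", sres.hex(), "Kc", kc.hex(), "Ki on emulator:", hasattr(proxy, "_ki"))
```

The emulator only has to recognise the A0 88 header and remember that the next GET RESPONSE belongs to the card; everything else (SELECT, READ BINARY on EF_IMSI) it answers from its own storage, which is why the IMSI it reports and the Ki that answers the challenge can come from two different cards. This is exactly the dependency iPhive calls the huge drawback: the original card has to stay reachable for every authentication.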
JohnBond
07-29-2007, 01:37 PM
Wouldn't it be possible to have this SIM proxy running as a process on the iPhone itself?
Hi iPhive,
Did you use your hardware to validate the original iPhone_eu theory as well? (2 fake AT&T IMSIs, then the subscription IMSI, without SIM swapping)
iPhive
07-29-2007, 03:02 PM
@JohnBond:
I don't know, please ask the dev team.
@Zf_:
No, not yet. I had to give back the iphone I used for this...
The problem with this method might be that you don't know exactly when you have to reset the counter.
Vladimir_CDI
08-04-2007, 04:33 PM
Hello to everyone who is still interested in the OZ method. I offer you the OZ method, 2nd generation, for trying.
If somebody is interested in the iPhone-modified SIM-EMU 6.01, you can download the Silver Card files from here:
http://www.rap*****re.com/files/46938469/SIM_EMU_6.01_iPhone.rar
You just need to program these files to your Silver Card, then change the IMSI and Ki in position number 0 to your subscription and put your iPhone's AT&T SIM ICCID and IMSI in position number 9. Then disable PIN1.
If you want SMS, you need to change your Service Center number in position 0 as well.
Then put the Silver Card into the iPhone and you will not need to take it out anymore.
One simple change is made compared to the original SIM_EMU 6.01: the first two reads of the IMSI will come from position 9, and then from position 0.
I'm not sure that it will work on your carriers, but it works on mine. Actually I need your feedback on whether it works or not.
**** IMPORTANT: your iPhone must be jailbroken and activated using the same ICCID that you are going to put on the SIM-EMU Silver Card (IMSI-9 must correspond to the ICCID)
Sassha
08-04-2007, 05:16 PM
Hello to everyone who is still interested in the OZ method. I offer you the OZ method, 2nd generation, for trying.
If somebody is interested in the iPhone-modified SIM-EMU 6.01, you can download the Silver Card files from here:
http://**********.com/files/46917320/SIM_EMU_6.01_iPhone.rar
You just need to program these files to your Silver Card, then change the IMSI and Ki in position number 0 to your subscription and put your iPhone's AT&T SIM ICCID and IMSI in position number 9. Then disable PIN1.
If you want SMS, you need to change your Service Center number in position 0 as well.
Then put the Silver Card into the iPhone and you will not need to take it out anymore.
One simple change is made compared to the original SIM_EMU 6.01: the first two reads of the IMSI will come from position 9, and then from position 0.
I'm not sure that it will work on your carriers, but it works on mine. Actually I need your feedback on whether it works or not.
**** IMPORTANT: your iPhone must be jailbroken and activated using the same ICCID that you are going to put on the SIM-EMU Silver Card (IMSI-9 must correspond to the ICCID)
Doesn't work for me... "Incorrect SIM"... Pity... :(
JuniorJack
08-04-2007, 06:10 PM
Hello to everyone who is still interested in the OZ method. I offer you the OZ method, 2nd generation, for trying.
If somebody is interested in the iPhone-modified SIM-EMU 6.01, you can download the Silver Card files from here:
http://**********.com/files/46917320/SIM_EMU_6.01_iPhone.rar
You just need to program these files to your Silver Card, then change the IMSI and Ki in position number 0 to your subscription and put your iPhone's AT&T SIM ICCID and IMSI in position number 9. Then disable PIN1.
If you want SMS, you need to change your Service Center number in position 0 as well.
Then put the Silver Card into the iPhone and you will not need to take it out anymore.
One simple change is made compared to the original SIM_EMU 6.01: the first two reads of the IMSI will come from position 9, and then from position 0.
I'm not sure that it will work on your carriers, but it works on mine. Actually I need your feedback on whether it works or not.
**** IMPORTANT: your iPhone must be jailbroken and activated using the same ICCID that you are going to put on the SIM-EMU Silver Card (IMSI-9 must correspond to the ICCID)
Hi,
Thanks for sharing. I have all the needed equipment, will try tomorrow morning and will report back.
Regards
rsivan
08-04-2007, 07:42 PM
Registered with TIM Italy, works well, EDGE too!!!
BIG!
Please make sure to test incoming calls (answer them & all). That's the critical step to know if your registration has been done properly :)
rsivan
08-04-2007, 10:15 PM
Confirmed, on TIM Italy it works:
data, SMS, calls in and out.
I have upgraded the iPhone software to 1.01 and there is a new menu,
General > Network > EDGE (thanks to Apple),
that lets you change the access point; I used mine, "ibox.tim.it".
I asked vladimir_cdi to make a mod to reset the magic counter ("fake IMSI") when you select another position, and also to make it possible to change the number position without restarting the iPhone, because if I log in with another number the EDGE access point needs to be set again every time.
I'm waiting for an answer.
I will test my iPhone on my network from now on, 24h non-stop (so far all OK).
eddy123
08-04-2007, 10:25 PM
Registered with TIM Italy, works well, EDGE too!!!
BIG!
:D Time to share the experience and the steps you have so far :D
mikaella
08-05-2007, 12:38 AM
@rsivan:
It would be cool if you could post some sort of step-by-step tutorial of what you did. I want to try this on Vodafone RO and Orange RO.
Thanks!
zeta00
08-05-2007, 08:53 AM
Did anyone try it on a 32k AT&T SIM?
ipino
08-05-2007, 12:36 PM
Hi,
I can't seem to download the .rar file, as the URL displayed is full of asterisks:
http://**********.com/files/46917320....01_iPhone.rar
What is the correct URL to download this file?
hussainahm
08-05-2007, 12:45 PM
Hi,
I can't seem to download the .rar file, as the URL displayed is full of asterisks:
http://**********.com/files/46917320....01_iPhone.rar
What is the correct URL to download this file?
Replace the asterisks with rapid share (1 word, no space).
uby64braz
08-05-2007, 01:07 PM
Sorry, rapid share is the name of the website, but what is the name of the file??
Vladimir_CDI
08-05-2007, 02:43 PM
Sorry, rapid share is the name of the website, but what is the name of the file??
Find my first post on page 7.
RVN84
08-05-2007, 03:54 PM
Hi Vlad and others, this is great progress. I'm about to purchase the Silver Card from ucables, but from the pictures it looks like they are large credit-card-size cards, like for SatTV decoders. Is that the correct item to buy???
I'd very much appreciate some guidance, as I'm sure others would too... I'm comfortable with all the steps discussed here and on the other thread, but I need to buy the right stuff, as I'm going to be testing it in Brazil... Anyway, a recommendation of tested working cards and reader/writers would be great. I need it to be sent to the US so I can have a friend of mine bring it to Brazil for me this week.
Best & thanks!
rsivan
08-05-2007, 04:09 PM
Do not buy from ucables!
They have stolen code from the creator to sell programmed cards.
You can find them cheap on eBay, just search,
or go to http://www.gsmhosting.com/vbb/index.php
rsivan
08-05-2007, 04:16 PM
You need to activate the iPhone using the ICCID from your cloned SIM, and this same ICCID needs to be programmed on the SIM-EMU card.
For info: the ICCID is only used by the phone and will never be transmitted over the GSM network.
The data used on the GSM network are the IMSI and Ki; if you have both, you have successfully cloned the SIM.
For all:
only COMP128 v1 SIMs can be cloned.
For Italy, my country:
TIM yes, old SIMs up to 32k
Vodafone yes, but only old Omnitel SIMs
Wind no way
H3G no way
RVN84
08-05-2007, 05:46 PM
Do not buy from ucables!
They have stolen code from the creator to sell programmed cards.
You can find them cheap on eBay, just search,
or go to http://www.gsmhosting.com/vbb/index.php
Hi rsivan, I can't find any on American eBay... I tried all sorts of search words, nothing for infinity usb... :(
Anyway, I looked under gsmforums, and there is a lot of mention of the infinity-box, but from the pictures it isn't the same thing??? I also couldn't find this particular item on any of the listed stores... if you have any idea where to find this, it'll be greatly appreciated. Thanks!
rsivan
08-05-2007, 05:53 PM
Hi rsivan, I can't find any on American eBay... I tried all sorts of search words, nothing for infinity usb... :(
Anyway, I looked under gsmforums, and there is a lot of mention of the infinity-box, but from the pictures it isn't the same thing??? I also couldn't find this particular item on any of the listed stores... if you have any idea where to find this, it'll be greatly appreciated. Thanks!
http://www.cardman.com/cards.html
or
http://www.todotarjetas.com/index2.htm
Vladimir_CDI
08-05-2007, 06:21 PM
I haven't understood a thing: do we have to jailbreak and activate the iPhone with the AT&T SIM or with the other SIM?
After some checks, and special thanks to rsivan, we found that IMSI-a (placed in position 9) does not affect the ICCID and vice versa. So you can put ANY ICCID you want on the SuperSIM. What is important is that the ICCID must be the same one you used during activation of your iPhone using iASign or iActivator.
Important: IMSI-a must be an AT&T IMSI, as far as I tested.
Any IMSI "compliant" with the SIM lock should do the trick,
i.e. your format should be (hex) 08 39 01 14 x0 xx xx xx xx
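How the two files that keep coming up in this thread are actually coded on a SIM, as an added example rather than anything from the thread or from SIM_EMU. The raw shape quoted just above (08 39 01 14 x0 ...) is the 3GPP TS 51.011 coding of EF_IMSI (file 6F07): a length byte, then the first digit with a parity nibble, then the remaining digits two per byte with the low nibble first; EF_ICCID (2FE2) is plain nibble-swapped BCD. The block encodes and decodes both (which is what you need when filling SIM-EMU positions 0 and 9 by hand, and what lets you check iPhive's ICCID/IMSI observation on your own card), Luhn-checks a typed ICCID, and models the one behavioural change Vladimir_CDI describes: the first two reads of EF_IMSI answered from slot 9, every later read from slot 0, with the counter reset rsivan asks for. The IMSI and ICCID values in the code are constructed, the stand-in class is not the PIC firmware, and nothing here touches Ki.

```python
"""EF_IMSI / EF_ICCID coding (TS 51.011) and a toy model of the two-read IMSI
trick. Constructed example for the thread; not SIM_EMU code."""


def encode_imsi(imsi: str) -> bytes:
    """IMSI digits -> 9-byte EF_IMSI: length byte; digit 1 in the high nibble of
    the next byte with the parity nibble (9 = odd digit count, 1 = even) in its
    low nibble; remaining digits two per byte, low nibble first; 'F' fills the
    last high nibble when the count is even; unused bytes are FF."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6..15 decimal digits")
    odd = len(imsi) % 2 == 1
    digits = imsi if odd else imsi + "F"
    body = [int(digits[0], 16) << 4 | (0x9 if odd else 0x1)]
    for lo, hi in zip(digits[1::2], digits[2::2]):
        body.append(int(hi, 16) << 4 | int(lo, 16))
    return (bytes([len(body)]) + bytes(body)).ljust(9, b"\xff")


def decode_imsi(ef: bytes) -> str:
    """Inverse of encode_imsi, e.g. 08 39 01 14 ... -> '310410...'."""
    body = ef[1:1 + ef[0]]
    odd = bool(body[0] & 0x8)
    digits = [f"{body[0] >> 4:X}"]
    for b in body[1:]:
        digits += [f"{b & 0xF:X}", f"{b >> 4:X}"]
    if not odd and digits.pop() != "F":
        raise ValueError("even-length IMSI without F filler")
    return "".join(digits)


def encode_iccid(iccid: str) -> bytes:
    """ICCID digits -> 10-byte EF_ICCID: two digits per byte, the first of each
    pair in the low nibble; a 19-digit ICCID gets an 'F' filler at the end."""
    if not iccid.isdigit() or len(iccid) not in (19, 20):
        raise ValueError("ICCID must be 19 or 20 decimal digits")
    d = iccid.ljust(20, "F")
    return bytes(int(d[i + 1], 16) << 4 | int(d[i], 16) for i in range(0, 20, 2))


def decode_iccid(ef: bytes) -> str:
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in ef[:10]).rstrip("F")


def luhn_ok(number: str) -> bool:
    """ITU-T E.118 ICCIDs end in a Luhn check digit; this catches a typo when
    the ICCID is copied by hand into the emulator's configuration."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class ImsiSlotEmu:
    """Model of the two-read trick: slot 0 holds the subscription IMSI, slot 9
    the lock-compliant (310410...) IMSI. The first FAKE_READS reads of EF_IMSI
    are answered from slot 9, all later ones from slot 0. Ki handling, the
    APDU layer and the real PIC firmware are deliberately not modelled."""
    FAKE_READS = 2

    def __init__(self, subscription_imsi: str, lock_imsi: str, iccid: str):
        if not luhn_ok(iccid):
            raise ValueError("ICCID fails the Luhn check")
        self.slots = {0: encode_imsi(subscription_imsi), 9: encode_imsi(lock_imsi)}
        self.ef_iccid = encode_iccid(iccid)  # must equal the ICCID used at activation
        self.reads = 0

    def read_imsi(self) -> bytes:
        self.reads += 1
        return self.slots[9 if self.reads <= self.FAKE_READS else 0]

    def reset(self) -> None:
        """The 'magic counter' reset requested for switching positions."""
        self.reads = 0


if __name__ == "__main__":
    # Constructed values: a test-PLMN (001 01) subscriber IMSI, an AT&T-format
    # lock IMSI and a sample ICCID; none belongs to a real subscriber.
    emu = ImsiSlotEmu("001010123456789", "310410123456789", "89014103211118510720")
    print("EF_IMSI slot 9:", emu.slots[9].hex())
    print("EF_ICCID      :", emu.ef_iccid.hex())
    for n in range(1, 4):
        print(f"read {n}: {decode_imsi(emu.read_imsi())}")
```

Running it prints the slot-9 record as 083901141032547698, the same 08 39 01 14 x0 shape quoted above with x being digit 7 of the IMSI, and shows reads 1 and 2 returning the 310410 IMSI and read 3 the subscription IMSI. To repeat iPhive's comparison on a real card, decode both files and line up the decoded digits rather than the raw hex: the nibble swapping is what makes the raw strings look pairwise reversed.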
deepdark
08-05-2007, 06:40 PM
Hey admin, please sticky this thread to make a place for SIM clone.
Thanks
ozbimmer
08-05-2007, 07:14 PM
deepdark: don't waste your effort my friend, I don't think the admin here would put it as a sticky given their opinion on SIM cloning...
deepdark
08-05-2007, 07:31 PM
deepdark: don't waste your effort my friend, I don't think the admin here would put it as a sticky given their opinion on SIM cloning...
Hmm, why are they ignoring us? We are just 5-6 people who succeeded with the SIM clone on the iPhone in Europe. As I see it, we are not so bad; we want to help others and we want to make other projects for v2 cards. What if the dev team gets stuck somewhere? I hope that will not happen, but who knows, then they will turn to SIM clone.
Thanks
ozbimmer
08-05-2007, 07:40 PM
Agreed with you deepdark... should keep an open mind... but at the moment the "SIM clone" method is not one of those that has a good potential to succeed (considering the legal aspect of such a method).
Oh, BTW deepdark, given your experience, what do you think of using this device http://www.magicsim.com/cn/sim/UploadFile/200741418293835239.jpg , incorporating Vlad's algorithm, to enable both AT&T and local carrier SIM cards to be used, and bypass the potential problem with SIM cloning?
garyz88
08-05-2007, 07:45 PM
MagicSim allows you to cut your original SIM cards to a tiny size, and to plug 2 tiny-sized SIM cards into a specially designed "mother" SIM.
http://img.eprice.com.tw/img/acc/b/645.jpg
The mother SIM contains a PIC (12F8XX series) to control the swapping of SIM cards.
My idea is: could we re-program the on-board 12F8XX PIC with the Vlad/OZ idea?
If it works... then no matter what version your SIM is... COMP128 v1, v2, v3, we can enjoy the SIM unlocking method.
I have ordered one (just US$10), it will arrive in 2 days, and I will try to disassemble the onboard PIC and reprogram it with Vlad's idea. Let's see what we can get...
ozbimmer
08-05-2007, 07:48 PM
garyz88: good idea...this has been suggested in the original thread and also among other related threads.
garyz88
08-05-2007, 07:58 PM
garyz88: good idea...this has been suggested in the original thread and also among other related threads.
BTW, I really need help from Vlad, since I didn't get the full idea of his work.
And I'm poor at PIC disassembly.
I merged together 3 threads with the same/similar topic.
pendalf
08-05-2007, 08:01 PM
MagicSim allows you to cut your original SIM cards to a tiny size, and to plug 2 tiny-sized SIM cards into a specially designed "mother" SIM.
http://img.eprice.com.tw/img/acc/b/645.jpg
The mother SIM contains a PIC (12F8XX series) to control the swapping of SIM cards.
My idea is: could we re-program the on-board 12F8XX PIC with the Vlad/OZ idea?
If it works... then no matter what version your SIM is... COMP128 v1, v2, v3, we can enjoy the SIM unlocking method.
I have ordered one (just US$10), it will arrive in 2 days, and I will try to disassemble the onboard PIC and reprogram it with Vlad's idea. Let's see what we can get...
What's the difference between v1, v2 and v3 cards?
Can you see the difference from what the card looks like?
ozbimmer
08-05-2007, 08:04 PM
Thanks, sam.
garyz88: originally you said you were going to re-program the onboard PIC, and now you tell me you are poor at PIC disassembly... Vlad, someone needs your help...
pendalf: AFAIK no difference externally.
rsivan
08-05-2007, 08:20 PM
Here is a PIC disassembler and emulator:
http://www.oshonsoft.com/picsimulatoridesetup.exe
pendalf
08-05-2007, 08:23 PM
Thanks, sam.
garyz88: originally you said you were going to re-program the onboard PIC, and now you tell me you are poor at PIC disassembly... Vlad, someone needs your help...
pendalf: AFAIK no difference externally.
Thanks oz.
But again, I can't find the part where receiving calls happened.
I read your thread, oz; till page 37 nobody can receive calls, and then recently it works...
oz, very briefly, what happened, was it the mailbox?
:confused:
I just want to know, that's all.
garyz88
08-05-2007, 08:28 PM
garyz88: originally you said you were going to re-program the onboard PIC, and now you tell me you are poor at PIC disassembly... Vlad, someone needs your help...
:) I just got PIC programming experience at university age... a very long time ago.
Anyway, 2 concerns that I'm worrying about:
1. I have seen some posts and reviews on MagicSim; it's a little bit thicker than the original SIM card, so it may be troublesome to insert it into the iPhone (we will get the answer in 2 days when I get the MagicSIM).
2. I just read some posts from some *.ru website: the onboard chip is a 12F6XX series PIC. However, no one is 100% sure. Anyway, I will try to read its program and see if any luck exists :)
To Vlad, if you need the MagicSim and you have some idea, I can mail 1-2 to you for free. Just PM me.
ozbimmer
08-05-2007, 08:39 PM
I have already tried the MagicSim; it fits into the iPhone without problem but is a little hard to pull out...
If only I knew how to program the IC... BTW, I couldn't see any markings on the PIC; they have been removed deliberately.
garyz88
08-05-2007, 08:45 PM
Do you have a PIC programmer? Can you read it as a 12F6XX series?
ozbimmer
08-05-2007, 08:47 PM
You need to enlighten me... I have a PIC programmer for my Silver Card, but would it read the PIC on the MagicSim?
Is there any way to determine if you have a COMP128 v1 SIM card without a SIM card reader? Is there a list somewhere which shows which cell providers are on which version of the cards? As I understand it, if you try to extract the Ki from a COMP128 v2/v3 card you'll destroy it? Thanks :)
ozbimmer
08-05-2007, 09:02 PM
Don't know if there's a list, and I don't think it would be available to the public.
Well, I have some v2 cards; I tried to extract the Ki using WoronScan -> no go, as it says it's not a v1 card, so there's no way I could "destroy" it. Tried it using other SIM clone software; the Ki extraction continued for a long while, obviously no Ki; put the SIM back and it still works :)
garyz88
08-05-2007, 09:07 PM
You need to enlighten me... I have a PIC programmer for my Silver Card, but would it read the PIC on the MagicSim?
I don't think so. But you can give IC-Prog a try.
iMags
08-05-2007, 09:12 PM
I can't find any Silver Cards on eBay, but can I use this (http://ucables.com/ref/SIM-MAX-12) SIM card reader, and can I also use the "SIM-MAX" card as a Silver Card?
Can I use a Gold Card (http://mobtech.no/catalog/product_info.php?cPath=1&products_id=97)?
deepdark
08-06-2007, 07:15 PM
Has anyone tried to clone the AT&T sim to a super sim. A super sim allows you to essentially have up to 12 or so sim cards on one master sim. So you'd remove the AT&T sim, clone it to the super sim and repeat the process with the sim you want it to work with. The iPhone will still think it's an AT&T sim but whether it would grumble when you switched over to your other carrier I don't know. A long shot but maybe worth a try. Anyone have a super sim? You can buy them for a few quid on eBay such as here:
http://cgi.ebay.co.uk/12-IN-1-SIM-CARD-CLONE-COPY-BACKUP-DUPLICATE-WRITE-EDIT_W0QQitemZ220131704678QQihZ012QQcategoryZ43805 QQrdZ1QQcmdZViewItem
I have this card; also I have a SIM with an emu already installed. No way :( it's not working. Only SIM-EMU and the Silver Card.
jadajada
08-06-2007, 08:20 PM
Two questions, if I decide to try this:
1. My SIM card is relatively new; could it still be a "usable" and "cloneable" card (1.0)? Or are the chances small?
2. I could find out for myself; I have an Infinity Phoenix card programmer, but the SIM is so small, and the programmer takes full-sized cards. Is there some kind of adapter one could use?
deepdark
08-06-2007, 08:26 PM
Two questions, if I decide to try this:
1. My SIM card is relatively new; could it still be a "usable" and "cloneable" card (1.0)? Or are the chances small?
2. I could find out for myself; I have an Infinity Phoenix card programmer, but the SIM is so small, and the programmer takes full-sized cards. Is there some kind of adapter one could use?
If it is new, 99% it is v2 or v3, so no clone, but if you can find an old one then do it like I wrote here:
http://www.hackint0sh.org/forum/showthread.php?t=2252
jadajada
08-06-2007, 08:37 PM
Is there some kind of real-size template I can use to cut out the space for the SIM? I have an old M2 card I can use as an adapter, but I have to know where to cut...
balibalopro
08-07-2007, 01:28 AM
Hello, I tried to make a SuperSIM but I have a problem: PIN 1 is blocked and PUK 1 is blocked. How can I unblock PIN 1 and PUK 1?
Thanks
jgarland79
08-14-2007, 01:53 PM
I have the Silver Cards needed for this method here:
http://cgi.ebay.com/ws/eBayISAPI.dll...m=130143234910
$20 USD each
International shipments are sent via FedEx International Priority