Mail.app - IMAP Niggles
I’d always used a single email account and tried, wherever possible, to keep any other accounts completely separate from one another. At work I now find myself using two IMAP accounts, one for work and one personal account. Setting the accounts up is a doddle, but I noticed that messages I was sending from my work account were not getting stored in that account’s Sent mailbox. After some fiddling I found that to have messages sent from one account stored in the Sent mailbox for that account, you need to explicitly tell Mail.app what each of the server-side folders is to be used for. To do this, select the folder and choose Mailbox > Use this mailbox for > Sent/Drafts/Trash. I just thought I’d share in case anyone else comes up against this problem.
Guide to unlocking your iPhone with a Turbo SIM
Since receiving my Turbo SIM yesterday and successfully getting it to work with O2 Ireland, I thought I’d write up a clear, easy to understand guide outlining the process.
Disclaimer: If you break something it’s your own stupid fault jerkface.
What you will need:
An iPhone
Your iPhone will need to be Jailbroken, have SSH installed and it will need to have been activated using at&t’s ICCID (use iASign). If you don’t know what any of this means, do some reading. There are a million zillion guides out there explaining the procedures for doing these things. If, after reading, you still don’t know what any of this means, this method is not for you. Wait for a software based unlock.
A Turbo SIM - Available here (sold out at the time of writing)
As explained in previous blog posts, this little device sits between your carrier’s SIM and the phone’s SIM reader. It’s capable of running small SIM-level applications, one of which, Applesaft, unlocks the iPhone by exploiting a flaw in the iPhone’s baseband. I’m not going to explain how this works because anytime I do I get strange looks from people as though I’d just asked them if they’d ever been abducted by aliens. At the time of writing, the poor small team at Bladox churning these little devices out has become inundated with orders and has had to temporarily close its online store.
Some software
applesaft-0.92.tar.gz & turbo-cable-utils-iPhone-0.7.0-rev1.tar.gz
Steps:
- Extract the contents of turbo-cable-utils-iPhone-0.7.0-rev1.tar.gz to somewhere on your computer
- Upload the contents of /bin-iPhone from the archive you just unpacked to /bin on your iPhone (via SCP or SSHFS, whichever you prefer)
- SSH into your iPhone
- Run “cd /bin/”
- Now you’ll need to make each of the binaries you just uploaded to /bin/ executable with the command “chmod +x turbo-appname”. There are 10 applications in total which you need to do this for.
- Extract the contents of applesaft-0.92.tar.gz and copy the applesaft.trb file contained within to the /bin/ folder on your iPhone, the same way you uploaded the turbo cable utilities mentioned above. You can remove this and the turbo-whatever files later. Run “chmod 777 /bin/applesaft.trb” to give the file the permissions it needs.
- Download and edit (or edit on the iPhone locally if you have something like VIM installed) the file com.apple.CommCenter.plist located in /System/Library/LaunchDaemons/ on your iPhone.
- Disable CommCenter by placing “<key>Disabled</key><true/>” after “<key>OnDemand</key><false/>”, then copy the file back or save it.
- Reboot the iPhone.
- Now comes the tricky bit. Carefully CAREFULLY remove your Turbo SIM from its plastic casing. Seriously, Jesus Christ be careful. Oh god you’re going to break it WHAT ARE YOU DOING.
- Take your at&t SIM card out of your iPhone using a paperclip and carefully trim it according to the printed instructions on the Turbo SIM’s packaging. Don’t be afraid to trim it really tight around the SIM’s contacts for a snug fit.
- Carefully sandwich the trimmed at&t card with your Turbo SIM and place them both into the iPhone’s SIM tray. You’ll have to be gentle here as there’s just barely enough clearance for both devices to fit snugly into the SIM tray.
- The carrier name area at the top left of the screen will continue to say “No Service”; this is fine. If it says “No SIM”, the contacts between your SIM and the Turbo SIM aren’t properly seated; fiddle with it a bit to make sure they’re square atop one another.
- SSH into your iPhone again and run “turbo-info” to ensure the iPhone can communicate properly with the Turbo SIM. Assuming everything is correct, this command should return “OK” along with the serial of your Turbo SIM.
- Now, let’s install the applesaft application. Run “turbo-app /bin/applesaft.trb”. If all goes well you should receive an “OK” after some initial messages about the modem being initialised.
- Alter the com.apple.CommCenter.plist file we edited above, remove the line we added (“<key>Disabled</key><true/>”) and reboot.
- On your iPhone, go to Settings > Phone > SIM Applications > Apple Saft and press “SET”. A prompt should indicate that the IMSI and ICCID of the at&t SIM have been read and recorded successfully.
- Now, remove the Turbo SIM and at&t SIM.
- Trim your carrier’s SIM card just like the at&t one and insert the sandwiched pair into the iPhone.
- Reboot the iPhone.
- Pray.
- All going well, your iPhone should now properly register on your carrier’s network and everything should pretty much work straight away. To get EDGE/GPRS working, alter the settings in Settings > General > EDGE to use your carrier’s APN/Username/Password.
- Pat yourself on the back.
TurboSIM iPhone unlock - confirmed working
Two iPhone users have reported that their TurboSIMs have been successfully used to unlock their iPhones. Both have warned that the device is quite fragile and can be destroyed if forced into a SIM slot, so be careful. Here are some screenshots by Zf_ (who natively compiled the TurboSIM’s application uploader for the iPhone) of the Hackint0sh forums:
Ozbimmer, another member of the Hackint0sh forums posted to confirm that his Turbo SIM works as expected.
Zf_ was also kind enough to provide a quick guide:
First, your phone must be activated (with the AT&T SIM), jailbroken, and with SSH and vim. Refer to previous tutorials to do that.
- Download the port of Bladox utilities http://www.hackint0sh.org/forum/show…5&postcount=16 on your computer, extract it on your computer (you need the binary file turbo-app)
- Download AppleSaft 0.92 from Bladox (see the link on their forum, don’t remember it), extract it on your computer (you need the .trb file)
- Turn on your phone with Turbo SIM + AT&T subscription
- Disable CommCenter - ssh to your phone, vim /System/Library/LaunchDaemons/com.apple.CommCenter.plist add
<key>Disabled</key>
<true/>
for example add it just after these lines, already present in the file
<key>OnDemand</key>
<false/>
If you don’t like vim, you can do this modification on your desktop computer (iPhuc/iPhoneInterface getfile, modify the file, and putfile)
vim ultra light survival kit
i : insert mode
ESC : command mode (from insert mode)
dd : delete the current line (in command mode)
:w! : save (in command mode)
:q! : quit (in command mode)
- Reboot
- Copy turbo-app to your phone (for example in /opt/bladox)
- Copy applesaft.trb to your phone (for example in /tmp)
- ssh to your phone, set the executable permission to turbo-app (chmod a+x /opt/bladox/turbo-app) and run it with /opt/bladox/turbo-app /tmp/applesaft.trb. It should take approximately 30 seconds and you shouldn’t see any error. Please panic if you see one.
- Re-enable CommCenter - ssh to your phone, vim /System/Library/LaunchDaemons/com.apple.CommCenter.plist and delete the lines you added previously
- Reboot
- Go into Settings/Phone/SIM Applications/Apple Saft and choose Set
- Turn off your phone
- Turn on your phone with Turbo SIM + your subscription and test.
Unlocking the iPhone
There are two available solutions for unlocking the iPhone at the moment, and both hinge upon a “flaw” in the iPhone’s baseband. All shipped iPhones are locked with a PN (personalized network) lock to at&t. Upon startup, the iPhone enforces this PN lock by reading the included at&t SIM card’s IMSI twice to ensure the IMSI is that of at&t. The third and subsequent reads of the IMSI during the normal operation of the iPhone are not checked to ensure they are that of at&t.
The two available unlocking solutions both exploit this to use SIM cards from providers other than at&t. The first method involves SIM card cloning, which is very much illegal in most countries. In this method the Ki (the “secret” ciphering and authentication key embedded in the SIM) is extracted from an old COMP128 V1 SIM card (these are rarely found among cards distributed from 2002 onwards). The Ki can only be extracted from these old SIM cards, and not from the modern V2/V3 cards available today. The Ki and IMSI from this old SIM card, along with the IMSI of the iPhone’s at&t card, are combined and written to a blank SIM card (SilverCard) using a SIM card writer. Some additional programming of the blank card makes it return the at&t IMSI for the first two reads, and the V1 card’s IMSI for any subsequent requests. This method works, but is fraught with all sorts of legality issues (not to mention the fact that finding old V1 SIM cards is pretty difficult anyway) and so is less than ideal.
A second unlocking solution is much more promising and is likely to attract a lot of attention over the next few weeks. It involves the use of a piece of hardware from Bladox called a Turbo SIM. This nifty thin little device sits between your original SIM card and the SIM reader in your iPhone. It’s capable of running small SIM applications and can be used to intercept incoming IMSI requests (or any SIM requests for that matter), process them, and produce output. Use of such a device is probably completely legal, since the original SIM card is not cloned. It will also work perfectly with V2/V3 SIM cards. Its only purpose (in the case of unlocking the iPhone) is to get past the “good guy, bad guy” IMSI check the phone performs at boot by providing the iPhone with the at&t IMSI it requires at startup. Thereafter, the device relinquishes control back to the original SIM card for any further SIM requests, including network registration. I’ve ordered one, and by the time it arrives in two or so weeks there should be a great deal of hype surrounding the device. Two applications designed to run on the device for the purpose of fooling the iPhone have already been released; here’s the source of the first one:
/*
* iPhone baseband SIM lock 0wnage PoC
*
* History:
* 0.92 - User Interface, ICCID/IMSI are read from a card and then used with another
* 0.91 - some fixes, PROC_8_CONFIG_INIT_BOOSTER for speedy init of ICCID file,
* needs bladox turbo kernel >=1.2.7
* 0.9 - original version
*
* Compile, load on your leet Bladox gear
* disable your subscription PIN and enjoy :p
*
* Special thanks to the baseband development team
* It wouldn't have been so easy without you :)
*
* (c) 2007, collective iPhone development effort
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#include <config.h>
#include <turbo/turbo.h>
#include <stdlib.h>
#include <string.h>
#define VERSION_A 0
#define VERSION_B 92
/* *INDENT-OFF* */
static lc_char PROGMEM lc_Show[]={
LC_EN("Show")
LC_END
};
static lc_char PROGMEM lc_Set[]={
LC_EN("Set")
LC_END
};
static lc_char PROGMEM lc_WasSet[]={
LC_EN("Following was set: ")
LC_END
};
static lc_char PROGMEM lc_Version[]={
LC_EN("Version")
LC_END
};
static lc_char PROGMEM lc_AppleSaft[]={
LC_EN("Apple Saft")
LC_END
};
static lc_char PROGMEM lc_IMSI[]={
LC_EN("IMSI: ")
LC_END
};
static lc_char PROGMEM lc_ICCID[]={
LC_EN("ICCID: ")
LC_END
};
/* *INDENT-ON* */
#define EF_IMSI 0x6F07
#define EF_ICCID 0x2FE2
u8 PROGMEM ef_imsi_path[] = { 0x3F, 0x00, 0x7F, 0x20, 0x6F, 0x07 };
u8 PROGMEM ef_iccid_path[] = { 0x3F, 0x00, 0x2F, 0xE2 };
#define IMSI_SIZE 9
#define IMSI_RESPONSE_SIZE 15
u8 counter;
u8 *imsi;
u8 *imsi_response;
u8 file[2];
u8 *tmp_imsi;
u8 *tmp_iccid;
typedef struct _Pers_mem
{
u8 on;
u8 imsi[0x09];
u8 iccid[0x0a];
}
Pers_mem;
Pers_mem *pers_mem = NULL;
void handle_sim_file (File_apdu_data * fa)
{
u8 i;
if (fa->ef == EF_ICCID && fa->ins == ME_CMD_READ_BINARY)
{
if (rb (&pers_mem->on))
{
dbsp ("FAKE_ICCID\n");
//memcpy (fa->data, _att_iccid, sizeof (_att_iccid));
memcpy (fa->data, &pers_mem->iccid[0], 0x0a);
}
else
{
dbsp ("REAL_ICCID\n");
sim (fa->ins, fa->p1, fa->p2, fa->p3, fa->data);
}
fa->data[fa->p3] = 0x90;
fa->data[fa->p3 + 1] = 0x00;
}
else if (fa->ef == EF_IMSI && fa->ins == ME_CMD_READ_BINARY)
{
sim (fa->ins, fa->p1, fa->p2, fa->p3, fa->data);
switch (counter)
{
case 0:
dbsp ("REAL_IMSI_0\n");
/* learn and retransmit */
// low_level_imsi_select ();
// sim (0xB0, 0x00, 0x00, 0x09, imsi); /* READ BINARY */
// memcpy (fa->data, imsi, IMSI_SIZE);
fa->data[fa->p3] = 0x90;
fa->data[fa->p3 + 1] = 0x00;
counter++;
break;
case 1:
/* spoof */
if (rb (&pers_mem->on))
{
dbsp ("FAKE_IMSI_1\n");
// memcpy (fa->data, _att_imsi, sizeof (_att_imsi));
memcpy (fa->data, &pers_mem->imsi[0], 0x09);
}
else
{
dbsp ("REAL_IMSI_1\n");
}
fa->data[fa->p3] = 0x90;
fa->data[fa->p3 + 1] = 0x00;
counter++;
break;
case 2:
counter++;
/* no break intended here */
default:
dbsp ("REAL_IMSI_2+\n");
/* play nice */
// memcpy (fa->data, imsi, IMSI_SIZE);
sim (fa->ins, fa->p1, fa->p2, fa->p3, fa->data);
fa->data[fa->p3] = 0x90;
fa->data[fa->p3 + 1] = 0x00;
}
}
else
sim (fa->ins, fa->p1, fa->p2, fa->p3, fa->data);
}
void get_files ()
{
u8 path[6];
memcpy (path, ef_imsi_path, 6);
select (path, 3);
sim (ME_CMD_READ_BINARY, 0x00, 0x00, 0x09, tmp_imsi);
select (0, 0);
memcpy (path, ef_iccid_path, 4);
select (path, 2);
sim (ME_CMD_READ_BINARY, 0x00, 0x00, 0x0a, tmp_iccid);
select (0, 0);
}
u8 saft_set (SCtx * ctx, u8 action)
{
if (action == APP_ENTER)
{
u8 *buf = buf_B ();
u8 *r = buf;
u8 i;
get_files ();
memcpy (&pers_mem->imsi[0], tmp_imsi, 9);
memcpy (&pers_mem->iccid[0], tmp_iccid, 0x0a);
wb (&pers_mem->on, 1);
r = sprints (r, locale (lc_WasSet));
r = sprintc (r, '\n');
r = sprints (r, locale (lc_IMSI));
for (i = 0; i < 0x09; i++)
{
r = sprintch (r, rb (&pers_mem->imsi[i]));
r = sprintc (r, ' ');
}
r = sprints (r, locale (lc_ICCID));
for (i = 0; i < 0x0a; i++)
{
r = sprintch (r, rb (&pers_mem->iccid[i]));
r = sprintc (r, ' ');
}
r = sprintc (r, '\n');
r = sprintc (r, '\0');
i = display_text (buf, NULL);
if (i != APP_END)
return APP_BACK;
return i;
}
return APP_OK;
}
u8 saft_show (SCtx * ctx, u8 action)
{
if (action == APP_ENTER)
{
u8 *buf = buf_B ();
u8 *r = buf;
u8 i;
get_files ();
r = sprints (r, locale (lc_IMSI));
for (i = 0; i < 0x09; i++)
{
r = sprintch (r, tmp_imsi[i]);
r = sprintc (r, ' ');
}
r = sprints (r, locale (lc_ICCID));
for (i = 0; i < 0x0a; i++)
{
r = sprintch (r, tmp_iccid[i]);
r = sprintc (r, ' ');
}
r = sprintc (r, '\n');
r = sprintc (r, '\0');
i = display_text (buf, NULL);
if (i != APP_END)
return APP_BACK;
return i;
}
return APP_OK;
}
u8 saft_version (SCtx * ctx, u8 action)
{
if (action == APP_ENTER)
{
u8 *buf = buf_B ();
u8 *r = buf;
u8 i;
r = sprints (r, locale (lc_AppleSaft));
r = sprintc (r, ' ');
r = sprinti (r, VERSION_A);
r = sprintc (r, '.');
r = sprinti (r, VERSION_B);
r = sprintc (r, '\n');
r = sprintc (r, '\0');
i = display_text (buf, NULL);
if (i != APP_END)
return APP_BACK;
return i;
}
return APP_OK;
}
SNodeP saft_n = { lc_AppleSaft, NULL };
SNodeP saft_set_n = { lc_Set, saft_set };
SNodeP saft_show_n = { lc_Show, saft_show };
SNodeP saft_version_n = { lc_Version, saft_version };
/* *INDENT-OFF* */
SEdgeP saft_edges_p[] = {
{&saft_n, &saft_show_n},
{&saft_n, &saft_set_n},
{&saft_n, &saft_version_n},
NULL
};
/* *INDENT-ON* */
void action_menu (Menu_selection_data * x)
{
SCtx *c;
c = spider_init ();
c->eP = &saft_edges_p;
c->n = &saft_n;
spider (c);
}
void turbo_handler (u8 action, void *data)
{
switch (action)
{
case ACTION_APP_REGISTER:
{
Pers_mem *p = emalloc (sizeof (Pers_mem));
pers_mem = p;
wb (&p->on, 0);
reg_app_data (p);
set_proc_8 (PROC_8_CONFIG_INIT_BOOSTER, 1);
}
break;
case ACTION_APP_UNREGISTER:
{
Pers_mem *p = app_data ();
efree (p);
}
break;
case ACTION_APP_INIT:
dbsp ("APP_INIT\n");
counter = 0;
pers_mem = app_data ();
tmp_imsi = malloc (0x09);
tmp_iccid = malloc (0x0a);
imsi = malloc (IMSI_SIZE);
imsi_response = malloc (IMSI_RESPONSE_SIZE);
reg_file (ef_imsi_path, 3);
reg_file (ef_iccid_path, 2);
break;
case ACTION_FILE_APDU:
handle_sim_file (data);
break;
case ACTION_INSERT_MENU:
insert_menu (locale (lc_AppleSaft));
break;
case ACTION_MENU_SELECTION:
stk_thread (action_menu, NULL);
break;
default:
break;
}
}
As you can see, it’s pretty simple. Over the coming days we’ll probably see a native iPhone application for writing applications such as the one above to the Turbo SIM. An updated application provided by the kind folks from Bladox is up at their forums here. Happy hacking.
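A small model of the check-then-trust flaw the post describes, added here as an illustration rather than anything from the post or from Bladox: the IMSI values, the accepted prefix and the registration step are constructed assumptions. It also shows what a check that validates the value at its point of use does to the same read-counting interposer.

```python
# Model of the lock check described above: the baseband validates the SIM's
# IMSI on its first reads at boot and trusts every later read. Added
# illustration with constructed IMSIs; the check and registration logic are a
# simplification, not Apple's or Bladox's code.

HOME_PREFIX = "99901"  # constructed MCC/MNC prefix the lock accepts

class Sim:
    """Plain SIM: every READ BINARY on EF_IMSI returns the same IMSI."""
    def __init__(self, imsi):
        self.imsi = imsi

    def read_imsi(self):
        return self.imsi

class InterposerSim:
    """A read-counting interposer like the one in the post: the first
    `spoof_reads` reads answer with a substitute IMSI, then the real SIM."""
    def __init__(self, real, substitute, spoof_reads=2):
        self.real, self.substitute = real, substitute
        self.spoof_reads, self.reads = spoof_reads, 0

    def read_imsi(self):
        self.reads += 1
        if self.reads <= self.spoof_reads:
            return self.substitute
        return self.real.read_imsi()

def check_once_then_trust(sim):
    """The flawed design: two validated reads, then an unvalidated read whose
    value is what registration actually uses."""
    for _ in range(2):
        if not sim.read_imsi().startswith(HOME_PREFIX):
            return None          # lock engaged
    return sim.read_imsi()       # never compared to the validated reads

def check_at_point_of_use(sim):
    """Hardened design: the value handed to registration is itself validated
    and must agree with the earlier reads; a SIM that changes its answer is
    treated as tampering rather than as a valid subscriber."""
    reads = [sim.read_imsi() for _ in range(3)]
    if len(set(reads)) != 1 or not reads[-1].startswith(HOME_PREFIX):
        return None
    return reads[-1]

def outcome(check, sim, real_imsi):
    """The network binds an IMSI to the key only the real SIM holds, so
    registration succeeds only with the real subscriber's IMSI."""
    imsi = check(sim)
    if imsi is None:
        return "locked"
    return "registered" if imsi == real_imsi else "rejected"

HOME = Sim("999010000000001")    # constructed: a SIM the lock accepts
OTHER = Sim("999020000000002")   # constructed: a SIM from another carrier

if __name__ == "__main__":
    print(outcome(check_once_then_trust, OTHER, OTHER.imsi))                            # locked
    print(outcome(check_once_then_trust, InterposerSim(OTHER, HOME.imsi), OTHER.imsi))  # registered
    print(outcome(check_at_point_of_use, InterposerSim(OTHER, HOME.imsi), OTHER.imsi))  # locked
```

With more spoofed reads the hardened check still passes, but the value it validated is then the one sent to the network, which rejects it; either way the interposer no longer yields a registered foreign SIM.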
iPhone JTAG Interface discovered
George Hotz (geohot) over at #iphone.unlock on Undernet finally uncovered the iPhone baseband’s (S-Gold 2) JTAG interface, which means an unlocking solution (albeit hardware based for the moment) is within reach. Geohot initially thought the JTAG interface might be located in the dock, but his search proved fruitless. Accessing these traces is incredibly difficult because the board has many layers and blind vias, and in the end it could only be done by removing the S-Gold 2 from the baseband board altogether, which meant wrecking the board:
With this removed, geohot found the TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), TMS (Test Mode Select) and TRST (Test Reset) connector pins quite easily. He now has to find a way of powering up the S-Gold 2 with these connectors attached to a JTAG interface, which is going to require a lot of precise soldering. It should result in a hardware (and eventually software) iPhone unlock. You can read more about his efforts here: http://iphonejtag.blogspot.com/
Even more iPhone first impressions (because I own this one)
I had a nice surprise waiting for me when I arrived home yesterday. I was like a kid at Christmas opening the box for this thing. I hadn’t been so excited about a gadget for a long time. As mentioned a few posts ago, I’d gotten to play with one at work over the past few weeks, but nothing compares to owning one and getting to play with one on your own time. The design, as with all things Apple, is elegant, simple and gorgeous. The screen is amazingly bright and its resolution of 320x480 at 160 PPI is incredible. In my spare time this evening I’ve toyed a little with some development/design for an iPhone interface for Runt. I’ll post some more about this over the next few days or whenever I get a chance. It means so much to have a real browser in a mobile phone.
I’ve seen a lot of poor saps posting about how their plastic N95s are a better deal, but these people are clearly delusional. The best one has to be “No MMS? Oh I won’t buy it so”. Uh, you have an unlimited data plan and you’ve got a fantastic handheld email-capable device; is this really an issue? If we’re talking pure design, there’s just no comparison either. To paraphrase Douglas Adams, the N95 looks as if it had been not so much designed as congealed. I think the only minor niggle I have with the device so far is its mini-jack, which makes a lot of headphones not fit. That and the fact that I found the headphones it ships with, much like the iPod’s, are incredibly painful to wear for more than, say, oh, 10 seconds. My ears seem pretty normal to me so I don’t get it.