SIM hacks

From The Apple Wiki

These hacks all require a SIM card passthrough to be used. They typically work by spoofing the MCC/MNC. Some examples include TurboSIM, XSim, SuperSIM, Yessim, Furiousim, StealthSim.

Old SIM Exploit (iPhone)

This relies on the fact that the IMSI is read twice, once to validate the IMSI and once to connect to the network. So the SIM card spoofs the first IMSI read to trick the device into thinking it is operating on the AT&T network, or whatever network the device is locked to. The second time it allows the IMSI to be read properly from the SIM card, and this IMSI is used for the network login.

A slight variant of this exploit uses a silvercard to program the IMSI and ICCID differently. This variant requires your Ki to be known, which can only be extracted from COMPEMU v1 sim cards.

SIM Hacks for iPhone 3G

It seems that some level of 2G call and SMS operation with SIM hacks is possible. However there is a high level of unpredictable behaviour based on different networks, SIMs, SIM hack co-devices, and so on. It is also theorised that different carrier networks have an ability to detect and block such exploits. This may explain the SIM hack working for several hours or days before it stops working. On hackint0sh one user reported that all SIM solutions be _not_ working with EDGE and UMTS [1].

Warning (citation taken from dev team's blog):

We’ve been monitoring the whole “SIM-card unlock” proxy-SIM situation. This involves using a chip that is attached to your SIM card (with a small modification to your SIM) or sometimes a small PCB soldered inside the phone. These sim mods so far seem very very very questionable. Zf has found that they use trickery of the GSM and UMTS network that is considered highly illegal in most countries and they rely on sending bogus IMSIs and various other nasty hacks to obtain service on your iPhone. A couple of our members have worked out how this all “works” and we’ll try to publish our findings soon. DevTeam recommendation: Steer clear, don’t use!

(In alphabetical order)

iPhonix / Juma

MacBug.de reports only 2G mode (data mode not clear) works with this. MacBug.de seems to be distancing itself from the product.

RebelSim

The company video demonstrates 2G but mentions no 3G function at this stage. The RebelSim website claims it has tested iPhone 3G operation. More information is required.

StealthSim

One of the more expensive variants of the SIM hacks on sale now. More formal reports indicate that this method is just as unstable as the rest. It fakes IMSI like the rest, but eventually gets kicked off the network. Don't buy.

TurboSim

Indications are that no stable TurboSIM exploit is available at this time. For some providers in Germany there appears to be some success, see TurboSIM Unlock.

Universal Sim

Uses a very bad implementation of zerog (the software of TurboSIM).

Yessim / Furiousim

Overall, there are conflicting reports on whether this works on various SIMs and networks. Samples have been provided to various users on Hackint0sh Forums. Initial challenges faced because of a RJ45 type connector that is needed to set "Boost Mode". It is recommended that if ordering, the USB "YesUP" or "FuriousUP" cable is used. The company mentions that unfortunately instead of USB cables, RJ45 cables were provided to testers due to a "shipping error". Initial testing of Yessim with stock configurations shows problems after several hours or a few days.

As of 16 August 2008, a "Brand New Firmware With An 100% New Way To Trick Your Phone" has been announced on the Yessim forum[dead link] but has not been released yet. Presumably using the same method as the new Universal SIM firmware (V500).

The latest version of YesSim which was released on 25 August 2008, named "iPhone 3G Firmware" is using version 1.8 of the loader and is confirmed to be working in many countries including USA, Germany, UK, Poland & Israel.

SIM hacks development status

SIM communication

Currently it is possible to see some information at the baseband level of how the iPhone 3G baseband "interacts" with the SIM and SIM hack co-device. Investigations are ongoing. In very layman-person terms, there is a way to see the baseband requesting information from the SIM and seeing the modem commands and various other baseband operations. This information will probably be clearer in other sections of this Wiki.

Hackint0sh.Org Policy: At this stage due to complications all SIM Hack testing and discussion should be done here [Archived 2008-09-03 at the Wayback Machine].

iPhone 3G SIM Tray Warning

The iPhone 3G SIM tray is very very thin. If using SIM hacks (dual sim, etc.) a long thin tape should be attached in a way that you can easily extract the sim tray without relying on the normal tiny SIM ejector button. You have been warned. Should you not apply tape beforehand, you can still eject the simtray with an L-shaped pin and a quick but forceful yank. It sounds scary but it's just plastic, after all.