Unlocking the iPhone: The GSM SIM and Activation
July 5th, 2007
Daniel Eran Dilger
Interested in getting the iPhone to work in ways Apple never intended? Here’s a look at what’s involved in making the iPhone a mobile service-free iPod, and conversely, using it with other service providers, both here in the US and internationally.
Unlocking the iPhone, a RoughlyDrafted article (Spanish translation)
Translation: Oscar Reixa
I wrote an extensive initial overview of the iPhone for AppleInsider, which presented that the iPhone is designed to work only after activation through iTunes, which involves setting up a mobile service plan through AT&T.
The previous article, “How AT&T Picked Up the iPhone” examined the history of AT&T and mobile networks in the US. Both provide some useful background for this article.
GSM SIMs, Activation, and Locking
A lot of people are interested in using the iPhone in different ways than Apple intended:
• Some want to use it as an iPod and web browser without a mobile account.
• Some want to use it as a full iPhone, but using a different mobile carrier.
• Some want to access its internals to install other software or unlock features.
Things are always more complex than they might seem. In the US and some other markets, there are rival networks using incompatible technologies. The two biggest contenders worldwide are Qualcomm’s CDMA2000 network family, and the GSM family of networks. The iPhone is a GSM phone.
Global System for Mobiles’ Subscriber Identity Module.
GSM uses a SIM smart card to identify a subscriber. It can usually be put into any phone handset to associate it with that user’s telephone account. This makes it easy for users to pick any phone and immediately begin using it. In the US, AMPS (aka ‘TDMA’) and CDMA mobile phones had to be manually configured by the provider.
A GSM SIM card stores an IMSI, or International Mobile Subscriber Identity. That number is made up of three codes:
• MCC or Mobile Country Code
• MNC or Mobile Network Code, identifying the service provider
• MSIN or Mobile Subscriber Identification Number, identifying the specific user
In addition to accepting a SIM, a GSM phone itself stores an IMEI, or International Mobile Equipment Identity. This number is globally unique to the mobile phone, just like a computer’s network MAC address. It is intended to be completely independent from the subscriber’s IMSI, meaning that in theory nothing ties a phone to a specific user’s account.
If a GSM phone is stolen, the network can ban the IMEI serial number of the stolen phone, making it worthless as a phone even if a different SIM card is put into it. If the SIM was not in the phone when it was stolen, the subscriber could continue to use it with other phones because the banned phone IMEI is not tied to the SIM.
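As an added example (not code from the article), the IMSI split into MCC/MNC/MSIN and the IMEI ban described above, modelled in Python. The MNC-length table and the banned-handset list are constructed for illustration; the IMEI check digit is the standard Luhn digit.

```python
"""Parse a GSM IMSI and screen a handset's IMEI against a ban list.
Added example, not from the article; tables below are constructed."""
from dataclasses import dataclass

# Assumption: illustrative MCC -> MNC-length table. North American MCCs
# use three-digit MNCs, most European ones two (authoritative: ITU-T E.212).
MNC_LENGTH = {"310": 3, "311": 3, "262": 2, "234": 2}

@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code
    mnc: str   # Mobile Network Code (service provider)
    msin: str  # Mobile Subscriber Identification Number

def parse_imsi(imsi: str) -> Imsi:
    """Split an IMSI (up to 15 digits) into MCC, MNC and MSIN."""
    if not (imsi.isdigit() and len(imsi) <= 15):
        raise ValueError("IMSI must be at most 15 digits")
    mcc = imsi[:3]
    n = MNC_LENGTH.get(mcc)
    if n is None or len(imsi) <= 3 + n:
        raise ValueError(f"cannot split IMSI with MCC {mcc}")
    return Imsi(mcc, imsi[3:3 + n], imsi[3 + n:])

def _luhn_sum(digits: str, double_odd: bool) -> int:
    """Luhn sum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 1) == double_odd:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total

def imei_check_digit(body14: str) -> str:
    """Compute the 15th IMEI digit from the 14-digit TAC+serial body."""
    return str((10 - _luhn_sum(body14, double_odd=False) % 10) % 10)

def imei_valid(imei: str) -> bool:
    """An IMEI is 15 digits whose Luhn sum (check digit included) is 0 mod 10."""
    return imei.isdigit() and len(imei) == 15 and _luhn_sum(imei, True) % 10 == 0

# Constructed ban list standing in for the network's stolen-handset register.
BANNED_IMEIS = {"490154203237518"}

def handset_allowed(imei: str) -> bool:
    """Admit a handset only if its IMEI is well-formed and not banned.
    The SIM's IMSI is never consulted: the ban follows the hardware."""
    return imei_valid(imei) and imei not in BANNED_IMEIS
```

The ban never touches the IMSI, so a subscriber whose SIM was not in the stolen handset keeps service on any other phone.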
Service Provider Subsidy Locks.
The history of mobiles in the US makes the market very different from Europe, where GSM has become more standardized. In some European countries, subsidizing phone prices and tying the phone to a specific provider is illegal. In the US, that practice is commonplace.
US mobile providers give customers a deeply discounted phone after they sign an extended contract, and enforce the contract by locking the phone hardware to only work with their own network. After a certain period, most mobile providers will unlock the phone from their network, and phones may also be unlocked by third parties who have access to the codes to do this.
This vendor lock exists to tie the heavily subsidized phone to the mobile provider who offered the rebate incentive.
However, the iPhone isn’t tied to AT&T for the same reason, because AT&T doesn’t provide iPhone subscribers with an upfront rebate as an incentive to sign a contract.
How the iPhone is Different.
Instead, it’s the iPhone itself that acts as the incentive to sign an AT&T contract. AT&T then pays Apple a portion of its service fee revenue over the term of the user’s contract for providing it with exclusive access to a desirable phone. Apple then offers the user continuous software upgrades to their iPhone.
Rather than simply locking the phone to the network, the iPhone ties the hardware provider to the service provider and invites the user to join in. That changes the mobile business model dramatically.
Unlike the iPhone, other mobiles are designed to work with many providers, but are artificially locked to one network as a way to enforce a service contract. The iPhone only needs to work with AT&T, so it’s not locked in the same way, and can’t be unlocked in the same way. Of course, that doesn’t mean it can’t be unlocked at all.
Using the iPhone without a Service Plan.
Before being activated, the iPhone can’t be used to do anything beyond placing an emergency phone call. It can only be used as a music player, organizer, and WiFi web browser after being activated from iTunes, and activation involves selecting a service plan.
Kent Pribbernow reported on his iPhone blog that a user can activate an iPhone, then add a second phone to the same FamilyTalk plan as a replacement for the first iPhone already on the account.
That activates the second iPhone while removing the phone service from the first, leaving it an activated, functional unit without any mobile service plan, but still working over WiFi.
Jon Lech Johansen, also known as DVD John, set up an automated way to spoof iTunes into thinking that it is talking to Apple’s activation servers while setting up an iPhone. This similarly results in an iPhone that is “activated” and functional as an iPod and WiFi browser, but left without any associated mobile service plan.
The Revocation Brick Risk.
There’s apparently no way for AT&T to revoke the activation of an iPhone, but it is possible that AT&T could revoke the IMEI of iPhones over its mobile network. The iPhone could brick itself after discovering that its IMEI had been banned. This mechanism is already used to kill a black market for stolen GSM phones.
It is also certainly possible that Apple could update iTunes to deactivate iPhones that have been activated but removed from a service plan. This potential for either of these happening makes trying to use the iPhone in this manner a potentially risky gamble, as the iPhone must be connected to iTunes in order to sync its library.
It appears Apple plans to earn a significant portion of its profits on the iPhone from its revenue sharing plan with AT&T. That gives both partners a motive for preventing people from using the iPhone without service. At the same time, it may not be worthwhile to engineer and deploy systems to deactivate iPhones that have been activated and then removed from service.
Using the iPhone with a Different Carrier.
While removing phone service from the iPhone appears to be rather simple, trying to use it with another service provider is more complicated. That’s because the iPhone isn’t just a GSM mobile phone with a standard SIM card. It’s really a handheld computer incorporating a SIM-enabled phone.
When activated, the iPhone checks for a special AT&T SIM card, then signs its boot software image with it. The iPhone refuses to accept SIM cards from other GSM phones, whether pulled from other phones sold by AT&T or obtained from other GSM service providers.
It appears, however, that an iPhone SIM can be removed and used to activate nearly any other GSM phone. That means the iPhone knows how to verify that the SIM it uses was genuinely designed for the iPhone. That security mechanism is very different from typical phone vendor subsidy locks, which lock the phone, not the SIM.
A typical locked GSM phone will only work with one network provider, but will accept any SIM associated with that network. The iPhone is more than just locked to a network, it’s locked to a special AT&T SIM.
A Tougher Nut To Crack.
Other GSM phones can be unlocked by simply clearing the locking code from the phone’s baseband processor. In order to use the iPhone with other GSM networks, one would have to unlock the system image and defeat its unique security system.
Every time the iPhone gets updated, this would have to be redone, and the security mechanisms used on the iPhone would likely get more complex with each software update.
So far, only local accounts on the iPhone have been deciphered; these are relatively easy to find and don’t really provide any useful access to anything.
Other Carrier and Regional Compatibility Barriers.
No matter what level of unlocking is ever accomplished on the iPhone, it will simply never work on Sprint or Verizon’s CDMA2000 network, because it lacks the radio hardware to do so. Since Apple has signed an exclusive contract with AT&T until 2012, this situation won’t change in upcoming models of the iPhone either.
Future models of the iPhone will be needed for international markets. Because 3G service is widely available in Europe and Japan, it appears that a 3G iPhone would be needed to compete in those markets. That doesn’t mean that those 3G iPhones will work in the US however.
The following article looks at what’s involved in delivering the iPhone in other markets and how Apple will need to change its strategy to target the more sophisticated networks available outside the US.