Thoughts on how to enable tethering using iPCC and mobileconfig without jailbreak
after stumbling through many many boards it seemed, here are the brightest, technical most advanced people around so I think I can come up to you with some ideas I had, without having the need to explain all the basic stuff. ;)
I've recently read an article about a certificate security flaw within iPhone 3.1.2 and 3.1.3. -> iPhone PKI handling flaws
which provides several possible hooks to activate tethering on current iPhone OS <= 3.1.3 without the need to jailbreak
I tried it, and it still works on 3.1.3
Maybe one of you already tried what I'm describing below. So some feedback would be highly appreciated.
1. edit carrier.plist in IPCC bundle of your provider and remove all signed APN entries.
2. create a mobileconfig including all apns with all parameters (username, password, apn, type-mask(!) )
3. Export key and cert from of IPCU Cert Auth from your keychain to use them to sign your mobile config (you have to transform .p12 to .pem first)
3. now sign the mobileconfig via commandline. Dont use IPCU to sign it, it removes paramters like type-mask!
I spent hours finding/figuring out that command you'll need now, so here it comes: openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer ipcu_pub.pem -inkey ipcu_priv.pem -certfile ipcu_pub.pem -outform der -nodetach
4. upload modified ipcc with itunes.
5. install selfcreated mobileconfig via email sent to yourself
6. install profile
7. cross fingers
Depending on the influence range of the certificate flaw, it could be possible to selfsign the apn data within carrier.plist itself by ipcu-certificate.
If the verification mechanism uses all root certificate in iPhones keychain to check signatures (also the inbound ones in carrier.list) it should work.
pretty similar to idea 2, but another
As it seems to me, all MCC/MNC listed in the "SIMs" array contained by "MandatoryVerify" list have to have signed apn data.
so what would happen if we just remove our own MCC/MNC from the list and sign it again without our IPCU certificate + key.
I would expect that it's possible to use unsigned apn data again in selfmade carrier.plists.
So you may come up with the question: Why haven't you tried it already?
Well there are some things I still couldn't figure out / i don't know yet
1. What meaning have all the type-mask keys?
I use T-Mobile and they use the keys 22, 23 and 32. Referring to this chart and assuming this key describes one byte it would result in the following
they are using the unused 5th bit (16) portion 22 = 4+16, 23 = 1+4+16 and 32 = 32 (which makes no sense if you apply this chart) other carriers even use keys differing from the information provided by the chart.
2. What type/format of signature is used to sign "SIM" and "APN" data?
3. What data is exactly signed?
the whole xml-branch (with or without linebreak?)?
<string>20201</string>/n/r<string>20205</string> and so on
only the usage data?
if so which seperator is used then?
4. What is necessary to make the tethering switch appear?
just a change in /var/mobile/Library/Preferences/com.apple.MobileInternetSharing
or is it more?
5. How does the carrier remotely make the tethering switch appear?
I ask, becaues this probably is another entrypoint for it.
Maybe you are reading this and think: Hey, I know a guy who paid for this feature.
And maybe this guy can explain what happend until the feature was available (Needed to sync with iTunes, appeared instantly, had to approve a prompt on the screen) a jailbroken iPhone with this feature activated would be the biggest win in this case I think. I guess you know where I'm coming from...
So if you've got information, it would be nice if you share it with us.
Any ideas, news, criticism ... are welcome
Thank's for your time.