Thoughts on how to enable tethering using iPCC and mobileconfig without jailbreak - iOS 3.x (iPhone OS 3.x) - Hackint0sh.org

  1. #1 HowAbout (Newbie, joined Apr 2010)

    Thoughts on how to enable tethering using iPCC and mobileconfig without jailbreak

    Hello,
    after stumbling through many, many boards, it seems the brightest and most technically advanced people are here, so I think I can come to you with some ideas I had without needing to explain all the basic stuff.

    I've recently read an article about a certificate security flaw in iPhone OS 3.1.2 and 3.1.3 -> iPhone PKI handling flaws
    which provides several possible hooks to activate tethering on current iPhone OS <= 3.1.3 without the need to jailbreak.

    I tried it, and it still works on 3.1.3.

    Maybe one of you has already tried what I'm describing below, so some feedback would be highly appreciated.

    Idea 1:
    1. Edit carrier.plist in the IPCC bundle of your provider and remove all signed APN entries.
    2. Create a mobileconfig including all APNs with all parameters (username, password, apn, type-mask(!)).
    3. Export key and cert of the IPCU Cert Auth from your keychain to use them to sign your mobileconfig (you have to transform .p12 to .pem first).
    4. Now sign the mobileconfig via the command line. Don't use IPCU to sign it, it removes parameters like type-mask!
       I spent hours finding/figuring out the command you'll need now, so here it comes:
       openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer ipcu_pub.pem -inkey ipcu_priv.pem -certfile ipcu_pub.pem -outform der -nodetach
    5. Upload the modified IPCC with iTunes.
    6. Install the self-created mobileconfig via an email sent to yourself.
    7. Install the profile.
    8. Cross fingers.

    Idea 2:
    Depending on how far the certificate flaw reaches, it could be possible to self-sign the APN data within carrier.plist itself with the IPCU certificate.
    If the verification mechanism uses all root certificates in the iPhone's keychain to check signatures (also the inbound ones in carrier.plist), it should work.

    Idea 3:
    Pretty similar to idea 2, but another
    As it seems to me, all MCC/MNC listed in the "SIMs" array contained in the "MandatoryVerify" list have to have signed APN data.
    So what would happen if we just remove our own MCC/MNC from the list and sign it again without our IPCU certificate + key?
    I would expect that it's possible to use unsigned APN data again in self-made carrier.plists.

    So you may come up with the question: why haven't you tried it already?

    Well, there are some things I still couldn't figure out / don't know yet.

    1. What do all the type-mask keys mean?
    I use T-Mobile and they use the keys 22, 23 and 32. Referring to this chart and assuming this key describes one byte, it would result in the following:
    they are using the unused 5th bit (16) portion: 22 = 4+16, 23 = 1+4+16 and 32 = 32 (which makes no sense if you apply this chart). Other carriers even use keys differing from the information provided by the chart.

    2. What type/format of signature is used to sign "SIM" and "APN" data?

    3. What data exactly is signed?
    The whole XML branch (with or without line breaks?)?
    <string>20201</string>/n/r<string>20205</string> and so on
    Only the usage data?
    20201 20205
    If so, which separator is used then?

    4. What is necessary to make the tethering switch appear?
    Just a change in /var/mobile/Library/Preferences/com.apple.MobileInternetSharing,
    or is it more?

    5. How does the carrier remotely make the tethering switch appear?
    I ask because this is probably another entry point for it.
    Maybe you are reading this and think: hey, I know a guy who paid for this feature.
    And maybe this guy can explain what happened until the feature was available (needed to sync with iTunes, appeared instantly, had to approve a prompt on the screen). A jailbroken iPhone with this feature activated would be the biggest win in this case, I think. I guess you know where I'm coming from...
    So if you've got information, it would be nice if you shared it with us.

    Any ideas, news, criticism ... are welcome.

    Thanks for your time.

    Best regards,
    howabout
    Last edited by HowAbout; 04-30-2010 at 08:14 PM. Reason: Just some more typos



  2. #2 stonefred (Senior Professional, joined Nov 2007)

    Quote Originally Posted by HowAbout:
        4. What is necessary to make the tethering switch appear?
        Just a change in /var/mobile/Library/Preferences/com.apple.MobileInternetSharing,
        or is it more?
    The Tethering button will appear if the APN checksums are not broken and the responsible tethering APN (identified by type-mask) has a connection to the internet (if you are on an official carrier, the tethering APN is usually blocked until you get a tethering data plan). You do not need to reactivate it by editing a plist file; it will appear after you install a valid IPCC file, and on the next loop it gets activated (after 10-30 seconds).

    Quote Originally Posted by HowAbout:
        3. Export key and cert of the IPCU Cert Auth from your keychain to use them to sign your mobileconfig (you have to transform .p12 to .pem first)
    Can you explain this step in detail? Thank you!
    Last edited by stonefred; 05-01-2010 at 01:24 AM.
    Every time you Can Has, God kills a LOLcat.

  3. #3 HowAbout (Newbie)

    Thanks for the hint with com.apple.MobileInternetSharing. Might be easier than expected, if it works.

    Here comes the explanation on how to self-sign mobileconfigs:
    I assume you are using a Mac and you're familiar with mobileconfig files.
    Also, you have installed the iPhone Configuration Utility from Apple and run it at least one time (it creates the certificate we want to use). Also, your iPhone has been connected to your computer and assigned to the iPCU (this installs the certificate on the iPhone).
    That said, we can start.

    1. Open the Keychain Access program (type "keychain" in Spotlight if you don't know where to find it).
    2. Locate and select the iPCU Certificate Authority (unique ID on your system) in Category/Certificates (lower left).
    3. Now select Export "iPCU Certificate Authority (unique ID on your system)" from the context menu.
    4. Name it something like ipcu_pub (format is "Personal Information Exchange") and export it to a folder you want. In our example I will put every file in a folder labeled mobcon on my desktop.
    5. Now go back to Keychain Access and expand the certificate using the triangle to its left.
    6. Select the entry <key> and export it. Give it the name ipcu_priv, for example.
    7. Additionally you have to secure it with a password, due to the fact that it contains the secret key necessary to sign data. Choose something simple, like test or so.
    8. Drop the mobileconfig file you want to sign into the folder mobcon as well.
    9. Open "Terminal" (again, just type "terminal" in Spotlight).
    10. Head for the "mobcon" folder on your desktop (cd Desktop/mobcon/).
    11. Change the .p12 formatted files into .pem format by doing the following:
    12. Type "openssl pkcs12 -in ipcu_pub.p12 -nokeys -out ipcu_pub.pem" to change the format of the certificate file.
    13. Repeat with our key file: "openssl pkcs12 -in ipcu_priv.p12 -nocerts -out ipcu_priv.pem". Type in your password "test" three times.
    14. Now we have everything to sign our mobileconfig file by issuing the following command:
    "openssl smime -sign -in YOURFILE.mobileconfig -out YOURSIGNEDFILE.mobileconfig -signer ipcu_pub.pem -inkey ipcu_priv.pem -certfile ipcu_pub.pem -outform der -nodetach". Type in your password "test" again.
    15. Now you have your self-signed mobileconfig in the "mobcon" folder.
    16. Take YOURSIGNEDFILE.mobileconfig and attach it to an email you send to yourself.
    17. Open Mail on the iPhone, select the attachment and install the configuration.
    18. Enjoy.

    Appendix:
    • ipcu_pub.p12 and .pem is the certificate file
    • ipcu_priv.p12 and .pem is the key file
    • YOURFILE.mobileconfig is the unsigned iPhone configuration
    • YOURSIGNEDFILE.mobileconfig is the signed iPhone configuration
    • Needless to say, all files and passwords can be named whatever you like.

  4. #4 stonefred (Senior Professional)

    Thank you for your detailed manual - I've done everything step by step and created a self-signed mobileconfig. But the IPCU certificate was untrusted ("this root certificate is not trusted") until I trusted it with my Keychain Access program.

    So the mobileconfig also did not have the green flag on the iPhone, and there was a message that the signature is not verified.

    After trusting my IPCU certificate on my Mac and syncing it with my iPhone, the self-signed mobileconfig file has the green flag and is fully trusted.

    But why self-sign the mobileconfig file? It also installs if not signed. And as far as I know it is not possible to add tethering by using mobileconfig files on firmware 3.1.3. It did not work for me when I tried, so my solution for blacklisted SIMs has been a simple CommCenter patch on 3.1.3 (but as you said, jailbreaking is required then) or IPCC files with the MandatoryVerify key inside for unsupported carriers (no jailbreak required).

    OK, the IPCU cert is working to sign profile files, but it is not trusted until the iPhone is connected to the local IPCU. This makes it impossible to spread tethering profiles to other people who do not have their iPhones connected to your IPCU. That means such devices will not validate your signature and the fix will not work.

    But thanks to your link about the root certificate flaw, I think it's really possible to self-sign mobileconfig files and perhaps APN data by using certificates signed by official root CAs, if CommCenter also has the certificate flaw.
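An added example, not code from any poster in this thread: it reproduces the sign step of post #3 (step 14) and the trust behaviour post #4 observed, using a constructed self-signed CA as a stand-in for the exported iPCU Certificate Authority and a made-up minimal profile. It assumes openssl on the PATH; the file names follow the thread, while the CA subject, the PayloadIdentifier and the sample type-mask value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed self-signed CA stands in for the
# exported iPCU Certificate Authority, and the profile below is made up for the demo.
set -e
WORK="$(mktemp -d)"
cd "$WORK"
# Stand-in for ipcu_priv.pem / ipcu_pub.pem (the thread exports the real pair from Keychain Access).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Constructed iPCU Certificate Authority" \
  -keyout ipcu_priv.pem -out ipcu_pub.pem 2>/dev/null
# Constructed unsigned profile carrying only the keys the discussion cares about.
cat > company.mobileconfig <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.tethering</string>
  <key>type-mask</key><integer>22</integer>
</dict></plist>
EOF
# The signing command as posted in the thread: opaque (-nodetach) CMS signature, DER encoded.
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig \
  -signer ipcu_pub.pem -inkey ipcu_priv.pem -certfile ipcu_pub.pem -outform der -nodetach

# 0 when the signature chains to the CA file in $1: the device that synced with this iPCU.
verify_with_trust() {
  openssl smime -verify -inform der -in signed.mobileconfig -CAfile "$1" -out /dev/null 2>/dev/null
}

# 0 when verification is rejected with no iPCU CA as trust anchor: the "signature not
# verified" case post #4 saw on a device that had not trusted the CA.
rejected_without_trust() {
  if openssl smime -verify -inform der -in signed.mobileconfig -out /dev/null 2>/dev/null; then
    return 1
  fi
  return 0
}

# Prints how many <key>$1</key> entries survive in the verified payload (post #1 says IPCU's
# own signing drops type-mask; the command-line path leaves the profile byte for byte).
payload_key_count() {
  openssl smime -verify -inform der -in signed.mobileconfig -CAfile ipcu_pub.pem \
    -out payload.plist 2>/dev/null
  grep -c "<key>$1</key>" payload.plist
}

verify_with_trust ipcu_pub.pem && echo "trusted CA: signature verifies"
rejected_without_trust && echo "no trust anchor: signature rejected"
echo "type-mask keys in payload: $(payload_key_count type-mask)"
```

The same verify call, pointed at the exported ipcu_pub.pem, is the quick check for whether a profile received by email was really signed by your own iPCU CA before installing it.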

  5. #5 iPhone Moderator (joined Aug 2007)

    I am still investigating another possible workaround.

    History: My iPhone 3GS had been on fw 3.1.2 for a long time. I avoided updating it because I used MyWi (had used the CommCenter patch before but wanted the Wi-Fi router function) and a custom carrier bundle I created for my carrier. All worked fine for a long time.
    My iPhone then got stuck at the Apple logo, no way out. So I decided to go for a restore to 3.1.3.
    Worked fine. On the board here I always told people to refrain from using the backup then - but I did. I can still apply custom carrier bundles, use tethering - everything.
    I tried before applying the backup and it did not work, of course.

    So - something in my backup makes my custom bundle work. Problem is: the backup is 600 MB. I have used Erica's mdhelper to extract all files for a first try but did not find anything.
    I'll be digging a bit further and let you know.


  6. #6 manuelant (Newbie, joined Apr 2009)

    Have you tried?

    Have you tried this page from Safari on your iPhone?

    help.benm.at

    Scroll down to the bottom of the page and create a custom mobileconfig with your carrier APN.

    Hope that works

  7. #7 Olethros (Super Moderator, Norway, joined Sep 2007)

    Quote Originally Posted by manuelant:
        Have you tried this page from Safari on your iPhone?

        help.benm.at

        Scroll down to the bottom of the page and create a custom mobileconfig with your carrier APN.
    This only works on iPhone OS 3.0 (without jailbreak).

    The thread is about a solution for OS 3.1 (or higher) without jailbreak.

  8. #8 stonefred (Senior Professional)

    Seems that Unlockit - APN Changer for your iPhone has created a generator for trusted signed mobileconfigs for >= 4.0 beta 3. But this does not work for me on Apple-supported carriers.

    Is anybody reversing the signatures? Seems that the APN and bundle signatures are RSA encrypted with an unknown private key. This makes it impossible to generate valid signatures without jailbreaking and either replacing the public key or patching the signature check. The root certificate flaw will not help us then.

    I think the best decision would be to not buy an iPhone 4 with an Apple-supported/reduced carrier contract.
    Last edited by stonefred; 06-02-2010 at 12:32 AM.

  9. #9 volkspost (iPhone Moderator, joined Aug 2007)

    Correct, it only works on non-Apple contracts. Same story for OS 3.1.2. It's not about reverse engineering. For Apple-supported carriers you still, and will, need to patch CommCenter to get around the sig check. For non-Apple carriers you can create bundles or mobileconfigs - no problem.
    Plus - with 4.0 you won't need to do so. Non-Apple carriers allow modifying the APNs for Data, MMS and Tethering!

  10. #10 (Senior Professional, joined Mar 2008)

    Quote Originally Posted by volkspost:
        For non-Apple carriers you can create bundles or mobileconfigs - no problem.
    And how should we sign the carrier bundles for non-Apple carriers? Unsigned bundles don't work.... I would just like to get rid of the "call forwarding alert". And that can't be done with mobileconfigs...


 

 