Thoughts on how to enable tethering unsing iPCC and mobileconfig without jailbreak

Hello,
after stumbling through many many boards it seemed, here are the brightest, technical most advanced people around so I think I can come up to you with some ideas I had, without having the need to explain all the basic stuff. ;)

I've recently read an article about a certificate security flaw within iPhone 3.1.2 and 3.1.3. -> iPhone PKI handling flaws
which provides several possible hooks to activate tethering on current iPhone OS <= 3.1.3 without the need to jailbreak

I tried it, and it still works on 3.1.3

Maybe one of you already tried what I'm describing below. So some feedback would be highly appreciated.

idea 1:
1. edit carrier.plist in IPCC bundle of your provider and remove all signed APN entries.
2. create a mobileconfig including all apns with all parameters (username, password, apn, type-mask(!) )
3. Export key and cert from of IPCU Cert Auth from your keychain to use them to sign your mobile config (you have to transform .p12 to .pem first)
3. now sign the mobileconfig via commandline. Dont use IPCU to sign it, it removes paramters like type-mask!
I spent hours finding/figuring out that command you'll need now, so here it comes: openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer ipcu_pub.pem -inkey ipcu_priv.pem -certfile ipcu_pub.pem -outform der -nodetach
4. upload modified ipcc with itunes.
5. install selfcreated mobileconfig via email sent to yourself
6. install profile
7. cross fingers

idea 2:
Depending on the influence range of the certificate flaw, it could be possible to selfsign the apn data within carrier.plist itself by ipcu-certificate.
If the verification mechanism uses all root certificate in iPhones keychain to check signatures (also the inbound ones in carrier.list) it should work.

idea 3:
pretty similar to idea 2, but another
As it seems to me, all MCC/MNC listed in the "SIMs" array contained by "MandatoryVerify" list have to have signed apn data.
so what would happen if we just remove our own MCC/MNC from the list and sign it again without our IPCU certificate + key.
I would expect that it's possible to use unsigned apn data again in selfmade carrier.plists.

So you may come up with the question: Why haven't you tried it already?

Well there are some things I still couldn't figure out / i don't know yet

1. What meaning have all the type-mask keys?
I use T-Mobile and they use the keys 22, 23 and 32. Referring to this chart and assuming this key describes one byte it would result in the following
they are using the unused 5th bit (16) portion 22 = 4+16, 23 = 1+4+16 and 32 = 32 (which makes no sense if you apply this chart) other carriers even use keys differing from the information provided by the chart.

2. What type/format of signature is used to sign "SIM" and "APN" data?

3. What data is exactly signed?
the whole xml-branch (with or without linebreak?)?
<string>20201</string>/n/r<string>20205</string> and so on
only the usage data?
20201 20205
if so which seperator is used then?

4. What is necessary to make the tethering switch appear?
just a change in /var/mobile/Library/Preferences/com.apple.MobileInternetSharing
or is it more?

5. How does the carrier remotely make the tethering switch appear?
I ask, becaues this probably is another entrypoint for it.
Maybe you are reading this and think: Hey, I know a guy who paid for this feature.
And maybe this guy can explain what happend until the feature was available (Needed to sync with iTunes, appeared instantly, had to approve a prompt on the screen) a jailbroken iPhone with this feature activated would be the biggest win in this case I think. I guess you know where I'm coming from...
So if you've got information, it would be nice if you share it with us.

Any ideas, news, criticism ... are welcome

Thank's for your time.

best regards,
howabout

Quote:

---

Originally Posted by HowAbout

4. What is necessary to make the tethering switch appear?
just a change in /var/mobile/Library/Preferences/com.apple.MobileInternetSharing
or is it more?

---

Tethering Button will appear if APN-Checksums are not broken and the responsible tethering APN (identified by type-mask) has connection to the internet. (if you are on official carrier, usually the tethering APN is blocked until you get a tethering data plan). You do not need to reactivate by editing a plist file - it will appear after you install a valid IPCC-File and on the next loop it gets activated (after 10 - 30 seconds).

Quote:

---

Originally Posted by HowAbout

3. Export key and cert from of IPCU Cert Auth from your keychain to use them to sign your mobile config (you have to transform .p12 to .pem first)

---

can you explain this step in detail? thank you!

Thanks for the hint with com.apple.MobileInternetSharing. Might be easier as expected, if it works.

Here comes the explanation on how to selfsign mobileconfigs:
I assume you are using a Mac and you're familiar with mobileconfig files.
Also you have installed iPhone Configuration Utility from Apple and run it at least one time. (It creates the certificate we want to use) Also your iPhone has been connected to your computer and assigned to the iPCU (this installs the certificate on the iPhone)
That said, we can start.

1. Open your Keychain Access program (type "keychain" in spotlight, if you don't know where to find it)
2. locate and select the iPCU Certificate Authority (Unique ID on you system) in Category/Certificates (lower left)
3. Now you select Export "iPCU Certificate Authority (Unique ID on you system)" from the context menu
4. name it something like ipcu_pub (format is "Personal Information Exchange") and export it to a folder you want. In our example I will put every file in a folder labeled mobcon on my desktop
5. now you go back to Keychain Access and expand the certificate using the triangle to it's left.
6. select the entry <key> and export it. Give it the name ipcu_priv for example.
7. additionally you have to secure it with a password due to the fact it contains the secret key, necessary to sign data. Choose something simple, like test or so.
8. drop your mobileconfig file you want to sign also into the folder mobcon
9. open "Terminal" (again, just type "terminal" in spotlight)
10. head for the "mobcon" folder on your desktop (cd Desktop/mobcon/)
11. change format of .p12 formatted files into .pem format doing the following
12. type "openssl pkcs12 -in ipcu_pub.p12 -nokeys -out ipcu_pub.pem" to change the format of the certificate file
13. repeat with our key file "openssl pkcs12 -in ipcu_priv.p12 -nocerts -out ipcu_priv.pem". Type in your password "test" for three times
14. now we have everything to sign our mobileconfig file issuing the following command
"openssl smime -sign -in YOURFILE.mobileconfig -out YOURSIGNEDFILE.mobileconfig -signer ipcu_pub.pem -inkey ipcu_priv.pem -certfile ipcu_pub.pem -outform der -nodetach". Type in your password "test" again.
15. now you have your selfsigned mobileconfig in the "mobcon" folder
16. take YOURSIGNEDFILE.mobileconfig and attach it to an email you send to yourself
17. open mail on iPhone, select attachment and install configuration.
18. Enjoy

Appendix:

• ipcu_pub.p12 and .pem is the certificate file
• ipcu_priv.p12 and .pem is the keyfile
• YOURFILE.mobileconfig is the unsigned iPhone configuration
• YOURSIGNEDFILE.mobileconfig is the signed iPhone configuration
• Not necessary to mention that all files and passwords can be named whatever you like.

Thank you for your detailed manual - I've done everything step by step and created a selfsigned mobileconfig. But the ipcu-certificate has been untrusted (this root certificate is not trusted) until I've trusted it with my keychain access program.

So the mobileconfig has also been on the iphone not the green flag and there has been a message, that the signature is not verified.

After trusting my ipcu certificate on my mac and syncing it with my iphone the selfsigned mobileconfig file has the green flag and is fully trusted. :)

But why selfsigning mobileconfig file - it does also install if not signed. And as far I know it is not possible to add tethering by using mobile config files on firmware 3.1.3. It did not work for me, when I've been trying - so my solution for blacklisted SIMs has been a simple commcenter patch on 3.1.3 (but as you told jailbreaking is required then) or IPCC files with the Manadatoryverify key inside for unsupported carriers (no jailbreak required)

ok, ipcu cert is working to sign profile files - but it is not trusted, until the iphone ist connected to the local ipcu. This makes it impossible, to spread tethering profiles to other people who do not have their iphones connected to your ipcu. That means such devices will not validate your signature and the fix will not work.

but thanks to your link with root certificate flaw I think it's really possible to selfsign mobileconfig files and perhaps apn-data by using certificates signed by official root CAs, if the commcenter also offers the certificate flaw

I am still investigating another possible workaround.

History: My iPhone 3GS has been at fw 3.1.2 for a long time, I avoided to have it updated cause I used MyWi (had used the Commcenter patch before but wanted Wi-Fi router function) and a custom carrier bundle I created for my carrier. All worked fine for a long time.
My iPhone then got stuck at the Apple logo, now way out. So I decided to go for as restore to 3.1.3.
Worked fine. On the board here I always told ppl to refrain from using the backup then - but I did. I still can apply custom carrier bundles, use tethering - everything.
I tried before applying the backup and it did not work of cause.

So - somethings in my backup that makes my custom bundle work. Problem is: The backup is 600 MB. i have used Erica's mdhelper to extract all files for a first try but did not find anything.
I'll be digging a bit further and let you know

Have your tried this page from safari on your iphone?

help.benm.at

Scroll down to the bottom of the page and create a custom mobileconfig with your carrier APN.

Hope that works

Quote:

---

Originally Posted by manuelant

Have your tried this page from safari on your iphone?

help.benm.at

Scroll down to the bottom of the page and create a custom mobileconfig with your carrier APN.

---

This only works on iPhone OS 3.0 (without jailbreak)

The thread is about a solution for OS 3.1 (or higher) without jailbreak

seems that Unlockit - APN Changer for your iPhone have created a generator for trusted signed mobileconfigs for >= 4.0 beta 3. But this does not work for me on apple supported carriers.

is anybody reversing the signatures? Seems that the APN and bundle signatures are RSA encrypted with an unknown private key. This makes it impossible to generate valid signatures without jailbreaking and either replacing the public key or patching the signature check. The root certificate flaw will not help us then.

I think best decision would be to not buy iPhone 4 with apple supported/reduced carrier contract.

Correct, it only works on non-Apple contracts. Same story for OS 3.1.2. It's not about reverse engeneering. For Apple supported carriers you still and will need to patch CommCenter to get around the sig check. For non Apple carriers you can create bundles or Mobileconfigs - no problem.
Plus - with 4.0 you wont need to do so. Non Apple carriers allow to modify APNs for Data, MMS and Tethering!

Quote:

---

Originally Posted by volkspost

For non Apple carriers you can create bundles or Mobileconfigs - no problem.

---

And how should we sign the carrier bundles for non-apple carriers? Unsigned bundles don't work.... I would just like to get rid of the "call forwarding alert". And that can't be done with mobileconfigs...