
Changing from Ultrasn0w to custom .plist....fail.

h0lms
New Member, joined Jun 30, 2012
Ahh, the fun of trying new things is creating new problems by accident.

I will just dive in: Hi hi, how are ya.. etc..welcome..


Okay, Carrier .plist. Nothing is ever small.

My old backup has a bloody plist entry problem in it, I figure. This backup is, unfortunately, my MAIN backup.
I want to know what programs are out there, used by other jb'ers, to strip my contacts and various .var's and inject them into a new 'bundle' to be
sewn into a new IPSW.

A while back, I got rid of Ultrasn0w altogether. I use a modified plist in the carrier bundle instead, tailored to the specific SIM card.
The service provider runs on the shirttails of another (Chatr is a Rogers child service), so the 8-digit prefix (89302720) is the same but the suffix is different.
Putting one and one together, I set out to doctor the Rogers plist to accept the Chatr SIM.
...No, I didn't have any idea what I was doing. How else am I going to further knowledge than to experiment with it....
I devised a strategy where I could mod the plist entry and tailor it to the exact SIM I wanted to use, INSTEAD of just opening it wide up using Ultrasn0w.

I figured this out by looking closely at a couple of old sim cards I had, I was putting the numbers together and just, trial and error. It took about 4 hours of
dorfing around before I got it.

Before the plist mod, I would slide the Chatr SIM in the phone, and no service. After modding the plist entry,
I got bars. I "theorized" that I used the built-in Rogers carrier settings, hacked up the plist and set it up to accept the Chatr SIM.

Now this is where it gets fuzzy. I am starting to believe that the work I did to the Rogers plist was actually pointless. The reasoning behind this:
upon discovery of the 'Unknown Carrier Plist' file, I have no idea what carrier plist settings the phone is using. I restored the device back to its original settings and after
restarting the phone, I was mystified to find out the Chatr SIM worked anyway....running the stock plist settings. Which to me makes no sense, because it didn't just blink-in work beforehand?

I have modified something. It's not a question, but a statement. Did the phone auto-correct? I'm looking for someone to explain to me in depth how exactly this occurred.
Because now I can definitely USE the Chatr SIM, however NOW I am trying to get iMessage to work, to no avail, and there is something going on between the
phone activator and the plist entry. I can get in to modify the plist no problem.. but I can't figure out WHICH plist is being used?

Anyway, if you know of anything that may help, or perhaps it's in a Cydia repo or something, or a desktop program. I run Win7, most current iTunes, WinSCP, and Plist Editor Pro. Software
for the phone is: 5.1.1, BB 05.16.05, activated with an old Rogers SIM, Cydia --> Absinthe. SBSettings, OpenSSH, SSHConnect, TetherMe installed. It's a 3GS, 16GB. Built by me from 3 other
wrecked phones.

AND just to let you know, I will STILL be scouring the search engines for anything; the NATURE of the problem makes it hard to find any results for.

-cheers.
 
There is no way to unlock the 05.16.05 baseband, also not sure why you are trying to use a plist file to unlock the device, never heard of that.

Best thing to do would be do a fresh restore and if your device was manufactured before the 35th week of 2011 you can install the iPad baseband and then downgrade to 05.13.04 and unlock with Ultrasn0w again.

Hope this helps!
 
No way, have I just done the impossible here...

No way. There are like 30 million users out there in the 'verse of JB'ers, and I just figured out a way to manually HACK the plist entry to accept the SIM card of CHOICE???

Get out of here.. LOL.. ME? hahaha.. Get serious.

Let me tell you what, I will document what I did, forget about the iMessage thing for now, lets just focus on the Device.
(no way I am pioneering this, too many people involved for ME to do this single handedly)

Okay, you remember the downgrade to the iPad 06.15.00 BB, in order for Ultrasn0w to jive and get the carrier unlocked? Of course.
Then after that came the downgrade to the (xx.xx.xx) BB for the GPS.. okay....again, another improvement.
Craziness ensued, as there was that week 35 BS, and etc etc etc... too complicated.

What spawned this idea is I didn't like Ultrasn0w; nothing personal, I just didn't agree with unlocking the ENTIRE phone for every carrier. Why not just the
SIM I wanted? Someone steals it, and ONLY my SIM works in it. Or the SIMs that I assign to it.
Also, I didn't like the idea of flashing the BB, because in the case where my phone went bonkers, it was difficult to tell if it was something I did, or something
the code from Ultrasn0w did. Simplicity.

I activate my iPhone, just like I do every time, using an old ROGERS SIM I have had for YEARS.. This is the activation for the phone. Not HACTIVATED.. no, activated
via Rogers SIM. I have used this SIM so many times it's polished and the surface numbers are just about worn off.

After it's activated, I pop out the Rogers SIM. And immediately install Cydia via Absinthe.
After that I download OpenSSH from Cydia, and trunk into the phone with WinSCP.
(no sim in the device still)

So, I have a Chatr SIM, with a data plan on it, and I have an iPhone, which Chatr does NOT sell. Data plans are DATA plans.. Rogers on the other hand DOES sell iPhones,
and wouldn't you know it, the Rogers SIM cards and the Chatr SIM cards have the exact same 8-digit prefix PRINTED on the surface of the SIM CARD.

Yeah, those little numbers. Printed to the left on the old Big SIMS. Well, they are not serial numbers, no they mean something more.
My chatr SIM: EXACTLY AS IT APPEARS PRINTED.

89302 <---Region (xx000) Country (00xxx)
72040 <---Carrier (xxx00) Unknown (000xx)
19418 <---Unique identifier #1 (xxxxx)
63832 <---Unique identifier #2 (xxxxx)
B009 <---No idea

I have an old Virgin SIM, and a Bell SIM, Telus SIM, Fido SIM.. and I started to compare the numbers on the cards with the carrier plist entries on the device
and I realized that each carrier has a specific SIM PREFIX that allows the phone to interact with a specific set of SIMs. Like a key. In a computer it would be a registry entry.
Each carrier in the plist has the numbers in the entry. What I also noticed was the numbers printed on the cards matched up with the carrier profile in certain ways.

So I studied an old FIDO iPhone SIM. And an old TELUS SIM (Fido is a Telus child). And the first 10 numbers on those SIM cards matched up in each of the Telus and the FIDO carrier
profiles; however the Fido profile had an additional string present:

Under the <string> entry, for fido:
<string>xxxxx_ID-XXXXXXXX</string>

It looked as though while Telus was using their carrier string to attach it to specific Telus SIMs, Fido had an independent string, but since they both occupied the same network, this string entry
was how the phone determined which is which. Hmmm..

So for the hell of it, apples with apples, I modified the Rogers Supported SIM String, with the "fido-esque" modifications, entering the appropriate numbers in the appropriate spot.

This is the result.

(copied directly out of the plist editor window)
//device/system/carrierprofiles/iphone/RogersWireless/carrier.plist

OLD (original)
    <key>SupportedSIMs</key>
    <array>
        <string>302720</string>
    </array>

...To this.
MODIFIED (Chatr SIM)
    <key>SupportedSIMs</key>
    <array>
        <string>302720</string>
        <string>19418_ID-89302720</string>
        <string>63832_ID-89302720</string>
    </array>

I can only conclude that I manually tied the SIM to the carrier plist. Unlocking the device.

I'm not kidding. I got bars.



My device is this:
SN: 8795063K3NQ
BB: 06.15.05 (NO JOKE...serious)
Carrier: Chatr

No ultrasn0w. None.

Now here's the funky-shoe: when I back the device up immediately after the mod (no respring) and restore it following with my backup in iTunes, when it's complete, it removes ALL traces of Cydia and its proponents,
and the SIM CONTINUES to work.

???? crazy fluke stuff.

I will try to get some video here, because I know this seems wack.. And I have a hard time believing it.. I have done it, and re-done it.. and re-done it to a point where I know it like the back of my hand..

I don't have the devices or I would try it on EVERYTHING..

I'd be surprised if a boy from Calgary AB has just opened EVERY iPhone to a carrier-specific unlock, without even TOUCHING the BB.

Thoughts?
 
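The digits printed on the card, as the post above transcribes them, can be checked as a single ITU-T E.118 ICCID: such a number ends in a Luhn check digit, so a short script can confirm that the 20 digits are one identifier and that the trailing "B009" is not part of it. What follows is an added example, not code from the thread. It uses only the number as posted and the stock SupportedSIMs value 302720 quoted from the Rogers bundle; the prefix comparison in it reproduces the comparison the poster drew between card and plist and is an assumption for illustration, not a statement of how iOS selects a carrier bundle.

```python
"""Check the number printed on a SIM as an ITU-T E.118 ICCID (added example)."""
import re

# The number exactly as the post above transcribes it from the card, spaces included.
PRINTED_SIM = "89302 72040 19418 63832 B009"

# Stock SupportedSIMs value from the Rogers bundle quoted in the same post.
STOCK_SUPPORTED_SIMS = ["302720"]


def luhn_ok(digits: str) -> bool:
    """E.118 ICCIDs end in a Luhn check digit; True when the whole string verifies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_printed_sim(printed: str) -> dict:
    """Split the printed string into the ICCID and whatever trails it, and verify the ICCID."""
    compact = re.sub(r"\s+", "", printed)
    m = re.match(r"^(\d{19,20})(.*)$", compact)   # E.118 allows up to 20 digits
    if not m:
        raise ValueError("no 19-20 digit run at the start of the printed number")
    iccid, trailer = m.group(1), m.group(2)
    return {
        "iccid": iccid,
        "mii": iccid[:2],          # 89 = telecommunications, the Major Industry Identifier
        "after_mii": iccid[2:8],   # the six digits right after 89 (302720 on this card)
        "luhn_ok": luhn_ok(iccid),
        "trailer": trailer,        # printed after the ICCID; not part of it ("B009" here)
    }


def prefix_matches(iccid: str, supported_sims: list[str]) -> list[str]:
    """Six-digit SupportedSIMs entries equal to the six digits after the MII.

    This reproduces the comparison the poster drew between card and plist; it is an
    assumption for illustration, not a statement of how iOS selects a carrier bundle.
    """
    return [s for s in supported_sims if re.fullmatch(r"\d{6}", s) and s == iccid[2:8]]


if __name__ == "__main__":
    info = parse_printed_sim(PRINTED_SIM)
    print(info, prefix_matches(info["iccid"], STOCK_SUPPORTED_SIMS))
```

Running it shows the 20 digits verify as one ICCID with a valid check digit, "B009" is left over as a trailer, and the six digits after the 89 are the same 302720 that sits in the stock SupportedSIMs array. Flipping the last digit makes the Luhn check fail, which is the quickest way to catch a transcription error when copying numbers off a worn card.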
I still don't know what you're trying to explain, but your reason for not wanting to use Ultrasn0w doesn't make any sense. Even if you did lose it, the person who found it or stole it would just have to install the iPad baseband and be able to use Ultrasn0w to unlock it anyway. You wouldn't be preventing them from using the phone by not using Ultrasn0w.

The phone you have is susceptible to Ultrasn0w so there's no reason to use any other method to unlock it.
 
Okay. The reason I deviated from ultrasnow in the first place.

#1: The idea to flash my device's baseband from what it is, to the iPad BB, then back again to a non-iPad BB seemed a bit convoluted. There has to be a more up-to-date, straightforward way.

#2: This device by all rights is too NEW in the 3GS realm to perform the task. I'm not switching to Rogers just for the sake of not being able to pwn my device.

In MY MIND, there had to be a way to NOT TOUCH the baseband in the first place. Instead of relying on everyone else's genius and computer knowledge to perform the task of enabling this specific phone (a 3GS built AFTER week 35, with a non-Ultrasn0w-compatible baseband). Okay? I ripped up the book, and went at it with an entirely new perspective. I am reporting my findings, in hope of sharing new ideas.

Now, if you take the entire contents of the Apple IPSW and rend it from the phone, what would you have? Hardware, just a blank screen, with not much more than a 'plug me into iTunes' logo.

It's no surprise then, the IPSW governs the function of the phone to a certain degree, does it not?

Okay, that being said, what determines why SIM-x works and SIM-y doesn't work? The carrier profile in the software on the IPSW, I suspect, AS it's the only software on the device. It's not FIRMWARE, it's SOFTWARE in my mind.

Firmware is the baseband modem. The SIM interpreter, The camera function, the usb port function, the battery function. The basic sub-routines that are firmly placed on the device. Like a bios in a desktop computer. Software is what can be changed, different IPSW's etc.

Ultrasn0w works with the software. I have determined this by doing file hashes before and after the install.

The key to getting the IPSW to work with a specific sim card is in the coding of that IPSW. Change the coding, and change the properties within that coding. That simple. Not flashing a perfectly good bb then re-flashing etc..

Try it yourself. Go on. Prove me wrong. I don't mean to be hostile, but rather than being a shiftless, uncompromising troglodyte, give it a shot.

It's Absinthe. It allows the user to place Cydia on the device, without flashing the baseband. With wifi and OpenSSH installed, WinSCP can 'trunk' into the iPhone and 'see' the contents of the IPSW.

Modify the IPSW, modify the properties of the installed software. Back up and restore the device. And it works. No Ultrasn0w.

It works WITHOUT Ultrasn0w, which MEANS that (for lack of devices' sake, not a lot to test on here) my 3GS works using this method, and I have since done this to another 3GS, and guess what.. IT WORKS TOO.
 
h0lms... tell you what. Get this, whatever you wanna call it, to work w/ the 4.11.08 & 4.12.01 iPhone 4 BB's.... then we'll talk. :)
 
I assume these devices are running iOS 5.1.1? If not then save the SHSH blobs, if ya care to. I don't see the point, but your devices. And update.

I also don't see the point in doing this for you, so I am going to teach you how to get in and do it. So for Pete's sake, be open-minded, cause if you're new to going this far, it's not going to appear very straightforward. You have ways you do things, I have ways of doing things.

Next thing is you'll need to know exactly which carrier you are using. Specifically the SIM cards associated. We need the numbers printed on them.

Follow the thread I wrote above to find the number string printed on each SIM card. Take those numbers down.

Next, you will need a SIM from the original carrier that the phone is 'tied' to (cdn, Telus, Rogers etc) to activate the phone. If you do NOT have this SIM, you will need to HACTIVATE the phone. Using redsn0w. No biggie. Stay away from sn0wbreeze.

Just install Cydia using redsn0w for the hactivation. That's it.

If they are already activated, and just no signal, then go and get the latest distro of Absinthe. With the devices on, plug each one in and hit the go button. It will tell you when it's done (5 min tops).

Once Cydia is on the device, either way, search for the file SSHConnect (SSH OPEN CONNECT); it should be found in the default repos found within the app.

Once SSHConnect is installed on the device, go to the Settings menu, and under the wifi you should see an extra menu; open it and take down the IP address listed within, never mind the rest. Just the xxx.xxx.x.x or whatever. Make sure it's ON.

Next scroll down to the general tab, open, scroll down to auto-lock and switch that to never.

If the device sleeps while 'trunked' in, it will sever the connection.

Go back to the settings list, and make SURE THE DEVICE is on the same network your PC is plugged into, as it turns the wifi signal into a wireless serial trunk into the iPhone from WinSCP on the machine.

Okay, plugged in for power, set it aside for now.

Next is download WinSCP, and Plist Editor, from the web.

Once those programs are on the computer, open WinSCP. You're gonna see a login screen:

File protocol: set it to SCP
Host name: IP address you took from the menu on the device. Username: root. Password: alpine
(same for all devices). If not, then Google.
Port #: 22

Hit login. It may take a couple of attempts, and ask you to accept a certificate. Hit yes.

Once in there, you should see two windows, your computer file system on the left, and the device file system on the right. Copying between the two is now just drag and drop.

On your home computer, create a folder in your documents, and inside that folder create a folder for each device. We are going to make a backup of the plist file, so if anything goes funky, you will be able to revert it.

Next, on the device side of the window, navigate down directory trees until you can't anymore. Open: Settings, carrier bundles, iPhone (just be patient) and finally you now 'see' the provisioning bundles I was talking about. They are all there, after the numbers further on down near the bottom.

Select the profile of your carrier of choice (the one the SIM is tied to), grab that folder and drag it across to the file window and copy it. That's the backup. Rename it (backup).
Drag another copy over; this is the working copy.
On the left side, open the carrier provisioning bundle you just copied over. Near the bottom there's a file called carrier.plist; right click on it, and select 'edit property list file'.

Now you're in the very heart of the carrier bundle.
You can see that it has MMS settings, carrier naming, lots of things.

This is where your SIM information will be input. You will see in XML view that there are keys, arrays, and dicts, as well as strings.

Navigate down to the string specifically called SupportedSIMs.
You should see a 6-digit number underneath.
Put your cursor at the end of the <string>xxxxxx</string> and hit return to create a new line.

Type in the 3rd row of 5-digit numbers copied from the SIM you want to use with that phone, like this:
<string>yourthirdrownumberhere_ID-89xxxxxx</string> (where xxxxxx is the same number from the above <string>xxxxxx</string>)
Then create a new line.
Again <string>your4thrownumbershere_ID-89xxxxxx</string>

when that is done, save the plist.

Close that window, go back to WinSCP. Now open the chosen plist folder on the device, and drag the modified carrier.plist onto the iPhone; click yes and wait. It will ask you to replace; click yes.

Right click on the carrier.plist ON THE DEVICE SIDE, go to properties, change the number at the bottom from 644 to 755, and apply and close.

Go to the device and plug the SIM card into it. Respring.

When the device fires back up, you SHOULD SEE BARS. And voila. Pat yourself on the back.

Let me know how you make out. Cheers.

By the way, there's no way this method can harm your device. If things go awry, just restore stock from Apple, and begin again. You will always be able to hactivate with redsn0w, and this method leaves the stock modem firmware intact. Essentially only modifying the software of the phone. Harmless.
 
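The backup-and-edit step from the walkthrough above, done with Python's plistlib instead of a GUI plist editor, as an added example that is not part of the thread. It assumes a carrier.plist in XML form (a constructed minimal one is embedded so it runs offline), and its entry-shape check only mirrors the two shapes typed in the post; the thread's final post reports that this edit had no effect on the SIM lock, so the example shows the file manipulation only. Two things a practitioner would do differently from the walkthrough: take the backup before the file is touched, and write the file back with mode 0644 rather than 755, since a property list is data and never needs an execute bit.

```python
"""Add SupportedSIMs entries to a carrier.plist with a backup first (added example)."""
import os
import plistlib
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed, minimal carrier.plist: only the keys this example needs.
# A real bundle's carrier.plist carries many more keys (MMS, APN, naming, ...).
SAMPLE_CARRIER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CarrierName</key>
    <string>Rogers Wireless</string>
    <key>SupportedSIMs</key>
    <array>
        <string>302720</string>
    </array>
</dict>
</plist>
"""

# The two entry shapes that appear in the thread: the stock six-digit value and the
# "<5 digits>_ID-89<6 digits>" form the poster typed in. Syntax check only; this says
# nothing about whether iOS gives the longer form any meaning.
ENTRY_RE = re.compile(r"^(\d{6}|\d{5}_ID-89\d{6})$")


def is_valid_entry(entry: str) -> bool:
    return ENTRY_RE.match(entry) is not None


def read_supported_sims(path) -> list[str]:
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    sims = data.get("SupportedSIMs", [])
    if not isinstance(sims, list):
        raise ValueError("SupportedSIMs is not an array")
    return list(sims)


def add_supported_sims(path, new_entries) -> list[str]:
    """Append entries (no duplicates) after saving a .backup copy; returns the final array."""
    path = Path(path)
    bad = [e for e in new_entries if not is_valid_entry(e)]
    if bad:
        raise ValueError(f"entries not in a recognised shape: {bad}")
    backup = path.with_name(path.name + ".backup")
    if not backup.exists():                 # keep the first (pristine) backup
        shutil.copy2(path, backup)
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    sims = data.setdefault("SupportedSIMs", [])
    for entry in new_entries:
        if entry not in sims:
            sims.append(entry)
    with open(path, "wb") as fh:
        plistlib.dump(data, fh, fmt=plistlib.FMT_XML)
    os.chmod(path, 0o644)                   # data file: rw for owner, r for others, no exec bit
    return list(sims)


def demo() -> dict:
    """Run the edit against the constructed plist in a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        plist_path = Path(tmp) / "carrier.plist"
        plist_path.write_bytes(SAMPLE_CARRIER_PLIST)
        before = read_supported_sims(plist_path)
        after = add_supported_sims(plist_path, ["19418_ID-89302720", "63832_ID-89302720"])
        again = add_supported_sims(plist_path, ["19418_ID-89302720"])   # re-run: no duplicate
        backup = read_supported_sims(plist_path.with_name("carrier.plist.backup"))
        mode = stat.S_IMODE(plist_path.stat().st_mode)
        return {"before": before, "after": after, "again": again, "backup": backup, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

Point add_supported_sims at the working copy pulled down over WinSCP, then push the result back; the .backup file beside it is the copy to restore if the bundle stops loading. Re-running with an entry that is already present leaves the array unchanged, and a malformed entry is rejected before the file is written.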
So h0lms... are you telling us that this is a FOOLPROOF method of unlocking any iPhone on any BB? Honestly, I'm not interested in unlocking mine. However... we have many, many iPhone 4 users w/ the latest couple BBs who would like to.
 
What I NEED is more devices, or people (a group) that has the knowledge and the hardware to do a comprehensive study on this. As I do not have a device emulator (similar to a virtual machine) to rule out/determine whether this hack is model-specific. OR best case scenario, works on all models.

Hack.. Sorry.. It would be a plist entry preference forgery. At the deepest level in the file structure, such that the only way Apple would be able to determine it's there is either by doing a straight-across file hash, or knowing how it is being accomplished, because a restore removes all traces of it even being there.

There's also an unknown amount of preference data related to the carrier settings stored in the user backup file, which tells me that most, if not all of this forging process exists on the software level of the device, not the firmware.

In simpler terms, what I am doing is just linking the SIM installed in the device with the carrier.plist preferences already installed on the device and authorizing the SIMs for use with the device. The dumb device treats it (the SIM) like it BELONGS THERE.

It's a lot like port forwarding on a network. I just 'open' the port that I need, so data can get thru the firewall.

Allow me to think out loud here..

The phone obviously uses the SIM's identifiers to 'talk' to the server and send and receive data specific to the client (aka you), otherwise billing would be a nightmare. Thus, the phone is dependent on the data within the SIM to link the device to the appropriate profile on the network. Using the SIM as a key. Switch SIM cards, switch network identifier, switch the phone's identity. The phone (device) is just a fancy GUI/tool, to turn various functions input into the device into data that's sent to the server via the unique identifier in the SIM card.

So, by forging the phone's preferences to accept a different SIM than the one it's 'assigned' and authorized to use (Apple carrier partnership), the phone uses the deemed 'unauthorized' SIM like it is an authorized one.

It's not changing the SIM in any way or the device's firmware in any way; it's merely granting the SIM usage rights in the deepest levels of the installed software.

I was trying to increase an old 3GS' page file, because the device was having a hard time dealing with the current memory allocation within the IPSW 5.1.1 preferences.

The page file increase is accomplished (virtual memory, in desktop language) by 'patching' in with WinSCP, using the wifi as a serial uplink, and MANUALLY changing the preferences script. A light went on. Inside I saw that there were bundles for each of the carriers that Apple has a 'contract' with. I was curious. It looked as though each carrier bundle was assigned a specific set of SIM cards. A broad range, for each. My guess is likely...well I don't know why... Maybe my SIM would work if I changed the preferences?

So I had a shwack of old SIMs and started to do a visual comparison between the numbers printed on the SIM cards, and the carrier profile preferences for each carrier. Bingo, the numbers started to make sense. Before that I thought they were just internal gobbledygook meaning nothing. Oh no.. They are printed there for a reason.

Fluke, dude.. Just fluke... It was a 'discovery' by literally falling into it. By accident man.

Thats how the best ones happen.
 
OKAY

I am just going to take a moment and announce that I think I now know why I was born with brown eyes. It's with a great amount of regret that I inform any readers out there that the plist modifications I spoke so highly and aggressively of (apologies) would unlock the device. I was excited. This is what really was happening:

It just so happens that the phone I have is a 'Rogers locked' phone (go figure), as Chatr here in Canada operates under the Rogers umbrella. Similarly to how Koodo operates as a sub of Telus, Virgin on the Bell network, and so on.

I was activating the phone with a Rogers iPhone SIM. It also (this makes me really wear the egg here) happens that ALL of the devices I tested were also LOCKED to Rogers as well, giving me the impression that the process was indeed working on multiple devices. Which it clearly was NOT. I didn't realize the folly of this until I started to peel off the layers, and discovered that a redsn0w install of Cydia (hactivate) was getting me no place, and funny, the forgery wouldn't work with any other carrier, just Rogers.

The only way to get Cydia on the device any other way was Absinthe, but that required the phone to be activated (..hence the Rogers activation SIM requirement).

So, the absolute moment I realized was when I restored the 3GS to a stock IPSW, activated the phone with the Rogers SIM, then immediately pulled it out, and drove in the Chatr SIM.. Guess what.. Bars..(duh)

So I am feeling like the wind has been knocked thoroughly out of my sails on this one. My apologies to anyone whom I may have misled in this. I am looking back at what I wrote, and though the science is relatively sound, I was missing the fact that the carrier-locked status of the device, coupled with the fact that....I think you understand what I mean.

I suppose in light of this, I have discovered that Chatr SIM cards work in Rogers phones, locked to Rogers, that is. However the data connection seems to be something only activated thru the TetherMe application. And I am absolutely sure EVERYONE is aware of this.

So continues the p.list adventure. peace.
 