GSM Tech

[Dr. H. Nikolaus Schaller]

Am 15.12.2007 um 21:53 schrieb Torsten Schlabach:

> Dr. H. Nikolaus Schaller wrote:
>
> > * The code might be individual for each IMEI (Mobile Equipment
> > Identifier), i.e. your specific device.
>
> It is! There is no "universal" unlocking code.
>
> > * It is NOT stored on the SIM.
> > So, the phone is locked for a specific  SIM.
>
> Well, it's called SIM lock, but it's the phone which is locked, not  
> the SIM. The network operator does not care what terminal equipment  
> you use to make him earn money, they just

The phone is locked so that it can be used only with a specific SIM.  
So, the SIM is the key to make the phone useable. Therefore, a SIM- 
lock (well it should be called SIM-key).

> don't want to you create revenue for a different operator with a  
> terminal (phone) they subsidized.
>
> > * It is NOT stored in the Network (Home Location Register)
>
> That wouldn't make any sense either. All other operators (not the  
> one who locked the phone) would have to ban it. But they couldn't  
> care less. They don't even care to block stolen phones any more AFAIK.
>
> > * So, the only remaining location can be the EEPROM/Flash of the GSM
> > module.
>
> Sorry, but I cannot follow you here. How do you come to that  
> conclusion?

Well. There are two basic architectures of GSM phones.

One is a single processor system (cheap phones) which does OS, GUI  
and the GSM stack. Then, there is just one EEPROM/Flash.

Or, you have a two-processor architecture (powerfull PDA phones)  
where there is a GSM module and a separate application processor with  
separate memory. Like the OpenMoko.
>
> It could as well be stored in the phone's memory. The phone's  
> memory is not the same as the GSM module's memory. (If that even  
> has any.)

Well, what constitutes the "phone" for you?

The GSM module in a two-processor architecture has its own flash,  
RAM, EEPROM etc. where all the GSM protocols run and where the AT  
command interpreter sits.
>
> In other words: I'd expect SIM lock to be a feature of the phone's  
> operating system, not of the GSM module. I might be wrong, though ...

Why? It is a feature of the GSM security system. And - there are  
modules in GSM-CF cards format. There, the operating system is called  
"Windows", "Linux", "MacOS". And, they clearly have no support for  
SIM-locks.

>
> The interesting question is: How much software and how much  
> hardware is in a GSM module's chipset.

You will be astonished how much...

How many AT commands can a GSM module interpret without (internal)  
software?

>
> Regards,
> Torsten
>
> Dr. H. Nikolaus Schaller schrieb:
>> Am 15.12.2007 um 16:28 schrieb Joe Pfeiffer:
>>> Steve writes:
>>>
>>>>
>>>> I'd agree with the statement about the AT commands, but I do  
>>>> think  its
>>>> probably possible to get unintended functionality out of the  
>>>> GSM  modem
>>>> without resorting to decapping the chip.  After all that is   
>>>> exactly what
>>>> the unlockers are doing.
>>>>
>>>> The unlockers are probably a major reason why TI is so paranoid  
>>>> about
>>>> the workings of their chipset since that is where the SIM and   
>>>> provider
>>>> locks are usually implemented.  I wish I could give you more   
>>>> information
>>>> about the techniques they use, but I don't know what they are.   
>>>> It  would
>>>> be interesting to find out, but FIC may not appreciate the   
>>>> discussion on
>>>> their mailing list either.
>>>
>>>
>>> I hadn't thought of that -- now I do find myself wondering where and
>>> how the locks are really implemented....
>>>
>> If you look here (which is an official T-Mobile page in German):
>> http://www.t-mobile.de/vertrag/0,11547,17655-_,00.html?WT.srch=1
>> it is described as follows:
>> 1. you purchase an unlock code within 24 months or get it for free.
>> 2. how the unlock code is operated depends on the device model, i.e.
>> they have a set of different PDF files describing it.
>> 3. for example on a Siemens phone, you switch on the device without
>> the SIM card and type in the unlocking code. Then, you switch off
>> and can install an arbitrary SIM card since it is unlocked.
>> So, what can we deduce from it?
>> * There is no "timer" for the 24 months
>> * The code might be individual for each IMEI (Mobile Equipment   
>> Identifier), i.e. your specific device.
>> * It is NOT stored on the SIM. So, the phone is locked for a  
>> specific  SIM.
>> * It is NOT stored in the Network (Home Location Register)
>> * So, the only remaining location can be the EEPROM/Flash of the  
>> GSM  module.
>> Basically it is the same as a login on a computer. There is a  
>> user  name (IMEI)
>> and a password (IMSI). Passwords are stored in encrypted form   
>> somewhere in the internals
>> of the operating system (/etc/passwd). And there is a second  
>> password  which can be
>> used to enable "guest" login, i.e. remove the standard password.
>> Unlocking a module could therefore be securely provided by an AT   
>> "UNLOCK"
>> command where the user must provide an unlocking code that the
>> network operator has issued.
>> Now, if it is stored in the module, the module's hard- and  
>> software  manufacturer
>> must make sure that it can be unlocked only by providing the  
>> correct  unlock
>> code through AT commands and that there is nothing like directly   
>> writing to
>> memory etc. Well, if the software of the module would be open source,
>> they simply cannot assure this.