Finding a lost iPhone owner, the hard way

Posted on Tue 07 June 2022 in blog

Mars 2022

On March 20, 2022, my parents finds a partially buried phone in the snow, in Tignes. A shiny iPhone 12 Pro Max, in prinstine condition for a phone lost on a ski slope where many people could have skied on it!

Step 0: The phone is discharged, my parents don't have the proper cables, so they try a wireless charger and it works, YAY!

Step 1: As it's not the first time they find a phone, they know how to quickly find the owner back, they try to unlock it, no luck, it's a 5 or 6 digit code, so they just wait for someone to call: should take from a few minutes to a few hours.

But nobody gonna call: the SIM card is locked!

The next day I receive a message from my parents:

Yesterday I found a nice Phone, I charged it, but nobody calls, what should I do?

I ask for some pictures, to identify the phone.

Step 3: I'm guiding them to the "Medical ID" info (behind the Emergency thing).

But there's no medical ID on this phone.

Hey people, do fill the medical ID, like right now, while you're reading this article. It exists on Android too, it's called "Emergency information", and it really helps finding you back when you loose your phone.

I try to guide them to spawning Siri to ask some info about the owner, but with no luck (looks like it's not possible while the phone has not been unlocked or something like this).

As said in step 1, the phone is properly locked, which is a very good idea, even if in the past my parents quickly found the owner of a lost unlocked phone just calling back the last number in the call history. Do properly lock your phone. And no, 0000 is not a proper password.

Step 4: I don't know what to do remotely then… so I tell them to give it to the "lost and found" place in Tignes and hope for the best.

I tried to shoot a tweets about it, but with no luck.

June 2022

I went to see my parents and they remember me the lost iPhone, I ask about the phone not being given to the "lost and found" desk, they say no (hey Tignes, next time be polite to people coming to the lost and found desk... it would help).

So I'm back at it again, there's literally nothing interesting to do via the OS so I'm opening the SIM card slot:

  • Got an IMEI from the SIM card slot, probably unhelpfull... It confirms the phone model I already know, it tells me the "Find My Phone" is enabled on it, but I have nothing more to learn here, looks like a dead end.
  • Got a operator logo (Free) on the SIM card.
  • Got a 15 digits number from the SIM card, probably helpfull!

The number was 15 chars long, not enough to be an ICCID… but according to Wikipedia the ICCID may start with 89:

Major industry identifier (MII), 2 fixed digits, 89 for telecommunication purposes.

And as it's a french operator, it may be followed by 33 (the country code).

So prefixing with 8933 I have a probably valid ICCID!

Step 5: I call free (ooohhh it's hard to get to tell to a human and not a robot...) and ask them info about this ICCID, which they reply they don't know this ICCID at all... Obviously the SIM was revoked, and sadly they don't keep info on revoked SIM cards, at least not in this DB.

The guy was very sorry not being able to help, he told me the only way I had left is to give it to the police, but I told him I prefer finding the owner myself to ensure it's done, which he completly agreed.

OK let's stop trying the normal way, let's try the hard way! The SIM card is locked and revoked, I have 3 tries for the PIN number which I guess is either the default one (1234 for this operator), or 0000 or I don't know, 0123 maybe?

So I plug the SIM card on my phone (it's a Pinephone with Mobian on it), hoping to be able to unlock it and dump some data like:

  • Contact list,
  • Last call journal,
  • SMS,
  • Whatever I don't care just give me a lead...

I'm no expert with AT commands, I just now they exist, it should be enough right?

Booted my Pinephone, and knowing it would be long I sshed on it from my laptop to buy me some comfort:

$ ssh mobian@mobian.local

Because yes, I can SSH to my phone, and no I did not changed the default user. But yes I disabled the password login for SSHD and only log via my Yubikey.

Next I ran gnome-session-inhibit bash: I don't want the phone to suspend while I'm working on it... It's very comfy for me to have a real Debian on my phone: feels like working on a laptop.

OK let's start for real!!

$ mmcli -m any
[...it's a long output so here's the relevant part...]
  -----------------------------------
  Status   |                   state: failed
           |           failed reason: sim-missing
           |             power state: on
           |          signal quality: 0% (cached)
  -----------------------------------
[...it's a long output so here's the relevant part...]

What? Oh damned, the SIM card is not properly installed in its slot... And on a Pinpheon when you want to remove the SIM you have to remove the battery...

OK let's start again from scratch and:

$ mmcli -m any
[...it's a long output so here's the relevant part...]
  -----------------------------------
  Status   |                    lock: sim-pin
           |          unlock retries: sim-pin (3), sim-puk (10), sim-pin2 (3), sim-puk2 (10)
           |                   state: locked
           |             power state: on
           |          signal quality: 0% (cached)
  -----------------------------------
[...it's a long output so here's the relevant part...]

Hello SIM card, so you're locked?

$ mmcli -m any -i 0 --pin 1234
successfully sent PIN code to the SIM
$ mmcli -m any
[...it's a long output so I redacted it...]
  -----------------------------------
  Status   |                    lock: sim-pin2
           |          unlock retries: sim-pin (3), sim-puk (10), sim-pin2 (3), sim-puk2 (10)
           |                   state: enabled
           |             power state: on
           |          signal quality: 0% (cached)
  -----------------------------------
[...it's a long output so I redacted it...]

Yeah, I like when it finally starts to be easy! So what can I get from this SIM card? The CPBS commands is to choose the storage of phone book memory, and SM is for SIM Phonebook:

$ mmcli -m any --command='AT+CPBS=?'
response: '+CPBS: ("SM","DC","MC","ME","RC","EN")'
$ mmcli -m any --command='AT+CPBS="SM"'
response: ''

OK there's a SIM Phonebook and we just choosen it, let's read it using CPBR (R for Read)

$ mmcli -m any --command='AT+CPBR=?'
response: '+CPBR: (1-250),40,14'
$ mmcli -m any --command='AT+CPBR=1'
error: command failed: 'GDBus.Error:org.freedesktop.ModemManager1.Error.MobileEquipment.NotFound: Not found'

Damned, no contacts in the phone book... Which is probably very normal for an iPhone, but if you don't try, you don't know...

OK let's try to read some SMS messages then:

$ mmcli -m any --command='AT+CMGF=1'
response: ''
$ mmcli -m any --command='AT+CMGL="ALL"'
response: ''

Damned, nothing here neither.

Out of idea I start doodling around...

...trying mmcli -m any again, remember it was a long output and I readacted for your readability? I read it fully once, but before unlocking the SIM, I went to read it fully a second time and BOOM a section appeared since I unlocked the card:

  -----------------------------------
  Numbers  |                     own: 3365xxxxxxx
  -----------------------------------

(Obviously there was no xs, only a real phone number, redacted for the owner privacy.)

I immediatly called the number (using a landline phone, remember, my mobile phone had its guts open with another SIM card in it), got no response, dropped a weird, completly unprepared message on his voice mail, like:

Hey you may have lost an IPhone, I may have found it, write me an email at julien@palard.fr!

From my point of view I was not 100% sure to find the right owner, so the less info I would give, the more info I could ask to validate it's the right person!

Gave my email instead of my phone number because... I still had to put my SIM card in my phone... and I don't know my own landfill number...

I bet if I receive this message all my scam alerts goes red. All his scam alerts went red but he called back a few minutes later (after all, he really lost an iPhone), and after telling him the phone was found in a ski resort his scam alerts went back green, and after him telling me the name of the ski resort, my confidence I found the real owner went green too.

Hopefully he was working not far away from my house, and we were able to meet literaly a few minutes later!

I asked him to unlock the phone as a last ultimate veritifcation he was the owner, which he was easily be able to do, then he showed me pictures taken right before loosing the phone! We had a nice chat afterwards, it's not a situation that happen often!

So next time you find a phone, don't give up, there's always a tiny lead hidden somewhere that could get you back to the owner.

I hope you all added some Emergency Information on your lock screen by now, saving me a lot of time if I find it!