[iPhone 3G][Unlock][Supposition on the way of success] - Page 2

aviegas · #11 (**permalink**) 08-08-2008, 01:29 AM

Quote:

Originally Posted by todro

I will try to verify this by submitting a valid activation record without connecting iTunes after the restore, or in a second try I connect iTunes for creation of valid pairing information but without ouside connectivity before sending the activation record. If the unlock is still sent to BB, it's depending on lockdown state/activation record.

And yes, it seems to be the CommCenter itself which is sending the unlock sequences

I hope it ends up being CommCenter.... much simpler to handle.

volkspost · #12 (**permalink**) 08-08-2008, 01:33 AM

Quote:

Originally Posted by todro

Comparing the behaviour of a Swisscom (locked) and Mobistar (unlocked) iPhone, this is what I found out on the iTunes-unlocked Belgium iPhone by logging all type of communication:

a.) There is a new kind of activation which is called "WildcardActivation" (in comparison to the "old" FactoryActivation)

Just to add a note: WildcardActivation is and was already present on my old 2G iPhone. I got one during the short ammount of time Apple had to sell unlocked iPhones in Germany due to a lawsuit Vodafone/T-Mobile last autumn.

v.

tinhbantotvn · #13 (**permalink**) 08-08-2008, 02:20 AM

So, everything came from Itunes? Itunes seem to control everything...
BTW: This sound seem simple but it may take month todo

. There is no way we can restore the phone without connect to the internet (if you connect to internet, itunes will send your info back to server)...Hope we can come out with the solution very soon.(this is how apple know how many first gen iphone have been unlocked

) )

tramuyo · #14 (**permalink**) 08-08-2008, 05:20 AM

Well, we should take a more deeper look on iTunes secrets... and try to "spoof" a apple server

drg · #15 (**permalink**) 08-08-2008, 05:27 AM

I don't think there's any reason to think iTunes (the least secure code in the whole chain) is responsible for the unlock. Yes, we know it passses the NCK to the phone via the token, which in turn passes it to the baseband, but that's where it ends.

Apple knows iTunes is an easy target, and I'm almost certain the NCK paradigm enumerated above still holds true for the 3G. Geohot or any dev's care to confirm?

Bottom line: Until proven otherwise, iTunes is a dead end in terms of unlocking the 3G.

Tamagochi · #16 (**permalink**) 08-08-2008, 05:45 AM

Quote:

Originally Posted by dtube

Another thing which is very interesting that TA forgot to mention is:

- an international phone (fulling funtional) which means the baseband is unlocked right?

- pwned the international phone. It became locked. So, the saying about once the baseband is unlocked it stays unlocked is not the case here. Eventhough the BB version remains the same.

- Restored the phone with original apple firmware. Hooked it up to itunes, phone fully working again.

- So even if the the imei, serial/model are the same. The pwnage action (jb/act) changed things in the phone, itunes detected that and turned the phone to "lock" state.

I can confirm that pwning the International iPhone does not lock it. I did it many times, and many International owners here can also confirm that. Just have to choose advanced mode in Pwntool and uncheck Activation option when pwning. So, what I suggest here is devteam used a patched activation records to activate the iPhone but this patched activation records in another hand conflicts with activation records in International iPhone, and results to "No Service" state. May be devteam has not yet tested with International version.
IMHO, the most "suspicious area" is the Seczone because I have already overwriten all other areas with International version.
As I know, Seczone contains NCK, IMEI, S/N, MAC addresses and of course all of them are encrypted. Wrong modification may lead to IMEI 0049xxx

ta_mobile · #17 (**permalink**) 08-08-2008, 06:17 AM

Quote:

Originally Posted by Tamagochi

I can confirm that pwning the International iPhone does not lock it. I did it many times, and many International owners here can also confirm that. Just have to choose advanced mode in Pwntool and uncheck Activation option when pwning. So, what I suggest here is devteam used a patched activation records to activate the iPhone but this patched activation records in another hand conflicts with activation records in International iPhone, and results to "No Service" state. May be devteam has not yet tested with International version.
IMHO, the most "suspicious area" is the Seczone because I have already overwriten all other areas with International version.
As I know, Seczone contains NCK, IMEI, S/N, MAC addoresses and of course all of them are encrypted. Wrong modification may lead to IMEI 0049xxx

hmm... I've known this bro. But you did not test the state when 1 unlocked pair of xgold + nor in the pcb of a locked phone. Pwned it without activation check still make it locked. So what is the difference point ?

dtube · #18 (**permalink**) 08-08-2008, 06:50 AM

Quote:

Originally Posted by Tamagochi

I can confirm that pwning the International iPhone does not lock it. I did it many times, and many International owners here can also confirm that. Just have to choose advanced mode in Pwntool and uncheck Activation option when pwning. So, what I suggest here is devteam used a patched activation records to activate the iPhone but this patched activation records in another hand conflicts with activation records in International iPhone, and results to "No Service" state. May be devteam has not yet tested with International version.
IMHO, the most "suspicious area" is the Seczone because I have already overwriten all other areas with International version.
As I know, Seczone contains NCK, IMEI, S/N, MAC addresses and of course all of them are encrypted. Wrong modification may lead to IMEI 0049xxx

What I stated above is to raise awareness for readers & not about using pwnage. In the 2g world, at&t subscriber would run into issue of youtube not working and etc if you replace with a patched activation file. In the 3g world, the phone is semi-activated; appstore will not work, phone remains in locked state, basically it's an 3g itouch :-)

As far as what TA found (to my understanding), it's not because of 0049xxx.
Thanks for joining the discussion. We need more brain cells.

Shade.sh · #19 (**permalink**) 08-08-2008, 08:05 AM

Quote:

Originally Posted by dtube

What I stated above is to raise awareness for readers & not about using pwnage. In the 2g world, at&t subscriber would run into issue of youtube not working and etc if you replace with a patched activation file. In the 3g world, the phone is semi-activated; appstore will not work, phone remains in locked state, basically it's an 3g itouch :-)

As far as what TA found (to my understanding), it's not because of 0049xxx.
Thanks for joining the discussion. We need more brain cells.

Hm i have a AT&T locked 3G, "activated" with Pwnage and AppStore works without problems. the only thing i discovered was, before pwnage i got a "Wrong Sim Card" message every reboot. After Pwnage there isn't a message like this. Only simple no signal...

Just my 5 cents

Shade

thieu_bocap · #20 (**permalink**) 08-08-2008, 08:17 AM

Quote:

Originally Posted by Shade.sh

Hm i have a AT&T locked 3G, "activated" with Pwnage and AppStore works without problems. the only thing i discovered was, before pwnage i got a "Wrong Sim Card" message every reboot. After Pwnage there isn't a message like this. Only simple no signal...

Just my 5 cents

Shade

So there is more evidence for the theory that Pwntool overwrite smth in the official lock/unlock state right ?

Why Dev Team keep silence ? Pls correct me if Im wrong Dev ...
Ah, 1 thing more, this time no one care about Donating for Dev Team ... so that maybe the reason or maybe they have another donation source ?

haha, just my 2 cents

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode