#1 | 08-07-2008, 05:14 PM | ta_mobile (Senior Member; Join Date: Sep 2007; Location: HaNoi - VietNam; Posts: 120)
[iPhone 3G][Unlock][Supposition on the way of success]

Hi all!

First, I'm not a programmer, hacker or analyst, but everything I've done and all the experience I have cost me a lot of time and money.

Some of it was successful. So believe it or not, that depends on you, not me.

After 3 weeks of fighting with devil iPhones, locked and not locked, with Pwntool and the hardware method, I worked out a theory of my own.

And with the hint of many Mods and Admins in this forum, I decided to talk it out.

Apple, after the 1st gen iPhone, must have much more experience in defending against hackers. Now they use this (my theory) to control the lock state of their devices, which is very secure, but I think the experts here such as the Dev Team will get past it and come to the real software unlock.

My supposition is that the BB on the 3G is no longer locked. Why do I think so??
What I did: I exchanged the X-Gold and NOR pair of a LOCKED phone with those of an international, not-locked phone. Both phones are in good physical condition, with the right IMEI for the IC pair, and have wifi. Then what happened?

- The locked phone now has the not-locked IC pair: put a working SIM inside
+ Pwned it: of course No Service. Call 112, no signal broadcast. I took the NOR out and dumped this state; call it State 1.
+ Restored it with the original firmware and activated via iTunes: iTunes said it cannot activate and the phone must be brought to Apple Service. Still No Service in the top left of the screen. Call 112, no signal broadcast. I took the NOR out and dumped this state; call it State 2.

- The not-locked phone now has the locked IC pair: put a working SIM inside
+ Pwned it: of course No Service. Call 112, no signal broadcast. I took the NOR out and dumped this state; call it State 3.
+ Restored it with the original firmware and activated via iTunes: iTunes said it cannot activate and the phone must be brought to Apple Service. Still No Service in the top left of the screen. Call 112, no signal broadcast. I took the NOR out and dumped this state; call it State 4.
- Comparing States 1, 2, 3 and 4 with each other, everything that changed is in 0xE8 to 0xFC (maybe log data or whatever). And as we know from the memory map, this area doesn't affect the LOCK STATE. Maybe just the jailbreak state.

After all these tests, I think the whole BB is not involved in whether the carrier is locked or not. It just receives the commands from the main firmware to work or not (broadcasting Rx + Tx transmission of the network).

The damn thing is that whatever system action you want to perform on the phone via iTunes, you must be connected to the internet. And I'm sure iTunes collects all the logs and forces the state of the phone according to their rules: activated or not, locked or not, crash the apps or not, etc.

So my result here is: the iTunes server handles all the devices they produce by MODEL + SERIAL + IMEI (these 3 identify which carrier the phone belongs to). On each sync with iTunes, the server checks the factory database (lol), then knows whether this phone will be locked or not, and with my damn naughty actions, they decide whether to BLOCK my phone forever or not.

- The iTunes server BLOCKED my international phone because it found the MODEL + SERIAL did not fit the IMEI (I swapped in one IC pair from another, locked phone, so the IMEI is the IMEI of the locked phone), so the server BLACKLISTED my phone OUT OF FULL ACTIVATION WITH UNLOCK STATE.

- The DEV TEAM must know why and where their Pwntool made the international phone relocked in the OS disk. Maybe they still don't know how to resolve it.

In total, I can finish my post with the point: 3G BB NO MORE LOCKED - THE LOCKED STATE IS CONTROLLED BY: ITUNES SERVER + MODEL + SERIAL + IMEI AND IT STAYS IN THE OS DISK WHEN THE PHONE SYNCS WITH ITUNES. - NO MORE TRYING TO HACK THE X-GOLD.

Would monitoring and capturing the USB and internet traffic from iTunes, then decrypting, patching, etc., help the unlock process???
Come on Dev Team, GeoHot and all other experts, let's try and give out the soft.
Hoping some day my blocked international phone will work again like it did.

I give thanks for all the good-sense posts from those who know what to say, even if it shows that I was stupid!

BR

Last edited by ta_mobile; 08-07-2008 at 05:18 PM.
#2 | 08-07-2008, 07:12 PM | dtube (Administrator; Join Date: Oct 2007; Posts: 3,622)

Another very interesting thing that TA forgot to mention is:

- an international phone (fully functional), which means the baseband is unlocked, right?

- pwned the international phone. It became locked. So the saying that once the baseband is unlocked it stays unlocked is not the case here, even though the BB version remains the same.

- Restored the phone with the original Apple firmware. Hooked it up to iTunes; phone fully working again.

- So even if the IMEI and serial/model are the same, the pwnage action (jb/act) changed things in the phone; iTunes detected that and turned the phone to the "lock" state.

Last edited by dtube; 08-07-2008 at 07:18 PM.
#3 | 08-07-2008, 07:25 PM | n350z (Speedy Moderator; Join Date: Nov 2007; Location: United Kingdom; Posts: 2,881)

Interesting read.
Thanks.
#4 | 08-07-2008, 07:31 PM | drg (Senior Member; Join Date: Oct 2007; Location: Canada; Posts: 479)

Quote:
Originally Posted by dtube
- an international phone (fully functional), which means the baseband is unlocked, right?

- pwned the international phone. It became locked. So the saying that once the baseband is unlocked it stays unlocked is not the case here, even though the BB version remains the same.

- Restored the phone with the original Apple firmware. Hooked it up to iTunes; phone fully working again.
This is expected. The patched lockdownd does not pass the NCK to the baseband at boot. For the unlock to happen Apple's token containing the NCK must be present and the NCK must be passed to the baseband.

I can't comment on TA's findings, but what you describe here is expected.

To test this theory, extract your NCK manually, then pwn your phone and pass your NCK to the baseband manually. Your phone will be unlocked again.
#5 | 08-07-2008, 07:38 PM | akouris (Member; Join Date: Sep 2007; Posts: 32)

My experience with pwning is a little different: I live in Greece, and I just received an originally unlocked iPhone 3G from Italy.

I pwned it, and when the phone rebooted, the familiar "please connect to iTunes to activate" screen came up on the iPhone.

With my Greek SIM card inside, I connected the iPhone to the computer, and in a fraction of a second it activated. The activation was so quick that I do not believe any communication with an Apple server took place.

Last edited by akouris; 08-07-2008 at 07:38 PM. Reason: wrong syntax
#6 | 08-07-2008, 09:38 PM | todro (Member; Join Date: Sep 2007; Posts: 84)
This is what I found so far

Comparing the behaviour of a Swisscom (locked) and a Mobistar (unlocked) iPhone, this is what I found out on the iTunes-unlocked Belgian iPhone by logging all types of communication:

a.) There is a new kind of activation, called "WildcardActivation" (in comparison to the "old" FactoryActivation)

Code:
<key>ActivationRandomness</key>
<string>12345-123456-A123-ABCDE012345</string>
<key>ActivationState</key>
<string>WildcardActivated</string>
<key>BasebandMasterKeyHash</key>
<string>ABCDEFG012345ABCDEFG012345ABCDEFG012345</string>
<key>BasebandThumbprint</key>
<string>1234567890123456789012345678901234567890</string>
<key>BuildVersion</key>
<string>5A347</string>
<key>DeviceCertRequest</key>
<data>...</data>
<key>DeviceClass</key>
<string>iPhone</string>
<key>InternationalMobileEquipmentIdentity</key>
<string>268011234567890</string>
<key>ModelNumber</key>
<string>MB489</string>
<key>ProductType</key>
<string>iPhone1,2</string>
<key>ProductVersion</key>
<string>2.0</string>
<key>SIMStatus</key>
<string>kCTSIMSupportSIMStatusNotInserted</string>
<key>SerialNumber</key>
<string>ABCDEFG1Y7H</string>
<key>SupportsPostponement</key>
<true/>
<key>UniqueDeviceID</key>
<string>AABBCCDDEEFF0011223344556677889900</string>
Note the HASH-values!


b.) The unlock is done by sending some data (not only the NCK; it looks like CERTS/KEYS are sent).


The whole process seems to work like this:

a.) iPhone is connected to iTunes
b.) iTunes identifies the iPhone by serial no. and sends an activation request to albert.apple.com
c.) the activation record is created and returned to iTunes
d.) iTunes "syncs" the activation record to the iPhone
e.) CommCenter sends the unlock commands to the baseband


From the iPhone point of view:

- A lock is signaled from the baseband to CommCenter:

- CommCenter asks for the activation level (via iTunes)

- CommCenter sends unlock commands (2 checks, 4 sequences) to the baseband; if they succeed, it results in

Code:
Lock changes state from +XLOCK: "PN",1,1 to +XLOCK: "PN",1,0 after the 4 unlock sequences have been sent
My expectation now is that either 4 facilities (Phone, SMS, YouTube, AppStore) are unlocked or 4 different CERTS/KEYS (514 bytes) are sent (which is to be verified).

BTW, the unlock does not survive a restore, and it has to be re-activated after every restore. I verified this a couple of times, even with 2.01 and baseband ICE2-01.48.02.


Quote:
Originally Posted by ta_mobile
- The iTunes server BLOCKED my international phone because it found the MODEL + SERIAL did not fit the IMEI (I swapped in one IC pair from another, locked phone, so the IMEI is the IMEI of the locked phone), so the server BLACKLISTED my phone OUT OF FULL ACTIVATION WITH UNLOCK STATE.

In total, I can finish my post with the point: 3G BB NO MORE LOCKED - THE LOCKED STATE IS CONTROLLED BY: ITUNES SERVER + MODEL + SERIAL + IMEI AND IT STAYS IN THE OS DISK WHEN THE PHONE SYNCS WITH ITUNES. - NO MORE TRYING TO HACK THE X-GOLD.
Almost; I think it's locked in a different way, as no NCK is used for unlocking.

Last edited by todro; 08-07-2008 at 10:26 PM.
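Added example (not todro's tooling or anything posted in this thread): a small Python script that pulls the lock-relevant fields out of an activation record shaped like the one quoted in this post and tracks the +XLOCK state change in a CommCenter log. The plist and the log excerpt are constructed from the keys and the line quoted above; reading the last +XLOCK digit as the lock flag (1 = locked, 0 = unlocked) is an assumption taken from that line, and the "unlock sequence N sent" log lines are invented placeholders.

```python
import plistlib
import re

# Constructed sample record: keys and dummy values mirror the one quoted in the post.
SAMPLE_RECORD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>ActivationState</key><string>WildcardActivated</string>
<key>BasebandMasterKeyHash</key><string>ABCDEFG012345ABCDEFG012345ABCDEFG012345</string>
<key>BasebandThumbprint</key><string>1234567890123456789012345678901234567890</string>
<key>InternationalMobileEquipmentIdentity</key><string>268011234567890</string>
<key>ProductType</key><string>iPhone1,2</string>
<key>SerialNumber</key><string>ABCDEFG1Y7H</string>
</dict></plist>"""

def activation_summary(data: bytes) -> dict:
    """Return the activation state and the baseband identifiers the record
    binds to this device (the hash values the post says to note)."""
    rec = plistlib.loads(data)
    state = rec.get("ActivationState")
    return {
        "state": state,
        "wildcard": state == "WildcardActivated",
        "imei": rec.get("InternationalMobileEquipmentIdentity"),
        "bb_thumbprint": rec.get("BasebandThumbprint"),
        "bb_masterkey_hash": rec.get("BasebandMasterKeyHash"),
    }

# Constructed log excerpt: the +XLOCK change described in the post, with
# four invented "unlock sequence" lines standing in for the real sequences.
SAMPLE_LOG = """\
+XLOCK: "PN",1,1
unlock sequence 1 sent
unlock sequence 2 sent
unlock sequence 3 sent
unlock sequence 4 sent
+XLOCK: "PN",1,0
"""
XLOCK_RE = re.compile(r'\+XLOCK:\s*"(?P<fac>[A-Z]+)",(?P<a>\d),(?P<b>\d)')

def xlock_states(log: str) -> list:
    """(facility, state) per +XLOCK line, in order. Assumption: the last digit
    is the lock flag, 1 = locked and 0 = unlocked, as the quoted line shows."""
    return [(m["fac"], "locked" if m["b"] == "1" else "unlocked")
            for m in XLOCK_RE.finditer(log)]

def unlocked_after_sequences(log: str, expected: int = 4) -> bool:
    """True when PN goes locked -> unlocked with `expected` sequences logged between."""
    states = [s for f, s in xlock_states(log) if f == "PN"]
    sent = len(re.findall(r"unlock sequence \d sent", log))
    return states[:1] == ["locked"] and states[-1:] == ["unlocked"] and sent == expected
```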
#7 | 08-07-2008, 10:02 PM | aviegas (The Man; Join Date: Sep 2007; Posts: 1,077)

Hum..... very interesting...
I'm wondering how this fits in the scenarios posted by TA_Mobile.

Now, if the restore "erases" the "unlock", then there are 3 options:

1) It writes over some area where the unlock state is stored (seczone?)

2) The unlock state is not in the seczone, and therefore may fall outside the protection of the bootloader sig check.

3) The unlock is actually stored as OS files, and the whole process to "lock/unlock" the baseband is controlled by a software component (some part of CommCenter?)

We need to examine more evidence, and we need the expert opinion of the Dev Team...
#8 | 08-07-2008, 10:08 PM | runtothesun (Junior Member; Join Date: Jul 2008; Posts: 3)

Total newb here, but does all of this info mean that an unlock for the 3G is near-impossible? Or is it just slightly more difficult to unlock than the older iPhone?
#9 | 08-07-2008, 10:24 PM | todro (Member; Join Date: Sep 2007; Posts: 84)

Quote:
Originally Posted by aviegas

3) The unlock is actually stored as OS files, and the whole process to "lock/unlock" the baseband is controlled by a software component (some part of CommCenter?)
I will try to verify this by submitting a valid activation record without connecting iTunes after the restore, or, in a second try, by connecting iTunes to create valid pairing information but without outside connectivity before sending the activation record. If the unlock is still sent to the BB, it depends on the lockdown state/activation record.

And yes, it seems to be the CommCenter itself that is sending the unlock sequences.

Last edited by todro; 08-07-2008 at 11:53 PM.
#10 | 08-07-2008, 11:34 PM | baalbeck (Senior Member; Join Date: Aug 2007; Location: Brasil; Posts: 110)

Cool guys,
Seems like things are getting fun now.

TA good job, you really have balls to do all this, keep up this way!