Dumping, reverse engineering and understanding the real carrier unlock
Forum: General - Hackint0sh.org
#1

    Hello,

    either someone fix the stupid search engine that would allow me to search for NCK or can someone just tell me once and for all (way too many speculations out there) if the dump of traffic between apple, itunes and iPhone has been recorded and handed over to the Dev team from the official unlock processes.

    Has anyone decrypted the traffic and monitored the exact commands used for the unlock (yes yes, I know it's IMEI specific etc etc) to know the EXACT format and length of the unlock code itself.

    I know I should look around and I have read most of the two threads with French unlock process and the T-Mobile real life experience, but don't remember this fact ever gracing the forum.

    So if it has been dumped and decyphered, then what was the result and if it has not been, then why not?

    Thanks
    iPhone 3G 16GB white. Official on contract. Used to have a w48 iPhone (OTB 1.1.2) all the way to 2.0.1 when I went legit.

    Current FW: 2.0.2
    Carrier: EMT (Estonia)
    All functions working



#2

    It has not been handed to the Dev Team, according to my knowledge. But then again I may be wrong, and don't quote me on it.

    However,

    This is how the Berlin guy supposedly does it. Unfortunately, there aren't a lot of people who have the calibre to understand and decode those packets of information.


    Next time, try hitting advanced search.
    MSN/AIM? PM me
    If you want to become a Hackint0sh supporter click here.
    I DO READ PM's

    "Just because I'm losing
    Doesn't mean I'm lost
    Doesn't mean I'll stop
    Doesn't mean I will cross

    Just because I'm hurting
    Doesn't mean I'm hurt
    Doesn't mean I didn't get what I deserve
    No better and no worse "

#3 duwde

    Updated my post...

    It seems the iPhone checks for a valid TEA after the TEA(SHA(input)).

    Does anyone have this TEA key? Is it unique for every iPhone? I didn't understand that yet: how come every iPhone has a unique code? Is this TEA key unique for every iPhone? If so, is it possible to extract it in this new 4.6 bootloader at the moment?

    Toruonu: If you want to pursue this, I would like to help... if you have access to the TEA private key and more information.
    Last edited by duwde; 12-12-2007 at 06:40 AM.

#4

    Well, I'm pursuing it, but there seems to be some confusion all around. Maybe sam can clarify the point of the dump being in the Dev Team's possession. I don't have the knowledge nor the tools to unlock and interpret the dump, but I would be interested in the dump details, especially the unlock code length, as this seems one of the points one should get from the dump and would help a lot, including the confirmation that it's all digits indeed.

#5 sam (Chief of Administration, iPhone Dev Team)

    Quote Originally Posted by duwde View Post
    it seems the iphone checks for a valid TEA after the TEA(SHA1(input))

    Does anyone have this TEA key ?
    sha1(input)

    input = nck given by user to at cmd.


#6 skr3dii

    The communication between iTunes and Apple's albert server happens in HTTPS mode (TLSv1), so basically it should be possible to do a mitm attack with a proxy or ettercap.

    Ettercap will generate a certificate on the fly based on the albert.apple.com certificate, but that generated certificate will not be trusted, because it is not signed by Verisign, so iTunes could detect that, and the mitm attack would be impossible.

    But, I believe it should be possible to patch iTunes at some offset to force it to accept the non-signed certificate from ettercap.

    I think that's what DVDJON has done with his activation server: he patched iTunes to communicate with albert.apple.com in HTTP mode instead of HTTPS.
    Maybe it is possible to do so because albert seems to work in both http and https.
    Last edited by skr3dii; 12-12-2007 at 02:47 PM.

#7

    Quote Originally Posted by sam View Post
    sha1(input)

    input = nck given by user to at cmd.
    Erm....

    http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm

    It takes the cleartext block and a key, so if the key is the SHA1(NCK), then what's the cleartext?
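The TEA(SHA1(NCK)) construction discussed in posts #3, #5 and #7, as an added example that is not code from the thread or from the phone's firmware: TEA takes a 64-bit block and a 128-bit key, so a 160-bit SHA-1 digest cannot be the key as-is. Truncating the digest to 16 bytes and the sample 8-byte plaintext are assumptions made here for illustration, not something the thread establishes.

```python
# Added example: TEA per the reference C code on the Wikipedia page linked
# above, with a key derived from SHA-1 of a user-entered code. The truncation
# of the 20-byte digest to 16 bytes and the plaintext are ASSUMPTIONS.
import hashlib
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # TEA round constant
ROUNDS = 32


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block under a 16-byte key (32 Feistel rounds)."""
    assert len(block) == 8 and len(key) == 16
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack(">2I", v0, v1)


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt_block: same rounds, run backwards."""
    assert len(block) == 8 and len(key) == 16
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = (DELTA * ROUNDS) & MASK32   # sum after 32 rounds of encryption
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return struct.pack(">2I", v0, v1)


def tea_key_from_code(code: str) -> bytes:
    """ASSUMED derivation: SHA-1 gives 20 bytes, TEA needs 16, so truncate."""
    digest = hashlib.sha1(code.encode("ascii")).digest()   # 20 bytes
    return digest[:16]


def roundtrip(code: str, plaintext: bytes) -> bytes:
    """Encrypt then decrypt a constructed 8-byte block under SHA1(code)[:16]."""
    key = tea_key_from_code(code)
    return tea_decrypt_block(tea_encrypt_block(plaintext, key), key)
```

Whatever the real key schedule is, some step like `tea_key_from_code` has to exist, and the 8-byte block TEA operates on is a separate input that SHA1(NCK) alone does not supply.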

#8

    Quote Originally Posted by skr3dii View Post
    The communication between iTunes and Apple's albert server happens in HTTPS mode (TLSv1), so basically it should be possible to do a mitm attack with a proxy or ettercap.

    Ettercap will generate a certificate on the fly based on the albert.apple.com certificate, but that generated certificate will not be trusted, because it is not signed by Verisign, so iTunes could detect that, and the mitm attack would be impossible.

    But, I believe it should be possible to patch iTunes at some offset to force it to accept the non-signed certificate from ettercap.

    I think that's what DVDJON has done with his activation server: he patched iTunes to communicate with albert.apple.com in HTTP mode instead of HTTPS.
    Maybe it is possible to do so because albert seems to work in both http and https.
    So, if it is basically possible, why doesn't the Dev Team try this? At least it seems to be worth a try to mess with iTunes, because we don't see any other solutions right now.

#9

    cuz they don't do anything.. just copy others.. that's why

#10 Nikolas.A

    anthony, can you please spam somewhere else?