Senior Professional
Dumping, reverse engineering and understanding the real carrier unlock
Hello,
Either someone fixes the stupid search engine so that I can search for NCK, or can someone just tell me once and for all (there are way too many speculations out there) whether the dump of the traffic between Apple, iTunes and the iPhone from the official unlock processes has been recorded and handed over to the Dev Team?
Has anyone decrypted the traffic and monitored the exact commands used for the unlock (yes yes, I know it's IMEI-specific etc. etc.) to learn the EXACT format and length of the unlock code itself?
I know I should look around, and I have read most of the two threads (the French unlock process and the T-Mobile real-life experience), but I don't remember this fact ever gracing the forum.
So if it has been dumped and deciphered, then what was the result, and if it has not been, then why not?
Thanks
iPhone 3G 16GB white. Official on contract. Used to have a w48 iPhone (OTB 1.1.2) all the way to 2.0.1 when I went legit.
Current FW: 2.0.2
Carrier: EMT (Estonia)
All functions working
-
It has not been handed to the Dev Team, according to my knowledge. But then again I may be wrong, so don't quote me on it.
However, this is how the Berlin guy supposedly does it. Unfortunately, there aren't a lot of people of such caliber who can understand and decode those packets of information.
Next time, try hitting Advanced Search.
MSN/AIM? PM me
If you want to become a Hackint0sh supporter click here. I DO READ PM's
"Just because I'm losing
Doesn't mean I'm lost
Doesn't mean I'll stop
Doesn't mean I will cross
Just because I'm hurting
Doesn't mean I'm hurt
Doesn't mean I didn't get what I deserve
No better and no worse "
-
Senior Professional
Updated my post...
It seems the iPhone checks for a valid TEA after the TEA(SHA(input)).
Does anyone have this TEA key? Is it unique for every iPhone? I don't understand that yet: how come every iPhone has a unique code? Is this TEA key unique for every iPhone? If so, is it possible to extract it from this new 4.6 bootloader at the moment?
Toruonu: If you want to pursue this, I would like to help... if you have access to the TEA private key and more information.
Last edited by duwde; 12-12-2007 at 07:40 AM.
-
Senior Professional
Well, I'm pursuing it, but there seems to be some confusion all around. Maybe sam can clarify the point of the dump being in the Dev Team's possession. I don't have the knowledge nor the tools to unlock and interpret the dump, but I would be interested in the dump details, especially the unlock code length, as this seems one of the points one should get from the dump, and it would help a lot, including the confirmation that it's all digits indeed.
iPhone 3G 16GB white. Official on contract. Used to have a w48 iPhone (OTB 1.1.2) all the way to 2.0.1 when I went legit.
Current FW: 2.0.2
Carrier: EMT (Estonia)
All functions working
-
Chief of Administration
iPhone Dev Team
Originally Posted by duwde:
it seems the iphone checks for a valid TEA after the TEA(SHA1(input))
Does anyone have this TEA key ?
sha1(input), where input = the NCK given by the user to the AT command.
-
Professional
The communication between iTunes and Apple's albert server happens in HTTPS mode (TLSv1), so basically it should be possible to do a MITM attack with a proxy or ettercap.
Ettercap will generate a certificate on the fly based on the albert.apple.com certificate, but that generated certificate will not be trusted, because it is not signed by VeriSign, so iTunes could detect that, and the MITM attack would be impossible.
But I believe it should be possible to patch iTunes at some offset to force it to accept the unsigned certificate from ettercap.
I think that's what DVDJON has done with his activation server: he patched iTunes to communicate with albert.apple.com in HTTP mode instead of HTTPS.
Maybe it is possible to do so, because albert seems to work in both HTTP and HTTPS.
Last edited by skr3dii; 12-12-2007 at 03:47 PM.
-
Senior Professional
Originally Posted by sam:
sha1(input)
input = nck given by user to at cmd.
Erm....
http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
It takes a cleartext block and a key, so if the key is SHA1(NCK), then what's the cleartext?
iPhone 3G 16GB white. Official on contract. Used to have a w48 iPhone (OTB 1.1.2) all the way to 2.0.1 when I went legit.
Current FW: 2.0.2
Carrier: EMT (Estonia)
All functions working
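Editor's added example (not code from the thread, the Dev Team or any unlock tool) to make Toruonu's point concrete: TEA, as described on the linked Wikipedia page, is a block cipher with a 64-bit block and a 128-bit key, so any check of the form "TEA(SHA1(NCK))" needs a second input besides the key. The key derivation (first 128 bits of SHA-1, since SHA-1 gives 160 bits and TEA's key is 128), the fixed challenge block and the sample code are assumptions constructed for illustration; nothing here describes how a real device verifies a code.

```python
import hashlib
import hmac
import struct

# TEA constants, per the cipher description linked in the post.
MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 32


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 64-bit block under a 128-bit key with 32 TEA rounds."""
    if len(block) != 8 or len(key) != 16:
        raise ValueError("TEA takes an 8-byte block and a 16-byte key")
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack(">2I", v0, v1)


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt_block: same key, the rounds undone in reverse order."""
    if len(block) != 8 or len(key) != 16:
        raise ValueError("TEA takes an 8-byte block and a 16-byte key")
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    total = (DELTA * ROUNDS) & MASK32  # 0xC6EF3720: value of `total` after 32 rounds
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return struct.pack(">2I", v0, v1)


def derive_tea_key(code: str) -> bytes:
    """ASSUMPTION for this example: key = first 128 bits of SHA-1(code).
    SHA-1 yields 160 bits and TEA wants 128, so some truncation or folding
    step is unavoidable; the thread does not say which one the phone uses."""
    return hashlib.sha1(code.encode("ascii")).digest()[:16]


def enroll_reference(code: str, challenge: bytes) -> bytes:
    """What a verifier would store: the TEA ciphertext of a fixed cleartext
    block under the key derived from the correct code. That cleartext block
    is exactly the missing piece Toruonu asks about; here it is a constructed
    constant, not a value taken from any device."""
    return tea_encrypt_block(challenge, derive_tea_key(code))


def check_code(candidate: str, challenge: bytes, reference: bytes) -> bool:
    """Verifier side: recompute under the candidate's key and compare in
    constant time, so the comparison itself leaks nothing about how many
    bytes of the result matched."""
    got = tea_encrypt_block(challenge, derive_tea_key(candidate))
    return hmac.compare_digest(got, reference)


# Constructed sample values for illustration only (not real unlock data).
CHALLENGE = b"\x00\x01\x02\x03\x04\x05\x06\x07"
CORRECT_CODE = "123456789012345"  # an arbitrary 15-digit string
REFERENCE = enroll_reference(CORRECT_CODE, CHALLENGE)

if __name__ == "__main__":
    print("stored reference :", REFERENCE.hex())
    print("correct code ok  :", check_code(CORRECT_CODE, CHALLENGE, REFERENCE))
    print("wrong code ok    :", check_code("123456789012346", CHALLENGE, REFERENCE))
```

Running it shows the two things the post is circling around: with a key alone TEA cannot produce anything, and once a cleartext block is fixed, every candidate code maps to a different 64-bit result, which is why the format and length of the code matter for any reasoning about the check. The constant-time comparison is the defensive detail a verifier should not skip.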
-
Originally Posted by skr3dii:
The communiation between itunes and Apple's albert server happens in HTTPS mode (TLSv1), so basically it should be possible to do a mitm attack with a proxy or ettercap.
Ettercap will generate a certificate on the fly based on the albert.apple.com certificate, but that generated certificate will not be trusted, because not signed by Verisign, so iTunes could detect that, and the mitm attack would be impossible.
But, I believe it should be possible to patch iTunes at some offset to force it to accept the non-signed certificate from ettercap.
I think that's what DVDJON has done with his activation server, he patched iTunes to communicate with albert.apple.com in HTTP mode instead of HTTPS.
Maybe it is possible to do so, because albert seems to work in both http and https.
So, if it is basically possible, why doesn't the Dev Team try this? At least it seems worth a try to mess with iTunes, because we don't see any other solutions right now.
-
-
Senior Professional
'Cause they don't do anything... just copy others... that's why.
-
Senior Professional
Anthony, can you please spam somewhere else?
-