I still think it's in the activation process (General - Hackint0sh.org)
-
i say that there's no unlock code being sent over the usb at all during activation. i think that the activation process merely tells the phone what provider to lock to. i don't think there's an easy way to get the unlock code, but if there is a possibility to be able to force it to lock to a different provider with a new and 'improved' activation process, then i'm going to give it a go. i have no hope in hell of decrypting the rsa, so i'm going to be making my own strings which i 'guess' the phone would be receiving and encrypt them myself.
both the public and private keys are easily available for the communication process.
again, i think that trying to find a magic unlock code, or trying to actually unlock the phone with a code is a bit of a wild goose chase. i would say my theory is also a goose chase, but better two chases be under way than just one.
-
-
I was perusing the USB activation printout (posted earlier in this thread) and stumbled across the following. I'm not a "hacker" but it seemed potentially interesting.
Original from stream
<key>HostPrivateKey</key>
<data>
</data>
Base64 decode
<key>HostPrivateKey</key>
<data>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</data>
Base64 decode of section between "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" tags (in hex)
If you view the decoded values with a tool like "http://www.paulschou.com/tools/xlate/", it looks like all the certificates and RSA keys have a common header structure (look at the "text" field of the previous link). This may not amount to anything, but just in case, I thought I'd offer it up as an additional thread for others to pull on...
Last edited by cuzco; 07-26-2007 at 04:33 PM.
-
-

Originally Posted by
buddel
I can say activation must come across the internet. I live in Germany and I activated the phone the official way with a prepaid plan. So I received activation for the phone via iTunes, because i cannot receive something over air here in Germany. right now i can choose between 4 different providers, but i am not able to stay in one of these networks for more than a few seconds. i lost carrier all the time... so i think it is because there is no possibility to get international roaming on a prepaid account. So, how should AT&T send activation over air? through a roaming partner? i don't think so...
Buddel, i think you are mistaken. I activated while i was in France, and it activated fine, after disconnecting from iTunes... it took about 3 mins and the iPhone was NO LONGER connected to the PC, so the phone activation to the SIM did go through OTA... it wouldn't be surprising, as SMS messages, OTA messages *should* be able to reach the phone on most (not all) networks....
at the mo i'm in Israel, trying to activate another iPhone and i'm stuck waiting for OTA... no i don't know if it is yet another bad SIM from the iPhone (this is the 2nd problem iPhone) or if it is the Cellcom network that isn't sending the messages... i'll try in Italy again tomorrow, or else get yet another SIM...
-

Originally Posted by
cuzco
If you view the decoded values with a tool like "http://www.paulschou.com/tools/xlate/", it looks like all the certificates and RSA keys have a common header structure (look at the "text" field of the previous link). This may not amount to anything, but just in case, I thought I'd offer it up as an additional thread for others to pull on...
The "-----BEGIN RSA PRIVATE KEY-----" stuff is called PEM format.
The structure of the binary representation of it looks quite like ASN1, which would make sense.
0x30 = ASN1_SEQUENCE
0x82 = 2 bytes defining the size of the following block
0x04A3 = the following block has 1187 bytes, which makes absolute sense, since the whole block including the first 4 bytes is 1191 bytes.
Use Asn1Editor for example to parse the structure. I'm not quite sure if that is able to deal with this one though.
-
-

Originally Posted by
wombat
i say that there's no unlock code being sent over the usb at all during activation. i think that the activation process merely tells the phone what provider to lock to. i don't think there's an easy way to get the unlock code, but if there is a possibility to be able to force it to lock to a different provider with a new and 'improved' activation process, then i'm going to give it a go. i have no hope in hell of decrypting the rsa, so i'm going to be making my own strings which i 'guess' the phone would be receiving and encrypt them myself.
I don't think that the pairing is done through iTunes. My experience with locked mobiles is that the locking is always done in the firmware. Usually a list of allowed MCC/MNC pairs is stored somewhere in the code. Unlocking just tells the radio to forget about that list.
I once bought a Treo at CompUSA, which was locked to T-Mobile USA (310-200...310). The Treo refused to accept my SIM card issued by T-Mobile Germany (262-01, 262-06). A simple call to T-Mobile USA by a friend, who has a valid plan with them, claiming to use the German T-Mobile SIM while travelling, convinced people at T-Mobile to give him the code for unlocking. The only thing they needed for the calculation was the IMEI of the device.
It would be very simple for Apple to update and maintain this list for different countries together with the localization information. As we only have the US version of the iPhone, the SIM lock list probably contains only the AT&T codes (310, ...), which can be found here:
> http://en.wikipedia.org/wiki/Mobile_Network_Code
Maybe it's as simple as looking for the code in some plists or somewhere else in the code. But nevertheless, we should look into all possibilities ;-)
cu/
Sergeij
-
Hi guys.... Yes, I have 2 iPhones (activated & unactivated).... I was puzzled that the good SIM in the dead phone didn't show me a screen other than the usual "Let's get Started" screen to activate. My dead iPhone showed the same screen with the 'slide for emergency' calls, etc. I tried hitting 'cancel' and 'continue', etc. Didn't go further.
This confused me because I know so many return/swap their defective phones and I'm understanding that Apple isn't doing anything to them other than swapping the SIM. I've got a few questions out on this elsewhere and so far was only told that I need to swap the sim and Activate on iTunes. Trying to find out if I should get a different screen or what they are doing to bypass this.
In frustration I did the iActivator hack and there are some issues with the phone and plan to restore it and go to Apple tomorrow for a swap (which should be interesting because if I restore it, I can't show them the defect on a locked phone!). So my goal today is get my husband's SIM working in this darned phone. Then tomorrow, watch Apple like a hawk to see if they do any magic to a new phone besides just the SIM swap. (Assuming they physically swap it and not merely give my card back).
If anyone wants me to try/test anything late tonight & down the road with these 2 iPhones, I'd be up for it. I don't plan on a 'real' activation on phone #2 for a long while. But you have to talk REAL slow.
-
-
I wonder what would happen if I put the Good iPhone SIM into the iActivator hacked iPhone. Hmmm.....
-
I'm going to temporarily retract my statements.... If one sends the phone to Apple due to having no stores around, they are to yank the SIM and simply put it in the new phone. I called Apple to confirm this. I should've been able to swap the sim, hook to iTunes, and get a different screen and merely activate that phone without the whole menu system I got. It's possible something is defective, etc. I'm going to attempt again this evening but first I'm going to try with the hack on for kicks and pray it doesn't nuke my hubby's sim.
-
-

Originally Posted by
CCRDude
Use Asn1Editor for example to parse the structure. I'm not quite sure if that is able to deal with this one though.
I took a look at this but it's Windows only. (I'm on a Mac) I Googled a bit for Mac ASN1 viewers but didn't find anything that actually worked. There is something called BERViewer but it was pretty much non functional.
I'm sure whatever lies between the --Begin RSA-- and --End RSA-- tags isn't going to be all that useful (that would be too obvious) but if the data is encoded in ASN 1 as "CCRDude" suggests, it would be interesting to see what's inside that block and how it is structured.
Any Windows users up for looking at a decoded block with the above ASNEditor?
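Added example, not part of any post in this thread: a small Python walk of the ASN.1 DER structure that CCRDude's header reading (0x30, 0x82, 0x04A3) and the question above point at. It assumes the block is a PKCS#1 RSAPrivateKey; the function names are this example's own, and the sample is built from constructed placeholder integers sized like a 2048-bit key, not a usable key and not the key from the stream.

```python
# Field order of a PKCS#1 RSAPrivateKey (RFC 8017, appendix A.1.2).
FIELDS = ["version", "modulus", "publicExponent", "privateExponent",
          "prime1", "prime2", "exponent1", "exponent2", "coefficient"]

def read_tlv(buf, pos):
    """Decode one DER tag-length-value; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: this byte is the length
        length = first
    else:                                 # long form: 0x82 = two length bytes follow
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, pos, pos + length

def describe_rsa_private_key(der):
    """Return [(field, value_bytes, bit_length)] without printing key material."""
    tag, pos, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE spanning the whole input")
    out = []
    for name in FIELDS:
        tag, start, stop = read_tlv(der, pos)
        if tag != 0x02:
            raise ValueError(f"{name}: expected INTEGER, got tag {tag:#04x}")
        bits = int.from_bytes(der[start:stop], "big").bit_length()
        out.append((name, stop - start, bits))
        pos = stop
    if pos != end:
        raise ValueError("unexpected data after the last field")
    return out

def der_tlv(tag, value):                  # encoder, used only to build the sample
    n = len(value)
    nb = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + head + value
def der_int(x):                           # DER INTEGER: 0x00 pad if top bit is set
    return der_tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))

# Constructed placeholder integers sized like a 2048-bit key; not a usable key.
VALUES = (0, (1 << 2047) | 1, 65537, (1 << 2047) | 3,
          (1 << 1023) | 1, (1 << 1023) | 3) + (1 << 1022,) * 3
SAMPLE_DER = der_tlv(0x30, b"".join(map(der_int, VALUES)))
```

With these field sizes the outer header comes out as 30 82 04 a3 and the whole block as 1191 bytes, the same numbers worked out by hand in the earlier post.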
-
here you go:

did it on the mac with a program called resorcerer. only a demo though so can't copy out the ascii.
-