IPSF network log collection (General - Hackint0sh.org)
  1. #1 cyberface (Senior Professional)

    IPSF network log collection

    OK so IPSF are claiming to provide the back-office system to their big resellers on Monday (which is now in the UK, but only 01:00 am). They have already asked for IMEI and serial number. The application is rumoured to be a standard iPhone .app bundle that you run on your iPhone, which connects to the IPSF server, gets some key or data, and uses that to unlock your phone.

    Great, so far so good. Now myself and no doubt a few others here have the skills to run the iPhone WiFi through a network with Ethereal / Wireshark and log all the comms between the iPhone and the IPSF servers.

    No doubt the session will be encrypted, but are any of the best hackers here able to make use of such network traffic logs? If so, I think all of us using the IPSF solution should log the traffic and send it on to someone in the Dev Team who may be interested.

    Any interest here? Or is it a dead end?



  2. #2 bezman (Amazingly Knowledgeable)

    I believe the dev team already had/have the software or credible info about it... there have been some comments suggesting that...

    They have expressed no interest in reversing it/hacking it.

  3. #3 spartan76092 (Senior Professional)

    Quote Originally Posted by bezman (post #2, see above)

    What are you talking about? The dev team is going to hack the software.

  4. #4 cyberface (Senior Professional)

    Look - there's two possibilities here, both of which are of interest to creating a 'free' unlock.

    One is that it's unlockable other than with an NCK that's held in a secure database (that IPSF have managed to steal / compromise). The other is that the NCK is produced from a keygen off the IMEI / serial number and a 'special sekrit key' that nobody outside Apple knows about (i.e. a private key).

    IPSF could have either a copy of the DB, or the secret key and the algo. Either would be corporate theft of IP and therefore completely illegal, explaining the subterfuge and secrecy.

    The Dev Team can reverse the software, but if the software merely connects to a remote server in an unregulated jurisdiction (or a country that doesn't like to co-operate with the USA, like France, for example (good on yer Frogs, even though I'm English)), then all the info the Dev Team can get is the info sent to the server, and the info sent back. You can't statistically determine the key or algo without vast numbers of key exchanges, assuming that the encryption software has weaknesses.

    The difference between a database copy or a private key theft will be easy to tell because only the phones with IMEIs in the snapshot of the stolen database will be able to be unlocked. Private key theft will be reversed in the next firmware update.

    The only other option is some hardware vulnerability, and I know fuck all about hardware, so I'll keep my mouth shut and appear a fool rather than open it and remove all doubt.

    However, theoretically, we still need someone to log the network transmission. If the process simply connects to IPSF, validates the payment and IMEI to identify the user, then sends the NCK to the specific phone, then this NCK should still be usable if the user restores (and relocks) his phone in the future. As long as no firmware update is required, I'd at least like to have a backup of the unlock NCK just in case I need it again, and don't want to either pay again (or Trash and IPSF have been eaten by USA lawyers).

    I'm not proposing a method to reverse IPSF's solution here, just a way to back up your own unlock key so you can hack it back on. Especially if the Dev Team work out how to upgrade your iPhone to the latest technology without updating the baseband, so the old unlock will still work with the new apps.....

  5. #5 carlosvaldosta (Amazingly Knowledgeable)

    Quote Originally Posted by cyberface (post #4, see above)

    Excellent. I have a question not just for you but for anyone. From my experience, the manufacturers are not who put lock codes on phones; it is the carrier. For instance, if your T-Mobile phone is locked you can only request the unlock code from T-Mobile, not the manufacturer. Nokia, Samsung, Moto etc. have agreements with the carriers in the US to only produce phones to work with the specific carrier. They are programmed by the manufacturer but at the request and authorization of the carrier. This would lead me to believe that if there is a SW unlock, and the NCK is coming from anyone, it would be AT&T. All that said... I feel that if IPSF is doing a remote flash of the baseband, then they have information about a way to process the algorithm from someone who is at or was at AT&T before. I don't think that there really is a need to rev what IPSF has done, but there has got to be a way to take information that is passed back and forth and find out exactly what is being done to the firmware/baseband of the phone. That is the key to a true SW unlock.

    Or I am talking out my ass.


  6. #6 (Professional, name not captured)

    Hahaha, BackTrack 3 tools or Ethereal.

  7. #7 cyberface (Senior Professional)

    Going by Sam's comments - there are two options for NCK generation. Either they are completely random and there is a DB in AT&T somewhere with a random NCK for each IMEI. Or there's a keygen algorithm, which has a computation based off the IMEI, perhaps the serial number (both of which we know) *and* a 'sekrit' seed key that is only known by AT&T and closely guarded. Much like the DVD encryption key.

    The first method is very secure but only works for the IMEIs that the IPSF guys actually have in their DB snapshot. Unless they have insider info, new iPhones will be out of luck.

    The second method is the sort of thing that the IPSF guys can keep secure since they can create a secure server - you submit your IMEI and serial number, they return the NCK without any network transmission of the secret private seed key. Only hacking their servers and getting the key would bust this wide open. And AT&T can change the next batch of phones to use a different private key.

    If IPSF have managed to steal AT&T's private seed key for the algo, then general publishing of this would blow the iPhone wide open. The only trick would be if all the algo is done on the IPSF server side - like a web service - you provide your IMEI and serial number, the secure IPSF server does the algo and returns you an NCK. Such code is worthless to reverse, as no calculation is done on the client side, and realistically no interesting information is sent over the wire.

    If this is so, however, then why have IPSF taken so long to get the crack out in the open? Even legal threats are slow if your infrastructure is in San Marino.

    Apple are a close-knit firm and don't tend to leak stuff regularly - people are proud to be Apple employees. However if the algo and secret key is owned by AT&T - are there disgruntled employees at AT&T who would steal the database / algo / key?

    On top of this - after all this is a hacking forum - anyone know where the IPSF primary server is located (IP address) so we can see if anyone can get in and find their keys???
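Added example (not code from the thread, nor from IPSF, Apple or AT&T): a small Python model of the two NCK-provisioning designs cyberface describes in this post. It shows why a copied code table only serves the IMEIs it already contains, while a seed-keyed derivation done on the server serves any IMEI, puts nothing but identifiers and the returned code on the wire, and can be rotated per batch. The seeds, IMEIs, serials, the use of HMAC-SHA256 and the 8-digit NCK format are all assumptions.

```python
import hashlib
import hmac

# Added example, not code from the thread or from IPSF/Apple/AT&T. Models the
# two provisioning designs discussed in the post: a per-IMEI code table versus
# a seed-keyed derivation done on the server. All values are constructed.


class SnapshotDatabase:
    """Option 1: random NCKs stored per IMEI. Anyone holding a copy can only
    serve the IMEIs that were in the table when it was copied."""

    def __init__(self, table):
        self._table = dict(table)

    def nck_for(self, imei, serial=None):
        # None for an IMEI outside the snapshot (newer phones, in the post's terms)
        return self._table.get(imei)


class KeyedDerivationService:
    """Option 2: NCK = f(IMEI, serial, secret seed), computed server-side with
    an HMAC (the HMAC and the 8-digit output format are assumptions)."""

    def __init__(self, seed, digits=8):
        self._seed = seed          # never sent; the only secret in the design
        self._digits = digits
        self.wire = []             # what a passive capture of the session sees

    def nck_for(self, imei, serial):
        self.wire.append(("request", imei, serial))
        mac = hmac.new(self._seed, f"{imei}|{serial}".encode(), hashlib.sha256).digest()
        nck = str(int.from_bytes(mac[:8], "big") % 10 ** self._digits).zfill(self._digits)
        self.wire.append(("response", nck))
        return nck


def capture_reveals_seed(service):
    """True if the raw seed bytes appear anywhere in the captured exchange."""
    return service._seed in repr(service.wire).encode()


if __name__ == "__main__":
    snapshot = SnapshotDatabase({"012345678901234": "55512345"})   # constructed table
    print(snapshot.nck_for("012345678901234"), snapshot.nck_for("999999999999999"))
    batch_a = KeyedDerivationService(b"constructed-seed-batch-A")
    batch_b = KeyedDerivationService(b"constructed-seed-batch-B")   # rotated seed
    print(batch_a.nck_for("999999999999999", "SN0001"), batch_b.nck_for("999999999999999", "SN0001"))
    print("seed on the wire:", capture_reveals_seed(batch_a))
```

Running it prints a code for the snapshot IMEI and None for the unknown one, two different codes for the same phone under the two seeds, and `seed on the wire: False`.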

  8. #8 peu (Respected Professional, Buenos Aires, Argentina)

    What if:
    - someone provides them with a generic IMEI
    - changes iPhone IMEI to match
    - starts to log session
    - unlocks
    - stops log session
    - changes back to real IMEI
    - share the generic IMEI with community
    - someone replicates the session with a standalone app.
    - free unlock to all

    Good luck

  9. #9 carlosvaldosta (Amazingly Knowledgeable)

    Quote Originally Posted by peu (post #8, see above)

    This was my idea earlier... all someone would have to do is make a backend dummy server with a username and password and unlock remotely, then pass along username and pass.

    great minds and such!
