Discuss [1.1.2 OTB] IMPORTANT - Unlock Information - Please Read at the iPhone "2G" (Rev. 1) - Hackint0sh.org
-
so in a quick summary, if Apple decides to include a new bootloader every time they release a new firmware we will never be able again to crack a phone with the latest firmware coming out of the box (?), only the ones which have been unlocked under 1.1.1 and will be updated.
am i right or did i miss the point?
-
@ vpr:
if you read the entire post, you'll see he explains that we will be behind one update after this. they need to reflash baseband with patched firmware with new seczone. new seczone we don't have so that's why we need another update. i think that's kind of what pspsully meant, lol.
btw thanks for the heads up and we'll stay tuned right here as always.
-

Originally Posted by vpr:
Doesn't make sense to me. Who told you this?
Now that we have all that nasty stuff out of the way, I do have some good news!! Firstly, an exploit has been found in the new bootloader that should allow us to run anySIM; this is excellent news as many people were worried if there would be an exploit in this bootloader. So basically, when we get the next firmware update, once the secpack is retrieved, we should have no problem unlocking 1.1.2 with bootloader 4.6; however, after the next firmware comes out, we WILL NOT be able to update to it as we will then need the secpack from the one AFTER THAT to unlock it.
-

Originally Posted by vpr:
Doesn't make sense to me. Who told you this?
http://iphonejtag.blogspot.com/
geohot's blog
-

Originally Posted by darksun:
Regarding sniffing the germany official unlock via iTunes.
I don't think it is worth spending time on this. Likely, there is no direct relationship or algorithm to get the NCK (network control key) from the IMEI to unlock the phone. It is more likely that Apple has a database with all IMEIs / serials and the corresponding NCKs. iTunes may send the IMEI and get the NCK back to unlock the phone. The official way. As the NCK is different for every phone this would not help. Likely, the NCK is only given back to iTunes when the IMEI is on the white list of the Apple server.
A more reasonable approach to an official unlock would be this:
It is already known how to get the RSA hash of the NCK from the seczone. This cannot be decrypted without the private key. But if it is possible to reverse engineer the routine which encrypts the NCK to compare it with the RSA hash of the NCK, given the public key, it would be possible to create all RSA hashes of all NCK values XXXXXXXX in a database (10^8 possibilities). This would maybe take some time, a week?, I don't know, but afterwards it should be possible to get the NCK from there after extracting the RSA hash from the seczone. This would be pretty much like the official unlock.
Maybe I am wrong, but has anything been posted on why reverse engineering the hash routine is not possible? Does anyone know if this is sitting in the bootloader or the firmware? Any comments would be great.
If the public key is known, is the RSA encryption used not known?
You'll get a NCK for a given iPhone. Nothing else. What's the use of knowing NCK for an unlocked iPhone? You can't use it to unlock another one!
-

Originally Posted by jflc9:
@ vpr:
if you read the entire post, you'll see he explains that we will be behind one update after this. they need to reflash baseband with patched firmware with new seczone. new seczone we don't have so that's why we need another update. i think that's kind of what pspsully meant, lol.
btw thanks for the heads up and we'll stay tuned right here as always.

Originally Posted by pksh:
Now that we have all that nasty stuff out of the way, I do have some good news!! Firstly, an exploit has been found in the new bootloader that should allow us to run anySIM; this is excellent news as many people were worried if there would be an exploit in this bootloader. So basically, when we get the next firmware update, once the secpack is retrieved, we should have no problem unlocking 1.1.2 with bootloader 4.6; however, after the next firmware comes out, we WILL NOT be able to update to it as we will then need the secpack from the one AFTER THAT to unlock it.

Originally Posted by isom3tric:
Stop posting this sh*t. I know what I'm speaking about.
-

Originally Posted by vpr:
Stop posting this sh*t. I know what I'm speaking about.
then please do not reply to this thread without facts!
-
vpr: that is exactly the point I meant by saying that to sniff the official unlock via iTunes does not make sense. Because you get only your NCK for your unlocked phone. This NCK is of no use for other users.
But imagine this: If I knew the rsa hash encryption, I could create the RSA hashes for all possible NCK combinations, put this into a database (stores NCK and RSA hashes for each combination), and upload this db to a Webserver.
You then would run an app on your phone to read out the RSA hash of the seczone, go to my webserver, put in the RSA hash and you get back the corresponding NCK for your phone/RSA hash out of the database. With this you could unlock the phone via AT command, for example.
Of course this would not work for OTB 1.1.2 with bootloader 4.6 at the moment as it is not possible to read out the hash from the seczone but it could work for phones with bootloader 3.9 and later on for 4.6 as soon as the new secpack is available to put a routine in the baseband to read from the seczone.
Last edited by darksun; 11-27-2007 at 10:01 PM.
-

Originally Posted by darksun:
vpr: that is exactly the point I meant by saying that to sniff the official unlock via iTunes does not make sense. Because you get only your NCK for your unlocked phone. This NCK is of no use for other users.
But imagine this: If I knew the rsa hash encryption, I could create the RSA hashes for all possible NCK combinations, put this into a database (stores NCK and RSA hashes for each combination), and upload this db to a Webserver.
You then would run an app on your phone to read out the RSA hash of the seczone, go to my webserver, put in the RSA hash and you get back the corresponding NCK for your phone/RSA hash out of the database. With this you could unlock the phone via AT command, for example.
Of course this would not work for OTB 1.1.2 with bootloader 4.6 at the moment as it is not possible to read out the hash from the seczone but it could work for phones with bootloader 3.9 and later on for 4.6 as soon as the new secpack is available to put a routine in the baseband to read from the seczone.
You need apple's private key to make a hash of a given NCK+IMEI or whatever! Public is used only for validating!
-
Ok, one last question. Do you know how the NCK is verified by the baseband if you do an unlock via AT command ?
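The table-over-10^8-codes idea darksun lays out above and the closing question of how the baseband verifies the NCK both turn on the same property: whether the stored check value is a pure, fast function of the code alone. The following is an added example, not code from this thread or from any iPhone tool, that models three verifier designs in Python so their costs can be compared: the unkeyed digest that a precomputed-table approach assumes, a per-device salted iterated KDF, and an attempt-limited verifier. The hash choices, the salt, the iteration count, the attempt limit and the sample code "12345678" are all constructed assumptions for illustration; nothing here describes Apple's actual scheme.

```python
# Added example, not from the thread or any iPhone tooling. Models three ways a
# verifier could store and check an 8-digit code ("XXXXXXXX", 10^8 values).
# Hash choices, salt, iteration count and attempt limit are assumptions for
# illustration; nothing here is Apple's or the baseband's real scheme.
import hashlib
import hmac
import time

NCK_DIGITS = 8
KEYSPACE = 10 ** NCK_DIGITS  # 100,000,000 candidate codes


def plain_digest(nck: str) -> bytes:
    """Design 1: unkeyed, unsalted, fast hash of the code.

    The stored value is a pure function of the code, so anyone who knows the
    routine can compute a table over the whole keyspace once and reuse it
    against every device: the scenario discussed in the thread.
    """
    return hashlib.sha256(nck.encode("ascii")).digest()


def measure_digest_rate(samples: int = 20_000) -> float:
    """Single-core digests per second for design 1 on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        plain_digest(f"{i:0{NCK_DIGITS}d}")
    return samples / (time.perf_counter() - start)


def projected_table_seconds(rate: float, keyspace: int = KEYSPACE) -> float:
    """Seconds needed to compute one digest for every code at `rate`."""
    return keyspace / rate


def slow_digest(nck: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Design 2: per-device salt plus an iterated KDF (PBKDF2-HMAC-SHA256).

    The salt makes a shared precomputed table useless (every device would need
    its own), and each guess now costs `iterations` HMAC evaluations, not one.
    """
    return hashlib.pbkdf2_hmac("sha256", nck.encode("ascii"), salt, iterations)


class AttemptLimitedVerifier:
    """Design 3: the verifier, not the hash, bounds the search.

    After `max_attempts` wrong codes the verifier locks permanently, so the
    keyspace cannot be walked through the verifier's own interface.
    """

    def __init__(self, stored: bytes, salt: bytes,
                 max_attempts: int = 5, iterations: int = 200_000):
        self._stored = stored
        self._salt = salt
        self._iterations = iterations
        self._max_attempts = max_attempts
        self._failures = 0

    def try_code(self, nck: str) -> str:
        """Return 'unlocked', 'rejected' or 'locked'."""
        if self._failures >= self._max_attempts:
            return "locked"
        candidate = slow_digest(nck, self._salt, self._iterations)
        # constant-time comparison so timing does not leak matching prefixes
        if hmac.compare_digest(candidate, self._stored):
            return "unlocked"
        self._failures += 1
        return "rejected"


if __name__ == "__main__":
    rate = measure_digest_rate()
    print(f"design 1: ~{rate:,.0f} digests/s on one core -> full 10^8 table "
          f"in ~{projected_table_seconds(rate) / 3600:.2f} h")
    salt = b"constructed-per-device-salt"   # constructed value
    stored = slow_digest("12345678", salt)   # constructed enrolled code
    verifier = AttemptLimitedVerifier(stored, salt, max_attempts=3)
    for guess in ("00000000", "11111111", "22222222", "12345678"):
        print(guess, "->", verifier.try_code(guess))
```

Run it to see the projected table time on your own machine. The point of design 1 is that its cost is a property of the hash routine, not of any particular device, which is why the "maybe a week?" estimate above is really a question about which routine is used; designs 2 and 3 make the cost per device and per attempt instead, and the last line of the demo shows the correct code being refused once the attempt budget is spent.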