As you may be aware, the 3G iPhone is sold "Officially unlocked" in Italy and HongKong.

http://www.hackint0sh.org/forum/showthread.php?t=45363

If our beloved Development Team got their hands on one of these 'officially unlocked' units, could they not 'replicate' the way that the unlock is done, to either create a new unlock for the rest of us or a component for PWNAGE?

Maybe worth a try...

Originally Posted by fuzzy

As you may be aware, the 3G iPhone is sold "Officially unlocked" in Italy and HongKong.

http://www.hackint0sh.org/forum/showthread.php?t=45363

If our beloved Development Team got their hands on one of these 'officially unlocked' units, could they not 'replicate' the way that the unlock is done, to either create a new unlock for the rest of us or a component for PWNAGE?

Maybe worth a try...

It's a good idea.. Maybe someone who knows what they're doing should pm one of the guys who responded in the other thread and ask them to upload the BB files over via instant messenger or something (not via the forum because of the rules)... who knows maybe it is a simple as replacing our files with theirs?

Wont work, the "official unlock" involves iTunes reading some data from the iPhone and sending it to an apple server. The apple server then checks to see if the phone is in its database as a phone that is allowed to be unlocked. If it is, the server does some calculations and math and en/decryption and stuff (likely using apple's private RSA key) and returns the results to iTunes which then hands it to the phone (who then unlocks it).

Without the apple algorithim and the apple private key, the only way to unlock is to use holes in the baseband (assuming such holes exist in the new 3G baseband software) to modify it so it thinks its unlocked.

Has anyone tried to spoof the iTunes server to return results that would tell iTunes that the phone can be activated?

Originally Posted by CaptainCode

Has anyone tried to spoof the iTunes server to return results that would tell iTunes that the phone can be activated?

Not possible and highly unlikely. Not to mention borderline illegal.

N41

Originally Posted by Number_41

Not possible and highly unlikely. Not to mention borderline illegal.

N41

It's not at all illegal to do on your own computer to imitate the iTunes activation server.

And how will you get the private encryption key? Qualified guessing, or simply studying tea leaves? Perhaps the same method as Mr Bush uses for finding WMDs?

I asked if anyone has tried. Since you seem to know how the whole thing works I assume you tried or are you just guessing at how it works?

the formula is known.

This is my multithreaded NCK brute forcer.
Thanks to gray for his initial work with the algorithm.

ltoken_test is a seczone I encoded with the NCK "123456"
It unlocked the phone with AT+CLCK="PN",0,"123456"

ltoken is the ltoken off my phone
rsa_key2 is the bootloader RSA key

A Quick Note on the Algo:
The token is stored encrypted at +0x400 in the seczone
The NCK Check prodecure is as follows:
Create a TEA key by combining the NCK, NORID, and CHIPID
Decrypt the token with the TEA key
One NCK will output a valid RSA message
This message contains the PKCS header and the NORID/CHIPID key

To summarize:
RSA(TEA(&seczone[0x400], SHA(NCK+NORID+CHIPID)),rsa_key2)=valid message

~geohot

Originally Posted by fuzzy

As you may be aware, the 3G iPhone is sold "Officially unlocked" in Italy and HongKong.

http://www.hackint0sh.org/forum/showthread.php?t=45363

If our beloved Development Team got their hands on one of these 'officially unlocked' units, could they not 'replicate' the way that the unlock is done, to either create a new unlock for the rest of us or a component for PWNAGE?

Maybe worth a try...

It's not like that if be, then this will be easy
All key is carrier (accepted carrier from apple) if Italy and HongKong iPhones are Unlocked, That Means Unlocked by they carriers.

maybe i'm wrong, but seems like that