This is my multithreaded NCK brute forcer.
Thanks to gray for his initial work with the algorithm.
ltoken_test is a seczone I encoded with the NCK "123456"
It unlocked the phone with AT+CLCK="PN",0,"123456"
ltoken is the ltoken off my phone
rsa_key2 is the bootloader RSA key
A Quick Note on the Algo:
The token is stored encrypted at +0x400 in the seczone
The NCK Check prodecure is as follows:
Create a TEA key by combining the NCK, NORID, and CHIPID
Decrypt the token with the TEA key
One NCK will output a valid RSA message
This message contains the PKCS header and the NORID/CHIPID key
RSA(TEA(&seczone[0x400], SHA(NCK+NORID+CHIPID)),rsa_key2)=valid message