Results 21 to 30 of 196
Discuss [NCK] validation algorithm public at the iPhone "2G" (Rev. 1) - Hackint0sh.org
  1. #21
    Nikolas.A (Senior Professional)


    Quote Originally Posted by Locked
    The NCK is the code used to illegitimately unlock a GSM phone. This source code posted by geohot attempts to find this NCK using brute force.

    Due to miserable security on Apple's part, this NCK can be found by trying out different keys (i.e. NCKs) to decrypt the RSA token that is stored in the seczone. Only one generated key (i.e. NCK) will result in properly decrypting the token.
    So we pass keys that will be used to decrypt the RSA token, and then compare it to what?
    What is the check?


  2. #22
    Nickolaicho
    Guest


    Maybe a dumb question, but can we pool CPU power the same way SETI@Home works, over the network, if we just leave our screensaver running, or maybe leave our computers running "something" overnight?
    Yes, but that needs heavy development.

  3. #23
    Locked (Amazingly Knowledgeable)


    Quote Originally Posted by Nikolas.A
    So we pass keys that will be used to decrypt the RSA token and then compare it to what?
    What is the check?
    Read the README attached with the source code.

    Code:
    rsa_key2 is the bootloader RSA key
    
    A Quick Note on the Algo:
    The token is stored encrypted at +0x400 in the seczone
    The NCK Check procedure is as follows:
    Create a TEA key by combining the NCK, NORID, and CHIPID
    Decrypt the token with the TEA key
    One NCK will output a valid RSA message
    This message contains the PKCS header and the NORID/CHIPID key
    
    To summarize:
    RSA(TEA(&seczone[0x400], SHA(NCK+NORID+CHIPID)),rsa_key2)=valid message

  4. #24
    Rookie


    anyone got any good news on whether it worked?

  5. #25
    Advanced


    Quote Originally Posted by Nickolaicho
    Yes, but that needs heavy development.
    http://en.wikipedia.org/wiki/CHAOS_(Linux_distribution)

    "This tiny disc will boot any i586 class PC (that supports CD booting), into a working openMosix node, without disturbing (or even touching) the contents of any local hard disk. Designed for large-scale ad hoc clusters, once booted, CHAOS runs from memory allowing the CD to be used on the next node (and allowing for automated rebooting into the host operating system)."

    Just a hint...


  6. #26
    Nikolas.A (Senior Professional)


    Quote Originally Posted by Locked
    Read the README attached with the source code.

    Code:
    rsa_key2 is the bootloader RSA key
    
    A Quick Note on the Algo:
    The token is stored encrypted at +0x400 in the seczone
    The NCK Check procedure is as follows:
    Create a TEA key by combining the NCK, NORID, and CHIPID
    Decrypt the token with the TEA key
    One NCK will output a valid RSA message
    This message contains the PKCS header and the NORID/CHIPID key
    
    To summarize:
    RSA(TEA(&seczone[0x400], SHA(NCK+NORID+CHIPID)),rsa_key2)=valid message
    rsa_key2: I assume this is the same for all bootloaders of the same version.
    seczone[0x400]: I assume this is different for each phone.

    And I made a mistake in my previous calculations. The 317 years another member posted should be the real time for trying keys of this format (111111111111111) with the given algorithm.
    So it's 1000000000000000 different combinations for the NCKs.
    I doubt Apple would create 1,000,000,000,000,000 iPhones.
    And it would be silly to make all these checks.
    And TEA suffers from equivalent keys: each key is equivalent to three others.
    Can we find which keys are equivalent so we don't have to check those?

    From what I know, the TEA encrypt/decrypt functions are void; they don't return anything!

    Any more info on this?
    Last edited by Nikolas.A; 12-17-2007 at 11:31 AM.
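The equivalent-key property Nikolas.A refers to, shown with an added example that is not code from this thread or from geohot's tool: a plain TEA block encrypt/decrypt in Python, plus the three keys TEA cannot tell apart from a given one. The key and plaintext block are constructed values.

```python
MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9  # TEA's round constant (golden-ratio derived)


def tea_encrypt_block(v0, v1, key):
    """Standard 32-round TEA on one 64-bit block given as two 32-bit words."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block: same rounds, run backwards."""
    k0, k1, k2, k3 = key
    s = (DELTA * 32) & MASK32  # 0xC6EF3720, the sum after 32 rounds
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def equivalent_keys(key):
    """The three other keys TEA treats exactly like `key`.

    In every round k0 and k1 each enter through an addition whose results are
    XORed together. Adding 2^31 mod 2^32 just flips the top bit, so flipping
    the top bit of BOTH k0 and k1 cancels in the XOR; the same holds for the
    k2/k3 pair. Each key therefore has three equivalents, and TEA's effective
    key size is 126 bits rather than 128.
    """
    k0, k1, k2, k3 = key
    top = 0x80000000
    return [
        (k0 ^ top, k1 ^ top, k2, k3),
        (k0, k1, k2 ^ top, k3 ^ top),
        (k0 ^ top, k1 ^ top, k2 ^ top, k3 ^ top),
    ]


def equivalents_encrypt_identically(key, block=(0x01234567, 0x89ABCDEF)):
    """True if all three equivalent keys produce the same ciphertext as `key`."""
    reference = tea_encrypt_block(*block, key)
    return all(tea_encrypt_block(*block, k) == reference for k in equivalent_keys(key))
```

Because the TEA key in the scheme quoted above is a SHA digest of NCK+NORID+CHIPID, the equivalents of any key are unrelated digests, so the property does not identify NCK candidates that could be skipped; it is a key-schedule weakness of TEA, not a shortcut through the hash.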

  7. #27
    MuscleNerd (iPhone DevTeam)


    Quote Originally Posted by toruonu
    However as I have understood this will not work with 4.6BL. As I have read from various places and latest claimed by MuscleNerd in another thread is that there is a way to read data still in 4.6BL and gray has a way.
    For 4.6 BL iPhones, that way still requires a secpack beyond 112 to come out of Apple (unless you are good at reballing BGAs)

    Anyway, thank you geohot for publishing that code and also for coming on here to clarify some stuff.

    But again unless geohot (who has seen 4 plists as of now) or someone else with first-hand exposure says otherwise, the NCK is 15 digits long. It's taken me about 1.5 days to go through all 8, 9, and 10 digit NCKs for my iPhone (at about 125K keys/second). For the 10-digit run, it's been about 1 day. So it would take (at most) 100,000 days or (an average of) 50,000 days in that environment to reveal my 15-digit NCK.

    If anyone has experience with FPGA/hardware assisted RSA bruteforce, or even gmp-on-PS3 bruteforce, please speak up
    Last edited by MuscleNerd; 12-17-2007 at 12:02 PM.

  8. #28
    Senior Professional


    Quote Originally Posted by Nikolas.A
    And tea suffers from equivalent keys, each key is equivalent to three others
    So if BF would be a solution we need a centralized database where we can put successful keys just to avoid troubling our systems with already cracked keys?

  9. #29
    geohot__ (Professional)


    Okay, some good news. I have now seen 3 German NCKs and they all start with the number "3". If we find what number the American phones start with, there is a ten-fold improvement.

    Some good cryptanalysts should have a look at this, maybe they can find other improvements. At the present time, do NOT waste time running this on your iPhone, you will never find your code. I have everything in place for a distributed effort if and when the time comes.

    This is one of the first multithreaded apps I ever coded; I'm sure that there are tons of optimizations that can be made there as well. Also, GPUs and PS3s are much more suited to this type of processing. And of course, FPGAs :-)

    Also, as gray pointed out to me a long time ago, "rainbow tables" or the like won't work due to every phone having a different NORID and CHIPID. The generated TEA key varies from phone to phone even with the same NCK.
    Last edited by geohot__; 12-17-2007 at 12:15 PM.

  10. #30
    Senior Professional


    Quote Originally Posted by MuscleNerd
    For 4.6 BL iPhones, that way still requires a secpack beyond 112 to come out of Apple (unless you are good at reballing BGAs)
    I'm quite OK with that; I mean, if it takes a few months to get that started it won't bother me, as until then we can verify the full unlock with some 3.9 phones.

    Anyway, thanks geohot for publishing that code and also for coming on here to clarify some stuff.

    But again unless geohot (who has seen 4 plists as of now) says otherwise, the NCK is 15 digits long. It's taken me about 1.5 days to go through all 8, 9, and 10 digit NCKs for my iPhone (at about 125K keys/second). For 10-digits, it's been about 1 day. So it would take (at most) 100,000 days or (an average of) 50,000 days in that environment to reveal my 15-digit NCK.

    If anyone has experience with FPGA/hardware assisted RSA bruteforce, or even gmp-on-PS3 bruteforce, please speak up
    Well, we should assume it's 15 digits, but maybe geohot can post the NCK codes he has found so far (the code alone should be no private data); maybe there are recurring digits or something else that jumps out. At some point he mentioned the two German ones had 3 as the first digit; if that were constant across a region, then that would effectively reduce the keyspace by one digit.