Re-encrypt and re-write ltoken

**tigrouuuu** · 12-18-2007 02:20 PM

Originally Posted by zolly

Genes or Jeans?

You got me there...

**toruonu** · 12-18-2007 02:21 PM

Originally Posted by tigrouuuu

i actually have access to 10 Blue Genes...

Ok ... might want to elaborate on that

What do you mean under access? Login access and ability to utilize all CPU-s? What kind of configuration are they in etc? 10 BlueGenes (if they are the newer ones) would mean a minimum of 20 000 cores as a single rack is 2000 cores and that's the minimum config of a new BlueGene. Older ones might be smaller, but still

**thebo83** · 12-18-2007 02:38 PM

Could this also help to fix the IMEI 0049 problem with the really f*cked up seczone? To rebuild it?

**Locked** · 12-18-2007 02:58 PM

Originally Posted by thebo83

Could this also help to fix the IMEI 0049 problem with the really f*cked up seczone? To rebuild it?

No.hhhhhhhhhh

**thebo83** · 12-18-2007 03:31 PM

Sorry, was just a question!... Everybody is caring about the unlock of 1.1.2 but not about the hundreds of bricked phones...

I ran the nckbf.exe but at the end it only says:

99805872 keys done, 00033622 k/s, 00:00:05 left
99838347 keys done, 00032475 k/s, 00:00:04 left
99871932 keys done, 00033585 k/s, 00:00:03 left
99905802 keys done, 00033870 k/s, 00:00:02 left
99938382 keys done, 00032580 k/s, 00:00:01 left
99971337 keys done, 00032955 k/s, 00:00:00 left
Search Complete
Checksum: 0x0334E0C0

What does this mean?

**zolly** · 12-18-2007 03:35 PM

Originally Posted by thebo83

Sorry, was just a question!... Everybody is caring about the unlock of 1.1.2 but not about the hundreds of bricked phones...

I ran the nckbf.exe but at the end it only says:

99805872 keys done, 00033622 k/s, 00:00:05 left
99838347 keys done, 00032475 k/s, 00:00:04 left
99871932 keys done, 00033585 k/s, 00:00:03 left
99905802 keys done, 00033870 k/s, 00:00:02 left
99938382 keys done, 00032580 k/s, 00:00:01 left
99971337 keys done, 00032955 k/s, 00:00:00 left
Search Complete
Checksum: 0x0334E0C0

What does this mean?

your best bet would be to open your own thread to this question

**toruonu** · 12-18-2007 03:51 PM

Maybe a post that will help you guys:

Q: Does the current Brute Force application on geohot's website help you unlock your iPhone (1.1.2 OTB or any other)
A: NO

any way you execute that code and run it the maximum you can come up with is an answer that the NCK is found and then you can send that to geohot and he can unlock his iPhone

THIS IS A CODE SAMPLE FOR DEVELOPERS, don't take it for anything else.

**toruonu** · 12-18-2007 03:53 PM

Ok, I ran some profiling on the code, obvious place where to start looking for improvements is the TEA decipher/encipher functions:

Code:

Each sample counts as 0.01 seconds.
  %   cumulative   self              self     total           
 time   seconds   seconds    calls  ns/call  ns/call  name    
 51.09      3.76     3.76  8340137   450.83   450.83  tea_decipher
 20.92      5.30     1.54  3553634   433.36   433.36  tea_encipher
 17.66      6.60     1.30                             bf
  8.70      7.24     0.64   670411   954.64   954.64  SHA1ProcessMessageBlock
  0.95      7.31     0.07   734790    95.27   966.26  SHA1Result
  0.68      7.36     0.05   767565    65.14    65.14  SHA1Input
  0.00      7.36     0.00   686366     0.00     0.00  SHA1Reset
  0.00      7.36     0.00        8     0.00     0.00  HexDumpLine
  0.00      7.36     0.00        1     0.00     0.00  genkey

One can gain about 30-50% by just enabling the gcc compiler optimization option -O3, but I guess to improve 10x or 100x we need to work on the TEA part...

**drg** · 12-18-2007 04:02 PM

Seeing as we know the ltoken plaintext, would it be possible to re-encypt it using a known NCK, such as 123456, and re-write the ltoken to the iPhone?

I guess this is similar but more elegant than what IPSF does (zero out the token entirely). Of course, this would only work on early bootloader phones.

Would this work?

**toruonu** · 12-18-2007 04:15 PM

A small update to the profile, I copied here the profile which was for a very short run, now running 8 threads and 8+ minutes (the full 8 digit keyspace) the profile is this:

Code:

  %   cumulative   self              self     total           
 time   seconds   seconds    calls  us/call  us/call  name    
 51.25    342.44   342.44 541068147     0.63     0.63  tea_decipher
 19.78    474.59   132.15                             bf
 19.19    602.84   128.25 230763468     0.56     0.56  tea_encipher
  7.78    654.86    52.02 44395340     1.17     1.17  SHA1ProcessMessageBlock
  1.20    662.90     8.04 47844754     0.17     1.26  SHA1Result
  0.75    667.93     5.02 50031777     0.10     0.10  SHA1Input
  0.10    668.56     0.64 45691647     0.01     0.01  SHA1Reset
  0.01    668.60     0.04                             SHA1PadMessage
  0.00    668.62     0.02                             frame_dummy
  0.00    668.62     0.00        8     0.00     0.00  HexDumpLine
  0.00    668.62     0.00        1     0.00     0.00  genkey

With regard to encrypting the ltoken with another NCK I think that's what geohot did to test that his BF code works.