iPhone 4 Unlocking. NCK-Bruteforce Research
I'm trying to do some research on the above topic and was wondering if you could help. Everything below relates to the iPhone 4.
1 Every iPhone has a NORID (8 bytes) & CHIPID (12 bytes) unique to each phone.
Question: Where is this stored? NOR? seczone? Can it be dumped?
2 An iPhone requires an NCK to unlock.
3 From what I understand the NCK is 15 characters.
Question: Is it numeric, alpha or alphanumeric?
4 The security token for checking whether the NCK is valid is stored encrypted at +0x400 in the seczone.
Question: Is this correct?
5 Based on what I've read on dogbert's blog, the security token is created using a method similar to the following pseudocode:
    deviceKey = SHA1_hash(norID+chipID)
    nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)
    rawSignature = generateSignature(SHA1_hash(norID+chipID), SHA1_hash(chipID))
    Signature = RSA_encrypt(rawSignature, RSAkey)
    security token = TEA_encrypt_cbc(Signature, nckKey)
Question: Is the pseudocode correct? If it is, then what is the custom hash that is being used? What is being used to generate the rawSignature? What is the RSAKey that is being used? Is it a public key that can be found in the phone?
6 If the above pseudocode is CORRECT, then we would have to bruteforce all 15-character combinations to find the correct NCK key, right? Because even though we are able to recover the NORID and CHIPID, we will not be able to use that information to reduce the number of characters we need to find.
7 New generations of iPhone OS contain a wildcardticket that is generated during the activation process. <- But this should be no problem to generate once we have the NCK, right?