The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Talk:X-Gold 608 Unlock"
Caique2001 (talk | contribs) (New page: == current 3G unlock status?? == What actually did dev team achieve up to now?? They claim they can flash disallowed code for the baseband firmware. What does it mean, actually? Can the...)
(→Find the theorized algorithm of NCK generation: INDENT (also ---- (horizontal rules) aren't necessary))
(27 intermediate revisions by 17 users not shown)
Latest revision as of 20:07, 11 January 2011
Getting some sensitive BB info ?
Q: How do I get (which AT command to use, maybe?) to sensitive baseband information (like battery consumption/RX/TX power)?
current 3G unlock status??
just citing:
- Q: You can take 1.45.00 (or at least 1.43.00), patch it somewhere, flash this file and it's run? Yes or no?
- A: No(t yet as easy as that, but be sure we're on it) :p Zf
So, that's very good news :) -caique2001-
To speak more technically... The X-Gold 608 has TPM features. So normally one would expect it to only run signed code. This in turn means it doesn't matter if the code is interchangeable, because only original Apple code can be run. The crucial hack needed is the hack to run unsigned code, say patched code (as Apple's private signing key is of course not known).
TPM doesn't come into play here. We're running unsigned code, and convincing s-gold3 bootrom we deserve a downgrade. It happily complies.
Wow! Even more good news :-) Where do we have to send the beer to :-) ?? If it doesn't go too much into detail, could you shortly explain what issue you are currently working on? The fact that you have the possibility to run patched unsigned code, does it imply you are currently working on a patch that actually does the unlock? And does TPM come into play here or are there other issues to be solved? caique2001
I would assume that with unsigned code, you could patch the 3G equivalent of Simple Unlock. IIRC, geohot has already found the bits. We just need a way to patch them. About bypassing TPM... it would be interesting to see how this is done. Perhaps a malformed sig like with pwnage 2.0 and DFU mode? Guess we will just have to wait and see :P ChronicDev
opensource baseband?
Is it possible to make one? With 3G support? Or modify the 4.6 baseband to have 3G support?
4.6 is on a different platform, you cannot modify that for 3G.
get unlocked bootloader ??
As in countries like Belgium, the 3G is sold without any carrier lock (Belgian law).
Wouldn't it be possible to get the bootloader from such an iPhone and transfer it to any other device?
/harald
"Bootloader" has NOTHING to do with official unlock (or unlock). Official Unlock is IMHO done by IMEI and NCK. ~wEsTbAeR--
Find the theorized algorithm of NCK generation
Isn't this what the thousands of keygens for PC apps do? Why is it so much harder to do it for the iPhone? Is it because you would normally decompile the software that does the validation, and this is run on Apple servers and so is inaccessible? Sorry, just thinking out loud...
- In software we can (after a good amount of work) see the routine that is used to verify the numbers you input. In the iPhone it's not that simple. We know the routine but we don't know what the iPhone starts with (or even if it's generated from the iPhone's serial or is just a number in a database)
- In software, you input your name and a serial number. The software gets your name, translates it to numbers and does some math like (FirstLetter)*(SecondLetter)/(ThirdLetter + FourthLetter)
- So by knowing those rules, we run the same routine in a software and find out what the original software will expect when you input a name such as "funny". Then you use "funny" and 129837987239187 as serial and it works.
- On the iPhone we don't know what the "name" is. We know your iPhone will do something like TEA(RSA(token+"name")) and will compare the response of that with what it has stored in it.
- Some people believe the NCK (aka "name" in the above example) doesn't have any relation to the numbers on the phone, such as the serial, IMEI, etc. Some people believe Apple has a big table of numbers relating one NCK for each SERIAL but the NCK isn't formed from the serial.
- I don't believe so... I think it's a number generated by the IMEI, serial and any other unique numbers. Either with all of them, or parts of each. I started coding a program that would do a different search than Geohot's NCKBruteForcer. He was trying all the combinations and would eventually find the correct answer for each iPhone but it would take a million years with the computing power we have. I thought of it in a different way. I would assume that the NCK is made by a rule out of the combination of the following "items" [-, +, /, *, ^, Log, Ln, Log(2), exp, mod, imei, serial] and then code something to search for all the rules inside that space such as imei*serial/log(serial)+imei for instance. Another idea was that they could use only a couple of digits of each, so something like this would be possible: (3 digits of imei)*(first digit of serial)^(4 last digits of imei) mod (2 last digits of serial) .. and so on. This would be a smaller search than Geohot's but would not work if Apple has a table with all the NCKs.
- I was coding this for the 1.1.4 OOTB when Geohot found the exploit and unlocked it. So I gave up... but maybe it's time to look at it again. ~ Deco
I was wondering: Would that in the end be useful? Just theoretically it would take less time to bruteforce the actual 15 (?) digit NCK than to do a bruteforce via calculation examples, wouldn't it? ~BBsan
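As an added example (not from the original page, and not Apple's or the Dev-Team's code), the toy model below contrasts the two cases argued over in this thread: a PC-style check whose routine is visible to the attacker, so the keygen is just that routine run on the chosen name, against a device-style check that stores only a digest of the key, so knowing the routine yields a yes/no oracle and nothing more. It also runs Deco's rule-space search (two items combined by one operator, over whole identifiers and digit slices) against a hypothetical vendor that derives the NCK from device identifiers and against one that keeps a table of random NCKs, which is the distinction BBsan's question turns on. The digest function (SHA-256 over IMEI and NCK), the letter-to-number rule, the rule grammar, the digits-only serial number and the IMEI/serial/NCK values are all constructed for the example; nothing here is Apple's real NCK scheme.

```python
import hashlib
import itertools
import operator
from typing import Callable, Optional

# ---- Case 1: PC-style check, routine fully visible in the client ----
# Constructed rule: letters of the name become numbers and are combined with
# fixed arithmetic (same spirit as the (a)*(b)/(c+d) example in the thread).
def pc_expected_serial(name: str) -> int:
    v = [ord(c) - ord("a") + 1 for c in name.lower()[:4].ljust(4, "a")]
    return (v[0] * v[1] * 1_000_003 + v[2] * 1_000 + v[3]) % 10**15

def pc_validate(name: str, serial: int) -> bool:
    return serial == pc_expected_serial(name)

def pc_keygen(name: str) -> int:
    # Once the routine has been reversed, the keygen just runs it.
    return pc_expected_serial(name)

# ---- Case 2: device-style check, only a digest of the key is stored ----
NCK_DIGITS = 15
MOD = 10**NCK_DIGITS

def nck_digest(imei: str, nck: int) -> bytes:
    # Stand-in for the real (unknown) routine: SHA-256 over IMEI and NCK.
    return hashlib.sha256(f"{imei}:{nck:0{NCK_DIGITS}d}".encode()).digest()

def device_validate(imei: str, stored: bytes, candidate: int) -> bool:
    # The phone can only answer yes/no; it never reveals the NCK itself.
    return nck_digest(imei, candidate) == stored

def brute_force_nck(imei: str, stored: bytes, max_tries: int) -> Optional[int]:
    # Exhaustive search, capped for illustration; the full space is MOD candidates.
    for cand in range(max_tries):
        if device_validate(imei, stored, cand):
            return cand
    return None

# ---- Deco's idea: search a space of rules over IMEI/serial and digit slices ----
def _slices(s: str):
    yield "all", int(s)
    yield "first3", int(s[:3])
    yield "last4", int(s[-4:])
    yield "last2", int(s[-2:])

OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "mod": lambda a, b: a % b if b else None,
    "^": lambda a, b: pow(a, b, MOD) if b <= 64 else None,  # keep exponents small
}

def rule_search(imei: str, serial: str, check: Callable[[int], bool]) -> Optional[str]:
    """Return the first 'item op item' rule whose result passes check(), else None."""
    items = [(f"imei[{n}]", v) for n, v in _slices(imei)]
    items += [(f"serial[{n}]", v) for n, v in _slices(serial)]
    for (an, a), (bn, b) in itertools.product(items, repeat=2):
        for on, op in OPS.items():
            r = op(a, b)
            if r is None:
                continue
            if check(r % MOD):
                return f"{an} {on} {bn}"
    return None

# Constructed identifiers (not real devices); serial kept digits-only for simplicity.
IMEI = "012345678901234"
SERIAL = "88829012345"

def scenario_derived() -> Optional[str]:
    # Hypothetical vendor that derives the NCK from device identifiers.
    nck = (int(IMEI[-4:]) * int(SERIAL[-2:])) % MOD
    stored = nck_digest(IMEI, nck)
    return rule_search(IMEI, SERIAL, lambda n: device_validate(IMEI, stored, n))

def scenario_random() -> Optional[str]:
    # Vendor that keeps a table of random NCKs: the rule search has nothing to find.
    stored = nck_digest(IMEI, 734815029462117)
    return rule_search(IMEI, SERIAL, lambda n: device_validate(IMEI, stored, n))

if __name__ == "__main__":
    print("PC keygen for 'funny':", pc_keygen("funny"), pc_validate("funny", pc_keygen("funny")))
    print("Derived NCK, rule found:", scenario_derived())
    print("Random NCK, rule found:", scenario_random())
    print("Exhaustive search space:", MOD)
```

Running it shows the rule search recovering imei[last4] * serial[last2] in the derived case and returning nothing in the random case; there the only option left is the exhaustive search over 10^15 candidates that BBsan mentions, which the capped brute_force_nck only illustrates. The rule grammar is deliberately small (two items, one operator); Deco's list of items and operators would grow the space but not change the conclusion.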
Unlock by changing model and serial number
Chinese grey-market importers are reportedly unlocking the iPhone 3G by changing the model and serial numbers stored in the phone to match the Hong Kong version. Can someone please test if this method works? --The preceding unsigned comment was added by Cynix (talk) 11:14, November 6, 2008 (UTC).
Bootrom dump
In the article: "The Dev-Team successfully dumped the bootrom, but they won't release it as it's copyrighted code." What does this mean? Copyrighted by Dev-Team??? If copyright by Apple is meant, then we should be able to get it from somewhere. Right? -- http 22:23, 14 April 2010 (UTC)
- It's copyrighted by either Infineon or Apple. I've never seen any download link for it, so you'll probably have a tough time finding it. --Dialexio 22:57, 14 April 2010 (UTC)
NCK Bruteforcer?
Just curious as to why this is included on this page (and the x-gold 618 unlock page as well) as it is stated on the NCK page "Network Control Key. The 15-digit key required to "legitimately" unlock the iPhone 2G. Every other iPhone revision is unlocked with a WildcardTicket which permits every MNC/MCC/ICCID combination". Thought it was best not to remove it in case I'm missing something --Toddyt1 21:44, 8 January 2011 (UTC)