|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Baseband TEA Keys"
(my code sucks.) |
(→Hardware Thumbprint Generation) |
||
| (8 intermediate revisions by 3 users not shown) | |||
| Line 2: | Line 2: | ||
==Key A Generation== |
==Key A Generation== |
||
| − | //return unique phone key (key A), this key is used for security zone encryption/decryption |
+ | // return unique phone key (key A), this key is used for security zone encryption/decryption |
| − | void get_keyA(u8 *A){ |
+ | void get_keyA(u8 *A) { |
SHA1Context ctx; |
SHA1Context ctx; |
||
SHA1Reset(&ctx); |
SHA1Reset(&ctx); |
||
| − | SHA1Input(&ctx,dep1_norid,0x10); |
+ | SHA1Input(&ctx, [[NORID|dep1_norid]], 0x10); |
| − | SHA1Input(&ctx,dep2_chipid,0x10); |
+ | SHA1Input(&ctx, [[CHIPID|dep2_chipid]], 0x10); |
SHA1Result(&ctx); |
SHA1Result(&ctx); |
||
| − | memcpy(A,(u8*)ctx.Message_Digest,0x14); |
+ | memcpy(A, (u8*)ctx.Message_Digest, 0x14); |
} |
} |
||
==NCK Key Generation== |
==NCK Key Generation== |
||
//ulc_mix_lock_unlock_key((u8*)A,(u8*)ctx.Message_Digest,dep1_norid,dep2_chipid,(u8*)B); |
//ulc_mix_lock_unlock_key((u8*)A,(u8*)ctx.Message_Digest,dep1_norid,dep2_chipid,(u8*)B); |
||
| − | void ulc_mix_lock_unlock_key(u8 *keyA, u8 *keyNCK,u8 *norid,u8 *chipid,u8 *keyB){ |
+ | void ulc_mix_lock_unlock_key(u8 *keyA, u8 *keyNCK, u8 *norid, u8 *chipid, u8 *keyB) { |
u8 out_iv[8]; |
u8 out_iv[8]; |
||
tea_3_round_encipher(norid,keyNCK,keyA,keyB,out_iv); //norid, keyNCK, SP+4, SP+0x14, SP+0x34 |
tea_3_round_encipher(norid,keyNCK,keyA,keyB,out_iv); //norid, keyNCK, SP+4, SP+0x14, SP+0x34 |
||
tea_3_round_encipher(chipid,keyNCK,out_iv,keyB+8,out_iv); //chipid, keyNCK, SP+4, SP+0x14, SP+0x34 |
tea_3_round_encipher(chipid,keyNCK,out_iv,keyB+8,out_iv); //chipid, keyNCK, SP+4, SP+0x14, SP+0x34 |
||
} |
} |
||
| + | |||
// auxilary function for nck key generation |
// auxilary function for nck key generation |
||
| − | void tea_3_round_encipher(u8 *in,u8 *key,u8 *iv,u8 *out,u8 *out_iv){ |
+ | void tea_3_round_encipher(u8 *in, u8 *key, u8 *iv, u8 *out, u8 *out_iv){ |
| − | u32 tmpin[2],nexttea[2]; |
+ | u32 tmpin[2], nexttea[2]; |
| − | tea_encipher((u32*)in,tmpin,(u32*)key); |
+ | tea_encipher((u32*)in, tmpin, (u32*)key); |
nexttea[0] = tmpin[0]^((u32*)iv)[0]; |
nexttea[0] = tmpin[0]^((u32*)iv)[0]; |
||
nexttea[1] = tmpin[1]^((u32*)iv)[1]; |
nexttea[1] = tmpin[1]^((u32*)iv)[1]; |
||
| − | tea_encipher(nexttea,(u32*)out,(u32*)key); |
+ | tea_encipher(nexttea, (u32*)out, (u32*)key); |
nexttea[0] = tmpin[0]^((u32*)out)[0]; |
nexttea[0] = tmpin[0]^((u32*)out)[0]; |
||
nexttea[1] = tmpin[1]^((u32*)out)[1]; |
nexttea[1] = tmpin[1]^((u32*)out)[1]; |
||
| − | tea_encipher(nexttea,(u32*)out_iv,(u32*)key); |
+ | tea_encipher(nexttea, (u32*)out_iv, (u32*)key); |
} |
} |
||
==Hardware Thumbprint Generation== |
==Hardware Thumbprint Generation== |
||
| − | u8 salt[20] = { |
+ | u8 salt[20] = { |
| + | 0x03, 0x5E, 0x20, 0x03, |
||
| − | 0xBB, 0x2D, 0x59, 0x28, 0xBF, 0x10, 0xAE, 0xB9, |
||
| + | 0xA9, 0x74, 0xFC, 0x57, |
||
| − | 0x00, 0x00, 0x00, 0x00 |
||
| + | 0xBB, 0x2D, 0x59, 0x28, |
||
| − | } ; |
||
| + | 0xBF, 0x10, 0xAE, 0xB9, |
||
| + | 0x00, 0x00, 0x00, 0x00 |
||
| + | }; |
||
void getHardwareThumbPrint(u8 *hwTP){ |
void getHardwareThumbPrint(u8 *hwTP){ |
||
SHA1Context ctx; |
SHA1Context ctx; |
||
SHA1Reset(&ctx); |
SHA1Reset(&ctx); |
||
| − | SHA1Input(&ctx,chipid,16); |
+ | SHA1Input(&ctx, [[CHIPID|chipid]], 16); |
| − | SHA1Input(&ctx,norid,16); |
+ | SHA1Input(&ctx, [[NORID|norid]], 16); |
| − | SHA1Input(&ctx,imei,16); //nibble encoded |
+ | SHA1Input(&ctx, imei, 16); //nibble encoded |
| − | SHA1Input(&ctx,salt,20); |
+ | SHA1Input(&ctx, salt, 20); |
SHA1Result(&ctx); |
SHA1Result(&ctx); |
||
| − | memcpy(hwTP,(u8*)ctx.Message_Digest,0x14); |
+ | memcpy(hwTP, (u8*)ctx.Message_Digest, 0x14); |
} |
} |
||
| + | |||
| + | Apple calls this "BasebandThumbprint". It can be obtained from the baseband serial port with [[Baseband Commands|at+xthumb?]]. |
||
==[[Wildcard Ticket]] Key Generation== |
==[[Wildcard Ticket]] Key Generation== |
||
| − | void getWildcardKey(u8 *wKey){ |
+ | void getWildcardKey(u8 *wKey) { |
u8 hwTP[20]; |
u8 hwTP[20]; |
||
getHardwareThumbPrint(&hwTP); |
getHardwareThumbPrint(&hwTP); |
||
SHA1Context ctx; |
SHA1Context ctx; |
||
SHA1Reset(&ctx); |
SHA1Reset(&ctx); |
||
| − | SHA1Input(&ctx,hwTP,20); |
+ | SHA1Input(&ctx, hwTP, 20); |
| − | SHA1Input(&ctx,salt,20); |
+ | SHA1Input(&ctx, salt, 20); |
SHA1Result(&ctx); |
SHA1Result(&ctx); |
||
| − | memcpy(wKey,(u8*)ctx.Message_Digest,0x14); |
+ | memcpy(wKey, (u8*)ctx.Message_Digest, 0x14); |
} |
} |
||
| − | + | This generates the key which can be used to encrypt/decrypt the wildcard ticket - the [[CHIPID|chipID]]/[[NORID|norID]] are NOT required. |
|
[[Category:Baseband]] |
[[Category:Baseband]] |
||
Latest revision as of 19:51, 29 April 2012
The baseband generates TEA keys based of the CHIPID and NORID.
Contents
Key A Generation
// return unique phone key (key A), this key is used for security zone encryption/decryption
void get_keyA(u8 *A) {
SHA1Context ctx;
SHA1Reset(&ctx);
SHA1Input(&ctx, dep1_norid, 0x10);
SHA1Input(&ctx, dep2_chipid, 0x10);
SHA1Result(&ctx);
memcpy(A, (u8*)ctx.Message_Digest, 0x14);
}
NCK Key Generation
//ulc_mix_lock_unlock_key((u8*)A,(u8*)ctx.Message_Digest,dep1_norid,dep2_chipid,(u8*)B);
void ulc_mix_lock_unlock_key(u8 *keyA, u8 *keyNCK, u8 *norid, u8 *chipid, u8 *keyB) {
u8 out_iv[8];
tea_3_round_encipher(norid,keyNCK,keyA,keyB,out_iv); //norid, keyNCK, SP+4, SP+0x14, SP+0x34
tea_3_round_encipher(chipid,keyNCK,out_iv,keyB+8,out_iv); //chipid, keyNCK, SP+4, SP+0x14, SP+0x34
}
// auxilary function for nck key generation
void tea_3_round_encipher(u8 *in, u8 *key, u8 *iv, u8 *out, u8 *out_iv){
u32 tmpin[2], nexttea[2];
tea_encipher((u32*)in, tmpin, (u32*)key);
nexttea[0] = tmpin[0]^((u32*)iv)[0];
nexttea[1] = tmpin[1]^((u32*)iv)[1];
tea_encipher(nexttea, (u32*)out, (u32*)key);
nexttea[0] = tmpin[0]^((u32*)out)[0];
nexttea[1] = tmpin[1]^((u32*)out)[1];
tea_encipher(nexttea, (u32*)out_iv, (u32*)key);
}
Hardware Thumbprint Generation
u8 salt[20] = {
0x03, 0x5E, 0x20, 0x03,
0xA9, 0x74, 0xFC, 0x57,
0xBB, 0x2D, 0x59, 0x28,
0xBF, 0x10, 0xAE, 0xB9,
0x00, 0x00, 0x00, 0x00
};
void getHardwareThumbPrint(u8 *hwTP){
SHA1Context ctx;
SHA1Reset(&ctx);
SHA1Input(&ctx, chipid, 16);
SHA1Input(&ctx, norid, 16);
SHA1Input(&ctx, imei, 16); //nibble encoded
SHA1Input(&ctx, salt, 20);
SHA1Result(&ctx);
memcpy(hwTP, (u8*)ctx.Message_Digest, 0x14);
}
Apple calls this "BasebandThumbprint". It can be obtained from the baseband serial port with at+xthumb?.
Wildcard Ticket Key Generation
void getWildcardKey(u8 *wKey) {
u8 hwTP[20];
getHardwareThumbPrint(&hwTP);
SHA1Context ctx;
SHA1Reset(&ctx);
SHA1Input(&ctx, hwTP, 20);
SHA1Input(&ctx, salt, 20);
SHA1Result(&ctx);
memcpy(wKey, (u8*)ctx.Message_Digest, 0x14);
}
This generates the key which can be used to encrypt/decrypt the wildcard ticket - the chipID/norID are NOT required.
