The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Baseband TEA Keys"
(→Wildcard Ticket Key Generation) |
|||
Line 50: | Line 50: | ||
==[[Wildcard Ticket]] Key Generation== |
==[[Wildcard Ticket]] Key Generation== |
||
void getHardwareThumbPrint(u8 *hwTP){ |
void getHardwareThumbPrint(u8 *hwTP){ |
||
− | u8 hwTP[ |
+ | u8 hwTP[20]; |
getHardwareThumbPrint(&hwTP); |
getHardwareThumbPrint(&hwTP); |
||
SHA1Context ctx; |
SHA1Context ctx; |
||
SHA1Reset(&ctx); |
SHA1Reset(&ctx); |
||
− | SHA1Input(&ctx,hwTP, |
+ | SHA1Input(&ctx,hwTP,20); |
SHA1Input(&ctx,salt,20); |
SHA1Input(&ctx,salt,20); |
||
SHA1Result(&ctx); |
SHA1Result(&ctx); |
Revision as of 21:56, 20 August 2010
The baseband generates TEA keys based of the CHIPID and NORID.
Contents
Key A Generation
//return unique phone key (key A), this key is used for security zone encryption/decryption void get_keyA(u8 *A){ SHA1Context ctx; SHA1Reset(&ctx); SHA1Input(&ctx,dep1_norid,0x10); SHA1Input(&ctx,dep2_chipid,0x10); SHA1Result(&ctx); memcpy(A,(u8*)ctx.Message_Digest,0x14); }
NCK Key Generation
//ulc_mix_lock_unlock_key((u8*)A,(u8*)ctx.Message_Digest,dep1_norid,dep2_chipid,(u8*)B); void ulc_mix_lock_unlock_key(u8 *keyA, u8 *keyNCK,u8 *norid,u8 *chipid,u8 *keyB){ u8 out_iv[8]; tea_3_round_encipher(norid,keyNCK,keyA,keyB,out_iv); //norid, keyNCK, SP+4, SP+0x14, SP+0x34 tea_3_round_encipher(chipid,keyNCK,out_iv,keyB+8,out_iv); //chipid, keyNCK, SP+4, SP+0x14, SP+0x34 } // auxilary function for nck key generation void tea_3_round_encipher(u8 *in,u8 *key,u8 *iv,u8 *out,u8 *out_iv){ u32 tmpin[2],nexttea[2]; tea_encipher((u32*)in,tmpin,(u32*)key); nexttea[0] = tmpin[0]^((u32*)iv)[0]; nexttea[1] = tmpin[1]^((u32*)iv)[1]; tea_encipher(nexttea,(u32*)out,(u32*)key); nexttea[0] = tmpin[0]^((u32*)out)[0]; nexttea[1] = tmpin[1]^((u32*)out)[1]; tea_encipher(nexttea,(u32*)out_iv,(u32*)key); }
Hardware Thumbprint Generation
u8 salt[20] = { 0x03, 0x5E, 0x20, 0x03, 0xA9, 0x74, 0xFC, 0x57, 0xBB, 0x2D, 0x59, 0x28, 0xBF, 0x10, 0xAE, 0xB9, 0x00, 0x00, 0x00, 0x00 } ;
void getHardwareThumbPrint(u8 *hwTP){ SHA1Context ctx; SHA1Reset(&ctx); SHA1Input(&ctx,chipid,16); SHA1Input(&ctx,norid,16); SHA1Input(&ctx,imei,16); //nibble encoded SHA1Input(&ctx,salt,20); SHA1Result(&ctx); memcpy(hwTP,(u8*)ctx.Message_Digest,0x14); }
Wildcard Ticket Key Generation
void getHardwareThumbPrint(u8 *hwTP){ u8 hwTP[20]; getHardwareThumbPrint(&hwTP); SHA1Context ctx; SHA1Reset(&ctx); SHA1Input(&ctx,hwTP,20); SHA1Input(&ctx,salt,20); SHA1Result(&ctx); memcpy(hwTP,(u8*)ctx.Message_Digest,0x14); }
The generates the key which can be used to encrypt/decrypt the wildcard ticket - the chipID/norID are NOT required.