<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Jmh9072</id>
	<title>The iPhone Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Jmh9072"/>
	<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/wiki/Special:Contributions/Jmh9072"/>
	<updated>2026-06-09T06:49:45Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.31.14</generator>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:NCK_Brute_Force&amp;diff=15852</id>
		<title>Talk:NCK Brute Force</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:NCK_Brute_Force&amp;diff=15852"/>
		<updated>2011-02-05T04:52:50Z</updated>

		<summary type="html">&lt;p&gt;Jmh9072: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Permanent unlock? ==&lt;br /&gt;
Is this method usable to permanently unlock the iPhone (like IPSF) aka upgrade resistant and not needing a software like signal.app (and being able to use SIM PIN Code)?&lt;br /&gt;
This would allow us to have the &amp;quot;official&amp;quot; unlock (except activation)?&lt;br /&gt;
&lt;br /&gt;
== Time calculations ==&lt;br /&gt;
&lt;br /&gt;
How long would it take to search the 15 digit one?&lt;br /&gt;
&lt;br /&gt;
Geohot's NCKBF program could do around 100,000 keys/second, which would produce a hit in many years, or complete a search in 317 years.&lt;br /&gt;
&lt;br /&gt;
To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even if you use a PSP3 or special hardware (within 1,000 US$ range) you will only get an improvement of 20-100 times, which doesn't help much. - Deco&lt;br /&gt;
&lt;br /&gt;
I assume in the article there's something wrong regarding time calculation. It states that for 8 bit you need 5 mins and we have 15 bit. That would mean 128 fold more or only 11 hours with a PC two years old. That must be wrong. -- [[User:Http|http]] 08:26, 24 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
It's clear now. We are talking about decimal digits, not bits! So it takes 10&amp;lt;sup&amp;gt;(15-8)&amp;lt;/sup&amp;gt; times longer, or about 95 years. -- [[User:Http|http]] 21:53, 5 August 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Cloud project ==&lt;br /&gt;
&lt;br /&gt;
Would using a system like BOINC (known for SETI@home) not help to distribute the load?&lt;br /&gt;
&lt;br /&gt;
If Apple sold 10 Million devices, and let's say maybe 10k to 100k people participated, &lt;br /&gt;
we should be able to reduce that time from, let's say, 200 years to a maximum of 2 weeks to 2 months.&lt;br /&gt;
&lt;br /&gt;
Now we would just need someone to create a modified client, manage the calculated packages and provide the packages which would need to be calculated/crunched.&lt;br /&gt;
&lt;br /&gt;
Just an idea.&lt;br /&gt;
&lt;br /&gt;
Chris&lt;br /&gt;
&lt;br /&gt;
And you'll end up with exactly ''one'' unlocked iPhone. Better off selling the machine hours. ~geohot&lt;br /&gt;
&lt;br /&gt;
But with such a project you could compare the results of every calculation not only with one iPhone, but with a list of all iPhones that have registered in the project. That's the advantage of brute force attack. So it would still be possible I think - assuming we could create such a network. But legal problems could also arise. -- [[User:Http|http]] 08:33, 24 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Brute force master key ==&lt;br /&gt;
&lt;br /&gt;
Is it not possible to brute force the key that Apple uses and then use that to unlock all iPhones?&lt;br /&gt;
&lt;br /&gt;
If we get, say, 1 million computers, then how long would it theoretically take to generate one key? 1 million isn't that impossible given that 3 million iPhone 3Gs have been sold of most geeks have more than one computer. Assuming that on average everyone contributes 2 computers, then we only need 500000 people to reach 1 million. Subtract the speed of networking and the fact that some people will turn their computers off every so often, and we should be able to generate 5 or 6 keys a day? This is kinda pathetic for just a proof of concept, but just proving that we can generate code and can harness this much power would be a massive psychological blow to Apple. Also, I would assume that we would need some main server to control all the computers, which probably doesn't exist :P&lt;br /&gt;
&lt;br /&gt;
blog.iphone-dev.org had 276,688 unique visitors on July 20th (PwnageTool release 2.0/2.0.1), so I would assume that number is the sort of participants we would get. I think 2 computers from each person is also optimistic, it would probably be less than 1 on average as most people won't run it 24/7.&lt;br /&gt;
&lt;br /&gt;
== Mirror ==&lt;br /&gt;
Does anyone have a mirror for the Multithreaded NCK Brute Forcer? I think the link is down.--[[User:Bob|Bob]] 14:49, 22 August 2008 (UTC)&lt;br /&gt;
&lt;br /&gt;
Reply: done --[[User:Zuezuo|Zuezuo]] 10:32, 9 March 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
The link doesn't appear to be active anymore. I have an interest in this code, and maybe porting it to some faster machines. Does it still exist, or did someone erase it/stop hosting it? ---[[User:Unrstuart|Unrstuart]] 15:10, 24 July 2010 (PDT)&lt;br /&gt;
&lt;br /&gt;
I have updated the page with a valid link to a blog discussing geohot's Multithreaded NCK Brute Forcer. This page contains a link to the source code and a Windows binary. --[[User:Jmh9072|Jmh9072]] Feb 4, 2011, 23:52 (EST)&lt;br /&gt;
&lt;br /&gt;
== RSA attack ==&lt;br /&gt;
&lt;br /&gt;
Some researchers recently published this paper:&lt;br /&gt;
&amp;quot;Fault-Based Attack of RSA Authentication&amp;quot; - http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf&lt;br /&gt;
&lt;br /&gt;
Could that be useful in this NCK attack?&lt;br /&gt;
--[[User:Zuezuo|Zuezuo]] 10:32, 9 March 2010 (UTC)&lt;/div&gt;</summary>
		<author><name>Jmh9072</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=NCK_Brute_Force&amp;diff=15851</id>
		<title>NCK Brute Force</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=NCK_Brute_Force&amp;diff=15851"/>
		<updated>2011-02-05T04:50:08Z</updated>

		<summary type="html">&lt;p&gt;Jmh9072: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is a theoretical exploit which involves brute forcing the NCK from the [[seczone]], the CHIPID and the NORID. So far no one has made public an instance of NCK discovery using this theoretical approach.&lt;br /&gt;
&lt;br /&gt;
==Credit==&lt;br /&gt;
[[gray]], [[User:Geohot|geohot]]&lt;br /&gt;
&lt;br /&gt;
==Feasibility==&lt;br /&gt;
Given that [[NCK]]s are 15 digits long, the keyspace is 10&amp;lt;sup&amp;gt;15&amp;lt;/sup&amp;gt; (about 2&amp;lt;sup&amp;gt;50&amp;lt;/sup&amp;gt;). This would be searchable if all the cryptography used were symmetric. But the algorithm is TEA(RSA(token), [[NCK]]+[[CHIPID]]+[[NORID]]), with [[wikipedia:Tiny Encryption Algorithm|TEA]] on the outside, so the inner [[wikipedia:RSA|RSA]] operation has to be done as well. A modern machine can search the 8-digit keyspace in about 5 minutes, which means we need a couple of orders of magnitude of speed increase to consider the 15-digit keyspace.&lt;br /&gt;
&lt;br /&gt;
==Implementation==&lt;br /&gt;
[http://george.insideiphone.com/index.php/2007/12/16/brute-force-on-nck-is-impossible/ Multithreaded NCK Brute Forcer] discussion and link to download.&lt;br /&gt;
&lt;br /&gt;
[[Category:Baseband]]&lt;br /&gt;
[[Category:Unlocking Methods]]&lt;/div&gt;</summary>
		<author><name>Jmh9072</name></author>
		
	</entry>
</feed>