<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Yanson</id>
	<title>The iPhone Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Yanson"/>
	<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/wiki/Special:Contributions/Yanson"/>
	<updated>2026-06-09T06:28:52Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.31.14</generator>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=File:ITunesUnlock.png&amp;diff=4888</id>
		<title>File:ITunesUnlock.png</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=File:ITunesUnlock.png&amp;diff=4888"/>
		<updated>2009-09-23T20:46:51Z</updated>

		<summary type="html">&lt;p&gt;Yanson: uploaded a new version of &amp;quot;Image:ITunesUnlock.png&amp;quot;: iPhone unlocked in iTunes 9.0.1.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The screen shown in iTunes after activation of an iPhone bought in Hong Kong.&lt;/div&gt;</summary>
		<author><name>Yanson</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Unlock&amp;diff=2367</id>
		<title>Unlock</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Unlock&amp;diff=2367"/>
		<updated>2008-11-23T13:11:42Z</updated>

		<summary type="html">&lt;p&gt;Yanson: /* Official Unlock */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is the process by which the iPhone baseband is modified to accept the [[SIM]] card of any GSM carrier. This is entirely different than a [[Jailbreak]]. &lt;br /&gt;
&lt;br /&gt;
==Official Unlock==&lt;br /&gt;
[[Image:iTunesUnlock.png|thumb|Unlock in iTunes]]&lt;br /&gt;
At +0x400 in the [[seczone]], a token is stored encrypted with (NCK + NORID + HWID). Apple, knowing the [[NCK]], sends it using an [[activation token]] over iTunes. The phone receives an AT+CLCK=&amp;quot;PN&amp;quot;,0,&amp;quot;......NCK......&amp;quot; command. It decrypts the token with the generated [[Baseband_TEA_Keys|key]]. If that decryption, after deRSAing with Key 2, is a valid token for the phone, it is stored back to that flash with the token TEA, but not RSA decrypted. On startup, if the lockstate table says the phone is unlocked, it validates that RSA token.&lt;br /&gt;
&lt;br /&gt;
==Old AnySim Patch (1.0.X)==&lt;br /&gt;
This deprecated patch disabled signature checks. So the RSA signature would always validate, the phone would always appear to be unlocked, and every NCK would appear to be valid. This patch caused the locktables to be rewritten to the unlocked state, which resulted in a crypto failure once the patch was removed during a BB upgrade, causing the 0049 IMEI issue. The virginizer was written in response to this problem and allowed users to write locked, virgin locktables. This removed the crypto failure and allowed the application of the ignore MCC/MNC patch.&lt;br /&gt;
&lt;br /&gt;
==New AnySIM Patch (1.1+)==&lt;br /&gt;
This patch, also known as the ignore MCC/MNC patch, makes every MCC/MNC pair appear valid. This patch is overwritten on a reflash of the baseband and doesn't touch the seczone or the locktables at all. It must be reapplied after every baseband upgrade to maintain the unlock.&lt;br /&gt;
&lt;br /&gt;
==IPSF==&lt;br /&gt;
See [[IPSF]] for the main article. This exploit changed the lockstate table in the [[seczone]] to read unlocked and created a spoofed RSA token that was seen as valid by BL3.9 (BL4.6 was ''not'' vulnerable to IPSF). It overwrote your previous token, which means the phone could no longer be officially unlocked unless the token was restored from a previously made backup. Since the token isn't modified by a baseband flash, this unlock survived a baseband downgrade or upgrade. Apple attempted to combat this by requiring the AT+CLCK command to be sent on every startup. On officially unlocked iPhones, lockdownd does this. On a late-version IPSF phone, signal.app does this.&lt;br /&gt;
&lt;br /&gt;
== Cloning Officially Unlocked Phones ==&lt;br /&gt;
This has been suggested by many people, however it has been well investigated and virtually ruled out for these reasons:&lt;br /&gt;
# Replacing the [[Baseband Bootloader|baseband bootloader]] or [[Baseband Firmware|firmware]] of a locked phone with that of an officially unlocked phone does ''not'' unlock the phone, as the unlock information resides in a different flash area, known as the [[seczone]] and is unique to each phone.&lt;br /&gt;
# Cloning the [[seczone]] would duplicate [http://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity IMEIs] which would be illegal in most places and would likely result in a ban of these.&lt;br /&gt;
# Phones with cloned seczones would not even be unlocked by the NCKs of the phone they were cloned from, as the CHIPID and NORID are concatenated with the NCK to produce the decryption key used on the RSA [[seczone]] token. The only way to make this work would be to change the NORID and CHIPID, which is not possible at this time.&lt;/div&gt;</summary>
		<author><name>Yanson</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=File:ITunesUnlock.png&amp;diff=2366</id>
		<title>File:ITunesUnlock.png</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=File:ITunesUnlock.png&amp;diff=2366"/>
		<updated>2008-11-23T13:06:35Z</updated>

		<summary type="html">&lt;p&gt;Yanson: The screen shown in iTunes after activation of an iPhone bought in Hong Kong.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The screen shown in iTunes after activation of an iPhone bought in Hong Kong.&lt;/div&gt;</summary>
		<author><name>Yanson</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=PMB8878&amp;diff=2298</id>
		<title>PMB8878</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=PMB8878&amp;diff=2298"/>
		<updated>2008-10-20T14:44:59Z</updated>

		<summary type="html">&lt;p&gt;Yanson: /* Known Firmware Versions */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is the baseband processor used in the iPhone 3G. It is upgraded with [[BBUpdaterExtreme]]. It is also known as the [[PMB8878]]&lt;br /&gt;
&lt;br /&gt;
==Datasheet==&lt;br /&gt;
Anyone got one? Infineon provides [http://www.infineon.com/dgdl/X-GOLD608_XMM6080.pdf?location=Products.Mobile_Phone_Baseband_ICs.WCDMA___HSDPA.X-GOLD__608_-_PMB_8878.PRODUCT_TYPE_DOCUMENTS.X-GOLD608_XMM6080.pdf&amp;amp;folderId=db3a304312fcb1bc0113000c158f0004&amp;amp;fileId=db3a30431936bc4b011957c66fee3850 this], which isn't really useful.&lt;br /&gt;
&lt;br /&gt;
==Memory Map==&lt;br /&gt;
  FLASH      0x20000000 0x1000000&lt;br /&gt;
  CODE       0x20000000   0x40000 0b0010(bootstrapper)&lt;br /&gt;
  CODE       0x20040000  0xDC0000 0b0100(main firmware)&lt;br /&gt;
  FFS        0x20A00000  0x100000 0b1100(empty)&lt;br /&gt;
  DYNFFS     0x20A00000  0x100000 0b1100(empty)&lt;br /&gt;
  FFS        0x20B00000   0x40000 0b1011(empty)&lt;br /&gt;
  DYN_EEP    0x20E40000   0x80000 0b0110&lt;br /&gt;
  SECPACK    0x20EC0000   0x40000&lt;br /&gt;
  SECZONE    0x20F80000   0x40000&lt;br /&gt;
  STATIC_EEP 0x20FC0000   0x40000 0b0111&lt;br /&gt;
  RAM        0x40000000  0x800000&lt;br /&gt;
&lt;br /&gt;
== Known Firmware Versions ==&lt;br /&gt;
  [[1.43.00]]    2.0 (Build 5A331 - Internal Beta)&lt;br /&gt;
  [[1.45.00]]    2.0 (Build 5A347 - Gold Master)&lt;br /&gt;
  [[1.48.02]]    2.0.1(Build 5B108)&lt;br /&gt;
  [[2.04.03]]    2.1 (Build 5F90)&lt;br /&gt;
  [[2.08.01]]    2.0.2 (Build 5C1)&lt;br /&gt;
  [[2.11.07]]    2.1 (Build 5F136)&lt;br /&gt;
&lt;br /&gt;
==Accessing Interactive Mode==&lt;br /&gt;
Interactive mode isn't accessed by sending characters to the baseband. Instead, a GPIO pin is raised with a kernel call to preupdate reset.&lt;br /&gt;
 result = IOConnectCallScalarMethod(conn, 0, 0, 0, 0, 0);	//reset&lt;br /&gt;
 result = IOConnectCallScalarMethod(conn, 1, 0, 0, 0, 0);	//power set&lt;br /&gt;
 result = IOConnectCallScalarMethod(conn, 2, 0, 0, 0, 0);	//configuring mux&lt;br /&gt;
 result = IOConnectCallScalarMethod(conn, 7, 0, 0, 0, 0);	//powercycle&lt;br /&gt;
 result = IOConnectCallScalarMethod(conn, 8, 0, 0, 0, 0);	//preupdate reset&lt;/div&gt;</summary>
		<author><name>Yanson</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:X-Gold_608_Unlock&amp;diff=1974</id>
		<title>Talk:X-Gold 608 Unlock</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:X-Gold_608_Unlock&amp;diff=1974"/>
		<updated>2008-09-01T17:45:04Z</updated>

		<summary type="html">&lt;p&gt;Yanson: /* Find the theorized algorithm of NCK generation  */ new section&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== current 3G unlock status?? ==&lt;br /&gt;
&lt;br /&gt;
just citing:&lt;br /&gt;
&lt;br /&gt;
:'''Q:''' You can take 1.45.00 (or at least 1.43.00), patch it somewhere, flash this file and it's run? Yes or no?&lt;br /&gt;
&lt;br /&gt;
:'''A:''' No(t yet as easy as that, but be sure we're on it) :p Zf&lt;br /&gt;
&lt;br /&gt;
So, that's very good news :) -caique2001-&lt;br /&gt;
&lt;br /&gt;
To speak more technically... The X-Gold 608 has TPM features. So normally one would expect it only to run signed code. This in turn means it doesn't matter if the code is interchangeable, because only original Apple code can be run. The crucial hack needed is the hack to run ''unsigned'' code, say patched code (as Apple's private key to sign is not known, of course).&lt;br /&gt;
&lt;br /&gt;
TPM doesn't come into play here.   We're running unsigned code, and convincing s-gold3 bootrom we deserve a downgrade.  It happily complies.&lt;br /&gt;
&lt;br /&gt;
Wow! Even more good news :-) Where do we have to send the beer to :-) ?? If it should not go too much into detail, could you shortly explain what issue you are currently working on? The fact you have the possibility to run patched unsigned code, does it imply you are currently working on a patch that actually does the unlock? And does TPM come into play here or are there other issues to be solved? caique2001&lt;br /&gt;
&lt;br /&gt;
I would assume that with unsigned code, you could patch the 3G equivalent of Simple Unlock. IIRC, geohot has already found the bits; we just need a way to patch them. About bypassing TPM... it would be interesting to see how this is done. Perhaps a malformed sig like with pwnage 2.0 and DFU mode? Guess we will just have to wait and see :P [[User:ChronicDev|ChronicDev]]&lt;br /&gt;
&lt;br /&gt;
== opensource baseband? ==&lt;br /&gt;
Is to make one? With 3G support? Or modify the 4.6 baseband to have 3G support?&lt;br /&gt;
&lt;br /&gt;
4.6 is on a different platform; you cannot modify that for 3G.&lt;br /&gt;
&lt;br /&gt;
== get unlocked bootloader ?? ==&lt;br /&gt;
&lt;br /&gt;
As in countries like Belgium, the 3G is sold without any carrier lock (Belgian law).&lt;br /&gt;
&lt;br /&gt;
Wouldn't it be possible to get the bootloader from such an iPhone and transfer it to any other device??&lt;br /&gt;
&lt;br /&gt;
/harald&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Bootloader&amp;quot; has NOTHING to do with official unlock (or unlock). Official Unlock is IMHO done by IMEI and NCK.  ~wEsTbAeR--&lt;br /&gt;
&lt;br /&gt;
== Find the theorized algorithm of NCK generation  ==&lt;br /&gt;
&lt;br /&gt;
Isn't this what the thousands of keygens for PC apps do? Why is it so much harder to do it for the iPhone? Is it because you would normally decompile the software that does the validation, and this is run on apple servers and so is inaccessible? Sorry, just thinking out loud...&lt;/div&gt;</summary>
		<author><name>Yanson</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:NCK_Brute_Force&amp;diff=1846</id>
		<title>Talk:NCK Brute Force</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:NCK_Brute_Force&amp;diff=1846"/>
		<updated>2008-08-19T20:00:28Z</updated>

		<summary type="html">&lt;p&gt;Yanson: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Is this method usable to permanently unlock the iPhone (like IPSF), i.e. upgrade resistant and not needing software like signal.app (and being able to use the SIM PIN code)?&lt;br /&gt;
This would allow having the &amp;quot;official&amp;quot; unlock (except activation)?&lt;br /&gt;
&lt;br /&gt;
== Time? ==&lt;br /&gt;
&lt;br /&gt;
How long would it take to search the 15 digit one?&lt;br /&gt;
&lt;br /&gt;
Geohot's NCKBF program could do around 100,000 keys/second, which would produce a hit in many years.&lt;br /&gt;
&lt;br /&gt;
To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even if you use a PSP3 or special hardware (within 1,000 US$ range) you will only get an improvement of 20-100 times, which doesn't help much. - Deco&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Wouldn't using a system like BOINC (known for SETI@home) help to distribute the load?&lt;br /&gt;
&lt;br /&gt;
If Apple sold 10 million devices, and let's say maybe 10k to 100k people participated,&lt;br /&gt;
we should be able to reduce that time from, let's say, 200 years to a maximum of 2 weeks to 2 months.&lt;br /&gt;
&lt;br /&gt;
Now we would just need someone to create a modified client, manage the calculated packages and provide the packages that would need to be calculated/crunched.&lt;br /&gt;
&lt;br /&gt;
Just an idea.&lt;br /&gt;
&lt;br /&gt;
Chris&lt;br /&gt;
&lt;br /&gt;
And you'll end up with exactly ''one'' unlocked iPhone. Better off selling the machine hours. ~geohot&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Is it not possible to brute force the key that apple uses and then use that to unlock all iPhones?&lt;br /&gt;
&lt;br /&gt;
If we get, say, 1 million computers, then how long would it theoretically take to generate one key? 1 million isn't that impossible given that 3 million iPhone 3Gs have been sold and most geeks have more than one computer. Assuming that on average everyone contributes 2 computers, then we only need 500,000 people to reach 1 million. Subtract the speed of networking and the fact that some people will turn their computers off every so often, and we should be able to generate 5 or 6 keys a day? This is kinda pathetic for just a proof of concept, but just proving that we can generate code and can harness this much power would be a massive psychological blow to Apple. Also I would assume that we would need some main server to control all the computers, which probably doesn't exist :P&lt;br /&gt;
&lt;br /&gt;
blog.iphone-dev.org had 276,688 unique visitors on July 20th (PwnageTool release 2.0/2.0.1), so I would assume that number is the sort of participation we would get. I think 2 computers from each person is also optimistic; it would probably be less than 1 on average, as most people won't run it 24/7.&lt;/div&gt;</summary>
		<author><name>Yanson</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:NCK_Brute_Force&amp;diff=1841</id>
		<title>Talk:NCK Brute Force</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:NCK_Brute_Force&amp;diff=1841"/>
		<updated>2008-08-19T11:01:00Z</updated>

		<summary type="html">&lt;p&gt;Yanson: /* Time? */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Is this method usable to permanently unlock the iPhone (like IPSF), i.e. upgrade resistant and not needing software like signal.app (and being able to use the SIM PIN code)?&lt;br /&gt;
This would allow having the &amp;quot;official&amp;quot; unlock (except activation)?&lt;br /&gt;
&lt;br /&gt;
== Time? ==&lt;br /&gt;
&lt;br /&gt;
How long would it take to search the 15 digit one?&lt;br /&gt;
&lt;br /&gt;
Geohot's NCKBF program could do around 100,000 keys/second, which would produce a hit in many years.&lt;br /&gt;
&lt;br /&gt;
To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even if you use a PSP3 or special hardware (within 1,000 US$ range) you will only get an improvement of 20-100 times, which doesn't help much. - Deco&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Wouldn't using a system like BOINC (known for SETI@home) help to distribute the load?&lt;br /&gt;
&lt;br /&gt;
If Apple sold 10 million devices, and let's say maybe 10k to 100k people participated,&lt;br /&gt;
we should be able to reduce that time from, let's say, 200 years to a maximum of 2 weeks to 2 months.&lt;br /&gt;
&lt;br /&gt;
Now we would just need someone to create a modified client, manage the calculated packages and provide the packages that would need to be calculated/crunched.&lt;br /&gt;
&lt;br /&gt;
Just an idea.&lt;br /&gt;
&lt;br /&gt;
Chris&lt;br /&gt;
&lt;br /&gt;
And you'll end up with exactly ''one'' unlocked iPhone. Better off selling the machine hours. ~geohot&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Is it not possible to brute force the key that apple uses and then use it to unlock all iPhones?&lt;/div&gt;</summary>
		<author><name>Yanson</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:NCK_Brute_Force&amp;diff=1814</id>
		<title>Talk:NCK Brute Force</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:NCK_Brute_Force&amp;diff=1814"/>
		<updated>2008-08-17T11:11:10Z</updated>

		<summary type="html">&lt;p&gt;Yanson: /* Time? */ new section&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Is this method usable to permanently unlock the iPhone (like IPSF), i.e. upgrade resistant and not needing software like signal.app (and being able to use the SIM PIN code)?&lt;br /&gt;
This would allow having the &amp;quot;official&amp;quot; unlock (except activation)?&lt;br /&gt;
&lt;br /&gt;
== Time? ==&lt;br /&gt;
&lt;br /&gt;
How long would it take to search the 15 digit one?&lt;/div&gt;</summary>
		<author><name>Yanson</name></author>
		
	</entry>
</feed>