The iPhone Wiki - User contributions [en]

Talk:NCK Brute Force

2010-03-09T10:32:23Z

Zuezuo: /* RSA attack */

Is this method usable to permanently unlock the iPhone (like IPSF) aka upgrade resistant and not needing a software like signal.app (and being able to use SIM PIN Code)?
This would allowed to have the "official" unlock (except activation)?

== Time? ==

How long would it take to search the 15 digit one?

Geohots NCKBF program could do around 100,000 keys/second which would produce a hit in many years.

To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even if you use a PSP3 or special hardware (within 1,000 US$ range) you will only get an improvement of 20-100 times.. which doesn't help much. - Deco

----

Using a system like BOINC ( known for seti @ home) would not help to distribute the load ?

If Apple sold 10 Million devices, and lets say maybe 10k to 100k people participated,
we should be able to reduce that time from, lets say 200 years to a maximum of 2 weeks to 2 months.

Now we would just need someone to create a modified client, manage the calculated packages and provide the packages which would need to be calculated/crunched.

Just an idea.

Chris

And you'll end up with exactly ''one'' unlocked iPhone. Better off selling the machine hours. ~geohot

----

Is it not possible to brute force the key that apple uses and then use that to unlock all iPhones?

if we get say 1 million computers then how long would it theoretically take to generate one key? 1 million isn't that impossible given that 3 million iPhone 3Gs have been sold of most geeks have more than one computer. Assuming that on average everyone contributes 2 computers then we only need 500000 people to reach 1 million. subtract the speed of networking and the fact that some people will turn their computers off every so often and we should be able to generate 5 or 6 keys a day? this is kinda pathetic for just a proof of concept but just proving that we can generate code and can harness this much power would be a massive psychological blow to apple. also i would assume that we would need some main server to control all the computers which probably doesn't exist :P

blog.iphone-dev.org had 276,688 unique visitors on July 20th (PwnageTool release 2.0/2.0.1), so I would assume that number is the sort of participants we would get. I think 2 computers from each person is also optimistic, it would probably be less than 1 on average as most people won't run it 24/7.

== Mirror ==
Does anyone have a mirror for the Multithreaded NCK Brute Forcer I think the link is down.--[[User:Bob|Bob]] 14:49, 22 August 2008 (UTC)

Reply: done --[[User:Zuezuo|Zuezuo]] 10:32, 9 March 2010 (UTC)

== RSA attack ==

Some researches recently published this paper:
"Fault-Based Attack of RSA Authentication" - http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf

Could that be useful in this NCK attack?
--[[User:Zuezuo|Zuezuo]] 10:32, 9 March 2010 (UTC)

Talk:NCK Brute Force

2010-03-09T10:32:08Z

Zuezuo: /* Mirror */

Talk:NCK Brute Force

2010-03-09T10:31:50Z

Zuezuo: /* Mirror */

Is this method usable to permanently unlock the iPhone (like IPSF) aka upgrade resistant and not needing a software like signal.app (and being able to use SIM PIN Code)?
This would allowed to have the "official" unlock (except activation)?

== Time? ==

How long would it take to search the 15 digit one?

Geohots NCKBF program could do around 100,000 keys/second which would produce a hit in many years.

To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even if you use a PSP3 or special hardware (within 1,000 US$ range) you will only get an improvement of 20-100 times.. which doesn't help much. - Deco

----

Using a system like BOINC ( known for seti @ home) would not help to distribute the load ?

If Apple sold 10 Million devices, and lets say maybe 10k to 100k people participated,
we should be able to reduce that time from, lets say 200 years to a maximum of 2 weeks to 2 months.

Now we would just need someone to create a modified client, manage the calculated packages and provide the packages which would need to be calculated/crunched.

Just an idea.

Chris

And you'll end up with exactly ''one'' unlocked iPhone. Better off selling the machine hours. ~geohot

----

Is it not possible to brute force the key that apple uses and then use that to unlock all iPhones?

if we get say 1 million computers then how long would it theoretically take to generate one key? 1 million isn't that impossible given that 3 million iPhone 3Gs have been sold of most geeks have more than one computer. Assuming that on average everyone contributes 2 computers then we only need 500000 people to reach 1 million. subtract the speed of networking and the fact that some people will turn their computers off every so often and we should be able to generate 5 or 6 keys a day? this is kinda pathetic for just a proof of concept but just proving that we can generate code and can harness this much power would be a massive psychological blow to apple. also i would assume that we would need some main server to control all the computers which probably doesn't exist :P

blog.iphone-dev.org had 276,688 unique visitors on July 20th (PwnageTool release 2.0/2.0.1), so I would assume that number is the sort of participants we would get. I think 2 computers from each person is also optimistic, it would probably be less than 1 on average as most people won't run it 24/7.

== Mirror ==
Does anyone have a mirror for the Multithreaded NCK Brute Forcer I think the link is down.--[[User:Bob|Bob]] 14:49, 22 August 2008 (UTC)

Reply: done

== RSA attack ==

Some researches recently published this paper:
"Fault-Based Attack of RSA Authentication" - http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf

Could that be useful in this NCK attack?

Talk:NCK Brute Force

2010-03-09T10:30:25Z

Zuezuo: /* RSA attack */ new section

Is this method usable to permanently unlock the iPhone (like IPSF) aka upgrade resistant and not needing a software like signal.app (and being able to use SIM PIN Code)?
This would allowed to have the "official" unlock (except activation)?

== Time? ==

How long would it take to search the 15 digit one?

Geohots NCKBF program could do around 100,000 keys/second which would produce a hit in many years.

To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even if you use a PSP3 or special hardware (within 1,000 US$ range) you will only get an improvement of 20-100 times.. which doesn't help much. - Deco

----

Using a system like BOINC ( known for seti @ home) would not help to distribute the load ?

If Apple sold 10 Million devices, and lets say maybe 10k to 100k people participated,
we should be able to reduce that time from, lets say 200 years to a maximum of 2 weeks to 2 months.

Now we would just need someone to create a modified client, manage the calculated packages and provide the packages which would need to be calculated/crunched.

Just an idea.

Chris

And you'll end up with exactly ''one'' unlocked iPhone. Better off selling the machine hours. ~geohot

----

Is it not possible to brute force the key that apple uses and then use that to unlock all iPhones?

if we get say 1 million computers then how long would it theoretically take to generate one key? 1 million isn't that impossible given that 3 million iPhone 3Gs have been sold of most geeks have more than one computer. Assuming that on average everyone contributes 2 computers then we only need 500000 people to reach 1 million. subtract the speed of networking and the fact that some people will turn their computers off every so often and we should be able to generate 5 or 6 keys a day? this is kinda pathetic for just a proof of concept but just proving that we can generate code and can harness this much power would be a massive psychological blow to apple. also i would assume that we would need some main server to control all the computers which probably doesn't exist :P

blog.iphone-dev.org had 276,688 unique visitors on July 20th (PwnageTool release 2.0/2.0.1), so I would assume that number is the sort of participants we would get. I think 2 computers from each person is also optimistic, it would probably be less than 1 on average as most people won't run it 24/7.

== Mirror ==
Does anyone have a mirror for the Multithreaded NCK Brute Forcer I think the link is down.--[[User:Bob|Bob]] 14:49, 22 August 2008 (UTC)

== RSA attack ==

Some researches recently published this paper:
"Fault-Based Attack of RSA Authentication" - http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf

Could that be useful in this NCK attack?

NCK Brute Force

2010-03-09T10:28:06Z

Zuezuo: i've updated link to the nck brute forcer because previous one was dead

This is a theoretical exploit which involves brute forcing the NCK from the [[seczone]] the CHIPID and the NORID. So far no one has made public an instance of NCK discovery using this theortical approach.

==Credit==
gray, geohot

==Feasibility==
Given that [[NCK]]s are 15 digits long, the keyspace is log(10^15)/log(2)~=2^50 This would be searchable if all the cryptography used was symmetric. But the algo is TEA(RSA(token), NCK+CHIPID+NORID) [[http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm TEA]]. So that inside [http://en.wikipedia.org/wiki/RSA RSA] has to be done. A modern machine can search the 8 digit keyspace in about 5 minutes, which means we need a couple orders of magnitude speed increase to consider 15 digit.

==Implementation==
[http://www.filedropper.com/nckbf Multithreaded NCK Brute Forcer]

[[Category:Baseband]]
[[Category:Unlocking Methods]]