Difference between revisions of "Unlock"

From The iPhone Wiki

Revision as of 10:29, 23 October 2010

This is the process by which the iPhone baseband is modified to accept the SIM card of any GSM carrier. This is entirely different from a jailbreak, though a jailbreak is required for the current unlocks to take effect.

Official Unlock

(Image: Unlock in iTunes)

At +0x400 in the seczone, a token is stored encrypted with a key derived from (NCK + NORID + HWID). Apple, knowing the NCK, sends it using an activation token over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" command and decrypts the token with the generated key. If the result, after RSA decryption with Key 2, is a valid token for the phone, it is stored back to that flash area TEA-decrypted but still RSA-encrypted. On startup, if the lockstate table says the phone is unlocked, the phone validates that RSA token.

Hardware Unlock

How to unlock your phone: http://www.iphone-hacks.com/downloads/iphoneunlock.pdf

Old AnySim Patch (1.0.X)

This deprecated patch disabled signature checks, so the RSA signature would always validate, the phone would always appear to be unlocked, and every NCK would appear to be valid. The patch caused the locktables to be rewritten to the unlocked state, which resulted in a crypto failure once the patch was removed during a baseband upgrade, causing the 0049 IMEI issue. The virginizer was written in response to this problem and allowed users to write locked, virgin locktables. This removed the crypto failure and allowed the application of the ignore MCC/MNC patch.

New AnySIM Patch (1.1+)

This patch, also known as the ignore MCC/MNC patch, makes every MCC/MNC pair appear valid. It is overwritten on a reflash of the baseband and doesn't touch the seczone or the locktables at all, so it must be reapplied after every baseband upgrade to maintain the unlock.

IPSF

See IPSF for the main article. This exploit changed the lockstate table in the seczone to read unlocked and created a spoofed RSA token that was seen as valid by BL3.9 (BL4.6 was not vulnerable to IPSF). It overwrote the previous token, which means the phone could no longer be officially unlocked unless the token was restored from a previously made backup. Since the token isn't modified by a baseband flash, this unlock survived a baseband downgrade or upgrade. Apple attempted to combat this by requiring the AT+CLCK command to be sent on every startup. On officially unlocked iPhones, lockdownd does this; on late-version IPSF phones, signal.app does this.

Cloning Officially Unlocked Phones

This has been suggested by many people; however, it has been well investigated and virtually ruled out for these reasons:

  1. Replacing the baseband bootloader or firmware of a locked phone with that of an officially unlocked phone does not unlock the phone, as the unlock information resides in a different flash area, known as the seczone, which is unique to each phone.
  2. Cloning the seczone would duplicate IMEIs, which would be illegal in most places and would likely result in a ban of those IMEIs.
  3. Phones with cloned seczones would not even be unlocked by the NCKs of the phone they were cloned from, as the CHIPID and NORID are concatenated with the NCK to produce the decryption key used on the RSA seczone token. The only way to make this work would be to change the NORID and CHIPID, which is not possible at this time.
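The official-unlock token check described under Official Unlock and the cloning argument in point 3, as an added model that is not the wiki's or the baseband's own code: SHA-256 stands in for the Baseband TEA key generation, a hash keystream for TEA, and an HMAC under a constructed "Key 2" for the RSA step, because the Python standard library has neither TEA nor RSA. It assumes the HWID of the token paragraph is the CHIPID of point 3, and shows that the stored token only validates when the NCK, NORID and HWID all belong to the phone that holds it.

```python
import hashlib
import hmac

KEY2 = b"constructed-key-2"  # stand-in for RSA "Key 2" (assumption, constructed)

def tea_key(nck: bytes, norid: bytes, hwid: bytes) -> bytes:
    """Page: the TEA key is generated from (NCK + NORID + HWID); SHA-256 stands in."""
    return hashlib.sha256(nck + norid + hwid).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Hash keystream XOR standing in for TEA (symmetric: encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def make_seczone_token(phone: dict, nck: bytes) -> bytes:
    """Token as stored at seczone+0x400: bound to one phone, signed (HMAC stands in
    for RSA Key 2), then TEA-encrypted under the key derived from that phone's NCK."""
    payload = b"UNLOCK" + phone["imei"]
    signed = payload + hmac.new(KEY2, payload, "sha256").digest()
    return xor_stream(tea_key(nck, phone["norid"], phone["hwid"]), signed)

def check_unlock(phone: dict, blob: bytes, nck: bytes) -> bool:
    """Baseband side of AT+CLCK="PN",0,"<NCK>": derive the key from the received NCK
    plus this phone's own NORID/HWID, decrypt, verify the signature, then confirm
    the token is this phone's."""
    signed = xor_stream(tea_key(nck, phone["norid"], phone["hwid"]), blob)
    payload, tag = signed[:-32], signed[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY2, payload, "sha256").digest()):
        return False  # wrong NCK or wrong phone: decryption is garbage, signature fails
    return payload == b"UNLOCK" + phone["imei"]

# Constructed identities for two phones; every value here is made up.
PHONE_A = {"norid": b"norid-A", "hwid": b"hwid-A", "imei": b"imei-A"}
PHONE_B = {"norid": b"norid-B", "hwid": b"hwid-B", "imei": b"imei-B"}
NCK_A = b"01234567890123"  # constructed NCK Apple would know for phone A

def outcomes() -> dict:
    """Phone A's own NCK unlocks it; a wrong NCK fails; phone B holding a cloned copy
    of phone A's seczone token, even with phone A's NCK, fails (point 3 above)."""
    token_a = make_seczone_token(PHONE_A, NCK_A)
    return {
        "a_with_own_nck": check_unlock(PHONE_A, token_a, NCK_A),
        "a_with_wrong_nck": check_unlock(PHONE_A, token_a, b"00000000000000"),
        "b_with_cloned_seczone": check_unlock(PHONE_B, token_a, NCK_A),
    }
```

The third outcome is the cloning case: phone B derives its key from phone A's NCK plus its own NORID/HWID, so the copied token never decrypts to a valid, signed token for phone B.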