Difference between revisions of "Unlock"

From The iPhone Wiki
(Proper Unlock)
Line 4: Line 4:
 
At +0x400 in the [[seczone]], a token is stored encrypted with the NCK.
 
At +0x400 in the [[seczone]], a token is stored encrypted with the NCK.
   
==Proper Unlock==
+
==Official Unlock==
 
Apple, knowing the [[NCK]], sends it using an [[activation token]] over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" It decrypts the token with the generated [[Baseband_TEA_Keys|key]]. If that decryption, after dersaing with Key 2, is a valid token for the phone, it is stored back to that flash with the token TEA, but not RSA decrypted. On startup, if the lockstate table says the phone is unlocked, it validates that RSA token.
 
Apple, knowing the [[NCK]], sends it using an [[activation token]] over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" It decrypts the token with the generated [[Baseband_TEA_Keys|key]]. If that decryption, after dersaing with Key 2, is a valid token for the phone, it is stored back to that flash with the token TEA, but not RSA decrypted. On startup, if the lockstate table says the phone is unlocked, it validates that RSA token.
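Review bot: the heading rename from ==Proper Unlock== to ==Official Unlock== leaves the body's own terminology out of step: the IPSF section still says "In a properly unlocked phone, lockdownd does this." Either change that phrase to "officially unlocked" or link it to the renamed section so the two terms are clearly the same thing.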
   

Revision as of 02:31, 31 July 2008

This is the process by which the iPhone baseband is modified to accept the SIM card of any GSM carrier. It is entirely different from a jailbreak. Unlocked iPhones may be relocked when the baseband firmware is updated.

Locking Process

At +0x400 in the seczone, a token is stored encrypted with the NCK.

Official Unlock

Apple, knowing the NCK, sends it using an activation token over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" command and decrypts the token with the generated key. If the result, after RSA-decrypting with Key 2, is a valid token for the phone, it is stored back to flash TEA-decrypted but still RSA-encrypted. On startup, if the lockstate table says the phone is unlocked, it validates that RSA token.

Old AnySim Patch

This patch disabled signature checks. So the RSA signature would always validate, and the phone would always appear to be unlocked and every NCK would appear to be valid. This caused problems if NCKs other than all 0's were used. The virginizer was written in response to the corruption this caused, because the baseband wouldn't run unless it was patched.

MNC Patch

This patch, which is also the new AnySim patch, doesn't technically unlock the phone. It makes every MCC/MNC appear valid. This patch is overwritten on a reflash of the baseband, and doesn't touch the seczone at all.

IPSF

This patch changed the lockstate table to read unlocked and created a spoofed RSA token that was valid. It deleted your previous token, which means the phone can't be unlocked properly anymore. Since the RSA validation routine is in the bootloader, this unlock survives a reflash of the baseband. Apple attempted to combat this by requiring CLCK to be sent on every startup. In a properly unlocked phone, lockdownd does this. In a late version IPSF phone, signal.app does this.