Difference between revisions of "X-Gold 608 Unlock"

From The iPhone Wiki
Jump to: navigation, search
m (Updating)
(28 intermediate revisions by 13 users not shown)
Line 1: Line 1:
Until recenlty, the 3G software [[unlock]] was the biggest missing piece of the iPhone community. It proved more difficult than the previous unlocks due to the fact that the [[Baseband_Bootloader | baseband bootloader]] is signature checked by the bootrom. [[The dev team]] has successfully unlocked all baseband versions, by overriding carrier locks on-the-fly in RAM, therefore at boot the baseband bootrom can validate the bootloader, the bootloader can validate the baseband. The unlock, code-name [[yellowsn0w]], was released to the public on 01/01/09 for baseband 02.28.00 only. [http://blog.iphone-dev.org/post/67797811/dont-eat-yellowsn0w]
+
The 3G software [[unlock]] proved more difficult than the previous unlocks due to the fact that the [[Baseband Bootloader|baseband bootloader]] is signature checked by the bootrom. The [[iPhone Dev Team]] has successfully unlocked baseband firmwares by overriding carrier locks on-the-fly in RAM, therefore at boot the baseband bootrom can validate the bootloader, and the bootloader can validate the baseband.
  +
  +
==RAM Unlock History==
  +
On December 21, 2008, [[User:MuscleNerd|MuscleNerd]] demonstrated [[yellowsn0w]], the first unlock.[http://qik.com/video/729275] Originally, yellowsn0w was designed for basebands [[02.04.03]] and earlier, until [[User:Geohot|geohot]] shared the [[AT+stkprof Exploit]] with them. On January 27, 2009, Apple released iPhone OS 2.2.1, which contained baseband [[02.30.03]] and patched said exploit.
  +
  +
[[User:Oranav|Oranav]] discovered another exploit (the [[AT+XLOG Vulnerability]]), and shared it with the iPhone Dev Team for the next unlock. The iPhone Dev Team kept it under wraps to target firmware 3.0 and the [[N88AP|iPhone 3GS]]. The unlock, codenamed [[ultrasn0w]], was released to the public on 23 June 2009 for baseband [[04.26.08]] only. [http://blog.iphone-dev.org/post/128573459]
  +
  +
iPhone OS 3.1 contained a baseband [[05.11.07]], which patched the [[AT+XLOG Vulnerability]]. The [[AT+XEMN Heap Overflow]] was exploited in a new unlock named [[blacksn0w]], released by [[User:Geohot|geohot]] on 3 November 2009. A few months later, the vulnerability was patched in baseband [[05.12.01]].
  +
  +
When iOS 4.0 was publicly released, an updated release of [[ultrasn0w]] was released, using the [[AT+XAPP Vulnerability]] to unlock all basebands found in firmwares 3.0 through 4.0. Apple countered this with [[05.14.02|a baseband update]] in iOS 4.1.
   
 
==Possible Methods==
 
==Possible Methods==
 
===Class 1===
 
===Class 1===
* Find an exploit in the [[Baseband Bootrom|bootrom]] to break the chain of trust. A method has not yet been found to dump the bootrom, so that would obviously be needed before this becomes an option.
+
* Find an exploit in the [[Baseband Bootrom|bootrom]] to break the chain of trust. The [[iPhone Dev Team|Dev-Team]] successfully dumped the [[Baseband Bootrom|bootrom]], but they won't release it as it's copyrighted code.
* Improve by several orders of magnitude the [[NCK Brute Force|NCK brute forcer]], and find a way to extract the CHIPID and NORID
+
* Improve by several orders of magnitude the [[NCK Brute Force|NCK brute forcer]], and find a way to extract the [[CHIPID]] and [[NORID]]
* Find the theorized algorithm of NCK generation
+
* Find the theorized algorithm of [[NCK]] generation
  +
* Factorize the [[Baseband_RSA_Keys|RSA keys]] used for signing
  +
* Find a [[wikipedia:Preimage_attack|second preimage]] for a signature
   
 
===Class 2===
 
===Class 2===
* Use a [[SIM hacks|SIM hack]] such as the [[Unlock iphone-3G with TurboSim|TurboSIM Unlock]]
+
* Use a [[SIM hacks|SIM hack]] such as the [[:Tutorial:Unlock iPhone 3G with TurboSim|TurboSIM Unlock]]
* Find a way to patch running memory to "unlock" the phone on every bootup. This is how [[yellowsn0w]] works.
+
* Find a way to patch running memory to "unlock" the phone on every bootup. This is how [[ultrasn0w]] works.
  +
* Find an exploit in the [[Baseband Bootloader]] so you can downgrade the baseband, then use ultrasn0w. [[User:Geohot|Geohot]] and the [[iPhone Dev Team]] found (independently) an exploit in bootloader 5.8, but it isn't useful enough as only very-early (week<30) iPhone 3G units have bootloader 5.8.
   
 
==Resources==
 
==Resources==
 
* Read about the [[X-Gold 608]]
 
* Read about the [[X-Gold 608]]
* Read geohot's [http://iphonejtag.blogspot.com/2008/07/infineon-we-have-problem.html blog post]
+
* Read geohot's <s>[http://iphonejtag.blogspot.com/2008/07/infineon-we-have-problem.html blog post]</s> Currently hidden, only viewable by invite only.
  +
* Read dogbert's [http://dogber1.blogspot.com/2010/06/how-to-protect-better-apple-iphone.html blog post]
* 25C3 presentation [http://events.ccc.de/congress/2008/Fahrplan/events/2976.en.html "Hacking the iPhone"] video [http://vimeo.com/2646755?pg=embed&sec=2646755 here]
 
  +
* [[25C3 presentation "Hacking the iPhone"]]
  +
  +
[[Category:Baseband]]

Revision as of 08:30, 13 October 2015

The 3G software unlock proved more difficult than the previous unlocks due to the fact that the baseband bootloader is signature checked by the bootrom. The iPhone Dev Team has successfully unlocked baseband firmwares by overriding carrier locks on-the-fly in RAM, therefore at boot the baseband bootrom can validate the bootloader, and the bootloader can validate the baseband.

RAM Unlock History

On December 21, 2008, MuscleNerd demonstrated yellowsn0w, the first unlock.[1] Originally, yellowsn0w was designed for basebands 02.04.03 and earlier, until geohot shared the AT+stkprof Exploit with them. On January 27, 2009, Apple released iPhone OS 2.2.1, which contained baseband 02.30.03 and patched said exploit.

Oranav discovered another exploit (the AT+XLOG Vulnerability), and shared it with the iPhone Dev Team for the next unlock. The iPhone Dev Team kept it under wraps to target firmware 3.0 and the iPhone 3GS. The unlock, codenamed ultrasn0w, was released to the public on 23 June 2009 for baseband 04.26.08 only. [2]

iPhone OS 3.1 contained a baseband 05.11.07, which patched the AT+XLOG Vulnerability. The AT+XEMN Heap Overflow was exploited in a new unlock named blacksn0w, released by geohot on 3 November 2009. A few months later, the vulnerability was patched in baseband 05.12.01.

When iOS 4.0 was publicly released, an updated release of ultrasn0w was released, using the AT+XAPP Vulnerability to unlock all basebands found in firmwares 3.0 through 4.0. Apple countered this with a baseband update in iOS 4.1.

Possible Methods

Class 1

  • Find an exploit in the bootrom to break the chain of trust. The Dev-Team successfully dumped the bootrom, but they won't release it as it's copyrighted code.
  • Improve by several orders of magnitude the NCK brute forcer, and find a way to extract the CHIPID and NORID
  • Find the theorized algorithm of NCK generation
  • Factorize the RSA keys used for signing
  • Find a second preimage for a signature

Class 2

  • Use a SIM hack such as the TurboSIM Unlock
  • Find a way to patch running memory to "unlock" the phone on every bootup. This is how ultrasn0w works.
  • Find an exploit in the Baseband Bootloader so you can downgrade the baseband, then use ultrasn0w. Geohot and the iPhone Dev Team found (independently) an exploit in bootloader 5.8, but it isn't useful enough as only very-early (week<30) iPhone 3G units have bootloader 5.8.

Resources