Difference between revisions of "Talk:X-Gold 608 Unlock"

From The iPhone Wiki

Latest revision as of 20:07, 11 January 2011

Getting some sensitive BB info ?

Q: How do I get (which AT command to use, maybe?) to sensitive baseband information (like battery consumption/RX/TX power)?

current 3G unlock status??

just citing:

Q: You can take 1.45.00 (or at least 1.43.00), patch it somewhere, flash this file and it's run? Yes or no?
A: No(t yet as easy as that, but be sure we're on it) :p Zf

So, that's very good news :) -caique2001-

To speak more technically... The X-Gold 608 has TPM features. So normally one would expect it only to run signed code. This in turn means it doesn't matter if the code is interchangeable, because only original Apple code can be run. The crucial hack needed is the hack to run unsigned code, say patched code (as Apple's private key to sign is not known, of course).

TPM doesn't come into play here. We're running unsigned code, and convincing s-gold3 bootrom we deserve a downgrade. It happily complies.

Wow! Even more good news :-) Where do we have to send the beer to :-) ?? If it does not go too much into detail, could you briefly explain what issue you are currently working on? The fact you have the possibility to run patched unsigned code, does it imply you are currently working on a patch that actually does the unlock? And does TPM come into play here or are there other issues to be solved? caique2001

I would assume that with unsigned code, you could patch the 3G equivalent of Simple Unlock. IIRC, geohot has already found the bits. We just need a way to patch them. About bypassing TPM... it would be interesting to see how this is done. Perhaps a malformed sig like with pwnage 2.0 and DFU mode? Guess we will just have to wait and see :P ChronicDev

opensource baseband?

Is it to make one? With 3G support? Or modify the 4.6 baseband to have 3G support?

4.6 is on a different platform, you cannot modify that for 3G.

get unlocked bootloader ??

As in countries like Belgium, the 3G is sold without any carrier lock (Belgian law).

Wouldn't it be possible to get the bootloader from such an iPhone and transfer it to any other device??

/harald

"Bootloader" has NOTHING to do with official unlock (or unlock). Official Unlock is IMHO done by IMEI and NCK. ~wEsTbAeR--

Find the theorized algorithm of NCK generation

Isn't this what the thousands of keygens for PC apps do? Why is it so much harder to do it for the iPhone? Is it because you would normally decompile the software that does the validation, and this is run on Apple servers and so is inaccessible? Sorry, just thinking out loud...

In software we can (after a good amount of work) see the routine that is used to verify the numbers you input. In the iPhone it's not that simple. We know the routine but we don't know what the iPhone starts with (or even if it's generated from the iPhone's serial or just a number in a database).

In software, you input your name and a serial number. The software gets your name, translates it to numbers and does some math like (FirstLetter)*(SecondLetter)/(ThirdLetter + FourthLetter).

So by knowing those rules, we run the same routine in a software and find out what the original software will expect when you input a name such as "funny". Then you use "funny" and 129837987239187 as serial and it works.

On the iPhone we don't know what the "name" is. We know your iPhone will do something like TEA(RSA(token+"name")) and will compare the response of that with what it has stored in it.

Some people believe the NCK (aka "name" in the above example) doesn't have any relation to the numbers on the phone, such as the serial, IMEI, etc. Some people believe Apple has a big table of numbers relating one NCK for each SERIAL but the NCK isn't formed from the serial.

I don't believe so... I think it's a number generated by the IMEI, serial and any other unique numbers. Either with all of them, or parts of each. I started coding a program that would do a different search than Geohot's NCKBruteForcer. He was trying all the combinations and would eventually find the correct answer for each iPhone, but it would take a million years with the computing power we have. I thought of it in a different way. I would assume that the NCK is made by a rule out of the combination of the following "items" [-, +, /, *, ^, Log, Ln, Log(2), exp, mod, imei, serial] and then code something to search for all the rules inside that space such as imei*serial/log(serial)+imei for instance. Another idea was that they could use only a couple digits of each, so something like this would be possible: (3 digits of imei)*(first digit of serial)^(4 last digits of imei) mod (2 last digits of serial) .. and so on. This would be a smaller search than Geohot's but would not work if Apple has a table with all the NCKs.

I was coding this for the 1.1.4 OOTB when Geohot found the exploit and unlocked it. So I gave up... but maybe it's time to look at it again. ~ Deco

I was wondering: Would that in the end be useful? Just theoretically, it would take less time to brute-force the actual 15 (?) digit NCK than to do a brute force via calculation examples, wouldn't it? ~BBsan

Unlock by changing model and serial number

Chinese grey-market importers are reportedly unlocking the iPhone 3G by changing the model and serial numbers stored in the phone to match the Hong Kong version. Can someone please test if this method works? --The preceding unsigned comment was added by Cynix (talk) 11:14, November 6, 2008 (UTC).

Bootrom dump

In the article: "The Dev-Team successfully dumped the bootrom, but they won't release it as it's copyrighted code." What does this mean? Copyrighted by Dev-Team??? If copyright by Apple is meant, then we should be able to get it from somewhere. Right? -- http 22:23, 14 April 2010 (UTC)

It's copyrighted by either Infineon or Apple. I've never seen any download link for it, so you'll probably have a tough time finding it. --Dialexio 22:57, 14 April 2010 (UTC)

NCK Bruteforcer?

Just curious as to why this is included on this page (and the X-Gold 618 unlock page as well) as it is stated on the NCK page: "Network Control Key. The 15-digit key required to "legitimately" unlock the iPhone 2G. Every other iPhone revision is unlocked with a WildcardTicket which permits every MNC/MCC/ICCID combination". Thought it was best not to remove it in case I'm missing something --Toddyt1 21:44, 8 January 2011 (UTC)