The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "NCK Brute Force"
(→Feasibility) |
(→Feasibility) |
||
(13 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
− | This is a theoretical exploit which involves brute forcing the NCK from the [[seczone]] the CHIPID and the NORID. So far no one has made public an instance of NCK discovery using this |
+ | This is a theoretical exploit which involves brute forcing the NCK from the [[seczone]] the CHIPID and the NORID. So far no one has made public an instance of NCK discovery using this theoretical approach. |
==Credit== |
==Credit== |
||
− | gray, geohot |
+ | [[gray]], [[User:Geohot|geohot]] |
==Feasibility== |
==Feasibility== |
||
− | Given that [[NCK]]s are 15 digits long, the keyspace is |
+ | Given that [[NCK]]s are 15 digits long, the keyspace is 10<sup>15</sup> (about 2<sup>50</sup>). This would be searchable if all the cryptography used was symmetric. But the algorithm is TEA(RSA(token),[[NCK]]+[[CHIPID]]+[[NORID]]) [[wikipedia:Tiny Encryption Algorithm|TEA]]. So that inside [[wikipedia:RSA|RSA]] has to be done. A modern machine can search the 8 digit keyspace in about 5 minutes, which means we need a couple orders of magnitude speed increase to consider 15 digit. |
==Implementation== |
==Implementation== |
||
− | [http:// |
+ | [http://george.insideiphone.com/index.php/2007/12/16/brute-force-on-nck-is-impossible/ Multithreaded NCK Brute Forcer] discussion and link to download. |
+ | |||
+ | [[Category:Baseband]] |
||
+ | [[Category:Unlocking Methods]] |
Latest revision as of 00:15, 6 May 2011
This is a theoretical exploit which involves brute forcing the NCK from the seczone the CHIPID and the NORID. So far no one has made public an instance of NCK discovery using this theoretical approach.
Credit
Feasibility
Given that NCKs are 15 digits long, the keyspace is 1015 (about 250). This would be searchable if all the cryptography used was symmetric. But the algorithm is TEA(RSA(token),NCK+CHIPID+NORID) TEA. So that inside RSA has to be done. A modern machine can search the 8 digit keyspace in about 5 minutes, which means we need a couple orders of magnitude speed increase to consider 15 digit.
Implementation
Multithreaded NCK Brute Forcer discussion and link to download.