Talk:WildcardTicket

From The iPhone Wiki
Revision as of 05:59, 18 May 2011 by Uminatsu (talk | contribs)

Theoretically, can't we just edit the .plist and make it into the factory unlocked IMSI mask? --The preceding unsigned comment was added by Leobruh (talk) 5:32, 19 August 2010 (UTC). Please consult this page for more info on how to sign pages, and how to fix this.

The activation plist is signed, so to do this you require a jailbreak anyway. --Lilstevie 09:45, 20 August 2010 (UTC)

I realize that, but wouldn't this result in a permanent unlock? Leobruh 07:37, 19 August 2010 (UTC)!

I'm guessing the ticket is handled by the baseband, which requires an exploit to get unsigned code running in the first place? Iemit737 07:41, 19 August 2010 (UTC)

The wildcard ticket is also signed - simple edits break the signature and the ticket gets rejected then. RTFM cryptography 101. dogbert 16:02, 19 August 2010 (UTC)

Kay, but unsigned code already runs when the phone is jailbroken and has access to the filesystem. Wouldn't editing the .plist be okay since the sig checks aren't needed? Again, this is all theoretical. I'm just wondering. Leobruh 18:33, 19 August 2010 (UTC)!

The baseband processor checks the signature, not the application processor. dogbert 18:36, 19 August 2010 (UTC)

Ahh, got ya! But would my theory work through an exploit such as AT+XAPP? Instead of a payload it just changes the .plist? Leobruh 00:15, 20 August 2010 (UTC)!

You would still require the valid NCK for it to process the unlock in that method; the current way the payloads work for exploits in the baseband processor is adequate. --Lilstevie 09:44, 20 August 2010 (UTC)

I thought NCK was only for the iPhone 2G? 0.o Leobruh 14:47, 21 August 2010 (UTC)!

NCK, or Network Code Key, is on any cellular device that gets locked to a carrier. --Lilstevie 14:52, 19 September 2010 (UTC)

Is there any ability to decode a WildcardTicket received from Apple to see the NCK or lockstate table? What about iPhones unlocked by request to the carrier? Are there some differences in the WildcardTicket? --Requilence 13:17, 20 March 2011 (UTC)

Decrypting is possible since the key is known. Changing the ticket is, however, not possible since it breaks the signatures. For carrier unlocked phones, Apple sends a new WildcardTicket without a lock table during sync. --Dogbert 16:43, 20 March 2011 (UTC)

Tell me this: if the signature is broken, what happens to the phone? DFU, recovery...? Leobruh 17:41, 20 March 2011 (UTC)!

The ticket is rejected and the baseband stays unactivated, i.e. locked. --Dogbert 22:20, 20 March 2011 (UTC)

Does Apple send it to the iPhone only on sync after activation? I tried SAM on an iPhone unlocked by request; it activates properly with the right IMSI and IMEI, but it seems like the WildcardTicket doesn't have a lock table and accepts any IMSI. How can I check this? --Requilence 19:52, 20 March 2011 (UTC)

Just decrypt the activation ticket and check the tables. All the information is given in the wiki, you just have to piece it together on your own. --Dogbert 22:20, 20 March 2011 (UTC)

How do you decrypt it? And wait, does Apple send it on sync or on activation? For instance, if I had a locked iPhone at activation, and called my carrier to get it unlocked, then synced it, would Apple issue a new WildcardTicket unlocking it without deactivating? Or tell me to restore and deactivate?

The decryption is implicitly described on various pages of this wiki (TEA in CBC with a pre-salted key). When your iPhone becomes unlocked, Apple will issue a new WildcardTicket during sync, so a restore is unnecessary. --Dogbert 19:51, 28 March 2011 (UTC)
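The reply above names the construction (TEA in CBC with a pre-salted key) without showing it. The following is an added example, not code from this wiki, from Apple or from any baseband, showing what a TEA-CBC decryptor looks like so that the "decrypt the ticket and check the tables" advice is concrete. Everything specific is an assumption: the key, salt, IV and ticket body are constructed here for the demonstration, little-endian word order is assumed, the "pre-salting" is modelled as SHA-1(salt || key) truncated to 16 bytes, and zero padding to the 8-byte block size is assumed; the real key, derivation and ticket layout are not given on this page.

```python
import hashlib

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # TEA round constant (golden ratio)
ROUNDS = 32          # standard TEA: 32 cycles of two Feistel half-rounds


def _tea_encrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Encrypt one 64-bit block given as two 32-bit words with a 4-word key."""
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1


def _tea_decrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Inverse of _tea_encrypt_block: same schedule run backwards."""
    total = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + total) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + total) ^ ((v1 >> 5) + k[1]))) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1


def derive_key(base_key: bytes, salt: bytes) -> tuple:
    """ASSUMPTION: 'pre-salted key' modelled as SHA-1(salt || key)[:16]
    split into four little-endian 32-bit words. The real derivation is not
    described on this page."""
    digest = hashlib.sha1(salt + base_key).digest()[:16]
    return tuple(int.from_bytes(digest[i:i + 4], "little") for i in range(0, 16, 4))


def _words(block: bytes) -> tuple:
    return int.from_bytes(block[:4], "little"), int.from_bytes(block[4:8], "little")


def _block(v0: int, v1: int) -> bytes:
    return v0.to_bytes(4, "little") + v1.to_bytes(4, "little")


def tea_cbc_encrypt(plaintext: bytes, key: tuple, iv: bytes) -> bytes:
    """CBC: C_i = E(P_i XOR C_{i-1}), C_0 = IV. Zero-pads to 8 bytes (assumed)."""
    if len(plaintext) % 8:
        plaintext = plaintext + b"\x00" * (8 - len(plaintext) % 8)
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), 8):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + 8], prev))
        prev = _block(*_tea_encrypt_block(*_words(mixed), key))
        out += prev
    return bytes(out)


def tea_cbc_decrypt(ciphertext: bytes, key: tuple, iv: bytes) -> bytes:
    """CBC: P_i = D(C_i) XOR C_{i-1}. Caller strips any padding."""
    if len(ciphertext) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), 8):
        cur = ciphertext[i:i + 8]
        plain = _block(*_tea_decrypt_block(*_words(cur), key))
        out += bytes(a ^ b for a, b in zip(plain, prev))
        prev = cur
    return bytes(out)


# Constructed demo inputs (not real values from any device or ticket).
DEMO_KEY = derive_key(b"constructed-base-key", b"constructed-salt")
DEMO_IV = bytes(range(8))
DEMO_TICKET = b"<dict><key>lock-table</key><string>constructed</string></dict>"


def demo() -> tuple:
    """Encrypt the constructed ticket, decrypt it again, return both."""
    ct = tea_cbc_encrypt(DEMO_TICKET, DEMO_KEY, DEMO_IV)
    pt = tea_cbc_decrypt(ct, DEMO_KEY, DEMO_IV).rstrip(b"\x00")
    return ct, pt


if __name__ == "__main__":
    ciphertext, recovered = demo()
    print(len(ciphertext), "ciphertext bytes; round trip ok:", recovered == DEMO_TICKET)
```

Decrypting with a wrong key or wrong IV produces garbage rather than an error, which is why checking the recovered tables for plausible structure (as the reply suggests) is the only confirmation you get from the decryption step itself.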

Not true. On Rogers I got my phone unlocked, and I had to restore to be able to use the unlock. --Grisolp 20:34, 8 April 2011 (UTC)

Has anyone analyzed the RSA signature verification code? Are they using a padding scheme like PKCS#1 v1.5 or 2.1? If they're just using SHA-1 and no padding it might be exploitable.
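Two points in this thread, that any edit to a signed ticket makes the baseband reject it, and the open question above about which padding the verifier uses, can be illustrated with one added example. This is not code from this wiki, from Apple or from a baseband; it is a minimal RSA signer and verifier using the EMSA-PKCS1-v1_5 encoding with SHA-1 from RFC 8017, written here to show what a padded verification check looks like and why a one-byte change to the ticket body fails it. Assumptions: the key is built from two Mersenne primes purely so the block needs no prime generation (a real key uses random primes of at least 2048 bits), and the ticket body is a constructed placeholder; which scheme Apple's verifier actually implements is not established on this page.

```python
import hashlib
import hmac

# Constructed demo key: Mersenne primes so no prime search is needed.
# ASSUMPTION for illustration only; not a key from any real device.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (81 here)

# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed stand-in for a ticket body; the real format is not shown here.
TICKET = b"<dict><key>lock-state</key><string>locked</string></dict>"


def emsa_pkcs1_v15(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5: 00 || 01 || FF..FF || 00 || DigestInfo || SHA-1(message)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    ps_len = K - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def sign(message: bytes) -> bytes:
    """Signer side: encode, then apply the private exponent."""
    em = int.from_bytes(emsa_pkcs1_v15(message), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify(message: bytes, signature: bytes) -> bool:
    """Verifier side (what the baseband does with the ticket it receives):
    recover the encoded block and compare the whole block, including the
    padding, against a fresh encoding of the message."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(message))


def demo() -> dict:
    """Sign the constructed ticket, then show that editing one word in the
    body, or corrupting one bit of the signature, makes verification fail."""
    sig = sign(TICKET)
    edited = TICKET.replace(b"<string>locked", b"<string>unlocked")
    corrupt = bytes([sig[-1] ^ 1]) + sig[1:] if False else sig[:-1] + bytes([sig[-1] ^ 1])
    return {
        "original_ok": verify(TICKET, sig),
        "edited_ok": verify(edited, sig),
        "corrupt_sig_ok": verify(TICKET, corrupt),
    }


if __name__ == "__main__":
    print(demo())  # {'original_ok': True, 'edited_ok': False, 'corrupt_sig_ok': False}
```

The comparison in `verify` covers the full encoded block, not just the 20 digest bytes at the end; that whole-block check is what a padded scheme adds over raw "SHA-1 and no padding" verification, which is the distinction the question above turns on. Apple's actual choice is not known from this page.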