GSM-Forum: GSM Programming & Reverse Engineering

Post #1 (04-23-2011, 12:17) by shak360
BruteForce iPhone NCK


Is it possible to use a similar technique to the one used with SL3?

Can't we dump the baseband and decrypt it, as it may contain the NCK?

Flashing a modified baseband which allows the NCK to be read and leads to a permanent unlock?
Post #2 (04-23-2011, 12:26) by rkinfo_khan
Maybe or maybe not; in future, let's see.
Post #3 (04-23-2011, 13:39) by shak360
Yeah, it would be good if some teams from mobile boxes could give a hand.
Post #4 (04-23-2011, 15:11) by angel25dz
Quote:
Originally Posted by shak360
Is it possible to use a similar technique to the one used with SL3?

Can't we dump the baseband and decrypt it, as it may contain the NCK?

Flashing a modified baseband which allows the NCK to be read and leads to a permanent unlock?
Not so easy as you think; security in the iPhone is much stronger than SL3. There are many common things between SL3 and iPhone: RSA1024, SHA1, Unique Value, etc.

Take a look here: Dogbert's Blog: How to protect better: The Apple iPhone 2G

./br
Post #5 (04-23-2011, 15:23) by Boshko_Alfa
I think it is not possible, because iPhone security is server based :/
Maybe it will be possible in the near future to perm. unlock, but not via codes... I think with full dumping of perm. never-locked iPhones via JTAG and writing the security into locked ones...

and that is puritania
Post #6 (04-24-2011, 02:50)
Some comment from Fernando (DM3) would be really interesting...

Or Bph&Co...

BR

Haltec
Post #7 (04-24-2011, 03:27) by Gecko_UK
To even attempt to extract the NCK you need a baseband exploit to dump the seczone.

You can't just flash a modified baseband as it's sig-checked.

Even if you somehow, magically, managed to extract and bruteforce a valid NCK, Apple can issue a new wildcard ticket (via the iTunes server) and disable the unlock, unlike other handsets such as SL3 security (although AFAIK you can capture this using SAM's backup auth token feature, which users of unofficially purchased factory unlocks have recently been doing).

Read below, and see if you can find more info on this around; it's not a bruteforce but would, in theory, allow a semi-permanent unlock without additional software.

Quote:
Wildcard Ticket Unlock Guide
IF YOU PAID FOR THIS TYPE OF UNLOCK DEMAND A REFUND!!! THIS IS FREE TO THE MASSES!!!

This guide might become obsolete soon; I will try to implement this into a GUI so that it will become faster and less risky.
FOR THE SAKE OF SANITY, MY UNLOCK USES A MINOR EDIT; NONE OF THE EXPLOITS USED ARE NEW. YOU NEED TO BE JAILBROKEN. ALL THIS DOES IS CREATE A TEMPORARY TOKEN TO UNLOCK: NOT A TRUE NCK BRUTEFORCE UNLOCK, BUT STILL MORE ADVANCED THAN ULTRASN0W.
Jailbreak for READ/WRITE ACCESS
SecZone- patch lockdown.
Baseband- deactivate.
Direct to:
0x010-0x090 Public Key (RSA Key 3)
0x80 byte
0x0 Total length of the policy table in bytes
<Policy Item>
0x0-0x2 ID
0x2-0x4 type?
0x4-0xC IMSI mask

Activate Seczone lock down patch to allow IMSI Wildcard.plist EDIT
Go to: /var/root/Library/Lockdown/activation_records/wildcard_record.plist at this point the patch should allow you to find the IMSI Mask. You need to find these values.
YOU SHOULD SEE EITHER OF THE FIRST (2) VALUES [If you have the third value (aka the unlocked value) I have one question. Why the hell are you reading this guide?]
==>AT&T USA
IMSI Mask
310150?????????
310170?????????
310410?????????
311180?????????
310980?????????
==>T-Mobile Germany
IMSI Mask
26201??????????
26201??????????
26201??????????
All restrictions should be off at this point and the SecZone should have full read/write access via Modem. Copy and paste from plisteditor will work as long as the baseband is deactivated. So change the values to those of a factory unlocked iPhone. The NCK BruteForce method can attain the actual key to create a pseudo Factory Unlocked Device that can stay unlocked via updates; this edit method makes your iPhone think that it is unlocked via a fake sig-checked activation token (NOTE: RESTORES AND SYNC RESTORES WILL DEFAULT BACK TO THE ORIGINAL CARRIER SETTINGS! YOU WILL LOSE YOUR UNLOCK!)
At this point you change the values of the IMSI Mask to that of a Factory Unlocked Device.
==> Unlocked Device
IMSI Mask
???????????????

Reactivate Baseband. Signature token will activate phone via baseband and your phone will be unlocked

Last edited by Gecko_UK; 04-24-2011 at 03:35.
Post #8 (04-24-2011, 04:53) by s400py
That guide is obvious BS: modifying the lock table breaks the signature, so a tampered ticket will be discarded.
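An added example (not from any poster, and not Apple's implementation) illustrating this point and the item layout quoted in the guide above: a toy policy table with ID, type and IMSI-mask fields is signed over its SHA-1 digest with a throwaway RSA key, and verification fails as soon as one mask is edited to a wildcard. The byte layout, the 8-byte ASCII mask encoding and the use of unpadded textbook RSA are assumptions made for the demonstration.

```python
import hashlib
import struct

# Constructed toy layout following the item description quoted in the guide:
# a 2-byte total length, then <Policy Item> = ID (2) | type (2) | IMSI mask (8).
# Storing the mask as 8 ASCII bytes is an assumption made for this example.
POLICY_ITEM = struct.Struct(">HH8s")

# Throwaway RSA key built from two Mersenne primes (2^127-1 and 2^107-1); the real
# ticket-signing key is 1024-bit and held by Apple, so nothing here is that key.
_P, _Q, _E = (1 << 127) - 1, (1 << 107) - 1, 65537
PUBLIC_KEY = (_E, _P * _Q)
PRIVATE_KEY = (pow(_E, -1, (_P - 1) * (_Q - 1)), _P * _Q)

def build_policy_table(items):
    """Serialise (id, type, imsi_mask) tuples; '?' pads a mask to the 8-byte field."""
    body = b"".join(POLICY_ITEM.pack(i, t, m.ljust(8, b"?")[:8]) for i, t, m in items)
    return struct.pack(">H", len(body)) + body

def parse_policy_table(table):
    """Return the (id, type, imsi_mask) tuples stored in a serialised table."""
    length = struct.unpack(">H", table[:2])[0]
    return [POLICY_ITEM.unpack(table[2 + k:2 + k + POLICY_ITEM.size])
            for k in range(0, length, POLICY_ITEM.size)]

def sign_table(table, priv=PRIVATE_KEY):
    """Textbook RSA over the SHA-1 digest (no PKCS#1 padding: a simplification)."""
    d, n = priv
    h = int.from_bytes(hashlib.sha1(table).digest(), "big")
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify_table(table, sig, pub=PUBLIC_KEY):
    """True only if the signature matches the SHA-1 of exactly these table bytes."""
    e, n = pub
    h = int.from_bytes(hashlib.sha1(table).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h

def demo():
    """Sign a carrier-locked table, then edit one mask to a wildcard and re-verify."""
    locked = build_policy_table([(1, 0, b"310150"), (2, 0, b"310410")])
    sig = sign_table(locked)
    edited = build_policy_table([(1, 0, b"?"), (2, 0, b"310410")])
    # The verifier sees a digest that no longer matches what was signed.
    return verify_table(locked, sig), verify_table(edited, sig)

if __name__ == "__main__":
    print(demo())  # -> (True, False)
```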
Post #9 (04-24-2011, 06:37)
//no cannot
//yes can
Post #10 (04-24-2011, 08:16) by ::gsmcoder::
Simple theory: Apple can regenerate a new wildcard and block any NCK-based unlock due to the alt-lo algorithm.
Post #11 (04-24-2011, 09:24) by yousha
Quote:
Originally Posted by s400py
That guide is obvious BS: modifying the lock table breaks the signature, so a tampered ticket will be discarded.
Correct, and the biggest mystery is the iPhone 4 seczone dumper, which was not working previously, but MuscleNerd tweeted about it some time ago that he managed to get it working, and the idea behind it is:

dump seczone before factory unlock
dump seczone after factory unlock

then work for an offline BF flow, but there is no NCK (that unique code which we think of like SL3) at all in iPhone factory unlocking; it's just a legit wildcard.

Wildcard = When activating an iPhone, the ticket is pulled from Apple's server and stored on the device. It contains all the information about sim-/netlocks. Factory- and carrier-unlocked devices receive a wildcard ticket with policies that permit all SIM cards.

A similar argument I had on Twitter, where people were asking if I can preserve FactoryUnlock with the (SAM) thing and misinterpreted my tweets as SAM not working, but the actual thing is SAM is working for now; but if Apple relocks the device somehow, in that case it will not work, and the reason is the same (seczone not accessible).

iPhone factory unlock hits directly to seczone rewrite and saves the token to seczone via iTunes; then iTunes just verifies if the IMEI is allowed to get the NCK or not; if it gets it, that means it's factory unlocked and allows a wildcard with that IMEI.

And I have no doubt about that; in our forum we have that potential: Bph&Co, DM3, DEJAN, CINEK, ZULEA, SARAS, LASER, FLORIN and many others to name who can bring down the iPhone protection in days (just depends on interest).

wbr
Post #12 (04-24-2011, 19:12) by [Shadab_M]
Means if we can write our own signed tickets then it will unlock permanently without any restrictions?

Br,
Shadab Ahmad
Post #13 (04-25-2011, 04:47) by s400py
Seczone/NCK and wildcard ticket are two separate unlock mechanisms. For either, you need either a private RSA key for generating a valid certificate or a hash collision for not breaking it.
Dumping the seczone is trivial if the baseband is exploitable, e.g. custom code can be executed.
Post #14 (05-02-2011, 15:59) by shak360
Couldn't we use custom firmware or TinyUmbrella to spoof some of this, like the unlock token? Or maybe use custom firmware to flash the baseband to a lower version?
Post #15 (05-02-2011, 19:00) by Salami1_1
Quote:
Originally Posted by shadab_a4u
Means if we can write our own signed tickets then it will unlock permanently without any restrictions?

Br,
Shadab Ahmad
Yes, only it is done with a 1024-bit key..