GSM-Forum

GSM-Forum (https://forum.gsmhosting.com/vbb/)
-   GSM Programming & Reverse Engineering (https://forum.gsmhosting.com/vbb/f83/)
-   -   How SL3 Unlock Codes are Calculated? (https://forum.gsmhosting.com/vbb/f83/how-sl3-unlock-codes-calculated-1079689/)

[Shadab_M] 08-24-2010 15:56

How SL3 Unlock Codes are Calculated?
 
Hi!

I am just curious to know how SL3 Unlock Code calculation works.

As in some boxes there is option to submit request by imei only.

So the question is:
> What data is needed to calculate unlock code?
> Why unlock code calculation takes too much time?

In short, if somebody can tell us the procedure involved in code calculation.

Br,
Shadab Ahmad

malikawan 08-24-2010 17:53

As far as I know the code is calculated by brute force, which is why they need so much time.

aniskhatri 08-24-2010 18:51

I think some special algorithm is hidden in every RAP ID and IMEI... that's what the time taken depends on.

fr3nsis 08-24-2010 19:16

Brute force SHA-1 of Truncated 15 digit-code + RND + IMEI until getting
a match from the decrypted hash entries in PM 120.

original post of x-shadow
http://forum.gsmhosting.com/vbb/f609...0/#post6159636

Haltec 08-24-2010 19:23

Quote:

Originally Posted by fr3nsis (Post 6249803)
Brute force SHA-1 of Truncated 15 digit-code + RND + IMEI until getting
a match from the decrypted hash entries in PM 120.

original post of x-shadow
http://forum.gsmhosting.com/vbb/f609...0/#post6159636



I forgot that post was in the sub-forum where it should be.

(Spent the last 20 minutes looking for it.)

BR

Haltec

Haltec 08-24-2010 20:34

And what does truncated mean in this context?

Is it "Delphi" Trunc?

As in discarding everything behind the floating point, or...?

(ah, that was Turbo Pascal a long time ago)

Why RND? (not Random..., I presume?)

BR

Haltec

angel25dz 08-24-2010 21:34

Can someone explain more about this "Truncated 15 digit-code + RND"?

By truncate do you mean this?

http://folders.pictures-upload.com/2...46gyshk9b7.png

dualtrace 08-24-2010 22:41

And this is what BPH had posted about the RND value:


Quote:

The keyspace is so large because Nokia have decided to use a random number
in the calculation. This number is in the range of 0 - 1000 in the current SL3
implementation.

The phone has no clue about this number; when you enter a valid code into the
phone, the HW will try to brute-force this RND value and check if the entered code is
valid for any of the possible RND values.

Well, of course this is my interpretation of the security; like many times before
I could be wrong in my analysis, so any of the 'great teams' that offer 'first
in the world solutions' for Nokia right now can prove me wrong and offer
unlock in seconds.


Br,

dualtrace
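The search that fr3nsis describes (SHA-1 over code + RND + IMEI, compared against the hash entries in PM 120) and the phone-side RND brute force that BPH describes, as an added toy example in Python. It is not code from the thread or from any unlock tool. The concatenation order, the ASCII encoding, RND as a decimal string and the meaning of "truncated" are all assumptions, since the thread does not give them; the IMEI, code and RND are constructed values, and the code is cut to two digits so the search finishes in seconds. `keyspace()` gives the count for the full-size parameters quoted in the thread (15 digits, RND 0-1000).

```python
import hashlib
from itertools import product

# "0 - 1000" is the RND range quoted from BPH in the thread.
RND_RANGE = range(0, 1001)

# Constructed demo values, not a real handset.
DEMO_IMEI = "123456789012345"
DEMO_CODE = "73"      # 2 digits instead of 15 so the search finishes in seconds
DEMO_RND = 417


def candidate_hash(code: str, rnd: int, imei: str) -> bytes:
    """SHA-1 over code || RND || IMEI.

    ASSUMPTION: plain ASCII concatenation with RND as a decimal string. The
    thread gives neither the real encoding nor what "truncated" means.
    """
    return hashlib.sha1((code + str(rnd) + imei).encode("ascii")).digest()


def make_stored_entries(code: str, rnd: int, imei: str) -> set[bytes]:
    """What the factory would store (the 'decrypted hash entries in PM 120')."""
    return {candidate_hash(code, rnd, imei)}


def phone_accepts(entered: str, imei: str, stored: set[bytes]) -> bool:
    """Phone side, as BPH describes it: the phone does not know RND, so it
    tries every RND for the entered code and accepts on any match. That is
    at most len(RND_RANGE) hashes per attempt, which is cheap."""
    return any(candidate_hash(entered, r, imei) in stored for r in RND_RANGE)


def brute_force(imei: str, stored: set[bytes], code_digits: int):
    """Calculator side: enumerate every code of code_digits digits and every
    RND until one hash matches a stored entry.
    Returns (code, rnd, hashes_tried) or None."""
    tried = 0
    for digits in product("0123456789", repeat=code_digits):
        code = "".join(digits)
        for r in RND_RANGE:
            tried += 1
            if candidate_hash(code, r, imei) in stored:
                return code, r, tried
    return None


def keyspace(code_digits: int = 15, rnd_values: int = len(RND_RANGE)) -> int:
    """SHA-1 evaluations a full search needs: every code times every RND."""
    return 10 ** code_digits * rnd_values


def demo():
    """Build one stored entry, check the phone-side test, then recover the code."""
    stored = make_stored_entries(DEMO_CODE, DEMO_RND, DEMO_IMEI)
    assert not phone_accepts("00", DEMO_IMEI, stored)   # wrong code rejected
    assert phone_accepts(DEMO_CODE, DEMO_IMEI, stored)  # right code accepted without knowing RND
    return brute_force(DEMO_IMEI, stored, len(DEMO_CODE))


if __name__ == "__main__":
    code, rnd, tried = demo()
    print(f"recovered code={code} rnd={rnd} after {tried} hashes")
    print(f"full-size search: {keyspace():.3e} hashes vs {len(RND_RANGE)} per phone-side check")
```

The asymmetry is the point: the phone verifies an entered code with at most 1001 hashes, while a calculator that has only the stored hash and the IMEI has to walk every code times every RND. With the figures quoted in the thread that is 10^15 x 1001, roughly 10^18 SHA-1 evaluations, which is why the RND alone multiplies the work by about a thousand and why the calculation is slow even on dedicated hardware.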

[Shadab_M] 08-25-2010 02:15

Quote:

Originally Posted by fr3nsis (Post 6249803)
Brute force SHA-1 of Truncated 15 digit-code + RND + IMEI until getting
a match from the decrypted hash entries in PM 120.

original post of x-shadow
http://forum.gsmhosting.com/vbb/f609...0/#post6159636

How can they match against the hash in PM 120 when they only take the IMEI from us?

Br,
Shadab Ahmad

..::AppleLinks::.. 08-25-2010 05:12

I think they are manually generating the unlock codes from the phone IMEI, which is why it takes so much time to generate an unlock code for a single phone.

uqbah 08-25-2010 08:02

Quote:

Originally Posted by shadab_a4u (Post 6250577)
How can they match against the hash in PM 120 when they only take the IMEI from us?

Br,
Shadab Ahmad

As far as I know all boxes must have PM 120 along with the IMEI to calculate the unlock code.
As for the time: with ordinary or lower-speed data processing units, or fewer of them, it must take a long time to finish the jobs.
As said above, Nokia use random numbers, so they have to brute-force the data a much greater number of times to get an exact match.

Correct me if I am wrong. :)

..::Angel::.. 08-25-2010 09:19

Quote:

Originally Posted by shadab_a4u (Post 6250577)
How can they match against the hash in PM 120 when they only take the IMEI from us?

Br,
Shadab Ahmad

Hi,

All tools get PM120 along with the IMEI, because the SHA-1 sign is in PM120,2 (the decrypted hash entries, I think) ;) and the calculated codes are stored in PM120,3

And they also modify loaders, the old "RAPIDOv11" hack :) In RAPU phones Nokia must have fixed this hack, but still some 'great teams' are able to exploit it :D

BUT there are some new RAPIDO single-ASIC phones (hash 479C); I thought Nokia had fixed all bugs in it and it has high security! There should be another method to unlock this phone instead of brute force :-) or I could be wrong.

BR

[Shadab_M] 08-25-2010 09:59

Does unlock code depends on MCC+MNC?

OR any other data which it may depend on?

Br,
Shadab Ahmad

..::Angel::.. 08-25-2010 10:24

Quote:

Originally Posted by shadab_a4u (Post 6251889)
Does unlock code depends on MCC+MNC?

OR any other data which it may depend on?

Br,
Shadab Ahmad

Hi,

I think not. It does not depend on MCC, MNC! They generate level 7 codes, which remove all restrictions in the phone, so it does not matter which level the phone is locked to. If a phone does not accept a level 7 code, or the phone is not locked at the appropriate level, then it is not possible to unlock the phone with the generated level 7 code. - Telcel Mexico phones :)

BR

[Shadab_M] 08-26-2010 07:01

Quote:

Originally Posted by fr3nsis (Post 6249803)
Brute force SHA-1 of Truncated 15 digit-code + RND + IMEI until getting
a match from the decrypted hash entries in PM 120.

original post of x-shadow
http://forum.gsmhosting.com/vbb/f609...0/#post6159636

Bro, can you explain this?

Does this mean:
> Need to make every possible 15-digit code.
> Use a random number from 0-1000.
> After adding both (don't know if it is simple addition), add the IMEI.
> Now compare the SHA-1 of this value to the value stored in PM120-2

Am I right? Or do I need more mind power to understand it? :D

Br,
Shadab Ahmad

