How SL3 Unlock Codes are Calculated?

[Haltec]

Quote:

Originally Posted by german gsm team

IMHO codes are still calculated by SX-5 algo (with MCC, MNC and configuration key)

Telcel phones aren't unlockable due to byte 1 is set zo 1 in profile bits .

Therfore: No cable unlock, no keypad unlock - even with correct code.

Since simlock data (including profile bits) is RSA-signed there is no way to unlock without Nokia SX-4T card and online variant change.

Yes, but MCC, MNC, can be replaced with anything (even random number) in Algo - as long as they used same variable/value during locking process...

And how does this interfere IMEI+CODE+RND theory ?

Quote:

Originally Posted by karwos

Hi,
this should work on all nokia phones (dct3/4, bb5, wd2, infineon)
and most probably on units which were unlocked by code before (need chk that carefully).

So just enter code this format:

*pw+123451234512345+x#

(where X is lock level, and use * instead of #)

Do anybody knew this before ? Credit goes to cyclone team.

This is more a curious trick than any update.
I will post some more "cool codes" later.

And one more thing - I might maybe, JUST MAYBE, ensure acess to sniff SX card communicaton with code calculation in qty of 100 choiced codes, would anyone be interested?

Will this even gain anything useful?


Of course card is MCC MNC dependant.



BR


Haltec

[oOXTCOo]

Quote:

Originally Posted by Haltec

Yes, but MCC, MNC, can be replaced with anything (even random number) in Algo - as long as they used same variable/value during locking process...

And how does this interfere IMEI+CODE+RND theory ?




And one more thing - I might maybe, JUST MAYBE, ensure acess to sniff SX card communicaton with code calculation in qty of 100 choiced codes, would anyone be interested?

Will this even gain anything useful?


Of course card is MCC MNC dependant.



BR


Haltec

no the sniff will bring you nothing...
because you cant back calculate the results and make algo from this.

[Haltec]

re:codes - probably not.

And I thought so, but wasn't sure (and I am still not) what exactely data are exchanged Winlock<<>>SX.

When I think about it a little - you are right - input is only IMEI + Lock level.


Side channel analysis, anyone?




BR


Haltec

p.s. Altough even that is not possible on new(est) security card generation.

[german gsm team]

Quote:

Originally Posted by Haltec

p.s. Altough even that is not possible on new(est) security card generation.

But chip opening in a nanotech lab was and is still an option.

But makes no sense economically, yet.

[Haltec]

Quote:

Originally Posted by Bph&co

Hi,



I can't be sure 100%, but i did some analysis on unlocked SL3 phones by DM3 and

to me it seems that he either have SX5 card connected to the server or access

to high level Salo account.



My original thought was that he is brute forcing the code, as it is no problem for

him to read the hashes from the phone. I also remembered our old conversation

that he gave me that idea for reading hashes and using powerful clusters to

bruteforce the code (back then was for dct4+).



But then i did simple tests on the data after DM3 unlock, results were:



1. Code entered by DM3 box is not the same as the Network will make, maybe

we can assume the SX5 SN is used as part of the calculation and the obvious

collision in the SL3 algo is not carelessness by Nokia but a feature to detect

who made the codes and probably blacklist SX5 codes in future firmware.

(if you remember dct4 codes, you will know what i am talking about)



2. The code DM3 box is calculating is not the first available one in the large

non-collision free keyspace, so bruteforce is maybe not what is used(Offcourse

he can just use different search algorithm)



Anyway all is assumptions because we don't have large enough data to

analyse.



Feel free to send me the last key of PM120 of unlocked phones by DM3 or

network codes, with large enough subset of data, all will be clear soon.



Regards, Alex

B-phreaks

Is this means that some SX5 card for designated operator (mcc_mnc) can be distinguished from other one by codes it generates, and any of codes generated will work the same ?

Let's say for example that Nokia produced 10 sx5 card for Orange UK - each of them can generate unlock codes trough winlock, and each code will be DIFFERENT but it will work. ?!

Uff... Guys aren't bad at all....



BR



Haltec

[usernome]

If it's calculated by brute-force why can't we (some of us) do something like distributed.net ?

[mustipusti]

Quote:

Originally Posted by usernome

If it's calculated by brute-force why can't we (some of us) do something like distributed.net ?

that wil cost too much money and the unlock price will be high for the customers.

[luigivsf]

calculate codes for SL3 is possible, is just find the correct ASIC/Keycode

grab some calculated codes with their MNC+MCC and you will find answers

[usernome]

Quote:

Originally Posted by mustipusti

that wil cost too much money and the unlock price will be high for the customers.

what money to cost ?
We will use our computers for calculation ...

[mustipusti]

Quote:

Originally Posted by usernome

what money to cost ?
We will use our computers for calculation ...

I dont know but the price will be high( Thats why the teams are asking €30 to 100 for 1 unlock) With our computers it wil take months for 1 calculation.

[usernome]

why do you think that they have more calculation power than all (or a lot) of us ?

[[Shadab_M]]

May be, SL3 unlocking is not that complicated or doesnot need more powerfull systems.

Instead, solution providers are talking about it to keep some people away from this solution. So when we hear that it requires that much computing power and money, we will move on to research on BB5 booting.

Just an opinion...

Br,
Shadab Ahmad

[uqbah]

no bro its computing is simple not so much complicated.(as much i know).
but it cost hight yes it is highly costed solution..
u need power full systems with data cards and electricity..

part of GT data centre for bruteforce sl3..

[digitalgsm_cora]

Anyone think that there is no real solution for unlock sl3 phones?

What if those phones are unlocked only by imei in nokia service centers?

B.R.

[moimoun]

Quote:

Originally Posted by uqbah

no bro its computing is simple not so much complicated.(as much i know).
but it cost hight yes it is highly costed solution..
u need power full systems with data cards and electricity..

part of GT data centre for bruteforce sl3..

Thanks for sharing ! I was rather thinking about big super computer calculator !