GSM-Forum  
GSM Programming & Reverse Engineering
Post #31, 08-30-2010 10:31 (Haltec)
Quote (originally posted by german gsm team):
IMHO codes are still calculated by the SX-5 algo (with MCC, MNC and configuration key).

Telcel phones aren't unlockable because byte 1 is set to 1 in the profile bits.

Therefore: no cable unlock, no keypad unlock, even with the correct code.

Since simlock data (including profile bits) is RSA-signed, there is no way to unlock without a Nokia SX-4T card and online variant change.

Yes, but MCC, MNC can be replaced with anything (even a random number) in the algo, as long as they used the same variable/value during the locking process...

And how does this interfere with the IMEI+CODE+RND theory?

Quote (originally posted by karwos):
Hi,
this should work on all Nokia phones (DCT3/4, BB5, WD2, Infineon)
and most probably on units which were unlocked by code before (need to check that carefully).

So just enter the code in this format:

*pw+123451234512345+x#

(where X is the lock level, and use * instead of #)

Did anybody know this before? Credit goes to Cyclone team.

This is more a curious trick than any update.
I will post some more "cool codes" later.

And one more thing: I might maybe, JUST MAYBE, ensure access to sniff SX card communication with code calculation in a quantity of 100 chosen codes. Would anyone be interested?

Will this even gain anything useful?

Of course the card is MCC/MNC dependent.

BR

Haltec
Post #32, 08-30-2010 12:08 (oOXTCOo)
Quote (originally posted by Haltec):
Yes, but MCC, MNC can be replaced with anything (even a random number) in the algo, as long as they used the same variable/value during the locking process...

And how does this interfere with the IMEI+CODE+RND theory?

And one more thing: I might maybe, JUST MAYBE, ensure access to sniff SX card communication with code calculation in a quantity of 100 chosen codes. Would anyone be interested?

Will this even gain anything useful?

Of course the card is MCC/MNC dependent.

BR

Haltec

No, the sniff will bring you nothing...
because you can't back-calculate the results and make the algo from this.
Post #33, 08-30-2010 12:47 (Haltec)
re: codes - probably not.

And I thought so, but wasn't sure (and I am still not) exactly what data are exchanged Winlock<<>>SX.

When I think about it a little, you are right: the input is only IMEI + lock level.

Side channel analysis, anyone?

BR

Haltec

p.s. Although even that is not possible on the new(est) security card generation.
Post #34, 08-31-2010 00:32
Quote (originally posted by Haltec):
p.s. Although even that is not possible on the new(est) security card generation.

But chip opening in a nanotech lab was and is still an option.

But it makes no sense economically, yet.
Post #35, 09-10-2010 23:51 (Haltec)
Quote (originally posted by Bph&co):
Hi,

I can't be 100% sure, but I did some analysis on SL3 phones unlocked by DM3, and to me it seems that he either has an SX5 card connected to the server or access to a high-level Salo account.

My original thought was that he is brute forcing the code, as it is no problem for him to read the hashes from the phone. I also remembered our old conversation, in which he gave me the idea of reading hashes and using powerful clusters to bruteforce the code (back then it was for DCT4+).

But then I did simple tests on the data after DM3 unlock; the results were:

1. The code entered by the DM3 box is not the same as the network would make. Maybe we can assume the SX5 SN is used as part of the calculation, and the obvious collision in the SL3 algo is not carelessness by Nokia but a feature to detect who made the codes and probably blacklist SX5 codes in future firmware. (If you remember DCT4 codes, you will know what I am talking about.)

2. The code the DM3 box is calculating is not the first available one in the large non-collision-free keyspace, so bruteforce is maybe not what is used (of course he can just use a different search algorithm).

Anyway, all of this is assumptions because we don't have large enough data to analyse.

Feel free to send me the last key of PM120 of phones unlocked by DM3, or network codes; with a large enough subset of data, all will be clear soon.

Regards, Alex

B-phreaks

Does this mean that some SX5 card for a designated operator (mcc_mnc) can be distinguished from another one by the codes it generates, and any of the codes generated will work the same?

Let's say for example that Nokia produced 10 SX5 cards for Orange UK: each of them can generate unlock codes through Winlock, and each code will be DIFFERENT, but it will work?!

Uff... Guys aren't bad at all....

BR

Haltec
Post #36, 09-11-2010 15:43 (usernome)
If it's calculated by brute-force, why can't we (some of us) do something like distributed.net?
Post #37, 09-11-2010 16:26 (mustipusti)
Quote (originally posted by usernome):
If it's calculated by brute-force, why can't we (some of us) do something like distributed.net?

That will cost too much money, and the unlock price will be high for the customers.
Post #38, 09-11-2010 16:40
Calculating codes for SL3 is possible; it's just a matter of finding the correct ASIC/Keycode.

Grab some calculated codes with their MNC+MCC and you will find answers.
Post #39, 09-12-2010 05:20 (usernome)
Quote (originally posted by mustipusti):
That will cost too much money, and the unlock price will be high for the customers.

What money would it cost?
We will use our computers for the calculation...
Post #40, 09-12-2010 09:54 (mustipusti)
Quote (originally posted by usernome):
What money would it cost?
We will use our computers for the calculation...

I don't know, but the price will be high (that's why the teams are asking €30 to 100 for 1 unlock). With our computers it will take months for 1 calculation.
Post #41, 09-13-2010 07:36 (usernome)
Why do you think that they have more calculation power than all (or a lot) of us?
Post #42, 09-13-2010 09:02 ([Shadab_M])
Maybe SL3 unlocking is not that complicated or does not need more powerful systems.

Instead, solution providers are talking about it to keep some people away from this solution. So when we hear that it requires that much computing power and money, we will move on to research BB5 booting.

Just an opinion...

Br,
Shadab Ahmad
Post #43, 09-13-2010 15:39 (uqbah)
No bro, its computing is simple, not so complicated (as far as I know).
But it costs a lot; yes, it is a highly costly solution.
You need powerful systems with data cards and electricity.

Part of GT data centre for bruteforce SL3..
Post #44, 09-13-2010 21:21 (digitalgsm_cora)
Does anyone think that there is no real solution for unlocking SL3 phones?

What if those phones are unlocked only by IMEI in Nokia service centers?

B.R.
Post #45, 09-13-2010 22:26
Quote (originally posted by uqbah):
No bro, its computing is simple, not so complicated (as far as I know).
But it costs a lot; yes, it is a highly costly solution.
You need powerful systems with data cards and electricity.

Part of GT data centre for bruteforce SL3..

Thanks for sharing! I was rather thinking about a big supercomputer calculator!