SL3 + ighashgpu + input data: /uh /salt /h

[dragon7]

Hello, can someone with real knowledge explain the meaning and extracting of these data from the phones? I am interested about the input of /uh /salt and maybe of the /h switches!!! Thanks in advance!

[KrzychuG]

ighashgpu -t:sha1 -salt:00_IMEI_15_digits_0 -h:HASH -uh:00010203040506070809 -min:15 -max:15

That's it, example:

ighashgpu -t:sha1 -salt:003582560396627500 -h:5F0D0ABEB59E67A779D15B8EA431FF45D648F985 -uh:00010203040506070809 -min:15 -max:15

[MOURAD™]

if you are Romanian, its easy to ask orbita or zulea......

[angel25dz]

Quote:

Originally Posted by KrzychuG

ighashgpu -t:sha1 -salt:00_IMEI_15_digits_0 -h:HASH -uh:00010203040506070809 -min:15 -max:15

That's it, example:

ighashgpu -t:sha1 -salt:003582560396627500 -h:5F0D0ABEB59E67A779D15B8EA431FF45D648F985 -uh:00010203040506070809 -min:15 -max:15

imei only 14 digits

br

[MOURAD™]

Code:

ighashgpu -t:sha1 -salt:00[imei]00 -h:[hash] -uh:00010203040506070809 -min:15 -max:15

[imei] = 14 digits.

[hash] = hash readed with mxkey.


put this line in notepad file and change extension *.txt to *.cmd

Put this *.cmd file to IGHASHGPU folder and double click to start bruteforce.



Hope its clear now.

[dragon7]

This read out hash is equal with CMT_ROOT_KEY_HASH + CMT_SECURE_ROM_CRC or it is some other data form PM120? For example in the file below (after a LBF done with the code in the end) where is the hash???
359370036240079
9B485686BFD39D4B35D358C4E82C05AC876C5ED5FA20EF0080 204F31E618767A947C6C9A9B8CF9322EBA04115487ED122B32 219F64B5C5B514023344D0A55D16507D6A7CD11534A3773C7D 606135D47344C07827C3711451B7941A3D74770735181D8FD5 C55A5155B20D556B7CA4D8499361318B88F41FA977A89F6842 B54017B612A246FB565263F18299DA512387159D707CACC244 0EA57E90D5DF3EBD9133
972798506488412

This phone has a CMT_ROOT_KEY_HASH: 9DDBFCFE6E73CED7D8C6268C8EB85723 and CMT_SECURE_ROM_CRC: DFAAF68F if I read info from phone. Thanks for all who answered the topic!

[MOURAD™]

[hash] =SHA1(mastersp+salt+00+imei+00)



imei must be 14 digits.

[dragon7]

And where is this hash stored? In PM120? When I read PM120 wich bytes are the right ones for this? Has PM120 to be modifyed to see these datas? Thanks and sorry for insistence!

[angel25dz]

Quote:

Originally Posted by dragon7

And where is this hash stored? In PM120? When I read PM120 wich bytes are the right ones for this? Has PM120 to be modifyed to see these datas? Thanks and sorry for insistence!

Hash is stored in PM120 subfield 1 and crypted with AES 128, u must decrypt data to get the correct hash.

/br

[MOURAD™]

Re-read this again: http://forum.gsmhosting.com/vbb/f83/...2/#post7167220

You need only mastersp.








Best regards.

[yusniel]

I need to know if i can extract the hash with an usb conection...Mt Box Sl3 Usb Reader gives me this information...

MODEL: NOKIA 2730 CLASSIC (CLASSIC PHONE)
SW: V 10.45 05-07-10 RM-578 (C) NOKIA
IMEI: 354343044xxxxxx
Product Code: 0584996
Life timer: 50490000 <> 000005:12
--------------------------------------------------------------------------
ST_SIM_LOCK_TEST: PASSED
ST_SECURITY_TEST: PASSED
ST_SUPERDONGLE_TEST: PASSED
--------------------------------------------------------------------------
PROVIDER KEY: 0000000000000000
CONFIG KEY: 2440700000000000
PROVIDER: AT&T;U.S.A. (3650)
KEY CODE COUNT: 0 , FBUS CODE COUNT: 0
--------------------------------------------------------------------------
APE: none
--------------------------------------------------------------------------
CMT: 89820089
CMT PUBLIC ID: 0F300009BCB501568FE23BF8AB00D618BE3B33DF
CMT ROOT KEY HASH: 9DDBFCFE6E73CED7D8C6268C8EB85723
CMT PAPUBKEYS HASH: 8669C77551AE1280331BBAE6FD0C7CB3D3F44CC1
--------------------------------------------------------------------------

My question is: this software gives me the hash that i need??

[MOURAD™]

Quote:

And where is this hash stored? In PM120? When I read PM120 wich bytes are the right ones for this? Has PM120 to be modifyed to see these datas? Thanks and sorry for insistence!

You can find it in PM120,4 Contain:

- simlock
- sha1
- rsa signature.


When you extract an decrypt sha1 hash.

example:

imei: 356918031143509

sha1 Hash: 8D1C71F10A3F36FAFCFEB60B8B3D10E341E4B78D

Brutforce:

sha1 hash = 8D1C71F10A3F36FAFCFEB60B8B3D10E341E4B78D = SHA1(mastersp+salt+00+35691803114350+00)

mastersp: [000000000000000~999999999999999]

Salt : [0~9999]

[MOURAD™]

Here small example about Bruteforce calcul:


Hash find OK:

SHA1 TEST [35691803114350] = 8D1C71F10A3F36FAFCFEB60B8B3D10E341E4B78D
SHA1 Hash [35691803114350] = 8D1C71F10A3F36FAFCFEB60B8B3D10E341E4B78D
Mastersp = 065222098608403

Best Regards
Mourad

[crushader8]

Quote:

Originally Posted by Mrd07

Here small example about Bruteforce calcul:


Hash find OK:

SHA1 TEST [35691803114350] = 8D1C71F10A3F36FAFCFEB60B8B3D10E341E4B78D
SHA1 Hash [35691803114350] = 8D1C71F10A3F36FAFCFEB60B8B3D10E341E4B78D
Mastersp = 065222098608403

Best Regards
Mourad

nice info sir ..

but why mx-key not support to brute force with ati hd 6990 ??

[dragon7]

Quote:

Originally Posted by crushader8

nice info sir ..

but why mx-key not support to brute force with ati hd 6990 ??

According to Ivan Golubev author of the brute force attack program (included in mx tool): HD68xx are supported only by ighashgpu_v0.90.17.3 but from that version the SHA1 cracking was disabled because the mx team: they violated the licence agrement. Read this:
More about ATI 6XXX - Ivan Golubev's blog
and
Спи$дили - Ivan Golubev's blog
Last remark: You can use maybe Fenix key with HD6xxx. Chec them out.
Best regards!