View Single Post
Old 09-10-2010, 22:51   #35 (permalink)
No Life Poster
Join Date: Mar 2009
Location: Europe Wienna
Posts: 1,269
Member: 984046
Status: Offline
Thanks Meter: 255
Originally Posted by Bph&co View Post

I can't be sure 100%, but i did some analysis on unlocked SL3 phones by DM3 and

to me it seems that he either have SX5 card connected to the server or access

to high level Salo account.

My original thought was that he is brute forcing the code, as it is no problem for

him to read the hashes from the phone. I also remembered our old conversation

that he gave me that idea for reading hashes and using powerful clusters to

bruteforce the code (back then was for dct4+).

But then i did simple tests on the data after DM3 unlock, results were:

1. Code entered by DM3 box is not the same as the Network will make, maybe

we can assume the SX5 SN is used as part of the calculation and the obvious

collision in the SL3 algo is not carelessness by Nokia but a feature to detect

who made the codes and probably blacklist SX5 codes in future firmware.

(if you remember dct4 codes, you will know what i am talking about)

2. The code DM3 box is calculating is not the first available one in the large

non-collision free keyspace, so bruteforce is maybe not what is used(Offcourse

he can just use different search algorithm)

Anyway all is assumptions because we don't have large enough data to


Feel free to send me the last key of PM120 of unlocked phones by DM3 or

network codes, with large enough subset of data, all will be clear soon.

Regards, Alex


Is this means that some SX5 card for designated operator (mcc_mnc) can be distinguished from other one by codes it generates, and any of codes generated will work the same ?

Let's say for example that Nokia produced 10 sx5 card for Orange UK - each of them can generate unlock codes trough winlock, and each code will be DIFFERENT but it will work. ?!

Uff... Guys aren't bad at all....


Page generated in 0.08152 seconds with 7 queries