How SL3 Unlock Codes are Calculated?

Hi! I am just curious to know how SL3 Unlock Code calculation works. As in some boxes there is option to submit request by IMEI only. So the question is:
> What data is needed to calculate unlock code?
> Why unlock code calculation takes too much time?
In short, if somebody can tell us the procedure involved in code calculation. Br, Shadab Ahmad |
As my knowledge code calculated by bruteforce so why they need too much time. |
I think some special algorithm hides in every RAP ID and IMEI... that's depend on time to be taken |
Brute force SHA-1 of Truncated 15 digit-code + RND + IMEI until getting a match from the decrypted hash entries in PM 120. original post of x-shadow http://forum.gsmhosting.com/vbb/f609...0/#post6159636 |
I forgot that post was in sub-forum where it should be. (Spent last 20 mins looking for it.) BR Haltec |
And what does truncated mean in this context? Is it "Delphi" Trunc? As in discarding everything behind the floating point, or...? (ah, long time ago was that Turbo Pascal) Why RND? (not Random..., I presume?) BR Haltec |
can someone explain more this Truncated 15 digit-code +RND ?? truncate you mean this ? http://folders.pictures-upload.com/2...46gyshk9b7.png |
And this is what BPH had posted about RND value: Quote:
Br, dualtrace |
Br, Shadab Ahmad |
I think they are manually generating the unlock codes from phone IMEI, so why it took too much time to generate an unlock code for a single phone. |
for time with ordinary or lower speed or less in numbers you have data processing units it must take long time to finish jobs.. as said above Nokia use random numbers so they have to bruteforce the data for greater numbers of times to get exact match.. correct me if I am wrong..:) |
All tools get PM120 also with IMEI. Because SHA-1 sign is in PM120,2 (decrypted hash entries, I think so..) ;) and as well calculated codes are stored in PM120,3. And they also modify loaders "RAPIDOv11" old hack :) In RAPU phones Nokia must have fixed this hack but still some 'great teams' are able to exploit that :D BUT there are some new RAPIDO single ASIC phones with (hash 479C), I thought Nokia have fixed all bugs in it and it has high security..! There should be other method to unlock this phone instead of bruteforce :-) or I could be wrong. BR |
Does unlock code depends on MCC+MNC? OR any other data which it may depend on? Br, Shadab Ahmad |
I think no. It does not depend on MCC, MNC! They generate level7 codes which remove all restrictions in phone. So, no matter which level phone is locked to. If any phone does not accept level7 code or phone is not locked to appropriate level then in this case it is not possible to unlock phone with generated level7 code. - Telcel Mexico phones :) BR |
Does this mean:
> Need to make every possible 15 digit code.
> Use Random number from 0-1000.
> After adding both (don't know if it is simple addition), add IMEI.
> Now compare SHA-1 of this value to the value stored in PM120-2
Am I right? or I need more mind power to understand it? :D Br, Shadab Ahmad |
And can someone tell what that ASCII is !!! Quote:
So even if you can fully decrypt PM120, you still won't know the code because it is multiplied with 0-1000 range integer? hmpf.... All of the guys involved in this (won't name or count them here - because I don't want to accidentally forget anyone) are doing really cool stuff behind our GUI unlock button. But how (and how) much closer DM3 get... (by speed reported, it seems that they don't use BF at all) @shadab_a4u - looks that way.... BR Haltec |
Still a mystery Mr. Shadab. I guess this work is more simple than it seems, but without a little light from programmers, it will be hard for us. |
A few days ago I checked UB SL3 unlock average at their web and it was 5 mins only. So, I think DM3 also uses bruteforce or if DM3 does not use bruteforce then I would say UB has somehow connection with DM3 team :D BR |
solution, 'cause they can't afford the service... |
Isn't DM3 about 5-10 sec per phone? - about same as standalone RSA DCT4 unlock.... Don't know if they (DM3) unlock 479C... And I saw pictures of Griffin "Plant" on other forum. Serious job. Would be great to see some pics from other teams too... So in production of SL3 codes - Nokia multiplied every produced code with 0-1000 and let ASIC do the math? Good trick. Have to admit. Maybe DM3 have way to force phone to accept their PM120 and then just enter respective code? BR Haltec |
Hi, [120] 2=6AA06D79590AD984B3A89BF148C4F4C7359E675DD7D8F 835CEA93C8DBDFE489D10B3AECB108BFE14067A9A413865 92865801F796BD355B60EC9DEBAB610CF91955E33B226FD4 B0611FE410253693B308763461031F607FCF7630C8305CAA ABA031D909A6B1C7E41BFA3DEFEA11F0E93D7D0AE16A15E 10FBCCB11DEAD266470490100 On the above SL3 PM120,2 data sample, anyone who can guide locate the sha1 hash for LEVEL 7 unlock code? Br, dualtrace |
I believe that DM3 and all other teams use bruteforce to unlock SL3 phones. And they have invested a lot of money in this project. Btw, if DM3 force phone to accept their own PM120 then unlock result would be any other config key, not as unlock by codes. They could also offer simlock repairs. Well, future will tell what method is being used to unlock SL3 phone. At the moment, it seems DM3 also uses BF method..! BR |
Not makeable i am sure ! Regards GSM Parts |
Hi, Quote:
'6675636B206D61746800DEAD0067656F686F74FF : f*ck math....geohot.' Br, dualtrace |
to decrypt this block, some more data is needed than just the PM block ;) |
there is no SHA1 Hash in PM120,2 [120] 2=6AA06D79590AD984B3A89BF148C4F4C7359E675DD7D8F 835CEA93C8DBDFE489D10B3AECB108BFE14067A9A413865 92865801F796BD355B60EC9DEBAB610CF91955E33B226FD4 B0611FE410253693B308763461031F607FCF7630C8305CAA ABA031D909A6B1C7E41BFA3DEFEA11F0E93D7D0AE16A15E 10FBCCB11DEAD266470490100 RSA-1024 bit signature = 128 bytes fixed 02 bytes That's what I think, if i'm wrong correct me :) |
Telcel phones aren't unlockable due to byte 1 being set to 1 in profile bits. Therefore: No cable unlock, no keypad unlock - even with correct code. Since simlock data (including profile bits) is RSA-signed there is no way to unlock without Nokia SX-4T card and online variant change. |
So it is in PM120,1 which is 0xA0 bytes, maybe it is similar with DCT4+ which is encrypted, but I don't think BB5 will use SAFER-64 :) . |
Yes, but MCC, MNC, can be replaced with anything (even random number) in Algo - as long as they used same variable/value during locking process... And how does this interfere IMEI+CODE+RND theory ? Quote:
And one more thing - I might maybe, JUST MAYBE, ensure access to sniff SX card communication with code calculation in qty of 100 chosen codes, would anyone be interested? Will this even gain anything useful? Of course card is MCC MNC dependent. BR Haltec |
no, the sniff will bring you nothing... because you can't back calculate the results and make algo from this. |
re: codes - probably not. And I thought so, but wasn't sure (and I am still not) what exactly data are exchanged Winlock<<>>SX. When I think about it a little - you are right - input is only IMEI + Lock level. Side channel analysis, anyone? :) BR Haltec p.s. Although even that is not possible on new(est) security card generation. |
But makes no sense economically, yet. |
Does this mean that some SX5 card for designated operator (mcc_mnc) can be distinguished from other one by codes it generates, and any of codes generated will work the same? Let's say for example that Nokia produced 10 SX5 cards for Orange UK - each of them can generate unlock codes through Winlock, and each code will be DIFFERENT but it will work?! Uff... Guys aren't bad at all.... BR Haltec |
If it's calculated by brute-force why can't we (some of us) do something like distributed.net ? |
calculate codes for SL3 is possible, is just find the correct ASIC/Keycode grab some calculated codes with their MNC+MCC and you will find answers |
We will use our computers for calculation ... |
why do you think that they have more calculation power than all (or a lot) of us ? |
Maybe SL3 unlocking is not that complicated or does not need more powerful systems. Instead, solution providers are talking about it to keep some people away from this solution. So when we hear that it requires that much computing power and money, we will move on to research on BB5 booting. :D Just an opinion... Br, Shadab Ahmad |
No bro, its computing is simple, not so much complicated (as much as I know). But it costs high, yes, it is a highly costed solution.. you need powerful systems with data cards and electricity.. part of GT data centre for bruteforce SL3.. http://www.softmobile.net/test/DSC05383.JPG http://www.softmobile.net/test/DSC05384.jpg |
Anyone think that there is no real solution for unlock sl3 phones? What if those phones are unlocked only by imei in nokia service centers? B.R. |
Are they using CPU to calc codes??? I was thinking they are using GPU, like Genie Team. |
so what ? All our computers will be much much powerful than that ... |
sure it is per GPU, you can't get same calculation power with the fastest CPUs... and per cluster they have minimum 2 graphics cards built in... some mainboards can hold 4 (!!!) cards for parallel calculation... so forget about your "normal" webservers... |
Why can't we do that? 1 million computers are faster than 2000 GPUs ... |