How SL3 Unlock Codes are Calculated?

[Arjun mishra]

Quote:

Originally Posted by uqbah

no bro its computing is simple not so much complicated.(as much i know).
but it cost hight yes it is highly costed solution..
u need power full systems with data cards and electricity..

part of GT data centre for bruteforce sl3..

don't post fake image of any server ...
and make fool to our members

[fr3nsis]

Quote:

Originally Posted by Arjun mishra

don't post fake image of any server ...
and make fool to our members

fake images? you are crazy

[moulnisky]

the images are from this folder
Index of /test
which is the griffin credits website
If you check the dates are quite older then the posts.. you can find as well another picture of another server group.
As well if you look at the picture where you see the back side of the servers you can eaily see the 2 nvidia cards for each server.. no web server would ever need 2 graphic cards to work.
So the picture are 100% from the Griffin team servers area.

BR

Alex

[hitesh2000]

one curios question how dm3 team manages to unlocking sl3

[ribbentrop]

by magic stick ...

[Agadir__Gsm]

Quote:

Originally Posted by hitesh2000

one curios question how dm3 team manages to unlocking sl3

if we know that so it's the end of game

[Haltec]

Funny thing is, that I till yesterday morning didn't realize one basic thing that make me laugh my *** off....

I alwaws thought... WTF did they did that such a small box can compute so fast (if it works via BF, rather than some unknown EXPLOIT, or some /inside/ acess to Nokia R&D)

DM3 box (itself) is probably just a tool for extacting needed previousely mentioned fields&data, but code itself is calculated elsewhere.


I wouldn't want that guys who are able to unlock SL3, think, that this topic is something where we think can discuss like equals.

It is a merely something to satisfy our (at least mine & for me) common human curiousity. With no ANY illussions, that I am going to be able to DIY....

Does anyone knows what is DM3 stands for? (abbrevation)


Can Nokia /easily/ enlarge keyspace to 10000 with sideaffect that phone will need 10secs to validate code?

Quote:

Originally Posted by Bph&co

Hi,

/cut

And each single core in this case works faster as the code could be

optimized to use the GPU cash memory that is few nm away from each core.



/cut

BR, Alex

I read some time ago, on iaik.tugraz.at/content/research/publications/ great article about smart card security, written by some youngster (23 I think) who does lectures occasionaly on Harvard & Cambridge, where he metioned something about displacing code (physical layer) on a some SC, beacouse it is used as part of security feature on acces to nuclear warheads maintenance procedure.

& afer some selfdestructing tests - they managed to extract data from it (smartcard) in a "unlimited funded" research lab.

And producer of SC, afterwards needed to meet some demands, about diferent displacement of the the algo (on physical layer)


A.m.a.z.i.n.g.




BR



Haltec

[mehulkr76]

there's some other way too. think when we enter codes manually how does
436Mhz cpu in n97 do bruteforcing to c if the code entered is correct or not.
it unlocks the fone when correct code is entered withn a second.

[Alkapone]

Quote:

Originally Posted by mehulkr76

there's some other way too. think when we enter codes manually how does
436Mhz cpu in n97 do bruteforcing to c if the code entered is correct or not.
it unlocks the fone when correct code is entered withn a second.

It does not do any bruteforcing by that time.

B.R.
Alkapone

[angel25dz]

Quote:

Originally Posted by Alkapone

It does not do any bruteforcing by that time.

B.R.
Alkapone

how about RND ?? if phone don't use bruteforce how it find the RND value ?? or SHA1 (NCK+RND+IMEI) is fake ??

[spherus]

SL3 security is still well 'protected' while all security options
(SuperDongle, WatchDog, etc...) are still depenable on orginal
Nokia SX5 authorization. No security operations (exept reset counters)
are introduced by any team (yet). so far we got stable flashing with
new loaders (or TURBO FBUS) and 'teams' got focused mostly on very
expensive idea of 'calculating' codes for us. Soon I know some team will
figure out how athorize most of security options in SL3, then people call them
Market Killer and another War in GSM field.

Jezz... belive me it was always like that since DCT3

I wish all 'teams' the best !!! because I have all Nokia tools (exept UB,ATF and std-aSX4)

and looka at the matket now:
just like a begining of BB5 (credids consumting tools)
SL3 security un-discovered
Nokia bringing in new RapX generations (EX-series, CX-series, NX-series)


Its normal (like before) time that one or another 'team' give Us some 'gift'
for christmass (ha ha ha)

so dont get excited to much 'Lads'

[usernome]

Quote:

Originally Posted by Bph&co

Hi,

It is not. Just one of the 4U cases on the picture of the GT cluster have 3200 cores to
crunch in parallel. And each single core in this case works faster as the code could be
optimized to use the GPU cash memory that is few nm away from each core.

Also i did check those distributed clients, they are very slow and buggy. To make
something workable for GSM you need to write your own client and maybe ask users
to upgrade to latest i7 workhorse CPU with good watercooling and overclock.
But again to have real impact you will need hundreds of thousands of guys that keep
their PCs connected 24/7.

Just my 2 cents.

BR, Alex

Ok , thanks for your answer .

[ssa]

Quote:

Originally Posted by angel25dz

how about RND ?? if phone don't use bruteforce how it find the RND value ?? or SHA1 (NCK+RND+IMEI) is fake ??

our team is not in nokia business but if it use an rnd value it's not complete random, but read from phone, else phone has to compute it back to hash and that takes to much time

so my idea what is happening (if the nck+rnd+imei is correct at least)

1 read phone data (Imei + magic RND + Sha1 hashed code)
2 do bruteforce on sha1(NCK + Magic + Imei) (start with nck 99999999)
3 compare with Sha1 hashed code
4 if hash match then code found, if hash not match then NCK -1 and goto step 2

since unlockcode is 8 digits the servers should go from 99999999 till 00000000 each time -1

this algo can be computed on GPU since procedure is the same in each calc, however the part of BPh&co about paralll crunching should not have much affect on 1 code (else they have to split the nck buffer in 4 parts (or more)) but each time the gpu finished the sha1 hash it has to be compared to cache

so if they do paralel it's used to compute different codes on GPU core

just my idea.... anyway not our business but nice to read hihi

[Bph&co]

Quote:

Originally Posted by mehulkr76

there's some other way too. think when we enter codes manually how does
436Mhz cpu in n97 do bruteforcing to c if the code entered is correct or not.
it unlocks the fone when correct code is entered withn a second.

Hi,

The N97 super slow CPU has only 1000 codes to check, this is small job, even for
PIC18 When, anyone bruteforcing without real code has 1000 trillion combinations to
check.

Sorry about mistake in my previous post - i meant cache (instead of cash) memory.

BR, Alex

[Haltec]

Quote:

Originally Posted by ssa

/cut

since unlockcode is 8 digits the servers should go from 99999999 till 00000000 each time -1

/cut

12 digits : #pw+12345678901234+1# (I know you know)

Quote:

Originally Posted by ssa

/cut

our team is not in nokia business but if it use an rnd value it's not complete random, but read from phone, else phone has to compute it back to hash and that takes to much time

/cut

Care to elaborate this upper one just a lilttle bit...?


BR


Haltec