Sunday, December 16, 2007

NCK Pattern: 6 So Far: No German pattern

So far I have (see title) NCK <=> IMEI combinations. I can't post them, since they are sensitive data of the people who were kind enough to extract their a.plist for me. I have learned that the German ones use "SP" instead of "NO". Also, the two German NCKs I have both start with the number 3. Coincidence? Keep these a.plists flowing; could people please post requests on their respective language iPhone forums? Also, the algorithm used to verify the NCK on the phone is known and is not even close to reversible. Brute force is capable at 100,000 k/s, so the initial idea of finding a pattern in the NCKs is to lower the time required for that brute force.
Also my theoretical NCK generation system; this has no basis in anything anyone has discovered but... IMEI^d mod n, where d and n are relatively prime and n is similar in size to the IMEI. If Apple keeps d and n secret, they could generate NCK's given an IMEI when no one else could.

75 comments:

Frederic said...

Hello,

I offer my computer for GRID calculation if needed.
You have the full community for you, I presume.

Tom said...

Keep working...

Hello from all Serbian people...

Arturo said...

Thanks for your work... Mexico salutes you

Manish said...

That is interesting. But if we get a few nck and imei, then we can start getting close as we could run it through a data analyser which should make it working. If you need any help to prepare this analyser or anything similar, then let me know as I make these on pro basis for Microsoft.

Roberto said...

Thanks!! ..... It's very good to hear any kind of news from you ... Keep up the great work !!!

le tier said...

So the NCK is once again protected by RSA like encryption?

Bean said...

hope we're coming along nicely...

André L. Beltrame said...

George,
Do the unlock codes have many zeros?
We need to find a way to share those pairs. Me and a couple of other guys have experience with algorithms and I'm sure we could help. I think it's a bad idea to post those pairs on the net, but surely an email with an address to a page with the pairs would be okay.
I'm under the same nickname in the hackint0sh forum. Also, since I'm at it... Do you plan on sharing the code to check if an NCK is valid? I want to attempt something unrelated to the pairs you have.
Thanks

quang said...

15 jobs = No Brute Force? Imbecility everything can be broods


Who has nen Dual / Quad Core or server and makes it available for computing?

You have only a small program downloaded in the background and run


Here: http://deluxebits.to/file:MN2kV5

That is the 500Mb file

PLEASE DO NOT TO ITUNES FLASHEN!
YOUR iPHONE BRICKE!

Hady said...

"SP" instead of "NO"
George, have you guys thought that the NCK can be generated by Apple from the IMEI and static parts of the IMSI from the SIM?

IMSI is composed from MCC + MNC + MSIN

MCC and MNC are static per operator per country.

For Germany T-Mobile MCC = 262 and MNC = 01.
The first 5 digits of the total 15 digits of any IMSI in Germany using T-Mobile are 26201.

For France Orange MCC = 208 MNC = 01 and 02 (2 values for orange)
so 20801 or 20802

might be wrong but just wanted to share.
Good Luck

cell said...

Hello,
I tried to get the nckpattern out of my iPhone (T-Mobile Germany). Unfortunately I'm having trouble with gshell. Gshell won't recognize the phone (waiting...). I tried XP, Vista, with/without Apple services, DFU Mode etc. Could somebody please tell me how to get the nck-pattern?

Greets cell

P.S.: Great job to all!

Micky said...

we are anticipating your good effort here in Saudi Arabia as well!

GFX said...

You said "the algorithm used to verify the NCK on the phone is known".
You mean, you have an IDA dump of the function, or better ? Can we see this stuff ?

fuzzybear said...

This is also quite interesting if you are looking to speed things up :)

http://www.pcworld.com/article/id,140064-c,gameconsoles/article.html

km2 said...

Would be very interesting to see the algorithm posted here or on some wiki, as I don't think it would give the game away to Apple (George has already said that he knows it).

Perhaps the 100,000 K/s could be greatly increased by other hardware which people have access to (such as FPGAs).

Pascal said...

Hi all,

One thing I know for sure: Apple hired, a few months ago, a French cryptographer specializing in elliptic curves.
If you know the checking algorithm, might I take a look to confirm or rule out ECDSA computation in it?

Zie Lassina said...

Q? How can anyone tell if those IMEI and UNLK codes submitted are even legit??

John said...

In Deutsch SPerre means lock :)

Duwdex said...

How do I read this ltoken from my phone so I can try to brute-force it myself ?

Duwdex said...

To compile the NCK-Brute-force you need lib GMP. You can grab it yourself and compile it (but you will need Mingw-MSYS or something). If you want the already compiled libgmp.a and gmp.h, I've uploaded them; download at:
http://rapidshare.com/files/77125401/libgmp-4.2-compiled.rar

If you don't want to compile nckbf yourself, I also uploaded the already compiled exe to:
http://rapidshare.com/files/77125702/nckbf-binary.rar

cell said...

Hello,
I tried to get the nckpattern out of my iPhone (T-Mobile Germany). Unfortunately I'm having trouble with gshell. Gshell won't recognize the phone (waiting...). I tried XP, Vista, with/without Apple services, DFU Mode etc. Could somebody please tell me how to get the nck-pattern?

Greets cell

P.S.: Great job to all!


Can nobody help me? would be the 5th nck-pattern :)

George Hotz said...

Cell: IM me
AIM: imgeohot

Pascal said...

@george: since I work in a crypto lab, maybe it would be interesting to share your knowledge of the algorithm to see if some attacks (no brute force, of course...) can be adapted. I would add that your mechanism IMEI^d mod n is not secure enough on 15 digits (google baby step giant step algorithm). It has to be a little bit more difficult. Waiting for information from you

George Hotz said...

I posted the code for my brute forcer. Read readme.txt in the RAR file, it describes the whole algo.

Shade.sh said...

Thanks Geo. I compiled the bruter under RHEL 4 (U6) with the gmp-4.1.2 library. You have to compile the gmp-lib yourself because in some Linux distros the freshest is 3.X. And you need one more gcc parameter for your last step:

gcc process.o sha1.o tea.o -o nckbf /opt/gmp-4.1.2/lib/libgmp.a -lpthread

Otherwise it won't compile. For now the main program has compiled, but it ends fast with

"Creating POSIX thread 0 1 2 3 4 5 6 7 Threads created
segmentation fault"

Any ideas? Thanks a lot.

Gustavo said...

bf is limited to 8 digits, how can I change it to do 15 digits? I can run it on our HPC computer cluster at the company. I'm sure it can do much more than 100.000 K/s :)

Another one is: how to extract the ltoken from a 4.6 BL phone, if 4.6 didn't let us dump it?

cheers,

Pascal said...

Ok, how to explain in simple words: according to the code, this is an RSA 1024 signature (simple question for george: are you sure of the 3 exponent? 65535 is often used now, to avoid the attacks available for this particular exponent).

The level of security of such a signature scheme is about 2^100, which leads, at 100 000 000 000 K/sec (much more than 100 000, you agree on this), to 401969368413 years of computation (if you don't believe me, try 2^100/100 000 000 000 / 60 / 60 / 24 / 365). Still wanna try "brute force" ?
Don't wanna hurt you guys but such a performance is awarded 1Million $ (see factor RSA contest).

le tier said...

what exactly is a valid message in that case? (bfnck)

GFX said...

Pascal : maybe I missed something, but the bruteforce is on the NCK. Therefore, since it's 15 digits (or maybe 14 for german phones), we have a maximum of 10^15 possibilities

Pascal said...

According to george's code, the message is composed of some known data and the NCK. This message is signed by apple private key and checked by the phone with the RSA^3 operation. To forge a signature, you have to reverse the RSA procedure, this is the hard part here.
File "rsa_key2" does not contain a RSA key, it only contains the modulus.
Although the 15 digits search will help, you still need to compute the signature which can only be done by reversing the operation
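
Pascal's and GFX's points side by side, as an added example that is not part of the original thread and is not the code of the posted brute forcer: a toy RSA check with public exponent 3 in which producing a token needs the private exponent, while testing candidate codes against an existing token needs only public values, so the cost of a search is bounded by the size of the code space. The toy key, the SHA-1 message layout, the device string and the 4-digit code are constructed assumptions.

```python
import hashlib

# Constructed toy key. P and Q are two well-known primes, both = 2 (mod 3), so
# the public exponent 3 is invertible. A real modulus would be 1024 bits.
P, Q, E = 1_000_000_007, 998_244_353, 3
N = P * Q                               # public: stored on the device
D = pow(E, -1, (P - 1) * (Q - 1))       # private: held only by the signer


def message(known: bytes, code: str) -> int:
    """Known data plus the code, hashed and reduced below N (assumed layout)."""
    digest = hashlib.sha1(known + code.encode()).digest()
    return int.from_bytes(digest, "big") % N


def sign(known: bytes, code: str) -> int:
    """Signer side: cannot be computed without the private exponent D."""
    return pow(message(known, code), D, N)


def verify(token: int, known: bytes, code: str) -> bool:
    """Device side: cube the token using public values only, then compare."""
    return pow(token, E, N) == message(known, code)


def enumerate_code(token: int, known: bytes, digits: int):
    """Test every `digits`-digit code against an existing token.
    Uses only N and E. Returns (code or None, number of guesses tried)."""
    for guess in range(10 ** digits):
        code = f"{guess:0{digits}d}"
        if verify(token, known, code):
            return code, guess + 1
    return None, 10 ** digits


def years(work: int, per_second: float) -> float:
    """Time for `work` operations at `per_second`, in 365-day years."""
    return work / per_second / 60 / 60 / 24 / 365


if __name__ == "__main__":
    known = b"constructed-device-id"        # constructed stand-in for the known data
    token = sign(known, "4271")             # constructed 4-digit code
    print(verify(token, known, "4271"), verify(token, known, "0000"))
    print(enumerate_code(token, known, 4))  # recovered with public values only
    # Pascal's estimate for the signature scheme itself: 2^100 work at 10^11 per second
    print(int(years(2 ** 100, 100_000_000_000)), "years")
```

The design lesson is that a short code checked against a publicly verifiable token is only as strong as the code space, whatever the modulus size, unless each guess is made expensive or tied to a secret the verifier does not expose.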

Sergio said...

HI George,
I have 3 iPhones with 4.6BL, from the USA. If you tell me how I can get the NCK, I'll send it back to you! I also have 2 iPhones with 3.9BL; if you need the same info from these iPhones, just ask!

sgwarez@hotmail.com

will said...

Looking to bruteforce the NCK is a waste of time; a solution will come, and I'm pretty sure, by JTAG interface.
Most 2006 and later European phones are unlocked with this procedure, like most Nokia BB5, and this is an example for the Nokia N73
http://www.narrygsm.com/ren77/tornado_n73.jpg

same thing about many motorola models which need to downgrade bootloader to patch unlock, and phone with latest bootloader version , only jtag solution can open the phone

good luck to geohot

Irving said...

So, are we going to get a downgrade or unlock for an OTB 1.2 or not?

kiran said...

Kudos NJ guy kudos!! I am a student in NJ too, I wish I had brains like you!!

Hope u be the main contributor for a 1.1.2 OTB unlock as before!!

You rock big time!!

Luis Carlos said...

I have a PlayStation 3 to do the dirty and hard work.. a piece of cake. Such a powerful processor like the PS3, nobody can compare with a supercomputer.. Bro, I'm ready to help, just tell me what to do. If I have to disassemble the PS3 to set a new testpoint, I'm ready to do it

plouf said...

George,
What if I go and buy an iPhone in France and send it to you?
Is it really useful?

Du Tran said...

No, you need an officially unlocked French iPhone, and to run that program and give the nckget program and give it to geohot.

But I heard that the French iPhone is locally unlocked, which means that you can only use French operators with the French unlocked iPhone.

Sven said...

Hey Hotz,

Just wanted to say all the way from South Africa, keep up the good work man, you and all the other hard working iPhone Freedom Fighters : ) are international legends to all us iPhone users. I'm not a very technical guy, but was just thinking, if you needed serious computing power to crack this, is it not possible to set up a forum and get all interested PS3 users to help out with network processing power somehow? Just a thought, as I have heard Sony use network cluster capabilities of the PS3 for other things....it could turn out to be quite a massive project with lots of people involved! : )

Just a thought!

Thanks for all the hard work buddy!

Silicone Dream said...

As gfx, I'm also willing to help with IDA. Nobody is sharing nothing on that line, except those asking questions (http://iphone.fiveforty.net/wiki/index.php/Talk:1.1.2_Bootloader).

I'm reversing 76330_112_bl46_full_dump0x40000. I'm not sure what it is (other than a hardware image of the flash memory), and I've found the tea algorithm in it at offset 0x232f7c for tea_encrypt and 0x23324c for tea_decrypt.

I'll keep looking around, please share!

Silicone Dream said...

I compiled the bruteforcer on linux, and I'm trying to use it. Estimated ETA is one day? (76k key/sec).

Anyway, how do I get what I need for my phone? the ltoken, rsa_key, key size and "top 8 key"??? anybody knows?

either hardware or software mechanism. (I guess it's only hardware right now?)

André L. Beltrame said...

Hey one of the guys who sent Geo the NCK.. would you send it to me as well?

Geo is right not to give them to me because it's not his info.. but I'm a moderator at hackingt0sh.com, not some random dude asking for info.

Find me at the hackint0sh forums and send me PM if you can do this. my username there is Deco

Thank you!

Bendan said...

i still have 3x OTB 1.1.2 US iPhones. Where can I send the a.plist files?? I would like to help somehow :)

Intra said...

Bendan: this post is about European Apple-unlocked phones...

lovercannes said...

hi there
On this website they announce a major update today for unlocking 1.1.2 oob 4.6
http://www.iphoneunlocked.eu/

any advice ?

kas84 said...

Hi George, do you know what happened to this guy from macgeekblog? The site has been down for 1 week

I guess he gave you the first NCK so I'm imagining you could know something about this.

Thanks

lovercannes said...

hi george no post from you since a long time...
have you seen stevy for dinner ? lol

Edward Johnson said...

The sleep function is declared in unistd.h

Aleš said...

Hi, if you need some computer power for calculating just say.

Alfredo said...

Any news?
Thanks again

Titus said...

Give me an MSN or email I can send some ideas.
Regards

Luis Carlos said...

Hey bro, waiting for a program to calculate iPhone codes. I've the PS3 ready for action (PS3 games are quiteeee bad and boooring)

Mauro Widman said...

The chinese guy says that:

Ver 1.1.2 new solution for the software!

Ver 1.1.2 ROM resume a fixed value, untied RSA, write code to deceive false CPU, boot input CODE, Unlock!

Can you imagine any unlocking scheme from these steps?

Marwan said...

found this in some forum it may help

"They are being consulted, personal speculation is:
He received one or several NCK (boot input CODE is NCK), and then under
RSA (TEA (& seczone [0x400], SHA (NCK + + CHIPID NORID)), rsa_key2) = valid message
This principle was made a deception procedures so that your CPU deceive legitimate users to unlock!"

David said...

Anyone seen this off digg?

http://www.gearlive.com/news/article/q407-iphone-113-firmware-feature-gallery/

They have screenshots of 1.1.3 - not sure if real.

v@g said...

i think i am gonna buy a stealthsim... :( u guys think we' ll have a solution soon?

Happy new year everyone!

Simon said...

Hello Gehoot !!
I'm a teenager, 12 years old and I'm like you: I LOVE the iPhone 3> !
So, I want your MSN address to chat with you about ALL (about the iPhone of course) or your mail please !
Thanks,
See you later
PS: I'm French !

darkmaxxie said...

Hey

I added you on AIM, because I have a quad-core PC which you could use for computing. Just message me :P (By the way, I live in GMT+1, so when will you be on, my time?)

//darkmaxxie

reggy said...

I found some cool free software for my iPhone. It's an earth explorer which enables you to view live satellite images of earth

