  #1 alex1015 (rank: iPhone? More like MyPhone; joined Mar 2008; 169 posts)

    Current State of the Unlock

    The current state of the unlock seems to be different from the methods before. Based on tweets, what I've gathered is that the crash found, while exploitable, isn't necessarily perfect as an injection vector.

    The traditional method was code injection via a loader and a start-up daemon. As musclenerd tweeted, this wasn't working with all the SIMs tried.

    Instead he mentioned that the NCK is just 40 bits. What this means is that it can be easily brute-forced by an average household computer in just a few days max. That is to say, attempting to encrypt every possible combination and comparing the encrypted strings to verify a match.

    To do this, though, the NOR and SGOLD IDs are needed; this is where the current crash comes in. It is used to retrieve these and make the brute-force attack possible.

    This seems to be roughly confirmed by what sherif_hashim has tweeted, and as a backup he mentioned he is looking into new crashes.

    If this new method appears it could be different from any unlock before. It would still require a baseband exploit, but the advantage of cracking the NCK is that the phone would behave as a standard factory-unlocked phone would.

  The Following 2 Users Say Thank You to alex1015 For This Useful Post: RIKKI123 (03-10-2011), Simon (03-10-2011)

  #2 (rank: Green Apple; joined Jun 2010; 67 posts)

    Quote Originally Posted by alex1015 (post #1 above)
    Thank you VERY much for putting things into perspective and making it easier for us laymen to understand the whole unlock situation. I'm still a bit agitated, but hey, call me an optimist... or an idiot, I still have faith in the devs.

  #3 alex1015 (rank: iPhone? More like MyPhone; joined Mar 2008; 169 posts)

    I don't have much background with unlocking, but I know that with modern programs and CPU power, 40 bits is trivial. Now both CPU and GPU power can be used by programs.

    The NCK brute-force attempt geohot created for the original iPhone would have taken years, as it did not use the NOR and SGOLD chip IDs (unique per phone).

  #4 (rank: Green Apple; joined Jun 2010; 67 posts)

    Sorry, just to clarify, does this mean MORE time is needed, but it's possible?
    I'm completely oblivious to tech talk.
    Thanks again for the time and effort in writing up this information; this forum needs more people like you rather than the DRONE of people writing their complaints.

  #5 alex1015 (rank: iPhone? More like MyPhone; joined Mar 2008; 169 posts)

    Well, yes, more time is definitely needed. The exploit will be used to retrieve the SGOLD and NOR IDs. These will then be used in conjunction with a brute-force program on the computer (presumably).

    The uses for the exploit (SGOLD and NOR IDs) should be relatively simple. The brute-force program and testing should take the most time. This general procedure is entirely new. As for a timeframe... your guess is as good as mine. As we know, unexpected roadblocks are... expected.

    The more that is known about the NCK the better. If it is all a certain type of characters etc., this will all reduce the cycles needed to brute-force the key.

  #6 (rank: Green Apple; joined Jun 2010; 67 posts)

    Right, okay, thanks for the third time. At least we know it's a painfully complex procedure and that the devs are working hard.

  #7 alex1015 (rank: iPhone? More like MyPhone; joined Mar 2008; 169 posts)

    The nice thing is, if this works, then once the NCK is obtained from a vulnerable baseband it could presumably be used on subsequent basebands even if they are not vulnerable. Therefore even with an iOS update you'd maintain the unlock if you obtained it once.

    On a side note, I was a bit leery of this after 4.3, as there was never any explicit dev team confirmation like we typically see. Musclenerd only just announced that the attempted code injection wasn't working. We have no idea how long ago he discovered that. Odds are it wasn't just yesterday when it was tweeted. I only know as much as the tweets, and the rest is speculation and minor knowledge from a background with encryption and decryption.

  The Following User Says Thank You to alex1015 For This Useful Post: RIKKI123 (03-10-2011)

  #8 (rank: What's Jailbreak?; joined Jul 2009; 24 posts)

    Do you think it would be possible in about 2 ~ 3 weeks or so?
    Or will it take longer than that?
    Just wondering.

  #9 i.Annie, Super Penguin Mod (joined Jun 2009; Ohio; 15,297 posts)

    I am guessing it would take a bit of time. Longer than usual maybe, but maybe not. Those devs are smart.

    Alex, does this mean they have to start all over or just adjust what they have now?

  #10 Simon, Superbad Moderator (joined Nov 2007; Bermuda; 38,301 posts)

    This brute-force method is a whole different ballgame, which sounds to be in its infancy, so it could be a ways off, but it could potentially be a much better means of unlocking. Thanks alex1015 for the post.

  #11 alex1015 (rank: iPhone? More like MyPhone; joined Mar 2008; 169 posts)

    It's better in the sense that it would allow a permanent solution.

    The exploit already exists to obtain the keys so it's not exactly starting from scratch. If musclenerd knows the keys can be obtained via the exploit then odds are he's done it before.

    But at the same time, it is an entirely different method of unlock. Instead of sneaking in through a crack in the door, we're looking through to see what the lock looks like and fashioning our own key.

    Ultrasn0w methods before always used the exploit to load custom code. This time the exploit is being used for keys. It's interesting to note that exploits can usually only allow a very small amount of arbitrary code to be executed, so a loader is created which allows much more code to be run. I believe in the last version of ultrasn0w this was planetbeing's work, and he seems to have gone back to the real world for now.

    Again I have no experience with iPhone or baseband hacking, just a marginally related field so this is pure speculation.

    The iPhone wiki has a page related to this (we'd be class 1 instead of class 2 this time)

    http://theiphonewiki.com/wiki/index....old_608_Unlock
    http://theiphonewiki.com/wiki/index....old_618_Unlock
    Last edited by alex1015; 03-10-2011 at 06:37 PM.

  #12 i.Annie, Super Penguin Mod (joined Jun 2009; Ohio; 15,297 posts)

    I'm understanding this better now, thank you.

  #13 Simon, Superbad Moderator (joined Nov 2007; Bermuda; 38,301 posts)

    Ya, planetbeing being MIA is a big reason there is no unlock yet, IMO. Honestly, I don't think there will be another one unless he or someone else in the same league as him steps up to the plate. The only people I think are in the same league as him are geohot and maybe comex.

  #14 i.Annie, Super Penguin Mod (joined Jun 2009; Ohio; 15,297 posts)

    Too bad GeoHot is a bit busy right now. Hopefully he gets out alive. I think we should be looking at Comex then?

  #15 Raptors, Theme Creator (joined Mar 2009; 2,413 posts)

    I don't see comex making an unlock, and geo has problems of his own right now. We'll see.

  #16 Simon, Superbad Moderator (joined Nov 2007; Bermuda; 38,301 posts)

    Ya, I don't think comex will either, but I think he could if he wanted to.

  #17 i.Annie, Super Penguin Mod (joined Jun 2009; Ohio; 15,297 posts)

    Wah this looks like bad news then. This is why I chose to go to an official carrier. No more worries about unlocking. It was so stressful before when I was on T-Mobile.

  #18 Simon, Superbad Moderator (joined Nov 2007; Bermuda; 38,301 posts)

    It's bad news, but with a silver lining.

  #19 i.Annie, Super Penguin Mod (joined Jun 2009; Ohio; 15,297 posts)

    I hope it turns out well though. I get excited for unlocks so I can copy and paste this response: "upgrade to 4.3 in iTunes, Jailbreak with XXXX, and install unlock from Cydia" lol.

    No bb preservations, no custom firmwares, the joy!

  #20 Simon, Superbad Moderator (joined Nov 2007; Bermuda; 38,301 posts)

    Ya, always good when that happens, although it is rare for the stars to align like that.
