OTB 1.1.2 iPhone unlock: Progress Report

g0tcha and I finally managed to get the NCK (unlock code) value from the French iPhone
with the help of Geohot. Thanks mate.

It looks like this: "UnlockCode" = "NO=111111111111111&";

The '1's are placeholders for digits, so the unlock code appears to be 15 digits long.
Far too long for a brute-force attack: 15 decimal digits means 10^15 candidates.

We doubt the unlock code is derived from any device ID. It is more likely
that Apple simply stores one in a database for every single iPhone.

Reversing continues…

More details in the extended post…

The NCK is transferred during activation of your iPhone.
A plist file is created on the iPhone and then sent to Apple's web server.
If the iPhone is marked as unlocked in Apple's database, the server replies with the unlock code.

We have managed to send an activation request to Apple's web server and capture the NCK.

OTB 1.1.2 iPhone unlock: Donations needed!

The fund has not reached the goal yet, but we couldn’t wait anymore to start :-)
Here is something you may want to check: Orange iPhone

We bought the French iPhone and we bought the official unlock.
Once we are ready, we will request the unlock.

The donation fund is still running until it reaches the goal:

Donations663 663
Goal749 724

Note: Comments are temporarily closed to protect donors from rude posters.
If you want to get in touch, please do it here

Procedure sent by Apple:

Hello,

The request for d

OTB 1.1.2 iPhone unlock: anySim open source?

In an effort to keep up with Apple’s changes at a faster speed, the iPhone Dev Team
is considering open sourcing AnySIM, the free unlocking solution for the iPhone.

In an exclusive talk with Gizmodo, iPhone Dev Team member Sam said that this move
could “open a lot of possibilities for the future,” mainly in terms of the speed of the
updates and avoiding sloppy and possibly dangerous binary patches.

source

OTB 1.1.2 iPhone unlock: TurboSim works!

If you are impatient and can't wait for a software unlock for your 1.1.2 OTB iPhone,
you can still unlock it with the TurboSim method.

It has been confirmed: it works on the 1.1.2 OTB iPhone!

BUT don't expect it to be the eternal unlock solution for further firmware updates!
The TurboSim unlocking method relies on a baseband firmware weakness that Apple could fix.

TurboSim is available at Bladox.com for 59 EUR

You will need a piece of software for this unlock method.

OTB 1.1.2 iPhone unlock: Bootloader exploits!

You have probably heard that the Dev Team needs a 1.1.3 firmware update
to hack 1.1.2 OTB phones. That may no longer be the case!

Two theoretical exploits have been found in the new bootloader, version 4.6!
And you know what that means: a 1.1.2 OTB software unlock could be coming very soon!

Geohot reported that there are two possible exploits, one hardware and one software.
The coming days should be decisive!

In the meantime, read this great tutorial for 1.1.2 OTB activation: click here

Read about the exploits in the extended post…

Hardware exploit:

The version check reads from 0xA0021000 and 0xA0021004 to get the version
of the main firmware. It then compares the values [0xA0021000] == ~[0xA0021004].
If that check fails it ignores the version check. It is also the only bootloader access
into high flash. So when A16 goes high, pull any data line high or low.
That will cause the check to fail, and hence the version check to be skipped.
And there shouldn't be any other memory accesses in the bootloader, so it'll be fine.
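To make the fail-open behaviour concrete, here is a small model of the gate described above, written for this post and not taken from the bootloader (whose code is not on the page). It assumes a 16-bit-wide NOR part, so that flash address line A16 is CPU address bit 17 (0x20000), which both version-word addresses have set; the flash contents, the glitch emulation and the "fail-closed" variant are constructed for the example. It checks every data line, pulled high or low, and shows that any of them breaks the complement comparison and, with the gate as described, skips the version check rather than halting.

```python
# Constructed model of the 4.6 bootloader version gate described in the post.
# Not the bootloader's own code: only the described behaviour is modelled.

VERSION_ADDR = 0xA0021000      # main-firmware version word (from the post)
VERSION_ADDR_INV = 0xA0021004  # its bitwise complement (from the post)
MASK32 = 0xFFFFFFFF

# Assumption: 16-bit-wide NOR flash, so flash A16 is CPU address bit 17.
# Both version-word addresses have this bit set, matching the post's claim
# that these reads are the bootloader's only access into high flash.
FLASH_A16 = 1 << 17


def make_flash(version):
    """Constructed flash image: the version word and its complement."""
    return {VERSION_ADDR: version & MASK32,
            VERSION_ADDR_INV: (~version) & MASK32}


def read32(flash, addr, glitch_bit=None, stuck_high=True):
    """Read a 32-bit word. When glitch_bit is given, emulate a data line held
    high (or low) for every access made while A16 is high."""
    word = flash[addr]
    if glitch_bit is not None and addr & FLASH_A16:
        if stuck_high:
            word |= 1 << glitch_bit
        else:
            word &= ~(1 << glitch_bit) & MASK32
    return word


def words_consistent(flash, glitch_bit=None, stuck_high=True):
    """The comparison from the post: [0xA0021000] == ~[0xA0021004]."""
    v = read32(flash, VERSION_ADDR, glitch_bit, stuck_high)
    v_inv = read32(flash, VERSION_ADDR_INV, glitch_bit, stuck_high)
    return v == ((~v_inv) & MASK32)


def gate_as_described(flash, glitch_bit=None, stuck_high=True):
    """Fail-open: a mismatch makes the bootloader skip the version check."""
    if words_consistent(flash, glitch_bit, stuck_high):
        return "run-version-check"
    return "skip-version-check"


def gate_fail_closed(flash, glitch_bit=None, stuck_high=True):
    """Hardened variant (constructed): treat a mismatch as corrupted flash
    and halt instead of silently dropping the check."""
    if words_consistent(flash, glitch_bit, stuck_high):
        return "run-version-check"
    return "halt"


def glitch_skips_check_for_every_line(flash):
    """True if forcing any of the 32 data lines, either way, skips the check."""
    return all(gate_as_described(flash, bit, high) == "skip-version-check"
               for bit in range(32) for high in (True, False))


if __name__ == "__main__":
    image = make_flash(0x00010102)          # constructed version value
    print(gate_as_described(image))         # clean read
    print(gate_as_described(image, 7))      # D7 stuck high during the read
    print(gate_fail_closed(image, 7))       # what a fail-closed gate would do
```

Pulling a line high flips a 0 in whichever of the two words had a 0 there; pulling it low flips a 1 in the other. Either way the pair stops being complements, which is why the post says any data line in either direction works. The same model shows the fix a bootloader author would want: a consistency check that guards a security decision has to fail closed.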

Software exploit:

This exploit is in the way the secpack signature is padded.
They did a lot to remove the really bad signature checking of the old bootloader
that IPSF exploited. However, the secpack still has 0x28 bytes of data at the end
that isn't checked for normal secpack sigs. The secpack sig is (0x30 header/padding,
0x14 main fw sha, 0x14 secpack sha, 0x28 unchecked padding).
So by spoofing the first 0x58 bytes of the RSA, you can set any secpack and main fw sha hash
you want. It is very easy in exponent-3 RSA cryptosystems to spoof the first 1/3 of the
message bytes. With some clever math and brute force, the whole 0x58 can be spoofed.

Those findings have been reported by Geohot.

T-Mobile will unlock iPhones!

The German operator Deutsche Telekom announced today that it was going
to sell the iPhone without contract, at the cost of 999 euros, following a decision
of the magistrates’ court of Hamburg.

Deutsche Telekom will also offer customers who have already bought
an iPhone with a contract the option to UNLOCK their phone, it said in an official statement.

I'm curious which unlock method they will use, as there is no unlock for 1.1.2 yet!
Maybe an official unlock will leak soon!

You gotta love Europe!