iPhone 4 Unlocking. NCK-Bruteforce Research
Every iPhone has a NORID (8 bytes) & CHIPID (12 bytes) unique to each phone.

  • Where is this stored? NOR? seczone? Can it be dumped?

An iPhone requires a NCK to unlock. From what I understand the NCK is 15 characters.

  • Is it numeric, alpha or alphanumeric?

The security token for check if the NCK is valid is stored encrypted at +0x400 in the seczone.

  • Is this correct?

Based on what I've read from dogbert's blog, the security token is created using a method similar to the following pseudo code:

deviceKey = SHA1_hash(norID+chipID)

nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)

rawSignature = generateSignature(SHA1_hash(norID+chipID), SHA1_hash(chipID))

Signature = RSA_encrypt(rawSignature, RSAkey)

security token = TEA_encrypt_cbc(Signature, nckKey)

  • Is the pseudocode correct? If it is, then what is the custom hash that is being used? What is being used to generate the rawSignature? What is the RSAKey that is being used? Is it a public key that can be found in the phone?

If the above pseudocode is CORRECT, then we would have to bruteforce all 15-character combinations to find the correct NCK key, right? Because, even though we are able to recover the NORID and CHIPID, we will not be able to use that information to shorten the number of characters which we need to find.

  • Correct?

New generations of iPhone OS contain a wildcard ticket that is generated during the activation process.

  • But this should be no problem to generate once we have the NCK, right? Correct?

Infold answered 18/11, 2011 at 10:39

I got bumped from the Apple Stack Exchange, saying that this is a programming-related question. So I guess I'll ask it here. - Infold

The iPhone dev team was working on this NCK cracking thing; you should search their blog also to see if they published anything that might help you. Also, according to one of their members, the NCK is just 40 bits. - Grease

Hi, yes, I know they were working on it. But no further details; I'm looking for more technical details such as what algorithms are used, what has been done, how they came to the figure of 40 bits. I have tried to twitter them but no response yet. The thing is that, if the above algorithm I read about is correct, then having the NORID and CHIPID is not going to help, and we still have to bruteforce all 15 characters. - Infold

For those of you interested, here's the research I've got so far: george.insideiphone.com/?p=228 ithinkdiff.com/… - Infold

Wish I saw this last week. I had dinner with the guy who designed this scheme and he had quite a few beers. I probably could have gotten you an answer. - Vercingetorix

Hey David, you had dinner with the guy who designed the iPhone security scheme or the brute force scheme? I'm actually interested to know why we are not brute forcing the NCK to unlock iPhones, since the information which we need can be retrieved from the iPhone. - Infold
  1. The NOR ID is the hardware chip id burned into the baseband chip of the device. I don't know where you are getting the 8 bytes from but it is actually burned into the chip and the size is 64 bytes for iPhone 3G and 128 bytes for the iPhone 3GS.

  2. The NCK is a 15-digit number (base 10, so it is not alphanumeric), i.e. the max NCK would be 999999999999999.

Your device key is wrong.

It should read:

deviceUniqueKey = SHA(NCK + CHIPID + NORID)

teaEncryptedData = &seczone[0x400]

rsaEncryptedData = TEA_DECRYPT(teaEncryptedData, deviceUniqueKey)

validRSAMessage = RSA_DECRYPT(rsaEncryptedData, rsaKey)

When your NCK produces a valid RSA message, you have found the correct NCK to unlock your device.

Danube answered 11/1, 2012 at 20:49

Hey Chris, thanks for your answer. Could you point me in the direction of where you got your information? Also the million dollar question: at this moment we are able to retrieve all information needed from the iPhone, so it would be possible to bruteforce the NCK, right? I mean I have at my disposal at least 100 PCs networked up, I can write distribution code to ease the brute force, and with some tweaking of the algos we should not take a long time to get a 15-digit key. I'm just curious why it's not being considered by the unlock community. - Infold

The primary reason is because a bootrom-level exploit is necessary to get the seczone data. There hasn't been a public one since the iPhone 4. - Danube
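A toy model of the check Danube describes, added here as an example (it is not code from the page, the dev team or Apple): it derives the key from NCK + CHIPID + NORID, TEA-CBC-decrypts a constructed token, and sizes the 15-digit keyspace, which shows why knowing the device IDs does not shrink the search Infold asks about, since the NCK enters only through the hash. The zero IV, big-endian TEA word order, truncating SHA-1 to a 128-bit key, the sample IDs and the fixed message standing in for the RSA layer are all assumptions.

```python
import hashlib, struct, math
M, DELTA = 0xFFFFFFFF, 0x9E3779B9

def _tea_block(block, key, decrypt):
    """One 64-bit TEA block under a 128-bit key (big-endian word order is an assumption)."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    if decrypt:
        s = (DELTA * 32) & M
        for _ in range(32):
            v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & M
            v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & M
            s = (s - DELTA) & M
    else:
        s = 0
        for _ in range(32):
            s = (s + DELTA) & M
            v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & M
            v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & M
    return struct.pack(">2I", v0, v1)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tea_cbc(data, key, decrypt, iv=bytes(8)):
    """CBC over 8-byte blocks; the zero IV is an assumption (the question only says 'cbc')."""
    out, prev = b"", iv
    for i in range(0, len(data), 8):
        blk = data[i:i + 8]
        if decrypt:
            out += _xor(_tea_block(blk, key, True), prev)
            prev = blk
        else:
            prev = _tea_block(_xor(blk, prev), key, False)
            out += prev
    return out

def device_unique_key(nck, chip_id, nor_id):
    """Danube's deviceUniqueKey = SHA(NCK + CHIPID + NORID); truncating SHA-1 to 128 bits is an assumption."""
    return hashlib.sha1(nck.encode() + chip_id + nor_id).digest()[:16]

def token_is_valid(token, nck, chip_id, nor_id, expected):
    """Stand-in for the RSA layer: the TEA-decrypted token must equal a known-structure message."""
    return tea_cbc(token, device_unique_key(nck, chip_id, nor_id), True) == expected

def search_cost(candidates, per_second, nodes=1):
    """Keyspace in bits, and days for a full sweep at per_second checks on each of `nodes` machines."""
    return math.log2(candidates), candidates / (per_second * nodes) / 86400

# Constructed sample IDs (sizes from the question) and a token built from them; not real device values.
SAMPLE_CHIP_ID, SAMPLE_NOR_ID, SAMPLE_MSG = bytes(range(12)), bytes(range(8)), b"VALIDRSAMESSAGE0"
SAMPLE_TOKEN = tea_cbc(SAMPLE_MSG, device_unique_key("123456789012345", SAMPLE_CHIP_ID, SAMPLE_NOR_ID), False)
```

Changing a single NCK digit changes the derived key completely, so the only quantity that bounds the search is the 15-digit space itself (about 2^49.8 candidates), not the recovered NORID and CHIPID.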

Here is the Python script that can decrypt iPhone baseband memory, so you will be able to get all the NCK tokens, like:

CHIP ID, NOR ID, IMEI hashes, TEA hashes

This script was used only for old basebands (S-Gold chipset), but you can always make your own. Also, here are some ways to dump the iPhone baseband into a file by using the iPhone core dump function or another script like NOR dumper. Hope this helps.

Watanabe answered 7/6, 2013 at 8:11