- Graphic tutorials on iPhone 3G/3GS flash, jailbreak, unlocking, and software installation
- Iphone unlock Principle
Graphic tutorials on iPhone 3G/3GS flash, jailbreak, unlocking, and software installation
Iphone unlock Principle
Popular Science: various types of iPhone
The principle of software unlocking and the true and perfect unlocking Theory
Because I recently bought the iPhone, I have reviewed the WIKI and hackint0sh.org of DEV TEAM over the past few days to learn more. At present, I have not posted such a post in the Chinese community. I will summarize the posts I have seen over the past few days and send a popular post. All references come from dev team wiki (http://iphone.fiveforty.net/wiki) and hackint0sh.org. In fact, I have a rough look at a lot of things. If there are any errors in the following articles, I have trouble pointing out.
The hardware configuration of the iPhone is relatively high. Although the product is expensive, the cost of the iPhone is certainly much higher than that of the Nokia N95. Now I believe that the iPhone's CPU is a Samsung S5L8900, which has a A-GPS and 3G functionality (this is the case later), but the iPhone's GSM module uses another completely independent system, that's what we often call baseband. This baseband has its own firmware (operating system) and CPU (It's a S-GOLD2, and Siemens's cell phone also uses this CPU, baseband also has its own flash memory used to record the current baseband status. This flash memory is called NOR, and what we call seczone is in it. This baseband has been removed separately for minor changes and can be used as a mobile phone. In fact, the iPhone is a very complicated mobile phone. Every time we update firmware, we actually update the firmware of the iPhone (that is, OS X Darwin), while bbupdater is the firmware of baseband. You can think like this: the iPhone is a computer with a China Unicom CDMA card. You can call and send text messages and access the Internet through a computer. The problem is that the China Unicom CDMA card is locked and can only be connected, what should I do if I want to unlock it? You cannot modify the computer's operating system (Windows XP). Because the control is in the CDMA card, you must try to modify the system on the CDMA card through Windows XP, in order to achieve the purpose of unlocking. 2. Some people may ask, what is perfect unlocking? What is not perfect for unlocking now? A perfect unlock is a real unlock. If your iPhone is unlocked perfectly, your iPhone does not need any baseband firmware that has been patched, your iPhone can be upgraded at any time with the upgrade of Apple's firmware, without any problems. Moreover, your entire iPhone system is an original Apple system without any changes! Just like the software *****, the perfect unlock is the registration code, the software is the software or the set of software. after entering the registration code, the registration code is registered, perfect, and the current unlock, in fact, they are all registration machines, and some parts of the software are patched. So how can we achieve perfect unlocking? As we mentioned earlier, the baseband information in the iPhone is stored in NOR. Yes, NOR stores the current baseband status, including the current unlock status of the iPhone. When the iPhone leaves the factory, all are locked in the ATT network. Some people want to ask: Isn't it perfect if we change this status to unlock? Yes, but the problem is: 1. only the firmware of baseband, that is, the baseband operating system, can read and write the NOR. Moreover, the seczone in NOR is strictly controlled and cannot be written directly by sending instructions. 2. the firmware of baseband is signed by Apple Digital, which means that baseband runs only when the 1024-bit private key of Apple has been signed by firmware. 3. the most important thing is that we don't know what to write to NOR seczone to unlock it. Because the data in NOR seczone is encrypted, either 0 or lock, or 1 is as simple as unlocking, the NOR of each iPhone can be the same before encryption, but each iPhone can be different after encryption, and this encryption mechanism can only be calculated through Apple's private key. So what should I do to achieve perfect unlocking? In fact, you can use the iPhone minicom to send commands to the iPhone's baseband. One of the commands is used to unlock the iPhone, and we know exactly what this command is: AT + CLCK = "PN", 0, "xxxxxxxx" Have you noticed the next eight x? The x is your unlock code, unlock code, or professional statement, called NCK and Network Control Key. Each iphone has a different key, I believe that Apple should use a random mechanism to generate these unlock codes, and then hook them with IMEI or serial numbers and put them in its own database. In the future, when Apple officially provides unlocking, they will tell you the unlock code through your IMEI or serial number to unlock it perfectly. But when you sent the command, how did your iPhone know whether the unlock code was correct or wrong? If the iPhone needs to know right or wrong, the iPhone knows the unlock code, so we can find this code somewhere on the iPhone and unlock it perfectly, right? No! In fact, what is stored on the iPhone NOR is a hash value generated by this code through a special algorithm, which is irreversible (like MD5 ). To put it bluntly, Apple taught the iPhone a set of signals, telling iPhone 1 = duck 2 = Chicken 3 = goose, then encode the unlock code 123 as a "duck chicken goose" and store it in Phone NOR. At this time, the iPhone does not know that the unlock code is 123. It only knows that if someone tells me 123, I calculated according to the Apple code. If the calculation is the same as that of "duck, chicken, and goose", the code that someone else told me is correct. Of course, this process is not that simple. Otherwise, you will be able to crack the password in a guess. At the current computer level, calculate the unlock code back through the hash value, almost impossible. So, are we stuck? Isn't it an 8-digit number? From 00000000 to 99999999, there is always one, right? This method is theoretically acceptable, but actually does not work. There are two reasons: 1. according to rough settlement, it takes 35 days to send these 0.1 billion commands to the iPhone for trial, and it does not take long for the iPhone to be considered. 2. Most importantly, there is an NCK counter in the iPhone's baseband NOR seczone. Once you fail 3-10 times, your baseband will burn your hardware to AT&T. So, for the moment, the iPhone is perfectly unlocked, and there is no such thing. I believe that if Apple doesn't make a big mistake, it won't happen, unless Apple officially launches the unlock function at that time, it is perfect to unlock it. 3. Currently, three types of software are available for unlocking the iPhone: iUnlock, Anysim 1.0.2, and iUnlock Reloaded. These are the same types of software and they all use the iUnlock core code. 2. iPhoneSimFree.com, that is, the unlocking service provided by IPSF that requires payment. Anysim 1.1.1 these three types of unlocking are not perfect! I believe that the three methods work as follows: iUnlockiUnlock directly patches on baseband firmware (I don't know how they skipped Apple's signature check, but I don't know enough ), the token (the token is the value of the hash NCK hook) Check In the NOR of the baseband firmware pair is skipped, And the AT + CLCK is sent to baseband for unlocking, because the token check has been skipped, The NCK iPhone will agree to unlock what is actually sent at this time. In this way, the unlocked baseband will modify the lockstate table in seczone, however, the result is that the data in NOR is no longer "legal", because we do not know what token is, because a patch is installed on baseband firmware, tell baseband firmware not to check the token. After that, your baseband firmware has been patched, not Apple's original baseband firmware. This also led to the later 1.1.1 upgrade. Apple upgraded baseband firmware, And the lockstate table with invalid results led to the iPhone-> brick. At the beginning, everyone thought that the unlocking of IPSF was perfect, and many people thought that the unlocking of IPSF was perfect, because the unlocking process of IPSF needed to contact their server, many believe that they have obtained the unlock code database of the Apple iPhone through a backdoor or other rape means, so they can provide real unlocking. What is widely believed now is that this is a big lie. According to dev team's research, the principle of IPSF unlocking is: They found a vulnerability in the RSA Algorithm in the Apple iPhone, a big Bug. By exploiting this BUG, they cleared the tokens in NOR seczone and constructed a special lockstate table. When the iPhone starts to verify the validity of the token/locktable, because of this BUG, the token + locktable of all 0 can be legally verified, so the iPhone considers this machine to be legally unlocked. This bug was not completed by Apple during the 1.1.1 upgrade, so the IPSF machine can continue to be unlocked after the 1.1.1 upgrade. However, the consequences of doing so are unimaginable! As I mentioned above, the tokens of each machine are different. The tokens of each iPhone are the only one in the world except Apple. No one knows that IPSF clears the tokens of the iPhone, at present, when this bug has not been fixed, the iPhone that IPSF has unlocked can still be used. However, when Apple is fixing this vulnerability, it may not be upgraded, either after the upgrade, the IPSF iPhone becomes useless and basically no medicine can be saved. Anysim 1.1.1's latest Anysim 1.1.1 should be the best software solution at present. Anysim 111 works differently from iUnlock. Anysim 111 does not need to change the token and lockstate table in seczone at all, you do not need to send the AT + XCLK command during the entire unlock process. If you unlock the table after running minicom, you will know whether the lockstate table is locked. anysim 111 uses the baseband firmware patch, skipping the so-called mnc check (network check, I am not very clear about what it is) completely spoofed the iPhone and made the iPhone think it was unlocked. The advantage of this method is that seczone has never been moved, and the content is complete. If Apple upgrades baseband firmware again, it will not be changed if our mobile phone is locked again. Therefore, the so-called change to a "virgin" method is to re-Modify the locktable of the iUnlock modification seczone. As for the seczone destroyed after IPSF is unlocked, you have to let it go ...... Anysim 1.1.1p now has 1.1.1p in anysim. There is only one brief description on google code: "fix the counter problem", that is, "solved the counter problem ". I don't know what this is. I have discussed on hackint0sh that anysim 111 sent the XCLCK command after baseband firmware was updated. According to the working principle of anysim 111, this command is completely unnecessary and completely impossible to succeed. In addition, executing this command will increase the number of NCK attempts to unlock. It is said that the code was removed when anysim 102-> 111 was incorrect. However, this post was denied at the time. It is said that the call has been marked on the source code and will not be called any more. However, the final result is no result. It cannot be determined that the so-called counter refers to the NCK counter. In my opinion, if you want to unlock it now, use anysim 1.1.1p. If you have already used anysim 1.1.1 to unlock it, it doesn't matter at all, anyway, NOR seczone can be completely rewritten (the NCK unlock counter is restored to 0 after the factory status is restored). This NCK counter is already a decoration (as long as you don't have to do anything, you just need to try to unlock it, if you are okay, you will always try to use iUnlock to send the XLCK command, and you will not brush back to seczone. When the NCK counter is too large, I don't know what will happen ). Unlock now. Can you use the official unlocking tool released by Apple in the future? If you have already unlocked the tool, use iUnlock 1.0.2/anysim 1.0.2/anysim 1.1.1/anysim 1.1.1p, in the future, when Apple launches the official unlocking function, you can use the official Apple method to unlock it. All you need is to re-fix seczone (1.02) or refresh back to the original factory baseband firmware (1.0.2/1.1.1). If you have already unlocked and the unlock tool uses the paid solution released by iPhone simfree.com, I don't know if you can use the official solution in the future. I personally think: Your machine may not be able to even upgrade 1.1.2 or more advanced firmware in the future, let alone unlock it, the only thing you can expect is that iPhoneSimFree.com backed up your seczone when unlocking. In addition, if you think you are lucky, you really want to guess your NCK: first brush back to the factory firmware (recovery once), and then refer to the n000b this post: http://bbs.iphone.com.cn/viewthread.php? Tid = 32086. Enter minicom according to the POST method and enter AT + CLCK = "PN", 0, the "NCK code" NCK code ranges from 00000000 to 999999999999,8 digits, and then uses the method in the n000b post to determine whether it has been unlocked. Warning: This method is completely based on current knowledge. I don't know if it is successful or dangerous. If you really want to try it, thank you for your contribution to the iPhone. Please let us know after your attempt. Warning: If you fail over the number of NCK counters, your iPhone may always belong to AT&T. Of course, if someone thinks he is lucky, he can try to refresh the original baseband firmware, and then use minicom to try AT + CLCK = "PN", 0, "Think about 8 digits at will"
Maybe you have guessed it, so congratulations, you have the world's first truly unlocked iPhone, and your iPhone is worth doubled, and it is worth a lot, it is absolutely no problem to go to ebay to sell a 1 w usd instance.