Saturday, April 2, 2011

IPHONE NCK UNLOCK PROGRESS

HISTORY
The NCK key is the key Apple generates when you unlock your iPhone officially, and by officially I mean via your carrier. This "NCK unlock" approach has been known for a few years now, ever since geohot started working on unlocking the iPhone 2G. He developed a program that could "crack" this key, which is 15 digits long and unique to each device. Geohot's NCKBF program could test around 100,000 keys/second, which would take many years to get a hit, or 317 years to complete the whole search. To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even a PS3 (would we still want to use one??) or special hardware (in the 1,000 US$ range) only gives a 20-100 times improvement, which doesn't help much.
Now, luckily, with the exploits available today, they can't unlock your baseband, but they *can* capture more details from the baseband to speed up this cracking method. Because the NORID and CHIPID (unique to every device) are known, you'd apparently only have to check 40 more bits (five digits). A 40-bit key is theoretically crackable on "home hardware" within a week (24/7). The downside of this approach is that you'll have to keep your computer turned on, and your iPhone has to stay connected. And that is why they never tried it before. Please note that this method is completely theoretical and has NOT been tried at all at this moment.

CAPTURE THE ITOKEN FILE OR SECZONE FILE

Overview

IPSF users can probably recover their original seczone token value before IPSF zeroed it out.

Details

Saving the cache

IPSF users should do the following:
  • Make sure you have the BSD subsystem on your iPhone.
  • Log into your iPhone and type: cp $(find /var/root/Library/Caches/bbsimfree -name "*.cache") /ipsf.cache
    • If you get an error like "missing destination file", then you either have no cache or you typed something wrong.
  • Copy that cache off your iPhone and save it! It contains very valuable data.
The existence of this important file was reported by sh1n1gam1 on the iPhone Elite forums.

Using the cache

To recover your token manually, do the following:
  • Using a hex editor, find the LTOKEN1.0 string in the cache and note its starting offset (call this value "a"). In my cache, a = 0x1e7.
  • Compute the offset of the encrypted seczone, which is 0x810 bytes after the start of that string: b = a + 0x810. So for my cache, b = 0x9f7.
  • Extract the 0x2000 bytes beginning at that offset into a file called "en".
  • Run geohot's deipsf program on "en" to produce the "de" file. That is your original seczone.
    • Note that deipsf works only on little-endian architectures like x86 or ARM.
    • Sanity check the "de" file. It should begin with 0x100 bytes of "ff", followed by non-ff bytes. If you don't see that, then something went wrong, so try again.
  • Use the decrypted seczone in a flow like this one: http://rdgaccess.com/iphone-elite/viewtopic.php?t=158


WILL BE BACK WITH MORE AND FULLY WORKING NCK AND LINKS



have fun !!!!