iphone-elite
iPhone Elite Development Team
Updated Oct 24, 2007 by zibree
Labels: Featured, Phase-Design, Phase-Support
Counters  
Initial study on the counter seczone. By Zibri.

Introduction

By "counter seczone" I mean the seczone block at 0xa03fac88.

This block contains the NCK attempt counter and the lock status.

It goes without saying that you can't just put "unlocked" bytes there without the hash of the lock code in the a03fa400 zone.

So, let's have a look at the counters!

Details

This is the unencrypted "counter zone" in four different situations:

1) Virgin state.
2) After one NCK attempt.
3) After TWO NCK attempts.
4) After IPSF.

NCK Counter=0 (Virgin)
 
[0000]  [00]01[05]00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010]   00 00 00 00 01 00 00 00   01 01 05 01 00 00 00 00   ........ ........
[0020]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0040]   05 05 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0050]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0060]   00 00 00 00 00 00 00 00   05 05 00 00 00 00 00 00   ........ ........
[0070]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0080]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0090]   05 05 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00a0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00b0]   00 00 00 00 00 00 00 00   05 05 00 00 00 00 00 00   ........ ........
[00c0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00d0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
 
NCK Counter=1 (Fucked for the first time) :)
 
[0000]  [01]01[05]00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010]   00 00 00 00 01 00 00 00   01 01 05 01 00 00 00 00   ........ ........
[0020]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030]   09 00[01]00[01]00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0040]   05 05 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0050]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0060]   00 00 00 00 00 00 00 00   05 05 00 00 00 00 00 00   ........ ........
[0070]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0080]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0090]   05 05 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00a0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00b0]   00 00 00 00 00 00 00 00   05 05 00 00 00 00 00 00   ........ ........
[00c0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00d0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
 
NCK Counter=2 (Gangbanged) :)
 
[0000]  [02]01[00]00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010]   00 00 00 00 01 00 00 00   01 01 05 01 00 00 00 00   ........ ........
[0020]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030]   09 00[02]00[07]00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0040]   05 05 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0050]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0060]   00 00 00 00 00 00 00 00   05 05 00 00 00 00 00 00   ........ ........
[0070]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0080]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0090]   05 05 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00a0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00b0]   00 00 00 00 00 00 00 00   05 05 00 00 00 00 00 00   ........ ........
[00c0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00d0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
 
AFTER IPSF (cumshot party)
 
[0000]  [02]01[01]04*00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0010]   00 00 00 00 01 00 00 00  *05*05 05 01*00 00 00 00   ........ ........
[0020]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030]   09 00[00]00[00]00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0040]   05 05 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0050]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0060]   00 00 00 00 00 00 00 00   05 05 00 00 00 00 00 00   ........ ........
[0070]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0080]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0090]   05 05 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00a0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00b0]   00 00 00 00 00 00 00 00   05 05 00 00 00 00 00 00   ........ ........
[00c0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[00d0]   00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
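
The bracketed bytes in the dumps above were marked by hand. As an added example (not code from the original page or the iphone-elite project), the following Python script parses the four dumps exactly as they appear on the page, treats the [..] and * markers as whitespace, and reports which offsets differ from the virgin state, so the annotations can be reproduced mechanically. The function names parse_dump, diff_dumps, changed_offsets and nck_counter, and the state labels virgin/nck1/nck2/ipsf, are my own; the embedded copies keep only rows 0x00-0x3f because rows 0x40-0xdf are byte-for-byte identical in all four dumps on the page. Reading offset 0x00 as the attempt counter follows the page's headings (NCK Counter=0/1/2 with the first byte bracketed); no meaning is assigned to any other byte.

```python
import re
from typing import Dict, List, Tuple

# Rows 0x00-0x3f of the four counter-seczone dumps from the page, copied
# with the author's [..] and * change markers intact. Rows 0x40-0xdf are
# identical in all four dumps on the page and are omitted here.
DUMPS: Dict[str, str] = {
    "virgin": """
        [0000]  [00]01[05]00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
        [0010]   00 00 00 00 01 00 00 00   01 01 05 01 00 00 00 00   ........ ........
        [0020]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
        [0030]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
    """,
    "nck1": """
        [0000]  [01]01[05]00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
        [0010]   00 00 00 00 01 00 00 00   01 01 05 01 00 00 00 00   ........ ........
        [0020]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
        [0030]   09 00[01]00[01]00 00 00   00 00 00 00 00 00 00 00   ........ ........
    """,
    "nck2": """
        [0000]  [02]01[00]00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
        [0010]   00 00 00 00 01 00 00 00   01 01 05 01 00 00 00 00   ........ ........
        [0020]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
        [0030]   09 00[02]00[07]00 00 00   00 00 00 00 00 00 00 00   ........ ........
    """,
    "ipsf": """
        [0000]  [02]01[01]04*00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
        [0010]   00 00 00 00 01 00 00 00  *05*05 05 01*00 00 00 00   ........ ........
        [0020]   09 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
        [0030]   09 00[00]00[00]00 00 00   00 00 00 00 00 00 00 00   ........ ........
    """,
}

# A dump row: "[offset]" followed by 16 hex bytes and an ASCII column.
ROW_RE = re.compile(r"^\[([0-9a-fA-F]{4})\]\s*(.*)$")
# Characters that may legitimately appear in the hex region of a row.
HEX_REGION = set("0123456789abcdefABCDEF []*")


def parse_dump(text: str) -> Dict[int, int]:
    """Turn an annotated 16-bytes-per-row dump into {offset: byte}.

    The [..] and * markers are treated as whitespace. The ASCII column is
    cut off at the first character that is neither hex, space nor marker,
    so a printable byte shown there cannot be mistaken for data.
    """
    out: Dict[int, int] = {}
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue  # blank line or anything that is not a dump row
        base = int(m.group(1), 16)
        body = m.group(2)
        for i, ch in enumerate(body):
            if ch not in HEX_REGION:
                body = body[:i]
                break
        tokens = re.sub(r"[\[\]*]", " ", body).split()
        if len(tokens) != 16:
            raise ValueError(f"row {base:#06x}: expected 16 bytes, got {len(tokens)}")
        for i, tok in enumerate(tokens):
            out[base + i] = int(tok, 16)
    return out


def diff_dumps(base: Dict[int, int], other: Dict[int, int]) -> List[Tuple[int, int, int]]:
    """Return (offset, old_byte, new_byte) for every byte present in both dumps that differs."""
    return [
        (off, base[off], other[off])
        for off in sorted(base.keys() & other.keys())
        if base[off] != other[off]
    ]


def changed_offsets(state: str, baseline: str = "virgin") -> List[int]:
    """Offsets whose byte differs between the baseline dump and the given state."""
    return [off for off, _, _ in diff_dumps(parse_dump(DUMPS[baseline]), parse_dump(DUMPS[state]))]


def nck_counter(state: str) -> int:
    """Offset 0x00, which the page's headings label as the NCK attempt counter (assumption)."""
    return parse_dump(DUMPS[state])[0x00]


if __name__ == "__main__":
    virgin = parse_dump(DUMPS["virgin"])
    for state in ("nck1", "nck2", "ipsf"):
        print(f"{state}: counter={nck_counter(state)}")
        for off, old, new in diff_dumps(virgin, parse_dump(DUMPS[state])):
            print(f"  {off:#06x}: {old:02x} -> {new:02x}")
```

Running it lists, per state, the same offsets the author bracketed (0x00, 0x32 and 0x34 after one attempt; 0x02 joins them after the second). Diffing ipsf against nck2 instead of virgin is also informative: the two bytes at 0x32 and 0x34 that the failed attempts had set are back to zero, while 0x00 keeps its value of 2.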

Comment by iliasl, Oct 24, 2007

lol about the comments :)

Comment by jimoupas, Oct 24, 2007

looool

Comment by nukesmd, Oct 24, 2007

Zibri,

If I'm not mistaken, the NCK is not on the phone, but since the phone must be able to tell when the right NCK is entered, it stores a hash of the NCK. It then compares hash(NCK) to the stored hash and if they match... unlock is written.

If we knew the hash routine, could we -- entirely off the phone, say on our PC -- brute force the NCK? The keyspace is 8, correct? A PC-based program, which after having downloaded the expected hash value, brute forces HASH(TEST_NCK) = EXPECTED_HASH could yield the phone's NCK. Of course this would only unlock 1 phone at a time... but is it theoretically possible?

Did I make a mistake in logic?

To the others: Don't reply to tell me about the NCK counter... my potential brute force attack happens on a PC, not on the iPhone!

Comment by zibree, Oct 24, 2007

nukesmd: you are not mistaken BUT:

1) you should do 3-4 bruteforces, then virginize the block, reflash and so on... and that would take ages. Key space should be 10*8 or 10^10.

So now we have 2 chances (and 2 roads that we started to walk on):

1) We find where the counter is increased in the baseband firmware, patch it not to increase, and then bruteforce all keys.

2) Find the way the RSA hash is calculated and bruteforce the hash offline.

The second would be great but it's not easy even to understand a simple checksum since the baseband firmware is OBFUSCATED ARM assembler.

But...yet...we are working on it :)

Comment by snifikino, Oct 25, 2007

Hi,

First thanks to Zibri, the elite dev team and the dev team for all of their hard work.

I like what nukesmd said, yes, getting the hash algorithm and brute forcing would be lovely... but here are a few comments of mine :

1) @zibree: doing the bruteforce on a PC means that we won't waste any attempts on the iPhone, so it should be safe, no need to virginize each time.

2) @zibree : what about qemu ? it's ARM assembler, even if obfuscated, we could still run it, so can it be run on a pc using qemu emulation or something ? I know that we can run ARM programs on maemo's scratchbox for the N800.

What we could do is emulate it on a PC, and use gdb to debug it, find the function entry point that does the hashing, then, no need to reverse-engineer the algorithm, just extract the code into a .as or something and do a call in your code to that offset (actually, if it was/(could be modified to become) a dylib/.so then it would be easy to just load the lib and hardcode the offset of the hashing function). and use the baseband code directly for doing the hashing..

3) @nukesmd : not sure if it would really mean we could unlock one at a time.. considering the fact that the NCK code is all digits, and we know the exact number of digits that need to be entered (not sure if NCK code has fixed number of digits), then we can brute force it "pretty fast" (since we won't be trying 1 digit, 2 digits, 3 digits, etc.. and we'll only bruteforce numbers, not alphanums). And for each attempt, if we don't get our NCK, we will still get the NCK code for someone else... so we could set up a database containing the hash for each NCK code we tried to brute force, then someone could just give to the server his hashed nck and it would return the pre-calculated NCK code that answers to that hash.

What do you guys think ?

KaKaRoTo?

Comment by ijeaston, Oct 30, 2007

snifikino: I think what Zibree is saying is that we don't know the algorithm used to generate the hash for comparison to the actual NCK hash.

Comment by nukesmd, Oct 31, 2007

@snifikino: All great ideas.. i guess implementation is the hard part!

@ijeaston: Yes, you are correct, it seems the hash algo has yet to be discovered.

Comment by snifikino, Nov 01, 2007

Hi,

@ijeaston: Yes, I know the hash algo is still unknown, which is why I said "Getting the hash algorithm". It will of course require some reverse engineering to get the algorithm used for hashing, but once it's done, we should be good to go.

Also, read my second note carefully: I'm talking about using the hash algorithm from the assembly directly with an emulator, so we don't even need to reverse-engineer the algorithm... but I'm not sure if that's even possible (for now).

Comment by namjam105, Feb 07, 2008

Add Source installer : http://iphonebaidu.com/app/ Test iPhone - iPhone Simulator : http://iphonebaidu.com/test/ All Software for Apple MAC : http://iphonebaidu.com/mac-iphone/ All Software for Apple iPhone : http://iphonebaidu.com/mac-iphone/iphone.html

Install iTransformy (.swf) view for iPhone : http://iphonebaidu.com/beta/ Forum, DOwnload Themes, Apps for iPhone. http://iphonebaidu.com/forum/

Copyright © 2008 iPhone Baidu! Inc. All rights reserved
