Decrypting iPhone Baseband Seczone Dump to use NCK Unlock Method by Dogbert Hacker
If you are an iPhone user, you have noticed that it is almost impossible to break its protection. Not many iPhones can be unlocked today. Many professionals and plain enthusiasts try to unlock the baseband, but it is very hard to do.
This article describes one method of permanent unlock, the NCK key cracking method, which involves dumping and decrypting the baseband memory. You can also use this info for your own iPhone baseband reversing.
I just found this info and thought to myself that it would be great if somebody else read it too. Maybe you are a strong dude in this and it will help you to develop something that can unlock the iPhone permanently.
NOR seczone: This is a protected area of the baseband’s NOR memory that holds encrypted data. The phone’s lock state depends on that information. This area is commonly, but mistakenly, called the “NVRAM”. Referring to “NVRAM” as part of the iPhone’s baseband is incorrect: the iPhone baseband has no NVRAM, and everything (lock state, IMEI, NCK) is stored encrypted in the NOR memory in the range:
0xA03FA000 – 0xA03FC000
The script for dumping the NOR is written in Python, so it is easy to use for anybody with basic technical knowledge. It was tested on the iPhone 2G and should also run on the iPhone 3G and 3GS. Newer iPhone models have a completely different baseband structure, so we believe the NOR dump and decryption will not work on them. Please note that our community does not claim to be unlocking pros, so if you feel you have enough experience to continue exploring this way of unlocking, please go on. You will find all the info we have so far in this article and by following the links below.
This implementation was written by Dogbert, the shadow hacker behind many iPhone unlock research efforts since the beginning of the unlock era back in 2007. Here is what he explains about the permanent unlock solution and how this script can be used to decrypt a NOR dump file. You will need:
- Dumped baseband file from iPhone 2G, 3, 3GS
- Python 2.x Installed
- GMPY 1.12
A way to permanently unlock the iPhone baseband has yet to be found for models other than the first iPhone 2G. In a nutshell, the protection works like this:
- Two identification numbers unique to each device are generated from the NOR flash and baseband CPU serials: the norID and the chipID, 8 and 12 bytes in size respectively.
- The device-specific deviceKey is generated from truncating a SHA1 hash of the concatenated and padded norID and chipID.
- A supposedly random NCK (‘network control key’) is SHA1-hashed. From the hashed NCK together with the norID and chipID, a second key, the nckKey, is generated; this step uses the Tiny Encryption Algorithm (TEA). The nckKey is also device-specific since both the norID and chipID are used.
- A device-specific RSA signature is generated: two SHA1 hashes are computed from the norID and chipID. The status the lock has after the correct NCK has been entered is also embedded into this message. PKCS #1 v1.5 padding extends the two hashes and the status from (2*160+32) bits to 2048 bits (256 bytes).
- The asymmetric RSA algorithm is used to produce the unlock signature. Keep in mind that the algorithm uses two different keys: a private key to encrypt (sign) and a public key to decrypt (verify). The signature is produced with the private RSA key and stored in protected memory.
- This signature is encrypted with TEA once again using the device-specific deviceKey in CBC mode.
So to get all the needed information we have to dump the baseband memory. There is only one public baseband dumper, by the Dev Team members, and it works only for the iPhone 2G baseband, but if you are keen on programming it would be easy to re-implement a working solution. As MuscleNerd himself mentioned, there is nothing difficult about porting this method to the iPhone 3G or 3GS.
How to decrypt iPhone NOR dump to use NCK unlock method:
Download iPhone Baseband Decryptor
Open a terminal and execute the following
You can also visit our GitHub source for more scripts.
How to run the script for dummies
Open a terminal and navigate to the folder with the downloaded script. Then make the baseband-crypt.py file executable by typing in the terminal:
chmod +x baseband-crypt.py
Now let's modify the file settings to work with our baseband dump file.
Navigate to the last lines and change
to point to your seczone dump file. When done, press CTRL + X, then press Y. Now you are ready to run the script; type
If everything goes well you should see output like the one shown below, with your unique baseband CHIP ID, NOR ID and IMEI signature. But running the command this way is not comfortable because of the dump file size: it prints everything to the terminal, and it is very awkward to browse through kilometers of output looking for the numbers you need. Instead I use a simple shell redirection in Linux to save everything the script prints to a text file. To save it, just type
./baseband-crypt.py > your_name.txt
This saves all the decrypted info the script prints to the terminal into a text file called your_name.txt. Here is my decrypted dump.
norID: 0a000001 e3a00001 e49df004 e2422001
chipID: ea000006 e590c004 e79cc102 e35c0000
deviceKey: de13a689 bb07d494 2b872415 969d0d4c ea56cc6f
IMEI: 09371812353143345123
IMEI Cert:
00000000 36 b6 5a f6 dd fa d3 f2 cb 0e f2 97 33 0a ba 0a |6.Z.........3...|
00000010 9d 22 d0 64 5f 7a 0f cc 3d 5e 33 2f 0a 12 e4 74 |.".d_z..=^3/...t|
00000020 27 52 8f 46 b0 ec 20 de 73 b4 78 70 70 e6 40 e5 |'R.F.. .s.xpp.@.|
00000030 66 dd ec 72 08 dd 63 ca 0a 94 af a6 cd b3 78 43 |f..r..c.......xC|
00000040 1b 9b 8f b5 8b 87 74 50 db ed 6d 5a ab 5d a8 bf |......tP..mZ.]..|
00000050 d4 a3 2a 0e b5 44 e0 b1 eb 1c 5a 9a 25 06 54 d7 |..*..D....Z.%.T.|
00000060 00 b7 ae c4 74 3f 8b 43 ed e8 21 73 ee d5 a7 ec |....t?.C..!s....|
00000070 b4 de de 56 8a 99 52 50 57 82 f4 a7 99 c3 43 |...V..RPW.....C |
IMEI Checksum: 57fe469e 74e6f70b 5723d104 95710b8f f8b1ab8e
SecTable Entries
ID    Offset  Size    Entry
0f10  808f    c4f3    39038676 D73A9869 5623088B B5DF226A 8FDA306B 73CF7824
                      C35EE653 CCB97CC7 CCAF52FB 6478B42D 02CCC231 098024E3
                      5FDB43ED F9C0F720 6C5F8D6E A4DB4EB9 D2DFEF49 8CF26CF4
                      2F48CB83 DCDE79D0 93FAF356 163A5612 8E7F413F 5CA8534F
                      CC7DCB3A 5C8701C9 BEC77A75 4312CD8B A60487DB 7B8BF3E7
                      2987D692 691B6CE6 85F94B0D DC60931A E156679F
So we have here decrypted:
- nor ID
- chip ID
- IMEI Certificate
- IMEI Checksum
- Other SecTable entries with their memory ID, offset, size and entry data
The device norID, chipID and deviceKey are used in the NCK unlock method. The IMEI entries can be used to reverse the Apple wildcard ticket activation process.
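As an added example (not part of the article or of Dogbert's script), here is a small Python helper that turns the hex-dump layout printed above back into raw bytes and checks the ASCII column against the hex bytes, so a dump line mangled in transit (as the 0x20 line of the IMEI Cert above was by a web filter when this article was copied around) is rejected instead of being silently mis-parsed. The sample input is the article's own IMEI Cert dump.

```python
import re

# The IMEI Cert hex dump exactly as baseband-crypt.py printed it in the article:
# 127 bytes over 8 lines of "offset, up to 16 hex bytes, |ASCII column|".
IMEI_CERT_DUMP = """\
00000000 36 b6 5a f6 dd fa d3 f2 cb 0e f2 97 33 0a ba 0a |6.Z.........3...|
00000010 9d 22 d0 64 5f 7a 0f cc 3d 5e 33 2f 0a 12 e4 74 |.".d_z..=^3/...t|
00000020 27 52 8f 46 b0 ec 20 de 73 b4 78 70 70 e6 40 e5 |'R.F.. .s.xpp.@.|
00000030 66 dd ec 72 08 dd 63 ca 0a 94 af a6 cd b3 78 43 |f..r..c.......xC|
00000040 1b 9b 8f b5 8b 87 74 50 db ed 6d 5a ab 5d a8 bf |......tP..mZ.]..|
00000050 d4 a3 2a 0e b5 44 e0 b1 eb 1c 5a 9a 25 06 54 d7 |..*..D....Z.%.T.|
00000060 00 b7 ae c4 74 3f 8b 43 ed e8 21 73 ee d5 a7 ec |....t?.C..!s....|
00000070 b4 de de 56 8a 99 52 50 57 82 f4 a7 99 c3 43 |...V..RPW.....C |
"""

# One dump line: 8 hex digits of offset, 1..16 "xx " byte pairs, then the ASCII column.
LINE_RE = re.compile(r"^([0-9a-fA-F]{8}) ((?:[0-9a-fA-F]{2} ){1,16})\|(.*)\|$")


def render_ascii(chunk: bytes) -> str:
    """Printable ASCII stays, everything else becomes '.', as the dumper renders it."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)


def parse_hexdump(text: str) -> bytes:
    """Rebuild the raw bytes; reject offset gaps or an ASCII column that disagrees
    with the hex (e.g. a line damaged by copy/paste or by a web filter)."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in hexdump layout")
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"line {lineno}: offset does not follow on from the previous line")
        chunk = bytes.fromhex(m.group(2))  # fromhex ignores the separating spaces
        if m.group(3) != render_ascii(chunk).ljust(16):  # a short last line is space-padded
            raise ValueError(f"line {lineno}: ASCII column does not match the hex bytes")
        out += chunk
    return bytes(out)


def dump_is_consistent(text: str) -> bool:
    """True when every line parses and the hex and ASCII columns agree."""
    try:
        parse_hexdump(text)
        return True
    except ValueError:
        return False
```

Run parse_hexdump on the saved your_name.txt section to get the certificate bytes for further analysis; any line the script did not produce as-is fails the check.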
I personally find this script to be very helpful for all iPhone baseband researchers. Below is a short video of decrypting my baseband.