If you are iPhone user then you noticed that it was almost impossible to break its protection. Not many iPhones can be unlocked today. There are a lot of professionals and just enthusiast that try to unlock baseband but in the same time it is very hard to do.
This article describes one method of permanent unlock, like NCK key cracking method involved in baseband memory dumping and decrypting. Otherwise you can use this info for your personal iPhone baseband reversing.
I just found this info and thought to myself that it would be great if somebody else read it too. May be you are a strong dude in this and it will help you to develop something that can unlock iPhone permanently.
NOR seczone: This is a protected area of baseband's NOR memory that includes encrypted data. The phone's lock state depends on that information. This area is commonly called the "NVRAM" by mistake. The referring to "NVRAM" as the part of iPhone's baseband is totally incorrect. The iPhone baseband doesn't have any NVRAM, and everything (lockstate, IMEI, NCK) is stored in encrypted state in the NOR memory at the range between:
0xA03FA000 - 0xA03FC000
This script for dumping NOR is written on Python, so it would be very easy to use for anybody with basic tech knowledges. It was tested on iPhone 2g and should be successfully executed on iPhone 3G and 3GS. Newer versions of iPhone have totally different baseband structure so NOR dump and decryption won't work here, that's what we think. But please mention that our community doesn't claim to be unlocking pros so if you feel to have enough experience to continue exploring this way of unlocking - please go on. You'll find all the info we have by now in this article and by following links below.
This implementation was written by Dogbert, the shadow hacker who stands behind many iPhone unlock researches from the begining of unlock era back in 2007. Look what does he explain about permanent unlock solution and how this script can be used to decrypt NOR dump file.
Requirements:
- Dumped baseband file from iPhone 2G, 3, 3GS
- Python 2.x Installed
- GMPY 1.12
- Two identification numbers unique to each device are generated from the NOR flash and baseband CPU serials: the norID and the chipID, 8 respectively 12 bytes in size.
- The device-specific deviceKey is generated from truncating a SHA1 hash of the concatenated and padded norID and chipID.
- A supposedly random NCK ('network control key') is SHA1-hashed. With the hashed NCK and the norID and chipID, the second key nckKey is generated. The hashing algorithm uses Tiny Encryption Algorithm (TEA). The nckKey is also device-specific since both the norID and chipIDare used.
- A device-specific RSA signature is generated: two SHA1 hashes are generated from the norID and chipID. The status that the lock has after the correct NCK has been entered is also embedded into this message. The PCKS 1.5 format is used to pad the hashes and the status from (2*160+32) bit to 2048 bit (256 byte).
- The asymmetric RSA algorithm is used for the encryption of the unlock signature. Keep in mind that the algorithm uses two different keys: a private key for encryption and a public key for decryption. With the private RSA key, the signature is encrypted and stored in protected memory.
- This signature is encrypted with TEA once again using the device-specific deviceKey in CBC mode.
How to decrypt iPhone NOR dump to use NCK unlock method:
Download iPhone Baseband Decryptor
Open terminal and execute the followingwget /scripts/baseband-crypt.pyYou can also visit our GitHub source for more scripts.
How to run the script for dummies
Open terminal and navigate to the folder with downloaded script. Then make baseband-crypt.py file executable by typing in terminal:chmod +x baseband-crypt.pyNow lets modify the file settings to work with out baseband dump file.
nano baseband-crypt.pyNavigate to the last lines and change
analyzeSeczone("seczone.bin")
to point to your seczone dump file. When done press CTRL + X, then press Y. Now you are ready to run the script, type
./baseband-crypt.pyIf everything goes well you should see the image like one showed below with your unique baseband CHIP ID, NOR ID, IMEI Signature. But using this command isn't comfornable because of the dump file size as it will dump all info to the terminal. It's very uncomfortable to browse through the kilometers of code searching for needed numbers. I am alternatively using simple command in Linux to save all info by script to the text file. To save it just type
./baseband-crypt.py => your_name.txtIt will save all the decrypted info from terminal into the text file called your_name.txt Here is my decrypted dump.
norID:
0a000001 e3a00001 e49df004 e2422001
chipID:
ea000006 e590c004 e79cc102 e35c0000
deviceKey:
de13a689 bb07d494 2b872415 969d0d4c
ea56cc6f
IMEI: 09371812353143345123 IMEI Cert: 00000000 36 b6 5a f6 dd fa d3 f2 cb 0e f2 97 33 0a ba 0a |6.Z.........3...| 00000010 9d 22 d0 64 5f 7a 0f cc 3d 5e 33 2f 0a 12 e4 74 |.".d_z..=^3/...t| 00000020 27 52 8f 46 b0 ec 20 de 73 b4 78 70 70 e6 40 e5 |'R.F.. .s.xpp.@.| 00000030 66 dd ec 72 08 dd 63 ca 0a 94 af a6 cd b3 78 43 |f..r..c.......xC| 00000040 1b 9b 8f b5 8b 87 74 50 db ed 6d 5a ab 5d a8 bf |......tP..mZ.]..| 00000050 d4 a3 2a 0e b5 44 e0 b1 eb 1c 5a 9a 25 06 54 d7 |..*..D....Z.%.T.| 00000060 00 b7 ae c4 74 3f 8b 43 ed e8 21 73 ee d5 a7 ec |....t?.C..!s....| 00000070 b4 de de 56 8a 99 52 50 57 82 f4 a7 99 c3 43 |...V..RPW.....C |
IMEI Checksum:
57fe469e 74e6f70b 5723d104 95710b8f
f8b1ab8e
SecTable Entries ID Offset Size Entry 0f10 808f c4f3 39038676 D73A9869 5623088B B5DF226A 8FDA306B 73CF7824 C35EE653 CCB97CC7 CCAF52FB 6478B42D 02CCC231 098024E3 5FDB43ED F9C0F720 6C5F8D6E A4DB4EB9 D2DFEF49 8CF26CF4 2F48CB83 DCDE79D0 93FAF356 163A5612 8E7F413F 5CA8534F CC7DCB3A 5C8701C9 BEC77A75 4312CD8B A60487DB 7B8BF3E7 2987D692 691B6CE6 85F94B0D DC60931A E156679FSo we have here decrypted:
- nor ID
- chip ID
- deviceKey
- IMEI
- IMEI Certificate
- IMEI Checksum
- Other Sectables with there memory ID, Offset, size and Entry
Blog
Recent Blog
Ultimate Guide: How to turn Off Restricted Mode on iPhone?
Automate Apple GSX check result obtaining?
iRemove Unlock iPhone 5S, 5C, 5, SE, 4S/4 Software
MacOS High Sierra Features: Set Up Websites in Safari on Mac
How to Enable iOS 11 Mail Reply Notification on iPhone 7
How to Bypass Apple Watch Passcode Problem
Software List
LetsUnlock Services List
iPhone & iPad Activation Lock Bypass
Use LetsUnlock iCloud Tool to bypass Activation Lock Screen on iPhone and iPad running on iOS version up to 14.6.
Read More
Unlock Passcode Disabled iPhone or iPad
LetsUnlock iCloud Tool is ready to remove Find My and unlock your passcode disable device running on iOS 13.x.x in one click!
Read More
MacOS iCloud Activation Lock Bypass
The LetsUnlock Mac iCloud Activation Lock Bypass Tool will help you to remove Activation Lock on an iCloud locked Mac which is stuck on Activation Lock Screen with no need to enter the correct Apple ID and password.
Read More
Mac EFI Firmware Passcode Bypass
The LetsUnlock EFI Bypass Tool is a one button solution, which you click to start the EFI Unlock process. Bypass EFI with out password! Everything else does the software.
Read More
MacOS iCloud System PIN Bypass
The LetsUnlock MacOS iCloud System PIN Bypass Tool was designed to bypass iCloud PIN lock on macOS without passcode!
Read More