You all know Geohot, the famous iPhone hacker from the USA. He is the only person who has provided us with a theoretical iPhone NCK brute force exploit, together with his multithreaded NCK brute forcer. The NCKBF program could do around 100,000 keys per second, which on a single computer would take many years to produce a hit and about 317 years to complete the full search. This iPhone NCK unlock method has been well known for a few years, actually since Geohot started working on unlocking the iPhone 2G. So let's take a closer look at the NCK brute force algorithm used by Geohot in his NCKBF program. Before using this exploit you need two device-specific values: the CHIP ID and the NOR ID. The only way to get them is to dump the iPhone baseband (chip) memory with iPhone NOR Dumper, then decrypt the memory dump file with this script by Dorbert hacker.

NCKBF compiled

NCK Code Brute Force Algorithm:

  • ltoken_test is a seczone I encoded with the NCK "123456"; it unlocked the iPhone with the AT+CLCK="PN",0,"123456" command
  • ltoken is the ltoken off my iPhone
  • rsa_key2 is the bootloader RSA key
A Quick Note:
  • The token is stored encrypted at +0x400 in the seczone
The iPhone NCK Check procedure is as follows:
  • Create a TEA key by combining the NCK, NORID, and CHIPID (the hash of their concatenation)
  • Decrypt the token with that TEA key
  • Only the correct NCK produces a valid RSA message
  • That message carries the PKCS header and the NORID/CHIPID key, which is what makes a hit recognisable
To summarize:
  • RSA(TEA(&seczone[0x400], SHA(NCK+NORID+CHIPID)),rsa_key2)=valid message
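To make the check concrete, here is an added example, written for this page and not taken from Geohot's NCKBF source, that models the whole procedure end to end: it derives the TEA key from SHA(NCK+NORID+CHIPID), decrypts the 32 bytes at seczone+0x400, runs the RSA public operation and tests the result for a PKCS header carrying NORID/CHIPID, then loops that check over a candidate list the way a brute forcer would. The page does not give the baseband specifics, so these are assumptions of the example: SHA-1 (first 16 bytes as the TEA key), TEA in ECB mode with big-endian words, PKCS#1 v1.5 type-1 padding, a 32-byte token, and a throwaway RSA key built from Mersenne primes in place of rsa_key2; the NORID, CHIPID and seczone are constructed fixtures, built the same way ltoken_test was built around the NCK "123456". The keyspace helpers at the end reproduce the 35^12 and 35^15 arithmetic from the closing paragraph.

```python
# Added example: a toy model of the NCK check, not Geohot's NCKBF code.
# Hash, cipher mode, padding, token size and RSA key are assumptions (see lead-in).
import hashlib
import struct

# --- TEA: 64-bit block, 128-bit key, 32 rounds ---------------------------------
DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mix(v, ka, kb, s):
    # TEA round function, kept modulo 2**32
    return ((((v << 4) & MASK) + ka) ^ ((v + s) & MASK) ^ ((v >> 5) + kb)) & MASK


def tea_encrypt_block(v0, v1, k):
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + _mix(v1, k[0], k[1], s)) & MASK
        v1 = (v1 + _mix(v0, k[2], k[3], s)) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    s = (DELTA * 32) & MASK  # 0xC6EF3720: the sum after 32 encryption rounds
    for _ in range(32):
        v1 = (v1 - _mix(v0, k[2], k[3], s)) & MASK
        v0 = (v0 - _mix(v1, k[0], k[1], s)) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_ecb(data, key, encrypt):
    """ECB over 8-byte blocks with big-endian words (assumed; the real word order is not on the page)."""
    assert len(data) % 8 == 0 and len(key) == 16
    k = struct.unpack(">4I", key)
    fn = tea_encrypt_block if encrypt else tea_decrypt_block
    out = b""
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(">2I", data[i:i + 8])
        out += struct.pack(">2I", *fn(v0, v1, k))
    return out


def tea_key_from_nck(nck, norid, chipid):
    # SHA(NCK + NORID + CHIPID), truncated to TEA's 128-bit key; SHA-1 is an assumption
    return hashlib.sha1(nck.encode("ascii") + norid + chipid).digest()[:16]


# --- Throwaway RSA key standing in for rsa_key2 (Mersenne primes: demo only, no security)
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus size in bytes (30)
TOKEN_OFF, TOKEN_LEN = 0x400, 32     # token at +0x400 in the seczone; 32 bytes = four TEA blocks

# Constructed device identifiers for the fixture (not real values)
NORID = bytes.fromhex("208e5a01")
CHIPID = bytes.fromhex("0000000020080000")


def pkcs1_type1_unpad(em):
    """Return the payload if `em` is a valid PKCS#1 v1.5 type-1 block (00 01 FF.. 00 data), else None."""
    if len(em) != K or em[:2] != b"\x00\x01":
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # at least eight 0xFF bytes, then the 0x00 separator
        return None
    return em[i + 1:]


def make_seczone(nck, norid, chipid):
    """Constructed fixture: a seczone whose token at +0x400 is an RSA signature over NORID||CHIPID,
    TEA-encrypted under the key derived from `nck` (the same idea as ltoken_test and "123456")."""
    payload = norid + chipid
    em = b"\x00\x01" + b"\xff" * (K - 3 - len(payload)) + b"\x00" + payload
    sig = pow(int.from_bytes(em, "big"), D, N)          # RSA private operation
    token = tea_ecb(sig.to_bytes(TOKEN_LEN, "big"), tea_key_from_nck(nck, norid, chipid), True)
    seczone = bytearray(0x800)
    seczone[TOKEN_OFF:TOKEN_OFF + TOKEN_LEN] = token
    return seczone


def check_nck(seczone, nck, norid, chipid):
    """RSA(TEA(&seczone[0x400], SHA(NCK+NORID+CHIPID)), rsa_key2) must yield a PKCS block carrying NORID/CHIPID."""
    key = tea_key_from_nck(nck, norid, chipid)
    plain = tea_ecb(bytes(seczone[TOKEN_OFF:TOKEN_OFF + TOKEN_LEN]), key, False)
    sig = int.from_bytes(plain, "big")
    if sig >= N:                     # garbage from a wrong key is almost never a valid RSA ciphertext
        return False
    m = pow(sig, E, N)               # RSA public operation with the rsa_key2 stand-in
    payload = pkcs1_type1_unpad(m.to_bytes(K, "big"))
    return payload is not None and (norid + chipid) in payload


def brute_force(seczone, norid, chipid, candidates):
    """NCKBF's loop, over a candidate list instead of the full 35**15 space."""
    for nck in candidates:
        if check_nck(seczone, nck, norid, chipid):
            return nck
    return None


def nck_keyspace(alphabet=35, length=15):
    # 35**12 is the 3,379,220,508,056,640,625 figure on this page; 35**15 is the full NCK space
    return alphabet ** length


def search_years(keys_per_second, keyspace=None):
    """Years to exhaust `keyspace` at a fixed rate on one machine (default: the full NCK space)."""
    keyspace = nck_keyspace() if keyspace is None else keyspace
    return keyspace / keys_per_second / (365.25 * 86400)
```

Calling make_seczone("123456", NORID, CHIPID) and then brute_force over a list such as ["000000", "654321", "123456"] returns "123456". The sig >= N early exit is what keeps a wrong guess cheap: a wrong TEA key turns the token into 256 random bits, which almost never fall below the modulus, so the RSA exponentiation and padding check run only for near hits. search_years(100_000) gives the single-machine time for 35^15 at the rate the page quotes for NCKBF.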
As you may know, the Dev Team has already been working on this NCK brute force exploit and has confirmed that the key to crack is 40 bits long. Taking 3,379,220,508,056,640,625 as the number of combinations for 12 characters (that is 35^12), multiply it by 35 three more times and you get the number of possible NCK values: 35^15, a 15-character code over a 35-symbol alphabet. Note that the figures quoted on this page do not describe one and the same search: 35^15 is about 1.45 × 10^23 (roughly 2^77), which at 100,000 keys per second would take on the order of 4.6 × 10^10 years on one machine, whereas a 40-bit key (about 1.1 × 10^12 values) would be exhausted at that rate in about 127 days, and 317 years at that rate corresponds to about 10^15 keys (roughly 2^50).

Download Geohot NCKBF Source Code [Private]