NCK iPhone Unlock: Definition and Usage of NCK Code
Lots of you have probably heard of iPhone NCK unlock. NCK means Network Control Key, that’s an ancient dream of all the hackers to unlock an iPhone using NCK code. This way will open the possibility to permanent unlock all the released units despite of iOS version and baseband version. That method worked for iPhone 2G but since that time lots of things changed in iPhone’s baseband structure and right now this method is very difficult to be implemented to unlock such devices as iPhone 3G/3GS/4/4S as there is activation process based on Apple Server side. So let’s try to figure out what is NCK code and how can it help by unlocking Apple’s devices.
The NCK code actually looks like this:
It has 15 unique numbers (which also can have different meanings and sign the locktype). Simple bruteforce will take years but if you have those parameters it will take significantly less time to generate the whole code.
NCK codes are used in all mobile phones but Apple iPhone has the most strongest “NCK” protection.
NCK generation algorithm:
In pseudo code, it looks like this
deviceKey = SHA1_hash(norID+chipID) nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey) rawSignature = generateSignature(SHA1_hash(norID+chipID), SHA1_hash(chipID)) Signature = RSA_encrypt(rawSignature, privateRSAkey) encryptedSignature = TEA_encrypt_cbc(Signature, nckKey)
So now you can use this algorithm to find exploits to unlock iPhone. I know that it can take a lot of time but there is a real possibility to find the way out. Also I tried to describe you the NCK key signing and verification process in general below. The NOR ID is the hardware chip id burned into the baseband chip of the device. It is actually burned into the chip and the size is 64 bytes for iPhone 3G and 128 bytes for the iPhone 3GS. CHIP IP is the motherboard id.
Baseband NCK key signing and verification process:
The encryptedSignature is then saved to a protected memory area – the device has been locked. This happens when Apple issues the AT+CLCK=”PN”,1,”NCK” command presumably directly after manufacturing the phone. When testing a network code key, the baseband firmware reads the encryptedSignature, calculates the deviceKey and the nckKey from the entered NCK, decrypts the encryptedSignature with the nckKey using TEA, decrypts it once more with the public RSA key and verifies the signature with the SHA1 hashes of the chipID / norID. Here’s the pseudo code from Dogbert hacker:
deviceKey = SHA1_hash(norID+chipID) nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey) encryptedSignature = readEncryptedSignature() Signature = TEA_decrypt_cbc(encryptedSignature, nckKey) rawSignature = RSA_decrypt(Signature, publicRSAKey) if ( (rawSignature has correct format) and (rawSignature contains both SHA1_hash(norID+chipID), SHA1_hash(chipID)) and (Lock status byte in rawSignature is OK) ) .. accept every SIM card else .. block non-authorized SIMs
A correct NCK key can be stored the application processor part of device. When a certain flag is set, the application firmware (iOS) feeds the NCK into the baseband modem during the boot-up. If the decrypted rawSignature passes the check, the baseband unlocks.
Bruteforcing the NCK from the SecZone
So as you know the NCK code is stored in iPhone baseband memory in the zone which is called SecZone. So the first thing is needed to be done is dumping your NOR memory. When done decrypt it using TEA algorithm (Dogbert’s perl script). There is the algorithm that is used to generate that code. Geohots NCKBF program could do around 100,000 keys/second which would produce a hit in many years, or complete a search in 317 years. But those who don’t know, the Dev Team members have found the NCK to be only of 40 Bits (5 digits) which can theoretically be cracked with a brute force attack.
Big thanks to Dogbert for providing the clearest info on Apple’s NCK algorithm.