Let’s take a closer look at what is iPhone baseband and how can it be unlocked. Baseband is short for baseband processor. Within a smartphone it can be a separate chip or a separate core. It can control interface with hardware such as audio, voice and mp3 codecs, video display, camera, USB, GPS, Wi-Fi, Bluetooth and so on.

The phone baseband is also called to provide the communication protocols which follow:

• GSM
• GPRS
• Edge
• UMTS

The older versions of iPhone basebands run small RTOS: iPhone, iPhone 3G, iPhone 3GS use Nucleus – a real-time operating system developed by Mentor Graphics. Uses C/C++ development environment using Code Sourcery tools. The source code of this software is closed and is available only for the clients.  It can be run on multiple CPUs and by the end of 2010 there were 2.84 billion devices running this RTOS.

The newer models of iPhones such as iPhone 4 use ThreadX basebands. That type of RTOS uses various threads to run the various modules and operations. It uses multitasking kernel with advanced scheduling, fast interrupt response and very good memory management. Definitely the kernel of such OSes are hard to crash and thats why Apple used ThreadX to run the baseband of iPhone 4. Right now the software unlock can be made on iPhone 2 running baseband version 01.59.00 via ultrasn0w version 1.2.7. Hackers doesn’t seem to have any other iPhone 4 baseband unlocking solution by now.

What is an unlock from baseband’s side? A carrier lock prevents phone’ s use on other networks. The purpose of an unlock is to remove this restriction. Some phones require numeric password to unlock and other unlocks patch bootloader/firmware, removing checks. Those are called the software unlocks.

Here’s the list of iPhone/iPad software baseband unlocks available by now:

1. Unlock by iPhone dev team
2. Unlock by Geohot
3. iPad1 baseband. iPhone 3G(S) will lose GPS functionality

NOTE: Downgrades are generally not possible except for a specific early release 3G bootloader.

As you can see, the baseband is just another embedded system. The use of unlocks allows for runtime access and combining runtime access with a development environment and existing RE methods allows for easy exploration.

Using NOR memory of your iPhone baseband you can find different exploits which you can apply to unlock your phone. The program  will help you to dump NOR memory of your baseband. This program is OpeniBoot which is used to port Linux to older iDevices and you can download it here below.

In case you don’t know NOR is a storage medium like BIOS boot in PC. NOR seczone: This is a protected area of baseband’s NOR memory that includes encrypted data. The phone’s lock state depends on that information. This area is commonly called the NVRAM by mistake. The referring to NVRAM as the part of iPhone’s baseband is totally incorrect. The iPhone baseband doesn’t have any NVRAM, and everything (lockstate, IMEI, NCK) is stored in encrypted state in the NOR memory at the range between:

0xA03FA000 – 0xA03FC000

Here below you will see two action that help you to backup and recover NOR  memory file.

How to Dump NOR Memory (recommended)

Step 1. Download OpeniBoot using link below:

Download OpeniBoot

After downloading just unzip the file in the directory you’ve created and ensure that OpeniBoot guide is not installed on your iPhone.

Step 2. Open terminal and type x: (switch to the folder where the letter), and then type: cd xxx is (to switch to the folder).

Step 3. When terminal indicates your iPhone then enter Recovery Mode.

Step 4. In the Terminal type:

loadibec openiboot.img3

iPhone will load Openiboot interface. Use the switch button to quickly select the console, press the Home key. The computer will be prompted to search for new hardware in the decompressed folder (Win7, Vista, XP) Search Installing the console driver.

Step 5. After the installation is complete in a terminal type:

oibc

to sync terminal and iPhone.

Step 6. Now type in the Terminal:

nor_read 0x09000000 0x0 1048576

Step 7. Now type:

~ norbackup.dump: 1048576

Step 8. Wait till the file is  sent and type:

reboot to restart the iPhone

Step 9. It will generate a norbackup.dump file in the directory you have created for this, so, you should keep this file.

How to Recover NOR Memory

Warning: If your iPhone functions without any boot problems please do not blindly restore!

Step 1. Download this file:

Download norbackup.rar

Note: If is something wrong with that file then try this to download.

Extract it to the directory of the memory.

Step 2. Now you need norbackup.dump file that you have just backed up. So change the file extension from .dump to the .bin and it will look like this:

norbackup.bin

And laeve it in that directory where it was.

Step 3. Open Terminal and type x: (switch to the folder where the letter), and then type: cd xxx is (to switch to the folder)

Step 4. Enter Recovery Mode (when your iPhone will be connected to the computer).

Step 5. In terminal type this:

loadibec openiboot.img3

And iPhone will load Openiboot interface. Use the switch button to quickly select the console, press the Home key.

Step 6. The computer will be prompted to search for new hardware in the decompressed folder (Win7, Vista, XP) Search Installing the console driver.

Step 7. After the installation is complete in a terminal type:

oibc

to sync terminal and iPhone.

Step 8. When Loaded in the terminal, enter:

!norbackup.bin

Step 9. After the file received input:

nor_write 0x09000000 0x0 0x100000

Step 10. Wait fore Done and type:

reboot to restart the iPhone

And that’s it. Now you know how to backup NOR and use that NOR file to recover NOR. I hope it was not difficult for you but if there are some questions then let me know in the comment section below and I will help you. However I’m learning too.

Remember: All you do is on your own risk because this method was tested only on my iPhone and I can’t say for sure about others. And this method works only on iPhone 2G and iPhone 3G.

Also there is another method to dump NOR memory of iPhone baseband, just go here and you will find out how.

We will talk about WildcardTicket which is also called Activation ticket (record).

When your iPhone is locked to some carrier then you need official (wildcard) activation from Apple to unlock your device. After your iPhone is unofficially unlocked by the fruit company then you can’t to connect it to iTunes for updating, syncing and stuff like this. You need to be sure that you’ve got the unlock before connecting to iTunes because when iTunes locates your iPhone it sends its data to Apple. Company’s servers analyse your baseband information like IMEI, ICCID, IMSI and generate Activation Ticket. This ActivationTicket is bound to a specific SIM card. If Apple sees that something is wrong then it locks iPhone again. In other words you can’t use iTunes if your iPhone is unlocked unofficially. SAM unlock is work with the same Wildcard Ticket Activation method to fool Apple Activation server. But you’ve heard SAM not working now. But actual thing is SAM is do working for now if you have Activation ticked but if Apple re-lock the device somehow in that case it will not work. The simple reason is the baseband Seczone not accessible.

But there is a question. How does actually Ultrasn0w works? Because when unlocking device by Dev Team Ultrasn0w you are able to connect and restore it many times as long as don’t update the baseband. The trick is: when using Ultrasn0w it unlock the iPhone baseband on the fly or in other words every time the iPhone boot => Ultrasn0w is sending its exploit to the baseband and unlocks it.

So here I am going to show you one of the possible activation exploits which can be used to find a way to unlock iPhone. Below you will see bunch of AT commands which you need to send to your baseband using Minicom. For more information on Minicom and program installation use this link.

The AT commands like ones shown below should be used for receiving information about Wildcard unlock.

The most important command is:

at+xlck

which permits a properly signed WildcardTicket to allow all ICCIDs+IMSIs. Those unlocks are the “carrier” or “IMEI” unlocks. Those are the unlocks that Apple can theoretically revoke at their discretion. Incidentally, these “Wildcard” unlocks are the only possible exploits these days. SAM unlock functioning principle is very similar to Wildcard unlock as it also uses ICCID and IMSI along with some other data to trick Apple’s servers sending them data that says iPhone is unlocked. When using at+xlck or at+xsimstate commands the Unlocked baseband sends return like this:

+ XLOCK: "PN", 1,0  + XSIM: 2 or (7)

If iPhone is locked then at+xlck returns:

+ XLOCK: "PN", 1,2

Here is the list off all known codes presented in at+xlck and at+xsimstate commands. So lets do some analyse:

Continue to analyze the results before and after the record of this return

at + xlck = 0

OK

at + xlck = 1,1, "key 1"

OK

at + xlck = 1,2, "key 2"

OK

at + xlck = 1,3, "key 3"

OK

at + xlck = 1,4, "key 4"

OK

at + xlck = 2

Should get you:

+ XLOCK: "PN", 1,0  + XSIM: 7

So the baseband is unlocked.

Keys List

Key 1:

020000009a136738e8274df334fca53d6e9e758b0b5af0024d753ed3a9407eae9d8685c027a4cd5f812500bb91bb088b42315b06fed148569c3d81170e9ae9549681457fe8e25dc9232535dc90f2bcaea63aba2b10996fdde753292230b6ea35f6c29d125ca93109d4a14f27d24dc42dbbac66b3154cbbce5734b4f4f52ea4278289f9c8d99619099a0212d707765da387766a50d6e79cca4ffac87cf6d7fd195627a5e2d6b32be2dfec286c510dea4b9448c2617479fc9684b70b3fe080a902101c04ae215c46f4cf27ff2f97b9335cebcc0567bee51075b4b23a8fdcbd8da3aec9d6cf44bf10bf645e7cf7db1fbfd9b88aa829e868e59d1368f05ef5a5c3b6

Key 2:

c0e4b460e4960fa688e722b85101a3cb64a1519f8d7dd731cb4d07692cba4908884cdcb82073b6f6ac2dd6852c5359d5b934340347b460ba08ea2b187f3b7477d8bb0f2eab5116529b5a5da7854a9c2c0c15d2a3ce8a8daa87e01f2ecc66de34a7ed846dfb79266f8497fcb0d4b56bb2329fbe548270f9934b85f3b7987ac0ecfaeb71a2e2b748e5625beb90d92d916591cfdd3e31beef134b51e1441813e362c969c8a41d39105b227025961431897c5914c0ece5d33844c14e7ed32b6ea1496910912d3696d710deb62362ed2706596e1c4fb619e80ddbb7de74385b00eb4d6be0dc49ccdd6455d92b882814afbd0200d8ebbb2ab7441f9b50427dc174c972

Key 3:

532c9e9210c76a6164a2aab9055c8c2bee5f6a7dd79dc1b2fb2bb5f4ea2a918b6865e8c29a1c62b9b0be507f46e8c993629d44443996bdce37aae47e3fb36dbb06f225f7001fa47d8c489a14000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Key 4:

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

So if you have read all the info above and understood nothing here’s the simpler explanation of what’s going on in general steps:

Step 1. You need to send – at + xlck = 0 to receive information about unlock data.

Step 2. Send – at + xlck = 1, x, sending four 512-byte lenth unlock key.

Step 3. Send at + xlck = 2, the implementation of unlock verify operation.

If everything goes right then baseband return  + XLOCK: “PN”, 1,0, if not then it returns to + XLOCK: “PN”, 1,2

Wildcard Ticket wildcard_record.plist

Here is the source of the 4 strings of 512 bytes unlock keys where file with activation information generated its key. I have saved activation ticket manually. Also you can use Redsn0w to do that.

You can find your activation file in the following directory:

 /var/root/Library/Lockdown/activation_records/

Here you can find an .plist file with ICCID which is used to be unique for each SIM. You can use the plist editor to open plist file. There you should find AccountToken field. This is actually activated base64 encoding of the information you need. Decoded base64 encoded string of information, get activated.

ActivationTicket is sent to the baseband unlock key. The key is based on Apple’s server side where it confirms validation of the activation file. If it is not activated then => send Activation ticket to the baseband to get + XLOCK: “PN”, 1,0, and then activate it. You don’t need your original Sim card to be activated. Current activation vulnerability to unlock iPhone is possible when you backup the activation file and don’t update the baseband. After baseband updating your saved activation ticket will failure because it belongs to other baseband firmware version.

I hope this information was helpful for you. Now you have the possibility to use this WildCardTicket exploit as you want. You use of this info is done on your own risk.

The NCK code actually looks like this: 

NO=123456789012345&

It has 15 unique numbers (which also can have different meanings and sign the locktype). Simple bruteforce will take years but if you have those parameters it will take significantly less time to generate the whole code.

NCK codes are used in all mobile phones but Apple iPhone has the most strongest “NCK” protection.

NCK generation algorithm:

In pseudo code, it looks like this

deviceKey = SHA1_hash(norID+chipID)  nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)  rawSignature = generateSignature(SHA1_hash(norID+chipID), SHA1_hash(chipID))  Signature = RSA_encrypt(rawSignature, privateRSAkey)  encryptedSignature = TEA_encrypt_cbc(Signature, nckKey)

So now you can use this algorithm to find exploits to unlock iPhone. I know that it can take a lot of time but there is a real possibility to find the way out. Also I tried to describe you the NCK key signing and verification process in general below. The NOR ID is the hardware chip id burned into the baseband chip of the device. It is actually burned into the chip and the size is 64 bytes for iPhone 3G and 128 bytes for the iPhone 3GS. CHIP IP is the motherboard  id.

Baseband NCK key signing and verification process:

The encryptedSignature is then saved to a protected memory area – the device has been locked. This happens when Apple issues the AT+CLCK=”PN”,1,”NCK” command presumably directly after manufacturing the phone. When testing a network code key, the baseband firmware reads the encryptedSignature, calculates the deviceKey and the nckKey from the entered NCK, decrypts the encryptedSignature with the nckKey using TEA, decrypts it once more with the public RSA key and verifies the signature with the SHA1 hashes of the chipID / norID. Here’s the pseudo code from Dogbert hacker:

deviceKey = SHA1_hash(norID+chipID)  nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)  encryptedSignature = readEncryptedSignature()  Signature = TEA_decrypt_cbc(encryptedSignature, nckKey)  rawSignature = RSA_decrypt(Signature, publicRSAKey)  if ( (rawSignature has correct format) and (rawSignature contains both SHA1_hash(norID+chipID), SHA1_hash(chipID)) and (Lock status byte in rawSignature is OK) )  .. accept every SIM card  else  .. block non-authorized SIMs

A correct NCK key can be stored the application processor part of device. When a certain flag is set, the application firmware (iOS) feeds the NCK into the baseband modem during the boot-up. If the decrypted rawSignature passes the check, the baseband unlocks.

Bruteforcing the NCK from the SecZone

So as you know the NCK code is stored in iPhone baseband memory in the zone which is called SecZone. So the first thing is needed to be done is dumping your NOR memory. When done decrypt it using TEA algorithm (Dogbert’s perl script). There is the algorithm that is used to generate that code. Geohots NCKBF program could do around 100,000 keys/second which would produce a hit in many years, or complete a search in 317 years. But those who don’t know, the Dev Team members have found the NCK to be only of 40 Bits (5 digits) which can theoretically be cracked with a brute force attack.

Big thanks to Dogbert for providing the clearest info on Apple’s NCK algorithm.

This article describes one method of permanent unlock, like NCK key cracking method involved in baseband memory dumping and decrypting. Otherwise you can use this info for your personal iPhone baseband reversing.

I just found this info and thought to myself that it would be great if somebody else read it too. May be you are a strong dude in this and it will help you to develop something that can unlock iPhone permanently.

NOR seczone: This is a protected area of baseband’s NOR memory that includes encrypted data. The phone’s lock state depends on that information. This area is commonly called the “NVRAM” by mistake. The referring to “NVRAM” as the part of iPhone’s baseband is totally incorrect. The iPhone baseband doesn’t have any NVRAM, and everything (lockstate, IMEI, NCK) is stored in encrypted state in the NOR memory at the range between:

0xA03FA000 – 0xA03FC000

This script for dumping NOR is written on Python, so it would be very easy to use for anybody with basic tech knowledges. It was tested on iPhone 2g and should be successfully executed on iPhone 3G and 3GS. Newer versions of iPhone have totally different baseband structure so NOR dump and decryption won’t work here, that’s what we think. But please mention that our community doesn’t claim to be unlocking pros so if you feel to have enough experience to continue exploring this way of unlocking – please go on. You’ll find all the info we have by now in this article and by following links below.

This implementation was written by Dogbert, the shadow hacker who stands behind many iPhone unlock researches from the begining of unlock era back in 2007. Look what does he explain about permanent unlock solution and how this script can be used to decrypt NOR dump file.

Requirements:

• Dumped baseband file from iPhone 2G, 3, 3GS
• Python 2.x Installed
• GMPY 1.12

A way to permanently unlock the iPhone baseband has yet to be found for models other than the first iPhone 2G. In a nutshell, the protection works like this:

• Two identification numbers unique to each device are generated from the NOR flash and baseband CPU serials: the norID and the chipID, 8 respectively 12 bytes in size.
• The device-specific deviceKey is generated from truncating a SHA1 hash of the concatenated and padded norID and chipID.
• A supposedly random NCK (‘network control key’) is SHA1-hashed. With the hashed NCK and the norID and chipID, the second key nckKey is generated. The hashing algorithm uses Tiny Encryption Algorithm (TEA). The nckKey is also device-specific since both the norID and chipIDare used.
• A device-specific RSA signature is generated: two SHA1 hashes are generated from the norID and chipID. The status that the lock has after the correct NCK has been entered is also embedded into this message. The PCKS 1.5 format is used to pad the hashes and the status from (2*160+32) bit to 2048 bit (256 byte).
• The asymmetric RSA algorithm is used for the encryption of the unlock signature. Keep in mind that the algorithm uses two different keys: a private key for encryption and a public key for decryption. With the private RSA key, the signature is encrypted and stored in protected memory.
• This signature is encrypted with TEA once again using the device-specific deviceKey in CBC mode.

So to get all the needed information we have to dump the baseband memory. There is only one public baseband dumper by Dev Team members that can be used only for iPhone 2g baseband, but if you are keen on programming it would be easy to re-implement the working solution. As mentioned MuscleNerd itself there’s nothing difficult about porting this method to iPhone 3G or 3GS.

How to decrypt iPhone NOR dump to use NCK unlock method:

Download iPhone Baseband Decryptor

Open terminal and execute the following

wget http://www.letsunlockiphone.com/scripts/baseband-crypt.py

You can also visit our GitHub source for more scripts.

How to run the script for dummies

Open terminal and navigate to the folder with downloaded script. Then make baseband-crypt.py file executable by typing in terminal:

chmod +x baseband-crypt.py

Now lets modify the file settings to work with out baseband dump file.

nano baseband-crypt.py

Navigate to the last lines and change

analyzeSeczone("seczone.bin")

to point to your seczone dump file. When done press CTRL + X, then press Y. Now you are ready to run the script, type

./baseband-crypt.py

If everything goes well you should see the image like one showed below with your unique baseband CHIP ID, NOR ID, IMEI Signature. But using this command isn’t comfornable because of the dump file size as it will dump all info to the terminal. It’s very uncomfortable to browse through the kilometers of code searching for needed numbers. I am alternatively using simple command in Linux to save all info by script to the text file. To save it just type

./baseband-crypt.py => your_name.txt

It will save all the decrypted info from terminal into the text file called your_name.txt Here is my decrypted dump.

norID:  0a000001 e3a00001 e49df004 e2422001

chipID:  ea000006 e590c004 e79cc102 e35c0000

deviceKey:  de13a689 bb07d494 2b872415 969d0d4c  ea56cc6f

IMEI: 09371812353143345123  IMEI Cert:  00000000 36 b6 5a f6 dd fa d3 f2 cb 0e f2 97 33 0a ba 0a |6.Z.........3...|  00000010 9d 22 d0 64 5f 7a 0f cc 3d 5e 33 2f 0a 12 e4 74 |.".d_z..=^3/...t|  00000020 27 52 8f 46 b0 ec 20 de 73 b4 78 70 70 e6 40 e5 |'R.F.. .s.xpp.@.|  00000030 66 dd ec 72 08 dd 63 ca 0a 94 af a6 cd b3 78 43 |f..r..c.......xC|  00000040 1b 9b 8f b5 8b 87 74 50 db ed 6d 5a ab 5d a8 bf |......tP..mZ.]..|  00000050 d4 a3 2a 0e b5 44 e0 b1 eb 1c 5a 9a 25 06 54 d7 |..*..D....Z.%.T.|  00000060 00 b7 ae c4 74 3f 8b 43 ed e8 21 73 ee d5 a7 ec |....t?.C..!s....|  00000070 b4 de de 56 8a 99 52 50 57 82 f4 a7 99 c3 43 |...V..RPW.....C |

IMEI Checksum:  57fe469e 74e6f70b 5723d104 95710b8f  f8b1ab8e

SecTable Entries  ID Offset Size Entry  0f10 808f c4f3 39038676 D73A9869 5623088B B5DF226A 8FDA306B 73CF7824 C35EE653   CCB97CC7 CCAF52FB 6478B42D 02CCC231 098024E3 5FDB43ED F9C0F720   6C5F8D6E A4DB4EB9 D2DFEF49 8CF26CF4 2F48CB83 DCDE79D0 93FAF356   163A5612 8E7F413F 5CA8534F CC7DCB3A 5C8701C9 BEC77A75 4312CD8B   A60487DB 7B8BF3E7 2987D692 691B6CE6 85F94B0D DC60931A E156679F

So we have here decrypted:

• nor ID
• chip ID
• deviceKey
• IMEI
• IMEI Certificate
• IMEI Checksum
• Other Sectables with there memory ID, Offset, size and Entry

Device norID, chip ID, deviceKey is used in NCK unlock method. IMEI entries can be used to reverse Apple Wildcard Ticket activation process.

I personally find this script  to be very helpful for all iPhone baseband researchers. Bellow is the short video of decrypting my baseband.

What is NOR memory? How can I find it in my iPhone?

NOR flash is used by iPhone’s baseband. This is actually the flash chip for booting up the application processor. NOR can be accessed by using a kernel hack or patched version of iBoot.

S-Gold NORDumper – the iPhone Dev Team’s NOR memory dumper. Extract the contents from the S-Gold2′s NOR memory. Used strictly for analysis and development purposes. S-Gold 2 is the baseband chipset used on iPhone 2G devices. It’s also known as  baseband chip PMB8876.

NORDumper Features:

• dump NOR memory in the bootloader interactive mode (S Gold 2 baseband)
• dump bootloader
• dump the main code
• dump eeprom information

How to Dump iPhone Baseband NOR Memory using NORDumper binary

Step 1: Install openssh (standard  Cydia package) and wget (add http://cydia.myrepospace.com/etgamingx/ repo to your Cydia sources) pachages from Cydia. (you could also use MobileTerminal or any other SSH software)

Step 2: Login into your iPhone and navigate to /usr/bin/ directory

cd /usr/bin/

Step 3: Download NORDumper using following command

wget http://www.letsunlockiphone.com/scripts/NORDumper.tar

Step 4: Extract the bin file from archive:

tar xvf NORDumper.tar

Step 5: set the executable flag to NORDumper with chmod command:

chmod +x /usr/bin/NORDumper

Step 6: We are almost done. Now you have to make some changes to com.apple.CommCenter.plist file in order to dump the memory. Just enter this command in terminal:

nano /System/Library/LaunchDaemons/com.apple.CommCenter.plist

End enter the following files your file

<key>Disabled</key>  <true/>

NOTE: Remember to remove the Disabled key from your com.apple.CommCenter.plist file after dumping the NOR, then reboot, otherwise you won’t be getting any calls.

Step 7: Reboot you iPhone. You can manually reboot or as soon as we are using the terminal we can execute reboot process by entering

reboot

Step 8: Now here is the time to launch our binary file and dump that S-Gold baseband

./NORDumper dump.bin

If everything from the previous setup steps is okay you should see ……… Don’t touch your iPhone while the dump file is writting. Here is the question I’ve found online about baseband dumping process.

Question: I know this is possibly the most time consuming step of the entire (some waiting as long as 30-40mins for this step to complete) and i’m just wondering, what does this “NORdumper” really do? i understand that it is “dumping” something into the file that we are creating “dump.bin” but besides the dump, is there any munipulation happening? Are we writing information into the phone while the dump is taking place? Or is this process strictly dumping the information from the sgold2 chip inside the phone?

Answer: NOR memory is dumped while in the bootloader’s interactive mode; the resulting file will contain the bootloader, the main code, and the eeprom. Somewhere in that mess of binary data is what we’re looking for!

Okay I have successfully dumped my baseband, what can should I do next or how can I read the dump.bin file?

Copy the dump.bin from /usr/bin to your PC and open this file with the Hex Editor. Now select the range 00020000-00304000. In the taskbar it should show 20000-304000 (if not do the selection again) Goto menu edit–> select copy to file. name the file : nor. Open this file (nor) with the hexeditor. Find the row 215148 and change 04 00 A0 E1 to 00 00 A0 E3 and save the file, and upload it to /usr/bin

Use Python script by Dogbert to decrypt the dumped memory file.

There are few iPhone unlock methods. Those are:

• Software unlock with ultrasn0w package from Cydia.
• Hardware unlock (the first iPhone unlock developed by GeoHot). Designed for iPhone 2G.
• Unlock with help of SIM cards  aka Gevey SIM, Gevey Ultra, TPSim, RSim developed mostly by chinese guys. Those unlock are for iPhone 4/4S which couldn’t be unlocked by any software methods right now.
• The iPhone NCK unlock method. This method is imposible unless you dump the iPhone baseband. There is a nice software from Dev Team called iPhone NORDumper. It can dump iPhone 2 baseband memory into the binary file.

Downloads:

My dump.bin file from locked iPhone 2G (S-Gold) locked to AT&T carrier. To download copy command to terminal:

wget http://www.letsunlockiphone.com/scripts/dump.bin

Examples:

Modified com.apple.CommCenter.plist file

<?xml version="1.0" encoding="UTF-8"?>   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">   <plist version="1.0">   <dict>   <key>Disabled</key>   <true/>   <key>HopefullyExitsFirst</key>   <true/>   <key>Label</key>   <string>com.apple.CommCenter</string>   <key>MachServices</key>   <dict>   <key>com.apple.commcenter</key>   <dict>   <key>ResetAtClose</key>   <true/>   </dict>   </dict>   <key>OnDemand</key>   <false/>   <key>ProgramArguments</key>   <array>   <string>/System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenter</string>   </array>   <key>ServiceIPC</key>   <false/>   </dict>   </plist>

Remember another way to Dump the iPhone Baseband is to use OpeniBoot Software from Cydia. I am going to release the short guide soon. NORDumper, hnor, norz and speedynor (the other iPhone baseband dumping tools by Zibri and other iPhone Elite Members) all give the same results when dumping the NOR

Resources:

NOR Flash Chip: theiphonewiki info

This iPhone NCK unlock method was well known over a few years, actually since Geohot started working on unlocking the iPhone 2G. So let’s take a closer look at the NCK brute force algorithm used by Geohot in his NCKBF program.

Before using this exploit you need to know some dependensies like: CHIP ID, NOR ID. The only way to have one is to dump iPhone baseband ( chip) memory by using iPhone NOR Dumper. Then you have to decrypt your memory dump file by using this script by Dorbert hacker.

NCK Code Brute Force Algorithm:

• ltoken_test is a seczone I encoded with the NCK “123456“, it unlocked the iPhone with AT+CLCK=”PN”,0,”123456″ command
• ltoken is the ltoken off my iPhone
• rsa_key2 is the bootloader RSA key

A Quick Note:

• The token is stored encrypted at +0×400 in the seczone

The iPhone NCK Check procedure is as follows:

• Create a TEA key by combining the NCK, NORID, and CHIPID
• Decrypt the token with the TEA key
• One NCK will output a valid RSA message
• This message contains the PKCS header and the NORID/CHIPID key

To summarize:

• RSA(TEA(&seczone[0x400], SHA(NCK+NORID+CHIPID)),rsa_key2)=valid message

As you might know Dev Team has already working  on this NCK brute force exploit. And had already confirmed they need to crack the 40 bits lenth key.

Assuming 3’379’220’508’056’640’625 is the number of combinations to 12 characters, then multiply the result by 35, then by more 35 and then again by 35 and you will get the number of possible values ​​of NCK.

Download Geohot NCKBF Source Code [Private]

This new theoretical unlocking method called NCK unlocking has the possibility (if the Dev-Team are able to carry this method of unlocking out) to permanently unlock the iPhone 4.

If you do not understandany of these words, explains how the activation of the iPhone. Each iPhone baseband has a number of unique identifiers that indicate in which country and whathe was bought for the operator. When activated, this information is sent to theservers at Apple, where is kept the great and terrible a universal database for alliPhone ever sold (imagine how many records?).

If your iPhone if unlocked or if it is locked, but the phone is inserted the correct SIM, Apple servers will be sent in response to the unique iPhone NCK code by which iTunes will activate the unit ofter it connected.