WildcardTicket

The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". When an iPhone is activated, the ticket is fetched from Apple's server and stored on the device. It carries all of the device's SIM lock and net lock (carrier lock) information. Factory-unlocked and carrier-unlocked devices receive a wildcard ticket whose policies permit every SIM card.

Ticket Layout
0x0  Version number (2 for iPhone 3G and 3GS)
0x4  Encrypted ticket

The encrypted part is decrypted with TEA (Tiny Encryption Algorithm) in CBC mode, using a key derived by hashing the NORID, CHIPID, IMEI and a salt; the key is therefore bound to one specific device. The decrypted ticket has the following layout:

0x000        Certificate length (in bits)
0x004        Certificate serial (usually 1)
0x008        Public key length (in bits)
0x00c        Public key exponent
0x010-0x090  Public key (RSA key 3)
0x090-0x110  Montgomery reduction
0x110-0x190  Certificate over the first 0x110 bytes, signed with RSA key 2
0x190-0x19B  ICCID mask (bits relevant for the SIM lock)
0x19C-0x1A3  IMEI
0x1A4-0x1B7  Hash of several hardware IDs (IMEI, NORID, CHIPID)
0x1B8-...    Table of "policies" (net lock)

Attached to the decrypted ticket is a further certificate (0x80 bytes) signed with RSA key 3, whose public key is the one stored at 0x010.

Policy Table Layout
0x0  Total length of the policy table in bytes

Each item is 12 bytes in size and has this structure:
0x0-0x2  ID
0x2-0x4  Type (meaning not known)
0x4-0xC  IMSI mask

Each nibble of the 8-byte IMSI mask encodes one decimal IMSI digit (0x0 to 0x9); the wildcard, written as "?" in the examples below, is encoded as 0xE. A carrier lock therefore fixes the leading digits (the MCC and MNC identifying the carrier) and wildcards the subscriber part.

AT&T USA
IMSI mask
310150?????????
310170?????????
310410?????????
311180?????????
310980?????????
Taken from an iPhone 3GS from AT&T.

T-Mobile Germany
IMSI mask
26201??????????
26201??????????
26201??????????
Taken from an iPhone 3G from T-Mobile Germany.

Factory Unlocked Device
IMSI mask
???????????????
Every nibble is the wildcard, so any SIM is accepted.
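As an added example covering both the policy table layout and the carrier masks listed above (constructed here; not code from the original page), this Python encodes masks into the nibble form, builds and parses a length-prefixed table of 12-byte items, and decides whether an IMSI is permitted by the table. Assumptions the page does not state: the first IMSI digit sits in the high nibble of the first mask byte, the unused 16th nibble is padded with the wildcard 0xE, the length word and the ID/type halfwords are little-endian, the length field counts itself, and the type field is set to 0 as a placeholder because its meaning is unknown.

```python
import struct

# Added example, not code from the original page. Assumptions (not stated on
# the page): high nibble first, 16th nibble padded with 0xE, little-endian
# length/ID/type, length field includes its own 4 bytes, type 0 as placeholder.

WILDCARD_NIBBLE = 0xE
MASK_BYTES = 8
ITEM_SIZE = 12


def encode_imsi_mask(pattern):
    """'310150?????????' -> 8 bytes, one nibble per IMSI digit, '?' -> 0xE."""
    if len(pattern) > 2 * MASK_BYTES:
        raise ValueError("pattern longer than 16 nibbles")
    nibbles = []
    for ch in pattern:
        if ch == "?":
            nibbles.append(WILDCARD_NIBBLE)
        elif ch.isdigit():
            nibbles.append(int(ch))
        else:
            raise ValueError("bad mask character %r" % ch)
    nibbles += [WILDCARD_NIBBLE] * (2 * MASK_BYTES - len(nibbles))  # assumed padding
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 2 * MASK_BYTES, 2))


def decode_imsi_mask(mask):
    """8 bytes -> 16-character pattern ('?' for 0xE); rejects nibbles that are neither."""
    if len(mask) != MASK_BYTES:
        raise ValueError("mask must be 8 bytes")
    chars = []
    for b in mask:
        for nib in (b >> 4, b & 0xF):
            if nib == WILDCARD_NIBBLE:
                chars.append("?")
            elif nib <= 9:
                chars.append(str(nib))
            else:
                raise ValueError("unexpected nibble 0x%X in IMSI mask" % nib)
    return "".join(chars)


def build_policy_table(entries):
    """entries: list of (id, type, pattern). Returns the length-prefixed table."""
    items = b"".join(struct.pack("<HH", i, t) + encode_imsi_mask(p) for i, t, p in entries)
    return struct.pack("<I", 4 + len(items)) + items


def parse_policy_table(blob):
    """Returns [(id, type, pattern16), ...]; rejects tables that overrun their length."""
    if len(blob) < 4:
        raise ValueError("policy table too short")
    total, = struct.unpack_from("<I", blob, 0)
    if total < 4 or total > len(blob) or (total - 4) % ITEM_SIZE:
        raise ValueError("bad policy table length %d" % total)
    out = []
    for off in range(4, total, ITEM_SIZE):
        pid, ptype = struct.unpack_from("<HH", blob, off)
        out.append((pid, ptype, decode_imsi_mask(blob[off + 4:off + ITEM_SIZE])))
    return out


def mask_matches(pattern, imsi):
    """Digit-by-digit compare: '?' matches any digit, a fixed digit must be equal.
    Mask positions past the end of the IMSI (at most 15 digits) must be wildcards."""
    if not imsi.isdigit() or len(imsi) > len(pattern):
        return False
    for pos, p in enumerate(pattern):
        if pos < len(imsi):
            if p != "?" and p != imsi[pos]:
                return False
        elif p != "?":
            return False
    return True


def imsi_allowed(table, imsi):
    """An IMSI is permitted if any policy item's mask matches it."""
    return any(mask_matches(pat, imsi) for _, _, pat in parse_policy_table(table))


# Constructed tables using the masks from this page; IDs are sequential, type is 0.
ATT_MASKS = ["310150?????????", "310170?????????", "310410?????????",
             "311180?????????", "310980?????????"]
TMOBILE_DE_MASKS = ["26201??????????"] * 3
ATT_TABLE = build_policy_table([(i, 0, p) for i, p in enumerate(ATT_MASKS)])
TMOBILE_DE_TABLE = build_policy_table([(i, 0, p) for i, p in enumerate(TMOBILE_DE_MASKS)])
UNLOCKED_TABLE = build_policy_table([(0, 0, "???????????????")])

if __name__ == "__main__":
    for name, table in [("AT&T", ATT_TABLE), ("T-Mobile DE", TMOBILE_DE_TABLE), ("unlocked", UNLOCKED_TABLE)]:
        print(name, [pat for _, _, pat in parse_policy_table(table)])
        print("  310410123456789 ->", imsi_allowed(table, "310410123456789"))
        print("  262011234567890 ->", imsi_allowed(table, "262011234567890"))
```

The length check in parse_policy_table matters when the table comes from a decrypted ticket of unknown provenance: an item count that runs past the end of the decrypted data is rejected instead of being read as garbage.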