Baseband TEA Keys

The baseband generates TEA keys based of the CHIPID and NORID.

Key A Generation
// return unique phone key (key A), this key is used for security zone encryption/decryption void get_keyA(u8 *A) { SHA1Context ctx; SHA1Reset(&ctx); SHA1Input(&ctx, dep1_norid, 0x10); SHA1Input(&ctx, dep2_chipid, 0x10); SHA1Result(&ctx); memcpy(A, (u8*)ctx.Message_Digest, 0x14); }

NCK Key Generation
//ulc_mix_lock_unlock_key((u8*)A,(u8*)ctx.Message_Digest,dep1_norid,dep2_chipid,(u8*)B); void ulc_mix_lock_unlock_key(u8 *keyA, u8 *keyNCK, u8 *norid, u8 *chipid, u8 *keyB) { u8 out_iv[8]; tea_3_round_encipher(norid,keyNCK,keyA,keyB,out_iv);		//norid, keyNCK, SP+4, SP+0x14, SP+0x34 tea_3_round_encipher(chipid,keyNCK,out_iv,keyB+8,out_iv); //chipid, keyNCK, SP+4, SP+0x14, SP+0x34 } // auxilary function for nck key generation void tea_3_round_encipher(u8 *in, u8 *key, u8 *iv, u8 *out, u8 *out_iv){ u32 tmpin[2], nexttea[2]; tea_encipher((u32*)in, tmpin, (u32*)key); nexttea[0] = tmpin[0]^((u32*)iv)[0]; nexttea[1] = tmpin[1]^((u32*)iv)[1]; tea_encipher(nexttea, (u32*)out, (u32*)key); nexttea[0] = tmpin[0]^((u32*)out)[0]; nexttea[1] = tmpin[1]^((u32*)out)[1]; tea_encipher(nexttea, (u32*)out_iv, (u32*)key); }

Hardware Thumbprint Generation
u8 salt[20] = { 0x03, 0x5E, 0x20, 0x03, 0xA9, 0x74, 0xFC, 0x57, 0xBB, 0x2D, 0x59, 0x28, 0xBF, 0x10, 0xAE, 0xB9, 0x00, 0x00, 0x00, 0x00 };

void getHardwareThumbPrint(u8 *hwTP){ SHA1Context ctx; SHA1Reset(&ctx); SHA1Input(&ctx, chipid, 16); SHA1Input(&ctx, norid, 16); SHA1Input(&ctx, imei, 16); //nibble encoded SHA1Input(&ctx, salt, 20); SHA1Result(&ctx); memcpy(hwTP, (u8*)ctx.Message_Digest, 0x14); }

Apple calls this "BasebandThumbprint". It can be obtained from the baseband serial port with at+xthumb?.

Wildcard Ticket Key Generation
void getWildcardKey(u8 *wKey) { u8 hwTP[20]; getHardwareThumbPrint(&hwTP); SHA1Context ctx; SHA1Reset(&ctx); SHA1Input(&ctx, hwTP, 20); SHA1Input(&ctx, salt, 20); SHA1Result(&ctx); memcpy(wKey, (u8*)ctx.Message_Digest, 0x14); } This generates the key which can be used to encrypt/decrypt the wildcard ticket - the chipID/norID are NOT required.