Talk:X-Gold 608 Unlock

current 3G unlock status??
just citing:

 * Q: You can take 1.45.00 (or at least 1.43.00), patch it somewhere, flash this file and it's run? Yes or no?
 * A: No(t yet as easy as that, but be sure we're on it) :p Zf

So, that's very good news :) -caique2001-

To speak more technically... The X-Gold 608 has TPM features. So normally one would expect it only to run signed code. This in turn means it doesn't matter if the code is interchangeable, because only original Apple code can be run. The crucial hack needed is the hack to run unsigned code, say patched code (as Apple's private signing key is not known, of course).

TPM doesn't come into play here. We're running unsigned code, and convincing s-gold3 bootrom we deserve a downgrade. It happily complies.

Wow! Even more good news :-) Where do we have to send the beer to :-) ?? If it does not go too much into detail, could you briefly explain what issue you are currently working on? The fact that you have the possibility to run patched unsigned code, does it imply you are currently working on a patch that actually does the unlock? And does TPM come into play here, or are there other issues to be solved? caique2001

I would assume that with unsigned code, you could patch the 3G equivalent of Simple Unlock. IIRC, geohot has already found the bits; we just need a way to patch them. About bypassing TPM... it would be interesting to see how this is done. Perhaps a malformed sig like with pwnage 2.0 and DFU mode? Guess we will just have to wait and see :P ChronicDev

opensource baseband?
Is it to make one? With 3G support? Or modify the 4.6 baseband to have 3G support?

4.6 is on a different platform; you cannot modify that for 3G.

get unlocked bootloader ??
As in countries like Belgium, the 3G is sold without any carrier lock (Belgian law).

Wouldn't it be possible to get the bootloader from such an iPhone and transfer it to any other device??

/harald

"Bootloader" has NOTHING to do with official unlock (or unlock). Official Unlock is IMHO done by IMEI and NCK. ~wEsTbAeR--

Find the theorized algorithm of NCK generation
Isn't this what the thousands of keygens for PC apps do? Why is it so much harder to do it for the iPhone? Is it because you would normally decompile the software that does the validation, and this is run on Apple servers and so is inaccessible? Sorry, just thinking out loud...

Reply: In software we can (after a good amount of work) see the routine that is used to verify the numbers you input. In the iPhone it's not that simple. We know the routine but we don't know what the iPhone starts with (or even if it's generated from the iPhone's serial or is just a number in a database).

Example: In a piece of software, you input your name and a serial number. The software takes your name, translates it to numbers and does some math like (FirstLetter)*(SecondLetter)/(ThirdLetter + FourthLetter).

So by knowing those rules, we run the same routine in our own software and find out what the original software will expect when you input a name such as "funny". Then you use "funny" and 129837987239187 as the serial and it works.

On the iPhone we don't know what the "name" is. We know your iPhone will do something like TEA(RSA(token+"name")) and will compare the response of that with what it has stored in it.

Some people believe the NCK (aka "name" in the above example) doesn't have any relation to the numbers on the phone, such as the serial, IMEI, etc. Some people believe Apple has a big table of numbers relating one NCK to each serial, but that the NCK isn't formed from the serial.

I don't believe so... I think it's a number generated from the IMEI, serial and any other unique numbers, either with all of them or parts of each. I started coding a program that would do a different search than Geohot's NCKBruteForcer. He was trying all the combinations and would eventually find the correct answer for each iPhone, but it would take a million years with the computing power we have. I thought of it in a different way. I would assume that the NCK is made by a rule out of the combination of the following "items" [-, +, /, *, ^, Log, Ln, Log(2), exp, mod, imei, serial] and then code something to search for all the rules inside that space, such as imei*serial/log(serial)+imei for instance. Another idea was that they could use only a couple of digits of each, so something like this would be possible: (3 digits of imei)*(first digit of serial)^(4 last digits of imei) mod (2 last digits of serial) .. and so on. This would be a smaller search than Geohot's but would not work if Apple has a table with all the NCKs.

I was coding this for the 1.1.4 OOTB when Geohot found the exploit and unlocked it. So I gave up... but maybe it's time to look at it again. ~ Deco

Unlock by changing model and serial number
Chinese grey-market importers are reportedly unlocking the iPhone 3G by changing the model and serial numbers stored in the phone to match the Hong Kong version. Can someone please test if this method works?