We all know how hard the Dev-Team has been working on coming up with an iPhone 4 unlocking solution for basebands 02.10.01 & 03.10.01 by updating ultrasn0w for many months now. They had also hinted previously at having found iPhone 3G/3GS unlock vectors while on the hunt for an iPhone 4 unlock. However, as of now the Dev-Team isn’t revealing much about their progress on the expected NCK iPhone 4 unlock or an ETA for its release. For those who don’t know, the NCK unlock is a newly discovered method for unlocking the iPhone 4; the key is found to be only 40 bits (5 digits), which can theoretically be cracked with a brute force attack.
Since there is a lot of confusion out there, and since I’m repeating myself all the time (which I do not really like), I made this little write-up of questions that are continuously being asked (my personal FAQ). Please note that this is a global explanation. Don’t try to argue with me on specific details.
1. What happened?! I thought the unlock for basebands 02.10.01 & 03.10.01 would be released within the next 2 weeks?
As you know, the Dev-Team (MuscleNerd) has been working on the unlock for quite a while now. They were making great progress on the unlock, but they found out that they had (accidentally) unlocked “one particular SIM card” instead of the baseband itself, which means that the unlock would only work with MuscleNerd’s T-Mobile SIM. So, useless. If the unlock unlocked the baseband instead of “the SIM”, it would probably be out within 2 weeks (the reasonable timeframe they had hoped for). But things turned out to be different. Basically these “<2 weeks” predictions were based on a lack of information.
2. What is this NCK-key cracking? How does it work?
The NCK-key is the key generated by Apple if you officially unlock your iPhone, and by officially I mean via your carrier. This “NCK-unlock” method has been known for a few years now, actually since geohot started working on unlocking the iPhone 2G. He developed a program that could “crack” this 15-digit key, which is unique for every device. Geohot’s NCKBF program could do around 100,000 keys/second, which would produce a hit in many years, or complete a search in 317 years. To get to a point where this is actually doable we would need many orders of magnitude of improvement. Even if you use a PS3 (would we still want to use this??) or special hardware (within the 1,000 US$ range) you will only get an improvement of 20-100 times, which doesn’t help much.
Now, luckily, with the exploits they have now, they can’t unlock your baseband, but they *can* capture more information from the baseband to speed up this cracking process. Since the NORID and CHIPID (unique for every device) are known, you’d apparently only have to check 40 more bits (5 digits). A 40-bit key is theoretically crackable on “home hardware” within a week (24/7). The downside of this approach is that you’ll have to keep your computer turned on, and your iPhone has to be connected. And that is the reason why they never tried it before. Please note that this method is completely theoretical and has NOT been tried at all at this moment.
The status of your baseband (carrier locked or unlocked) is saved in the seczone, which is cryptographically tied to each unique device and is never updated by a baseband update. Since you only have a handful of attempts to test your generated (possible) NCK keys against the crypto before the baseband permanently locks you out of an “NCK-unlock”, you can’t really verify all the generated NCK-keys in real time with the iPhone.
So the plan is to dump the seczone, get the unique NORID and CHIPID from the baseband using the baseband hacks/exploits, and generate your unique NCK-key “offline” (meaning your iPhone does not have to be connected to your computer while finding your unique NCK-key). Please note that this is still completely theoretical, since this has never been tried at all. It’s trial and error, don’t be disappointed if it fails.
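The attack-cost figures quoted in question 2 (15-digit NCK at 100,000 keys/s, 40 residual bits within a week) can be checked with a small calculator. This is an added example, not code from the FAQ author or the Dev-Team; the 5-attempt lockout figure is an assumption standing in for the post’s “handful of attempts”, and it illustrates why a per-device attempt counter only bounds online guessing, not an offline search against a dumped seczone.

```python
import math

# Added worked example (not from the original FAQ): the attack-cost figures
# behind question 2. Rates and budgets are the post's own numbers, except
# where marked as an assumption.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
NCK_DIGITS = 15            # full NCK length stated in the post
NCKBF_RATE = 100_000       # keys/second quoted for geohot's NCKBF
RESIDUAL_BITS = 40         # bits left once NORID/CHIPID are known (per the post)
ONE_WEEK = 7 * 24 * 3600   # the "within a week (24/7)" budget


def decimal_key_bits(digits: int) -> float:
    """Entropy in bits of a uniformly random decimal key of `digits` digits."""
    return digits * math.log2(10)


def exhaustive_seconds(bits: float, keys_per_second: float) -> float:
    """Worst case: time to try every key in a 2**bits space at a given rate."""
    return 2.0 ** bits / keys_per_second


def years_to_exhaust(bits: float, keys_per_second: float) -> float:
    return exhaustive_seconds(bits, keys_per_second) / SECONDS_PER_YEAR


def rate_needed(bits: float, budget_seconds: float) -> float:
    """Keys/second required to cover the whole space inside a time budget."""
    return 2.0 ** bits / budget_seconds


def online_coverage(bits: float, attempts_before_lockout: int) -> float:
    """Fraction of the space that can be tested against the live baseband
    before the seczone counter permanently refuses further NCK attempts."""
    return attempts_before_lockout / 2.0 ** bits


def summary() -> dict:
    full_bits = decimal_key_bits(NCK_DIGITS)
    return {
        "full_nck_bits": round(full_bits, 1),
        "nckbf_years": round(years_to_exhaust(full_bits, NCKBF_RATE)),
        "residual_rate_per_week": rate_needed(RESIDUAL_BITS, ONE_WEEK),
        # 5 attempts is an assumption standing in for the post's "handful"
        "online_coverage_5_tries": online_coverage(RESIDUAL_BITS, 5),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The 317-year figure for the full key matches the post; the residual 40-bit space needs roughly 1.8 million keys/second to be covered in a week, while five online attempts cover a negligible fraction of it.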
It looks like the iPhone Dev-Team successfully dumped the seczone to do the brute force NCK cracking offline. It also looks like they were able to capture the official NCK key from their carrier, which they needed to “decode” the encryption algorithms that are used to generate the NCK key. That way, in combination with the NORID and CHIPID (and likely some additional information from the baseband), they will be able to generate the NCK for every unique device out there.
deviceKey = SHA1_hash(norID+chipID)
nckKey = custom_hash(norID, chipID, SHA1_hash(NCK), deviceKey)
(the nckKey is the key that eventually gives the seczone (and so the baseband) the unlocked state).
Right now they are brute force cracking the encryption, which is going to take a few days (if not weeks). If they succeed, progress may be made fast. In the meanwhile they are working on a software unlock. Please note that neither is guaranteed to succeed.
3. Now what? Should I sell my locked iPhone 4?
I’d wait for more information on this “NCK-unlock”. Right now it’s pretty vague what timeframe we’re talking about. If the Dev-Team can pull this method off, it’d be very promising for those waiting for an unlock. If this method turns out not to be doable, I’d consider selling your iPhone 4 and saving up for a factory unlocked iPhone 5.
4. Do you think there is ever going to be an unlock?
Of course. But that’s unlikely to be any time soon (with soon being <1 month).
5. If the NCK method fails, how long do you think it will take for the Dev-Team to unlock the iPhone 4 in software?
No ETA at all. Could be a few weeks, but it could easily be a few months as well.
Hope this helps.