NCK Pattern: 6 So Far: No German pattern
So far I have (see title) NCK <=> IMEI combinations. I can't post them, since they are sensitive data of the people who were kind enough to extract their a.plist for me. I have learned that the German ones use "SP" instead of "NO". Also the two German NCKs I have both start with the number 3. Coincidence? Keep these a.plists flowing; could people please post requests on their respective language iPhone forums? Also the algorithm used to check the NCK on the phone is known and is not even close to reversible. Brute force is possible at 100,000 k/s, so the point of finding a pattern in the NCKs is to reduce the time required for that brute force. Also my hypothetical NCK generation system; this has no basis in anything anyone has discovered but... IMEI^d mod n, where d and n are relatively prime and n is similar in size to the IMEI. If Apple keeps d and n secret, they could give NCKs given an IMEI when no one else could.
Installation, the PMU
While I was waiting for CPICH to finish the first bits of the NAND FTL reverse engineering work, I've been trying to fill in some of the gaps we had in other places, such as the PMU. As promised, there is also now an easy way to install openiboot onto the iPhone. This is great because it will eventually lead to an even faster and easier QuickPwn in the future. One of the annoying things about iBoot in recovery mode is that the thing refuses to charge the iPhone while sitting in recovery mode. The battery just eventually completely drains. With the new PMU code, openiboot now recharges the battery, so programmers using it (read: me) can just have it sit on the console screen indefinitely. You can also do neat things like check the current battery voltage and check the power supply type the phone is charging from.
The "installation code" consists of porting over my knowledge of reading and modifying img3 files from working on the jailbreaks. I was too lazy to port over the whole xpwn framework, but I wrote up a "fast" version that is sufficient to read and modify img3 files in a limited fashion. img3 files are part of the new native format of the main part of the NOR (just a bunch of img3 files concatenated together). The upshot is that you can load openiboot as an img3 through iBoot (just like sending an iBEC image) and then type "install" at the console and openiboot will be a permanent stage in your bootloader chain. =P
You can, of course, keep booting up to the iPhone OS as you always do by selecting the option in the boot menu. Installing openiboot isn't very useful except for hackers wanting to hack openiboot.
I also figured out how to parse and modify the NVRAM banks (storing environment variables like "auto-boot", etc.), which was actually needlessly complicated (in my opinion). They have two banks consisting of a bunch of partitions with these headers that Apple uses a pointless one-byte custom checksum on. The whole bank is also checksummed with adler32. When NVRAM is modified, the oldest bank is overwritten with the data and becomes the newest bank (which is tracked by an epoch number on each bank). This is so if one bank becomes corrupted, the other can be used as a backup. However, NVRAM hardly contains anything high value so the value of all this trouble is questionable. Being able to write to NVRAM, though, makes it possible to set auto-boot on and off within openiboot so that we can easily control whether or not to enter iBoot's recovery mode.
Someone asked me how "safe" it was to do the installation, etc. Well, I've been doing it every time I make an update these days, so it's fairly safe. The worst that can happen in the normal case is that you may be forced into a DFU mode restore. Everything will be fixed with a restore. Early on, I did have bugs that really screwed things up so that a DFU mode restore was no longer possible, but even that was recoverable. I'll just go over how briefly:
The important thing is to have a backup of the NOR. As I described in a previous post, it's possible to really screw things up if you kill the SysCfg section of the NOR. If you do that, the iPhone OS will refuse to boot at all since iBoot cannot properly populate the device tree for the kernel. Since restore ramdisks rely on XNU booting, this is Bad News Bears. In addition, the SysCfg section is device specific, so if you do not have a backup, it will be difficult to ever completely recover from erasing it.
Therefore, before you carry on, MAKE A BACKUP OF YOUR NOR. openiboot can do this for you (and subsequently restore your backup if things go wrong).
Load openiboot via loadibec and select the console. Connect with the oibc client. Type in: nor_read 0x09000000 0x0 0x100000
This will read all of NOR into memory. Then type: ~nordump.bin:0x100000
This will transfer the dump over USB onto your computer and save it as nordump.bin.
Supposing you filled the whole NOR with garbage somehow and are able to boot. You have to get into openiboot to restore the NOR. The problem is that openiboot is only designed to operate in a post-LLB or post-Recovery Mode context, so it cannot be directly booted from DFU mode. Basically, you've got to load a pwned WTF, then a pwned iBSS, and then a pwned iBEC (all of which is available from a custom IPSW). After that, you can use loadibec to load openiboot. Then, you can restore the NOR thus:
!nordump.bin
nor_write 0x09000000 0x0 0x100000
After that, you can boot and everything should be normal.
Also, I received a few responses from people volunteering to do the artwork. I'm not sure what the best thing would be, since I don't want anyone putting in effort for nothing, but we do want the best possible results. So, I'll be getting back to you guys about that.
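The two-bank NVRAM scheme described in the post above (adler32 over the whole bank, an epoch number marking the newest bank, the older bank overwritten on each write), as an added Python example that is not openiboot's code. The bank layout, field sizes and function names are assumptions made for illustration, not Apple's real format.

```python
import struct
import zlib

# Hypothetical bank layout (an assumption, NOT Apple's real format):
#   4-byte adler32 of everything after it | 4-byte epoch | payload
HEADER = struct.Struct(">II")

def pack_bank(epoch, payload):
    body = struct.pack(">I", epoch) + payload
    return struct.pack(">I", zlib.adler32(body)) + body

def parse_bank(raw):
    """Return (epoch, payload), or None if the bank fails its checksum."""
    if len(raw) < HEADER.size:
        return None
    stored, epoch = HEADER.unpack_from(raw)
    if zlib.adler32(raw[4:]) != stored:
        return None
    return epoch, raw[HEADER.size:]

def newest_valid(banks):
    """Index of the valid bank with the highest epoch, or None."""
    best = None
    for i, raw in enumerate(banks):
        parsed = parse_bank(raw)
        if parsed and (best is None or parsed[0] > parse_bank(banks[best])[0]):
            best = i
    return best

def write_update(banks, payload):
    """Overwrite the oldest (or corrupt) bank; it becomes the newest."""
    cur = newest_valid(banks)
    epoch = parse_bank(banks[cur])[0] + 1 if cur is not None else 1
    target = 1 - cur if cur is not None else 0   # two banks only
    banks[target] = pack_bank(epoch, payload)
    return target

def demo():
    # Constructed sample data: bank 1 (epoch 2) is newer than bank 0 (epoch 1).
    banks = [pack_bank(1, b"auto-boot=true\0"), pack_bank(2, b"auto-boot=false\0")]
    written = write_update(banks, b"auto-boot=true\0")   # goes to bank 0, epoch 3
    damaged = bytearray(banks[written])
    damaged[-2] ^= 0xFF                                  # simulate corruption
    banks[written] = bytes(damaged)
    # The reader falls back to the surviving older bank.
    return written, newest_valid(banks), parse_bank(banks[1])
```

Because a write only ever touches the bank that is not the current newest valid one, an interrupted or corrupted write leaves the previous settings readable.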
Exposure

Masks and humor stuff!
We’ve had a total 39,317 downloads of the PwnApple mask in the last 7 days.
Photos of people wearing the masks were submitted and appear to come from all over the world; these certainly made us laugh! Judging by the comments most of you guys enjoyed the photos. Three or four of the photos submitted couldn’t be shown to the public as they were, erm, not quite “work safe”. One of these secret photos was most amazing, so awesome in concept that most of the guys couldn’t even believe that an iPhone 3G and USB battery charger would fit in there, very, very impressive.
The PwnApple mask had a bit of a hidden meaning for the team, a kind of inside joke; one or two commenters on the blog speculated as to what the true meaning was, they were kinda close, but most of all it was a bit of humor, the kinda humor that keeps morale high and conversation light, and this really does help when people are concentrating and working so hard.
We’ve made some decent progress with the iPhone 3G, nothing worthy of a post as yet but we are moving along nicely; we’ll keep you updated on this.
We were thinking of a ‘funday’ video but real life has got in the way again and a few of us have been busy so we won’t have time to get it out. If you guys do want a video of some progress, maybe we can make it a funday-Monday?
Update warning!
Now for something a bit more serious: we’ve explained the pros and cons of applying Apple’s updates in the past and we’ve warned against the immediate installation of these updates without knowing what they do to your device.
This is especially true of the iPhone 3G’s upcoming 2.2 release. Installing ‘2.2’ straight away on the iPhone 3G using the iTunes auto-updater could affect your chances of any software unlock in the near future (should one be found and released), so when you see an update in iTunes wait for our instructions first!
Please don’t blindly install the update and then complain about it later ;-)
iPod Touch 2G
We are not working on the iPod Touch 2G at the moment; we certainly have interest in this device as we have mentioned before and we have done some preliminary analysis, but currently all efforts are still on the iPhone 3G. We hope to pick up work on the iPod Touch 2G sometime in the near future and when we have any updates relating to this we’ll post about them here.