08-03-2018, 06:44
Mkz
My take on the original question by @m0nix is that he's asking how *non-police* companies sell, through the web, either:
- bootloader unlock codes (so you can flash non-official ROMs, obtain root, etc.) or
- netlock removal PINs (that will allow you to use the device with SIM cards other than from the carrier that sold the phone to you at a subsidized price).
Not the SIM card PINs/PUKs, which are managed by the hardware inside the card's chip and which the *phone* manufacturer has nothing to do with.

And the most intriguing part is that they only request from you the IMEI of your phone, nothing more.

Either:
- the vendors have a very straightforward (even if time/CPU consuming) way of generating those 2 types of unlock codes with a formula related solely to the IMEI - so they don't have to bother registering every single produced device/IMEI in a table along with the *random* bootloader / netlock codes that had been generated
- if the vendors did it safely - generating random codes and storing them on their side - these online sites need inside info so they can sell the codes to you; otherwise, they'd need more info from you, not just the IMEI. Perhaps a dump of a partition with encrypted info validated during the unlock process, or whatever.

I've asked myself this question a few times as well, but it must be the first situation, right?

I remember that when I owned a Sony Android phone and wanted to unlock the bootloader, I reversed the code and saw something along the lines of an SHA or other hash function output stored on the "TA" partition of the device.
When I entered a code to unlock the bootloader, it would get hashed (perhaps with a salt, perhaps with multiple iterations as in the PBKDF2 techniques to prevent brute force, I don't remember the details) and the output of those calculations would be compared with the expected hash result stored in that TA partition. The right code will produce that expected hash, and I have no means to know it unless I get it from Sony (at the time they didn't provide unlock codes, and I don't think they've started doing it), or from one of those sites.

Either these 3rd party sites know the formula and run a GPU farm to brute force the right code that generated that hash, crypto-mining style - assuming it's inferable from the IMEI that I as a customer provided them - or they must have inside connections with the phone manufacturer.
I mentioned the bootloader unlock code, but the netlock is likely a similar mechanism.
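The device-side check described in the post (a random unlock code, of which only a salted, iterated hash is stored on the device; the entered code is re-hashed and compared), written out as an added example. This is not Sony's code or TA-partition format: the code alphabet, salt length, iteration count and record layout are all assumptions chosen here to show why the "random code + stored hash" design is the one that does not let a third party derive the code from the IMEI alone.

```python
import hashlib
import hmac
import secrets
import string

# Assumed parameters (not Sony's): 16-character alphanumeric codes,
# 16-byte per-device salt, PBKDF2-HMAC-SHA256 with 100k iterations.
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 16
SALT_LEN = 16
ITERATIONS = 100_000


def generate_code() -> str:
    """Vendor side: a random code, unrelated to the IMEI or anything else public."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))


def derive(code: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted KDF over the code. The salt makes precomputed tables useless
    across devices; the iteration count raises the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, iterations)


def provision(code: str) -> dict:
    """What ends up on the device: salt, iteration count and hash, never the code.
    Knowing this record (e.g. from a partition dump) does not reveal the code."""
    salt = secrets.token_bytes(SALT_LEN)
    return {"salt": salt, "iterations": ITERATIONS, "hash": derive(code, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Device side: recompute with the stored salt/iterations and compare in
    constant time, so the comparison itself leaks nothing about the hash."""
    computed = derive(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(computed, record["hash"])


if __name__ == "__main__":
    code = generate_code()
    record = provision(code)
    print("stored on device:", record["hash"].hex())
    print("correct code accepted:", verify(record, code))
    print("wrong code rejected:", not verify(record, code[:-1] + "?"))
```

With this design the only way to recover the code from the record is to guess candidates through the same slow KDF, which is exactly the GPU-farm scenario the post contrasts with having the vendor's own lookup table.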