Tuesday, July 24, 2007

Searching for the Network Control Key

Every SIM card has a unique IMSI (International Mobile Subscriber Identity) number of between 14 and 15 digits. The first three digits are the MCC (Mobile Country Code) and the next two or three the MNC (Mobile Network Code).

The iPhone's baseband radio's firmware is locked to only work with SIM cards with IMSI numbers starting with the digits 310410, i.e. Mobile Country Code = US* and Mobile Network Code = AT&T.

According to the iPhone Dev Wiki the radio firmware can be unlocked with the AT command:

'AT+CLCK="PN",0,"xxxxxxxx"'


where xxxxxxxx is a number specific to each iPhone. I suspect - although the wiki does not say so – that the "specificity" is based on the unique IMEI number that every GSM phone has, including the iPhone.

The x's are the NCK (Network Control Key). Brute-force can't be used most notably because "there is a limit of 3-10 unlock attempts per phone, after which the firmware will "hard-lock" itself to AT&T".

Of course someone at Apple or AT&T holds the cryptographic key to calculate the NCKs. If you are buying your iPhone in France Apple or AT&T will be legally obliged to use that key to calculate a NCK based on your iPhones IMEI.

(*) the US actually has 7 country codes: 310, 311, 312, 313, 314 and 316. I wonder what the story behind that is?

2 comments:

Anonymous said...

man thanx for this information...
kindly post the way to unlock it as soon as possible...

want to use it outside u.s.

thanking you in anticipation

Anonymous said...

yea thanks a bunch man, i just bought my iphone and we have no carrier that support. I need to unlock it so i can use with existing cell phone carrier.