This can be described as an attack type suitable for mobile phone hash cracking. The attack name is 'borrowed' from the Nokia mobile phone security type. Method is to use hash cracking tools to extract code from Nokia phone hash developed by security researcher Chris on gsm scene known as bphreaks.

If you want to fully understand how it works you need to read and fully understand the following articles:

• Mask attack
• oclHashcat-lite
• oclHashcat, Catalyst and ForceWare
• Distributing workload in oclHashcat-lite
• HCCAP format description

1. AMD Users only: Get latest catalyst driver! Minimum 11.4. This step is absolutely neccessary otherwise you will not find the code and you will not get an error message.
2. Get oclHashcat-lite v0.6 from its homepage and unpack it.
3. Open a command shell window and cd to the oclHashcat-lite installation directory.
4. Get your hash (SHA1). Its a 40 char hex-encoded string and looks like this: 21B1E417AF2DE6496772BCC2FE33D2593A9BB7A0
5. Get your salt (IMEI). Its a 15 char hex-encoded string and looks like this: 351523047837342 but you only use the first 14 chars from it. The last digit is just a checksum and we dont use it.
6. Prepare your salt. Prepend and Append 00 to the salt like this: 003515230478373400
7. The following command starts oclHashcat-lite. The string looks complicated but its static, it does not change. The only thing that changes is your hash and your salt. A smart user would put it into a .bat file!

oclHashcat-lite64 -m 1900 -n 80 -1 00010203040506070809 --outfile=out.txt 21B1E417AF2DE6496772BCC2FE33D2593A9BB7A0:003515230478373400 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

NOTE: The linux command is exactly the same.

I will now explain the parameters so you know what you are doing:

• oclHashcat-lite64: The program name itself. If you have an 32 bit OS then you should use oclHashcat-lite32 instead.
• -m 1900: This sets the hash-type of oclHashcat-lite. 1900 stands for SL3.
• -n 80: This is the workload-amplifier and its the most important flag that controls the Performance of the program. If you want more speed, raise it. If you want less speed, lower it. This is if your desktop is lagging too much.
• -1 00010203040506070809: This binds the charset to our custom charset 1. SL3 uses only a small charset of ten chars (0-9, binary encoded). We have to encode it in HEX, thats why they all have a leading zero.
• --outfile=out.txt: This is where the cracked pass is stored.
• 21B1E417AF2DE6496772BCC2FE33D2593A9BB7A0:003515230478373400: The only thing that changes.
• ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1: our “mask”. 15 times ?1 (which ist custom charset 1 we bound before)

SL3 always uses the same algorithm and data. Because of that it's always a known max time till exhaust. For example for 2xHD6990 clocked to 880Mhz max time to finish all of the 100% available key-space will be ~1 day 11 hours. Because we have fixed hash data and fixed salt all calculation speeds depend only on our hardware, no brains involved :)

To attack a few hashes one after another we create bash (on Linux) or batch (on Windows) files. These files are intended to run commands line by line.

Linux example:

export DISPLAY=:0
export LD_LIBRARY_PATH=$HOME/AMD-APP-SDK-v2.4-lnx64/lib/x86_64

./oclHashcat-lite64.bin -m 1900 -n 800 -1 00010203040506070809 --outfile=351514044968571.txt --session=35151404496857_1 514D1FCDE9231B61DAD191F7BC7675B87D8628B5:003515140449685700 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
./oclHashcat-lite64.bin -m 1900 -n 800 -1 00010203040506070809 --outfile=355933045509554.txt --session=35593304550955_1 B928680D8D7B1242BEBC8B7AC24FF2B90198E213:003559330455095500 ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1

Commands explained: tbd,

Very important parameter here is --session as it creates different restore files for each session, we have no risk of losing earlier restore files because of problems like overheating.

tbd, explain simple batch files and why they can cause problems.

There is a big and important difference in the word “salt” regarding how SL3 describes it and how the hash-cracking community defines it.

Since hashcat is a product of the hash-cracking scene we are using our wording.

The hashcracking scene defines a salt as some data (usually a random string or the username) which is mixed together with the plaintext password while calculating the hash. How this mixing is done in detail differs on the algorithm implementation.

The salt value is stored together with the hash value. Each hash value hash its own salt value. This makes salts a very efficient solution to avoid multihash cracking and precomputing hash tables.

From the hashcat view on SL3 cracking, the “salt” is only the 14 digit IMEI number (plus the static prepending and appending zero values).

The SL3 scene defines a salt as the last four (hex) digits of the plaintext password (the mastercode). The IMEI is just the IMEI.

A graphical view on this detail:

• H = Hash
• P = Plaintext password
• S = Salt
• I = IMEI

Hashcracking scene:

HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:00SSSSSSSSSSSSSS00:PPPPPPPPPPPPPPPPPPPPPPPPPPPPPP

SL3 scene:

HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:00IIIIIIIIIIIIII00:PPPPPPPPPPPPPPPPPPPPPPSSSSSSSS

tbd, explain --restore and --session and what can go wrong in combination with queue's

tbd, explain the true random mastercode generator

If you want an easy-to-use-one-click solution: buy one.

The following commercial SL3 unlocking solutions/products that integrate oclHashcat-lite as cracking engine:

• Advance Turbo Flasher (ATF)
• Cyclone
• Genie Clip
• Fenix Key
• Infinity B.E.S.T.
• J.A.U.
• Kulankendi Dongle
• MT-Box
• MXKEY

GUI Interfaces / Distributed setup software:

• Martech Service Manager - SL3 BruteForce Cloud System
• NCB Team - Network Code Breaker
• SL3NET Software Team - SL3 BF Distributed Server