Difference between revisions of "ECID"

From The iPhone Wiki
Jump to: navigation, search
(ECID Caching)
(MobileDevice.framework moved)
 
(31 intermediate revisions by 14 users not shown)
Line 1: Line 1:
The '''E'''xclusive '''C'''hip '''ID''' or '''ECID''', is an identifier unique to every unit.
+
The '''ECID''' ('''Exclusive Chip Identification'''<ref>https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf</ref> also referred to as '''Unique Chip ID''' in official Apple terms) is an identifier unique to every unit, or more accurately, to every SoC.
   
  +
It is 64 bits wide, with either the first 12, 16, or 20 bits set to zero (looks like <tt>00???XXXXXXXXXXX</tt> in hex).
ECID looks like this: <tt>00000XXXXXXXXXXX</tt>
 
   
  +
It holds a key position in the [[SHSH Protocol]], being one of 2 elements that limit each [[APTicket]] to a single specific device.
== The Img3 Tag ==
 
With the [[iPhone 3GS]], the ECID tag with your ECID is put in the signature checked section of every firmware file, and sent to Apple's servers for re-signing to get a valid [[SHSH]].
 
   
  +
'''Note''': Some tools show it in decimal format while others do it in hexadecimal.
The implication of this is Apple has been disallowing downgrades (even via [[DFU]]) on newer devices when a new firmware version is released.
 
   
== Get your ECID ==
+
== Getting the ECID ==
===Mac Instructions===
+
===Via iTunes===
  +
* Connect your iDevice to your computer.
*Put your device in [[Recovery Mode|Recovery]] or [[DFU]] mode.
 
  +
* Open iTunes.
*Open System Profiler. (in /Applications/Utilities/)
 
  +
* Navigate to the "Summary" tab for your device.
*In the sidebar, go to "USB" (in the "Hardware" section)
 
  +
* At the top of the panel, click twice on the line that says "Serial Number".
  +
* Your ECID is displayed in '''hexadecimal'''.
  +
  +
===Via third-party software===
  +
====On-device====
  +
The [http://cydia.saurik.com/package/com.malcolmhall.udidcalculator/ UDID Calculator] application from Cydia displays (among other things) the ECID of your device (shown in '''decimal''').
  +
  +
====Via USB====
  +
* Install [https://github.com/libimobiledevice/libimobiledevice libimobiledevice].
  +
* Connect your device over USB.
  +
* Run <code>ideviceinfo | grep UniqueChipID</code> command.
  +
* There should be exactly one line, reading <code>UniqueChipID</code> followed by your ECID (in '''decimal''').
  +
* Alternatively you can run <code>ideviceinfo -k UniqueChipID</code> which fetches the UniqueChipID key directly (which is also faster).
  +
  +
===Via [[Recovery Mode]] or [[DFU Mode]]===
  +
====Mac Instructions====
  +
*Put your device in [[Recovery Mode]] or [[DFU Mode]].
  +
*Open System Profiler. (in /Applications/Utilities/).
  +
*In the sidebar, go to "USB" (in the "Hardware" section).
 
*Under "Serial Number", there should be a part called "ECID". There you go.
 
*Under "Serial Number", there should be a part called "ECID". There you go.
   
===WIndows Instructions===
+
====Windows Instructions====
  +
* Put your device in [[Recovery Mode]] or [[DFU Mode]].
* Use [http://difrnt.com/blog/?p=25 ECID Grabber] Tool or [http://www.dimosoft.com/webboard/?document_srl=594 iPhone Information Reader Extendded Ver 1.0E] Tool (Korean Only)
 
  +
* Click on the details tab.
** Recovery Mode: <pre>iProduct: "Apple Mobile Device (Recovery Mode)"</pre> <pre>iSerialNumber: "CPID:XXXX CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX IBFL:01 SRNM:[XXXXXXXXXXX] IMEI:[XXXXXXXXXXXXXXX]"</pre>
 
  +
* Click on the dropdown box and select Device Instance Path.
** DFU: <pre>iProduct: "Apple Mobile Device (DFU Mode)"</pre> <pre>iSerialNumber: "CPID:XXXX CPRV:15 CPFM:03 SCEP:03 BDID:00 ECID:XXXXXXXXXXXXXXXX SRTG:[iBoot-XXX.X.X]"</pre>
 
* Read USB device info when Apple Device in connected in Recovery Mode or DFU mode
+
* Open Device Manager and right click on Apple Mobile Device (Recovery or DFU Mode) for properties.
  +
* You should find it in the textbox.
  +
  +
===Extracting from an SHSH===
  +
====Img3====
  +
There are 19 blobs in an SHSH, and the first line of every blob is the same as below:
  +
  +
<code>RElDRUAAAAAIAAAA********AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</code>
  +
  +
The * part is the ECID(Dec) encrypted by a certain formula which is
  +
  +
a.Transform ECID(Dec) into ECID(Hex) such as 58608372174291 ---> 35 4D D3 34 4D D3
  +
  +
b.Reverse the ECID(Hex) string such as 35 4D D3 34 4D D3 ---> D3 4D 34 D3 4D 35
  +
  +
c.Transform the string we have got into binary such as D3 4D 34 D3 4D 35 ---> ÓM4ÓM5
  +
  +
d.Encode the binary with base64 such as ÓM4ÓM5 ---> 00000001
  +
  +
Use this formula backward (d. to a.) we can extract the * part into ECID(Dec).
  +
  +
====Img4====
  +
First, get your apticket.der. There are two options:
  +
* Copy it from your device in <code>/System/Library/Caches/apticket.der</code>.
  +
* Extract it from an SHSH file, e.g. using <code>plutil -extract ApImg4Ticket xml1 -o - *.shsh | xmllint -xpath '/plist/data/text()' - | base64 -D > apticket.der;</code>.
  +
  +
Now you can use any old ASN.1 parser to display the file, such as <code>openssl asn1parse -i -inform DER -in apticket.der</code>.
  +
To get only the ECID part, use <code>openssl asn1parse -inform DER -in apticket.der | grep -A1 ECID</code>. It should show on the second line after the colon (in '''hexadecimal''', possibly with a leading zero).
  +
  +
===Developer Instructions===
  +
On macOS, call <code>AMDeviceCopyValue</code> in the [[MobileDevice Library|MobileDevice Framework]] with "UniqueChipID". It returns the ECID as a <code>CFNumberRef(kCFNumberSInt64Type)</code> object.
  +
  +
Example implementation (all safeties removed, will probably crash if connection fails), compile with <code>clang -F/System/Library/PrivateFrameworks -F/Library/Apple/System/Library/PrivateFrameworks -framework MobileDevice -framework CoreFoundation</code>:
  +
  +
<pre>
  +
// Please ping Siguza (siguza@siguza.net) if this file stops compiling/working
  +
#include <stdint.h>
  +
#include <stdio.h>
  +
#include <stdlib.h>
  +
#include <CoreFoundation/CoreFoundation.h>
  +
  +
// Cheap aliases to make things compile without headers
  +
typedef void am_device;
  +
typedef void am_device_notification;
  +
typedef void* am_device_notification_callback_info;
  +
extern void AMDeviceNotificationSubscribe(void(*callback)(am_device_notification_callback_info *info, void *arg), int unused1, int unused2, void *unknown, am_device_notification** notification);
  +
extern void AMDeviceConnect(am_device *device);
  +
extern void AMDeviceStartSession(am_device *device);
  +
extern void* AMDeviceCopyValue(am_device *device, int unknown, CFStringRef value);
   
  +
void cb(am_device_notification_callback_info *info, void *arg)
== ECID Caching ==
 
  +
{
Saurik has developed his own server that has been designed to 'cache' every signature that Apple has given you. Rather than being 'live' and talking directly to Apple's servers, it retrieves on file results.
 
  +
uint64_t ecid;
  +
am_device *dev = *info; /* info->dev */
  +
CFRetain(dev);
  +
AMDeviceConnect(dev);
  +
AMDeviceStartSession(dev);
   
  +
CFNumberRef ecidRef = AMDeviceCopyValue(dev, 0, CFSTR("UniqueChipID"));
To use this server, open up your hosts file and add the following line
 
  +
CFNumberGetValue(ecidRef, kCFNumberSInt64Type, &ecid);
<pre>74.208.10.249 gs.apple.com</pre>
 
  +
printf("ECID: %llX\n", ecid);
   
  +
CFRelease(dev);
Now, when iTunes thinks it is talking to Apple, it is talking to Cydia instead. Doing this will allow iTunes to access signatures already stored by Cydia's "on file" feature.
 
  +
exit(0);
This server will also act as a cache for any SHSH blobs it hasn't seen, acting as an intermediary to Apple's server. This effectively registers your device with the "on file" mechanism, which means you can now enjoy the protections of being able to downgrade your firmware in the future even if you aren't jailbroken.
 
  +
}
   
  +
int main()
  +
{
  +
uint32_t buf[5];
  +
am_device_notification *notification = (am_device_notification*)buf;
  +
AMDeviceNotificationSubscribe(&cb, 0, 0, NULL, &notification);
  +
CFRunLoopRun();
  +
return 0;
  +
}
  +
</pre>
   
  +
===References===
[http://www.saurik.com/id/12 Caching Apple's Signature Server]
 
  +
<references />

Latest revision as of 17:30, 25 November 2022

The ECID (Exclusive Chip Identification[1] also referred to as Unique Chip ID in official Apple terms) is an identifier unique to every unit, or more accurately, to every SoC.

It is 64 bits wide, with either the first 12, 16, or 20 bits set to zero (looks like 00???XXXXXXXXXXX in hex).

It holds a key position in the SHSH Protocol, being one of 2 elements that limit each APTicket to a single specific device.

Note: Some tools show it in decimal format while others do it in hexadecimal.

Getting the ECID

Via iTunes

  • Connect your iDevice to your computer.
  • Open iTunes.
  • Navigate to the "Summary" tab for your device.
  • At the top of the panel, click twice on the line that says "Serial Number".
  • Your ECID is displayed in hexadecimal.

Via third-party software

On-device

The UDID Calculator application from Cydia displays (among other things) the ECID of your device (shown in decimal).

Via USB

  • Install libimobiledevice.
  • Connect your device over USB.
  • Run ideviceinfo | grep UniqueChipID command.
  • There should be exactly one line, reading UniqueChipID followed by your ECID (in decimal).
  • Alternatively you can run ideviceinfo -k UniqueChipID which fetches the UniqueChipID key directly (which is also faster).

Via Recovery Mode or DFU Mode

Mac Instructions

  • Put your device in Recovery Mode or DFU Mode.
  • Open System Profiler. (in /Applications/Utilities/).
  • In the sidebar, go to "USB" (in the "Hardware" section).
  • Under "Serial Number", there should be a part called "ECID". There you go.

Windows Instructions

  • Put your device in Recovery Mode or DFU Mode.
  • Open Device Manager and right click on Apple Mobile Device (Recovery or DFU Mode) for properties.
  • Click on the details tab.
  • Click on the dropdown box and select Device Instance Path.
  • You should find it in the textbox.

Extracting from an SHSH

Img3

There are 19 blobs in an SHSH, and the first line of every blob is the same as below:

RElDRUAAAAAIAAAA********AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

The * part is the ECID(Dec) encrypted by a certain formula which is

a.Transform ECID(Dec) into ECID(Hex) such as 58608372174291 ---> 35 4D D3 34 4D D3

b.Reverse the ECID(Hex) string such as 35 4D D3 34 4D D3 ---> D3 4D 34 D3 4D 35

c.Transform the string we have got into binary such as D3 4D 34 D3 4D 35 ---> ÓM4ÓM5

d.Encode the binary with base64 such as ÓM4ÓM5 ---> 00000001

Use this formula backward (d. to a.) we can extract the * part into ECID(Dec).

Img4

First, get your apticket.der. There are two options:

  • Copy it from your device in /System/Library/Caches/apticket.der.
  • Extract it from an SHSH file, e.g. using plutil -extract ApImg4Ticket xml1 -o - *.shsh | xmllint -xpath '/plist/data/text()' - | base64 -D > apticket.der;.

Now you can use any old ASN.1 parser to display the file, such as openssl asn1parse -i -inform DER -in apticket.der. To get only the ECID part, use openssl asn1parse -inform DER -in apticket.der | grep -A1 ECID. It should show on the second line after the colon (in hexadecimal, possibly with a leading zero).

Developer Instructions

On macOS, call AMDeviceCopyValue in the MobileDevice Framework with "UniqueChipID". It returns the ECID as a CFNumberRef(kCFNumberSInt64Type) object.

Example implementation (all safeties removed, will probably crash if connection fails), compile with clang -F/System/Library/PrivateFrameworks -F/Library/Apple/System/Library/PrivateFrameworks -framework MobileDevice -framework CoreFoundation:

// Please ping Siguza (siguza@siguza.net) if this file stops compiling/working
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <CoreFoundation/CoreFoundation.h>

// Cheap aliases to make things compile without headers
typedef void am_device;
typedef void am_device_notification;
typedef void* am_device_notification_callback_info;
extern void AMDeviceNotificationSubscribe(void(*callback)(am_device_notification_callback_info *info, void *arg), int unused1, int unused2, void *unknown, am_device_notification** notification);
extern void AMDeviceConnect(am_device *device);
extern void AMDeviceStartSession(am_device *device);
extern void* AMDeviceCopyValue(am_device *device, int unknown, CFStringRef value);

void cb(am_device_notification_callback_info *info, void *arg)
{
    uint64_t ecid;
    am_device *dev = *info; /* info->dev */
    CFRetain(dev);
    AMDeviceConnect(dev);
    AMDeviceStartSession(dev);

    CFNumberRef ecidRef = AMDeviceCopyValue(dev, 0, CFSTR("UniqueChipID"));
    CFNumberGetValue(ecidRef, kCFNumberSInt64Type, &ecid);
    printf("ECID: %llX\n", ecid);

    CFRelease(dev);
    exit(0);
}

int main()
{
    uint32_t buf[5];
    am_device_notification *notification = (am_device_notification*)buf;
    AMDeviceNotificationSubscribe(&cb, 0, 0, NULL, &notification);
    CFRunLoopRun();
    return 0;
}

References