The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Activation Token"
(→Layout ActivationInfo) |
GeoSn0wOLD (talk | contribs) m (→Key: ActivationInfoXML: Corrected the misspelled word "problem") |
||
(9 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | ==Layout |
+ | ==Layout of Activation Token== |
− | This is the |
+ | This is the [[wikipedia:Core Foundation|CFDictionary]] string representation which gets sent to Apple's server.The object can be obtained by using the [[MobileDevice Library]], AMDeviceCopyValue function with the "ActivationInfo" value. |
+ | It is generated by [[lockdownd]]. Upon generation it stores ActivationRandomness in data ark and later checks it, thus only the last generated token it valid. SHA1 is generated in lockdown and then it makes a request to [[fairplayd]] to complete signature process and obtain certificate chain. |
||
− | <?xml version="1.0" encoding="UTF-8"?> |
||
− | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
||
− | <plist version="1.0"> |
||
<dict> |
<dict> |
||
<key>ActivationInfoComplete</key> |
<key>ActivationInfoComplete</key> |
||
Line 14: | Line 12: | ||
<key>FairPlayCertChain</key> |
<key>FairPlayCertChain</key> |
||
<data> |
<data> |
||
− | (base64-encoded |
+ | (base64-encoded RSA certificate chain including root CA in DER format) |
</data> |
</data> |
||
<key>FairPlaySignature</key> |
<key>FairPlaySignature</key> |
||
<data> |
<data> |
||
− | (base64-encoded signature (SHA1+RSA) of ActivationInfoXML) |
+ | (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate) |
</data> |
</data> |
||
</dict> |
</dict> |
||
Line 82: | Line 80: | ||
</plist> |
</plist> |
||
+ | SIMGIDs and PhoneNumber are present only if installed SIM has them and it was read correctly. |
||
− | ==Spoofing the Activation Server using python== |
||
+ | |||
− | Here's a python script to spoof it: |
||
+ | If ActivationState is not Unactivated or token signature is not correct, Apple server will respond with message "there's problem with your device". |
||
− | import httplib,urllib |
||
+ | |||
− | import time |
||
+ | ==Activation Protocol== |
||
− | ai=open("a.plist",'r') |
||
+ | Use SSL and send the request below with the values |
||
− | aidata=ai.read() |
||
+ | POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1 |
||
− | conn = httplib.HTTPSConnection("albert.apple.com") |
||
+ | Accept-Encoding: gzip |
||
− | headers = {"Content-type": "application/x-www-form-urlencoded", "User-Agent": 'iTunes/7.6 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96}'} |
||
+ | Accept-Language: en-us, en;q=0.50 |
||
− | params = urllib.urlencode({ |
||
+ | Content-Type: multipart/form-data; boundary=DeviceActivation |
||
− | 'activation-info': aidata |
||
+ | Content-Length: 1234 |
||
− | }) |
||
+ | Host: albert.apple.com |
||
− | conn.request('POST', '/WebObjects/ALActivation.woa/wa/deviceActivation',params,headers) |
||
+ | Cache-Control: no-cache |
||
− | response = conn.getresponse() |
||
+ | |||
− | resdata=response.read() |
||
+ | --DeviceActivation |
||
− | f=open("arsp.xml",'w') |
||
+ | Content-Disposition: form-data; name="activation-info" |
||
− | f.write(resdata) |
||
+ | |||
− | #time.sleep(1) |
||
+ | <dict> |
||
+ | <key>ActivationInfoComplete</key> |
||
+ | <true/> |
||
+ | <key>ActivationInfoXML</key> |
||
+ | <data> |
||
+ | (base64-encoded activation info here) |
||
+ | </data> |
||
+ | <key>FairPlayCertChain</key> |
||
+ | <data> |
||
+ | (base64-encoded cert in DER format) |
||
+ | </data> |
||
+ | <key>FairPlaySignature</key> |
||
+ | <data> |
||
+ | (base64-encoded signature (SHA1+RSA) of ActivationInfoXML) |
||
+ | </data> |
||
+ | </dict> |
||
+ | |||
==Resources== |
==Resources== |
||
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate] |
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate] |
||
+ | * [[User:sn0wra1n|iSn0wra1n]]'s [http://github.com/iSn0wra1n/iActivator iActivator v2 for Windows] |
||
[[Category:Baseband]] |
[[Category:Baseband]] |
Latest revision as of 16:36, 18 November 2015
Layout of Activation Token
This is the CFDictionary string representation which gets sent to Apple's server.The object can be obtained by using the MobileDevice Library, AMDeviceCopyValue function with the "ActivationInfo" value.
It is generated by lockdownd. Upon generation it stores ActivationRandomness in data ark and later checks it, thus only the last generated token it valid. SHA1 is generated in lockdown and then it makes a request to fairplayd to complete signature process and obtain certificate chain.
<dict> <key>ActivationInfoComplete</key> <true/> <key>ActivationInfoXML</key> (base64-encoded activation info here) <key>FairPlayCertChain</key> (base64-encoded RSA certificate chain including root CA in DER format) <key>FairPlaySignature</key> (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate) </dict>
Key: ActivationInfoXML
The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>ActivationRandomness</key> <string>(GUID)</string> <key>ActivationRequiresActivationTicket</key> <true/> <key>ActivationState</key> <string>Unactivated</string> <key>BasebandMasterKeyHash</key> <string>(Hash of hardware IDs)<string> <key>BasebandThumbprint</key> <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)<string> <key>BuildVersion</key> <string>8A306</string> <key>DeviceCertRequest</key> (base64 encoded cert) <key>DeviceClass</key> <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string> <key>IntegratedCircuitCardIdentity</key> <string>(ICCID as base-10 string)</string> <key>InternationalMobileEquipmentIdentity</key> <string>(IMEI as base-10 string)</string> <key>InternationalMobileSubscriberIdentity</key> <string>(IMSI as base-10 string)</string> <key>ModelNumber</key> <string>MC135</string> <key>PhoneNumber</key> <string>(String like "+1 (555) 555-5555")</string> <key>ProductType</key> <string>iPhone2,1</string> <key>ProductVersion</key> <string>4.0.1</string> <string>SIMGID1</string> (base64-encoded binary GID1) <string>SIMGID2</string> (base64-encoded binary GID2) <key>SIMStatus</key> <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string> <key>SerialNumber</key> <string>...</string> <key>SupportsPostponement</key> <true/> <key>UniqueChipID</key> <integer>...</integer> <key>UniqueDeviceID</key> <string>(hex UUID)</string> </dict> </plist>
SIMGIDs and PhoneNumber are present only if installed SIM has them and it was read correctly.
If ActivationState is not Unactivated or token signature is not correct, Apple server will respond with message "there's problem with your device".
Activation Protocol
Use SSL and send the request below with the values
POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1 Accept-Encoding: gzip Accept-Language: en-us, en;q=0.50 Content-Type: multipart/form-data; boundary=DeviceActivation Content-Length: 1234 Host: albert.apple.com Cache-Control: no-cache --DeviceActivation Content-Disposition: form-data; name="activation-info" <dict> <key>ActivationInfoComplete</key> <true/> <key>ActivationInfoXML</key> (base64-encoded activation info here) <key>FairPlayCertChain</key> (base64-encoded cert in DER format) <key>FairPlaySignature</key> (base64-encoded signature (SHA1+RSA) of ActivationInfoXML) </dict>