Difference between revisions of "Activation"

From The iPhone Wiki
[[Image:foto.jpg|thumb|right|iPhone showing 1 signal bar: the [[hacktivation]] is damaged or the device has no internet connection|100px]]

'''Activation''' is the process by which a new (or newly restored) iPhone or iPod touch gets past the "Emergency Call" screen ([[List of iPhones|iPhone]]) or the "Connect to iTunes" screen (not to be confused with [[Recovery Mode]]; the activation screen shows a battery icon in the top right corner) and reaches the SpringBoard.

The code in charge of this resides in [[lockdownd]], which is always running on [[iOS]] and monitors the activation status of the device. Lockdownd patches (which require a [[jailbreak]], so that the modified lockdownd binary can run under a patched kernel booted by [[iBoot (Bootloader)|iBoot]], with no need for dynamic libraries to patch it in RAM) activate the phone and remove the need to activate legitimately through [[iTunes]] with an official carrier; this is also called "[[hacktivation]]". A hacktivated iPhone still cannot be used to communicate unless an [[unlock]] is found for the [[baseband]]. Lockdownd patches are only used on the [[List of iPhones|iPhone]], as the [[List of iPod touches|iPod touch]] has never been denied activation regardless of firmware, country etc.

Activation is handled by https://albert.apple.com/deviceservices/deviceActivation

[[iTunes]] generates an [[Activation Token]] and sends it to Apple's activation server. Once the token is validated, the server generates a [[WildcardTicket]] and signs it with Apple's private key. [[iTunes]] then calls AMDeviceActivate with the [[WildcardTicket]]; the device checks that the signature verifies and, if it does, gets past the emergency call screen and can be used. All devices go through this process. Without a validly signed ticket, the straightforward way around this on a jailbroken device is to alter the check itself, which is what the lockdownd patches listed below do. The activation process is described in detail in US patent application [http://www.freepatentsonline.com/20090061934.pdf 2009/0061934].

Although the [[List of iPod touches|iPod touch]] can be "activated" without an internet connection, some services such as YouTube and Push Notifications will not work because the device has no valid authentication token ([http://support.apple.com/kb/TS3305 iPad and iPod touch: Unable to use YouTube or Push notifications]), so connecting to iTunes is still needed to activate the [[List of iPod touches|iPod touch]] fully.

The [[List of iPhones|iPhone]] needs a cellular data connection the first time after activation in [[iTunes]]. Calls can be made once an alert says "iPhone is activated". Without a cellular data connection (3G, EDGE, GPRS) you cannot make calls and see only 1 bar of reception. If you have only 1 bar and no carrier name in the status bar, the device is not activated correctly.

[[SAM]] (Subscriber Artificial Module) can simulate official activation for hacktivated devices.

== See Also ==
* [[Activation Token]]

== External Links ==
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate]
* [http://www.freepatentsonline.com/20090061934.pdf Apple Patent]

{{stub|firmware}}

[[Category:Baseband]]

== Lockdownd Patches on Different Versions ==

The tables below are kept from an earlier revision of this page. Each row gives a file offset in the lockdownd binary of that firmware version, the original byte(s) found there, the byte(s) to write, and the reason for the change. A patched binary from one firmware version cannot be reused on another: the offsets and surrounding bytes differ, so a patch must be applied to the lockdownd of the exact version listed, and the original bytes should be checked before writing. Single-byte changes from 0x0A or 0x1A to 0xEA at offsets that are 3 mod 4 rewrite the top byte of a little-endian 32-bit ARM instruction, turning a conditional branch (BEQ or BNE) into an unconditional B; changes from 0x01 to 0x00 replace the 1 that enables "brick mode" with 0.

=== Lockdownd 1.1.2 ===

{| class="wikitable"
! Offset !! Original !! Patched !! Reason
|-
| 0x4B3B || 0x1A || 0xEA || Changed to ignore baseband version.
|-
| 0x79FC || 0xD7 0xFF || 0x00 0x00 || Disallows enabling of Voided Warranty.
|-
| 0x79FE || 0xFF 0x1A || 0xA0 0xE1 || Part of patch at 0x79FC.
|-
| 0x7E0B || 0x0A || 0xEA || Disallows enabling of Voided Warranty.
|-
| 0xAC73 || 0x0A || 0xEA || Disallows enabling of Voided Warranty.
|-
| 0xBC40 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0xC5CC || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0xC5D4 || 0x88 || 0xEC || Change Unactivated to FactoryActivated.
|-
| 0xC614 || 0x48 || 0xAC || Change Unactivated to FactoryActivated.
|-
| 0xC640 || 0x1C || 0x80 || Change Unactivated to FactoryActivated.
|-
| 0xC6F0 || 0x90 || 0xD0 || Change MissingSIM to FactoryActivated.
|-
| 0xC74C || 0x44 || 0x74 || Change MismatchedICCID to FactoryActivated.
|-
| 0xC7DC || 0xB4 || 0xE4 || Change MismatchedICCID to FactoryActivated.
|-
| 0xC8AC || 0xB0 0x33 || 0x14 0x34 || Change Unactivated to FactoryActivated.
|-
| 0xC904 || 0x01 || 0x00 || Change enable brick mode to disable.
|}

=== Lockdownd 1.1.1 ===

{| class="wikitable"
! Offset !! Original !! Patched !! Reason
|-
| 0x482F || 0x1A || 0xEA || Changed to ignore baseband version.
|-
| 0xAF5C || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0xB814 || 0x24 || 0x54 || Change Unactivated to FactoryActivated.
|-
| 0xB818 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0xB838 || 0x00 || 0x30 || Change Unactivated to FactoryActivated.
|-
| 0xB858 || 0xE0 0x14 || 0x10 0x15 || Change Unactivated to FactoryActivated.
|-
| 0xB884 || 0xB4 || 0xE4 || Change Unactivated to FactoryActivated.
|-
| 0xB958 || 0x00 || 0x10 || Change MismatchedICCID to FactoryActivated.
|-
| 0xB970 || 0xEC || 0xF8 || Change MissingSIM to FactoryActivated.
|-
| 0xB9E0 || 0x58 || 0x88 || Change Unactivated to FactoryActivated.
|-
| 0xBA58 || 0x01 || 0x00 || Change enable brick mode to disable.
|}

=== Lockdownd 1.0.2 ===

{| class="wikitable"
! Offset !! Original !! Patched !! Reason
|-
| 0x9184 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x94F0 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x94F4 || 0x3C || 0x68 || Change Unactivated to FactoryActivated.
|-
| 0x95C4 || 0x84 || 0x98 || Change MismatchedIMEI to FactoryActivated.
|-
| 0x9604 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x9624 || 0x2C || 0x38 || Change MismatchedICCID to FactoryActivated.
|-
| 0x962C || 0x28 || 0x30 || Change MissingSIM to FactoryActivated.
|-
| 0x96A4 || 0x01 || 0x00 || Change enable brick mode to disable.
|}
 
 
=== Lockdownd 1.0.1 ===

{| class="wikitable"
! Offset !! Original !! Patched !! Reason
|-
| 0x9158 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x94C4 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x94C8 || 0x3C || 0x68 || Change Unactivated to FactoryActivated.
|-
| 0x9598 || 0x84 || 0x98 || Change MismatchedIMEI to FactoryActivated.
|-
| 0x95D8 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x95F8 || 0x2C || 0x38 || Change MismatchedICCID to FactoryActivated.
|-
| 0x9600 || 0x28 || 0x30 || Change MissingSIM to FactoryActivated.
|-
| 0x9678 || 0x01 || 0x00 || Change enable brick mode to disable.
|}

=== Lockdownd 1.0.0 ===

{| class="wikitable"
! Offset !! Original !! Patched !! Reason
|-
| 0x8CF8 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x90A4 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x90A8 || 0x3C || 0x68 || Change Unactivated to FactoryActivated.
|-
| 0x9178 || 0x84 || 0x98 || Change MismatchedIMEI to FactoryActivated.
|-
| 0x91B8 || 0x01 || 0x00 || Change enable brick mode to disable.
|-
| 0x91D8 || 0x2C || 0x38 || Change MismatchedICCID to FactoryActivated.
|-
| 0x91E0 || 0x28 || 0x30 || Change MissingSIM to FactoryActivated.
|-
| 0x9258 || 0x01 || 0x00 || Change enable brick mode to disable.
|}

=== All Lockdownd: downloads and byte-level diffs ===

The original and patched lockdownd binaries below, and the byte-level differences between them (output of a file comparison tool: offset, original byte, patched byte), were posted by George Zhu; the links are the original uploads.

'''1.1.4'''

* original: http://rapidshare.com/files/133067477/114_lockdownd_original.zip.html
* patched: http://rapidshare.com/files/133067620/114_lockdownd_patched.zip.html

The lockdownd in firmware 1.1.4 is very similar to the one in 1.1.3, so the same patch applied to 1.1.3 also works on 1.1.4. NOTE: you cannot reuse the old patched 1.1.3 lockdownd, because the files are different; the patch has to be applied to the 1.1.4 lockdownd.

<pre>
Search for differences

1. G:\iPhone Stuffs\Lockdownd\lockdownd_114_original\lockdownd: 1,107,780 bytes
2. G:\iPhone Stuffs\Lockdownd\lockdownd_114_patched\lockdownd: 1,107,780 bytes

Offsets: hexadec.

83AF: 0A EA
AFA3: 0A EA
C4CF: 1A EA
CDB4: 80 04
CDB5: 28 29
CDC0: 01 00
CE08: 2C B0
CE58: DC 60
CE59: 27 28
CF24: 3C 94
CF7C: F4 3C
CF7D: 26 27
D000: 70 B8
D1A8: 8C 10
D1A9: 24 25
D224: 4C 94
D274: 01 00

17 difference(s) found.
</pre>

'''1.1.3'''

* original: http://rapidshare.com/files/133068021/113_lockdownd_original.zip.html
* patched: http://rapidshare.com/files/133068133/113_lockdownd_patched.zip.html

The comparison of the 1.1.3 files (G:\iPhone Stuffs\Lockdownd\lockdownd_113_original\lockdownd and G:\iPhone Stuffs\Lockdownd\lockdownd_113_patched\lockdownd, both 1,107,780 bytes) yields exactly the same 17 differences as listed for 1.1.4 above.

'''1.1.2'''

* original: http://rapidshare.com/files/133068455/112_lockdownd_original.zip.html
* patched: http://rapidshare.com/files/133068558/112_lockdownd_patched.zip.html

This patch uses the same technique as the 1.1.1 patch. With it, 1.1.2 can be factory activated immediately.

<pre>
Search for differences

1. G:\iPhone Stuffs\lockdownd\lockdownd_112_original\lockdownd: 996,440 bytes
2. G:\iPhone Stuffs\lockdownd\lockdownd_112_patched\lockdownd: 996,440 bytes

Offsets: hexadec.

4B4C: 01 14
4B4E: A0 00
4B4F: E3 EA
C5C1: 00 40
C5C2: 54 A0
C5C8: 04 00
C5CA: 00 A0
C5CB: 1A E1
C5CC: 01 00
C5D4: 88 EC

10 difference(s) found.
</pre>

Note: 1.1.2 has a firmware checking routine which will brick the phone if an unexpected version is found. The patch at 4B4C-4B4F fixes it. If the firmware version causes a problem, the syslog will still contain

 lookup_baseband_info: Not the expected firmware version. Enabling brick mode

but the actual bricking operations will not run, because the patch forces a jump once the syslog message has been written.

'''1.1.1'''

* original: http://rapidshare.com/files/133068876/111_lockdownd_original.zip.html
* patched: http://rapidshare.com/files/133068957/111_lockdownd_patched1.zip.html

<pre>
Search for differences

1. C:\iPhone\lockdownd\lockdownd_111_original\lockdownd: 819,328 bytes
2. C:\iPhone\lockdownd\lockdownd_111_patched\lockdownd: 819,328 bytes

Offsets: hexadec.

B810: 04 00
B812: 00 A0
B813: 1A E1
B814: 24 54
B818: 01 00

5 difference(s) found.
</pre>

Source: George Zhu's Blog
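The following Python is an added example, not code from this page or from George Zhu's patches. It applies a byte table in the "OFFSET: ORIG NEW" form used by the comparison listings above, refusing to write if the original byte does not match (the reason a patched 1.1.3 file must not be reused on 1.1.4), and decodes the 32-bit ARM word that contains each patched byte when that word is a branch, so the 0x1A to 0xEA edits show up as BNE becoming B. The sample binary and patch table are constructed for the demo; only B/BL instructions are named, every other change is reported as a plain byte change.

```python
import struct

# ARM condition codes, indexed by bits 31-28 of an ARM-mode instruction.
# Index 14 (AL, "always") is an empty suffix, so the mnemonic is "B", not "BAL".
ARM_COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
            "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]


def parse_patch_table(text):
    """Parse 'OFFSET: ORIG NEW' lines (hex, one byte per entry) into
    (offset, original, patched) tuples; blank lines and '#' comments are skipped."""
    patches = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        offset, rest = line.split(":", 1)
        original, patched = rest.split()
        patches.append((int(offset, 16), int(original, 16), int(patched, 16)))
    return patches


def apply_patches(blob, patches):
    """Return a patched copy of blob. Every original byte is checked before
    anything is written, so a table for one lockdownd version cannot silently
    corrupt a binary from another version (or one that is already patched)."""
    out = bytearray(blob)
    for offset, original, patched in patches:
        if offset >= len(out):
            raise ValueError(f"offset {offset:#x} is beyond the end of the file")
        if out[offset] != original:
            raise ValueError(f"{offset:#x}: expected {original:02X}, found "
                             f"{out[offset]:02X}; wrong binary version or already patched")
        out[offset] = patched
    return bytes(out)


def describe_branch(blob, offset):
    """Name the ARM branch whose little-endian 32-bit word contains the byte at
    offset, or return None if that word is not a B/BL. Bits 27-25 == 101 mark a
    branch, bit 24 is the link bit, bits 31-28 hold the condition code."""
    base = offset & ~3                          # word-align the byte offset
    word = struct.unpack_from("<I", blob, base)[0]
    if (word >> 25) & 0b111 != 0b101:
        return None
    link = "L" if (word >> 24) & 1 else ""
    return f"B{link}{ARM_COND[word >> 28]}"


def explain_patches(blob, patches):
    """Apply the table and describe what each entry did to the binary."""
    patched = apply_patches(blob, patches)
    notes = []
    for offset, original, new in patches:
        before = describe_branch(blob, offset)
        after = describe_branch(patched, offset)
        if before or after:
            notes.append(f"{offset:#06x}: {before} -> {after}")
        else:
            notes.append(f"{offset:#06x}: byte {original:02X} -> {new:02X}")
    return patched, notes


# Constructed sample binary (not a real lockdownd): a BNE at 0x38 and a
# MOV R0, #1 (0xE3A00001) at 0x40, padded to 256 bytes.
SAMPLE_ORIGINAL = (bytes(0x38)
                   + struct.pack("<I", 0x1A000010)   # BNE, imm24 = 0x10
                   + bytes(4)
                   + struct.pack("<I", 0xE3A00001)   # MOV R0, #1
                   + bytes(0x100 - 0x44))

# Constructed patch table in the listing format above: make the branch
# unconditional (top byte 1A -> EA) and turn the immediate 1 into 0.
SAMPLE_TABLE = """
3B: 1A EA
40: 01 00
"""

if __name__ == "__main__":
    patched, notes = explain_patches(SAMPLE_ORIGINAL, parse_patch_table(SAMPLE_TABLE))
    print("\n".join(notes))
```

Running the table a second time against the already patched output raises, because the bytes at 0x3B and 0x40 no longer match the table's original column; that is the same check that protects against applying a 1.1.3 table to a 1.1.4 binary.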
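The exchange described in the activation paragraph at the top of this article, as an added Python example (not the page's or Apple's code, and not the real token or ticket format): iTunes builds an activation token from what the device reports, the server validates it and returns a signed ticket, and lockdownd on the device accepts the ticket only if the signature verifies under the public key. The signing key is a demo RSA key built from two Mersenne primes standing in for Apple's key (far too small for real use, textbook signatures without padding); the token fields, the "*" ICCID wildcard in the WildcardTicket, and the state strings are assumptions chosen to mirror the states the patch tables rewrite. The last device-side function shows what the "Unactivated to FactoryActivated" patches amount to: the outcome no longer depends on the ticket at all.

```python
import hashlib
import json

# Demo RSA key from two Mersenne primes so the block runs offline. A stand-in
# for Apple's key only: ~216-bit modulus, textbook (unpadded) signatures.
P = (1 << 89) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537                                  # public exponent known to every device
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent held by the server


def ticket_digest(ticket):
    """Canonical SHA-256 of the ticket, truncated to 192 bits so it is below N."""
    raw = json.dumps(ticket, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:24], "big")


def sign_ticket(ticket, d=D):
    """Server side: sign the digest with the private exponent."""
    return pow(ticket_digest(ticket), d, N)


def verify_ticket(ticket, signature):
    """Device side: the public exponent must recover the digest exactly."""
    return pow(signature, E, N) == ticket_digest(ticket)


def build_activation_token(device):
    """iTunes side: the identifiers the device reports (assumed field set)."""
    return {"UniqueDeviceID": device["udid"],
            "IMEI": device["imei"],
            "ICCID": device["iccid"]}


def activation_server(token, known_udids):
    """Stand-in for albert.apple.com: validate the token, issue a WildcardTicket
    bound to the device and its IMEI but not to the SIM ("*" wildcard, assumed)."""
    if token["UniqueDeviceID"] not in known_udids:
        return None
    ticket = {"UniqueDeviceID": token["UniqueDeviceID"],
              "IMEI": token["IMEI"],
              "ICCID": "*"}
    return {"ticket": ticket, "signature": sign_ticket(ticket)}


def lockdownd_check(device, response):
    """Device side (what AMDeviceActivate hands to lockdownd): verify the
    signature first, then compare the ticket with the device's own identifiers."""
    if response is None:
        return "Unactivated"
    ticket = response["ticket"]
    if not verify_ticket(ticket, response["signature"]):
        return "Unactivated"
    if ticket["UniqueDeviceID"] != device["udid"]:
        return "Unactivated"                    # ticket issued to another device
    if ticket["IMEI"] != device["imei"]:
        return "MismatchedIMEI"
    if device["iccid"] is None:
        return "MissingSIM"
    if ticket["ICCID"] not in ("*", device["iccid"]):
        return "MismatchedICCID"
    return "Activated"


def hacktivated_lockdownd_check(device, response):
    """What the 'Unactivated/MissingSIM/MismatchedICCID -> FactoryActivated'
    patches amount to: every refusing path now reports FactoryActivated."""
    return "FactoryActivated"


def run_activation(device, known_udids, tamper=None):
    """Full exchange. `tamper` optionally rewrites the server response in
    transit, modelling a forged or modified ticket."""
    token = build_activation_token(device)
    response = activation_server(token, known_udids)
    if tamper is not None and response is not None:
        response = tamper(response)
    return lockdownd_check(device, response)


def forge_without_private_key(response):
    """Attacker edits the ticket and 're-signs' it without D (guessed exponent)."""
    ticket = dict(response["ticket"], IMEI="000000000000000")
    return {"ticket": ticket, "signature": pow(ticket_digest(ticket), 3, N)}


# Constructed sample device and server database.
DEVICE = {"udid": "demo-udid-0001", "imei": "490154203237518",
          "iccid": "8901260123456789012"}
KNOWN = {"demo-udid-0001"}

if __name__ == "__main__":
    print(run_activation(DEVICE, KNOWN))                             # Activated
    print(run_activation(DEVICE, set()))                             # Unactivated
    print(run_activation(DEVICE, KNOWN, forge_without_private_key))  # Unactivated
```

The point the model makes is that the device never talks to the server: it trusts whatever ticket it is handed as long as the signature verifies, so replaying another device's ticket, editing a ticket, or forging one without the private exponent all end in "Unactivated", while the patched check returns "FactoryActivated" regardless of what it is given.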
 

Latest revision as of 00:49, 16 October 2017
