|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "WildcardTicket"
(→Layout) |
(→Layout) |
||
| Line 7: | Line 7: | ||
The ticket is decrypted with TEA in CBC mode using a key hashed from the norID, chipID, IMEI and a salt. The layout of the decrypted ticket looks like this: |
The ticket is decrypted with TEA in CBC mode using a key hashed from the norID, chipID, IMEI and a salt. The layout of the decrypted ticket looks like this: |
||
| − | 0x00 Certificate Length (in bits) |
+ | 0x00 Certificate Length (in bits) |
| − | 0x04 Certificate Serial (usually 1) |
+ | 0x04 Certificate Serial (usually 1) |
| − | 0x08 Public Key Length (in bits) |
+ | 0x08 Public Key Length (in bits) |
| − | 0x0c Public Key Exponent |
+ | 0x0c Public Key Exponent |
| − | 0x10-0x90 Public Key (RSA Key 3) |
+ | 0x10-0x90 Public Key (RSA Key 3) |
| − | 0x90-0x110 Additional Public Key - not in use |
+ | 0x90-0x110 Additional Public Key - not in use |
| − | 0x110-0x190 Certificate of the first 0x110 bytes signed with rsa_key2 |
+ | 0x110-0x190 Certificate of the first 0x110 bytes signed with rsa_key2 |
| − | 0x190-0x19B ICCID mask (relevant bits for simlock) |
+ | 0x190-0x19B ICCID mask (relevant bits for simlock) |
| − | 0x19C-0x1A3 IMEI |
+ | 0x19C-0x1A3 IMEI |
| − | 0x1A4-0x1B7 Hash of several hardware IDs (IMEI, norID, chipID) |
+ | 0x1A4-0x1B7 Hash of several hardware IDs (IMEI, norID, chipID) |
| − | + | 0x1B8-... Table of "policies" (netlock) |
|
Attached to the decrypted ticket is a certificate (0x80 byte) signed with the [[Baseband RSA Keys|RSA key 3]] at 0x10. |
Attached to the decrypted ticket is a certificate (0x80 byte) signed with the [[Baseband RSA Keys|RSA key 3]] at 0x10. |
||
Revision as of 06:06, 15 August 2010
The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". When activating an iPhone, the ticket is pulled from Apple's server and stored on the device. It contains all the information about sim-/netlocks. Factory- and carrier-unlocked devices receive a wildcard ticket with policies that permit all SIM cards.
Layout
0x0 Version number (=2 for iPhone 3G, 3GS) 0x4 Encrypted Ticket
The ticket is decrypted with TEA in CBC mode using a key hashed from the norID, chipID, IMEI and a salt. The layout of the decrypted ticket looks like this:
0x00 Certificate Length (in bits) 0x04 Certificate Serial (usually 1) 0x08 Public Key Length (in bits) 0x0c Public Key Exponent 0x10-0x90 Public Key (RSA Key 3) 0x90-0x110 Additional Public Key - not in use 0x110-0x190 Certificate of the first 0x110 bytes signed with rsa_key2 0x190-0x19B ICCID mask (relevant bits for simlock) 0x19C-0x1A3 IMEI 0x1A4-0x1B7 Hash of several hardware IDs (IMEI, norID, chipID) 0x1B8-... Table of "policies" (netlock)
Attached to the decrypted ticket is a certificate (0x80 byte) signed with the RSA key 3 at 0x10.
