The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Activation Token"
(New page: iTunes gets three things from the phone, the DeviceID, the IMEI, and the ICCID. This is called the token and is unique to every iPhone. This token is then sent to the apple server (alfred....) |
GeoSn0wOLD (talk | contribs) m (→Key: ActivationInfoXML: Corrected the misspelled word "problem") |
||
(38 intermediate revisions by 10 users not shown) | |||
Line 1: | Line 1: | ||
+ | ==Layout of Activation Token== |
||
− | iTunes gets three things from the phone, the DeviceID, the IMEI, and the ICCID. This is called the token and is unique to every iPhone. This token is then sent to the apple server (alfred.apple.com) via SSL. Apple uses their private key to sign the token and transmits it back to iTunes. iTunes then calls AMDeviceActivate with this signed token. The device gets the token and checks whether or not the signature matches the token. If it does, the device is activated. |
||
+ | This is the [[wikipedia:Core Foundation|CFDictionary]] string representation which gets sent to Apple's server.The object can be obtained by using the [[MobileDevice Library]], AMDeviceCopyValue function with the "ActivationInfo" value. |
||
+ | It is generated by [[lockdownd]]. Upon generation it stores ActivationRandomness in data ark and later checks it, thus only the last generated token it valid. SHA1 is generated in lockdown and then it makes a request to [[fairplayd]] to complete signature process and obtain certificate chain. |
||
− | { |
||
+ | <dict> |
||
− | "UniqueDeviceID" = "aabbccdd......"; |
||
+ | <key>ActivationInfoComplete</key> |
||
− | "InternationalMobileEquipmentIdentity" = "1234...."; |
||
+ | <true/> |
||
− | "IntegratedCircuitCardIdentity" = "1234..."; |
||
+ | <key>ActivationInfoXML</key> |
||
− | } |
||
+ | <data> |
||
+ | (base64-encoded activation info here) |
||
+ | </data> |
||
+ | <key>FairPlayCertChain</key> |
||
+ | <data> |
||
+ | (base64-encoded RSA certificate chain including root CA in DER format) |
||
+ | </data> |
||
+ | <key>FairPlaySignature</key> |
||
+ | <data> |
||
+ | (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate) |
||
+ | </data> |
||
+ | </dict> |
||
+ | ===Key: ActivationInfoXML=== |
||
− | Now the NCK and several other fields have also been added. |
||
+ | The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below |
||
+ | |||
+ | <?xml version="1.0" encoding="UTF-8"?> |
||
+ | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
||
+ | <plist version="1.0"> |
||
+ | <dict> |
||
+ | <key>ActivationRandomness</key> |
||
+ | <string>(GUID)</string> |
||
+ | <key>ActivationRequiresActivationTicket</key> |
||
+ | <true/> |
||
+ | <key>ActivationState</key> |
||
+ | <string>Unactivated</string> |
||
+ | <key>BasebandMasterKeyHash</key> |
||
+ | <string>(Hash of hardware IDs)<string> |
||
+ | <key>[[Baseband TEA Keys#Hardware Thumbprint Generation|BasebandThumbprint]]</key> |
||
+ | <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)<string> |
||
+ | <key>BuildVersion</key> |
||
+ | <string>8A306</string> |
||
+ | <key>DeviceCertRequest</key> |
||
+ | <data> |
||
+ | (base64 encoded cert) |
||
+ | </data> |
||
+ | <key>DeviceClass</key> |
||
+ | <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string> |
||
+ | <key>IntegratedCircuitCardIdentity</key> |
||
+ | <string>(ICCID as base-10 string)</string> |
||
+ | <key>InternationalMobileEquipmentIdentity</key> |
||
+ | <string>(IMEI as base-10 string)</string> |
||
+ | <key>InternationalMobileSubscriberIdentity</key> |
||
+ | <string>(IMSI as base-10 string)</string> |
||
+ | <key>ModelNumber</key> |
||
+ | <string>MC135</string> |
||
+ | <key>PhoneNumber</key> |
||
+ | <string>(String like "+1 (555) 555-5555")</string> |
||
+ | <key>ProductType</key> |
||
+ | <string>iPhone2,1</string> |
||
+ | <key>ProductVersion</key> |
||
+ | <string>4.0.1</string> |
||
+ | <string>SIMGID1</string> |
||
+ | <data> |
||
+ | (base64-encoded binary GID1) |
||
+ | </data> |
||
+ | <string>SIMGID2</string> |
||
+ | <data> |
||
+ | (base64-encoded binary GID2) |
||
+ | </data> |
||
+ | <key>SIMStatus</key> |
||
+ | <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string> |
||
+ | <key>SerialNumber</key> |
||
+ | <string>...</string> |
||
+ | <key>SupportsPostponement</key> |
||
+ | <true/> |
||
+ | <key>UniqueChipID</key> |
||
+ | <integer>...</integer> |
||
+ | <key>UniqueDeviceID</key> |
||
+ | <string>(hex UUID)</string> |
||
+ | </dict> |
||
+ | </plist> |
||
+ | |||
+ | SIMGIDs and PhoneNumber are present only if installed SIM has them and it was read correctly. |
||
+ | |||
+ | If ActivationState is not Unactivated or token signature is not correct, Apple server will respond with message "there's problem with your device". |
||
+ | |||
+ | ==Activation Protocol== |
||
+ | Use SSL and send the request below with the values |
||
+ | POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1 |
||
+ | Accept-Encoding: gzip |
||
+ | Accept-Language: en-us, en;q=0.50 |
||
+ | Content-Type: multipart/form-data; boundary=DeviceActivation |
||
+ | Content-Length: 1234 |
||
+ | Host: albert.apple.com |
||
+ | Cache-Control: no-cache |
||
+ | |||
+ | --DeviceActivation |
||
+ | Content-Disposition: form-data; name="activation-info" |
||
+ | |||
+ | <dict> |
||
+ | <key>ActivationInfoComplete</key> |
||
+ | <true/> |
||
+ | <key>ActivationInfoXML</key> |
||
+ | <data> |
||
+ | (base64-encoded activation info here) |
||
+ | </data> |
||
+ | <key>FairPlayCertChain</key> |
||
+ | <data> |
||
+ | (base64-encoded cert in DER format) |
||
+ | </data> |
||
+ | <key>FairPlaySignature</key> |
||
+ | <data> |
||
+ | (base64-encoded signature (SHA1+RSA) of ActivationInfoXML) |
||
+ | </data> |
||
+ | </dict> |
||
+ | |||
+ | ==Resources== |
||
+ | * [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate] |
||
+ | * [[User:sn0wra1n|iSn0wra1n]]'s [http://github.com/iSn0wra1n/iActivator iActivator v2 for Windows] |
||
+ | |||
+ | [[Category:Baseband]] |
Latest revision as of 16:36, 18 November 2015
Layout of Activation Token
This is the CFDictionary string representation which gets sent to Apple's server.The object can be obtained by using the MobileDevice Library, AMDeviceCopyValue function with the "ActivationInfo" value.
It is generated by lockdownd. Upon generation it stores ActivationRandomness in data ark and later checks it, thus only the last generated token it valid. SHA1 is generated in lockdown and then it makes a request to fairplayd to complete signature process and obtain certificate chain.
<dict> <key>ActivationInfoComplete</key> <true/> <key>ActivationInfoXML</key> (base64-encoded activation info here) <key>FairPlayCertChain</key> (base64-encoded RSA certificate chain including root CA in DER format) <key>FairPlaySignature</key> (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate) </dict>
Key: ActivationInfoXML
The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>ActivationRandomness</key> <string>(GUID)</string> <key>ActivationRequiresActivationTicket</key> <true/> <key>ActivationState</key> <string>Unactivated</string> <key>BasebandMasterKeyHash</key> <string>(Hash of hardware IDs)<string> <key>BasebandThumbprint</key> <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)<string> <key>BuildVersion</key> <string>8A306</string> <key>DeviceCertRequest</key> (base64 encoded cert) <key>DeviceClass</key> <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string> <key>IntegratedCircuitCardIdentity</key> <string>(ICCID as base-10 string)</string> <key>InternationalMobileEquipmentIdentity</key> <string>(IMEI as base-10 string)</string> <key>InternationalMobileSubscriberIdentity</key> <string>(IMSI as base-10 string)</string> <key>ModelNumber</key> <string>MC135</string> <key>PhoneNumber</key> <string>(String like "+1 (555) 555-5555")</string> <key>ProductType</key> <string>iPhone2,1</string> <key>ProductVersion</key> <string>4.0.1</string> <string>SIMGID1</string> (base64-encoded binary GID1) <string>SIMGID2</string> (base64-encoded binary GID2) <key>SIMStatus</key> <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string> <key>SerialNumber</key> <string>...</string> <key>SupportsPostponement</key> <true/> <key>UniqueChipID</key> <integer>...</integer> <key>UniqueDeviceID</key> <string>(hex UUID)</string> </dict> </plist>
SIMGIDs and PhoneNumber are present only if installed SIM has them and it was read correctly.
If ActivationState is not Unactivated or token signature is not correct, Apple server will respond with message "there's problem with your device".
Activation Protocol
Use SSL and send the request below with the values
POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1 Accept-Encoding: gzip Accept-Language: en-us, en;q=0.50 Content-Type: multipart/form-data; boundary=DeviceActivation Content-Length: 1234 Host: albert.apple.com Cache-Control: no-cache --DeviceActivation Content-Disposition: form-data; name="activation-info" <dict> <key>ActivationInfoComplete</key> <true/> <key>ActivationInfoXML</key> (base64-encoded activation info here) <key>FairPlayCertChain</key> (base64-encoded cert in DER format) <key>FairPlaySignature</key> (base64-encoded signature (SHA1+RSA) of ActivationInfoXML) </dict>