Difference between revisions of "WildcardTicket"

From The iPhone Wiki
Jump to: navigation, search
(New page: The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". ==Layout== 0x0 Version number (=2...)
 
(Ticket Layout)
 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist".
+
The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". When activating an iPhone, the ticket is pulled from Apple's server and stored on the device. It contains all the information about sim-/netlocks. Factory- and carrier-unlocked devices receive a wildcard ticket with policies that permit all SIM cards.
   
==Layout==
+
==Ticket Layout==
 
0x0 Version number (=2 for iPhone 3G, 3GS)
 
0x0 Version number (=2 for iPhone 3G, 3GS)
 
0x4 Encrypted Ticket
 
0x4 Encrypted Ticket
   
The ticket is decrypted with TEA in CBC mode using the norID, chipID, IMEI and a salt. The layout of the decrypted ticket looks like this:
+
The ticket is decrypted with [[TEA]] in [[CBC mode]] using a key hashed from the [[NORID]], [[CHIPID]], [[wikipedia:IMEI|IMEI]] and a [[wikipedia:Salt (cryptography)|salt]]. The layout of the decrypted ticket looks like this:
   
0x00 Certificate Length (in bits)
+
0x000 Certificate Length (in bits)
0x04 Certificate Serial (usually 1)
+
0x004 Certificate Serial (usually 1)
0x08 Public Key Length (in bits)
+
0x008 Public Key Length (in bits)
0x0c Public Key Exponent
+
0x00c Public Key Exponent
0x10-0x90 Public Key
+
0x010-0x090 Public Key (RSA Key 3)
  +
0x090-0x110 Montgomery Reduction
0x110-0x190 Certificate of the first 0x110 bytes signed with rsa_key2
 
  +
0x110-0x190 Certificate of the first 0x110 bytes signed with rsa_key2
0x190-0x19B ICCID mask (relevant bits for simlock)
 
  +
0x190-0x19B [[wikipedia:ICCID|ICCID]] mask (relevant bits for simlock)
0x19C-0x1A3 IMEI
 
  +
0x19C-0x1A3 [[wikipedia:IMEI|IMEI]]
0x1A4-0x1B7 Hash of several hardware IDs (IMEI, norID, chipID)
 
  +
0x1A4-0x1B7 [[Baseband TEA Keys#Hardware Thumbprint Generation|Hash of several hardware IDs]] ([[wikipedia:IMEI|IMEI]], [[NORID]], [[CHIPID]])
0x1B7- Table of "policies" (netlock)
 
  +
0x1B8-... Table of "policies" (netlock)
   
Attached to the decrypted ticket is a certificate (0x80 byte) signed with the key at 0x10.
+
Attached to the decrypted ticket is a certificate (0x80 byte) signed with the [[Baseband RSA Keys|RSA key 3]] at 0x010.
  +
  +
==Policy Table Layout==
  +
0x0 Total length of the policy table in bytes
  +
<Policy Item>
  +
  +
An item is 12 byte in size and has this structure:
  +
0x0-0x2 ID
  +
0x2-0x4 type?
  +
0x4-0xC [[wikipedia:IMSI|IMSI]] mask
  +
  +
Each [[wikipedia:nibble|nibble]] of a mask corresponds to a number - the wildcard is encoded as 0xE.
  +
  +
===AT&T USA===
  +
IMSI Mask
  +
310150?????????
  +
310170?????????
  +
310410?????????
  +
311180?????????
  +
310980?????????
  +
This is an iPhone 3GS from [[wikipedia:List of mobile network codes in the United States|AT&T]].
  +
  +
===T-Mobile Germany===
  +
IMSI Mask
  +
26201??????????
  +
26201??????????
  +
26201??????????
  +
This is an iPhone 3G from [[wikipedia:Mobile_network_code#G|T-Mobile Germany]].
  +
  +
===Factory Unlocked Device===
  +
IMSI Mask
  +
???????????????
  +
Obligatory.
   
 
[[Category:Baseband]]
 
[[Category:Baseband]]

Latest revision as of 03:28, 20 March 2011

The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". When activating an iPhone, the ticket is pulled from Apple's server and stored on the device. It contains all the information about sim-/netlocks. Factory- and carrier-unlocked devices receive a wildcard ticket with policies that permit all SIM cards.

Ticket Layout

0x0 Version number (=2 for iPhone 3G, 3GS)
0x4 Encrypted Ticket

The ticket is decrypted with TEA in CBC mode using a key hashed from the NORID, CHIPID, IMEI and a salt. The layout of the decrypted ticket looks like this:

0x000        Certificate Length (in bits)
0x004        Certificate Serial (usually 1)
0x008        Public Key Length (in bits)
0x00c        Public Key Exponent
0x010-0x090  Public Key (RSA Key 3)
0x090-0x110  Montgomery Reduction
0x110-0x190  Certificate of the first 0x110 bytes signed with rsa_key2
0x190-0x19B  ICCID mask (relevant bits for simlock)
0x19C-0x1A3  IMEI
0x1A4-0x1B7  Hash of several hardware IDs (IMEI, NORID, CHIPID)
0x1B8-...    Table of "policies" (netlock)

Attached to the decrypted ticket is a certificate (0x80 byte) signed with the RSA key 3 at 0x010.

Policy Table Layout

0x0          Total length of the policy table in bytes
<Policy Item>

An item is 12 byte in size and has this structure:

0x0-0x2      ID
0x2-0x4      type?
0x4-0xC      IMSI mask

Each nibble of a mask corresponds to a number - the wildcard is encoded as 0xE.

AT&T USA

IMSI Mask
310150?????????
310170?????????
310410?????????
311180?????????
310980?????????

This is an iPhone 3GS from AT&T.

T-Mobile Germany

IMSI Mask
26201??????????
26201??????????
26201??????????

This is an iPhone 3G from T-Mobile Germany.

Factory Unlocked Device

IMSI Mask
???????????????

Obligatory.