The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "WildcardTicket"
(New page: The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". ==Layout== 0x0 Version number (=2...) |
(→Ticket Layout) |
||
(12 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". |
+ | The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". When activating an iPhone, the ticket is pulled from Apple's server and stored on the device. It contains all the information about sim-/netlocks. Factory- and carrier-unlocked devices receive a wildcard ticket with policies that permit all SIM cards. |
− | ==Layout== |
+ | ==Ticket Layout== |
0x0 Version number (=2 for iPhone 3G, 3GS) |
0x0 Version number (=2 for iPhone 3G, 3GS) |
||
0x4 Encrypted Ticket |
0x4 Encrypted Ticket |
||
− | The ticket is decrypted with TEA in CBC mode using the |
+ | The ticket is decrypted with [[TEA]] in [[CBC mode]] using a key hashed from the [[NORID]], [[CHIPID]], [[wikipedia:IMEI|IMEI]] and a [[wikipedia:Salt (cryptography)|salt]]. The layout of the decrypted ticket looks like this: |
− | + | 0x000 Certificate Length (in bits) |
|
− | + | 0x004 Certificate Serial (usually 1) |
|
− | + | 0x008 Public Key Length (in bits) |
|
− | + | 0x00c Public Key Exponent |
|
− | + | 0x010-0x090 Public Key (RSA Key 3) |
|
+ | 0x090-0x110 Montgomery Reduction |
||
− | 0x110-0x190 Certificate of the first 0x110 bytes signed with rsa_key2 |
||
+ | 0x110-0x190 Certificate of the first 0x110 bytes signed with rsa_key2 |
||
− | 0x190-0x19B ICCID mask (relevant bits for simlock) |
||
+ | 0x190-0x19B [[wikipedia:ICCID|ICCID]] mask (relevant bits for simlock) |
||
− | 0x19C-0x1A3 IMEI |
||
+ | 0x19C-0x1A3 [[wikipedia:IMEI|IMEI]] |
||
− | 0x1A4-0x1B7 Hash of several hardware IDs (IMEI, norID, chipID) |
||
+ | 0x1A4-0x1B7 [[Baseband TEA Keys#Hardware Thumbprint Generation|Hash of several hardware IDs]] ([[wikipedia:IMEI|IMEI]], [[NORID]], [[CHIPID]]) |
||
− | 0x1B7- Table of "policies" (netlock) |
||
+ | 0x1B8-... Table of "policies" (netlock) |
||
− | Attached to the decrypted ticket is a certificate (0x80 byte) signed with the key at |
+ | Attached to the decrypted ticket is a certificate (0x80 byte) signed with the [[Baseband RSA Keys|RSA key 3]] at 0x010. |
+ | |||
+ | ==Policy Table Layout== |
||
+ | 0x0 Total length of the policy table in bytes |
||
+ | <Policy Item> |
||
+ | |||
+ | An item is 12 byte in size and has this structure: |
||
+ | 0x0-0x2 ID |
||
+ | 0x2-0x4 type? |
||
+ | 0x4-0xC [[wikipedia:IMSI|IMSI]] mask |
||
+ | |||
+ | Each [[wikipedia:nibble|nibble]] of a mask corresponds to a number - the wildcard is encoded as 0xE. |
||
+ | |||
+ | ===AT&T USA=== |
||
+ | IMSI Mask |
||
+ | 310150????????? |
||
+ | 310170????????? |
||
+ | 310410????????? |
||
+ | 311180????????? |
||
+ | 310980????????? |
||
+ | This is an iPhone 3GS from [[wikipedia:List of mobile network codes in the United States|AT&T]]. |
||
+ | |||
+ | ===T-Mobile Germany=== |
||
+ | IMSI Mask |
||
+ | 26201?????????? |
||
+ | 26201?????????? |
||
+ | 26201?????????? |
||
+ | This is an iPhone 3G from [[wikipedia:Mobile_network_code#G|T-Mobile Germany]]. |
||
+ | |||
+ | ===Factory Unlocked Device=== |
||
+ | IMSI Mask |
||
+ | ??????????????? |
||
+ | Obligatory. |
||
[[Category:Baseband]] |
[[Category:Baseband]] |
Latest revision as of 03:28, 20 March 2011
The wildcard ticket is used for activating the baseband. It is stored in the file "/var/root/Library/Lockdown/activation_records/wildcard_record.plist". When activating an iPhone, the ticket is pulled from Apple's server and stored on the device. It contains all the information about sim-/netlocks. Factory- and carrier-unlocked devices receive a wildcard ticket with policies that permit all SIM cards.
Contents
Ticket Layout
0x0 Version number (=2 for iPhone 3G, 3GS) 0x4 Encrypted Ticket
The ticket is decrypted with TEA in CBC mode using a key hashed from the NORID, CHIPID, IMEI and a salt. The layout of the decrypted ticket looks like this:
0x000 Certificate Length (in bits) 0x004 Certificate Serial (usually 1) 0x008 Public Key Length (in bits) 0x00c Public Key Exponent 0x010-0x090 Public Key (RSA Key 3) 0x090-0x110 Montgomery Reduction 0x110-0x190 Certificate of the first 0x110 bytes signed with rsa_key2 0x190-0x19B ICCID mask (relevant bits for simlock) 0x19C-0x1A3 IMEI 0x1A4-0x1B7 Hash of several hardware IDs (IMEI, NORID, CHIPID) 0x1B8-... Table of "policies" (netlock)
Attached to the decrypted ticket is a certificate (0x80 byte) signed with the RSA key 3 at 0x010.
Policy Table Layout
0x0 Total length of the policy table in bytes <Policy Item>
An item is 12 byte in size and has this structure:
0x0-0x2 ID 0x2-0x4 type? 0x4-0xC IMSI mask
Each nibble of a mask corresponds to a number - the wildcard is encoded as 0xE.
AT&T USA
IMSI Mask 310150????????? 310170????????? 310410????????? 311180????????? 310980?????????
This is an iPhone 3GS from AT&T.
T-Mobile Germany
IMSI Mask 26201?????????? 26201?????????? 26201??????????
This is an iPhone 3G from T-Mobile Germany.
Factory Unlocked Device
IMSI Mask ???????????????
Obligatory.