Difference between revisions of "Activation Token"

From The iPhone Wiki
Jump to: navigation, search
(links)
m (Key: ActivationInfoXML: Corrected the misspelled word "problem")
 
(30 intermediate revisions by 7 users not shown)
Line 1: Line 1:
  +
==Layout of Activation Token==
[[iTunes]] gets three things from the phone, the [[DeviceID]], the [[wikipedia:IMEI|IMEI]], and the [[Wikipedia:ICCID|ICCID]]. This is called the token and is unique to every iPhone. This token is then sent to the Apple server (alfred.apple.com) via [[Wikipedia:Transport Layer Security|SSL]]. Apple uses their private key to sign the token and transmits it back to [[iTunes]]. [[iTunes]] then calls [[AMDeviceActivate]] with this signed token. The device gets the token and checks whether or not the signature matches the token. If it does, the device is activated. A patched [[lockdownd]] circumvents these checks rather then to provide a valid token. (To create a valid token someone needed Apple's private key.)
 
  +
This is the [[wikipedia:Core Foundation|CFDictionary]] string representation which gets sent to Apple's server.The object can be obtained by using the [[MobileDevice Library]], AMDeviceCopyValue function with the "ActivationInfo" value.
   
  +
It is generated by [[lockdownd]]. Upon generation it stores ActivationRandomness in data ark and later checks it, thus only the last generated token it valid. SHA1 is generated in lockdown and then it makes a request to [[fairplayd]] to complete signature process and obtain certificate chain.
{
 
  +
<dict>
"UniqueDeviceID" = "aabbccdd......";
 
  +
<key>ActivationInfoComplete</key>
"InternationalMobileEquipmentIdentity" = "1234....";
 
  +
<true/>
"IntegratedCircuitCardIdentity" = "1234...";
 
  +
<key>ActivationInfoXML</key>
}
 
  +
<data>
  +
(base64-encoded activation info here)
  +
</data>
  +
<key>FairPlayCertChain</key>
  +
<data>
  +
(base64-encoded RSA certificate chain including root CA in DER format)
  +
</data>
  +
<key>FairPlaySignature</key>
  +
<data>
  +
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate)
  +
</data>
  +
</dict>
   
  +
===Key: ActivationInfoXML===
For the first generation iPhones, the [[NCK]] field has been added. For later generation models, the [[WildcardTicket]] field is used for activating the baseband with [[AT+XLCK]].
 
  +
The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below
  +
  +
<?xml version="1.0" encoding="UTF-8"?>
  +
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  +
<plist version="1.0">
  +
<dict>
  +
<key>ActivationRandomness</key>
  +
<string>(GUID)</string>
  +
<key>ActivationRequiresActivationTicket</key>
  +
<true/>
  +
<key>ActivationState</key>
  +
<string>Unactivated</string>
  +
<key>BasebandMasterKeyHash</key>
  +
<string>(Hash of hardware IDs)<string>
  +
<key>[[Baseband TEA Keys#Hardware Thumbprint Generation|BasebandThumbprint]]</key>
  +
<string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)<string>
  +
<key>BuildVersion</key>
  +
<string>8A306</string>
  +
<key>DeviceCertRequest</key>
  +
<data>
  +
(base64 encoded cert)
  +
</data>
  +
<key>DeviceClass</key>
  +
<string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string>
  +
<key>IntegratedCircuitCardIdentity</key>
  +
<string>(ICCID as base-10 string)</string>
  +
<key>InternationalMobileEquipmentIdentity</key>
  +
<string>(IMEI as base-10 string)</string>
  +
<key>InternationalMobileSubscriberIdentity</key>
  +
<string>(IMSI as base-10 string)</string>
  +
<key>ModelNumber</key>
  +
<string>MC135</string>
  +
<key>PhoneNumber</key>
  +
<string>(String like "+1 (555) 555-5555")</string>
  +
<key>ProductType</key>
  +
<string>iPhone2,1</string>
  +
<key>ProductVersion</key>
  +
<string>4.0.1</string>
  +
<string>SIMGID1</string>
  +
<data>
  +
(base64-encoded binary GID1)
  +
</data>
  +
<string>SIMGID2</string>
  +
<data>
  +
(base64-encoded binary GID2)
  +
</data>
  +
<key>SIMStatus</key>
  +
<string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string>
  +
<key>SerialNumber</key>
  +
<string>...</string>
  +
<key>SupportsPostponement</key>
  +
<true/>
  +
<key>UniqueChipID</key>
  +
<integer>...</integer>
  +
<key>UniqueDeviceID</key>
  +
<string>(hex UUID)</string>
  +
</dict>
  +
</plist>
  +
  +
SIMGIDs and PhoneNumber are present only if installed SIM has them and it was read correctly.
  +
  +
If ActivationState is not Unactivated or token signature is not correct, Apple server will respond with message "there's problem with your device".
  +
  +
==Activation Protocol==
  +
Use SSL and send the request below with the values
  +
POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1
  +
Accept-Encoding: gzip
  +
Accept-Language: en-us, en;q=0.50
  +
Content-Type: multipart/form-data; boundary=DeviceActivation
  +
Content-Length: 1234
  +
Host: albert.apple.com
  +
Cache-Control: no-cache
  +
  +
--DeviceActivation
  +
Content-Disposition: form-data; name="activation-info"
  +
  +
<dict>
  +
<key>ActivationInfoComplete</key>
  +
<true/>
  +
<key>ActivationInfoXML</key>
  +
<data>
  +
(base64-encoded activation info here)
  +
</data>
  +
<key>FairPlayCertChain</key>
  +
<data>
  +
(base64-encoded cert in DER format)
  +
</data>
  +
<key>FairPlaySignature</key>
  +
<data>
  +
(base64-encoded signature (SHA1+RSA) of ActivationInfoXML)
  +
</data>
  +
</dict>
  +
  +
==Resources==
  +
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate]
  +
* [[User:sn0wra1n|iSn0wra1n]]'s [http://github.com/iSn0wra1n/iActivator iActivator v2 for Windows]
   
 
[[Category:Baseband]]
 
[[Category:Baseband]]

Latest revision as of 16:36, 18 November 2015

Layout of Activation Token

This is the CFDictionary string representation which gets sent to Apple's server.The object can be obtained by using the MobileDevice Library, AMDeviceCopyValue function with the "ActivationInfo" value.

It is generated by lockdownd. Upon generation it stores ActivationRandomness in data ark and later checks it, thus only the last generated token it valid. SHA1 is generated in lockdown and then it makes a request to fairplayd to complete signature process and obtain certificate chain.

 <dict>
       <key>ActivationInfoComplete</key>
       <true/>
       <key>ActivationInfoXML</key>
       
       (base64-encoded activation info here)
       
       <key>FairPlayCertChain</key>
       
       (base64-encoded RSA certificate chain including root CA in DER format)
       
       <key>FairPlaySignature</key>
       
       (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate)
       
 </dict>

Key: ActivationInfoXML

The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
       <key>ActivationRandomness</key>
       <string>(GUID)</string>
       <key>ActivationRequiresActivationTicket</key>
       <true/>
       <key>ActivationState</key>
       <string>Unactivated</string>
       <key>BasebandMasterKeyHash</key>
       <string>(Hash of hardware IDs)<string>
       <key>BasebandThumbprint</key>
       <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)<string>
       <key>BuildVersion</key>
       <string>8A306</string>
       <key>DeviceCertRequest</key>
       
       (base64 encoded cert)
       
       <key>DeviceClass</key>
       <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string>
       <key>IntegratedCircuitCardIdentity</key>
       <string>(ICCID as base-10 string)</string>
       <key>InternationalMobileEquipmentIdentity</key>
       <string>(IMEI as base-10 string)</string>
       <key>InternationalMobileSubscriberIdentity</key>
       <string>(IMSI as base-10 string)</string>
       <key>ModelNumber</key>
       <string>MC135</string>
       <key>PhoneNumber</key>
       <string>(String like "+1 (555) 555-5555")</string>
       <key>ProductType</key>
       <string>iPhone2,1</string>
       <key>ProductVersion</key>
       <string>4.0.1</string>
       <string>SIMGID1</string>
       
       (base64-encoded binary GID1)
       
       <string>SIMGID2</string>
       
       (base64-encoded binary GID2)
       
       <key>SIMStatus</key>
       <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string>
       <key>SerialNumber</key>
       <string>...</string>
       <key>SupportsPostponement</key>
       <true/>
       <key>UniqueChipID</key>
       <integer>...</integer>
       <key>UniqueDeviceID</key>
       <string>(hex UUID)</string>
 </dict>
 </plist>

SIMGIDs and PhoneNumber are present only if installed SIM has them and it was read correctly.

If ActivationState is not Unactivated or token signature is not correct, Apple server will respond with message "there's problem with your device".

Activation Protocol

Use SSL and send the request below with the values

POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1
Accept-Encoding: gzip
Accept-Language: en-us, en;q=0.50
Content-Type: multipart/form-data; boundary=DeviceActivation
Content-Length: 1234
Host: albert.apple.com
Cache-Control: no-cache

--DeviceActivation
Content-Disposition: form-data; name="activation-info"

<dict>
       <key>ActivationInfoComplete</key>
       <true/>
       <key>ActivationInfoXML</key>
       
       (base64-encoded activation info here)
       
       <key>FairPlayCertChain</key>
       
       (base64-encoded cert in DER format)
       
       <key>FairPlaySignature</key>
       
       (base64-encoded signature (SHA1+RSA) of ActivationInfoXML)
       
 </dict>

Resources