Difference between revisions of "Activation Token"
m |
GeoSn0wOLD (talk | contribs) m (→Key: ActivationInfoXML: Corrected the misspelled word "problem") |
||
(24 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
+ | ==Layout of Activation Token== |
||
− | [[iTunes]] gets a couple things from the phone: the [[DeviceID]], the [[CHIPID]], the [[wikipedia:IMEI|IMEI]], the [[Wikipedia:ICCID|ICCID]], the [[Wikipedia:IMSI|IMSI]], the phone number (!), and a few other things. This is called the "activation token" and is unique to every iPhone. This token is then sent to the Apple server (alfred.apple.com) via [[Wikipedia:Transport Layer Security|SSL]]. The server appends the [[WildcardTicket]] to the token, signs the token with Apple's private key and transmits it back to [[iTunes]]. [[iTunes]] then calls [[AMDeviceActivate]] with this signed token. The device gets the token and checks whether or not the signature matches the token. If it does and if the baseband is able to log in to a GSM network, the device is activated. A patched [[lockdownd]] circumvents these checks rather then to provide a valid token. |
||
+ | This is the [[wikipedia:Core Foundation|CFDictionary]] string representation which gets sent to Apple's server.The object can be obtained by using the [[MobileDevice Library]], AMDeviceCopyValue function with the "ActivationInfo" value. |
||
+ | It is generated by [[lockdownd]]. Upon generation it stores ActivationRandomness in data ark and later checks it, thus only the last generated token it valid. SHA1 is generated in lockdown and then it makes a request to [[fairplayd]] to complete signature process and obtain certificate chain. |
||
− | ==Layout Activation Token== |
||
− | |||
− | <?xml version="1.0" encoding="UTF-8"?> |
||
− | <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
||
− | <plist version="1.0"> |
||
<dict> |
<dict> |
||
<key>ActivationInfoComplete</key> |
<key>ActivationInfoComplete</key> |
||
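Review bot: The added lockdownd paragraph has two typos: "Apple's server.The object" needs a space after the full stop, and "only the last generated token it valid" should read "is valid". The same edit deletes the old paragraph's account of the round trip (the server signs the token, iTunes calls AMDeviceActivate, the device checks the signature) without replacing it, so consider keeping a one-paragraph summary of that flow next to the new layout description.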
Line 15: | Line 12: | ||
<key>FairPlayCertChain</key> |
<key>FairPlayCertChain</key> |
||
<data> |
<data> |
||
− | (base64-encoded |
+ | (base64-encoded RSA certificate chain including root CA in DER format) |
+ | </data> |
||
+ | <key>FairPlaySignature</key> |
||
+ | <data> |
||
+ | (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate) |
||
</data> |
</data> |
||
</dict> |
</dict> |
||
+ | ===Key: ActivationInfoXML=== |
||
− | ==Layout ActivationInfo== |
||
+ | The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below |
||
+ | |||
<?xml version="1.0" encoding="UTF-8"?> |
<?xml version="1.0" encoding="UTF-8"?> |
||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
||
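Review bot: The new FairPlaySignature description says the signature is "validated using FairPlayCertChain certificate", while FairPlayCertChain is described as a chain "including root CA"; the text should say which certificate in the chain verifies the signature and what the chain itself is checked against, since a root carried inside the token cannot serve as its own trust anchor. The added sentence ending "represents the plist file below" also needs closing punctuation.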
Line 25: | Line 28: | ||
<dict> |
<dict> |
||
<key>ActivationRandomness</key> |
<key>ActivationRandomness</key> |
||
− | <string> |
+ | <string>(GUID)</string> |
<key>ActivationRequiresActivationTicket</key> |
<key>ActivationRequiresActivationTicket</key> |
||
<true/> |
<true/> |
||
<key>ActivationState</key> |
<key>ActivationState</key> |
||
− | <string> |
+ | <string>Unactivated</string> |
<key>BasebandMasterKeyHash</key> |
<key>BasebandMasterKeyHash</key> |
||
− | <string>( |
+ | <string>(Hash of hardware IDs)<string> |
− | <key>BasebandThumbprint</key> |
+ | <key>[[Baseband TEA Keys#Hardware Thumbprint Generation|BasebandThumbprint]]</key> |
− | <string>(TEA key)string> |
+ | <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)<string> |
<key>BuildVersion</key> |
<key>BuildVersion</key> |
||
<string>8A306</string> |
<string>8A306</string> |
||
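Review bot: Both new value lines for BasebandMasterKeyHash and BasebandThumbprint end with an opening tag, "(Hash of hardware IDs)<string>", where a closing "</string>" is needed. The removed line had a broken "string>" as well, so this is the moment to fix the closing tag on both lines and leave the sample plist well-formed.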
Line 41: | Line 44: | ||
</data> |
</data> |
||
<key>DeviceClass</key> |
<key>DeviceClass</key> |
||
− | <string>iPhone</string> |
+ | <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string> |
<key>IntegratedCircuitCardIdentity</key> |
<key>IntegratedCircuitCardIdentity</key> |
||
− | <string> |
+ | <string>(ICCID as base-10 string)</string> |
<key>InternationalMobileEquipmentIdentity</key> |
<key>InternationalMobileEquipmentIdentity</key> |
||
− | <string> |
+ | <string>(IMEI as base-10 string)</string> |
<key>InternationalMobileSubscriberIdentity</key> |
<key>InternationalMobileSubscriberIdentity</key> |
||
− | <string> |
+ | <string>(IMSI as base-10 string)</string> |
<key>ModelNumber</key> |
<key>ModelNumber</key> |
||
<string>MC135</string> |
<string>MC135</string> |
||
<key>PhoneNumber</key> |
<key>PhoneNumber</key> |
||
− | <string> |
+ | <string>(String like "+1 (555) 555-5555")</string> |
<key>ProductType</key> |
<key>ProductType</key> |
||
<string>iPhone2,1</string> |
<string>iPhone2,1</string> |
||
<key>ProductVersion</key> |
<key>ProductVersion</key> |
||
<string>4.0.1</string> |
<string>4.0.1</string> |
||
+ | <string>SIMGID1</string> |
||
+ | <data> |
||
+ | (base64-encoded binary GID1) |
||
+ | </data> |
||
+ | <string>SIMGID2</string> |
||
+ | <data> |
||
+ | (base64-encoded binary GID2) |
||
+ | </data> |
||
<key>SIMStatus</key> |
<key>SIMStatus</key> |
||
− | <string>kCTSIMSupportSIMStatusReady</string> |
+ | <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string> |
<key>SerialNumber</key> |
<key>SerialNumber</key> |
||
<string>...</string> |
<string>...</string> |
||
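Review bot: The added SIMGID1 and SIMGID2 entries are written as "<string>SIMGID1</string>" and "<string>SIMGID2</string>" followed by a <data> value; inside a plist <dict> the name must be a <key> element, otherwise the dictionary is malformed right after the ProductVersion value. Change both to "<key>SIMGID1</key>" and "<key>SIMGID2</key>".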
Line 65: | Line 76: | ||
<integer>...</integer> |
<integer>...</integer> |
||
<key>UniqueDeviceID</key> |
<key>UniqueDeviceID</key> |
||
− | <string> |
+ | <string>(hex UUID)</string> |
</dict> |
</dict> |
||
</plist> |
</plist> |
||
+ | SIMGIDs and PhoneNumber are present only if installed SIM has them and it was read correctly. |
||
+ | |||
+ | If ActivationState is not Unactivated or token signature is not correct, Apple server will respond with message "there's problem with your device". |
||
+ | |||
+ | ==Activation Protocol== |
||
+ | Use SSL and send the request below with the values |
||
+ | POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1 |
||
+ | Accept-Encoding: gzip |
||
+ | Accept-Language: en-us, en;q=0.50 |
||
+ | Content-Type: multipart/form-data; boundary=DeviceActivation |
||
+ | Content-Length: 1234 |
||
+ | Host: albert.apple.com |
||
+ | Cache-Control: no-cache |
||
+ | |||
+ | --DeviceActivation |
||
+ | Content-Disposition: form-data; name="activation-info" |
||
+ | |||
+ | <dict> |
||
+ | <key>ActivationInfoComplete</key> |
||
+ | <true/> |
||
+ | <key>ActivationInfoXML</key> |
||
+ | <data> |
||
+ | (base64-encoded activation info here) |
||
+ | </data> |
||
+ | <key>FairPlayCertChain</key> |
||
+ | <data> |
||
+ | (base64-encoded cert in DER format) |
||
+ | </data> |
||
+ | <key>FairPlaySignature</key> |
||
+ | <data> |
||
+ | (base64-encoded signature (SHA1+RSA) of ActivationInfoXML) |
||
+ | </data> |
||
+ | </dict> |
||
==Resources== |
==Resources== |
||
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate] |
* [[User:posixninja|posixninja]]'s [http://github.com/posixninja/ideviceactivate iDeviceActivate] |
||
+ | * [[User:sn0wra1n|iSn0wra1n]]'s [http://github.com/iSn0wra1n/iActivator iActivator v2 for Windows] |
||
[[Category:Baseband]] |
[[Category:Baseband]] |
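Review bot: The multipart body in the new Activation Protocol section opens with "--DeviceActivation" but is never terminated with the closing "--DeviceActivation--" delimiter, and "Content-Length: 1234" is a placeholder that is not marked as one. The lead-in "Use SSL and send the request below with the values" also stops mid-sentence, and the request names albert.apple.com as Host while the paragraph removed at the top of this diff named alfred.apple.com, so a short note on which host is correct would help readers.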
Latest revision as of 16:36, 18 November 2015
Layout of Activation Token
This is the CFDictionary string representation which gets sent to Apple's server. The object can be obtained through the MobileDevice Library by calling the AMDeviceCopyValue function with the "ActivationInfo" value.
It is generated by lockdownd. Upon generation, lockdownd stores ActivationRandomness in the data ark and checks it later, so only the last generated token is valid. The SHA1 is generated in lockdownd, which then makes a request to fairplayd to complete the signature process and obtain the certificate chain.
<dict>
    <key>ActivationInfoComplete</key>
    <true/>
    <key>ActivationInfoXML</key>
    <data>
    (base64-encoded activation info here)
    </data>
    <key>FairPlayCertChain</key>
    <data>
    (base64-encoded RSA certificate chain including root CA in DER format)
    </data>
    <key>FairPlaySignature</key>
    <data>
    (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate)
    </data>
</dict>
Key: ActivationInfoXML
The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ActivationRandomness</key>
    <string>(GUID)</string>
    <key>ActivationRequiresActivationTicket</key>
    <true/>
    <key>ActivationState</key>
    <string>Unactivated</string>
    <key>BasebandMasterKeyHash</key>
    <string>(Hash of hardware IDs)</string>
    <key>BasebandThumbprint</key>
    <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)</string>
    <key>BuildVersion</key>
    <string>8A306</string>
    <key>DeviceCertRequest</key>
    <data>
    (base64 encoded cert)
    </data>
    <key>DeviceClass</key>
    <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string>
    <key>IntegratedCircuitCardIdentity</key>
    <string>(ICCID as base-10 string)</string>
    <key>InternationalMobileEquipmentIdentity</key>
    <string>(IMEI as base-10 string)</string>
    <key>InternationalMobileSubscriberIdentity</key>
    <string>(IMSI as base-10 string)</string>
    <key>ModelNumber</key>
    <string>MC135</string>
    <key>PhoneNumber</key>
    <string>(String like "+1 (555) 555-5555")</string>
    <key>ProductType</key>
    <string>iPhone2,1</string>
    <key>ProductVersion</key>
    <string>4.0.1</string>
    <key>SIMGID1</key>
    <data>
    (base64-encoded binary GID1)
    </data>
    <key>SIMGID2</key>
    <data>
    (base64-encoded binary GID2)
    </data>
    <key>SIMStatus</key>
    <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string>
    <key>SerialNumber</key>
    <string>...</string>
    <key>SupportsPostponement</key>
    <true/>
    <key>UniqueChipID</key>
    <integer>...</integer>
    <key>UniqueDeviceID</key>
    <string>(hex UUID)</string>
</dict>
</plist>
SIMGIDs and PhoneNumber are present only if the installed SIM has them and they were read correctly.
If ActivationState is not Unactivated or the token signature is not correct, Apple's server will respond with the message "there's problem with your device".
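The two-level layout described above (an outer dict whose ActivationInfoXML data value is itself a plist) can be unpacked with a standard plist parser, for example to check a captured token or to redact its identifiers before it is written to a log. This is an added example, not code from the original wiki page or from the tools it links to. The function names, the identifier list and the sample values are constructed for illustration, and it assumes the signed bytes are exactly the base64-decoded ActivationInfoXML.

```python
import hashlib
import plistlib

# Keys from the ActivationInfoXML layout that identify a device or subscriber.
IDENTIFIERS = ("InternationalMobileEquipmentIdentity", "IntegratedCircuitCardIdentity",
               "InternationalMobileSubscriberIdentity", "PhoneNumber",
               "SerialNumber", "UniqueDeviceID")
OPTIONAL = ("PhoneNumber", "SIMGID1", "SIMGID2")  # present only if the SIM has them


def load_plist(raw: bytes) -> dict:
    """Parse an XML plist; the outer token is shown as a bare <dict>, so wrap it if needed."""
    raw = raw.strip()
    if not raw.startswith((b"<?xml", b"<plist")):
        raw = b'<plist version="1.0">' + raw + b"</plist>"
    return plistlib.loads(raw, fmt=plistlib.FMT_XML)


def inspect_token(token_xml: bytes) -> dict:
    """Decode the outer token and the nested ActivationInfoXML plist and summarise them."""
    outer = load_plist(token_xml)
    for key in ("ActivationInfoXML", "FairPlayCertChain", "FairPlaySignature"):
        if not isinstance(outer.get(key), bytes):
            raise ValueError(f"token has no <data> value for {key}")
    inner_xml = outer["ActivationInfoXML"]  # plistlib has already base64-decoded it
    inner = load_plist(inner_xml)
    return {
        "complete": outer.get("ActivationInfoComplete") is True,
        "state": inner.get("ActivationState"),
        # Assumption: the SHA1+RSA signature covers exactly these decoded bytes.
        "sha1": hashlib.sha1(inner_xml).hexdigest(),
        "identifiers": [k for k in IDENTIFIERS if k in inner],
        "optional_missing": [k for k in OPTIONAL if k not in inner],
        "redacted": {k: "<redacted>" if k in IDENTIFIERS else v for k, v in inner.items()},
    }


def build_sample_token() -> bytes:
    """Constructed sample, fake values, cut to the bare <dict> form: GID1 only, no GID2 or number."""
    inner = plistlib.dumps({
        "ActivationState": "Unactivated", "ProductType": "iPhone2,1",
        "InternationalMobileEquipmentIdentity": "000000000000000",
        "SerialNumber": "EXAMPLE00000", "SIMGID1": b"\xff",
    })
    outer = plistlib.dumps({
        "ActivationInfoComplete": True, "ActivationInfoXML": inner,
        "FairPlayCertChain": b"placeholder", "FairPlaySignature": b"placeholder",
    })
    return outer[outer.index(b"<dict>"):outer.rindex(b"</dict>") + len(b"</dict>")]
```

Calling `inspect_token(build_sample_token())` returns the summary for the constructed token; a token missing any of the three data values is rejected with `ValueError` before the inner plist is parsed.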
Activation Protocol
Use SSL and send the request below with the values:
POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1
Accept-Encoding: gzip
Accept-Language: en-us, en;q=0.50
Content-Type: multipart/form-data; boundary=DeviceActivation
Content-Length: 1234
Host: albert.apple.com
Cache-Control: no-cache

--DeviceActivation
Content-Disposition: form-data; name="activation-info"

<dict>
    <key>ActivationInfoComplete</key>
    <true/>
    <key>ActivationInfoXML</key>
    <data>
    (base64-encoded activation info here)
    </data>
    <key>FairPlayCertChain</key>
    <data>
    (base64-encoded cert in DER format)
    </data>
    <key>FairPlaySignature</key>
    <data>
    (base64-encoded signature (SHA1+RSA) of ActivationInfoXML)
    </data>
</dict>