Difference between revisions of "Activation Token"

Layout Activation Token

This is the plist file which gets sent to Apple's server.It can be obtained by using the MobileDevice Library, AMDeviceCopyValue function with the "ActivationInfo" value

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
       <key>ActivationInfoComplete</key>
       <true/>
       <key>ActivationInfoXML</key>
       
       (base64-encoded activation info here)
       
       <key>FairPlayCertChain</key>
       
       (base64-encoded cert in DER format)
       
       <key>FairPlaySignature</key>
       
       (base64-encoded signature (SHA1+RSA) of ActivationInfoXML)
       
 </dict>

Key: ActivationInfoXML

The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
       <key>ActivationRandomness</key>
       <string>(GUID)</string>
       <key>ActivationRequiresActivationTicket</key>
       <true/>
       <key>ActivationState</key>
       <string>Unactivated</string>
       <key>BasebandMasterKeyHash</key>
       <string>(Hash of hardware IDs)<string>
       <key>BasebandThumbprint</key>
       <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)<string>
       <key>BuildVersion</key>
       <string>8A306</string>
       <key>DeviceCertRequest</key>
       
       (base64 encoded cert)
       
       <key>DeviceClass</key>
       <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string>
       <key>IntegratedCircuitCardIdentity</key>
       <string>(ICCID as base-10 string)</string>
       <key>InternationalMobileEquipmentIdentity</key>
       <string>(IMEI as base-10 string)</string>
       <key>InternationalMobileSubscriberIdentity</key>
       <string>(IMSI as base-10 string)</string>
       <key>ModelNumber</key>
       <string>MC135</string>
       <key>PhoneNumber</key>
       <string>(String like "+1 (555) 555-5555")</string>
       <key>ProductType</key>
       <string>iPhone2,1</string>
       <key>ProductVersion</key>
       <string>4.0.1</string>
       <string>SIMGID1</string>
       
       (base64-encoded binary GID1)
       
       <string>SIMGID2</string>
       
       (base64-encoded binary GID2)
       
       <key>SIMStatus</key>
       <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string>
       <key>SerialNumber</key>
       <string>...</string>
       <key>SupportsPostponement</key>
       <true/>
       <key>UniqueChipID</key>
       <integer>...</integer>
       <key>UniqueDeviceID</key>
       <string>(hex UUID)</string>
 </dict>
 </plist>

Spoofing the Activation Server using python

Here's a python script to spoof it:

import httplib,urllib
import time
ai=open("a.plist",'r')
aidata=ai.read()
conn = httplib.HTTPSConnection("albert.apple.com")
headers = {"Content-type": "application/x-www-form-urlencoded", "User-Agent": 'iTunes/7.6 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96}'}
params = urllib.urlencode({
	'activation-info': aidata
	})
conn.request('POST', '/WebObjects/ALActivation.woa/wa/deviceActivation',params,headers)
response = conn.getresponse()
resdata=response.read()
f=open("arsp.xml",'w')
f.write(resdata)
#time.sleep(1)

Resources

• posixninja's iDeviceActivate