The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Activation Token
Revision as of 03:06, 19 March 2011 by Whiteshinyapple (talk | contribs)
Contents
Layout ActivationInfo
This is the plist file which gets sent to Apple's server
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>ActivationInfoComplete</key> <true/> <key>ActivationInfoXML</key> (base64-encoded activation info here) <key>FairPlayCertChain</key> (base64-encoded cert in DER format) <key>FairPlaySignature</key> (base64-encoded signature (SHA1+RSA) of ActivationInfoXML) </dict>
Key: ActivationInfoXML
The ActivationInfo plist file above has a key called ActivationInfoXML. The base64 data value of that key represents the plist file below
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>ActivationRandomness</key> <string>(GUID)</string> <key>ActivationRequiresActivationTicket</key> <true/> <key>ActivationState</key> <string>Unactivated</string> <key>BasebandMasterKeyHash</key> <string>(Hash of hardware IDs)<string> <key>BasebandThumbprint</key> <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)<string> <key>BuildVersion</key> <string>8A306</string> <key>DeviceCertRequest</key> (base64 encoded cert) <key>DeviceClass</key> <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string> <key>IntegratedCircuitCardIdentity</key> <string>(ICCID as base-10 string)</string> <key>InternationalMobileEquipmentIdentity</key> <string>(IMEI as base-10 string)</string> <key>InternationalMobileSubscriberIdentity</key> <string>(IMSI as base-10 string)</string> <key>ModelNumber</key> <string>MC135</string> <key>PhoneNumber</key> <string>(String like "+1 (555) 555-5555")</string> <key>ProductType</key> <string>iPhone2,1</string> <key>ProductVersion</key> <string>4.0.1</string> <string>SIMGID1</string> (base64-encoded binary GID1) <string>SIMGID2</string> (base64-encoded binary GID2) <key>SIMStatus</key> <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string> <key>SerialNumber</key> <string>...</string> <key>SupportsPostponement</key> <true/> <key>UniqueChipID</key> <integer>...</integer> <key>UniqueDeviceID</key> <string>(hex UUID)</string> </dict> </plist>
Spoofing the Activation Server using python
Here's a python script to spoof it:
import httplib,urllib import time ai=open("a.plist",'r') aidata=ai.read() conn = httplib.HTTPSConnection("albert.apple.com") headers = {"Content-type": "application/x-www-form-urlencoded", "User-Agent": 'iTunes/7.6 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96}'} params = urllib.urlencode({ 'activation-info': aidata }) conn.request('POST', '/WebObjects/ALActivation.woa/wa/deviceActivation',params,headers) response = conn.getresponse() resdata=response.read() f=open("arsp.xml",'w') f.write(resdata) #time.sleep(1)