The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
ECID
The ECID (possibly standing for Exclusive Chip ID or Electronic Chip ID) is an identifier unique to every unit.
It is 64 bits wide, with the first ~20 bits usually set to zero (looks like 00000XXXXXXXXXXX in hex).
It holds a key position in the SHSH Protocol, being the element that limits each APTicket to a single specific device.
Note: Some tools show it in decimal format while others do it in hexadecimal.
Contents
Getting the ECID
Via third-party software
On-device
The UDID Calculator application from Cydia displays (among other things) the ECID of your device (shown in decimal).
Via USB
- Install libimobiledevice.
- Connect your device over USB.
- Run
ideviceinfo | grep UniqueChipID
command. - There should be exactly one line, reading
UniqueChipID
followed by your ECID (in decimal).
Via Recovery Mode or DFU Mode
Mac Instructions
- Put your device in Recovery Mode or DFU Mode.
- Open System Profiler. (in /Applications/Utilities/).
- In the sidebar, go to "USB" (in the "Hardware" section).
- Under "Serial Number", there should be a part called "ECID". There you go.
Windows Instructions
- Put your device in Recovery Mode or DFU Mode.
- Open Device Manager and right click on Apple Mobile Device (Recovery or DFU Mode) for properties.
- Click on the details tab.
- Click on the dropdown box and select Device Instance Path.
- You should find it in the textbox.
Extracting from an SHSH
Img3
There are 19 blobs in an SHSH, and the first line of every blob is the same as below:
RElDRUAAAAAIAAAA********AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The * part is the ECID(Dec) encrypted by a certain formula which is
a.Transform ECID(Dec) into ECID(Hex) such as 58608372174291 ---> 35 4D D3 34 4D D3
b.Reverse the ECID(Hex) string such as 35 4D D3 34 4D D3 ---> D3 4D 34 D3 4D 35
c.Transform the string we have got into binary such as D3 4D 34 D3 4D 35 ---> ÓM4ÓM5
d.Encode the binary with base64 such as ÓM4ÓM5 ---> 00000001
Use this formula backward (d. to a.) we can extract the * part into ECID(Dec).
Img4
First, get your apticket.der. There are two options:
- Copy it from your device in
/System/Library/Caches/apticket.der
. - Extract it from an SHSH file, e.g. using
plutil -extract ApImg4Ticket xml1 -o - *.shsh | xmllint -xpath '/plist/data/text()' - | base64 -D > apticket.der;
.
Now you can use any old ASN.1 parser to display the file, such as openssl asn1parse -i -inform DER -in apticket.der
.
To get only the ECID part, use openssl asn1parse -inform DER -in apticket.der | grep -A1 ECID
. It should show on the second line after the colon (in hexadecimal, possibly with a leading zero).
Developer Instructions
On OSX, call AMDeviceCopyValue
in the MobileDevice Framework with "UniqueChipID". It returns the ECID as a CFNumberRef(kCFNumberSInt64Type)
object.
Example implementation (all safeties removed, will probably crash if connection fails), compile with clang -F/System/Library/PrivateFrameworks -framework MobileDevice -framework CoreFoundation
:
// Please ping @s1guza on Twitter if this file stops compiling/working #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <CoreFoundation/CoreFoundation.h> // Cheap aliases to make things compile without headers typedef void am_device; typedef void am_device_notification; typedef void* am_device_notification_callback_info; extern void AMDeviceNotificationSubscribe(void(*callback)(am_device_notification_callback_info *info, void *arg), int unused1, int unused2, void *unknown, am_device_notification** notification); extern void AMDeviceConnect(am_device *device); extern void AMDeviceStartSession(am_device *device); extern void* AMDeviceCopyValue(am_device *device, int unknown, CFStringRef value); void cb(am_device_notification_callback_info *info, void *arg) { uint64_t ecid; am_device *dev = *info; /* info->dev */ CFRetain(dev); AMDeviceConnect(dev); AMDeviceStartSession(dev); CFNumberRef ecidRef = AMDeviceCopyValue(dev, 0, CFSTR("UniqueChipID")); CFNumberGetValue(ecidRef, kCFNumberSInt64Type, &ecid); printf("ECID: %llX\n", ecid); CFRelease(dev); exit(0); } int main() { uint32_t buf[5]; am_device_notification *notification = (am_device_notification*)buf; AMDeviceNotificationSubscribe(&cb, 0, 0, NULL, ¬ification); CFRunLoopRun(); return 0; }