Difference between revisions of "Activation Token"

From The iPhone Wiki
m (Key: ActivationInfoXML: Corrected the misspelled word "problem")
 
(10 intermediate revisions by 3 users not shown)
The diff between these revisions renames the "Layout ActivationInfo" section to "Layout of Activation Token" and adds the "Activation Protocol" section (both shown in the latest revision below), and removes the following section from the previous revision:

==Spoofing the Activation Server using python==
Here's a python script to spoof it:

 # Python 2: posts the ActivationInfo dictionary saved in a.plist to Apple's
 # activation endpoint and stores the response plist in arsp.xml.
 import httplib, urllib
 import time
 
 with open("a.plist", 'r') as ai:
     aidata = ai.read()
 
 conn = httplib.HTTPSConnection("albert.apple.com")
 headers = {"Content-type": "application/x-www-form-urlencoded",
            "User-Agent": 'iTunes/7.6 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96'}
 params = urllib.urlencode({'activation-info': aidata})
 conn.request('POST', '/WebObjects/ALActivation.woa/wa/deviceActivation', params, headers)
 response = conn.getresponse()
 resdata = response.read()
 
 with open("arsp.xml", 'w') as f:
     f.write(resdata)
 #time.sleep(1)
Latest revision as of 16:36, 18 November 2015

Layout of Activation Token

This is the CFDictionary string representation which gets sent to Apple's server. The object can be obtained through the MobileDevice Library by calling the AMDeviceCopyValue function with the "ActivationInfo" key.

It is generated by lockdownd. Upon generation lockdownd stores the ActivationRandomness value in the data ark and later checks it, so only the most recently generated token is valid. The SHA1 digest is computed in lockdownd, which then makes a request to fairplayd to complete the signature process and obtain the certificate chain.

 <dict>
       <key>ActivationInfoComplete</key>
       <true/>
       <key>ActivationInfoXML</key>
       <data>
       (base64-encoded activation info here)
       </data>
       <key>FairPlayCertChain</key>
       <data>
       (base64-encoded RSA certificate chain including root CA in DER format)
       </data>
       <key>FairPlaySignature</key>
       <data>
       (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate)
       </data>
 </dict>

Key: ActivationInfoXML

The ActivationInfo plist above has a key called ActivationInfoXML. The base64 data value of that key is the plist file below.

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
       <key>ActivationRandomness</key>
       <string>(GUID)</string>
       <key>ActivationRequiresActivationTicket</key>
       <true/>
       <key>ActivationState</key>
       <string>Unactivated</string>
       <key>BasebandMasterKeyHash</key>
       <string>(Hash of hardware IDs)</string>
       <key>BasebandThumbprint</key>
       <string>(Hash of hardware IDs not directly used as a key - the TEA key can be derived from this)</string>
       <key>BuildVersion</key>
       <string>8A306</string>
       <key>DeviceCertRequest</key>
       <data>
       (base64 encoded cert)
       </data>
       <key>DeviceClass</key>
       <string>(String ENUM "iPhone", "iPod", "iPod touch", "iPad")</string>
       <key>IntegratedCircuitCardIdentity</key>
       <string>(ICCID as base-10 string)</string>
       <key>InternationalMobileEquipmentIdentity</key>
       <string>(IMEI as base-10 string)</string>
       <key>InternationalMobileSubscriberIdentity</key>
       <string>(IMSI as base-10 string)</string>
       <key>ModelNumber</key>
       <string>MC135</string>
       <key>PhoneNumber</key>
       <string>(String like "+1 (555) 555-5555")</string>
       <key>ProductType</key>
       <string>iPhone2,1</string>
       <key>ProductVersion</key>
       <string>4.0.1</string>
       <key>SIMGID1</key>
       <data>
       (base64-encoded binary GID1)
       </data>
       <key>SIMGID2</key>
       <data>
       (base64-encoded binary GID2)
       </data>
       <key>SIMStatus</key>
       <string>(ENUM kCTSIMSupportSIMStatusReady kCTSIMSupportSIMStatusNotReady kCTSIMSupportSIMStatusOperatorLocked)</string>
       <key>SerialNumber</key>
       <string>...</string>
       <key>SupportsPostponement</key>
       <true/>
       <key>UniqueChipID</key>
       <integer>...</integer>
       <key>UniqueDeviceID</key>
       <string>(hex UUID)</string>
 </dict>
 </plist>

SIMGID1, SIMGID2 and PhoneNumber are present only if the installed SIM has them and they were read correctly.

If ActivationState is not Unactivated, or the token signature is not correct, Apple's server responds with the message "there's problem with your device".
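As an added example (not from the wiki page), the following parses a token laid out as above and applies the checks this section describes: the ActivationInfoXML data is decoded and parsed, its SHA1 digest (the value FairPlaySignature covers) is computed, and the token is rejected unless ActivationState is Unactivated and its ActivationRandomness matches the last value stored. Sample values are constructed, and the SHA1+RSA verification of the signature against the FairPlayCertChain leaf is passed in as a boolean rather than performed.

```python
import hashlib
import plistlib
import uuid

INNER = {  # constructed inner ActivationInfoXML plist: keys from the page, values made up
    "ActivationRandomness": str(uuid.UUID(int=0x1234)),
    "ActivationState": "Unactivated",
    "DeviceClass": "iPhone",
    "ProductType": "iPhone2,1",
    "UniqueDeviceID": "00" * 20,
}
INNER_XML = plistlib.dumps(INNER)
TOKEN = plistlib.dumps({  # constructed outer ActivationInfo; chain and signature are placeholders
    "ActivationInfoComplete": True,
    "ActivationInfoXML": INNER_XML,  # written as <data>, i.e. base64 of the inner plist
    "FairPlayCertChain": b"placeholder DER chain",
    "FairPlaySignature": b"placeholder signature",
})

REQUIRED = ("ActivationRandomness", "ActivationState", "DeviceClass", "ProductType", "UniqueDeviceID")


def parse_token(token_bytes):
    """Return (outer dict, inner dict, SHA1 hex of ActivationInfoXML); the digest is what FairPlaySignature covers."""
    outer = plistlib.loads(token_bytes)
    inner_xml = outer["ActivationInfoXML"]  # plistlib decodes <data> to bytes
    return outer, plistlib.loads(inner_xml), hashlib.sha1(inner_xml).hexdigest()


def check_token(token_bytes, expected_randomness, signature_ok):
    """Server-side checks the page describes; returns the list of failures (empty means accepted)."""
    outer, inner, _ = parse_token(token_bytes)
    problems = []
    if outer.get("ActivationInfoComplete") is not True:
        problems.append("ActivationInfoComplete not set")
    problems += ["missing " + k for k in REQUIRED if k not in inner]
    if inner.get("ActivationState") != "Unactivated":
        problems.append("ActivationState is not Unactivated")
    # lockdownd stores only the last ActivationRandomness, so any earlier token is stale
    if inner.get("ActivationRandomness") != expected_randomness:
        problems.append("stale ActivationRandomness")
    # signature_ok is the caller's SHA1+RSA verification against the FairPlayCertChain leaf
    if not signature_ok:
        problems.append("FairPlaySignature invalid")
    return problems


def with_state(token_bytes, state):
    """Constructed variant of a token with ActivationState replaced (negative test input)."""
    outer, inner, _ = parse_token(token_bytes)
    inner["ActivationState"] = state
    outer["ActivationInfoXML"] = plistlib.dumps(inner)
    return plistlib.dumps(outer)
```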

Activation Protocol

Use SSL and send the request below with the values filled in.

POST /WebObjects/ALUnbrick.woa/wa/deviceActivation HTTP/1.1
Accept-Encoding: gzip
Accept-Language: en-us, en;q=0.50
Content-Type: multipart/form-data; boundary=DeviceActivation
Content-Length: 1234
Host: albert.apple.com
Cache-Control: no-cache

--DeviceActivation
Content-Disposition: form-data; name="activation-info"

<dict>
       <key>ActivationInfoComplete</key>
       <true/>
       <key>ActivationInfoXML</key>
       <data>
       (base64-encoded activation info here)
       </data>
       <key>FairPlayCertChain</key>
       <data>
       (base64-encoded cert in DER format)
       </data>
       <key>FairPlaySignature</key>
       <data>
       (base64-encoded signature (SHA1+RSA) of ActivationInfoXML)
       </data>
 </dict>
--DeviceActivation--

Resources

* posixninja's iDeviceActivate (http://github.com/posixninja/ideviceactivate)
* iSn0wra1n's iActivator v2 for Windows (http://github.com/iSn0wra1n/iActivator)