
Exploring Apple's iCloud Activation Lock
(and some other stuff)
By: iH8sn0w

Jailbreakcon 2014

April 13, 2014

Who Am I?
Steven (iH8sn0w)

From Toronto, Ontario (Canada)

19 years old

Involved in the iOS Jailbreak community since 2009

Known for r0bf0rdsn0w, sn0wbreeze, iREB, iFaith, and f0recast.

sn0wbreeze --> Custom IPSW creator for Windows via xpwn.
p0sixspwn --> iOS 6.1.3/6.1.4/6.1.5/6.1.6 untether/jailbreak.
iREB --> Entering a Pwned DFU on select devices and exiting recovery mode.
iFaith --> Dumps SHSH blobs for the iOS version currently running on the device.
f0recast --> Lets the user know whether or not they can jailbreak or unlock (and soon it'll let users know whether their phone is factory unlocked, due to the new factory unlock services springing up all over the web).

Previous Talks

Downloadable at: http://iH8sn0w.com/jbcon2012



Previous Talks

Downloadable soon.

iOS 3 to iOS 4.2.1/4.3.x

Find My iPhone was included with a yearly subscription to MobileMe.

MobileMe was retired with iCloud.

Thieves could DFU restore and resell the device.

iOS 5 to iOS 6.1.6

Find My iPhone was now free for the majority of devices.

Still useless if thieves DFU restored.

iOS 7
iCloud Activation Lock

Restorer could not activate the phone until the Apple ID + password previously paired to the iDevice was entered and verified.

iCloud Activation Lock

[PRO] Thieves cannot use the device.

[CON] Used as a reseller scam.

[CON] Apple cannot reset the lock. wat?

Albert
Apple's activation server (not a person).

Sends down signed activation tickets in response to what it was sent.

Responsible for unlocks.

Responsible for locks.

Responsible for iCloud locks.

Responsible for Push and iMessage.

How IMEI locks work

All iPhones are built the same.

Phones are programmed/locked at the Apple Store or at retail.

All future activations must satisfy the programmed requirements.

If one requirement fails, activation is refused.

* The only difference between handsets is the region they're designated to go to.
* Upon purchase of the phone from an Apple Store, depending on whether you paid for a fully unlocked model or a locked one, the Genius submits the lock information to Albert.
* All future activations must fulfill the requirements that were set.

How Activations work

iDevice --(Activation Request: SIM's IMSI, SIM's ICCID, SerialNumber, Model)--> Albert
iDevice <--(Activation Ticket)-- Albert

* iDevice generates a unique activation request for Albert (contains info like the SIM's ICCID and IMSI, the serial number, etc.).
* Albert verifies that the conditions of the lock on file for the IMEI match what it received.
* Replies with an Activation Ticket.

How Hactivations work

iDevice --(Activation Request: SIM's IMSI, SIM's ICCID, SerialNumber, Model)--> Albert
iDevice <--(Activation Ticket)-- Albert

* The device is short-circuited to already be activated on boot, so the exchange above never has to complete.
* Known to cause battery issues in various builds due to memory leaks.

How iOS 7 Activations work

iDevice --(Activation Request: SIM's IMSI, SIM's ICCID, SerialNumber, Model)--> Albert
Albert: Is the device locked to Find My iPhone?
  No  --> Activation Ticket sent to the iDevice
  Yes --> HTML Page sent to the iDevice instead

* iDevice generates a unique activation request for Albert (contains info like the SIM's ICCID and IMSI, the serial number, etc.).
* Albert looks up whether the device asking for an activation ticket is locked via Find My iPhone.
* If it is, an HTML page is sent down instead of an Activation Ticket.
* This is the "Enter your Apple ID/password" page.
* If it is not, Albert verifies that the conditions of the lock on file for the IMEI match what it received and replies with an Activation Ticket.

Client Side Attacks (DFU)

iPhone 4 is susceptible to limera1n.

Allows execution of a custom ramdisk.

Hard-patch of /usr/libexec/lockdownd.

Removal of /Applications/Setup.app.

Client Side Attacks

Phone did not get a valid activation ticket.

Has no clue what carrier it's locked to (no service).

Phone basically functions as an iPod or iPad.

Client Side Attacks (cont'd)

Setup.app crashes:

Refuses to run any apps.

Services that jailbreaks exploit are not running (installd & mobilebackup2).

Worth noting: AFC is active regardless of activation state.

People that managed to crash Setup.app via complicated procedures (e.g. getting to Phone.app from the emergency call screen and adding contacts) would notice SpringBoard apps fail to run.

Userland Jailbreaks
Modern userland jailbreaks exploit services that only spawn on activated iDevices.

e.g. installd and mobilebackup2

Same reason the AppleTV 3 jailbreak isn't out (nito ;P)

AppleTV has limited services running.

Server Side Attacks

Submit malformed requests to the server that would cause server-side code to take alternative paths.

e.g. SAM unlock, GSX sessID, TSS bug

* The goal for a server-side iCloud Activation Lock bypass would be to convince the server not to check whether the device is linked to an Apple ID.

Server Side Attacks (SAM)

SAM developed by sbingner (awesome dude).

Able to manipulate activation requests on jailbroken phones to achieve /proper/ hactivations.

A community user used SAM to generate an activation request with mixed components from an AT&T SIM and a T-Mobile SIM.
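The activation flow from the "How Activations work" and "How iOS 7 Activations work" slides, the IMEI/serial pairing the hardware slides depend on, and the stitched two-SIM request described on this slide, modelled in one toy server. This is an added example, not the deck's code and not Apple's protocol: the request fields, the HMAC "ticket", the lock records, the IMEIs and serials, and the ICCID-prefix-to-carrier table (8901410 taken to mean AT&T, 8901260 T-Mobile US) are all assumptions made for the example. It shows the decision order the deck describes (Find My iPhone lookup first, then the lock conditions, then a signed ticket) and why a check that judges the SIM by one field alone can be passed by a request whose ICCID and IMSI come from different carriers.

```python
import hashlib
import hmac
import json

# Assumption: a toy HMAC key stands in for whatever Apple signs real tickets with.
SERVER_KEY = b"toy-albert-signing-key"

# Constructed "lock information on file", keyed by IMEI, as the deck describes it being
# submitted at point of sale: the serial the IMEI shipped with, the carrier the handset
# is locked to (IMSI MCC+MNC), and the Find My iPhone state. Values are made up.
LOCK_DB = {
    "356938035643809": {"serial": "DX3H1AAAAAAA", "carrier": "310410", "fmip_locked": False},
    "356938035643817": {"serial": "DX3H1BBBBBBB", "carrier": "310410", "fmip_locked": True},
}

# Assumption: ICCID issuer prefix -> carrier MCC+MNC (AT&T 310410, T-Mobile US 310260).
ICCID_ISSUER_TO_CARRIER = {"8901410": "310410", "8901260": "310260"}

TICKET_FIELDS = ("imei", "serial", "iccid", "imsi", "model")


def carrier_from_iccid(iccid):
    """Carrier implied by the SIM's ICCID issuer identifier, or None if unknown."""
    for prefix, carrier in ICCID_ISSUER_TO_CARRIER.items():
        if iccid.startswith(prefix):
            return carrier
    return None


def carrier_from_imsi(imsi):
    """Carrier implied by the IMSI (MCC+MNC). US networks use 3-digit MNCs; this toy
    assumes that and does not handle countries with 2-digit MNCs."""
    return imsi[:6]


def sign_ticket(request):
    """Toy activation ticket: the request's identity fields plus an HMAC over them."""
    payload = json.dumps({k: request[k] for k in TICKET_FIELDS}, sort_keys=True)
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_ticket(ticket):
    """Device side: accept only a ticket whose HMAC checks out for its payload."""
    expected = hmac.new(SERVER_KEY, ticket["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["signature"])


def activate(request, cross_check_sim=True):
    """Albert-style decision: ("ticket", t), ("html", page) or ("refused", why).

    cross_check_sim=False models a server that judges the SIM by ICCID alone, the kind
    of check a request stitched together from two SIMs can slip through."""
    record = LOCK_DB.get(request["imei"])
    if record is None:
        return ("refused", "unknown IMEI")
    # iOS 7: the Find My iPhone lookup happens before any ticket is considered.
    if record["fmip_locked"]:
        return ("html", "<html>Enter the Apple ID and password used with this device</html>")
    # The IMEI was paired with one serial at point of sale; a transplanted baseband
    # whose NAND_SYSCFG serial was not changed to match fails here.
    if record["serial"] != request["serial"]:
        return ("refused", "IMEI/serial mismatch")
    sim_carrier = carrier_from_iccid(request["iccid"])
    if sim_carrier != record["carrier"]:
        return ("refused", "SIM is not from the locked carrier")
    if cross_check_sim and carrier_from_imsi(request["imsi"]) != sim_carrier:
        return ("refused", "ICCID and IMSI disagree")
    return ("ticket", sign_ticket(request))


def demo():
    """Runs the deck's scenarios against the toy server (all inputs constructed)."""
    att_sim = {"iccid": "89014104270000000001", "imsi": "310410000000001"}
    tmo_sim = {"iccid": "89012600000000000002", "imsi": "310260000000002"}
    base = {"imei": "356938035643809", "serial": "DX3H1AAAAAAA", "model": "iPhone3,1"}
    mixed = {**base, "iccid": att_sim["iccid"], "imsi": tmo_sim["imsi"]}  # SAM-style stitch
    return {
        "att_locked_att_sim": activate({**base, **att_sim}),
        "att_locked_tmo_sim": activate({**base, **tmo_sim}),
        "mixed_iccid_only": activate(mixed, cross_check_sim=False),
        "mixed_cross_checked": activate(mixed),
        "wrong_serial": activate({**base, **att_sim, "serial": "DX3H1ZZZZZZZ"}),
        "fmip_locked": activate({**base, **att_sim, "imei": "356938035643817",
                                 "serial": "DX3H1BBBBBBB"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        detail = f" ({outcome[1]})" if outcome[0] == "refused" else ""
        print(f"{name:20s} -> {outcome[0]}{detail}")
```

The `cross_check_sim=False` path is not a claim about how Apple's server was written (the deck does not say how the stitched request got through); it only shows that a server validating one SIM identifier without checking that it agrees with the other can be fed exactly that kind of request, and that a server which refuses on disagreement is not.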

Server Side Attacks (GSX)

Create a GSX account with a leaked GSX code.

GSX accounts require approval by an admin.

Able to access various components by copying the sessionID when visiting the root of GSX.

Submit requests to GSX via the JavaScript console.

Several IMEI checkers used this technique till it was patched months later.

Server Side Attacks (TSS)

Found by iNeal and me randomly while Skyping.

Allowed TSS to reply back with blobs for iOS versions that were no longer being signed (essentially allowed downgrades).

* The TSS server is what replies back with SHSH blobs and APTickets (gs.apple.com).
* While speaking with iNeal on Skype, I told him an idea I had for attacking the TSS server.
* He tried it and it actually worked.
* We were trying to get it to sign anything we gave it.
* Only managed to get TSS to sign previously signed/trusted images.
* Essentially allowed downgrades.
* Got closed randomly days later.
* We blame my homework and the internal errors we caused.
* Apple most likely saves the requests we sent to the server upon internal errors to an isolated location for future analysis.

Server Side Attacks (TSS)

Goal was to get TSS to sign anything.

Was closed days later! :( [March 30, 2014].


Server Side Attacks (TSS)

Hardware Attacks (wat?)

Where's geohot at?

The iPhone 4 GSM baseband has not been unlockable via Gevey since 04.10.01.

The Chinese took it into their own hands.

Got tired of waiting for a new software unlock?

Developed a hardware technique to unlock the iPhone 4.

Hardware Attacks (wat?)

Desolder the original factory iPhone 4 GSM baseband.

Replace it with a similar chip sold by Infineon.

The chip has the same chipset as the factory baseband.

Flash the latest baseband + IMEI via Phone Tool.

Change the SN accordingly in NAND_SYSCFG (otherwise the Albert request will mismatch).

** ADD PICTURES HERE **

* Change the IMEI/SN to those of a factory unlocked (iCloud-free) handset.
* Illegal in the majority of countries.
* The result of the change will be a factory unlocked iPhone 4 with service.
* To the server, it will look like a completely different device.

Noteworthy Flaws
iOS 7.0.x: iCloud removal/disabling of Find My iPhone.

iOS 7.1: iCloud removal/disabling of Find My iPhone.

Thieves might be able to reset the iCloud password before restoring [if not locked] (tons of users have their iCloud email set up in Mail.app).

Bruteforce Apple IDs?!

Apple IDs can be bruteforced with a dictionary.

Some old Apple IDs do not have strong password conditions.

WHY IS THERE NO CAPTCHA AFTER 100 FAILED ATTEMPTS?

Supposedly has a 43%-ish success rate.

What should be done?

CAPTCHA after failed password attempts.

Don't echo so much personal info over syslog.

Better Apple support to reset iCloud Activation Locks.
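What "CAPTCHA after failed password attempts" buys against the dictionary attack on the previous slide, as an added example that is not from the deck and is not Apple's login code. The account, salt, hash parameters, thresholds (CAPTCHA after 5 consecutive failures, a 15-minute lockout after 10) and the 14-word list are all constructed for the example; the same 14 guesses are run against an unthrottled front door and a throttled one, including an attacker who can solve CAPTCHAs and one who rotates source addresses.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; real systems use a random per-user salt


def hash_password(password):
    # Iteration count kept low so the demo runs in well under a second.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


ACCOUNT = "old.account@example.com"
# Constructed user record; "password1" stands in for the weak passwords the deck
# says older Apple IDs were allowed to keep.
USERS = {ACCOUNT: hash_password("password1")}

# Constructed 14-word dictionary; the real password sits at index 12.
WORDLIST = ["123456", "qwerty", "letmein", "iloveyou", "password", "abc123", "monkey",
            "dragon", "baseball", "football", "sunshine", "princess", "password1", "welcome"]


class AuthGuard:
    """Login front door with per-account and per-source consecutive-failure counters."""

    def __init__(self, captcha_after=5, lockout_after=10, lockout_seconds=900):
        self.captcha_after = captcha_after
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # ("acct", account) or ("src", ip) -> consecutive failures
        self.locked_until = {}  # same keys -> time at which the lockout ends

    def login(self, account, password, source_ip, now, captcha_solved=False):
        """Returns "ok", "bad_password", "captcha_required" or "locked"."""
        keys = (("acct", account), ("src", source_ip))
        if any(self.locked_until.get(k, 0) > now for k in keys):
            return "locked"
        # Demand the CAPTCHA before looking at the password, so a pending CAPTCHA
        # never reveals whether the guess underneath it was right.
        if not captcha_solved and any(self.failures.get(k, 0) >= self.captcha_after for k in keys):
            return "captcha_required"
        stored = USERS.get(account)
        if stored is not None and hmac.compare_digest(stored, hash_password(password)):
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        for k in keys:
            self.failures[k] = self.failures.get(k, 0) + 1
            if self.failures[k] >= self.lockout_after:
                self.locked_until[k] = now + self.lockout_seconds
        return "bad_password"


def dictionary_attack(guard, wordlist, solve_captcha=False, rotate_ips=False):
    """One guess per second against ACCOUNT. Returns (password_found_or_None, outcomes)."""
    outcomes = []
    for i, guess in enumerate(wordlist):
        ip = f"198.51.100.{i}" if rotate_ips else "203.0.113.9"
        result = guard.login(ACCOUNT, guess, ip, now=float(i), captcha_solved=solve_captcha)
        outcomes.append(result)
        if result == "ok":
            return guess, outcomes
    return None, outcomes


def demo():
    big = 10**9
    return {
        # No CAPTCHA, no lockout (the deck's complaint): 13 guesses and the password is out.
        "no_throttle": dictionary_attack(AuthGuard(captcha_after=big, lockout_after=big), WORDLIST),
        # CAPTCHA after 5 failures: a script that cannot solve it gets nowhere.
        "captcha": dictionary_attack(AuthGuard(), WORDLIST),
        # An attacker who pays for CAPTCHA solves still hits the account lockout.
        "captcha_solver": dictionary_attack(AuthGuard(), WORDLIST, solve_captcha=True),
        # Rotating source IPs does not help: the per-account counter still trips.
        "rotating_ips": dictionary_attack(AuthGuard(), WORDLIST, solve_captcha=True, rotate_ips=True),
    }


if __name__ == "__main__":
    for name, (found, outcomes) in demo().items():
        print(f"{name:15s} found={found!r} after {len(outcomes)} attempts; last={outcomes[-1]}")
```

The order of the checks matters: the CAPTCHA gate runs before the password is compared, so an attacker cannot use "captcha_required" versus "bad_password" as an oracle, and the per-account counter is what defeats address rotation; a per-source counter alone would not.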

What is happening?
iCloud locked devices are usually either being sold as a scam or for parts only.

Marketing?

If you purchased an iPhone on eBay that is iCloud locked, check the listing and possibly file a PayPal dispute.

r0bf0rdsn0w?

do u believe?

Cracked only by one person so far.

Speak to me privately if you would like to know more about how this /concept/ works.

sn0wbreeze for iOS 7?!

Hacktivation in sn0wbreeze would trigger issues with the DMCA since it would unknowingly also bypass the iCloud Activation Lock.

An iFaith update will probably happen for the iPhone 4 and AppleTV 2.

Q&A
(for this talk :P)
