Activation Lock
(and some other stuff)
By: iH8sn0w
Jailbreakcon 2014
April 13, 2014
Who Am I?
Steven (iH8sn0w)
From Toronto, Ontario (Canada)
19 years old
Involved in the iOS Jailbreak community since 2009
Previous Talks
Downloadable soon.
iOS 7
iCloud Activation Lock
Restorer could not activate
Albert
Apple's activation server.
Sends down signed activation tickets in response to what it was sent.
Not a person.
[Diagram: Activation Request (SIM's IMSI, SIM's ICCID, SerialNumber, Model) sent from the iDevice to Albert]
* iDevice generates a unique activation request for Albert (contains info like SIM ICCID, IMSI, Serial Number, etc.).
* Albert verifies that the lock conditions on file for the IMEI match what it received.
* Replies with an Activation Ticket.
[Diagram: Activation Request (SIM's IMSI, SIM's ICCID, SerialNumber, Model) sent to Albert; Activation Ticket returned to the iDevice]
[Diagram: Activation Request sent to Albert; Albert checks "Is Locked to FindMyiPhone?"; reply is either an Activation Ticket or an HTML page]
* iDevice generates a unique activation request for Albert (contains info like SIM ICCID, IMSI, Serial Number, etc).
* Albert looks up to see if device asking for an activation ticket is locked via Find My iPhone.
* If it is, an HTML page is sent down instead of an Activation Ticket.
* This is the "Enter your Apple ID / password" page.
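The exchange described in the bullets above, written out as an added toy model (example code, not from the talk and not Apple's protocol): the device builds a request from its identifiers, the server looks up the Find My iPhone state for that IMEI before signing anything, and a locked device gets the login page instead of a ticket. The field names, the lock registry, the signing key and the HTML stub are all constructed; HMAC with a server-held key stands in for whatever signature scheme Albert really uses. The point for a defender is that the lock decision and the ticket signature both live on the server, so nothing the device sends changes the outcome.

```python
import hashlib
import hmac
import json

# Assumption: HMAC with a server-held key stands in for Apple's real signature scheme.
SERVER_KEY = b"constructed-albert-signing-key"

# Constructed lock registry: IMEI -> whether Find My iPhone has linked it to an Apple ID.
LOCK_REGISTRY = {
    "490154203237518": True,   # constructed: locked
    "356938035643809": False,  # constructed: not locked
}

# Constructed stand-in for the "Enter your Apple ID / password" page.
LOGIN_PAGE_HTML = "<html><body>Enter your Apple ID and password</body></html>"

TICKET_FIELDS = ("IMEI", "IMSI", "ICCID", "SerialNumber", "Model")


def build_activation_request(imei, imsi, iccid, serial, model):
    """Device side: the request the slides describe (SIM IMSI/ICCID, serial, model)."""
    return {"IMEI": imei, "IMSI": imsi, "ICCID": iccid, "SerialNumber": serial, "Model": model}


def sign_ticket(fields):
    """Server side: bind the ticket to the exact fields it was issued for."""
    payload = json.dumps(fields, sort_keys=True).encode()
    signature = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return {"fields": fields, "signature": signature}


def albert_handle(request):
    """Server side: the lock lookup happens here, before any ticket is signed."""
    missing = [k for k in TICKET_FIELDS if k not in request]
    if missing:
        return {"type": "error", "body": "missing fields: " + ", ".join(missing)}
    imei = request["IMEI"]
    if imei not in LOCK_REGISTRY:
        return {"type": "error", "body": "unknown device"}
    if LOCK_REGISTRY[imei]:
        # Locked device: send the login page instead of an activation ticket.
        return {"type": "html", "body": LOGIN_PAGE_HTML}
    return {"type": "ticket", "body": sign_ticket({k: request[k] for k in TICKET_FIELDS})}


def device_verify_ticket(ticket, request):
    """Device side: accept only a ticket whose signature verifies and whose fields match the request."""
    fields = ticket.get("fields", {})
    if any(fields.get(k) != request.get(k) for k in TICKET_FIELDS):
        return False
    expected = sign_ticket(fields)["signature"]
    return hmac.compare_digest(expected, ticket.get("signature", ""))


def activate(request):
    """Run the full exchange; returns 'activated', 'locked' or 'rejected'."""
    response = albert_handle(request)
    if response["type"] == "html":
        return "locked"
    if response["type"] == "ticket" and device_verify_ticket(response["body"], request):
        return "activated"
    return "rejected"


if __name__ == "__main__":
    # Constructed sample devices; identifiers are made up.
    unlocked = build_activation_request("356938035643809", "310150123456789",
                                        "8901260123456789012", "CONSTRUCTED1", "iPhone5,1")
    locked = build_activation_request("490154203237518", "310150987654321",
                                      "8901260987654321098", "CONSTRUCTED2", "iPhone5,1")
    print(activate(unlocked))  # → activated
    print(activate(locked))    # → locked
```

Because the ticket fields are covered by the signature and checked against the request on the device, a ticket issued for one device does not verify for another, and editing any field in a ticket invalidates it.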
People that managed to crash Setup.app via complicated procedures (e.g. getting to Phone.app from the emergency call screen and adding contacts) would notice that SpringBoard apps fail to run.
Userland Jailbreaks
Modern userland jailbreaks exploit services that only spawn on activated iDevices.
* Goal for a server-side iCloud Activation Lock bypass would be to convince the server to not check to see if the device is linked to an AppleID.
* The TSS server (gs.apple.com) is what replies with SHSH blobs and APTickets.
* While speaking with iNeal on Skype, I told him an idea I had with attacking the TSS server.
* He tried it and it actually worked.
* We were trying to get it to sign anything we gave it.
* Only managed to get TSS to sign previously signed/trusted images.
* Essentially allowed downgrades.
* Got closed randomly days later.
* We blame my homework and the internal errors we caused.
* Apple most likely saves the requests we send to the server upon internal errors to an isolated location for future analysis.
Noteworthy Flaws
iOS 7.0.x iCloud removal/disable of Find My iPhone.
What is happening?
iCloud locked devices are usually either being sold as a scam or for parts only.
Marketing?
If you purchased an iPhone on eBay that is iCloud locked, check the listing and possibly file a PayPal dispute.
r0bf0rdsn0w?
do u believe?
Cracked only by one person so far.
Speak to me privately if you would like to know more about how this /concept/ works.
Q&A
(for this talk :P)