A few days after posting my research on the Apple iCloud activation lock, I found my article near the top of Google for that subject. At the same time the stars aligned and I received a used iPhone 5s from eBay, which turned out to be iCloud locked after I flashed it to iOS 8.1.2. I took it as a sign and started digging deeper into this area.
First of all, I intercepted the traffic between the iPhone and Apple’s activation server. Apple calls it “Albert” (albert.apple.com), which earned my applause as a physicist.
Implementing a man-in-the-middle attack on an SSL connection to intercept and modify Internet traffic is a topic for another article, so I will omit those details here. Let’s take a look at the results.
Each time your iPhone attempts activation, it sends a specific set of data to Apple’s activation server. By the way, it silently re-activates itself every time you insert a new SIM card, so there can be no permanent fake activation unless you have a jailbroken device with a modified file system. The device keeps an “activation_data.plist” file for every SIM card that has ever been inserted, and if a new SIM card is present, the activation process repeats.
The data sent from the iPhone to Apple’s server consists of three major parts:
- Activation data – all the unique identifiers of the device, such as serial number, model, firmware version, IMEI/ESN, unique chip ID, baseband chip ID and serial number, a hash of the baseband cryptographic keys, country, region, etc.
- FairPlay certificate chain – needed to identify the device to Apple services such as iTunes, iMessage, push notifications, etc.
- A digital signature over the data above (at first glance it looks like a SHA hash, but a bare hash could be recomputed by anyone who modified the data; it only protects the request because it is produced with a key the attacker does not hold).
As we can see, cryptography and digital signatures are used throughout, so the data can be validated on both sides. Yes, the iPhone verifies all the data it gets from Apple servers locally, even when it receives it through iTunes rather than directly from the Internet. There was a bug in iOS 7 where the iPhone didn’t validate all the data coming from iTunes, which is what let the previously mentioned Doulci team use their fake activation server. My research shows that iOS 8 has no such vulnerability.
But… I found a very strange issue: modifying the “BasebandChipID” value doesn’t affect the digital signature validation. However, it still has to be a valid chip ID, not just a random number, in order to get a correct response from the server. So, maybe, this could be a potential door for a future exploit.
As for me, I want to use a fully functional device with all its features, like push notifications and the iTunes Store. Can you imagine a smartphone without notifications today? The FairPlay certificate chain in the activation request makes it impossible to use those services without a proper activation, so even if you successfully unblock the device UI with a fake activation, you will never get all its features.
The response from the activation server is also signed with an RSA key, so the iPhone can check locally whether we intercepted the traffic and modified the response somehow. To forge a server response, a potential attacker would need Apple’s private signing key, which I assume is highly secured. Nor is the server response validated only once on the iPhone. The baseband chip on each logic board has a built-in feature to validate the activation data again, even after it has successfully passed validation on the main CPU. That’s why all devices activated with the Doulci server have no cellular network access: their basebands are simply disabled by their own firmware.
The magic key in the server response is named “Unbrick”, with possible values “true” or “false”. A very funny choice of name. Flipping this key in the server response has no effect either, unless we can produce a valid digital signature for the modified response.
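To make the two signature checks concrete (the device-signed request with its activation data and FairPlay chain, and the server-signed response carrying “Unbrick”), here is an added example that replays the exchange and the tampering attempts discussed above. It is my own illustration, not code from the original post and not Apple’s protocol: the dictionary keys, the record layout, the placeholder certificate chain and the sample values are constructed assumptions, the RSA keys are pedagogical keys built from well-known Mersenne primes with textbook (unpadded) RSA so it runs offline with the standard library, and treating BasebandChipID as a field outside the signed region is just one model consistent with the observation above, not a statement about how Apple actually computes the signature.

```python
import copy
import hashlib
import plistlib


class RsaKey:
    """Textbook RSA (no padding) over a SHA-256 digest. Demonstration only;
    real deployments use PKCS#1 v1.5/PSS padding and properly generated primes."""

    def __init__(self, p, q, e=65537):
        self.n = p * q
        self.e = e
        self.d = pow(e, -1, (p - 1) * (q - 1))      # private exponent
        self.size = (self.n.bit_length() + 7) // 8  # signature length in bytes

    def sign(self, message: bytes) -> bytes:
        h = int.from_bytes(hashlib.sha256(message).digest(), "big")
        return pow(h, self.d, self.n).to_bytes(self.size, "big")

    def verify(self, message: bytes, signature: bytes) -> bool:
        # Only (n, e) is needed here; a real verifier never holds d.
        h = int.from_bytes(hashlib.sha256(message).digest(), "big")
        return pow(int.from_bytes(signature, "big"), self.e, self.n) == h


# Pedagogical keys from public Mersenne primes: nothing here is secret or secure.
DEVICE_KEY = RsaKey((1 << 521) - 1, (1 << 127) - 1)  # signs the request
SERVER_KEY = RsaKey((1 << 607) - 1, (1 << 107) - 1)  # signs the response

# Constructed sample data. Key names are assumptions, not Apple's record layout;
# the IMEI is the common documentation example, not a real handset.
FAIRPLAY_CHAIN = b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
ACTIVATION_DATA = {
    "SerialNumber": "C0NSTRUCTED0",
    "ProductType": "iPhone6,1",        # iPhone 5s model identifier
    "ProductVersion": "8.1.2",
    "IMEI": "356938035643809",
    "UniqueChipID": 0x1122334455667788,
    "BasebandChipID": 0x2FE1,
    "BasebandSerialNumber": "CONSTRUCTEDBB",
    "Country": "US",
}

# Assumption modelling the observation in the post: BasebandChipID is sent
# but not covered by the signature, so changing it does not break verification.
UNSIGNED_KEYS = {"BasebandChipID"}


def signed_region(activation_data: dict, fairplay_chain: bytes) -> bytes:
    """Canonical bytes the device signs: covered fields as a sorted XML plist,
    followed by the certificate chain (assumed layout)."""
    covered = {k: v for k, v in activation_data.items() if k not in UNSIGNED_KEYS}
    return plistlib.dumps(covered, sort_keys=True) + fairplay_chain


def build_request(activation_data: dict, fairplay_chain: bytes, key: RsaKey) -> dict:
    return {
        "ActivationData": activation_data,
        "FairPlayCertChain": fairplay_chain,
        "Signature": key.sign(signed_region(activation_data, fairplay_chain)),
    }


def server_verify_request(request: dict, device_key: RsaKey) -> bool:
    region = signed_region(request["ActivationData"], request["FairPlayCertChain"])
    return device_key.verify(region, request["Signature"])


def build_response(unbrick: bool, key: RsaKey) -> dict:
    body = {"Unbrick": unbrick, "ActivationRecord": b"(constructed placeholder)"}
    return {"Body": body, "Signature": key.sign(plistlib.dumps(body, sort_keys=True))}


def device_verify_response(response: dict, server_key: RsaKey) -> bool:
    body_bytes = plistlib.dumps(response["Body"], sort_keys=True)
    return server_key.verify(body_bytes, response["Signature"])


def run_demo() -> dict:
    """Replay the exchange plus three tampering attempts; returns each outcome."""
    results = {}
    request = build_request(ACTIVATION_DATA, FAIRPLAY_CHAIN, DEVICE_KEY)
    results["genuine_request"] = server_verify_request(request, DEVICE_KEY)

    # A MITM rewrites a signed field (the IMEI): the signature no longer matches.
    tampered = copy.deepcopy(request)
    tampered["ActivationData"]["IMEI"] = "000000000000000"
    results["imei_tampered"] = server_verify_request(tampered, DEVICE_KEY)

    # Rewriting the (modelled) unsigned BasebandChipID leaves the signature valid.
    tampered = copy.deepcopy(request)
    tampered["ActivationData"]["BasebandChipID"] += 1
    results["basebandchipid_tampered"] = server_verify_request(tampered, DEVICE_KEY)

    # Server answers a locked device with Unbrick=false; flipping it without the
    # server's private key fails the device-side check.
    response = build_response(False, SERVER_KEY)
    results["genuine_response"] = device_verify_response(response, SERVER_KEY)
    forged = copy.deepcopy(response)
    forged["Body"]["Unbrick"] = True
    results["unbrick_flipped"] = device_verify_response(forged, SERVER_KEY)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:26s} signature valid: {ok}")
```

Running it prints a valid signature for the genuine request and response, an invalid one after the IMEI or the “Unbrick” flag is rewritten, and a still-valid one after BasebandChipID is changed, which is exactly the asymmetry worth noticing: any field a signature does not cover is a field the server is trusting on the device’s word alone.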
Finally, an idea came to mind about Apple’s global device database used to validate iPhones worldwide. They presumably store the lock state and look devices up by IMEI (International Mobile Equipment Identity) for GSM phones or MEID/ESN (Mobile Equipment Identifier / Electronic Serial Number) for CDMA devices, both of which should be unique to each manufactured baseband chip. So, after some thought, I ended up desoldering the baseband chip from the logic board. My experiment shows that without a baseband the iPhone identifies itself as an iPod and activates normally.
Checkmate! No baseband, no problem. I’m now the owner of a unique “iPod 5s”, and my advice is to avoid buying iCloud-locked iPhones in the first place.