05-07-2012, 12:21   #1 (permalink)
iqballk
Iphone Activation Patch..!

hello ppl,

I want to share some interesting information regarding iPhone unlock, meaning the ACTIVATION PROCESS.

When it comes to activation, a file called xxx.plist is created in the var\root\Library\Lockdown\activation_records folder. xxx is your SIM's 19 digit ICCID.

This plist file contains encrypted activation records which identify the phone as locked or unlocked.

Let me explain. I have an iPhone 4 which is locked to the AT&T network. It's in 5.01 jailbreak state. I deactivated and reactivated it with an AT&T SIM and backed up the xxx.plist file via the iPhone folders. Installed the SAM module. Activated with my local network SIM. Again backed up the xxx.plist file. Now my phone works with my local network SIM.

Again I deactivated and reactivated with the AT&T SIM. This time, the phone would not accept my local network SIM. I replaced the xxx.plist file with the one that was backed up after the SAM method. Voilà.. now the iPhone accepts my local network SIM.

Maybe it is possible to unlock or patch the activation data by decrypting this plist file.

I heard that plutil.exe can decrypt plist files into simple XML format. You can find plutil.exe in the C:\Program Files\Common Files\Apple\Apple Application Support folder.

So.. I used this tool to convert the xxx.plist file to XML format via the command line, but that XML file contains the same data as the encrypted plist file. Maybe it only works with old iPod keychain.plist files.

It's possible to unlock if we can decrypt this plist file's data.

Any ideas welcome..!

05-07-2012, 13:47   #2 (permalink)
anyone tested this? can you simplify your explanation... thanks

05-07-2012, 14:26   #3 (permalink)
iqballk
this is not a solution. it's reversing.

plist
ICCID
Encryption
Decryption

you have to learn more to understand..,

regards..

05-07-2012, 14:48   #4 (permalink)
it is decy. with 2034 bit, if you want to use a normal PC to read the code, then you need more than 1 billion years.

unless you have the code.

05-07-2012, 15:30   #5 (permalink)
SanjanMobile
Your local SIM is accepted; can you explain to me whether network comes or not? If there is network, can you call from your iPhone?
Explain more

05-07-2012, 16:08   #6 (permalink)
Quote:
Originally Posted by lbd2005
anyone tested this? can you simplify your explanation... thanks

agree

05-07-2012, 18:06   #7 (permalink)
Quote:
Originally Posted by frake50
it is decy. with 2034 bit, if you want to use a normal PC to read the code, then you need more than 1 billion years.

unless you have the code.

private and public keys are given too in the folder, then the RSA password can be cracked

05-08-2012, 05:28   #8 (permalink)
iqballk
yes, have both keys.. there's no use of RSA, because RSA depends on IMSI and ICCID.

regards..

05-08-2012, 05:31   #9 (permalink)
iqballk
Quote:
Originally Posted by satcable20055
Your local SIM is accepted; can you explain to me whether network comes or not? If there is network, can you call from your iPhone?
Explain more

yes.. it got signal too with SAM's trick (it was done before Apple closed the SAM exploit).

regards..

05-08-2012, 10:16   #10 (permalink)
stanner_austin
attached here are the decoded activationdata and activationcomplete plist from Apple.
it doesn't use RSA or any high security in this activation stuff.
FairPlay key is sign every time change on every request.
same as randomizer on both sides.

really nice playing with the Apple activation hole till it was active.

Best Regards
Chevli
Attached Files
File Type: zip activation and reply both.zip (8.8 KB, 478 views)

05-08-2012, 10:26   #11 (permalink)
if you want to use a normal PC to read the code, then you need more than 1 billion years.

http://forum.gsmhosting.com/iptch/156/Refurbished Apple iPhone 3GS (16GB) Black Color

Last edited by dangke; 05-08-2012 at 10:33.

05-08-2012, 11:55   #12 (permalink)
iqballk
with a factory unlocked phone.. is FairPlay still signing every request..?

and can you confirm the plist file from activation_records contains that phone's lockstate table..?

05-27-2012, 11:53   #13 (permalink)
Ta@of!k
• Similar message tampering technique was used in iPhone4 01.59.00 ultrasn0w
• Apple started looking for this message tampering (although they have typos all throughout their debug strings, calling it "tambering")
• A much more challenging obstacle on the iPhone4 was the hardware-based DEP mechanism ("crossbar").
• As soon as you write to memory, hardware disables all execution rights for the address range containing it
• The solution @planetbeing and I developed for ultrasn0w to overcome the crossbar is detailed in the iOS Hacker's Handbook

05-28-2012, 05:36   #14 (permalink)
iqballk
Nice Copy paste..

no regards..

05-28-2012, 07:23   #15 (permalink)
iPhone activation ticket is encrypted with TEA using the iPhone hardware signature (norID, HWID and most probably unique device ID). While the unique device ID is easily available through iTunes when the phone is connected, norID and HWID are a bit difficult to get. You need to be good at programming.