iPhone Activation Process [wiki]

The iPhone activation process is the validation of a device by Apple, performed through iTunes over an internet connection. When the iPhone is new or has just been restored, it usually shows the “Emergency Call” screen or a “Connect to iTunes” sign. Be careful not to confuse this screen with Recovery Mode: the activation screen has a battery indicator in the top right corner, which tells the two apart. Once activation is complete you are brought to the device's SpringBoard with all functions available. The code responsible for the activation process lives in lockdownd, a daemon that always runs in the background and monitors the device's activation status, FairPlay and CarrierDebug status, and a few other things.

iPhone Activation lockdownd

Lockdownd patches activate the phone and remove the need for a legitimate activation process involving iTunes and an official carrier. This requires a jailbroken device, so that the kernel can be patched and iBoot can launch without dynamic libraries being patched in RAM. But that is not the end of the process.

The iPhone cannot be used normally (calling, texting) unless its baseband is also unlocked. That can be achieved through various software and hardware solutions depending on the device model. Lockdownd patches are only used on the iPhone and on the iPad 3G or CDMA models. Such patches have never been refused regardless of country, firmware or other factors.

iPhone unlock exploits such as the SAM unlock or the WildCard Ticket unlock are based on the activation process.

The activation process is handled by Apple's server at:

https://albert.apple.com/WebObjects/ALActivation.woa/wa/deviceActivation

Here is a sample activation request as sent to Apple:

Download sample

Layout of Activation Token

This is the string representation of the CFDictionary that gets sent to Apple's server. The object can be obtained through the MobileDevice library by calling AMDeviceCopyValue with the “ActivationInfo” key.

It is generated by lockdownd. On generation it stores ActivationRandomness in the data ark and checks it later, so only the most recently generated token is valid. The SHA1 digest is computed in lockdownd, which then asks fairplayd to complete the signing process and obtain the certificate chain.

<dict>
        <key>ActivationInfoComplete</key>
        <true/>
        <key>ActivationInfoXML</key>
        <data>
        (base64-encoded activation info here)
        </data>
        <key>FairPlayCertChain</key>
        <data>
        (base64-encoded RSA certificate chain including root CA in DER format)
        </data>
        <key>FairPlaySignature</key>
        <data>
        (base64-encoded signature (SHA1+RSA) of ActivationInfoXML, validated using FairPlayCertChain certificate)
        </data>
</dict>

Source: theiPhoneWiki
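To make the token layout concrete, here is an added example (not code from this page or from theiPhoneWiki) that builds the three-key dictionary above as an XML plist and verifies the SHA1+RSA signature over ActivationInfoXML. It assumes nothing about Apple's real keys: the RSA key is generated at run time and stands in for the FairPlay signing key, FairPlayCertChain holds constructed placeholder bytes (parsing a real DER chain needs an X.509 library), and all function names are the example's own. The point it shows is that the verifying public key must come from a pinned trust anchor, not from the certificate chain carried inside the token, since a checker that trusted the embedded chain would accept any self-consistent token.

```python
import hashlib
import plistlib
import random

# DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-1 (RFC 8017, section 9.2)
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                 61, 67, 71, 73, 79, 83, 89, 97]


def _is_probable_prime(n, rounds=20):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd prime with the top bit set so p*q has the intended size."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_rsa_key(bits=512):
    """Return (n, e, d). Deliberately small for speed; stands in for Apple's key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15_sha1(message, k):
    """EM = 0x00 || 0x01 || PS (0xff..) || 0x00 || DigestInfo(SHA-1(message))."""
    t = _SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sha1_sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15_sha1(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def rsa_sha1_verify(message, signature, n, e):
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15_sha1(message, k)


def build_token(activation_info_xml, cert_chain_der, n, d):
    """Serialise the three-key dictionary from the layout above as an XML plist."""
    return plistlib.dumps({
        "ActivationInfoComplete": True,
        "ActivationInfoXML": activation_info_xml,
        "FairPlayCertChain": cert_chain_der,
        "FairPlaySignature": rsa_sha1_sign(activation_info_xml, n, d),
    })


def verify_token(token_bytes, trusted_pubkey):
    """Check the structure, then the SHA1+RSA signature over ActivationInfoXML.

    trusted_pubkey is (n, e) from a pinned trust anchor. The FairPlayCertChain
    inside the token is only checked for presence here; a full verifier would
    parse it and require it to chain up to that same pinned root.
    """
    try:
        tok = plistlib.loads(token_bytes)
    except Exception:  # not a plist, or malformed XML
        return False
    if tok.get("ActivationInfoComplete") is not True:
        return False
    data_keys = ("ActivationInfoXML", "FairPlayCertChain", "FairPlaySignature")
    if not all(isinstance(tok.get(key), bytes) for key in data_keys):
        return False
    n, e = trusted_pubkey
    return rsa_sha1_verify(tok["ActivationInfoXML"], tok["FairPlaySignature"], n, e)


# Constructed inputs: a tiny stand-in for the real ActivationInfoXML plist and
# placeholder bytes where the DER certificate chain would go.
KEY_N, KEY_E, KEY_D = gen_rsa_key()
ACTIVATION_INFO = b"<plist><dict><key>ActivationRandomness</key><string>constructed</string></dict></plist>"
CERT_CHAIN_PLACEHOLDER = b"DER certificate chain placeholder"
TOKEN = build_token(ACTIVATION_INFO, CERT_CHAIN_PLACEHOLDER, KEY_N, KEY_D)


def tamper(token_bytes):
    """Alter ActivationInfoXML without re-signing: the signature must then fail."""
    tok = plistlib.loads(token_bytes)
    tok["ActivationInfoXML"] = tok["ActivationInfoXML"].replace(b"constructed", b"altered")
    return plistlib.dumps(tok)


if __name__ == "__main__":
    print("genuine token verifies:", verify_token(TOKEN, (KEY_N, KEY_E)))
    print("tampered token verifies:", verify_token(tamper(TOKEN), (KEY_N, KEY_E)))
```

Running the module prints True for the genuine token and False for the tampered one. Because verify_token takes the public key as a parameter, a token signed under any other key, including one whose own embedded chain looks valid, is rejected; that is the property the “validated using FairPlayCertChain certificate” line only delivers when the chain is anchored at a root the verifier already trusts.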

You can find your activation file in the following directory:

 /var/root/Library/Lockdown/activation_records/

This ActivationTicket is bound to a specific SIM card. If Apple sees that something is wrong, it locks the iPhone again. In other words, you cannot use iTunes if your iPhone has been unlocked unofficially. The SAM unlock works with the same WildCard Ticket activation method to fool the Apple activation server.