WildCard Ticket Exploit on iPhone Baseband Activation: Similar to SAM Unlock
It is really great to have the possibility of unlocking an iPhone using different exploits. Many of them are based on methods that involve decrypting the baseband (NCK unlock) or spoofing the user SIM's IMSI (SAM unlock). Some of them are pretty hard to execute, and some, like the NCK unlock, currently apply only to certain iPhone models. Today I want to share an analysis of activation exploits with you. This exploit is meant to activate a locked iPhone.
We will talk about the WildcardTicket, also called the activation ticket (record).
When your iPhone is locked to a carrier you need an official (wildcard) activation from Apple to unlock the device. If your iPhone has been unlocked unofficially, you can't connect it to iTunes for updating, syncing and the like. You need to be sure that you have a real unlock before connecting to iTunes, because when iTunes detects your iPhone it sends the device data to Apple. Apple's servers analyse your baseband information (IMEI, ICCID, IMSI) and generate an ActivationTicket. This ActivationTicket is bound to a specific SIM card. If Apple sees that something is wrong, it locks the iPhone again. In other words, you can't use iTunes if your iPhone is unlocked unofficially. The SAM unlock works with the same WildcardTicket activation method to fool Apple's activation server. You may have heard that SAM is not working now. In fact SAM still works if you have an activation ticket, but if Apple has somehow re-locked the device it will not work, for the simple reason that the baseband seczone is not accessible.
But there is a question: how does Ultrasn0w actually work? When a device is unlocked with the Dev Team's Ultrasn0w you can connect and restore it as many times as you like, as long as you don't update the baseband. The trick is that Ultrasn0w unlocks the baseband on the fly. In other words, every time the iPhone boots, Ultrasn0w sends its exploit to the baseband and unlocks it.
So here I am going to show you one of the possible activation exploits that can be used to find a way to unlock an iPhone. Below you will see a bunch of AT commands that you need to send to your baseband using Minicom. For more information on Minicom and its installation, use this link.
AT commands like the ones shown below are used to retrieve information about the wildcard unlock.
The most important command is:
which permits a properly signed WildcardTicket to allow all ICCIDs and IMSIs. These are the "carrier" or "IMEI" unlocks, and they are the unlocks that Apple can theoretically revoke at its discretion. Incidentally, these "wildcard" unlocks are the only exploits possible these days. The SAM unlock works on a very similar principle: it also uses the ICCID and IMSI, along with some other data, to trick Apple's servers by sending them data that says the iPhone is unlocked. When you issue the at+xlck or at+xsimstate commands, an unlocked baseband returns something like this:
+XLOCK: "PN",1,0
+XSIM: 2 (or 7)
If the iPhone is locked, at+xlck returns:
+XLOCK: "PN",1,2
Here is the list of all known codes returned by the at+xlck and at+xsimstate commands. So let's do some analysis:
Compare the response before and after sending the following sequence:
at+xlck=0
at+xlck=1,1,"key 1"
at+xlck=1,2,"key 2"
at+xlck=1,3,"key 3"
at+xlck=1,4,"key 4"
at+xlck=2
This should get you:
+XLOCK: "PN",1,0
+XSIM: 7
So the baseband is unlocked.
If you have read all the information above and understood nothing, here is a simpler explanation of what is going on, in general steps:
Step 1. Send at+xlck=0 to read the current lock state and the unlock information.
Step 2. Send at+xlck=1,x,"key x" four times (x = 1 to 4), each carrying one 512-byte unlock key.
Step 3. Send at+xlck=2 to run the unlock verification.
If everything goes right, the baseband returns +XLOCK: "PN",1,0; if not, it returns +XLOCK: "PN",1,2.
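As an added example (not code from the original post), here is the three-step at+xlck exchange written as a small Python driver with a parser for the +XLOCK and +XSIM responses. The send function is whatever transport you use, in practice a serial port to the baseband. FakeBaseband is a constructed stand-in that only mirrors the command and response shapes shown above and accepts one fixed key set; the real verification happens inside the baseband's seczone and is not modelled. Passing each 512-byte key as a quoted string is an assumption about the encoding.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Responses as shown on the page (extraction may add spaces after '+'):
#   +XLOCK: "PN",1,0  -> unlocked        +XLOCK: "PN",1,2 -> locked
#   +XSIM: 2 or +XSIM: 7
XLOCK_RE = re.compile(r'\+\s*XLOCK:\s*"(?P<fac>[A-Z]+)"\s*,\s*(?P<en>\d+)\s*,\s*(?P<st>\d+)')
XSIM_RE = re.compile(r'\+\s*XSIM:\s*(?P<state>\d+)')


@dataclass
class LockStatus:
    facility: str        # "PN" = network personalisation (carrier lock)
    enabled: int
    status: int          # 0 = unlocked, 2 = locked (per the page)
    xsim: Optional[int]  # +XSIM state if the baseband reported one

    @property
    def unlocked(self) -> bool:
        return self.facility == "PN" and self.status == 0


def parse_status(response: str) -> Optional[LockStatus]:
    """Pull the +XLOCK line (and an optional +XSIM line) out of a raw reply."""
    m = XLOCK_RE.search(response)
    if not m:
        return None
    s = XSIM_RE.search(response)
    return LockStatus(m["fac"], int(m["en"]), int(m["st"]),
                      int(s["state"]) if s else None)


def unlock_sequence(send: Callable[[str], str], keys: List[str]) -> LockStatus:
    """Steps 1-3 from the page: query, load four keys, verify.

    `send` writes one AT command and returns the baseband's reply. Keys are
    the four 512-byte unlock keys, passed here as quoted strings (assumption).
    """
    if len(keys) != 4:
        raise ValueError("exactly four unlock keys are expected")
    for k in keys:
        if len(k) != 512:
            raise ValueError("each unlock key must be 512 bytes long")
    before = parse_status(send("at+xlck=0"))           # step 1: read lock state
    if before is not None and before.unlocked:
        return before                                   # already unlocked
    for slot, key in enumerate(keys, start=1):          # step 2: keys 1..4
        reply = send(f'at+xlck=1,{slot},"{key}"')
        if "ERROR" in reply:
            raise RuntimeError(f"baseband rejected key {slot}")
    after = parse_status(send("at+xlck=2"))             # step 3: verify
    if after is None:
        raise RuntimeError("no +XLOCK line in the verify response")
    return after


class FakeBaseband:
    """Constructed stand-in for the serial transport, NOT a real baseband.

    It mirrors only the response shapes on the page. Real key checking is done
    inside the seczone and is not modelled: this object simply accepts the one
    key set it was built with and reports locked for anything else.
    """

    def __init__(self, accepted_keys: List[str]):
        self.accepted = list(accepted_keys)
        self.loaded = {}
        self.locked = True

    def __call__(self, cmd: str) -> str:
        cmd = cmd.strip()
        if cmd.lower() in ("at+xlck=0", "at+xsimstate"):
            return self._status()
        m = re.fullmatch(r'at\+xlck=1,(\d),"([^"]*)"', cmd, re.IGNORECASE)
        if m:
            self.loaded[int(m.group(1))] = m.group(2)
            return "OK"
        if cmd.lower() == "at+xlck=2":
            sent = [self.loaded.get(i) for i in range(1, 5)]
            self.locked = sent != self.accepted
            return self._status()
        return "ERROR"

    def _status(self) -> str:
        if self.locked:
            return '+XLOCK: "PN",1,2\r\nOK'
        return '+XLOCK: "PN",1,0\r\n+XSIM: 7\r\nOK'
```

To use it against hardware, replace FakeBaseband with a function that writes the command to the baseband's serial port and returns the reply text; the driver and parser stay the same.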
Wildcard Ticket wildcard_record.plist
You can find your activation file in the following directory:
Here you will find a .plist file containing the ICCID, which is unique to each SIM card. You can use a plist editor to open it. In it you should find the AccountToken field, which holds the activation information as a base64-encoded string; decode that string to read the activation data.
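As an added example, not from the original post: reading the record with Python's plistlib, base64-decoding AccountToken and pulling out the ICCID and IMSI it records, then checking them against the SIM that is inserted (the page says a ticket is bound to one SIM). The sample plist, its field names and the "key" = "value"; text layout inside the token are constructed to match the terms used above; check them against a real record from your own device before relying on them.

```python
import base64
import binascii
import plistlib
import re
from typing import Dict, Tuple, Union

# Constructed sample (not a real record). Field names follow the terms used on
# the page (ICCID, IMSI, AccountToken, WildcardTicket) and are an assumption.
TOKEN_TEXT = (
    '{\n'
    '\t"InternationalMobileEquipmentIdentity" = "012345678901234";\n'
    '\t"IntegratedCircuitCardIdentity" = "8901260000000000001";\n'
    '\t"InternationalMobileSubscriberIdentity" = "310260000000001";\n'
    '\t"ActivationRandomness" = "constructed";\n'
    '}\n'
)

# AccountToken is stored as the base64 string the page describes; the ticket
# bytes and ICCID are placeholders.
SAMPLE_PLIST = plistlib.dumps({
    "AccountToken": base64.b64encode(TOKEN_TEXT.encode()).decode(),
    "WildcardTicket": b"constructed-ticket-bytes",
    "IntegratedCircuitCardIdentity": "8901260000000000001",
})

# One '"key" = "value";' line inside the decoded token (assumed layout).
FIELD_RE = re.compile(r'"(?P<k>[A-Za-z0-9_]+)"\s*=\s*"(?P<v>[^"]*)"\s*;')


def load_record(data: bytes) -> dict:
    """Parse the XML or binary plist bytes of wildcard_record.plist."""
    return plistlib.loads(data)


def decode_account_token(value: Union[str, bytes]) -> str:
    """Return the AccountToken as plain text.

    Accepts the base64 string form (what a plist editor shows) or a bytes
    value; bytes that are not valid base64 are taken to be the text already.
    """
    raw = value.encode() if isinstance(value, str) else value
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return raw.decode("utf-8")


def parse_token_fields(text: str) -> Dict[str, str]:
    """Turn the decoded token text into a dict of its string fields."""
    return {m["k"]: m["v"] for m in FIELD_RE.finditer(text)}


def sim_matches(fields: Dict[str, str], iccid: str, imsi: str) -> bool:
    """Does the ticket's recorded SIM identity match the inserted SIM?"""
    return (fields.get("IntegratedCircuitCardIdentity") == iccid
            and fields.get("InternationalMobileSubscriberIdentity") == imsi)


def inspect(data: bytes) -> Tuple[dict, Dict[str, str]]:
    """Load a record and return (raw record dict, decoded token fields)."""
    rec = load_record(data)
    fields = parse_token_fields(decode_account_token(rec["AccountToken"]))
    return rec, fields


if __name__ == "__main__":
    record, token = inspect(SAMPLE_PLIST)
    for key, val in token.items():
        print(f"{key}: {val}")
    print("ticket bytes:", len(record["WildcardTicket"]))
```

If a real record stores AccountToken as a <data> element, plistlib hands you bytes that are already decoded; decode_account_token handles both that case and the base64 string shown in a plist editor.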
The ActivationTicket is what gets sent to the baseband as the unlock key. The key comes from Apple's server side, which validates the activation data before issuing it. If the device is not activated, send the ActivationTicket to the baseband to get +XLOCK: "PN",1,0, and then activate it. You don't need your original SIM card for the activation. The current activation vulnerability can be used to unlock the iPhone as long as you back up the activation file and don't update the baseband. After a baseband update your saved activation ticket will fail, because it belongs to a different baseband firmware version.
Tags: 04.11.08, 04.12.01, activation, activation ticket, AT+, exploits, iactivator, minicom, nck, SAM unlock, wildcard ticket