doulCi Kitchen, a.k.a. doulCi 2.0
DTN - DWU : doulCi Team News | doulCi Write Up's (doulCi Kitchen, a.k.a. doulCi 2.0).
doulCi Kitchen, a.k.a. doulCi 2.0
- doulCi Kitchen is the new version of doulCi, i.e., doulCi 2.0, and it's a new level of iOS hacking concept. It follows along the same lines as the first doulCi idea (doulCi Server), but this time a different logic and tools are used.
- doulCi Kitchen uses a very nice and easy idea that provides a better iCloud Activation Lock Bypass that can even be longer, depending on how well it is implemented (I am not going to release the tool, but I'll give you the concept write up explaining how it works ).
- As I said before, I am not going to release the tool, but I will briefly outline the concept. The following illustration should help explain:
PROXY: Could be by wifi, OTA, itunes or other idevice-management software.
doulCi KITCHEN: This is the actual 0 day exploit for all iDevices, including a patched lockwdown binary. You won't even have to patch fairplayd binary because if you understand the logic, you can do whatever you want.
- doulCi Kitchen uses an iDevice as a target with a proxy as go between (whether it be a user computer with regular iTunes or any other software used to activate iDevices). This time I am using a very different kind of server for the "Man in the Middle" (MITM) attack, provided by "doulCi Kitchen", see line 3 of this section. The device is afterwards redirected to the Apple default Albert activation server.
- Plug in your device and iTunes sends the information to Albert, which returns you that dreaded message ("Your device is blah, blah, blah"). If you are going to purchase an iDevice and don't know whether it's iCloud Locked, I strongly suggest using Apple's service to check its status at Apple Activation Lock Status.
- To use doulCi Kitchen, you need to add the Kitchen IP Address to your host file to redirect the request, or just create a simple proxy to read important information from your iDevice (I suggest using non-Apple software as a proxy to modify the request nicely and easily). The program will send the modified data to the Kitchen, which will read the data and store what is needed at a safe location (which may be chosen by the user). An activation request is later submitted to the kitchen, but at this point, activation is requested for the kitchen itself, except when generating the activation info. This is where we need the patched lockdownd and any other binaries that need to be patched (iPhone 3Gs and iPhone 4 work best with doulCi Kitchen), so that some data may be taken from the safe location and not all from the device itself. There are simple ways to do this, even for non-patched binaries. A dyld library can be used to modify the info on the fly with the data already stored from the locked iDevice :) This will enable you to obtain the activation info and a valid FairPlaySignature! Congratulations!!!
- doulCi Kitchen will send and receive valid activation info, which will be stored at a readable location via Afc protocol, (for example : /private/var/Media/activation/Ticket-SN.plist), and notify the proxy to read from that location, in case of custom proxy, or provide them with a web server for regular iTunes. Your locked iDevice will have been Activated :).
- Yes! But I cannot release that info! Most iOS RESEARCHERS/HACKERS know how to get the signature part of the operation. It's easy and the most important part!
- I apologize for my grammar and the way I wrote this, but English is not my mother tongue. Yahya Lmallas (Maroc-OS), @MerrukTechnolog from doulCi Team.
What is doulCi Kitchen ?
- doulCi Kitchen is the new version of doulCi, i.e., doulCi 2.0, and it's a new level of iOS hacking concept. It follows along the same lines as the first doulCi idea (doulCi Server), but this time a different logic and tools are used.
- doulCi Kitchen uses a very nice and easy idea that provides a better iCloud Activation Lock Bypass that can even be longer, depending on how well it is implemented (I am not going to release the tool, but I'll give you the concept write up explaining how it works ).
How does it Work?
- As I said before, I am not going to release the tool, but I will briefly outline the concept. The following illustration should help explain:
PROXY: Could be by wifi, OTA, itunes or other idevice-management software.
doulCi KITCHEN: This is the actual 0 day exploit for all iDevices, including a patched lockwdown binary. You won't even have to patch fairplayd binary because if you understand the logic, you can do whatever you want.
- doulCi Kitchen uses an iDevice as a target with a proxy as go between (whether it be a user computer with regular iTunes or any other software used to activate iDevices). This time I am using a very different kind of server for the "Man in the Middle" (MITM) attack, provided by "doulCi Kitchen", see line 3 of this section. The device is afterwards redirected to the Apple default Albert activation server.
- Plug in your device and iTunes sends the information to Albert, which returns you that dreaded message ("Your device is blah, blah, blah"). If you are going to purchase an iDevice and don't know whether it's iCloud Locked, I strongly suggest using Apple's service to check its status at Apple Activation Lock Status.
- To use doulCi Kitchen, you need to add the Kitchen IP Address to your host file to redirect the request, or just create a simple proxy to read important information from your iDevice (I suggest using non-Apple software as a proxy to modify the request nicely and easily). The program will send the modified data to the Kitchen, which will read the data and store what is needed at a safe location (which may be chosen by the user). An activation request is later submitted to the kitchen, but at this point, activation is requested for the kitchen itself, except when generating the activation info. This is where we need the patched lockdownd and any other binaries that need to be patched (iPhone 3Gs and iPhone 4 work best with doulCi Kitchen), so that some data may be taken from the safe location and not all from the device itself. There are simple ways to do this, even for non-patched binaries. A dyld library can be used to modify the info on the fly with the data already stored from the locked iDevice :) This will enable you to obtain the activation info and a valid FairPlaySignature! Congratulations!!!
- doulCi Kitchen will send and receive valid activation info, which will be stored at a readable location via Afc protocol, (for example : /private/var/Media/activation/Ticket-SN.plist), and notify the proxy to read from that location, in case of custom proxy, or provide them with a web server for regular iTunes. Your locked iDevice will have been Activated :).
Can this be reworked to be used again?
- Yes! But I cannot release that info! Most iOS RESEARCHERS/HACKERS know how to get the signature part of the operation. It's easy and the most important part!
- I apologize for my grammar and the way I wrote this, but English is not my mother tongue. Yahya Lmallas (Maroc-OS), @MerrukTechnolog from doulCi Team.
[ VIA : ] doulCi.
[ SOURCE : ] Merruk Technology.
[ COMMENTS : ]