
doulCi Kitchen is the new version of doulCi, i.e., doulCi 2.0, and it is a new level of iOS hacking concept.

It follows along the same lines as the first doulCi idea (doulCi Server), but this time a different logic and different tools are used. doulCi Kitchen uses a very nice and easy idea that provides a better iCloud Activation Lock Bypass, one that can even last longer depending on how well it is implemented (I am not going to release the tool, but I'll give you the concept write-up explaining how it works). As I said before, I am not going to release the tool, but I will briefly outline the concept. The following illustration should help explain:

doulCi KITCHEN: This is the actual 0-day exploit for all iDevices, including a patched lockdownd binary.
PROXY: Could be by Wi-Fi, OTA, iTunes or other iDevice-management software.

You won't even have to patch the fairplayd binary, because if you understand the logic, you can do whatever you want.

Plug in your device and iTunes sends the information to Albert, which returns you that dreaded message ("Your device is blah, blah, blah"). If you are going to purchase an iDevice and don't know whether it is iCloud Locked, I strongly suggest using Apple's service to check its status at Apple Activation Lock Status. This time I am using a very different kind of server for the "Man in the Middle" (MITM) attack, provided by "doulCi Kitchen", see line 3 of this section. doulCi Kitchen uses an iDevice as a target with a proxy as go-between (whether it be a user computer with regular iTunes or any other software used to activate iDevices). To use doulCi Kitchen, you need to add the Kitchen IP address to your hosts file to redirect the request, or just create a simple proxy to read important information from your iDevice (I suggest using non-Apple software as a proxy to modify the request nicely and easily). The device is afterwards redirected to the Apple default Albert activation server.

The program will send the modified data to the Kitchen, which will read the data and store what is needed at a safe location (which may be chosen by the user). An activation request is later submitted to the Kitchen, but at this point activation is requested for the Kitchen itself, except when generating the activation info. This is where we need the patched lockdownd and any other binaries that need to be patched (iPhone 3GS and iPhone 4 work best with doulCi Kitchen), so that some data may be taken from the safe location and not all from the device itself. There are simple ways to do this, even for non-patched binaries. A dyld library can be used to modify the info on the fly with the data already stored from the locked iDevice :) This will enable you to obtain the activation info and a valid FairPlaySignature! Congratulations!!!
