Friday, August 7, 2015

Apple iCloud Device Locking and General Apple Information

If you work in IT you probably have people ask you random questions out of nowhere from time to time. I was recently asked about how to bypass Apple iCloud device locking.

First of all, my opinion on this: I just try to avoid this space (from any perspective). If it sounds too good/cheap to be true, it probably is, yada yada...

There do seem to be some tools online that let you check prior to purchase, but obviously even that isn't foolproof. For example, if the seller knows that the goods have been locked but never connects the device to Apple's servers, then it is unlikely (or impossible) that the device in question will show as locked prior to the sale. They could also feign ignorance when confronted, law enforcement and the legal system may offer no avenue for recourse, etc...
https://support.apple.com/en-au/HT201581
http://apple.stackexchange.com/questions/62448/find-original-sales-information-of-macbook-by-serial-number
https://www.powermax.com/stolen/index
http://notebooks.com/2011/05/10/how-to-avoid-buying-a-stolen-mac-apple-store-robbed-of-24-macbooks-in-30-seconds-video/
http://www.reddit.com/r/apple/comments/1lfko4/macbook_pro_got_stolen_how_can_i_access_the/
Safe to give out the serial number of a Mac I'm selling?
http://arstechnica.com/civis/viewtopic.php?f=19&t=93200
https://www.icloud.com/activationlock/
http://apple.stackexchange.com/questions/132478/macbook-pro-locked-with-find-my-mac-and-wont-let-me-boot
http://www.cnet.com/au/news/apples-icloud-lock-for-macs-is-not-very-secure/
iPhone 6 Plus Are "Stolen Goods" from Futu_Online eBay Promotion
https://www.ozbargain.com.au/node/205809
http://www.amta.org.au/pages/amta/Check.the.Status.of.your.Handset
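One practical step before running a handset through a status lookup like the AMTA one above is to make sure the IMEI the seller gave you is at least well-formed, because a mistyped or made-up IMEI just comes back as "not found", which is easy to mistake for "not blocked". An IMEI is 15 digits: an 8-digit TAC (Type Allocation Code), a 6-digit serial and a Luhn check digit. The following is an added example (not code from this post or from any of the linked sites) that normalises and Luhn-validates an IMEI offline; the sample inputs are constructed for illustration.

```python
"""Sanity-check an IMEI before querying a handset-status/blocklist service.

Added example, not from the post. Validates the Luhn check digit of a
15-digit IMEI so typos and fabricated numbers are caught before a lookup.
"""
import re


def normalise_imei(raw):
    """Strip the spaces, dashes and dots sellers often type into an IMEI."""
    return re.sub(r"[\s\-.]", "", raw)


def luhn_checksum(digits):
    """Luhn sum over a digit string (rightmost digit is position 0)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total


def imei_check_digit(payload14):
    """Compute the Luhn check digit for the first 14 digits of an IMEI."""
    if not (len(payload14) == 14 and payload14.isdigit()):
        raise ValueError("IMEI payload must be 14 digits")
    # Append a placeholder 0 so the doubled positions line up exactly as in
    # the final 15-digit number, then pick the digit that makes the sum 0 mod 10.
    return str((10 - luhn_checksum(payload14 + "0") % 10) % 10)


def validate_imei(raw):
    """Describe an IMEI: whether it is well-formed, its TAC, and why not if not."""
    imei = normalise_imei(raw)
    result = {"imei": imei, "valid": False, "tac": None, "reason": None}
    if not imei.isdigit() or len(imei) != 15:
        result["reason"] = "IMEI must be exactly 15 digits"
        return result
    expected = imei_check_digit(imei[:14])
    if imei[14] != expected:
        result["reason"] = "check digit mismatch: expected %s, got %s" % (expected, imei[14])
        return result
    result["valid"] = True
    result["tac"] = imei[:8]   # TAC identifies the model; handy for a second sanity check
    return result


if __name__ == "__main__":
    # Constructed inputs: a valid IMEI as a seller might type it, the same
    # number with a transposed last digit, and something far too short.
    for sample in ["49-015420-323751-8", "490154203237519", "12345"]:
        print(validate_imei(sample))
```

A valid check digit only tells you the number is internally consistent, not that it belongs to the handset in front of you; dial *#06# on the device itself and compare before you trust a printed sticker or an eBay listing.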

If you've been watching this space for a while you'll know about the doulCi bypass. This seems to work on MITM (man-in-the-middle attack) principles (I haven't taken too close a look at this).
http://maypalo.com/2014/05/24/doulci-alternative-method-gadgetwide/
http://howtosifiwiki.com/bypass-icloud-account/
http://apple.stackexchange.com/questions/167978/factory-reset-an-ipad-without-knowing-the-icloud-password

For those who don't know, what this means is that communications between your device and Apple now go through a third party (doulCi's server). That server filters out the traffic which relates to iCloud locking, or simply substitutes a different set of responses which then unlock the device. For anyone who knows how this is done, this can be extremely tedious and difficult, especially if the defender has taken extensive counter-measures against attack.

If you are interested in possible avenues of attack, here goes:
- preventing it from locking your device should be simple enough: don't connect it to the Internet and don't let it hook up with Apple's servers. Earlier versions of the doulCi hack depend on hosts-file hacking (pointing Apple's hostnames at the bypass server). Later versions of Apple's software seem to block this behaviour though. The easiest way around this is to set up a layered defence/attack with DNS redirects occurring at multiple points between you and Apple, whether via software (relevant configuration files, virtual machines, containers, etc...) and/or hardware (networking hardware, servers, etc...)
- the network/server setup of Apple's systems is such that the authentication servers may not be isolated from store purchases, which makes things slightly more difficult (there are plenty of programs out there to do this). If you must, use a second/intermediary system which downloads music/software and use it to transfer content to another system which is never connected online. This gives you the benefits of purchasing online without having to deal with iCloud authentication issues. Your device cannot be locked without the relevant identifying information being transferred between yourself and Apple (obviously, if this becomes a widespread means of bypassing iCloud then there'll be counter-measures deployed, etc...)
- the game keeps on changing. As cracks in the protocol/system are identified, both attackers and Apple have to keep changing their approach. If you really want to understand it, you're best off learning live packet manipulation and the reverse engineering/cracking of DRM systems
- I've looked at this and for me the easiest way to attack, if your device is locked, is directly via the hardware. It requires no advance knowledge of the software/protocol and relies entirely on the way data is stored on the device itself (obviously, this only makes the problem slightly easier to deal with). It's similar to the way firmware reset mode works on embedded devices such as eBook readers, and to the way bypasses are achieved in physical security systems. The only troubling thing may be access: the flash chips are BGA! Realistically this could mean that this type of attack is nigh on impossible (I think it may be possible though. When I have dead hardware lying around I often play around with it. A single copper fibre and the right type of signal/voltage may be enough to create the type of data corruption that I require). Effectively, the type of attack I envisage revolves around storage corruption. Since everything is stored via a combination of encryption keys at multiple layers, my belief is that destroying/corrupting the storage, restoring iOS clean and bypassing Apple's servers is easier than engaging in a continual race against Apple (making the assumption that restoration of iOS can be completed independently of the iCloud lock check)
http://dtbnguyen.blogspot.com/2012/07/if-only-reading-were-easier.html
http://dtbnguyen.blogspot.com/2012/08/funky-firmware.html
http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
https://www.ifixit.com/Answers/View/192220/Is+it+possible+to+transfer+NAND+Flash+from+iPhone+to+another
http://www.datarecovery.net/newsletters/what-kills-flash-drive.html
Toshiba THGBX2G7B2JLA01 16 GB NAND Flash
SK Hynix H2JTDG8UD1BMR 16 GB NAND Flash
- clearly, I'm working on the premise that attacking hardware is easier than attacking software since it is more difficult to change. Changing the pin-out of a single chip requires re-tooling on a mass scale, for chips that may also be used in other devices, which makes it uneconomical for both Apple and the flash chip manufacturers. Once a design is out there we can just figure it out, and it should then work across that entire design specification/model... Of course, this could be somewhat of a moot point because a lot of Apple devices aren't easily upgradeable, change layout on each iteration, etc...
- another type of attack revolves around changing identifying information on the device and then clearing iOS. That said, you don't know whether or not Apple may have some sort of unique/class-based identification system which blocks non-Apple-identified systems from accessing their servers. Either way, it requires a second system to act as an intermediary
- an insider at Apple who removes the lock and gives you a 'clean sheet'
- that said, much of what I'm saying here is theoretical. I don't have access to an iPod/iPad at the moment, so I don't know. The best I've been able to manage are online teardowns:
http://www.techhive.com/article/116572/article.html
http://superuser.com/questions/616033/are-unpowered-ssds-vulnerable-to-an-emp-shock
http://www.survivalistboards.com/showthread.php?t=72855
http://electronics.stackexchange.com/questions/36921/does-magnetism-affect-sd-cards
https://en.wikipedia.org/wiki/Flash_memory

All of the above means nothing if you can simply replace the logic board, which is the impression I'm getting from some repairers, who seem to be charging a lot for something like this (in comparison with unlocking phones).

Cracking Open: Apple iPad Air 2
https://www.youtube.com/watch?v=-tZlpBz8WF4
https://www.ifixit.com/Teardown/iPad+Mini+Wi-Fi+Teardown/11423
https://www.ifixit.com/Teardown/iPad+Mini+2+Teardown/19374
https://www.ifixit.com/Teardown/iPad+Mini+3+Wi-Fi+Teardown/30628
https://www.ifixit.com/Teardown/iPad+Wi-Fi+Teardown/2183
https://www.ifixit.com/Teardown/iPad+3+4G+Teardown/8277
https://www.ifixit.com/Teardown/iPad+Air+LTE+Teardown/18907
https://www.ifixit.com/Teardown/iPad+Air+2+Teardown/30592
- I just don't get why some groups don't simply release downloadable software which can be used to bypass. A local/loopback proxy would likely have minimal system impact if the protocol break is as simple as it appears to be. My guess is that at least some hacker/cracker groups are using the (supposedly) free and altruistic bypasses as a means of gaining access to people's private details. All the more reason to avoid these third-party hacks and buy equipment 'clean'...
- if you're used to researching DRM and the disassembly/reverse engineering of files, some of the above may seem foreign to you. Believe me, it's not that much of a leap up. Conceptually, many of the same techniques and theories are employed. You just have to get used to a new setting. That's all...
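Given that the earlier doulCi-style bypasses worked by editing the hosts file so Apple's hostnames resolve to a third-party server, and given the concern above that such "free" bypasses may be harvesting people's details, the defensive check worth having is a quick audit of a machine's hosts file before an iOS device is restored or synced through it. The following is an added example (not code from this post or from doulCi) that scans hosts-file text and reports any static mapping for an apple.com or icloud.com name. The sample hosts content and the specific hostnames in it are constructed for illustration, with addresses taken from the RFC 5737 documentation ranges and a private LAN range.

```python
"""Audit hosts-file text for static entries that override Apple hostnames.

Added example, not from the post. Any hosts entry for these domains is a
finding: they are meant to be resolved via DNS, so a static mapping
silently replaces the real record with whatever the editor chose.
"""
import ipaddress

# The two domains the post's links revolve around.
WATCHED_SUFFIXES = ("apple.com", "icloud.com")

# Constructed sample (not a real capture). Hostnames are illustrative.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# lines below added by a third-party "activation helper"
203.0.113.10    albert.apple.com
203.0.113.10    static.ips.apple.com
192.168.1.50    xp.apple.com    # local proxy box
10.0.0.5        intranet.example.org
not-an-address  bogus.apple.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text.

    Everything after '#' is a comment; blank lines are ignored; a line whose
    first field is not a valid IPv4/IPv6 address is skipped, since the
    resolver ignores such lines too.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            yield addr, name.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def describe_target(addr):
    """Rough classification of where a hijacked name is being sent."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback (blackholed or handed to a local proxy)"
    if ip.is_private:
        # Covers the RFC 1918 LAN ranges and, in Python's ipaddress module,
        # the RFC 5737 documentation ranges used in the sample above.
        return "private/reserved address (LAN interception or test range)"
    return "public address (third-party server)"


def find_hijacked_entries(text):
    """Return [(hostname, address), ...] for watched domains pinned in the hosts file."""
    return [(name, addr) for addr, name in parse_hosts(text) if is_watched(name)]


if __name__ == "__main__":
    findings = find_hijacked_entries(SAMPLE_HOSTS)
    for name, addr in findings:
        print("%-25s -> %-15s %s" % (name, addr, describe_target(addr)))
    print("%d suspicious entries" % len(findings))
```

On a real machine, feed it the contents of /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows); an empty result is the expected state, since Apple's hosts should never be pinned there. It only catches the hosts-file variant, which is the point the post makes about the later, layered DNS redirects: a redirect done on the router or an upstream resolver won't show up in the file at all.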

Identify your iPod model
https://support.apple.com/en-au/HT204217

Diagnostic mode for Apple iPod devices
https://discussions.apple.com/thread/3110831
http://www.methodshop.com/gadgets/ipodsupport/diagnosticmode/index.shtml

Sources/options for replacement storage on iPod Classics
http://www.ebay.com/bhp/ipod-classic-120gb-hard-drive
http://rockbox.cool.haxx.narkive.com/ibajtp9V/mk1214gah-or-spinpoint-n2
http://blog.macsales.com/28857-give-your-ipod-classic-new-life-with-owc-iflash
http://eshop.macsales.com/item/OWC/TARIPODFLSH/
http://apple.stackexchange.com/questions/89367/were-the-2009-mbps-affected-by-the-nvidia-problem
http://forums.whirlpool.net.au/archive/1123805

Source for replacement of Apple parts locally
https://www.macfixit.com.au/apple-ipad-iphone-ipod-accessories/ipad-iphone-ipod-repair-replacement-parts/ipod-parts.html

Enabling alternative filesystem support on Mac OS X Yosemite
http://www.cnet.com/au/news/how-to-manually-enable-ntfs-read-and-write-in-os-x/
http://apple.stackexchange.com/questions/152661/write-to-ntfs-formated-drives-on-yosemite
http://computers.tutsplus.com/tutorials/quick-tip-how-to-write-to-ntfs-drives-in-os-x-mavericks--cms-21434
http://www.cnet.com/au/how-to/how-to-manage-ext2ext3-disks-in-os-x/
http://osxdaily.com/2014/03/20/mount-ext-linux-file-system-mac/

Booting Live Linux discs on an Apple Macbook
http://askubuntu.com/questions/71189/how-do-i-boot-the-live-cd-on-a-macbook-pro
https://en.wikipedia.org/wiki/List_of_live_CDs

Mac OS X live discs are an interesting option for those who want to test/try Mac OS X without having to purchase hardware beforehand.
http://www.insanelymac.com/forum/topic/22193-104145-live-and-install-dvd/
http://www.insanelymac.com/forum/forum/109-os-x-livedvd/

How to install latest Mac OS X on iMac without original DVD
https://discussions.apple.com/thread/7006750
Create a bootable installer for OS X Mavericks or Yosemite
https://support.apple.com/en-au/HT201372
