
Friday, August 7, 2015

Apple iCloud Device Locking and General Apple Information

If you work in IT you probably have people ask you random questions out of nowhere from time to time. I was recently asked about how to bypass Apple iCloud device locking.

First of all, my opinion on this: I just try to avoid this space (from any perspective). If it sounds too good/cheap to be true, it probably is, yada yada...

There do seem to be some tools online that let you check a device prior to purchase, but obviously even that isn't foolproof. For example, if the seller knows the goods have been locked but never connects the device to Apple's servers, it is unlikely/impossible for the device in question to show as locked prior to the sale. They could also feign ignorance when confronted, law enforcement and the legal system may offer no avenue for recourse, etc...
Safe to give out the serial number of a Mac I'm selling?
iPhone 6 Plus Are "Stolen Goods" from Futu_Online eBay Promotion

If you've been watching this space for a while you'll know about the Doucli bypass. It seems to work on MITM (Man in the Middle Attack) principles (I haven't taken too close a look at this).

For those who don't know what this is: any communications that go from Apple to your device now pass through a third party (Doucli). Doucli filters out any traffic relating to iCloud locking, or simply inserts a different set of communications which can then unlock the device. For anyone who knows how this is done, it can be extremely tedious and difficult, especially if the defender has taken extensive counter-measures against attack.

If you are interested in possible avenues of attacking it here goes:
- preventing it from locking your device should be simple enough. Don't connect it to the Internet and allow it to hook up with Apple servers. Earlier versions of the Doucli hack depend on DNS hosts-file hacking. Later versions of Apple software seem to block this behaviour though. The easiest way around this is to set up a layered defence/attack with DNS redirects occurring at multiple points between you and Apple, whether via software (relevant configuration files, virtual machines, containers, etc...) and/or hardware (networking hardware, servers, etc...)
- the network/server setup of Apple systems is such that the authentication servers may not be isolated from store purchases, making things slightly more difficult (there are plenty of programs out there to do this). If you must, use a second/intermediary system which downloads music/software and use this to transfer to another system which is never connected online. This allows you to have the benefits of purchasing online while not having to deal with iCloud authentication issues. Your device cannot be locked without relevant identifying information being transferred between yourself and Apple (obviously, if this becomes a widespread means of bypassing iCloud then there'll be counter-measures deployed, etc...)
- the game keeps on changing. As cracks in the protocol/system are identified, attackers and Apple have to continually change the game. If you really want to understand it, you're best trying to understand live packet manipulation and reverse engineering/cracking of DRM systems
- I've looked at this and for me the easiest way to attack is via direct hardware if your device is locked. It requires no advance knowledge of the software/protocol and relies entirely on the way in which data is stored on the device itself (obviously, this only makes the problem slightly easier to deal with). It's similar to the way in which firmware reset mode works on embedded devices such as eBook readers and to the way in which bypass is achieved in physical security systems. The only troubling thing may be access. They're BGA! Realistically this could mean that this type of attack is nigh on impossible (I think it may be possible though. When I have dead hardware lying around I often play around with it. A single copper fibre and the right type of signal/voltage may be enough to create the type of data corruption that I require). Effectively, the type of attack that I envisage revolves around storage corruption. Since everything is stored via a combination of encrypted keys at multiple layers, my belief is that destroying/corrupting the storage, restoring iOS clean and bypassing Apple servers is easier than engaging in a continual race against Apple (making the assumption that restoration of iOS can be completed independently of iCloud lock checking)
Toshiba THGBX2G7B2JLA01 16 GB NAND Flash
- clearly, I'm working on the premise that attacking hardware is easier than attacking software since it is more difficult to change. Changing the pin-out structure on a single chip requires re-tooling on a mass scale for chips that may also be used in other devices, making it uneconomical for both Apple and flash chip manufacturers to engage in. Once a design is out there, we can just figure it out and it should work across that entire design specification/model though... Of course, this could be somewhat of a moot point because a lot of Apple devices aren't easily upgradeable, change layout on each iteration, etc...
- another type of attack revolves around changing identifying information on the device and then clearing iOS. That said, you don't know whether or not Apple may have some sort of unique/class-based identification system which may block non-Apple-identified systems from accessing their servers. Either way, it requires a second system to act as an intermediary
- an insider at Apple who gives you a 'clean sheet'
- that said, much of what I'm saying here is theoretical. I don't have access to an iPod/iPad at the moment so I don't know. The best I've been able to manage are online teardowns
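The first bullet above notes that earlier versions of the bypass relied on hosts-file redirection of the vendor's servers. From the defender's side, the cheap counterpart is to audit the hosts file for entries that override a watchlist of hostnames. The following is an added example written for this page, not code from the original post or from any tool it mentions; the watchlist (`activation.example.com`, `auth.example.com`) and the sample hosts content are constructed, and a real deployment would substitute the hostnames it actually wants to protect.

```python
import ipaddress
from dataclasses import dataclass

# Constructed watchlist (assumption): hostnames whose resolution must never be
# overridden locally. Subdomains of these names are flagged as well.
WATCHLIST = {"activation.example.com", "auth.example.com"}

# Constructed sample hosts-file content standing in for /etc/hosts.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# constructed: redirect the activation host to a LAN box
192.168.1.20   activation.example.com   # trailing comment
192.168.1.20 sub.auth.example.com
0.0.0.0 auth.example.com
10.0.0.5 cdn.example.net
"""


@dataclass(frozen=True)
class Override:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for each effective hosts entry.

    Comments, blank lines and lines whose first field is not an IP address are
    skipped, matching how resolvers treat the file.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, addr, [h.lower().rstrip(".") for h in fields[1:]]


def find_overrides(text, watchlist=WATCHLIST):
    """Return every hosts entry that pins a watchlisted name (or a subdomain).

    Any static mapping for such a name is suspicious, whether it points at a
    LAN host, a public address or a sinkhole like 0.0.0.0, so all are reported.
    """
    hits = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            if name in watchlist or any(name.endswith("." + w) for w in watchlist):
                hits.append(Override(line_no, str(addr), name))
    return hits


if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address}")
```

Run against a live system, `find_overrides(open("/etc/hosts").read())` gives the same report; an empty list is the expected state. This catches only the hosts-file layer of the redirection the post describes, which is why the other layers it lists (resolver configuration, network hardware) need their own checks.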

All of the above means nothing if you can simply replace the logic board, which is the impression I'm getting from some repairers who seem to be charging a lot for something like this (in comparison with unlocking phones).

Cracking Open: Apple iPad Air 2
- I just don't get why some groups don't simply release downloadable software which can be used to bypass. A local/loopback proxy would likely have minimal system impact if the protocol break is as simple as it could possibly be. My guess is that at least some hacker/cracker groups are using the (supposedly) free and altruistic bypasses as a means of gaining access to people's private details. All the more reason to avoid these third-party hacks and buy equipment 'clean'...
- if you're used to researching DRM and disassembly/reverse engineering of files, some of the above may seem foreign to you. Believe me, it's not that much of a leap. Conceptually, many of the same techniques and theories are employed. You just have to get used to a new setting. That's all...

Identify your iPod model

Diagnostic mode for Apple iPod devices

Sources/options for replacement storage on iPod Classics

Source for replacement of Apple parts locally

Enabling alternative filesystem support on Mac OS X Yosemite

Booting Live Linux discs on an Apple Macbook

Mac OS X Live discs are an interesting option for those who are interested in testing/trying Mac OS X without wanting to purchase hardware beforehand.

How to install latest Mac OS X on iMac without original DVD
Create a bootable installer for OS X Mavericks or Yosemite
