Uncategorized


After hanging around the osx86 crew last night on IRC, I found out that they had finally cracked the activation service and made a proof of concept tool that would activate the iPhone with a plist file. The developers refused to release the actual tokens that needed to be embedded inside the plist file for activation though, for good reason, as they are DVD Jon’s.

Now, they did tell me one thing. The keys are embedded in the .NET binary of JLJ’s iPhone activation server. So I began working, and that led to where I’m at now: a how-to. This post will not provide the tokens, nor will I provide them until JLJ says I can. This article will, however, walk you through the process of obtaining them so you can activate your iPhone on a Mac, as suggested by the developers of the tool.zip we will be using.
As of now, you can just download the newly released iPhoneActivatorTool to activate your phone. This is a newer version of tool.zip that includes the plist file required.

Step 1:
Download the following files:

Step 2:
This step is where you’ll actually prepare the data you need to get. You will need Windows with .NET Framework 2.0+. JLJ’s PhoneActSrv binary has the keys stored within it, encrypted using AES. In order to get the keys, we need to disassemble the binary. To do this, open up Reflector, go to File->Open, then locate and open the PhoneActSrv.exe file.

Once it’s loaded, you will see the entry in the tree view. Right click on PhoneActSrv and click Export. Make sure you save this somewhere that you will remember; you will spend a lot of time looking at the disassembly. You also need to be able to reach the exported files from the Mac.

Step 3:
Now, open the directory you saved the disassembly files to. You should see the following files:

  • a.cs
  • b.cs
  • AssemblyInfo.cs
  • d.cs
  • DotfuscatorAttribute.cs
  • e.cs
  • e.resources
  • f.resources
  • Global.cs
  • PhoneActSrv.csproj

If you see these files, you did step 2 correctly. If not, go back and do it again. This is where you may need some coding experience, as I can’t just hand these keys out. I provide you with enough hints that I feel you can find the keys. Unzip my iPhone Decrypt application, open up iphone_decrypt.c and read the comments. For each variable needed, I provide you with a hint on how to find it. All the values needed are located in the d.cs file.

Once you find the values, plug them into their appropriate arrays in iphone_decrypt.c. Then open up a terminal, change to the directory iphone_decrypt.c is located in, and run the following in the console:

$ ./build.sh
$ chmod +x iphone_decrypt
$ ./iphone_decrypt

If all goes well, you should see something like the following on the terminal:

kalashnikov:~/Desktop/iPhone-RE/AES decrypt cody$ ./build.sh
kalashnikov:~/Desktop/iPhone-RE/AES decrypt cody$ ./iphone_decrypt
Welcome to the iPhone JLJ key decryptor. Find the data in his app and set the variables in the code to this one.
Setting AES key...done
---1076
Attempting to decrypt the key...done
Key is <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Document xmlns="http://www.apple.com/itms/" disableHistory="true" disableNavigation="true">
<Protocol>
    <plist version="1.0">
        <dict>
          <key>iphone-activation</key>
          <dict>
            <key>unbrick</key>
            <true/>
            <key>activation-record</key>
            <dict>
              <key>AccountToken</key><data>*snip*</data>
              <key>AccountTokenSignature</key><data>*snip*</data>
            </dict>
          </dict>
        </dict>
    </plist>
</Protocol>
</Document>??V?n9???lsQ?
Freeing up memory...done

If you do, move onto step 4, if not, keep trying.

Step 4:
Unzip tool.zip and open up the blank.plist file in something like TextMate. It’s just an XML file. blank.plist contains the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ActivationRecord</key>
	<dict>
		<key>AccountToken</key>
		<data>
		</data>
		<key>AccountTokenCertificate</key>
		<data>
		</data>
		<key>AccountTokenSignature</key>
		<data>
		</data>
		<key>DeviceCertificate</key>
		<data>
		</data>
		<key>FairPlayKeyData</key>
		<data>
		</data>
	</dict>
	<key>Request</key>
	<string>Activate</string>
	
</dict>
</plist>

Copy the AccountToken and AccountTokenSignature lines, together with their data, from the console output of iphone_decrypt. Paste them into the plist file so that it looks like the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ActivationRecord</key>
	<dict>
		<key>AccountToken</key><data>*snip*</data>
		<key>AccountTokenSignature</key><data>*snip*</data>
	</dict>
	<key>Request</key>
	<string>Activate</string>
	
</dict>
</plist>

Save this file as activate.plist in the same directory as blank.plist.

Step 5:
Activate your iPhone by running the following command in the terminal after changing to the directory that blank.plist is located in.

$ ./tool --activate activate.plist

You should see the following output on the console:

kalashnikov:~/Desktop/tool Folder cody$ ./tool --activate test.plist
iPhoneActivatorTool 1.0
2007-07-04 15:10:43.887 tool[10443] Found iPhone Device: 1
2007-07-04 15:10:43.887 tool[10443] Connecting…
2007-07-04 15:10:43.892 tool[10443] Checking Pairing…
2007-07-04 15:10:43.905 tool[10443] Starting device session…
2007-07-04 15:10:43.990 tool[10443] ActivationState: Unactivated
2007-07-04 15:10:43.990 tool[10443] Deactivating your iPhone…
2007-07-04 15:10:44.002 tool[10443] New ActivationState: Unactivated
2007-07-04 15:10:44.003 tool[10443] Activating your iPhone…
2007-07-04 15:10:44.163 tool[10443] New ActivationState: MismatchedICCID
2007-07-04 15:10:44.163 tool[10443] Your iPhone was successfully activated.

You will probably see a popup about your iPhone having an incorrect SIM card. Just slide the unlock slider at the bottom to the right and you should be ready to go.

Check it out:
http://www.codymays.net/files/OWNED.txt

Well, we came up with the new name and the teaser page is up. Have fun. ThreadBound.com I’ll make a logo soon as Alpaca gets back from Canada. Fill out the form if you want updates.

Well, I guess I’ll finally go ahead and make the announcement of what my new “Web 2.0” site was supposed to be called: Theed. Over the past few days, I have been trying my darnedest to work with the guy who has it parked. He’s trying to sell it as theED.com (the erectile dysfunction, for those not familiar with spam). This guy is on his fourth year of trying to sell it.

I emailed him and offered $50 for the one domain name, which he just renewed and pointed out that he would still be making a profit on it. ($8 * 4 = $32). He then comes back with a personal attack on my “IQ” level. I’ll let the following emails speak for themselves:

To: ravi4321@aol.com
Are you interested in selling this domain name? I know it is going on its 4th
year for sale. What are you asking for it?

His reply:

From: ravi4321@aol.com
HI CODY

I BUY AND SELL DOMAINS GLOBALLY…AND I HAVE MORE THAN 9200 DOMAINS..
MOST OF MY DOMAINS ARE ON AUTO RENEW.

I HAVE…THE FOLLOWING DOMAINS..

*THEERECTILEDYSFUNCTION.COM*
*THEED.COM*

I CAN MAKE A SACRIFICE IF THE PRICE IS RIGHT.

I SHALL SETTLE FOR *$900*

THANKS.

RAVI

THE*ED * ALSO CAN BE USED FOR EDUCATION.

My response:

To: ravi4321@aol.com
I really only want theed.com, but I’m not paying $900 for it knowing what you just paid last week for it.
The most I would be willing to pay is $50. Would you be willing to sell it for that? It is still almost $30 profit.

His reply:

From: ravi4321@aol.com
HOW MUCH DID U PAY FOR

CODYMAYS.NET

AND WHAT IS YOUR
ASKING PRICE

RAVI4321@AOL.COM

My response:

To: ravi4321@aol.com
It is not for sale.
Do you or do you not agree to the price I offered in the last email?

His reply:

From: ravi4321@aol.com
WHILE
THEED.COM
IS NOT FOR SALE FOR $50…
WWW.CODYMAYS.COM
IS FOR SALE …

RAVI4321@AOL.COM

My response:

To: ravi4321@aol.com
Sir, I hate to break it to you, but it’s definitely not for sale. There is no way I am paying
$900 for one domain name that was purchased for about $8. Right now, you are the only
one at a loss here. I have nothing to lose, but you do because you have renewed the domain
for four years now.

If you accept the $50 payment for it, you will come out ahead, but if you don’t, you’ll stay in the
hole. No one else, obviously, wants this domain name because this is your 4th year of attempting
to sell it.

His response and the beginning personal attack. Notice the above email has no attack on him.

From: ravi4321@aol.com
HI

I BUY AND SELL DOMAINS GLOBALLY.
I DO NOT WANT TO WASTE MY TIME TRYING
TO GAUGE YOUR “IQ”. I LEAVE IT AT THAT.

RAVI

My final email before this post:

To: ravi4321@aol.com
Okay, you’re going to gauge my IQ as lower than your own because I pointed out basic
business logic to you?

Well if we’re judging IQ here, you better get reading a grammar book, because you are
flunking English 101 right now. You see the key marked Caps Lock? Press it so the light
turns off. That will get you started. Hope you have fun in the coming days.

Now, I become another person to ask the international blogosphere for some help here. I know the blogosphere has been pretty powerful with Comcast and AOL over the past few weeks, so I figured I would try it as a last resort. As of right now, my partners and I are very set on this name and really want the domain. Is there any way we could still go about getting it? Any help would be appreciated.

Note:
We do not want to harm Mr. Ravi. All email addresses provided here are for reference only. Do not attempt to spam him by email or phone number from a whois lookup of theed.com

If you have ever suffered a kernel panic on a Linux system, only to reboot and find you need to fsck your hard drive, you will find these shortcuts handy. I know I have needed something like this many times while messing around with Gentoo kernels and borked installs. If you have compiled your kernel with a yes to Magic SysRq key (CONFIG_MAGIC_SYSRQ) in the kernel .config file, you will have the ability to use these shortcuts.

By pressing Alt + SysReq + any of the keys below, you can perform any of the functions listed:

  • r - Turns off keyboard raw mode and sets it to XLATE
  • k - Secure Attention Key (SAK): kills all programs on the current virtual console
  • b - Will immediately reboot the system without syncing or unmounting your disks
  • c - Will perform a kexec reboot in order to take a crashdump.
  • o - Will shut your system off (if configured and supported)
  • s - Will attempt to sync all mounted filesystems
  • u - Will attempt to remount all mounted filesystems read-only
  • p - Will dump the current registers and flags to your console
  • t - Will dump a list of current tasks and their information to your console
  • m - Will dump current memory info to your console
  • v - Dumps Voyager SMP processor info to your console
  • 0-9 - Sets the console log level, controlling which kernel messages will be printed to your console. ('0', for example, would make it so that only emergency messages like PANICs or OOPSes would make it to your console.)
  • f - Will call oom_kill to kill a memory hog process
  • e - Send a SIGTERM to all processes, except for init
  • i - Send a SIGKILL to all processes, except for init
  • l - Send a SIGKILL to all processes, INCLUDING init (Your system will be non-functional after this.)
  • h - Will display help (actually any key other than those listed above will display help, but ‘h’ is easy to remember :-)

There are more suggestions in the official Linux kernel Documentation directory (that’s where this came from). See /usr/src/linux/Documentation/sysrq.txt for more information on this handy kernel feature.
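As an added example (not from the original post), the following POSIX shell snippet decodes the /proc/sys/kernel/sysrq value documented in that same sysrq.txt and reports which of the keys listed above the running kernel will honour; hardened systems usually restrict this bitmask rather than building the kernel without CONFIG_MAGIC_SYSRQ. The group bit values are those from sysrq.txt; the fallback value 176 is a constructed sample.

```shell
#!/bin/sh
# Decode /proc/sys/kernel/sysrq, the runtime switch that decides which SysRq
# functions are honoured: 0 disables SysRq, 1 enables every function, any
# other value is a bitmask of function groups (bit values from sysrq.txt):
#   2 loglevel (0-9)   4 keyboard (r, k)   8 dumps (p, t, m, c, v)   16 sync (s)
#   32 remount read-only (u)   64 signals/oom-kill (e, i, l, f)   128 reboot/poweroff (b, o)

# Group bit that enables a given SysRq key; 'h' and unknown keys only print
# the help text, so they report group 0.
sysrq_group_for_key() {
    case "$1" in
        [0-9])     echo 2 ;;
        r|k)       echo 4 ;;
        p|t|m|c|v) echo 8 ;;
        s)         echo 16 ;;
        u)         echo 32 ;;
        e|i|l|f)   echo 64 ;;
        b|o)       echo 128 ;;
        *)         echo 0 ;;
    esac
}

# Prints "allowed" or "denied" for key $2 under the sysrq value $1.
sysrq_key_allowed() {
    mask=$1
    group=$(sysrq_group_for_key "$2")
    if [ "$mask" -eq 0 ]; then
        echo denied                      # SysRq fully disabled
    elif [ "$mask" -eq 1 ] || [ "$group" -eq 0 ]; then
        echo allowed                     # everything on, or help text only
    elif [ $(( mask & group )) -ne 0 ]; then
        echo allowed                     # key's group bit is set in the mask
    else
        echo denied
    fi
}

# Report every key from the list above against the running kernel's setting.
# Falls back to a constructed value (176 = reboot + remount + sync) when
# /proc is not available, e.g. on a non-Linux host.
sysrq_report() {
    mask=$(cat /proc/sys/kernel/sysrq 2>/dev/null || echo 176)
    echo "kernel.sysrq = $mask"
    for key in r k b c o s u p t m v 0 f e i l h; do
        printf '  %s: %s\n' "$key" "$(sysrq_key_allowed "$mask" "$key")"
    done
}

sysrq_report
```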
