How to break an iPhone and launch a service for 15 million users
In the summer of 2014, my friends and I were out on a walk when a historic event happened. While we were shooting a video, the iPhone 5C suddenly slipped out of my wife's hands and hit a concrete floor.
At the time it seemed like nothing more than a sad situation. But it was the impetus for launching a service that now serves more than 15 million users.
What does the iPhone have to do with it? What service? How is all this connected? The answers are under the cut!
Foreword
In this article I want to share with you the events that began in 2014. I will tell everything as it was, while my memory is still fresh, and I will also share information that has not been published anywhere so far.
Repairs
Like anyone who has felt the bitterness of broken glass on their favorite gadget, I wanted to fix it as soon as possible. The display itself was not damaged, and the repair is simply a replacement of the touchscreen glass. An acquaintance recommended a service center (SC) in Kiev, and I sent the phone there. It was re-glued and sent back to me. I could not wait to receive the phone by mail.
As soon as I got it, another disappointment awaited me. The touchscreen had been replaced, but there were yellow spots around the edges of the display. The SC promised either to fix it or to replace it with an original part together with the display. Since I also found scratches under the glass, I decided to replace the display completely.
A week later I received the phone back, and it turned out that the display was not original. Even on the surface it was obvious that it sat at an angle to the body, and the colors were dimmer, which clearly distinguished it from the original. It turned out that an original display for the iPhone is hard to find. I decided to come to terms with the situation and, sometime in the future, replace the iPhone with a newer model.
A few days passed, and I slowly got used to the Chinese display. I was sitting in a chair and the phone slipped out of my pocket. It fell on the wooden floor, and the glass cracked again. The phone with the original glass had fallen many times and did not break until the encounter with the concrete. But the Chinese, crookedly glued glass broke on the first try.
The realization that buying original glass would not work led me to think of finding a donor. I started looking for iPhones sold for parts on olx. It turned out there are many whose problem is the iCloud feature Find My iPhone. These phones cannot be activated and remain in a hanging state until the owner's Apple ID is entered or the owner removes the phone from their account.
I found a donor: an iPhone 5C in excellent condition, locked by the operator and by iCloud. The display fit my phone, and finally everything fell into place. I decided to keep the green iPhone, just in case, as a donor. At last I was able to calm down and forget about this problem.
What's next?
A few weeks passed, and the green iPhone 5C lay on the table under my monitor. From time to time I remembered it, because out of habit I don't like things lying around idle. The phone was tied to an unknown operator, and even with the broken glass there was no point in it while iCloud stayed locked. But the thought that the phone could in theory be unlocked, in some as yet unknown way, did not leave me.
doulCi
In general, I began to google and read the forums. I found information about doulCi (the name is no accident: it is almost iCloud backwards). It was a team of enthusiasts who started a server to bypass FMI (Find My iPhone) for early iOS 7 firmware. They ran a MITM and replayed packets from an unlocked iPhone to a locked one. At that time Apple did not check that the packets matched the device's serial number / IMEI, and doulCi successfully exploited this. Their server did not run for long, but they managed to unlock about 70 thousand devices. Those who managed to connect to their server received a working device in which the SIM card did not work. Then one of their team leaked the source code onto the Internet, and Apple patched the hole. At that point the team broke up and everyone went their separate ways. Their server never worked again.
Of course, I did not know about this then. I went to their official website and saw timers there saying "wait until 4:00 pm Friday, then we will launch the server for free unlocking". There were fields everywhere for entering an IMEI and registering. I decided to wait for that hour. I set an alarm so as not to miss it and kept the USB cable ready. The time came, I went to their website, and there was a new countdown to the server launch. I tried waiting again, and it all turned out to be an advertising lure. It got me pretty badly, but I was not going to stop.
Proxy server
Later, news about proxy servers began to appear, saying that by connecting to them you could reach the web page that Apple shows. By tapping "Activation Assistance", the user was taken to a page with text. But the Apple developers missed a small detail: the link led not to an HTTPS address but to an HTTP one.
This made it possible to intercept and replace the traffic, since it was not encrypted.
Servers were constantly going down; the best one I found was the niltpH server. But it constantly changed ports, either so that users would visit its site more often, or because the server could not stand the load and was taken down.
I kept wondering: why make a proxy when you can simply redirect DNS queries?
There would be no heavy load, and the server would always be online. But there were only proxy servers.
Then a wave of fraudsters began: they started massively setting up proxy servers.
They showed pages demanding payment for a non-existent full bypass, and many people suffered from such fake services. A proxy server gives full control over the traffic, so the bad guys stole passwords and credit card numbers, and users believed it would work, since any change in their device's behavior inspired confidence.
Apple did nothing to change the situation, but I did. As a result of my further actions, no one could find the scammers' proxy servers in a search engine anymore.
First iCloud DNS Bypass server
I resolved to start my own server. One winter evening in December I began developing. To implement my ideas I needed one HTTP server and one DNS server. I decided to write both services in C++ using Visual Studio 2010, working with sockets directly, byte by byte, without third-party libraries.
The DNS protocol is not complicated: one UDP request, one response, with the same structure every time. In a couple of hours I wrote a simple DNS server that answered with a static IP address for static.ips.apple.com and forwarded everything else to Google's DNS.
Then I started writing the HTTP server. The first stage was simply serving an HTML page. When the program started, the page was loaded into memory and then issued as ready-made packets to anyone who sent a request to port 80. So my program gave the page to everyone who sent a request, regardless of the specified host. Everything worked in the browser, but after setting the DNS in the iOS Wi-Fi settings and tapping "Activation Assistance" I got an error on the phone.
After analyzing the traffic, it turned out that Apple uses XML files from which it generates a remote interface.
Sample code can be seen at the activation help link:
And here is the response from the server requesting a password on the locked device:
<xmlui>
  <script><![CDATA[
    function enableNextButton() {
      var fieldPassword = xmlui.getFieldValue('password');
      if (fieldPassword && fieldPassword.length >= 3) return true;
      return false;
    }
    function validateForm() {
      var fieldLogin = xmlui.getFieldValue('login');
      var fieldPassword = xmlui.getFieldValue('password');
      if (fieldLogin == 'test') {
        xmlui.setFieldInvalid('login', false);
        xmlui.alert("Test!");
      } else {
        xmlui.setFieldInvalid('login', true);
        xmlui.alert("Value entered is not 'test'.");
      }
    }
  ]]></script>
  <page>
    <navigationBar title="Activation Lock" loadingTitle="Activating..." hidesBackButton="false">
      <linkBarItem position="right" label="Next" httpMethod="POST" url="/deviceservices/deviceActivation" style="blue" enabledFunction="enableNextButton"/>
    </navigationBar>
    <tableView>
      <section footer="This iPhone is linked to an Apple ID. Enter the Apple ID and password that were used to set up this iPhone."/>
      <section footer=" : This iPhone has been lost. Please call me. (123) 456-1234"/>
      <section footer=" " footerLinkURL="http://static.ips.apple.com/deviceservices/buddy/barney_activation_help_ru_ru.buddyml">
        <editableTextRow id="login" label="Apple ID" placeholder="example@icloud.com" disableAutocapitalization="true" disableAutocorrection="true" keyboardType="email"/>
        <editableTextRow secure="true" id="password" label="" placeholder=""/>
      </section>
    </tableView>
  </page>
  <serverInfo isAuthRequired="true" activation-info-base64=" "/>
</xmlui>
Examining the source, you can see that the code contains JavaScript, and it runs inside the <![CDATA[...]]> tags.
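The weak spot in this markup is the single footerLinkURL that points at http:// inside an otherwise HTTPS activation flow; a small audit over the XMLUI catches exactly that kind of slip. This is an added example, not code from the original post or from the server it describes; the XMLUI fragment is constructed after the sample above, and example.invalid is a placeholder host.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XMLUI fragment modelled on the activation page quoted above
# (not the real server response): one absolute http:// footer link, one
# relative POST target and an embedded HTML row with its own link.
SAMPLE_XMLUI = """<xmlui><page>
<navigationBar title="Activation Lock" loadingTitle="Activating..." hidesBackButton="false">
  <linkBarItem position="right" label="Next" httpMethod="POST"
      url="/deviceservices/deviceActivation" style="blue"/>
</navigationBar>
<tableView>
  <section footer=" " footerLinkURL="http://static.ips.apple.com/deviceservices/buddy/barney_activation_help_ru_ru.buddyml">
    <editableTextRow id="login" label="Apple ID" placeholder="example@icloud.com"/>
    <editableTextRow secure="true" id="password" label="" placeholder=""/>
  </section>
  <htmlLabelRow><![CDATA[<html><a href="http://example.invalid/help">help</a></html>]]></htmlLabelRow>
</tableView>
</page></xmlui>"""

# href/src targets inside the HTML that XMLUI rows carry in CDATA.
URL_IN_HTML = re.compile(r'(?:href|src)\s*=\s*["\']([^"\']+)', re.IGNORECASE)


def classify(value):
    """Return 'https', 'http', 'relative' or 'other' for an attribute value."""
    low = value.strip().lower()
    if low.startswith("https://"):
        return "https"
    if low.startswith("http://"):
        return "http"
    if low.startswith("/") or low.startswith("./"):
        return "relative"
    return "other"


def find_plaintext_links(xml_text):
    """Return (location, url) pairs for every absolute http:// link in an
    XMLUI document: element attributes plus href/src inside CDATA HTML.
    Relative links inherit the scheme of the page that loaded them, so they
    are only counted by audit(), not flagged here."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if classify(value) == "http":
                findings.append((f"{elem.tag}@{attr}", value))
        # ElementTree returns CDATA as ordinary text, so scan it for links.
        if elem.text:
            for url in URL_IN_HTML.findall(elem.text):
                if classify(url) == "http":
                    findings.append((f"{elem.tag}/html", url))
    return findings


def audit(xml_text):
    """Count link schemes across all attributes and attach the findings,
    so a reviewer sees one plaintext link among the rest of the page."""
    root = ET.fromstring(xml_text)
    counts = {"https": 0, "http": 0, "relative": 0}
    for elem in root.iter():
        for value in elem.attrib.values():
            kind = classify(value)
            if kind in counts:
                counts[kind] += 1
    counts["plaintext"] = find_plaintext_links(xml_text)
    return counts


if __name__ == "__main__":
    for where, url in find_plaintext_links(SAMPLE_XMLUI):
        print(f"plaintext link in {where}: {url}")
```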
At the time, the existing proxy servers used a single page with HTML code.
<xmlui>
  <page>
    <navigationBar title="Games" loadingTitle="Loading..." hidesBackButton="false">
      <linkBarItem position="right" label="Next" httpMethod="POST" url="/deviceservices/deviceActivation" style="blue" enabledFunction="enableNextButton"/>
    </navigationBar>
    <htmlLabelRow><![CDATA[<html> HTML </html>]]></htmlLabelRow>
  </page>
</xmlui>
Instead of the activation text, the phone showed a simple site. Cookies worked. But on tapping any external link, all styles were lost and further navigation was impossible. This is how proxy servers worked at the time.
After a couple of hours I had a working DNS and HTTP server that returned one page for any request. XMLUI turned out to be a markup with unknown parameters that could not be found anywhere. Even now there is no documentation anywhere; Apple uses it only inside its own products.
In fact, standard iOS elements are generated from XMLUI code, even those that work offline. Lists, buttons, icons, date and time pickers, submenus: all of this is just the result of converting an XML-like script into an interface on the fly.
The realization that many of the interfaces in iOS are made in such a clumsy way disappointed me slightly. It is when you expect that everything has been done as optimally as possible, and it turns out there is one layer on top of another.
Then I realized that, in theory, if you know the interface markup, you can generate a fairly convenient native iOS interface with a list of icons and links, like the Settings app in iOS, and replace the activation dialog with it completely.
All I understood from the code I had saved was that there is some kind of table to which a set of <section footer=...> elements can be added, and these can refer to other XMLUI files. It would be possible to make your own XMLUI server with some information. But I just wanted a list of sites, so that you could go to Google, for example.
How to make a markup interface without knowing the commands?
The first thing that occurred to me was that since iOS parses these commands, and consequently compares the XML parameter strings, they must be stored somewhere in the firmware. Ideally I would find a file with a list of commands that I could try adding to the XMLUI code, but no, that did not happen.
At that time the iPhone 4 had already been cracked completely. There, from under the bootloader, you can boot and get full access to the file system, regardless of whether iOS has a passcode set.
I took the iOS 7 firmware downloaded for the iPhone 4 and started poking around. I collected a list of known words from the XMLUI files I had gathered and began to search for them word by word across all the firmware files. At first glance a useless exercise, comparable to finding a needle in a haystack, but for some reason I was sure I would find something. More than an hour passed and I could not find anything, but my attention was drawn to the file dyld_shared_cache_armv7. It weighed as much as 300 MB, while the whole firmware weighed about 1 GB.
It turned out to be a "package" of dynamic libraries. To avoid loading the file system, Apple packs all the dynamic libraries for all system programs into one file. Using Apple's developer tools I unpacked this file and got a large number of files. I began to search again in their data for words from my list, trying to combine and match them. I started looking for names in the same writing style: a few words, the first lowercase and the rest capitalized, with no spaces or underscores.
After countless attempts I found the word htmlButtonRow. If you insert it into the code, you get an error, which means it somehow had an effect and was recognized. The next step was choosing the place: where to put it?
Finally, the code worked, and I got the coveted menu bar:
Just a string was displayed, and the text; nothing happened on pressing. But the name of the section itself, htmlButtonRow, spoke of HTML, which means you could most likely put page code there.
Inserting HTML code into the button using <![CDATA[...]]> worked. Even navigation from the button to a site worked.
I got what I wanted: a way to display a list of different sites and go to them. Then I started developing the XMLUI code generation engine. I wrote a list of the necessary parameters for a single button: a link to the picture, the text, and a link to the site.
The result is a text file of the following configuration:
Next, I made templates for the pages to which the buttons were added; everything was stored statically in memory and served on demand without touching the disk.
After a couple of days I fixed all the bugs, and the server was ready for permanent launch. The first version of iCloud DNS Bypass launched on December 25, 2014. I posted the DNS server address on the w3bsit3-dns.com site in the iCloud bypass thread; the site moderators wrote to me the same day and offered to create a separate thread. For those who care, here is a link to the forum thread on w3bsit3-dns.com.
As a result, everything looked like this:
But due to the limitations of the interface itself, it was only possible to follow the link; subsequent navigation to third-party sites was impossible. In the end, everyone could use only the list of sites I added to the server.
Troubleshooting iCloud DNS Bypass
A couple of days after launch, my friend Dybik launched a website with information about the server. I created a group on VK and talked with server users. It turned out that on the new iOS firmware, navigation by HTML link no longer worked.
By that time about 500 unique users had already connected, and all the feedback helped me believe I was doing something useful. And I had always dreamed of launching a big project. These thoughts gave me the strength not to give up. I started searching again for the names of the XMLUI values, sure that there were many more useful commands.
After another 3-4 hours of diligent searching and trial and error, I finally found a useful tag.
<linkRow and its accessory="disclosure" parameter, which turns the button into a subfolder. It was just what was needed: the list worked on all iOS versions and took a more useful form, since there was no more HTML.
People began sending me useful links, which I added to the menu, and a large list formed. Crash bugs were also sent to me, which I added to the menu so everyone could try them.
I also made a language engine that substitutes texts depending on the user's language. I invited everyone to translate, and over time I received translations from different countries. Now the server interface has been translated into 50 languages, thanks to volunteers. I also restricted the list of sites by language; for example, Russian sites are shown to Russian users and Chinese sites to Chinese users. I added a chat based on tlk.io, but later wrote my own engine because of spammers.
Next I also found the parameter shouldScaleHTMLPageToFit="true", which made the browser view fit the mobile screen where needed. Along the way I found another, most important parameter: isModalHTMLView="true". With it I was able to expand the web page to full screen; screen rotation and all link navigation worked without bugs or restrictions. Cookies also survived a reboot, so I used them to count the number of users. For the first time in the world, it became possible to use a full-fledged browser (without tabs) on a locked iOS device.
Also, through the HTML photo upload button, everyone could use the camera, and in the same way turn on the flashlight. I added a favorites list that could be edited from the interface. There were radio stations in the menu; it was possible to play music, then open another tab with a special button while the previous one kept working, which gave multitasking.
Then it turned out that some users could not connect to the server. The reason was either routers or providers that replaced all DNS requests with their own, so it was not possible to redirect the domain to my server. So I developed a small Windows program that runs a built-in DNS server to help connect over the local network.
Here is a video from EverythingApplePro's YouTube channel about iCloud DNS Bypass, where you can see how the interface looked at that time.
Two months later, more than 200 thousand devices had already connected to the server.
Here is a video in which the real-time requests hitting the server at that time are visible.
But for Apple to notice that they had a flaw in the markup, it took another 300 thousand connected devices.
Another wave of scams
Two months after launch, it was impossible to find anything on the Internet about bypassing other than my server. This put an end to the fraudulent proxies extorting money. But a wave of ads began on eBay selling "iCloud bypass" for 30-50 USD. Naive and desperate owners of locked devices are easily manipulated, and the fraudsters used this.
After payment for the "unlock service", the scammers gave customers instructions on how to connect to my free server. Many did not even suspect they had been robbed. I was angry and wanted to do something to stop them.
I wrote, in all languages, a page with a message so that everyone who connects understands that the server is free. That notice is still in the server interface. I also complained to eBay about the fraudulent listings, but that war was endless.
I received a lot of letters; people sent me everything they found about hacking, I published it on the server, and everyone tried it. Sometimes it was possible to get to the home screen, and sometimes everything was unlocked (this worked only with devices erased through the site; the interface crash brought it to a working state until reboot).
Using the information sent to me, it turned out that there are many sources offering to unlock devices for money that actually work. I tried to figure out how to share this with the whole community, to dispel misconceptions about paid services.
Users end up with a locked device for the following reasons:
Forgot the Apple ID password and lost the receipt
Bought a device without knowing that it was locked
Became a victim of ransomware and lost access to their Apple ID
Found a device in lost mode
Now I can say with confidence that there are only two ways to completely unlink a device:
Phishing: stealing the owner's password and deleting the device from their account
With the original receipt, a call to Apple support unlinks a device that is not in lost mode
Modem soldering, or the resistor method for the iPad by Pasha4ur
Last year phishing services were massively distributed, and in response Apple even removed the owner's message from the screen of a locked device. But that was not the cause of such widespread phishing attacks. There are sources that sell, for money, information from the Apple ID account that was then used for the attack. They stopped working only on Chinese calendar holidays. Most likely these are Apple employees in China who copy information from the AppleCare admin panel. I decided to check the information received, and everything turned out to be true: there was address information, a telephone number and the secret questions, but no passwords and no answers. Then I tried to contact Apple to find out what was going on, and my letters were ignored. So keep your IMEI / UDID away from the eyes of others, and it is better not to record this information in your Apple ID.
Backup plan
I suspected that Apple would eventually notice the flaw in the HTTPS link, and the iCloud DNS Bypass server would stop working for all devices in one go. Exploring alternatives led me to the idea of creating a Captive Portal. This mechanism is used in many hotels and airports, where you have to enter your room number on a site before connecting to the Internet.
Information about the Captive Portal was also hard to find. No one had ever tried to launch an authorization portal through a DNS server. After several days of research, I managed to launch my own Captive Portal. Everything worked as in a normal browser; navigation across all links worked without restrictions. In general, I was ready for Apple to fix the defect, but the fact that the cookies were erased when the portal was closed confused me.
At that time the XMLUI method worked fine, I answered emails, and it was interesting for me to communicate with people. On YouTube many people filmed videos about my server, and everyone shared information about the search for a full bypass.
Offline mode: a full-fledged file manager without the Internet
Almost half a year had passed since the launch of the server, and Apple had not thought to fix the markup page. I don't remember exactly when, but I was bored and started trying to read the iOS file system through XMLUI. I succeeded: I could open files from the file system, knowing their path in advance.
I had an idea: if you copy files from a computer through a program into accessible folders on the device, you can create a file manager. At the time it was still possible to access files on a locked device without confirmation; on iOS 10 this no longer works.
I made a code entry field to unlock the test buttons where the file manager was, and invited some volunteers to test.
It was possible to push files of any format and open them on the device. I also merged all the menus and submenus into one file, which made it possible to download them to the device once and then use them without the Internet. I wanted to quickly share the new features with server users. First I had to make a program that would synchronize the file system structure to the server and identify the user, giving him a list of the files from his device.
I was very absorbed and kept developing. Many hours passed and the audio player was ready, with a playlist and the ability to select a track. The next morning emails poured in saying the server was not working. I checked everything: the server was running, and there were several hundred users online. But these were only the lucky ones who had not left the server.
On May 13, 2015, Apple developers noticed the flaw and changed the link from HTTP to HTTPS.
Overnight, all devices stopped connecting to the server and turned back into useless pieces of iron with the apple logo. At one stroke the entire file manager development became useless. No one ever found out that I was going to launch this mode. Now, to bring this method back, you would need to install a self-signed certificate on the device for the domain albert.apple.com, and so far this has not been possible. At the time the bug was fixed, because of which the old method no longer works, half a million unique devices had connected.
I immediately began launching the Captive Portal and moving the entire menu to the web version. The interface is based on Framework7; I adapted it to the old menu configuration file. That same day the server was launched in its new guise, in which it still remains.
On Facebook I had an iCloud DNS Bypass page where I published only news and server updates. More than a year passed. For some reason Apple didn't like it, and one (fine) day I saw the following message, without any warning:
Later CloudFlare sent an email saying that someone from Apple had requested the real IP address of my site, since it violated their copyright. Although I did not understand what the violation was, I was glad that this was all. In all this time Apple has never tried to contact me directly and ask me to remove what they don't like.
Such is the irony of fate: if my wife hadn't dropped the phone, and if I hadn't taken a break from the main project to rest and realize my idea, the iCloud DNS Bypass server would not exist today.
Now the number of unique users has crossed 15 million. 50-60 thousand unique devices connect per day.
The current version of the server works on all currently existing iOS versions. And there are still no alternatives to iCloud DNS Bypass based on a Captive Portal. The server has been running around the clock since launch, and donations are enough to rent the equipment. To this day, all HTTP connections are served by a single program written in C++.
Here are statistics by country of the locked Apple devices that have connected to iCloud DNS Bypass. The total is currently 15.3 million.
And yes, you can try the Captive Portal on your unlocked device by following the instructions in the video from this article. Or you can simply open the page ui.iclouddnsbypass.com in any browser.
Afterword
I hope I did not tire you with my story and that it was interesting to you. There are no rules in our universe: a project you have been working on for a couple of years can come to nothing, and a hobby you spend two weeks on can turn into a service serving many millions of people. I wish you not to be bored at your work and to be distracted more often by what you really like.