Baseband info in activation ticket

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Baseband info in activation ticket

Postby amfid » Sun Feb 07, 2016 1:00 am

Hi J,

I'm playing with iOS activation, reversing how the activation ticket is created. While tracing mobactivationd I found that the service collects baseband data and generates the activation ticket. Most of the data is accessed via MGCopyAnswer, but some of it is not, like BasebandActivationTicketVersion.

I'm trying to trace how the service gets this data, and found your great article here http://newosxbook.com/articles/guesstalt.html. As I understand it, it communicates via MobileGestaltHelper, which uses XPC for transferring data between processes.

In my case I see imports like _CTServerConnectionCopyBasebandMasterKeyHash and _CTServerConnectionCopyBasebandThumbprint, but they are never called. So I guess it uses XPC to get the baseband info. I need to trace/hook the baseband data in mobactivationd.

Could you help me with this problem?
amfid
 
Posts: 5
Joined: Sun Feb 07, 2016 12:14 am

Re: Baseband info in activation ticket

Postby morpheus » Sun Feb 07, 2016 3:31 am

So, amfid (great choice of nickname),

I don't get how you don't see calls to CT (that's CoreTelephony, the programmatic interface to CommCenter) because clearly:

Oreo:~ root# jtool -d __TEXT.__text /System/Library/PrivateFrameworks/MobileActivation.framework/Support/mobactivationd | grep CopyBaseband
Disassembling from file offset 0x2c20, Address 0x100002c20
100011ee0 BL CoreTelephony::__CTServerConnectionCopyBasebandThumbprint
100011f00 ADR x2, 283740 ; ->R2 = 0x10005735c "_CTServerConnectionCopyBasebandThumbprint() error: %ld.%ld"
100011f18 BL CoreTelephony::__CTServerConnectionCopyBasebandMasterKeyHash
100011f38 ADR x2, 283743 ; ->R2 = 0x100057397 "_CTServerConnectionCopyBasebandMasterKeyHash() error: %ld.%ld"
10004f148 ADD W9, W10, W9 ; ...R9 = R10 (0xd1) + R9 (0x10004f8e7) = 0x10004f9b8.. ; CoreTelephony::__CTServerConnectionCopyBasebandMasterKeyHash


Disassemble the implementations of both, and you'll see that the calls involve CommCenter itself. For this purpose our mobster friend has:

Oreo:~ root# jtool --ent /System/Library/PrivateFrameworks/MobileActivation.framework/Support/mobactivationd
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>abs-client</key>
<string>584196299</string>
<key>application-identifier</key>
<string>com.apple.mobileactivationd</string>
<key>com.apple.CommCenter.fine-grained</key>
<array>
<string>spi</string>
<string>identity</string>
</array>
...


Look closely at MobileGestaltHelper, and you'll see that it has both these entitlements as well.

For the keys you specifically want - the CT keys - reverse libmobileGestaltExtensions.dylib. It falls apart under jtool. Specifically,

bash-3.2# ARCH=arm64 jtool -d __TEXT.__cstring libMobileGestaltExtensions.dylib | grep _CT
0x197d743ca: _CTServerConnectionCanSetCapability
0x197d743ee: _CTServerConnectionCanSetCapabilityExtended
0x197d7441a: _CTServerConnectionCopyCarrierBundleInfoArray
0x197d74448: _CTServerConnectionCopyFirmwareManifestData
0x197d74474: _CTServerConnectionCopyFirmwareManifestStatus
0x197d744a2: _CTServerConnectionCopyFirmwarePreflightInfo
0x197d744cf: _CTServerConnectionCopyFirmwareSecurityInfo
0x197d744fb: _CTServerConnectionCopyFirmwareUpdateInfo
0x197d74525: _CTServerConnectionCopyFirmwareVersion
0x197d7454c: _CTServerConnectionCopyLastKnownMobileSubscriberCountryCode
0x197d74588: _CTServerConnectionCopyMobileEquipmentInfo
0x197d745b3: _CTServerConnectionCopyMobileSubscriberNetworkCode
0x197d745e6: _CTServerConnectionCopyPostponementStatus
0x197d74610: _CTServerConnectionCopySystemCapabilities
0x197d7463a: _CTServerConnectionCreate
0x197d74654: _CTServerConnectionGetActiveWirelessTechnology
0x197d74683: _CTServerConnectionGetPacketContextActiveByServiceType
0x197d746ba: _CTServerConnectionGetSIMStatus
0x197d746da: _CTServerConnectionGetSIMTrayStatus


Those _CT are *obviously* symbols. True, it doesn't directly link with anything, but I leave this as an exercise to the talented readers to find out how it does call these symbols.

Edit: hint - run my sample program with the environment variable DISABLE_GESTALT_DLOPEN=1 (q.v. that article) and you'll see you can't get that key, even if you have entitlements.

TL;DR - CommCenter is the one who actually provides this, but it will do so only if you have the entitlements. To get to it, you go through MobileGestaltHelper, though you can also go directly through the MG APIs. If you do go through MGH, it's supposed to ask for allow-protected-keys. If you go directly to CommCenter, it will ask for the fine-grained.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
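As an added example (not from the thread, and not jtool's or Apple's code), a small Python audit of the entitlement blob that jtool --ent printed above: it parses the plist and reports whether a binary holds the fine-grained CommCenter grants morpheus points to. The sample plist is the one shown in the post, completed with closing tags; which grant actually unlocks the baseband thumbprint and master-key-hash calls is an assumption, not something the thread states.

```python
import plistlib

# Constructed sample: the entitlements jtool --ent printed for mobactivationd
# in the post above, completed with </dict></plist> so it parses. The "..."
# in the original output elided further keys that are not reproduced here.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>abs-client</key>
<string>584196299</string>
<key>application-identifier</key>
<string>com.apple.mobileactivationd</string>
<key>com.apple.CommCenter.fine-grained</key>
<array>
<string>spi</string>
<string>identity</string>
</array>
</dict>
</plist>
"""

# The fine-grained CommCenter entitlement and the two values the thread shows
# mobactivationd holding. Assumption: both are needed for baseband identity data.
COMMCENTER_ENTITLEMENT = "com.apple.CommCenter.fine-grained"
BASEBAND_IDENTITY_VALUES = {"spi", "identity"}


def commcenter_grants(entitlements_xml: bytes) -> set:
    """Return the set of fine-grained CommCenter grants in an entitlement plist.

    A missing key, or a value that is not an array of strings, yields an empty
    set instead of raising, so an audit over many binaries keeps going.
    """
    ents = plistlib.loads(entitlements_xml)
    grants = ents.get(COMMCENTER_ENTITLEMENT, [])
    if not isinstance(grants, list):
        return set()
    return {g for g in grants if isinstance(g, str)}


def can_reach_baseband_identity(entitlements_xml: bytes) -> bool:
    """True if the binary holds every grant assumed necessary for baseband identity data."""
    return BASEBAND_IDENTITY_VALUES <= commcenter_grants(entitlements_xml)


if __name__ == "__main__":
    print(sorted(commcenter_grants(SAMPLE_ENTITLEMENTS)))
    print(can_reach_baseband_identity(SAMPLE_ENTITLEMENTS))
```

Feed it the output of `jtool --ent` for each daemon you are curious about and you get a quick inventory of who can ask CommCenter for baseband identity without going through MobileGestaltHelper.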

Re: Baseband info in activation ticket

Postby amfid » Sun Feb 07, 2016 3:54 pm

Administrator wrote: So, amfid (great choice of nickname),

Thanks :)
I don't get how you don't see calls to CT (that's CoreTelephony, the programmatic interface to CommCenter) because clearly:

Oreo:~ root# jtool -d __TEXT.__text /System/Library/PrivateFrameworks/MobileActivation.framework/Support/mobactivationd | grep CopyBaseband
Disassembling from file offset 0x2c20, Address 0x100002c20
100011ee0 BL CoreTelephony::__CTServerConnectionCopyBasebandThumbprint
100011f00 ADR x2, 283740 ; ->R2 = 0x10005735c "_CTServerConnectionCopyBasebandThumbprint() error: %ld.%ld"
100011f18 BL CoreTelephony::__CTServerConnectionCopyBasebandMasterKeyHash
100011f38 ADR x2, 283743 ; ->R2 = 0x100057397 "_CTServerConnectionCopyBasebandMasterKeyHash() error: %ld.%ld"
10004f148 ADD W9, W10, W9 ; ...R9 = R10 (0xd1) + R9 (0x10004f8e7) = 0x10004f9b8.. ; CoreTelephony::__CTServerConnectionCopyBasebandMasterKeyHash



In my case I see those symbols, hook them but they are never called.
In my case I see imports like _CTServerConnectionCopyBasebandMasterKeyHash, _CTServerConnectionCopyBasebandThumbprint but they never called.


It could be that the system caches baseband data and does not call the APIs each time. Some of them are called each time I activate the device, for example:
_CTServerConnectionCreate()
_CTServerConnectionCopyPostponementStatus()
CTSIMSupportGetSIMStatus()

Those APIs are called each time, but __CTServerConnectionCopyBasebandMasterKeyHash and _CTServerConnectionCopyBasebandThumbprint are not.
I have a feeling that the device calls them once and caches the baseband data, or uses XPC to get this data (?). Any ideas?

----------
Update. I have hooked all this stuff, but none of them get called during activation from mobactivationd.
bash-3.2# ARCH=arm64 jtool -d __TEXT.__cstring libMobileGestaltExtensions.dylib | grep _CT
0x197d743ca: _CTServerConnectionCanSetCapability
0x197d743ee: _CTServerConnectionCanSetCapabilityExtended
0x197d7441a: _CTServerConnectionCopyCarrierBundleInfoArray
0x197d74448: _CTServerConnectionCopyFirmwareManifestData
0x197d74474: _CTServerConnectionCopyFirmwareManifestStatus
0x197d744a2: _CTServerConnectionCopyFirmwarePreflightInfo
0x197d744cf: _CTServerConnectionCopyFirmwareSecurityInfo
0x197d744fb: _CTServerConnectionCopyFirmwareUpdateInfo
0x197d74525: _CTServerConnectionCopyFirmwareVersion
0x197d7454c: _CTServerConnectionCopyLastKnownMobileSubscriberCountryCode
0x197d74588: _CTServerConnectionCopyMobileEquipmentInfo
0x197d745b3: _CTServerConnectionCopyMobileSubscriberNetworkCode
0x197d745e6: _CTServerConnectionCopyPostponementStatus
0x197d74610: _CTServerConnectionCopySystemCapabilities
0x197d7463a: _CTServerConnectionCreate
0x197d74654: _CTServerConnectionGetActiveWirelessTechnology
0x197d74683: _CTServerConnectionGetPacketContextActiveByServiceType
0x197d746ba: _CTServerConnectionGetSIMStatus
0x197d746da: _CTServerConnectionGetSIMTrayStatus
amfid
 
Posts: 5
Joined: Sun Feb 07, 2016 12:14 am

Re: Baseband info in activation ticket

Postby amfid » Mon Feb 08, 2016 8:32 pm

So I found the issue; it was an IDA Pro issue :) IDA analyzed the function as a function without arguments, only a return value. That's why I just skipped this function as not interesting. Long story short, the baseband data is copied using CoreTelephony APIs. CoreTelephony uses XPC to get this data from CommCenter. An XPC sniffer did the trick.
amfid
 
Posts: 5
Joined: Sun Feb 07, 2016 12:14 am

Re: Baseband info in activation ticket

Postby morpheus » Thu Feb 11, 2016 11:06 pm

Yep. CommCenter all along :) Btw, for an XPC sniffer you have the small dylib I packaged along with jlaunchctl a while back.

IDA? Wouldn't be the first bug I've seen. And I quit using that as soon as I got jtool to properly handle 64-bit. Wouldn't be surprised if 6.10 or 7.0 suddenly offer MIG and block support - wouldn't be the first jtool inspired feature there :)
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm

