How the iPhone Activation Lock hack works


Hackers have discovered an exploit that makes it easy to defeat the Activation Lock on iPhones. Photo: Jim Merithew/Cult of Mac

The recently revealed exploit that allows anyone to bypass the iPhone’s Activation Lock system is a rather simple process that requires adding just a single line to the hosts file of a computer running iTunes.

The exploit, which is called DoulCi (“iCloud” backward), has already been used thousands of times on locked iPhones and iPads around the world. It’s the work of a pair of anonymous hackers, who cracked Apple’s theft-deterrent measure by tricking lost or stolen iOS devices into thinking they are being reactivated by Apple’s servers.

Introduced in iOS 7, Activation Lock is designed to render a lost or stolen iPhone useless unless it is recovered by its proper owner. It’s a powerful tool designed to help protect iPhone owners who fall victim to street thieves who find Apple products irresistible. When Apple’s Find My iPhone feature is turned on, an iDevice can be tracked by its owner through iCloud.com and remotely wiped if necessary.

Say a thief snatches an iPhone, it gets remotely wiped by the owner, and the thief attempts to restore the iPhone so it can be used again as a new device. That’s when Activation Lock comes into play. During the setup process after a restore, the Apple ID and password originally associated with the device need to be entered. If that login info can’t be provided, the iPhone can’t be reactivated with Apple’s iCloud servers. You have a bricked iPhone that can’t get past the initial setup. All it’s good for is spare parts.

By performing what is commonly referred to as a man-in-the-middle attack, the DoulCi exploit intercepts web traffic between the iPhone and Apple’s servers.

Here’s how DoulCi works

1) The first step is to edit your computer’s hosts file and add a line that points to DoulCi’s server. The IP address of DoulCi’s server, 188.226.251.76, is simply copied and pasted at the bottom of the hosts file, like so:

[Screenshot: the hosts file with the DoulCi line appended at the bottom]

The hosts file maps domain names to IP addresses, directing the computer’s network traffic. The operating system consults the hosts file before it asks any public or private DNS server, so an entry there takes precedence over whatever DNS would have answered. Usually you should leave the hosts file alone, but it’s sometimes edited deliberately to override the computer’s DNS system, manually rerouting domain names to block spam or malicious software.

Obviously, modifying the hosts file is a potential security risk. It might not be a good idea to route your data through a shady IP address controlled by a pair of anonymous hackers. Luckily, modifying the hosts file isn’t super easy. It’s a multistep process that varies depending upon which operating system you are using. Here’s a good overview of how to edit the hosts file on different Mac and Windows systems.

2) The lost/stolen iPhone is then plugged into a Mac or PC running iTunes and put into DFU/Recovery mode. To do this, turn off the device. Turn it back on, holding down the Sleep/Wake button for three seconds, and then — without releasing the Sleep/Wake button — begin holding the Home button for an additional 10 seconds. Release the Sleep/Wake button but keep holding the Home button until iTunes recognizes your device and Recovery mode begins. iTunes will restore the iPhone to a blank state, and the normal setup process begins while the iPhone is connected to the computer with iTunes open.

3) This is where things get shady. When the device attempts to contact Apple’s server to see if it needs to be activated, the line added to the hosts file reroutes the request to DoulCi’s servers instead. The iPhone thinks it’s talking to Apple when it’s really talking to the hackers’ server.


At this point, the hackers running DoulCi’s servers could capture device info, such as serial numbers and other unique identifiers. However, security researcher and iOS hacker Steven De Franco told Cult of Mac that no credit card or other personal information tied to the original owner can be swiped. “Unless they have access to Apple’s database, they can’t do much,” he said. “Even then … I think the most they could pull up is billing info.” Besides, if the device being unlocked was stolen in the first place, the person using the exploit likely doesn’t care about sharing its serial number with a mysterious server.

4) After the DoulCi servers have spoofed the activation request, the iPhone is good to go as though it has been authenticated with the owner’s Apple ID login. Sort of…
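The hosts-file override described in step 1 is also the thing a defender can look for on a machine: one appended line is enough to send a vendor domain somewhere else, and the file is plain text that is easy to audit. The following Python script is an added example, not code from the article or from the DoulCi project. It parses hosts-file text and reports entries that send a watchlisted vendor domain to a non-local address, plus any entry that points at a public address at all. The watchlist suffixes, the sample hosts file and the hostname some-host.apple.com are constructed placeholders; the only page-derived value is the 188.226.251.76 address the article names.

```python
"""Audit a hosts file for entries that hijack vendor domains.

Because the hosts file is consulted before DNS, one appended line is enough
to silently send a device's activation traffic to a foreign server. This
script reads hosts-file text and reports the entries a defender would want
to see. Added example; the watchlist and the sample file are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Domain suffixes whose hosts-file overrides should never leave the machine.
# Assumption: these are the vendor names the article's scenario touches.
WATCHLIST_SUFFIXES = ("apple.com", "icloud.com")

# Constructed sample file. 188.226.251.76 is the address the article names;
# some-host.apple.com is a placeholder, not a real vendor hostname.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
::1             localhost
255.255.255.255 broadcasthost
0.0.0.0         ads.example.net      # sinkholed ad domain, harmless
10.0.0.5        intranet.example.org # private LAN mapping, harmless
188.226.251.76  some-host.apple.com  # vendor name sent to a remote server
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each entry; comments are ignored."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        parts = body.split()
        if len(parts) >= 2:
            yield line_no, parts[0], parts[1:]


def classify_ip(ip_str):
    """Return (is_local, is_public); unparsable addresses count as neither."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False, False
    local = ip.is_loopback or ip.is_unspecified or ip.is_link_local
    return local, ip.is_global


def on_watchlist(hostname):
    """True if hostname is a watchlisted domain or one of its subdomains."""
    name = hostname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def audit_hosts(text):
    """Return a Finding for every hosts entry that redirects traffic off-host."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        local, public = classify_ip(ip)
        for name in names:
            if on_watchlist(name) and not local:
                findings.append(Finding(line_no, ip, name,
                                        "vendor domain redirected to a non-local address"))
            elif public:
                findings.append(Finding(line_no, ip, name,
                                        "entry resolves to a public address"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip} {f.hostname} -> {f.reason}")
```

Run against a real machine by reading /etc/hosts (or the Windows equivalent under System32\drivers\etc) into audit_hosts. Loopback, unspecified and link-local targets are treated as benign because that is how ad-blocking and sinkhole entries look; anything that sends a vendor name to a routable address, or any entry at all that points to a public address, is what the article's scenario produces and is worth a second look.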

The SIM card problem

The catch is that after the exploit, the iPhone’s SIM card won’t be recognized. The SIM is blocked because iOS has been tricked into thinking it has been activated, while the iPhone’s baseband (the firmware that communicates and authenticates the device with the carrier) has not. The iPhone won’t connect to a wireless carrier but can be used for all other functions.

The hackers behind DoulCi told Cult of Mac their technique works on all iOS devices. They claim to have a fix for the SIM-blocking issue in the works.

Apple has not responded to Cult of Mac’s requests for comment.

  • ciderrules

    They “claim” to have a fix for the SIM issue. Meanwhile they take pride in thousands of iPhones being “unlocked” and then sold. What good is buying a phone where the SIM doesn’t work?

    • Guido Fioravantti

      People will still buy it or be tricked.

      Anyway, it works on the iPad too.

  • http://appletite.tumblr.com/ Alex

    “wireless carrier but can be used for all over functions.” — I think you meant to type “all other functions”

  • Jeffrey Jevnikar

    Is it really a good idea to advertise exactly how to do this?

    • lucascott

      Given the whole ‘you can’t use the phone functions’ issue, many folks aren’t likely to try it because they actually want to use their phones.

  • tornacious

    “…The iPhone won’t connect to a wireless carrier but can be used for all other functions.”
    At this point, let’s just call it an iPod.

    • https://twitter.com/leahfoxrbx Leahfoxrbx

      No, let’s call it an iPhod. That a gud idea?

  • PMB01

    So we’re all advocating theft and reselling. I’m sure Apple loves that.

    • https://twitter.com/leahfoxrbx Leahfoxrbx

      Apple will care when they will get less money by NOT FIXING THIS FLAW.

  • anil

    I lost my phone, so please tell me how I block my phone?

    • https://twitter.com/leahfoxrbx Leahfoxrbx

      Do you have iCloud on your iPhone with Find My iPhone on?
      Go log in to http://www.icloud.com with your Apple ID and password and go to Find My iPhone and see if it’s there. If not, you didn’t set it up.

      Happy trailing!

      ~leahfoxrbx

  • sadyhr

    Am I missing something in my knowledge of the etc/hosts file?
    I thought you have to put both a domain name AND an IP address in there, so that it makes the computer route e.g. unluck-iDevice.apple.com to this hacker’s IP?

  • Selma Rosal

    How to Bypass Activation Lock IOS 7 on your iPhone 5s, 5c, 5, 4s, 4. We want to help you solve that problem, to remove iCloud Activation on your iPhone. Apple has created a protective measure if you lose or if your iPhone is stolen it can be blocked, If your iPhone is blocked when you want to activate it will ask you to enter your email to send code to the rightful owner, but because you aren’t rightful owner you can’t have that information. But now with this software will you solve that problem. This is the hack tool with which activate your iPhone quickly and easily… http://iphonehackios7.blogspot.com/

  • Edwin

    Why do people always refer to the iCloud link problem for lost or stolen devices? Find My iPhone without informing people about the complications involved. Not everyone is literally good at remembering.

  • jabbawok

    I thought the whole point of DMCA was to prevent this kind of crap. There is no legitimate use for this hack. Hopefully apple will introduce a digital signature requirement for activation to prevent this.

    • Marquis Mathis

      Actually there is, like me and probably many other people: if you buy the iPhone second hand and it’s activation locked, this is very helpful.

    • Billy Jeffs

      What if you are a large organisation that just fired an employee on bad terms whose company device was linked to their personal iCloud account and they are not returning your calls to release the phone from their account…? I’d say a workaround like this would be very useful and legitimate in this instance.

      • jabbawok

        Apple will remove the link to an iTunes account if you can prove ownership of the device. If the organisation purchased the phone/iPad then they should have no trouble proving ownership. The only real issue arises when someone purchases a used iDevice that is bound to the previous owner’s iTunes account. In this case, if it was purchased through reputable means, the buyer can return it if the device is not unlinked.
        If you are foolish enough to buy a used iDevice from somewhere you can’t return it to if it’s locked, then it’s your own fault.
        Much like buying a car without the appropriate documents, you should assume something is dodgy.

        Also this hack will not enable the phone part of an iDevice so pretty useless for an iPhone.

      • cmm324

        You also forget legitimate situations where people sell phones and tablets in the secondary markets that had been broken; the buyer repairs it to find that it is iCloud locked, but maybe it is long past the point of purchase. For instance, I buy a phone off of eBay. Get it, take it apart, figure out I need this and that, order those parts, find time to make the repairs, and the seller no longer responds via eBay comms?

        This is no different than DRM protection on digital media, it is a tax on honest people while those of less honorable morals will continue to bypass the systems set in place.

  • David Houghtlin

    This is not working for me. I copied and pasted the IP address to the bottom of the hosts file and put my iPhone in DFU mode, then tried to set it up but sadly failed. Can somebody help me?

  • Professor Cattington

    DoulCi are clearly fake; just view Twitter and see for yourself.

    Servers are NEVER on and they always say they are working on something.

    All they are doing is scamming people’s ‘donations’. If they weren’t scamming people, why did PayPal block them from claiming the money……

  • Misa

    How to edit the hosts file? Is it like IPAddress domain name? What is the domain name for your server?

  • steven gonzales

    I have a problem: iTunes recognizes it as a new iPhone and works well, but on the iPhone nothing appeared. How can I repeat the process again, I mean redo it?

  • erica

    My tita forgot her password and it won’t activate. Is there any way to activate it? Thank you.

  • rastahog .

    Does it work on iPods too? Bought one on Craigslist and it’s locked.

About the author

Alex Heath is a staff writer at Cult of Mac and co-host of the CultCast. He has been quoted by the likes of the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to pitch a story, share a tip, or just get in touch, additional contact information is available on his personal site. Twitter always works too.
