How to smash an iPhone and launch a service for 15 million users / SurprizingFacts

In the summer of 2014 my friends and I were on a walk, and a historical event happened. During the shooting of the video, suddenly, the iPhone 5C fell from the hands of my wife and crashed against the concrete floor.

It seemed to me at that moment a sad situation. But that's what triggered the launch of the server, which now serves more than 15 million users.

What does the iPhone have to do with it? What kind of service? How is all this connected? Answers under the cat!


In this article, I want to share with you the events that began in 2014. I'll tell you everything as it was while my memory is fresh, and I will also share information that has never been published anywhere.


Like anyone who felt the bitterness of the broken glass of a favorite gadget, I wanted to fix it as soon as possible. The display itself was not damaged, and the repair is just a replacement for the touchscreen glass. The acquaintance recommended the SC in Kiev, and I sent the phone there. It was re-glued and sent back to me. I could not wait to receive the phone by mail.

As soon as I received it, I was faced with another disappointment. The touchscreen was replaced, but there were yellow spots on the edges of the display. In the SC, I was promised to fix this, or replace it with the original with the display. Since under the glass I still found scratches, I decided to completely replace the display.

A week later I received the phone back, it turned out that the display was not original. Even on the surface itself it was clear that it was at an angle to the body. And the colors were dimmer, which clearly distinguished the display from the original. It turned out that the original displays for the iPhone are difficult to find. I decided to put up with this situation, and sometime in the future to change the iPhone to a newer model.

A few days passed, I gradually got used to the Chinese display. I sat on the chair and the phone slipped out of my pocket. He fell on the wooden floor, the glass cracked again. The phone with the original glass fell many times, but did not crash right up to the concrete battle. But the Chinese, crookedly glued glass, broke at the first attempt.

The realization that the original glass would not be bought, led me to the idea of ​​finding a donor. I started looking for an iPhone that they sell on olx for spare parts. It turned out that there were a lot of those who had a problem with iCloud function Find My iPhone. These phones can not be activated and they remain suspended until they enter the Apple ID of the owner, or if the owner removes the phone from their account.

I found the donor, iPhone 5C in excellent condition, blocked by the operator And under iCloud. The display has successfully approached my phone, and finally everything fell into place. The green iPhone decided to keep to itself, in case anything happens, as a donor. Finally, I was able to calm down and forget about this problem.

What's next?

A few weeks passed, the green iPhone 5C was lying on my desk under the monitor. But from time to time I thought of him, because, out of habit, I do not like things to lie around idle. The phone was so tied to an unknown operator, and even with the broken glass, there was no sense from the iCloud untie. But the thought that the phone in theory can be unlocked, still in an unknown way, did not leave me.


In general, began to google, read the forums. I found information about doulCi (the name is not strange, but it's almost backward in front of iCloud). It was a team of enthusiasts that launched a server to bypass FMI for early iOS 7 firmware. They ran MITM and swapped packages from an unlocked iPhone to a locked one. In general, at that time, Apple did not check the compliance of the packages to Serial / IMEI and doulCi successfully used it. Their server did not last long, but they managed to unlock 70 thousand devices. Those who managed to connect to their server, received a working device in which the SIM card did not work. Then one of their team merged the source code into the Internet, and Apple successfully patched such a hole. At this stage, their team broke up, and all went in different ways. More their server did not work.

Of course, I did not know about that at the time. I went to their official website, and saw the timers there, saying "wait until 16:00 Friday, then run the server for free unlocked." And there were also fields for IMEI input and registration. In general, I decided to wait this hour. As soon as time came, I set the alarm clock so as not to miss, I kept the USB cable ready. It was time, I visited their site, and there everything works the new server startup time. Tried to wait another, and everything turned out to be an advertising lure. It took me quite a bit, but I did not intend to stop.

Proxy server

Later, news began to appear about proxy servers, they said, connecting to them can be accessed on the web page.

In the page that Apple issues

By clicking on " Got on the page with the text. But the developers of Apple missed a small detail, the link did not lead to HTTPS, but to the HTTP address.
This allowed to intercept and replace traffic, as it was not encrypted.

The servers were constantly falling, the best I found was the niltpH server. But he constantly changed the ports, either that users would visit his site more often, or the server would not stand up and so he would relieve the load.

I constantly wondered why to make a proxy if you can redirect DNS requests?
] There will be no heavy load, and the server will always be online. But there were only proxy servers.

Then the wave of scammers began, they began to massively make a proxy server.
Showing the pages with the payment of a nonexistent full detour, many people suffered from such false services. Proxy servers allowed you to gain full control over traffic. So bad guys stole passwords and credit cards, and users believed that it would work, as any change in their device caused confidence.

Apple did nothing to change the situation, but I did it. As a result of my further actions, no one else could find the scam proxy server in the search engine.

The first iCloud DNS server Bypass

It is decided, I will launch my server. One winter evening in December, I began to develop. To implement my idea, I needed one HTTP and one DNS server. I decided to write both C ++ services using Visual Studio 2010. Working with sockets directly byte by byte without third-party libraries.

The DNS protocol is not complex, per UDP request, one answer, with the same structure each time. For a couple of hours I wrote a simple DNS server, it responded with a static IP address to static.ips.apple.com and the rest took with DNS from Google.

Then I started writing an HTTP server. The first step was simply to issue an HTML page. It was loaded into memory when the program was started, and then it was issued to packages ready for everyone who would send a request to port 80. So my program gave the page to everyone who sent the request, regardless of the specified host. In the browser, everything worked, but after registering DNS in the Wi-Fi iOS settings, by clicking on "Activation help" I received an error in the phone.

After analyzing the traffic, it turned out that Apple uses XML files, generating a remote interface for them.

An example of the code can be seen from the activation help link:

And here's the response from the server requesting a password on the blocked Device:


After studying the source, you can understand that the code has JavaScript, and it works inside tags.

And at that time existing proxy servers used a single page with HTML code.


<! [CDATA[

Here is the HTML code of the page



In the phone you could see instead of the text on activation a simple site. Cookies worked. But clicking on any external link, all styles are lost and subsequent transitions were impossible. That's how the proxy server worked at that time.

A couple of hours later I had a working DNS and an HTTP server, which produced 1 page for any query. XMLUI was a markup with unknown parameters that could not be found anywhere. And nowhere is there documentation. Apple uses it only within its products.

In fact, standard iOS elements are generated by the XMLUI code, even those that work offline. Lists, buttons, icons, date and time selection, submenus, all this is just the result of converting the XML of a similar script to the interface on the fly.

The realization that many interfaces in iOS are made in such a clumsy way, I was slightly disappointed. This is when you expect that everything has been done as optimally as possible, and it turns out that there is an interlayer in the layer.

Then I realized that in theory, if you know the layout of the interface, you can generate quite a comfortable native iOS interface with a list of icons and links . Such as the settings in iOS. And replace the activation dialog with it completely.

All I understood from the already saved code is that there is a certain table with the ability to add a set of <section footer that can reference other XMLUI files. It is quite possible to make your XMLUI server with some information. But I wanted to get the list with the sites, and so that I could go to Google, for example.

How to make the interface for markup not knowing the commands?

The first thing that occurred to me – once iOS generates commands, therefore, compares the lines of XML parameters, so they must be stored somewhere in the firmware somewhere. Ideally, you would find a file with a list of commands that you can try to add to the XMLUI code, but no, this did not happen.

At that time, iPhone 4 was already hacked completely. There you can boot from the boot loader and get full access to the file system, no matter if there is a password from iOS or not.

I found iOS 7 firmware downloaded from iPhone 4 and started to pick. I collected a list of known words, from those XMLUI files that I collected and began to search word by word for all the firmware files. At first glance, a useless occupation, this is comparable to finding a needle in a haystack, but for some reason I was sure that I would find something. Another hour passed, I could not find anything, but my attention was attracted by the file dyld_shared_cache_armv7. It weighed as much as 300 MB, while all the firmware weighed about 1 GB.

It turned out to be a "package" of dynamic libraries. In order not to load the file system, Apple packs all dynamic libraries for all system programs into 1 file. With the help of Apple's utilities, I unpacked this file, having received a large number of files. I began again to look up in their data the words from my list, tried to combine and select them. I started looking for a similar style of writing – a few words, the first with a small letter, the rest with a capital, without spaces and underscores.

After an uncountable number of attempts, I was able to find the word htmlButtonRow. If you plug it into the code, you get an error, it means it was somehow influenced and recognized. The next step was selecting the place where to put it?

Finally, the code worked and I got the cherished menu line:


A line was simply displayed, and the text, by clicking nothing happened. But the very name of the htmlButtonRow section spoke about HTML, which means that it's likely that you can add the page code there.
Inserting HTML code into a button using

I got what I wanted, a way to display a list of different sites, and go to them. Next, I proceeded to develop the engine for generating XMLUI code. I wrote a list of the required parameters for a single button, shoved there a link to the picture, text and a link to the site.
A text file of the following configuration was obtained:

Name = Facebook
Url = menu: // https: //m.facebook.com/
Img = https: //iclouddnsbypass.com/Icons/B5w8iLX.png  

In it I created a list of popular sites.
Next, I made the page templates to which the buttons were added, everything was stored statically in memory and issued on demand without accessing the disk.

A couple of days later I corrected all the bugs and the server was ready for a permanent start. The first version of iCloud DNS Bypass was launched on December 25, 2014. I wrote the DNS server address on the 4pda site in the branch about iCloud traversal, the site moderators wrote to me on the same day and suggested creating a separate branch. To whom it is interesting, here is the link to the forum thread 4pda.

As a result, everything looked like this:

But due to the limitations of the interface itself, you could just follow the link , And the subsequent transition to third-party sites was impossible. As a result, everyone could use only the list of sites that I added to the server.

Troubleshooting iCloud DNS Bypass

A couple of days after the launch, my friend Dybik launched a site with information about the server. I created a group in VK and communicated with the users of the server. It turned out that the new iOS firmware does not already work with HTML link navigation.

At that time, 500 unique users were already connected, and all the feedback helped me to believe that I was doing useful. And I always dreamed of launching a big project. These thoughts gave me strength not to give up. I started again looking for the names of the XMLUI values, I was sure that there are still many useful commands.

After spending 3-4 more hours of diligent searches and rebounds, I finally found a useful tag
<LinkRow and the parameter to it accessory = "disclosure" that makes the button a subfolder. This was just what you need, the list earned on all iOS and took a more native look, since there was no HTML anymore.
The final code of the button was as follows:


I started to send useful links, which I added to the menu, and formed a large list. They also sent bug-crashes that I added to the menu, and everyone could try them.

I also did a language engine, with texts replaced, depending on the user's language. He invited everyone to translate, and in due course they sent me translations from different countries. Now the server interface is translated into 50 languages, thanks to volunteers. I also made restrictions on the list of sites for the language, for example, Russian sites are displayed, Chinese Chinese. Added a chat based on tlk.io, but later made its engine due to spammers.

 image  image  image

] Next, I also found the parameter shouldScaleHTMLPageToFit = "true", which showed the appearance of the browser in the mobile where it is needed. And incidentally, I found another most important parameter isModalHTMLView = "true". With it, I was able to deploy the web page to the full screen, there worked the rotation of the screen and all referrals without references and bugs. Cookies also worked after rebooting, so I used them to count the number of users. For the first time in the world, it became possible to use a full browser without tabs on the locked iOS device.

Also, through the HTML upload button, everyone could use the camera, and in the same way turn on the flashlight. I added a favorites list, and I could add it to the interface. There were radio stations in the menu, you could open music, open another tab with a special button, while the previous one worked, and it turned out a lot of task.

Then it turned out that some users can not connect to the server. The reason for this was either routers or providers that replaced all DNS requests for their own. And I could not change the domain with my server. Then I developed a small program for Windows that runs the built-in DNS server that helps to connect to the local network.

Here is the YouTube EverythingApplePro video about iCloud DNS Bypass where you can see how the interface looked at that time.

Two months later, more than 200,000 devices connected to the server.

Here is a video, in real time you can see the requests on the server that were at that time

But to Apple notice that they have a defect in the markup, it was necessary to connect another 300 thousand devices.

Another wave of scammers

Two months after the launch on the Internet, it was impossible to find anything else about the crawl except my server. This put an end to the fraudulent proxy, extorting money. But the wave of announcements on eBay began to sell "bypass iCloud" for 30-50 USD. Naive and desperate owners of blocked devices can easily be manipulated, and scammers used it. Paying for the "unlocking service" scammers gave customers instructions on how to connect to my free server. Many did not even suspect that they were robbed. I was angry and wanted to do something to stop them.
I wrote a page in all languages ​​with the message, so that after connecting everyone understood – the server is free. Such an inscription has remained in the server interface so far. А также жаловался на eBay мошеннические товары, но эта война была бесконечной.

Мне приходило много писем, и скидывали все что находили о взломах, я публиковал на сервере, и все пробовали. Иногда получалось выйти на рабочий стол, а иногда все разблокировалось (работало только с стертыми через сайт устройствами, вылет интерфейса приводил его в рабочее состояние до перезагрузки).

С помощью, информации которую мне присылали, выяснилось что есть много источников предлагающих за деньги разблокировать устройства, которые действительно работали. Я пытался выснить как, чтобы поделиться со всем сообществом, дабы развеять заблуждения о платных услугах.

Сейчас я с уверенностью могу сказать, что есть только два способа полной отвязки:

  • Фишинг, кража паролей владельца и удаление устройства с его аккаунта
  • Получив оригинальный чек, звонок в поддержку Apple отвязывает устройство, которое не в режиме пропажи
  • Перепайка модема или метод резистора для iPad от Pasha4ur

В прошлом году фишинговые сервисы массово распространялись, и Apple в ответ даже убрали сообщение от владельца на экране заблокированного устройства. Но это не было причиной столь широкого распространения фишинговых атак. Есть источники, которые продают информацию из аккаунта Apple ID за деньги, которую использовали для атак. Переставали они работать только в праздники по китайскому календарю. Скорее всего это работники Apple в Китае, которые переписывают информацию с админки Apple Care. Я решил проверить полученную информацию и все оказалось правдой. Там была информация адресов, телефон, секретные вопросы, без паролей и без ответов. Тогда я попытался связаться с Apple чтобы выяснить что происходит, и мои письма были успешно проигнорированы. Так что берегите свои IMEI/UDID подальше от сторонних глаз, а в Apple ID лучше не записывать настоящую информацию.

Запасной план

Я подозревал что Apple когда-нибудь заметит недочет в HTTPS ссылке, и сервер iCloud DNS Bypass залпом перестанет работать для всех устройств. Исследование альтернативных возможностей привело меня к идее создать Captive Portal. Этот механизм используется в многих отелях, аэропортах, когда вам приходится ввести свой номер на сайте, перед подключением к интернету.

Информацию о Captive Portal так же было сложно найти. Никто никогда раньше не пытался запустить портал авторизации через DNS сервер. Спустя нескольких дней исследований мне успешно получилось запустить свой собственный Captive Portal. Все работало как в обычном браузере, переход по всех ссылках работал без ограничений. В общем я был готов к тому что Apple поправит недочет, но то, что Cookies стирались по закрытию портала меня смущало.

В то время XMLUI метод работал отлично, я отвечал на письма, мне было интересно общаться с людьми. В ютубе многие снимали видео о моем сервере, и все делились информацией о поисках по полному обходу.

Оффлайн режим, полноценный файловый менеджер без интернета

Прошло почти полгода с запуска сервера и Apple не думали исправлять страницу разметки. Не помню точно, когда, но мне было скучно и я начал пытаться прочитать файловую систему iOS через XMLUI. Мне это удалось, и я мог с файловой системы открывать файлы, заранее зная их путь.

У меня появилась идея, если закидывать все файлы через программу с компьютера в доступные для записи папки на устройстве, можно создать файловый менеджер. Тогда еще можно было получить доступ к файлам без подтверждения на заблокированном устройстве, сейчас на iOS 10 это больше не получится.

Я сделал поле ввода кода для разблокировки тестовых кнопок где был файловый менеджер и пригласил несколько добровольцев тестировать.

Можно было закидывать файлы любых форматов и открывать на устройстве. Так же я слил воедино все меню и подменю в один файл, что давало возможность их загрузить на устройство 1 раз, а дальше пользоваться без интернета. Хотелось как можно быстрее поделиться новыми функциями с пользователями сервера. Сперва надо было сделать программу, которая бы синхронизировала структуру файловой системы на сервер, и идентифицировать пользователя предоставив ему список файлов с его устройства.

Меня это очень вовлекло, и я приступил к разработке. Много часов утекло и уже был готов аудио плеер с плейлистом и возможностью выбирать трек. На следующее утро ко мне посыпались email-ы с сообщениями что сервер не работает. Я проверил все, сервер был запущен, было онлайн несколько сотен пользователей. Но это были лишь счастливчики, которые не выходили с сервера.
13 мая 2015 года Apple разработчики обратили внимание на недочет, и исправили текст ссылки с HTTP на HTTPS.

В одночасье все устройства перестали подключаться к серверу и превратились обратно в бесполезные железка с логотипом яблока. И в один момент вся разработка файлового менеджера стала бесполезной. Никто так и не узнал, что я собирался запустить этот режим. Теперь чтобы вернуть этот метод нужно установить самописный сертификат в устройство для домена albert.apple.com, пока что это не удалось. На момент исправления бага, из-за которого старый метод больше не работает, было подключено пол миллиона уникальных устройств.

Я сразу же приступил к запуску Captive Portal, и переносу всего меню в веб вариант. В основу интерфейса взят Framework7, я адаптировал его под старый конфигурационный файл меню. В тот же день сервер был запущен в новом облике, в котором он и находится до сих пор.

На фейсбуке у меня была страница iCloud DNS Bypass где я публиковал только новости и обновления сервера. Прошло больше года. Почему-то Apple это не понравились и одного дня я увидел следующее сообщение без каких-либо предупреждений:

Позже CloudFlare прислали email с сообщением что кто-то из подразделения Apple запросил реальный IP адрес моего сайта, так как он нарушает их авторское право. Хотя я и не понимал в чем заключается нарушение, был рад что на этом все и ограничилось. За все время Apple ни разу не попытались связаться напрямую и попросить удалить то что им не нравиться.

Такая вот ирония судьбы, если бы моя жена не уронила телефон, если бы я не отвлекся от основного проэкта, чтобы отдохнуть и реализовать свою задумку, то сервер iCloud DNS Bypass сегодня бы не существовал.

Сейчас количество уникальных пользователей перешло границу 15 млн.
В сутки подключаются 50-60 тыс. уникальных устройств.

Текущая версия сервера работает на всех iOS существующих на данный момент.
И альтернатив iCloud DNS Bypass на основе Captive Portal тоже до сих пор не существует.
Сервер работает круглосуточно со времени запуска а донейтов хватает на оренду оборудования.
До сих пор все HTTP подключения обслуживает одна единственная программа написанная на С++.

Вот статистика стран, где больше всего заблокированных устройств Apple, которые подключились к iCloud DNS Bypass. Всего на текущий момент 15.3 миллионов.

И да, вы можете попробовать Captive Portal на своем не заблокированном устройстве проделав все как по инструкции на видео из этой статьи. А так же можете просто зайти через любой браузер на страницу ui.iclouddnsbypass.com


Надеюсь я вас не утомил своим рассказом, и он был вам интересен.
В нашей вселенной нет правил, и проект, над которым работаешь пару лет, может накрыться медным тазом, а хобби на которое потратишь две недели может превратиться в сервис обслуживающий много миллионов людей. Желаю вам не скучать на своей работе, и чаще отвлекаться на то, что действительно нравиться.

Если найдете ошибки в тексте, прошу присылать их в ЛС, так как русский — не мой родной язык.

About the author


Add Comment

Click here to post a comment

Your email address will not be published. Required fields are marked *