Fake Activation

Introduction

The method I will present today spoofs the device activation status to Activated and FactoryActivated. To do this we will patch the mobileactivationd binary; precisely, we will change two Unactivated references, the first to Activated and the second to FactoryActivated. So when the program sees that our device isn't activated, it will use the Unactivated reference that we changed to Activated, the device will think it is Activated, and we will be able to finish setup without any problems.

Requirements:

- Some knowledge of assemblers and disassemblers.
- A disassembler :D I will use Hopper v4.
- A checkra1n-compatible device.
- The Apple Tech 752 iOS 13.3.1 iCloud Bypass Package from here (we will need tcprelay).

Patching mobileactivationd:

First open a new terminal window, cd into the SSH folder inside the iOS 13.3.1 iCloud Bypass package and type:

./tcprelay.py 44:2222


Now open another window and type:

scp -P 2222 root@localhost:/usr/libexec/mobileactivationd /path/to/folder/on/mac


Open the binary in the disassembler and look for the Unactivated, Activated or FactoryActivated string. You should see this:

Jump into its reference and write down the "Activated" reference address. In my case it's 0xb68.

Now jump to the "Unactivated" reference and assemble it with the "Activated" reference address.

If you did it correctly, "Unactivated" will change into the "Activated" reference.

Now jump to the "FactoryActivated" reference and write down its address. 0xb70 in my case.

Now jump to the next and last "Unactivated" reference we are interested in and assemble it with the "FactoryActivated" address.

If you did it correctly, "Unactivated" will change to the "FactoryActivated" address.

That's about it. Now you can save the patched binary.
Now we need to put the patched binary into /usr/libexec. To do this, first rename the original binary to some bullshit name and mount the disk as rw.

mount -o rw,union,update /


Now change the original binary's name.

mv /usr/libexec/mobileactivationd /usr/libexec/shit


Now add the patched binary to /usr/libexec.

scp -P 2222 path/to/mobileactivationd_patched root@localhost:/usr/libexec


Change its name to mobileactivationd.

mv /usr/libexec/mobileactivationd_patched /usr/libexec/mobileactivationd


Change permissions.

chmod +x /usr/libexec/mobileactivationd


Now we need to reload the mobileactivationd LaunchDaemon.

launchctl unload /System/Library/LaunchDaemons/com.apple.mobileactivationd.plist

launchctl load /System/Library/LaunchDaemons/com.apple.mobileactivationd.plist


Done, your device should now be fake activated :D. My congratulations if you managed to finish this guide.
Here is a video of how it should look after you have finished it - Video