FaceTime

General
FaceTime is iChat AV for iPad 2, iPod touch 4G, iPhone 4 and iPhone 4S. Jobs presented an "alphabet soup" of technologies that were involved in making FaceTime work, many of which are shared with iChat AV, including:


 * H.264 and AAC, its ISO/MPEG video and audio codecs (just like iChat).
 * SIP (Session Initiation Protocol), the open IETF signaling protocol for VoIP used by iChat AV.
 * STUN (Session Traversal Utilities for NAT), an IETF standard for dealing with lots of different kinds of NAT.
 * TURN (Traversal Using Relay NAT), an IETF standard for allowing a client behind NAT to receive incoming requests like a server.
 * ICE (Interactive Connectivity Establishment), an IETF standard which helps set up connections through NAT firewalls.
 * RTP (Real-time Transport Protocol), an IETF standard for delivering media streams in VoIP.
 * SRTP (Secure RTP), an IETF standard designed to provide encryption, message authentication and integrity for the data streams.

FaceTime uses ports 53, 80, 443, 4080, 5223, and 16393-16472 (UDP).

A Mac client for FaceTime is available on the Mac App Store. More info can be found at http://www.apple.com/mac/facetime/

FaceTime Activation / Registration
FaceTime is activated by sending a couple of SMS text messages in the background between the iPhone and an Apple server. If your carrier does not officially support the iPhone 4, you may be charged for sending the activation SMS to an international (UK) number. Your carrier might also have issues delivering the SMS correctly which will prevent FaceTime from activating.

After enabling FaceTime in iPhone settings, your iPhone will attempt to send a "silent text message" (i.e. a text you don't know about) to Apple, which registers your telephone number on Apple's servers used for FaceTime. Apple then returns a "silent coded text message" to your iPhone, which activates FaceTime within iOS 4.

After being activated, FaceTime will happily operate solely over WiFi. However, FaceTime activation currently requires the iPhone to be activated and to have an active SIM card with the ability to send and receive SMS messages. If there's an issue sending or receiving SMS messages, FaceTime can't be enabled or activated.

FaceTime will work successfully in Airplane Mode over WiFi; however, it requires FaceTime to be activated and a SIM card inserted in your device.

FaceTime Registration Request
The iPhone silently sends a Registration Request SMS to this UK number (as identified by the +44 country code): +44 7786 205094. AT&T customers have their own local number for FaceTime activations: 28818773. In Bell and Telus carrier bundles, version 7.2, the number is: 49988.

The activation server's number (PhoneNumberRegistrationGatewayAddress) is set in carrier.plist in System/Library/Carrier Bundles/.bundle (or Unknown.bundle):

PhoneNumberRegistrationGatewayAddress +447786205094

You can change this to, e.g., your own number, and FaceTime will send the FaceTime Registration Request SMS to your own number.

Some carrier bundles (e.g. T-Mobile Germany Carrier Update 7.1) also contain the following key, which displays a warning that SMS charges might be applied when trying to activate FaceTime: RegistrationOptInRequired

Registration Request: REG-REQ?v=2;t=char[64];i=char[40];r=char[8]

Registration Request Example: REG-REQ?v=2;t=0C11F1ACF776391387797F5EEC1B87E9FC33DAD9B86583270B8E8DDE78A7A23C;i=2CFA805D9A0D1D43CE57429B4DA8E454B9AADB5D;r=5917c44d

It was noticed that the last portion, i=, has different characters for every FaceTime request.

The request is saved at:


 * /var/wireless/spool/MobileOriginated/s.sms.1073741825 (or another identifier)

FaceTime will continue to retry sending the activation SMS multiple times before failing. 

FaceTime Registration Response
If your carrier doesn't officially support silent SMS messages, you may see the FaceTime Registration Response messages displayed.

Registration Response: ¿¿¿¿y¿¿REG-RESP?v=2;r=XXXXXXX;n=+XXXXXXXXX;s=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(The X characters are the numbers and codes received; it looks like a password and a hash code.)
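
The request and response layouts above are simple enough to check mechanically, for instance when reviewing a spooled request file or a response that a carrier displayed. The following is an added example, not code from the original page or from Apple: the function names are illustrative, the hexadecimal check on t, i and r is an assumption drawn from the request example, and the response sample is constructed.

```python
import re

# Field lengths the page gives for the request: t=char[64]; i=char[40]; r=char[8].
REQ_FIELD_LENGTHS = {"t": 64, "i": 40, "r": 8}
MARKER = re.compile(r"REG-(REQ|RESP)\?")
HEX = re.compile(r"[0-9A-Fa-f]+")

# Values from the request example on this page. A space is left inside t and i,
# as line wrapping can leave one, to exercise the whitespace normalisation.
SAMPLE_REQUEST = (
    "REG-REQ?v=2;"
    "t=0C11F1ACF776391387797F5EEC1B87E9FC33DAD9 B86583270B8E8DDE78A7A23C;"
    "i=2CFA805D9A0D1D43CE57429 B4DA8E454B9AADB5D;"
    "r=5917c44d"
)
# Constructed: the page's placeholder response behind made-up non-text bytes.
SAMPLE_RESPONSE = "\x00\x06y\x01REG-RESP?v=2;r=XXXXXXX;n=+XXXXXXXXX;s=XXXX"


def parse_reg_message(raw):
    """Return (kind, fields) for a REG-REQ or REG-RESP SMS body.

    Anything before the marker is skipped, because a displayed response can
    start with non-text header bytes.
    """
    match = MARKER.search(raw)
    if match is None:
        raise ValueError("no REG-REQ/REG-RESP marker found")
    fields = {}
    for part in raw[match.end():].split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"malformed field: {part!r}")
        if key in fields:
            raise ValueError(f"duplicate field: {key}")
        # Remove whitespace that line wrapping inserted inside a value.
        fields[key] = "".join(value.split())
    return "REG-" + match.group(1), fields


def validate_request(fields):
    """Check a parsed REG-REQ against the documented layout; return problems."""
    problems = []
    if fields.get("v") != "2":
        problems.append(f"unexpected version: {fields.get('v')!r}")
    for key, length in REQ_FIELD_LENGTHS.items():
        value = fields.get(key)
        if value is None:
            problems.append(f"missing field {key}")
        elif len(value) != length:
            problems.append(f"{key}: length {len(value)}, expected {length}")
        elif not HEX.fullmatch(value):  # assumption: values are hexadecimal
            problems.append(f"{key}: not hexadecimal")
    for key in sorted(fields.keys() - REQ_FIELD_LENGTHS.keys() - {"v"}):
        problems.append(f"unknown field {key}")
    return problems


if __name__ == "__main__":
    kind, fields = parse_reg_message(SAMPLE_REQUEST)
    print(kind, validate_request(fields) or "layout OK")
    print(parse_reg_message(SAMPLE_RESPONSE))
```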

Packet Capture - original from FryGuy's Blog

 * 1st iPhone IP Private – 192.168.0.128
 * 1st iPhone IP NAT – 216.164.100.100
 * 2nd iPhone IP Private – 192.168.2.106
 * 2nd iPhone IP NAT – 72.81.200.200

Note: NATs changed to protect the guilty

Packets
No.  Time       Source           Destination      Protocol  Info
1    0.000000   192.168.0.128    17.155.5.251     UDP       Source port: 16402  Destination port: connected
2    0.431054   17.155.5.251     192.168.0.128    UDP       Source port: connected  Destination port: 16402
3    0.715713   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: connected
4    0.716064   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: 16385
5    0.717147   192.168.0.128    17.155.5.252     UDP       Source port: 51136  Destination port: 16386
6    0.958285   17.155.5.252     192.168.0.128    UDP       Source port: 16386  Destination port: 51136
7    0.960329   17.155.5.251     192.168.0.128    UDP       Source port: 16385  Destination port: 51136
8    0.960588   17.155.5.251     192.168.0.128    UDP       Source port: connected  Destination port: 51136
9    1.016402   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
10   1.018172   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
11   1.019912   192.168.0.128    17.155.4.14      TCP       50697 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 TSV=469580285 TSER=0
12   1.020140   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
13   1.298294   17.155.4.14      192.168.0.128    TCP       https > 50697 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1360 WS=4
14   1.318312   192.168.0.128    17.155.4.14      TCP       50697 > https [ACK] Seq=1 Ack=1 Win=131920 Len=0
15   1.321211   192.168.0.128    17.155.4.14      TLSv1     Client Hello
16   1.645657   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: connected
17   1.645978   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: 16385
18   1.646130   192.168.0.128    17.155.5.252     UDP       Source port: 51136  Destination port: 16386
19   1.662234   192.168.0.128    208.59.216.10    TCP       50698 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 TSV=469580291 TSER=0
20   1.730834   17.155.4.14      192.168.0.128    TCP       [TCP segment of a reassembled PDU]
21   1.731963   17.155.4.14      192.168.0.128    TLSv1     Server Hello, Certificate, Server Hello Done
22   1.808298   208.59.216.10    192.168.0.128    TCP       http > 50698 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1380 TSV=941715237 TSER=469580291 WS=1
23   1.832208   192.168.0.128    17.155.4.14      TCP       50697 > https [ACK] Seq=160 Ack=1361 Win=130560 Len=0
24   1.834588   192.168.0.128    17.155.4.14      TCP       50697 > https [ACK] Seq=160 Ack=2490 Win=130788 Len=0
25   1.834954   192.168.0.128    208.59.216.10    TCP       50698 > http [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSV=469580293 TSER=941715237
26   1.836526   192.168.0.128    208.59.216.10    HTTP      GET /WebObjects/VCInit.woa/wa/getBag?ix=1 HTTP/1.1
27   1.881018   17.155.5.252     192.168.0.128    UDP       Source port: 16386  Destination port: 51136
28   1.882147   17.155.5.251     192.168.0.128    UDP       Source port: connected  Destination port: 51136
29   1.883124   17.155.5.251     192.168.0.128    UDP       Source port: 16385  Destination port: 51136
30   1.884207   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
31   1.886053   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
32   1.886343   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
33   1.930729   192.168.0.128    17.155.4.14      TLSv1     Client Key Exchange
34   1.930835   192.168.0.128    17.155.4.14      TLSv1     Change Cipher Spec
35   1.931583   192.168.0.128    17.155.4.14      TLSv1     Encrypted Handshake Message
36   2.190008   208.59.216.10    192.168.0.128    TCP       http > 50698 [ACK] Seq=1 Ack=229 Win=6432 Len=0 TSV=941715619 TSER=469580293
37   2.190313   208.59.216.10    192.168.0.128    TCP       [TCP segment of a reassembled PDU]
38   2.191366   208.59.216.10    192.168.0.128    TCP       [TCP segment of a reassembled PDU]
39   2.192312   208.59.216.10    192.168.0.128    HTTP/XML  HTTP/1.1 200 OK
40   2.242678   192.168.0.128    208.59.216.10    TCP       50698 > http [ACK] Seq=229 Ack=2737 Win=128592 Len=0 TSV=469580297 TSER=941715619
41   2.243014   192.168.0.128    208.59.216.10    TCP       50698 > http [ACK] Seq=229 Ack=3506 Win=127820 Len=0 TSV=469580297 TSER=941715619
42   2.393275   17.155.4.14      192.168.0.128    TCP       https > 50697 [ACK] Seq=2490 Ack=299 Win=35216 Len=0
43   2.393305   17.155.4.14      192.168.0.128    TCP       https > 50697 [ACK] Seq=2490 Ack=305 Win=35216 Len=0
44   2.393351   17.155.4.14      192.168.0.128    TCP       https > 50697 [ACK] Seq=2490 Ack=342 Win=35184 Len=0
45   2.394633   17.155.4.14      192.168.0.128    TLSv1     Change Cipher Spec, Encrypted Handshake Message
46   2.448112   192.168.0.128    17.155.4.14      TCP       50697 > https [ACK] Seq=342 Ack=2533 Win=131876 Len=0
47   2.449760   192.168.0.128    17.155.4.14      TLSv1     Application Data
48   2.450325   192.168.0.128    17.155.4.14      TLSv1     Application Data
49   2.511448   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: connected
50   2.512608   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: 16385
51   2.512776   192.168.0.128    17.155.5.252     UDP       Source port: 51136  Destination port: 16386
52   2.905644   17.155.5.252     192.168.0.128    UDP       Source port: 16386  Destination port: 51136
53   2.905690   17.155.4.14      192.168.0.128    TCP       https > 50697 [ACK] Seq=2533 Ack=966 Win=34560 Len=0
54   2.905782   17.155.4.14      192.168.0.128    TCP       https > 50697 [ACK] Seq=2533 Ack=1453 Win=34064 Len=0
55   2.906896   17.155.5.251     192.168.0.128    UDP       Source port: 16385  Destination port: 51136
56   2.907536   17.155.5.251     192.168.0.128    UDP       Source port: connected  Destination port: 51136
57   2.923466   17.155.4.14      192.168.0.128    TLSv1     Application Data
58   2.923924   17.155.4.14      192.168.0.128    TLSv1     Application Data
59   3.060254   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
60   3.060422   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
61   3.062146   192.168.0.128    17.155.4.14      TCP       50697 > https [ACK] Seq=1453 Ack=2894 Win=131556 Len=0
62   3.062451   192.168.0.128    17.155.4.14      TCP       50697 > https [ACK] Seq=1453 Ack=3240 Win=131212 Len=0
63   3.062741   192.168.0.128    199.7.52.190     TCP       50699 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 TSV=469580305 TSER=0
64   3.063122   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
65   3.532458   199.7.52.190     192.168.0.128    TCP       http > 50699 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1380
66   3.571122   192.168.0.128    199.7.52.190     TCP       50699 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
67   3.579117   192.168.0.128    199.7.52.190     HTTP      GET /EVIntl2006.cer HTTP/1.1
68   3.690690   192.168.0.128    17.155.4.14      TLSv1     Encrypted Alert
69   3.692505   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: connected
70   3.696701   192.168.0.128    17.155.4.14      TCP       50697 > https [FIN, ACK] Seq=1476 Ack=3240 Win=131920 Len=0
71   3.697007   192.168.0.128    208.59.216.10    TCP       50698 > http [FIN, ACK] Seq=229 Ack=3506 Win=131328 Len=0 TSV=469580312 TSER=941715619
72   3.697388   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: 16385
73   3.697617   192.168.0.128    17.155.5.252     UDP       Source port: 51136  Destination port: 16386
74   3.809626   199.7.52.190     192.168.0.128    TCP       [TCP segment of a reassembled PDU]
75   3.810572   199.7.52.190     192.168.0.128    HTTP      HTTP/1.0 200 OK  (text/plain)
76   3.881720   192.168.0.128    199.7.52.190     TCP       50699 > http [ACK] Seq=154 Ack=1865 Win=65535 Len=0
77   3.890585   192.168.0.128    199.7.52.190     TCP       50699 > http [FIN, ACK] Seq=154 Ack=1865 Win=65535 Len=0
78   3.952258   208.59.216.10    192.168.0.128    TCP       http > 50698 [FIN, ACK] Seq=3506 Ack=230 Win=6432 Len=0 TSV=941717381 TSER=469580312
79   3.954256   192.168.0.128    208.59.216.10    TCP       50698 > http [ACK] Seq=230 Ack=3507 Win=131328 Len=0 TSV=469580314 TSER=941717381
80   4.007781   17.155.4.14      192.168.0.128    TCP       https > 50697 [ACK] Seq=3240 Ack=1476 Win=40928 Len=0
81   4.007965   17.155.4.14      192.168.0.128    TCP       https > 50697 [FIN, ACK] Seq=3240 Ack=1477 Win=40928 Len=0
82   4.009155   17.155.5.251     192.168.0.128    UDP       Source port: 16385  Destination port: 51136
83   4.009170   17.155.5.251     192.168.0.128    UDP       Source port: connected  Destination port: 51136
84   4.009948   192.168.0.128    17.155.4.14      TCP       50697 > https [FIN, ACK] Seq=1476 Ack=3240 Win=131920 Len=0
85   4.014495   192.168.0.128    17.155.4.14      TCP       50697 > https [ACK] Seq=1477 Ack=3241 Win=131920 Len=0
86   4.019866   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
87   4.023955   17.155.5.252     192.168.0.128    UDP       Source port: 16386  Destination port: 51136
88   4.025984   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
89   4.034971   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
90   4.504292   199.7.52.190     192.168.0.128    TCP       http > 50699 [ACK] Seq=1865 Ack=155 Win=8190 Len=0
91   4.671800   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: connected
92   4.672167   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: 16385
93   4.672411   192.168.0.128    17.155.5.252     UDP       Source port: 51136  Destination port: 16386
94   5.139092   17.155.5.252     192.168.0.128    UDP       Source port: 16386  Destination port: 51136
95   5.140068   17.155.5.251     192.168.0.128    UDP       Source port: 16385  Destination port: 51136
96   5.140129   17.155.5.251     192.168.0.128    UDP       Source port: connected  Destination port: 51136
97   5.210011   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
98   5.215809   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
99   5.216068   192.168.0.128    216.164.100.100  UDP       Source port: 51136  Destination port: 52585
100  5.715774   192.168.0.128    17.155.5.251     UDP       Source port: 51136  Destination port: 16385
101  6.054578   17.155.5.251     192.168.0.128    UDP       Source port: 16385  Destination port: 51136
102  8.258196   192.168.0.128    192.168.2.106    STUN2     Binding Request
103  8.286606   192.168.0.128    192.168.2.106    STUN2     Binding Request
104  8.303893   192.168.0.128    72.81.200.200    STUN2     Binding Request
105  8.313353   192.168.0.128    192.168.2.106    STUN2     Binding Request
106  8.313582   72.81.200.200    192.168.0.128    STUN2     Binding Request
107  8.316909   192.168.0.128    72.81.200.200    STUN2     Binding Success Response
108  8.333677   192.168.0.128    72.81.200.200    STUN2     Binding Request
109  8.344419   72.81.200.200    192.168.0.128    STUN2     Binding Request
110  8.350980   192.168.0.128    72.81.200.200    STUN2     Binding Success Response
111  8.360852   192.168.0.128    72.81.200.200    STUN2     Binding Request
112  8.374294   72.81.200.200    192.168.0.128    STUN2     Binding Request
113  8.376750   192.168.0.128    72.81.200.200    STUN2     Binding Success Response
114  8.467002   192.168.0.128    192.168.2.106    STUN2     Binding Request
115  8.496083   192.168.0.128    192.168.2.106    STUN2     Binding Request
116  8.528156   72.81.200.200    192.168.0.128    STUN2     Binding Request
117  8.530139   192.168.0.128    72.81.200.200    STUN2     Binding Request
118  8.530765   192.168.0.128    72.81.200.200    STUN2     Binding Success Response
119  8.553316   72.81.200.200    192.168.0.128    STUN2     Binding Request
120  8.555467   192.168.0.128    72.81.200.200    STUN2     Binding Request
121  8.556032   192.168.0.128    72.81.200.200    STUN2     Binding Success Response
122  8.626234   72.81.200.200    192.168.0.128    STUN2     Binding Success Response
123  8.629896   72.81.200.200    192.168.0.128    STUN2     Binding Success Response
124  8.730361   192.168.0.128    72.81.200.200    SIP/SDP   Request: INVITE sip:user@72.81.200.200:50925, with session description
125  8.748746   72.81.200.200    192.168.0.128    STUN2     Binding Success Response
126  8.771618   192.168.0.128    192.168.2.106    STUN2     Binding Request
127  8.797557   192.168.0.128    192.168.2.106    STUN2     Binding Request
128  8.925571   72.81.200.200    192.168.0.128    STUN2     Binding Success Response
129  8.927723   72.81.200.200    192.168.0.128    STUN2     Binding Success Response
130  9.232700   192.168.0.128    72.81.200.200    SIP/SDP   Request: INVITE sip:user@72.81.200.200:50925, with session description
131  9.258562   192.168.0.128    192.168.2.106    STUN2     Binding Request
132  9.262926   72.81.200.200    192.168.0.128    SIP       Status: 100 Trying
133  9.268831   72.81.200.200    192.168.0.128    SIP       Status: 180 Ringing
134  9.296692   192.168.0.128    192.168.2.106    STUN2     Binding Request
135  9.320586   72.81.200.200    192.168.0.128    SIP/SDP   Status: 200 OK, with session description
136  9.326857   192.168.0.128    72.81.200.200    SIP       Request: ACK sip:user@72.81.200.200:50925
137  9.334699   192.168.0.128    72.81.200.200    SIP       Request: MESSAGE sip:user@72.81.200.200:50925
138  9.688477   72.81.200.200    192.168.0.128    SIP/SDP   Status: 200 OK, with session description
139  9.716567   192.168.0.128    72.81.200.200    SIP       Request: ACK sip:user@72.81.200.200:50925
140  9.834542   192.168.0.128    72.81.200.200    SIP       Request: MESSAGE sip:user@72.81.200.200:50925
141  10.216053  72.81.200.200    192.168.0.128    SIP       Status: 200 OK
142  10.230152  192.168.0.128    72.81.200.200    SIP       Request: MESSAGE sip:user@72.81.200.200:50925
143  10.442848  72.81.200.200    192.168.0.128    SIP       Status: 200 OK
144  10.491689  72.81.200.200    192.168.0.128    SIP       Status: 200 OK
145  10.727812  192.168.0.128    72.81.200.200    SIP       Request: MESSAGE sip:user@72.81.200.200:50925
146  11.229984  192.168.0.128    72.81.200.200    SIP       Request: MESSAGE sip:user@72.81.200.200:50925
147  11.318007  72.81.200.200    192.168.0.128    SIP       Status: 200 OK
148  11.367565  192.168.0.128    72.81.200.200    SIP       Request: MESSAGE sip:user@72.81.200.200:50925
149  11.618986  72.81.200.200    192.168.0.128    SIP       Status: 200 OK
150  11.866691  192.168.0.128    72.81.200.200    SIP       Request: MESSAGE sip:user@72.81.200.200:50925
151  11.998932  192.168.0.128    72.81.200.200    UDP       Source port: 16402  Destination port: 50925
152  12.035444  72.81.200.200    192.168.0.128    SIP       Status: 200 OK
153  12.063916  192.168.0.128    72.81.200.200    UDP       Source port: 16402  Destination port: 50925
154  12.129174  192.168.0.128    72.81.200.200    UDP       Source port: 16402  Destination port: 50925
155  12.180258  192.168.0.128    72.81.200.200    UDP       Source port: 16402  Destination port: 50925
156  12.183416  192.168.0.128    72.81.200.200    UDP       Source port: 16402  Destination port: 50925
157  12.187093  72.81.200.200    192.168.0.128    SIP       Status: 200 OK
158  12.195043  192.168.0.128    72.81.200.200    UDP       Source port: 16402  Destination port: 50925
159  12.200932  72.81.200.200    192.168.0.128    SIP       Request: BYE sip:user@192.168.0.128:16402
160  12.206181  192.168.0.128    72.81.200.200    SIP       Status: 200 OK

Packets 1 – 10

 * The phone communicates with a server at Apple (17.155.5.251 is what I saw). Communication is sourced from port 16402 via UDP initially and then looks to dynamically allocate ports for communication (16385 and 16386 are what appeared on my end).

Packets 11 – 101

 * The phone then negotiates an HTTPS connection to the servers at Apple for the setup and communication. There also seems to be some communication to other servers (in this case I see RCN 208.59.216.10) – and they are my cable provider.

Packets 102 – 123

 * After client (iPhone) and server negotiation you start to see STUN requests via the private IPs; after they fail you see them from the public IP NAT ranges. They succeed via the public peering at that point.

Packets 124 – 160

 * A SIP call is then initiated between the phones for the video portion of the call
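
The STUN phase described above (private candidates left unanswered, the public candidate succeeding, then SIP to that same address) can be read directly from the capture rows. This is an added example, not part of the original capture or blog post: it tallies connectivity checks per candidate address and checks that the first SIP INVITE went to an address that had already answered. The function names are illustrative and the rows are a subset copied from the capture on this page.

```python
import ipaddress
import re

# Subset of rows copied from the capture on this page (packet numbers kept).
CAPTURE = """\
102 8.258196 192.168.0.128 192.168.2.106 STUN2 Binding Request
103 8.286606 192.168.0.128 192.168.2.106 STUN2 Binding Request
104 8.303893 192.168.0.128 72.81.200.200 STUN2 Binding Request
105 8.313353 192.168.0.128 192.168.2.106 STUN2 Binding Request
106 8.313582 72.81.200.200 192.168.0.128 STUN2 Binding Request
107 8.316909 192.168.0.128 72.81.200.200 STUN2 Binding Success Response
122 8.626234 72.81.200.200 192.168.0.128 STUN2 Binding Success Response
124 8.730361 192.168.0.128 72.81.200.200 SIP/SDP Request: INVITE sip:user@72.81.200.200:50925, with session description
125 8.748746 72.81.200.200 192.168.0.128 STUN2 Binding Success Response
"""

# No., Time, Source, Destination, Protocol, Info (Info may contain spaces).
ROW = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*\S)\s*$")


def parse_rows(text):
    """Turn Wireshark summary lines into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            no, time, src, dst, proto, info = m.groups()
            rows.append({"no": int(no), "time": float(time), "src": src,
                         "dst": dst, "proto": proto, "info": info})
    return rows


def stun_candidates(rows, local_ip):
    """Per remote candidate: Binding Requests we sent, Success Responses it returned."""
    stats = {}
    for row in rows:
        if not row["proto"].startswith("STUN"):
            continue
        if row["src"] == local_ip and row["info"] == "Binding Request":
            peer, counter = row["dst"], "requests_sent"
        elif row["dst"] == local_ip and row["info"] == "Binding Success Response":
            peer, counter = row["src"], "successes_received"
        else:
            continue  # the peer's own checks and our answers to them
        entry = stats.setdefault(peer, {
            "private": ipaddress.ip_address(peer).is_private,
            "requests_sent": 0,
            "successes_received": 0,
        })
        entry[counter] += 1
    return stats


def call_path(rows, local_ip):
    """Return (peer of our first SIP INVITE, whether it answered a check before it)."""
    for row in rows:
        if (row["proto"].startswith("SIP") and row["src"] == local_ip
                and "INVITE" in row["info"]):
            earlier = [r for r in rows if r["no"] < row["no"]]
            seen = stun_candidates(earlier, local_ip).get(row["dst"], {})
            return row["dst"], seen.get("successes_received", 0) > 0
    return None, False


if __name__ == "__main__":
    rows = parse_rows(CAPTURE)
    for peer, entry in stun_candidates(rows, "192.168.0.128").items():
        print(peer, entry)
    print("INVITE target:", call_path(rows, "192.168.0.128"))
```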

How does Apple's (FaceTime) server know the IP address of the 2nd (to be called) iPhone?
Easy, every iPhone registers itself at Apple's push notification server whenever WiFi is available ("calls" Home).

Basic Process:


 * iPhone detects Wi-Fi Connection
 * iPhone gets IP address via DHCP (if not set to static in Settings)
 * iPhone sends an HTTP request to www.apple.com/library/test/success.html
 * Apple's servers send back an HTML page containing only the word "Success" in the title and body
 * iPhone knows it is connected to the Internet
 * iPhone gets iphone-wu.apple.com/7day/v2/latest/lto2.dat to enable a quick GPS fix for Location Services; LTO stands for long-term orbit. This is unrelated to FaceTime.
 * iPhone contacts the FaceTime server, init.ess.apple.com
 * iPhone downloads EVIntl-aia.verisign.com/EVIntl2006.cer
 * iPhone joins Apple's Jabber server at 17.149.36.99
 * Apple knows the iPhone's IP, which is then used for FaceTime and other push notifications.

Additional Information

 * Interesting Packet Trace & Discussion: http://blog.roychowdhury.org/2010/06/25/facetime-on-iphone-4-vanilla-unencrypted-stun-and-sip/
 * Excellent Analysis: http://www.packetstan.com/
 * Highly Rumorous: http://www.addictivetips.com/mobile/apple-gathering-facetime-information-ability-to-see-video-calls/