Understanding the Setup.App
On iOS Devices, the initial configuration and activation is carried out by an app called "Setup.App", its internal name is PurpleBuddy. This application is responsible for anything activation-related and not only. When the device is being restored, or erased, the Setup.App is the first interface the users will see. The application has got multiple aspects during its existence, and starting from iOS 7.0 it uses the white theme featured on iOS 10.x as well. Also, starting from iOS 7.x, Setup.App checks the iCloud Activation Lock status.
Not the best feature Apple ever created. What was made to try to discourage the thieves, actually turned out into a simple small inconvenience for them. Locked iPhones, iPads and iPod Touches are still being sold on eBay, Craigslist, and many other local / regional profile sites. In this whole loop, the only one that suffers is the buyer. One buys the phone online, pays for it before shipping, and when it comes, one realizes the device is Locked and he paid a lot of money for a brick. Trying to contact the owner either results in no response, or an additional fee (usually 100 or 200$) to unlock it. Of course, some of the devices are stolen, but a lot of scammers sell their own devices (they no longer need) but let them locked purposefully on a dummy account they know, just to get that extra cash.
While we don't support thieves at all (we provide no help for any lost / stolen device), those who bought a device locked but in clean (not reported as lost or stolen) mode can try the CFW method to attempt unlocking the device for which they paid. Of course this method does not work for anybody / any device, that's why there is a F.A.Q. (Frequent Asked Questions) page that must be read.
Now let's understand the Setup.App:
In order to check the activation status, Setup.App is working with lockdownd (Lockdown Daemon). Once the device is reported by this daemon as being Unactivated, Setup.App makes request to albert.apple.com for a WildCard Ticket and an Activation Ticket. These tickets contain important encrypted (usually Base64) data such IMEI, Serial Number, ECID, SIM ID, Carrier, FairPlay Certificate, FairPlay Key Data, Activation Randmoness, device type, etc.
FairPlay Certificate and FairPlay Key Data are being generated by fairplayd (FairPlay Daemon) and are randomly created to prevent forged certificates. In the past, the activation procedure was bypassed by making iTunes (the main client for activation) to try to use a local / custom activation server. This method worked as the device did not check the RSA certificates of the address from which it gathers the Plist files, but past iOS 7.1.1, this have changed. Apple have patched the bug on the devices and now it checks the identity (SSL) of the address.
The Activation ticket also holds info like: whether the device is carrier locked, on which carrier is supported. Using this data, it can download the appropriate Carrier Bundles and enable the Cellular connection. Carrier bundles help the device understand how to handle a specific carrier. It mostly contains links, codes, signatures, certificates, identifiers, etc. Some carrier provide 4G / LTE support, and this is being specified in the Carrier Bundle alongside with the link to be accessed by the device and the port / APN for connecting to the carrier.
Why bypassing iCloud always results in No Service?
As easy as it sounds. No Service means that there is no Carrier Bundle downloaded into the device, therefore the iPhone can't understand how to handle the SIM Card. During the activation, it normally activates the Baseband and configures it with the data from the Carrier Bundles downloaded for the SIM Card inserted (unless the device is SIM locked). If you bypass, there is no activation process, therefore, no one to download the Carrier Bundle and configure your Baseband, thus resulting in a Baseband Soft Brick (it won't affect any feature of the device, but you won't be able to place calls or send SMS without additional (HARD) fixes).
How the CFW works?
Setup.App is being patched (invalidated). On iOS, each and every app that starts, including the system ones have to be signed (codesign). If you tamper with an app's executable, it will no longer match the codesign (can be fixed, partially). AMFI (Apple Mobile File Integrity) is a kext (Kernel Extension) of the iOS Kernel that always checks the binaries before executing them. If Setup.App is patched, and you are not Jailbroken, the device will refuse to start its own app due to AMFI, and it will redirect you to the main screen known as SpringBoard.
Setup.App doesn't only handle the activation process, it also handles the language, country, WiFi settings, Touch ID (if applicable), Apple ID, iCloud Login (for File Backup), restoring from iTunes (backup), restoring from iCloud (backup), importing data from an Android device, agreeing with the terms and conditions, configuring the pass code, Siri, Diagnostic Data and so on.