iPhone Hacking Presentation - History 1.0-1.1.4

From The Apple Wiki

George Hotz's Presentation on "Hacking the iPhone" - 9:30 EST 17 July 2009, irc.osx86.hu #presentation

The Hackers in the Presentation (alphabetical order):

Geohot began the presentation with a potted history of iPhone hacking.

The history of "jailbreaking"

At the start:

  • slide for emergency (before lockdownd patches) <- this is activation
  • Apple generates an activation record when you connect your phone to iTunes for the first time
  • put in a T-Mobile SIM card, didn't work..

Activation record contains:

  • IMEI (baseband)
  • ICCID (sim card)
  • DEVID (UDID, phone/s5l/app processor)

So, then tried...

  • resending activation record to another phone
  • lockdownd didn't check that record actually matched anything
  • DVD Jon wrote a program to spoof the activation server, which sends his record; since lockdownd didn't check that the record matched the iPhone's IDs, it worked -> people can now activate
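The missing binding check described above, as an added example (not code from the presentation or from lockdownd). The record layout, the function names and the use of an HMAC as a stand-in for the activation server's signature are assumptions; only the three identifiers come from the page.

```python
import hashlib
import hmac
import json

# Assumption: HMAC with a constructed key stands in for the activation
# server's signature; the page does not describe the real scheme.
SERVER_KEY = b"constructed-demo-key"
BOUND_FIELDS = ("IMEI", "ICCID", "DEVID")  # the three IDs the page lists


def sign_record(ids):
    """Server side: issue a record over the device's identifiers."""
    body = json.dumps(ids, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return {"ids": ids, "sig": tag}


def signature_ok(record):
    """True if the record's tag matches its identifier block."""
    body = json.dumps(record["ids"], sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("sig", ""))


def accept_unbound(record, device_ids):
    """Behaviour described on the page: the record is never compared
    with the identifiers of the device that receives it."""
    return signature_ok(record)


def accept_bound(record, device_ids):
    """Hardened check: valid signature AND every identifier in the
    record equals the one read from this device's own hardware."""
    if not signature_ok(record):
        return False
    return all(record["ids"].get(f) == device_ids[f] for f in BOUND_FIELDS)


# Constructed sample identifiers, not real device values.
PHONE_A = {"IMEI": "000000000000001", "ICCID": "8900000000000000001", "DEVID": "a" * 40}
PHONE_B = {"IMEI": "000000000000002", "ICCID": "8900000000000000002", "DEVID": "b" * 40}

if __name__ == "__main__":
    record_a = sign_record(PHONE_A)
    print("replayed on B, unbound check:", accept_unbound(record_a, PHONE_B))
    print("replayed on B, bound check:  ", accept_bound(record_a, PHONE_B))
    print("on A itself, bound check:    ", accept_bound(record_a, PHONE_A))
```

The bound check only helps if the device reads the identifiers from its own hardware rather than trusting values supplied alongside the record.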

iPhone dev folks start reversing itunesmobiledevice.dll / MobileDevice.framework → AMDeviceActivate (give it an activation record, and it would activate the phone for you)

Through the reversing of the MobileDevice.framework (AFC protocol) it was possible to gain control of the chrooted jailed files in /var/root/media

iTunes uses AFC to send files (music, contacts etc) to the iPhone, inside the /var/mobile/media jail. So the next thing after activation is jailbreak. ("jail" means a chroot jail, more info at: http://en.wikipedia.org/wiki/Chroot, http://docs.freebsd.org/44doc/papers/jail/jail.html)

  • System Partition mounted at /
  • User Partition /var/mobile/

First jailbreak was done by using the cp (copy) command in restore mode, which had access to the whole FS. They overwrote fstab and services.plist, and they added a service called afc2 which shared the whole FS.

We could also take a look at the disk image itself inside an ipsw:

  • unfortunately, the rootfs dmg has encryption that doesn't use the traditional dmg password scheme
  • so we wrote vfdecrypt

So... then we could touch the filesystem all we wanted, but without a toolchain we couldn't do anything useful. This is interesting because:

  • Mach-O and ARM: never done before outside Apple; we needed to write it ourselves (aka watch in awe as nightwatch did it)

This led to the days of irc://irc.osx86.hu/iphone-uikit

  • mentioned neato things:
    • MobileTerminal, Hello World

George Hotz joined the small group of "iPhone Dev team folks" (#iphone.dev ?ithink?). Things started becoming secretive, and George Hotz decided to release http://chickenenchiladagrilledstuftburrito.info/u.htm [Archived 2008-06-09 at the Wayback Machine], his "manifesto".

Unlocks

First Unlock:

  • Hardware
    1. Erase baseband firmware
    2. Using a hardware test point, pull an address line high, so it thinks it's all erased (fakeblank)
    3. You can send serial payloads and run your own unsigned code, so patch it to be unlocked

IPSF style unlock:

  • If code uploaded to the baseband had a SHA1 hash ending in 00 00 00 00, it would run (due to buggy coding, they only checked the last four bytes), and the Bleichenbacher RSA attack allowed fake unlock tokens to be generated server side

Then there was iUnlock by the Dev-Team, which used the Minus 0x400 exploit to unlock.

Then along comes 1.1.1: encryption. Restore holes used to jailbreak were patched, but this led to the simplest jailbreak: jailbreakme.com / the TIFF exploit. This was taken from the PSP hacking scene: an old version of libtiff had a buffer overflow (found by taviso, first exploited by cmw) in one of the metadata tags, iirc.

Then 1.1.2 comes along, patching the TIFF vuln, and things start to get more complex:

  • initially we started by just insisting that people downgrade to 1.1.1, then update again
  • this became harder as more phones came preinstalled with 1.1.2, etc.
  • at 1.1.3 (BB version 4.6), this became unbearable...
  • George releases gunlock using the -0x20000 with back extend erase exploit
  • and eventually ZiPhone is released (unsigned ramdisk exploit)

How this works:

  • hit restore, iphone goes into recovery mode (iBoot, bootloader for the s5l proc)
  • commence geohot wall-o-text:
  • your iPhone has two major processors: the s5l (which runs the apps, and is targeted by jailbreaks), and the baseband (which runs the phone stuff, and is targeted by unlocks)
  • in recovery mode, sending a ramdisk and kernel can boot the device no matter what's on NAND
  • after the ramdisk boots, it enters restore mode
  • in restore mode, the system dmg (with the OS) is sent
  • the NOR is upgraded to have the latest iBoot and LLB
  • and the baseband is upgraded to have the latest baseband firmware
  • so, imagine being able to write your own ramdisk
  • everything up to user mode was always sig checked
  • including the ramdisk

Resources

Links posted by "the hackers":

  1. http://nanocr.eu/2007/07/03/iphone-without-att/ [Archived 2009-07-22 at the Wayback Machine]
    Site: Jon "DVD Jon" Lech Johansen’s blog
    Entry: "iPhone Independence Day"
    Documents Jon's discovery of how to activate a brand new iPhone unofficially.
    Originally posted on Tuesday 3 July 2007
  2. http://chickenenchiladagrilledstuftburrito.info/u.htm [Archived 2008-06-09 at the Wayback Machine]
    Site: (mirror)
    Entry: George Hotz's "manifesto"
    Originally mirrored on Friday, 27 July 2007
  3. Minus 0x20000 with Back Extend Erase
    This is the exploit used to unlock all phones with a 4.6 bootloader.
    Originally posted on Saturday, 27 July 2008

Definitions of terms used

  • Jailbreak: Apple makes it so your device can only use one folder on the phone; a jailbreak gets out of that single-folder jail and lets you use the entire filesystem.

Active Documenters (alphabetical order)

  • Izzard
  • Kroo
  • Oranav
  • Veeloc
  • crash-x (only in the beginning)