<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=D235j</id>
	<title>The iPhone Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=D235j"/>
	<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/wiki/Special:Contributions/D235j"/>
	<updated>2026-05-21T01:15:26Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.31.14</generator>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Tutorial:Re-Provisioning_iPhone_4_using_file_system_(Incomplete)&amp;diff=16405</id>
		<title>Tutorial:Re-Provisioning iPhone 4 using file system (Incomplete)</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Tutorial:Re-Provisioning_iPhone_4_using_file_system_(Incomplete)&amp;diff=16405"/>
		<updated>2011-02-24T05:06:43Z</updated>

		<summary type="html">&lt;p&gt;D235j: Re-Provisioning iPhone 4G using file system (Incomplete) moved to Re-Provisioning iPhone 4 using file system (Incomplete): there is no iPhone &amp;quot;4G&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=== Prerequisites ===&lt;br /&gt;
&lt;br /&gt;
You need:&lt;br /&gt;
* A jailbroken iPhone 4 (CDMA model) with OpenSSH installed.&lt;br /&gt;
* An SSH client.&lt;br /&gt;
* A plist editor.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
=== Setting Up ===&lt;br /&gt;
&lt;br /&gt;
Reserved.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
=== Installation ===&lt;br /&gt;
&lt;br /&gt;
Reserved.&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:Tutorial:Re-Provisioning_iPhone_4_using_file_system_(Incomplete)&amp;diff=16407</id>
		<title>Talk:Tutorial:Re-Provisioning iPhone 4 using file system (Incomplete)</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:Tutorial:Re-Provisioning_iPhone_4_using_file_system_(Incomplete)&amp;diff=16407"/>
		<updated>2011-02-24T05:06:43Z</updated>

		<summary type="html">&lt;p&gt;D235j: Talk:Re-Provisioning iPhone 4G using file system (Incomplete) moved to Talk:Re-Provisioning iPhone 4 using file system (Incomplete): there is no iPhone &amp;quot;4G&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;It is not &amp;quot;iPhone 4G&amp;quot;, it is iPhone 4. Please use proper nomenclature, or use Apple's device generation number scheme if you are unsure (iPhone1,1, iPhone1,2, iPhone2,1, iPhone3,1, iPhone3,3, which are iPhone, iPhone 3G, iPhone 3GS, iPhone 4 (GSM) and iPhone 4 (CDMA) respectively). --[[User:Cmdshft|cmdshft]] 03:49, 24 February 2011 (UTC)&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Tutorial:Re-Provisioning_iPhone_4_from_Verizon_Wireless_for_other_CDMA_Carriers&amp;diff=16401</id>
		<title>Tutorial:Re-Provisioning iPhone 4 from Verizon Wireless for other CDMA Carriers</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Tutorial:Re-Provisioning_iPhone_4_from_Verizon_Wireless_for_other_CDMA_Carriers&amp;diff=16401"/>
		<updated>2011-02-24T05:06:12Z</updated>

		<summary type="html">&lt;p&gt;D235j: Re-Provisioning iPhone 4G from Verizon Wireless for other CDMA Carriers moved to Re-Provisioning iPhone 4 from Verizon Wireless for other CDMA Carriers: there is no iPhone &amp;quot;4G&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=== Prerequisites ===&lt;br /&gt;
&lt;br /&gt;
You will need:&lt;br /&gt;
* A Verizon iPhone 4 (CDMA model).&lt;br /&gt;
* A carrier that will accept another carrier's ESN/MEID phones, for example Cricket or MetroPCS.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
=== OTA Programming ===&lt;br /&gt;
&lt;br /&gt;
*Note: the only known method for moving the CDMA iPhone to another carrier is to use the OTA feature to update your PRL, MDN and MIN.&lt;br /&gt;
If OTA programming is not working in your area, then this will not work for you at the moment.&lt;br /&gt;
&lt;br /&gt;
1. You must be using a carrier who will accept the phone's MEID.&lt;br /&gt;
&lt;br /&gt;
2. Add the phone to your account by dialing 611 from your current phone or by calling your carrier's number.&lt;br /&gt;
   Phone numbers&lt;br /&gt;
   Cricket 1-800-274-2538&lt;br /&gt;
&lt;br /&gt;
3. If you are using Cricket, make sure you are on the $45.00 plan and have Android CPE (Customer Provided Equipment) set as your phone model.&lt;br /&gt;
   For MetroPCS owners the plan shouldn't matter.&lt;br /&gt;
&lt;br /&gt;
4. Once the phone is on your plan, find the correct OTA number to dial in order to provision your phone.&lt;br /&gt;
Start with *22800, then *22801, *22802 and so on until you receive your carrier's OTA message.&lt;br /&gt;
   Known OTA numbers for areas&lt;br /&gt;
   Salt Lake City, Utah: *22804&lt;br /&gt;
&lt;br /&gt;
5. Follow the OTA instructions, making sure to select update equipment or update roaming agreements.&lt;br /&gt;
&lt;br /&gt;
6. Once the OTA has successfully updated your iPhone 4 with the correct PRL, MDN, MIN and SYSID, you should be ready for basic talk and text.&lt;br /&gt;
&lt;br /&gt;
7. You can check the current PRL you are using by dialing:&lt;br /&gt;
   *#5005*help#(4357), Send.&lt;br /&gt;
&lt;br /&gt;
[[Image:iPhonePRL]]&lt;br /&gt;
&lt;br /&gt;
8. That's it for now; more to come.&lt;br /&gt;
&lt;br /&gt;
----&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:Tutorial:Unlocking_iPhone_4_(iPhone3,3)_model_with_OTA&amp;diff=16403</id>
		<title>Talk:Tutorial:Unlocking iPhone 4 (iPhone3,3) model with OTA</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:Tutorial:Unlocking_iPhone_4_(iPhone3,3)_model_with_OTA&amp;diff=16403"/>
		<updated>2011-02-24T05:06:12Z</updated>

		<summary type="html">&lt;p&gt;D235j: Talk:Re-Provisioning iPhone 4G from Verizon Wireless for other CDMA Carriers moved to Talk:Re-Provisioning iPhone 4 from Verizon Wireless for other CDMA Carriers: there is no iPhone &amp;quot;4G&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;It is not &amp;quot;iPhone 4G&amp;quot;, it is iPhone 4. Please use proper nomenclature, or use Apple's device generation number scheme if you are unsure (iPhone1,1, iPhone1,2, iPhone2,1, iPhone3,1, iPhone3,3, which are iPhone, iPhone 3G, iPhone 3GS, iPhone 4 (GSM) and iPhone 4 (CDMA) respectively). --[[User:Cmdshft|cmdshft]] 03:50, 24 February 2011 (UTC)&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=N92AP&amp;diff=15922</id>
		<title>N92AP</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=N92AP&amp;diff=15922"/>
		<updated>2011-02-07T22:13:23Z</updated>

		<summary type="html">&lt;p&gt;D235j: added baseband chip, from ifixit teardown&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Image:iPhone 4 CDMA.png|right|thumb|iPhone 4 (CDMA model)]]&lt;br /&gt;
This is the CDMA variant of the iPhone 4. It is very similar to [[n90ap|its GSM counterpart]]. Notable differences are the lack of GSM hardware (in favor of [[wikipedia:Code division multiple access|CDMA]]) and a redesigned antenna.&lt;br /&gt;
&lt;br /&gt;
== [[S5L8930|Application Processor]] ==&lt;br /&gt;
It uses the same [[S5L8930|Apple A4]] CPU found in the GSM version.&lt;br /&gt;
&lt;br /&gt;
== [[Baseband Device]] ==&lt;br /&gt;
Qualcomm MDM6600&lt;br /&gt;
&lt;br /&gt;
== GPS ==&lt;br /&gt;
The iPhone 4 uses the [[Broadcom BCM4750]] single-chip GPS receiver, like the iPad.&lt;br /&gt;
&lt;br /&gt;
== Specifications ==&lt;br /&gt;
'''Color:''' Black&lt;br /&gt;
'''Size''': 115.2 mm (4.5 inches) (h), 58.6 mm (2.31 inches) (w), 9.3 mm (0.37 inches) (d) &amp;lt;br /&amp;gt;&lt;br /&gt;
'''Weight''': 135 g (4.8 oz) &amp;lt;br /&amp;gt;&lt;br /&gt;
'''Battery''': Standby up to 300 hours, talk time up to 7 hours on 3G&amp;lt;br /&amp;gt;&lt;br /&gt;
'''Rear camera''': 5MP with Autofocus and manual focus (''Tap to focus''), supporting HD video recording @ 30FPS &amp;lt;br /&amp;gt;&lt;br /&gt;
'''Front camera''': VGA photos and video @ 30 FPS, supporting [[FaceTime]] Video Calls&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=25C3_presentation_%22Hacking_the_iPhone%22&amp;diff=10548</id>
		<title>25C3 presentation &quot;Hacking the iPhone&quot;</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=25C3_presentation_%22Hacking_the_iPhone%22&amp;diff=10548"/>
		<updated>2010-10-13T21:26:55Z</updated>

		<summary type="html">&lt;p&gt;D235j: fixed broken ext links&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{DISPLAYTITLE:25C3 presentation &amp;quot;Hacking the iPhone&amp;quot;}}&lt;br /&gt;
This was a presentation held on 27 December 2008 at the [http://events.ccc.de/congress/2008/wiki/Main_Page/ 25th Chaos Communication Congress (25C3)] in Berlin. Speakers were [[pytey]], [[User:planetbeing|planetbeing]] and [[User:MuscleNerd|MuscleNerd]].&lt;br /&gt;
&lt;br /&gt;
The presentation explained the inner workings of the iOS architecture, its security, and how it was circumvented. [http://events.ccc.de/congress/2008/Fahrplan/events/2976.en.html Short event description]&lt;br /&gt;
&lt;br /&gt;
During the presentation [[User:MuscleNerd|MuscleNerd]] wanted to show the [http://qik.com/video/729275 video of a live demo of the unlock] ([[yellowsn0w]]), but skipped it for lack of time. The video had actually been released [[Timeline#December|some days before]].&lt;br /&gt;
&lt;br /&gt;
== Conference Recordings ==&lt;br /&gt;
* [http://vimeo.com/2646755?pg=embed&amp;amp;sec=2646755 Conference recording video on Vimeo]&lt;br /&gt;
* [http://mirror.netcologne.de/CCC/25C3/video_h264_720x576/25c3-2976-en-hacking_the_iphone.mp4 Conference recording video in H264] or [ftp://ftp.ccc.de/congress/25c3/video_h264_720x576/25c3-2976-en-hacking_the_iphone.mp4 via FTP] or [http://ftp.ccc.de/congress/25c3/video_h264_720x576/25c3-2976-en-hacking_the_iphone.mp4.torrent torrent link]. This version is the best quality available.&lt;br /&gt;
* [http://derchris.eu/ccc/25C3/video_h264_iPod/25c3-2976-en-hacking_the_iphone.ipod.m4v Conference recording video in M4V]&lt;br /&gt;
* [http://bork.informatik.uni-erlangen.de/pub/ccc/25c3/audio_only/25c3-2976-en-hacking_the_iphone.mp3 Conference recording as MP3 audio]&lt;br /&gt;
* [http://ftp.uni-kl.de/25C3/audio_only/25c3-2976-en-hacking_the_iphone.ogg Conference recording as OGG audio]&lt;br /&gt;
* [http://events.ccc.de/congress/2008/wiki/Conference_Recordings/index.html Official download page] (look for presentation 2976)&lt;br /&gt;
* [http://ftp.ccc.de/congress/25c3/ Official FTP server] (look for presentation 2976)&lt;br /&gt;
&lt;br /&gt;
The presentation slides are currently not available. Perhaps one of the presenters can upload them here or post a link.&lt;br /&gt;
&lt;br /&gt;
== Transcript of the presentation ==&lt;br /&gt;
&lt;br /&gt;
[[Image:25C3_A01.png|thumb|left|A01]]&lt;br /&gt;
=== Start ===&lt;br /&gt;
Good evening everybody. I would like to introduce the [[iPhone Dev Team]], who are here to give a talk on iPhone hacking. So please join me in giving a round of applause.&lt;br /&gt;
&lt;br /&gt;
=== Introduction (by [[pytey]]) ===&lt;br /&gt;
Good evening ladies and gentlemen. Here’s a little slide show here for you. [[Image:25C3_B01.png|thumb|B01]] This is a slide called hacking the iPhone. I’ll give a little history here about [[iPhone Dev Team|our little crew]]. [[Image:25C3_B02.png|thumb|left|B02]] We formed in [[Timeline#June_4|June 2007]], just before the release of the [[M68ap|original iPhone]]. We’re original hardware hackers and device enthusiasts, based around Apple products, and we sort of lean towards the iPhone as a platform. We exist on [[wikipedia:Internet Relay Chat|IRC]]. This is the first time most of us have met each other. Originally there were a couple of channels on the osx86.hu server. [[Image:25C3_B03.png|thumb|B03]] We’ve got a wide membership: Germany, Belgium, France, Russia, Hungary, USA, Israel. And during those initial few months of the [[M68ap|iPhone first generation]] DHL and FedEx shipped around a lot of US phones to us. [[Image:25C3_B04.png|thumb|left|B04]] We’ve got some statistics here of our little site. We’ve had about 1.7 million visits in the last month. [[Image:25C3_B05.png|thumb|B05]] Fifty, sixty thousand unique visitors per day and various networks around. [[Image:25C3_B06.png|thumb|left|B06]] We’ve got a tool called [[PwnageTool|Pwnage tool]] and another tool called [[QuickPwn]], which is viewed here as the next good project. [[Image:25C3_B07.png|thumb|B07]] It’s a [[wikipedia:Cocoa (API)|Cocoa]] application. It’s got 20,000 lines of code. [[QuickPwn]] has got 15,000 lines of code. There’s also other platforms: Windows and Linux as well. We’ve had 3.6 million [[wikipedia:Sparkle (software)|Sparkle]] updates since we last deleted our logs, which was on the 16th of July. We try to release patches when Apple releases an iPhone update. [[Image:25C3_B08.png|thumb|left|B08]] We try to get patches out 24-48 hours after the release of those updates. And the modular bundle sets for cross-platform use. We use [[wikipedia:Sparkle (software)|Sparkle]] for updates for the Mac platform, as I mentioned. An interesting lead: there are 180 very active users from Apple who update their [[QuickPwn]] and [[PwnageTool|Pwnage tool]] on a regular basis, so I think they like our software, which is pretty cool. Thank you very much Apple. (big applause)&lt;br /&gt;
&lt;br /&gt;
[[Image:25C3_B09.png|thumb|B09]] I’ll just introduce my colleagues here. We’ve got [[User:Bushing|bushing]] on the end. He’s one of the guys. This is [[User:MuscleNerd|MuscleNerd]] (laughter) -  I don’t know why. This is [[User:Planetbeing|planetbeing]]. And we’ve got a bunch of other guys here we don’t want to be identified for obvious reasons, but they’re over there wearing Pwn-Apple T-shirts. And they speak Russian. (laughter) Say hi guys! (applause)&lt;br /&gt;
&lt;br /&gt;
So with that further I’ll hand you over to [[User:Planetbeing|planetbeing]] who’s gonna talk a bit about the applications processor side of the iPhone. Thanks.&lt;br /&gt;
&lt;br /&gt;
=== Part 1: Applications Processor (by [[User:Planetbeing|planetbeing]]) ===&lt;br /&gt;
[[Image:25C3_C01.png|thumb|left|C01]] So my talk is gonna be about the applications processor side. That’s the chip that runs the [[iOS|iPhone OS]] and all the racing car games that you all see in the [[App Store]]. [[Image:25C3_C02.png|thumb|C02]] It’s only related to the [[Unlock|baseband unlock]], because the iPhone has two [[ARM]] processors and the [[S-Gold_2|baseband modem]] has one of them and the [[S5L8900|application processor]] has the other one, and they’re only loosely connected. Each has its own security framework. My portion of the talk will be focusing on the [[S5L8900|application processor]]. And, you know, our goal is to execute custom code on the [[iOS|iPhone OS]]. [[Image:25C3_C03.png|thumb|left|C03]] The purpose of doing so is to launch third-party apps, [[activation]] of the iPhone, which allows the [[iOS|iPhone OS]] to recognize unofficial carriers, and it also provides a useful platform for the [[Unlock|SIM unlock]], because then we can use the [[iOS|iPhone OS]] to directly communicate with the [[Baseband_Device|baseband modem]]. So I’m gonna just go over some of the security framework of the [[M68ap|iPhone]], and first of all I’m gonna talk about the basic software architecture of the device. [[Image:25C3_C04.png|thumb|C04]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
As Apple advertised, the [[iOS|iPhone OS]] architecture is basically [[wikipedia:Mac OS X|Mac OS X]]. If you look at a disassembly of the [[kernel]], you can see that it’s basically [[wikipedia:XNU|XNU]], which is the kernel for the [[wikipedia:Mac OS X|Mac OS]]; it’s basically [[wikipedia:XNU|XNU]] code compiled for [[ARM]]. A lot of the userland architecture is also the same. There is [[wikipedia:Launchd|launchd]], which is the Mac OS version of [[wikipedia:Init|init]], like Linux has [[wikipedia:Init|init]]. It’s a little bit lobotomized, there’s no command line switches, but, you know, it’s basically the same thing; it has launch [[wikipedia:Daemon (computer software)|daemons]] and everything else. System libraries are slightly modified, but they’re pretty much the same as on a typical OS X Mac machine. Instead of the Finder you have [[SpringBoard]] as the shell. One important difference between the Mac version of OS X and the [[iOS|iPhone OS]] is that there’s an additional [[wikipedia:Daemon (computer software)|daemon]] called [[lockdownd]], and it handles communications with the computer. It basically is the gateway between the computer and the iPhone over the USB cable. It [[wikipedia:Multiplexing|multiplexes]] the USB connections and it establishes an [[wikipedia:Transport Layer Security|SSL]] [[wikipedia:Tunneling protocol|tunnel]] between a [[wikipedia:Internet socket|socket]] on the computer and on the iPhone. It’s basically like [[wikipedia:inetd|inetd]]. You can have different services that [[lockdownd]] activates. Services like [[MobileSync]], [[MobileBackup]] and a rather important one for our purposes called [[AFC]], which allows the computer to access a small jailed portion of the file system. So our goal here is to sort of subvert this and to modify the operating system, so that we can run our own code. How do we do this? [[Image:25C3_C05.png|thumb|left|C05]] The [[iOS|iPhone OS]] primarily runs on a [[NAND]] flash disk. To userland it appears as a normal [[wikipedia:Device file#Block devices|block device]]. So if you’re familiar with the Mac OS terminology, it’s under /dev/rdisk0s1 and /dev/rdisk0s2. There’s two logical partitions on the [[NAND]] drive. There’s a system partition, which is mounted at root, and there’s a user partition. The system partition is read-only. These are only logical partitions, and they sit on top of an [[wikipedia:Flash file system|FTL]] which converts the logical partitions, which are better suited for traditional disk drives, to [[NAND]] flash geometries, which, you know, have peculiar things, like only being able to erase a block at a time.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Here is how the [[iOS|iPhone OS]] is protected. [[Image:25C3_C06.png|thumb|C06]] Third-party applications and everything else that’s modifiable on the [[iOS|iPhone OS]] are installed on the user partition. The system partition is read-only, so in case the iPhone crashes you don’t have to recheck the system partition for file system integrity. Every program, every executable on the iPhone is signature-checked when the system call [[execv]] is executed on it. All executables must be signed by Apple and the signatures and the hashes are stored in the Mach-O format as segments, and because the signatures are only checked when the program starts you can still use code execution [[:Category:Exploits|exploits]] if you have a buffer overflow or a stack overflow, but the limitation of that is that all the applications like MobileSafari or MobileMail and everything else run as the [[mobile user]], so they can’t really alter the operating system. The signature checks are implemented inside the [[kernel]]. So in order to do our thing, in order to run third-party applications, we have to modify the [[kernel]]. Here is how the [[kernel]] is protected. [[Image:25C3_C07.png|thumb|left|C07]] The [[kernel]] is stored on the system partition, which again is mounted read-only. It’s a big [[wikipedia:Blob (computing)|binary blob]] with the [[kernel]] and all the kernel extensions, KEXTs, which basically provide driver functionality for Mac OS X, and they are all concatenated together and compressed with [[wikipedia:Lempel–Ziv–Storer–Szymanski|LZSS]] and encrypted and signed. And you can’t alter this [[kernelcache]], except as [[wikipedia:Superuser|root]]. So even if you got a code execution [[:Category:Exploits|exploit]], you still need a privilege escalation exploit as well in order to modify this file. And even if you could do that, the [[kernelcache]] is signed, so if you modify it, your system will stop booting. So, to get around that, we need to look at how the signature for the [[kernel]] is checked. And I’m just going to briefly take you through the [[boot process]] for the iPhone.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Image:25C3_C08.png|thumb|C08]] The first piece of code that’s loaded on the iPhone is the [[bootrom]]. It’s Secure Boot in Apple’s terminology. I mean it’s kind of a lie, as you find out later. So the first thing that it does is it loads from [[NOR]] flash a program called [[LLB]]. The [[NOR]] flash supplements the [[NAND]] flash. It’s just an 8 megabit [[NOR]] flash and it serves as the [[NOR (NVRAM)|NVRAM]] for the OS, which includes [[wikipedia:Kernel panic|kernel panic]] logs and [[bootloader]] variables. It also has a file system, or kind of a rudimentary one: a list of images that contain the bootloaders themselves. So the [[LLB]] is, the way I put it, the [[wikipedia:Master boot record|MBR]] for the [[NOR]]; it does the same thing that the [[wikipedia:Master boot record|MBR]] does on an x86 machine. It reads the image list format and it loads the next-stage [[bootloader]] from the image list, signature-checking it first before executing it. [[Image:25C3_C09.png|thumb|left|C09]] The next stage in the [[S5L8900#Boot Chain|boot process]] after [[LLB]] is [[iBoot]], which is loaded from the image list. If you’re familiar at all with the Mac boot process, [[iBoot]] is analogous to [[wikipedia:Open Firmware|Open Firmware]]. On a Mac machine, instead of the [[kernel]] probing devices and discovering what hardware is there, the [[bootloader]] provides the [[kernel]] with the [[DeviceTree]], which has all this information already included. And [[iBoot]] loads the [[DeviceTree]] from the [[NOR]]. The [[DeviceTree]] - there’s one for each different type of platform, one for the [[M68ap|iPhone]], one for the [[N82ap|iPhone 3G]] and one for the [[N45ap|iPod touch]]. And this [[DeviceTree]] is only partially populated. There’s still some device-specific things, like the serial number, that must be added by [[iBoot]]. Also Apple uses different components from different vendors in their manufacturing process. There’ll be a few different types of LCD panels that they use and a few different types of [[NAND]] chips from different vendors, and some of them have their own initialization sequences. Instead of having the [[kernel]] do that, [[iBoot]] actually does that, which makes the [[kernel]] more flexible. So it populates the [[DeviceTree]] with [[wikipedia:Gamma correction|gamma]] tables, Wi-Fi calibration data; it does all of that. And then finally it loads the [[kernel]] from [[NAND]] and executes it. The thing here is that [[iBoot]] checks signatures on everything. It checks signatures on the [[kernel]], it checks signatures on the [[DeviceTree]], and even the boot logo and graphics that it displays. So we need to get around this in order to achieve our eventual goal of running unsigned applications on the iPhone. And the whole structure works like this. You have this whole chain that signature-checks the [[kernel]] and then the kernel signature-checks all the userland applications.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Image:25C3_C10.png|thumb|C10]] So there’s one slight problem with this scheme. We know that userland applications are signature-checked by the [[kernel]], which is good. And the [[kernel]] is signature-checked by [[iBoot]], so that’s good. [[iBoot]] is signature-checked by the [[LLB]]. OK. But is the [[LLB]] signature-checked by the [[bootrom]]? No! So, that’s a big problem. So all we need to do is just flash our own [[LLB]] and then patch all the signature-checking on all the subsequent stages and then we can run our own code. This is a little bit easier said than done though. The only way we can flash the [[NOR]] is through the [[iPhone Restore Procedure|restore process]], and I’ll explain why in a second after I tell you what it is. [[Image:25C3_C11.png|thumb|left|C11]] Every stage in the [[S5L8900#Boot Chain|boot process]] that I described earlier can abort to either [[DFU Mode|DFU]] or [[Recovery Mode]], and it’s activated by either keypresses or if the next stage can’t load. [[Recovery Mode]] is basically a USB or serial console. It’s a feature of [[iBoot]]. And [[DFU Mode]] is just a mode where [[iBoot]] can be loaded and you can get into [[Recovery Mode]]. So the [[iPhone Restore Procedure|restore process]] is basically that a version of [[iBoot]] - a newer version, the latest one - is loaded by [[iTunes]] onto the existing version of [[iBoot]] or [[DFU Mode]]. And then [[iTunes]] sends the latest [[kernel]] and a [[Restore Ramdisk|Restore ramdisk]] to this [[iBoot]]. And then [[iBoot]] boots the [[kernel]] from the [[Restore Ramdisk|ramdisk]]. The [[iPhone Restore Procedure|restore process]] itself is actually conducted by this [[Restore Ramdisk|ramdisk]]/[[kernel]] combination’s [[lockdownd]] daemon, called [[restored]]. The [[lockdownd]] thing, as I described, communicates with [[iTunes]]; it downloads an ASR image. I don’t know if you guys know about ASR, but it’s an Apple backup thing. ASR image from iTunes: it also downloads [[NOR]] firmware to be flashed. And the good thing about this process is it’s actually very well designed. It’s pretty much impossible to break the iPhone because of this process. Because you can at any point... break the [[S5L8900|applications processor]] that is. At any point, because you can always bootstrap the [[iPhone Restore Procedure|restore process]] like this. [[Image:25C3_C12.png|thumb|C12]] The way that this [[iPhone Restore Procedure|restore process]] is protected is that [[iBoot]] that’s loaded from any stage is signature-checked before being executed. The [[Restore Ramdisk|ramdisk]] and [[kernel]] are also signature-checked by [[iBoot]], and [[restored]] itself signature-checks the [[wikipedia:Apple Software Restore|ASR]] image and the [[NOR]] firmware, and it already sits on a signature-checked [[Restore Ramdisk|ramdisk]], so it itself cannot normally be modified. [[Image:25C3_C13.png|thumb|left|C13]] Also, everything is encrypted with a key that’s derived from a hardware [[wikipedia:Advanced Encryption Standard|AES]] key. This [[wikipedia:Advanced Encryption Standard|AES]] key we can’t read, but the code on the iPhone can use it. These keys are disabled for any boot that’s not from a signed [[Restore/Update Ramdisks|ramdisk]]. So this means that even if we’re able to find a code execution exploit on a normal boot and have a privilege escalation exploit and communicate with the kernel and tell it to flash the [[NOR]], we still can’t do it, because we’re not in a secure mode. The filesystem itself is encrypted with [[wikipedia:FileVault|FileVault]], and the way that’s done is that the [[wikipedia:FileVault|FileVault]] key and also the expected [[wikipedia:Secure Hash Algorithm|SHA]] hash of the filesystem are stored on an encrypted [[Restore/Update Ramdisks|ramdisk]]. And this way everything is encrypted. This makes it difficult for us to do our work, because we can’t read any code and we can’t reverse engineer it. That’s the way that they planned it. [[Image:25C3_C14.png|thumb|C14]] So it still sounds pretty secure. This graph shows the modification vectors for every piece of the software that I mentioned. And you see that everything signature-checks everything else pretty much. So, it’s still pretty secure even if the [[bootrom]] doesn’t signature-check [[LLB]], as long as you can’t modify the [[NOR]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Image:25C3_C15.png|thumb|left|C15]] Well, there’s one problem: this chain can be broken. And the place we break it is at the [[bootrom]] level, where they can’t patch it or fix it in any way. So it’s pretty much your standard stack overflow exploit. They’re processing certificates which are in [[wikipedia:Distinguished Encoding Rules|DER format]]. They copy all the certificate information onto the stack, but the signature itself is copied into this data structure without any sort of bounds checking. So then you have this classic stack buffer overflow and then you just make the signature checking function return true. I was just gonna show you – I probably don’t have enough time to do a very thorough job of this, but basically [[Image:25C3_C16.png|thumb|C16]] this is the function that we want to return true. We want to jump to offset 57EC and make R4=1, because our R4 gets moved into the return value later. CheckCertificateAndGetSecureBootOnes is the function that has the vulnerability. As you can see, in the [[Image:25C3_C17.png|thumb|left|C17]] highlighted areas it makes space on the stack for three certificate structs. So what you wanna do is construct a certificate [[wikipedia:Distinguished Encoding Rules|DER]] that’s structured like this. The thing that’s overflowable is [[MCertSignatureValue]], so you have 0x30 bytes of padding at the end to cover the rest of these, and then you can start loading the registers with your own exploit values. So 1 for R4; we don’t really care about the other registers. [[Image:25C3_C18.png|thumb|C18]] And the offset 57EC for the PC – for the program counter. So that’s basically our exploit. What we load from this is what we called [[Pwnage]], which is our complete solution as it were. [[Image:25C3_C19.png|thumb|left|C19]] What we do is we patch every single stage, like where I mentioned all the signature checks, we patch all of those out. And what we do, we patch out in the [[LLB]], [[iBoot]], [[kernel]], the [[restored]] on the [[Restore/Update Ramdisks|ramdisk]], and on the filesystem image, because we patched out the signature checking on [[restored]], we can put our own sort of [[App Store]] for unsigned programs, for things that Apple won’t support. And the two most popular ones are [[Cydia]] and [[Installer.app|Installer]]. We use the [[Pwnage 2.0|DFU exploit]] to load a version of [[iBoot]] that doesn’t perform signature checking and then we use the normal [[iPhone Restore Procedure|restore process]] to restore the rest of it; to flash the rest of this onto the iPhone. And what ends up happening is that we can use [[iTunes]] to flash our own custom firmware onto the iPhone. So, yeah. (applause)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Image:25C3_C20.png|thumb|C20]] Just briefly I’ll mention stuff that Apple did wrong to make the job easier for us, and probably the biggest reason is that instead of rolling out all these wonderful security mechanisms at once, they did it piece by piece and they sort of made a few mistakes early on in the process. And by doing so they allowed us to get access to pieces of code, and we were able to reverse engineer it and we were able to figure out how it all worked and where the vulnerable points are and how to attack it. One of the early mistakes is in 1.0.2. The iPhone actually trusted [[iTunes]], which we can modify easily. At that point we could actually send custom restore commands and [[jailbreak]] the iPhone. Another flaw was that none of the executables were signed at that point, so you could make a simple file system alteration and you’re jailbroken. [[Image:25C3_C21.png|thumb|left|C21]] Another vulnerability in 1.1.1 and 1.1.2 is that everything used to run as [[wikipedia:Superuser|root]]. So if you find a vulnerability within any userland program, then you have root. They also left some interesting things like [[/dev/kmem]], which means that we can poke and peek kernel memory and execute kernel code, so that was kinda bad. [[Image:25C3_C22.png|thumb|C22]] And finally, probably the mistake that first allowed [[Pwnage]] was that they left the [[boot arguments]] pmd= and vmd=, and these [[boot arguments]] can construct a [[Restore/Update Ramdisks|ramdisk]] to boot out of anything. And that basically... not out of anything but out of any contiguous portion of memory. And that allowed us to bootstrap a [[Restore/Update Ramdisks|ramdisk]] pretty easily, because when we upload a [[Restore/Update Ramdisks|ramdisk]], the iPhone has to store it in memory somewhere and then signature-check it and then decide whether it wants to pass it on to the kernel based on whether the signature is correct. But even if it fails the signature check, the [[Restore/Update Ramdisks|ramdisk]] is still in memory, so we can use pmd= or vmd= to construct a [[Restore/Update Ramdisks|ramdisk]] out of that portion of memory that it temporarily stores the upload in. And then this basically allowed us to boot from an unsigned [[Restore/Update Ramdisks|ramdisk]] right away. And allowed us to flash our first [[bootloader]]s. We learned a lot from this process. We now have adequate control over the iPhone’s hardware to even run Linux on it, so that’s basically where we are. I’ll pass it to [[User:MuscleNerd|Musclenerd]] to describe the [[Baseband Firmware]].&lt;br /&gt;
&lt;br /&gt;
=== Part 2: Baseband (by [[User:MuscleNerd|MuscleNerd]]) ===&lt;br /&gt;
(in work by [[User:http|http]], will follow here)&lt;br /&gt;
&lt;br /&gt;
=== End and Q&amp;amp;A ===&lt;br /&gt;
(in work by [[User:http|http]], will follow here)&lt;br /&gt;
&lt;br /&gt;
[[Category:Events]]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=SHSH&amp;diff=7034</id>
		<title>SHSH</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=SHSH&amp;diff=7034"/>
		<updated>2010-07-15T14:45:23Z</updated>

		<summary type="html">&lt;p&gt;D235j: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;An 0x80-byte (1024-bit) RSA signature over a firmware image.&lt;br /&gt;
&lt;br /&gt;
The term is also used for the backup file that holds such signatures. The signature is needed to restore a specific firmware version: it is generated by Apple's signing server from device-specific hardware identifiers and the hash of the firmware image, so it is bound to one device and one firmware version. Because nothing in the signed data ties it to the time of the request, a saved signature can be [http://en.wikipedia.org/wiki/Replay_attack replayed] later: the old firmware can still be restored after Apple has stopped issuing signatures for it, which is otherwise how Apple prevents installing older firmware. It is therefore recommended to save the signature for your device while Apple is still issuing it.&lt;br /&gt;
&lt;br /&gt;
To downgrade, edit your hosts file so that requests for Apple's signing server are sent to [[Saurik]]'s server instead (this works if your signature is cached there). If you have the signature file yourself, run TinyTSS on your local machine and point the hosts entry at it.&lt;br /&gt;
&lt;br /&gt;
Not all devices have this check built in. Older devices accept any correctly signed firmware, so no backup of the signature is necessary. Devices that need a per-device Apple signature are: iPhone 3G (?), iPhone 3GS, iPhone 4, iPod Touch 3rd generation, iPad and all newer devices.&lt;br /&gt;
&lt;br /&gt;
With the tools listed below it is possible to back up the signature; the device does not need to be jailbroken for this. Usually the SHSH signature file is stored on [[Saurik]]'s server, and if it is stored there, [[Cydia]] (on jailbroken devices) shows for which versions a backup exists.&lt;br /&gt;
&lt;br /&gt;
A common misconception, even among users who understand the above, is that the firmware version of the SHSH they can back up depends on the version installed on their device. It does not: which signature you can save depends only on which version Apple is signing at that moment, which in turn depends on the date. For example, in April 2010 you could only back up the signature for firmware 3.1.3, even with 3.1.1 still installed on your phone. Here's a timeline:&lt;br /&gt;
&lt;br /&gt;
* (announced for July 2010) firmware 4.1&lt;br /&gt;
* 21 June 2010 firmware 4.0&lt;br /&gt;
* 3 April 2010 firmware 3.2 (for iPad)&lt;br /&gt;
* 2 February 2010 firmware 3.1.3&lt;br /&gt;
* 8 October 2009 firmware 3.1.2&lt;br /&gt;
* (?) firmware 3.1.1&lt;br /&gt;
* 9 September 2009 3.1&lt;br /&gt;
* (?) firmware 3.0.1&lt;br /&gt;
* 17 June 2009 firmware 3.0&lt;br /&gt;
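&lt;br /&gt;
The replay described above, as an added example that is not Apple's or Cydia's code: a mock signing server, the device-side check, and a user who saved a blob while 3.1.3 was being signed and replays it after the signing window has moved on to 4.0. It assumes the signed data is only the device's unique ID ([[ECID]]) plus the firmware hash, with no nonce and no expiry, and uses HMAC-SHA256 with a server secret as a stand-in for Apple's RSA signature; the ECIDs, firmware images and secret are constructed.&lt;br /&gt;
&lt;br /&gt;
```python
"""Added example, not Apple's or Cydia's code: a model of the SHSH flow.
Assumed: the signed data is just ECID plus firmware hash (no nonce, no
expiry), which is what makes a saved blob replayable, and HMAC-SHA256 with
a server secret stands in for Apple's RSA signature."""
import hashlib
import hmac


def firmware_hash(image):
    return hashlib.sha1(image).digest()


def signed_message(ecid, fw_hash):
    """What the signature covers: device identity and image identity only."""
    return ecid.to_bytes(8, "big") + fw_hash


class SigningServer:
    """Apple-side signer: answers only for versions it is signing today."""

    def __init__(self, secret):
        self.secret = secret
        self.signing = set()

    def sign(self, ecid, version, fw_hash):
        if version not in self.signing:
            return None            # the request is refused, no blob for you
        msg = signed_message(ecid, fw_hash)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()


def blob_is_valid(secret, ecid, fw_hash, blob):
    """Device-side check.  In reality this is a public-key verification, so
    the device holds no secret; the HMAC stand-in needs one."""
    if blob is None:
        return False
    expected = hmac.new(secret, signed_message(ecid, fw_hash), hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob)


def run_scenario():
    secret = b"tss-demo-secret"                                   # constructed
    images = {"3.1.1": b"fw-3.1.1", "3.1.3": b"fw-3.1.3", "4.0": b"fw-4.0"}  # constructed stand-ins
    hashes = {v: firmware_hash(img) for v, img in images.items()}
    server = SigningServer(secret)
    ecid_a, ecid_b = 0x000000A5C1D2E3F4, 0x000000B6D2E3F405          # constructed ECIDs
    saved = {}                     # user A's backup, what the tools below store
    results = {}

    # April 2010: Apple signs only 3.1.3.  Device A still runs 3.1.1.
    server.signing = {"3.1.3"}
    saved["3.1.3"] = server.sign(ecid_a, "3.1.3", hashes["3.1.3"])
    results["saved_313"] = saved["3.1.3"] is not None
    # The installed version is irrelevant: no 3.1.1 blob can be obtained now.
    results["blob_311_today"] = server.sign(ecid_a, "3.1.1", hashes["3.1.1"]) is not None

    # After 21 June 2010: only 4.0 is signed, so a fresh 3.1.3 request fails...
    server.signing = {"4.0"}
    results["blob_313_fresh"] = server.sign(ecid_a, "3.1.3", hashes["3.1.3"]) is not None
    # ...but the saved blob still verifies: nothing in it says when it was issued.
    results["replay_313"] = blob_is_valid(secret, ecid_a, hashes["3.1.3"], saved["3.1.3"])
    # The blob is bound to device A and to that exact image, nothing else.
    results["replay_on_device_b"] = blob_is_valid(secret, ecid_b, hashes["3.1.3"], saved["3.1.3"])
    results["replay_other_image"] = blob_is_valid(secret, ecid_a, hashes["4.0"], saved["3.1.3"])
    return results
```
&lt;br /&gt;
The hosts-file trick in the text changes only where iTunes fetches the blob from; the device-side check is unchanged, which is why a server that merely stores and returns saved blobs is enough. The replay works only as long as the signed data carries nothing fresh: if the device contributed a per-restore nonce that the signature had to cover, a saved blob would fail this same check.&lt;br /&gt;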
&lt;br /&gt;
==Links and Tools==&lt;br /&gt;
* [http://thefirmwareumbrella.blogspot.com/ Umbrella/TinyTSS] requires Java installed&lt;br /&gt;
* [http://ih8sn0w.com/ AutoSHSH tool] Was offered there, but has not worked since 4.0. It was a quick and easy tool for end users.&lt;br /&gt;
* [http://www.saurik.com/id/12 Detailed background info from Saurik]&lt;br /&gt;
&lt;br /&gt;
[[Category:Firmware Tags]]&lt;br /&gt;
[[Category:Firmware Parsing]]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=User_talk:Geohot&amp;diff=6963</id>
		<title>User talk:Geohot</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=User_talk:Geohot&amp;diff=6963"/>
		<updated>2010-07-14T19:55:21Z</updated>

		<summary type="html">&lt;p&gt;D235j: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Future of this Wiki ==&lt;br /&gt;
&lt;br /&gt;
[[Geohot]] is the founder of this wiki. Now that he has retired (or whatever) I would be interested to know how this Wiki continues. I'm a little scared that he could just turn it off. Maybe we should make some backups now? Or can geohot or a close insider provide some info about the future of this Wiki? If geohot needs someone to take over this project, I would be happy to do so (and probably many others also). It would be awful to see all our contributions fade away. A clear statement by any insider would help. Thanks. --[[User:Http|http]] 18:58, 13 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
I currently have no plans to shut down this wiki. Rest assured that if I do, I will make a backup available online. --[[User:Geohot|geohot]] 19:17, 13 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
Thanks for clarification. This helps a lot. --[[User:Http|http]] 22:39, 13 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Access to [http://iphonejtag.blogspot.com/ blog] archives ==&lt;br /&gt;
Will you post the information on your initial iPhone 2G unlock anywhere? This used to be on your blog (in the archives) and was quite fascinating... :( [[User:D235j|D235j]] 01:41, 14 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Other ==&lt;br /&gt;
&lt;br /&gt;
You made a rational decision leaving the jailbreak community. After all the crap you had to take from people I don't blame you. I'm sorry for ever adding to the BS you deal with on a day-to-day basis. [[User:Leobruh|Leobruh]] 22:42, 13 July 2010 (UTC)!&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=User_talk:Geohot&amp;diff=6947</id>
		<title>User talk:Geohot</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=User_talk:Geohot&amp;diff=6947"/>
		<updated>2010-07-14T01:41:47Z</updated>

		<summary type="html">&lt;p&gt;D235j: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Future of this Wiki ==&lt;br /&gt;
&lt;br /&gt;
[[Geohot]] is the founder of this wiki. Now that he has retired (or whatever) I would be interested to know how this Wiki continues. I'm a little scared that he could just turn it off. Maybe we should make some backups now? Or can geohot or a close insider provide some info about the future of this Wiki? If geohot needs someone to take over this project, I would be happy to do so (and probably many others also). It would be awful to see all our contributions fade away. A clear statement by any insider would help. Thanks. --[[User:Http|http]] 18:58, 13 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
I currently have no plans to shut down this wiki. Rest assured that if I do, I will make a backup available online. --[[User:Geohot|geohot]] 19:17, 13 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
Thanks for clarification. This helps a lot. --[[User:Http|http]] 22:39, 13 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
Will you post the information on your initial iPhone 2G unlock anywhere? This used to be on your blog (in the archives) and was quite fascinating... :( [[User:D235j|D235j]] 01:41, 14 July 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
== Other ==&lt;br /&gt;
&lt;br /&gt;
You made a rational decision leaving the jailbreak community. After all the crap you had to take from people I don't blame you. I'm sorry for ever adding to the BS you deal with on a day-to-day basis. [[User:Leobruh|Leobruh]] 22:42, 13 July 2010 (UTC)!&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&amp;diff=6633</id>
		<title>Talk:XMM6180</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&amp;diff=6633"/>
		<updated>2010-06-22T21:43:51Z</updated>

		<summary type="html">&lt;p&gt;D235j: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Are we sure this is the baseband? &lt;br /&gt;
&lt;br /&gt;
The infineon spec-sheet says &amp;quot;HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
At the keynote Steve mentioned 5.8Mbps HSUPA.&lt;br /&gt;
[[User:Iemit737|Iemit737]] 19:26, 21 June 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
Running &amp;quot;string&amp;quot; on the new baseband files shows &amp;quot;XGold 618&amp;quot; multiple times.&lt;br /&gt;
--[[User:Miketress|Miketress]] 19:35, 21 June 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
Ok, awesome. Thanks for finding this so quickly! [[User:Iemit737|Iemit737]] 19:50, 21 June 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
Very unlikely it's the 618 after looking at the spec sheet.&lt;br /&gt;
In case anyone is interested: [http://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a39470bb00555 X-Gold 616 spec sheet], [https://www.infineon.com/cms/en/product/channel.html?channel=db3a304319c6f18c011a3948dc76055b X-Gold 618 spec sheet].&lt;br /&gt;
[[User:D235j|D235j]] 21:43, 22 June 2010 (UTC)&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&amp;diff=6631</id>
		<title>Talk:XMM6180</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:XMM6180&amp;diff=6631"/>
		<updated>2010-06-22T21:38:51Z</updated>

		<summary type="html">&lt;p&gt;D235j: Talk:X-Gold 618 moved to Talk:X-Gold 616: The X-Gold 618 doesn't support the same speeds that Apple has advertised. Also, the product brief indicates that it is designed for single-processor phones.
The X-Gold 616 better fits the iPhone 4 advertis&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Are we sure this is the baseband? &lt;br /&gt;
&lt;br /&gt;
The infineon spec-sheet says &amp;quot;HSDPA/HSUPA capabilities of 7.2Mbps/2.9Mbps&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
At the keynote Steve mentioned 5.8Mbps HSUPA.&lt;br /&gt;
[[User:Iemit737|Iemit737]] 19:26, 21 June 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
Running &amp;quot;string&amp;quot; on the new baseband files shows &amp;quot;XGold 618&amp;quot; multiple times.&lt;br /&gt;
--[[User:Miketress|Miketress]] 19:35, 21 June 2010 (UTC)&lt;br /&gt;
&lt;br /&gt;
Ok, awesome. Thanks for finding this so quickly! [[User:Iemit737|Iemit737]] 19:50, 21 June 2010 (UTC)&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=XMM6180&amp;diff=6629</id>
		<title>XMM6180</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=XMM6180&amp;diff=6629"/>
		<updated>2010-06-22T21:38:50Z</updated>

		<summary type="html">&lt;p&gt;D235j: X-Gold 618 moved to X-Gold 616: The X-Gold 618 doesn't support the same speeds that Apple has advertised. Also, the product brief indicates that it is designed for single-processor phones.
The X-Gold 616 better fits the iPhone 4 advertised specs, &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is the baseband processor used in the iPhone 4.&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=X-Gold_618&amp;diff=6630</id>
		<title>X-Gold 618</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=X-Gold_618&amp;diff=6630"/>
		<updated>2010-06-22T21:38:50Z</updated>

		<summary type="html">&lt;p&gt;D235j: X-Gold 618 moved to X-Gold 616: The X-Gold 618 doesn't support the same speeds that Apple has advertised. Also, the product brief indicates that it is designed for single-processor phones.
The X-Gold 616 better fits the iPhone 4 advertised specs, &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;#REDIRECT [[X-Gold 616]]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Baseband_Firmware&amp;diff=6601</id>
		<title>Baseband Firmware</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Baseband_Firmware&amp;diff=6601"/>
		<updated>2010-06-21T20:25:50Z</updated>

		<summary type="html">&lt;p&gt;D235j: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The main firmware image executed by the [[Baseband Device|baseband]]. You can get these files from /usr/local/standalone/firmware on the corresponding firmware's ramdisk.&lt;br /&gt;
&lt;br /&gt;
The baseband version that ships with each iPhone firmware is listed on the [[firmware]] page, and also on the [[X-Gold 608#Known_Firmware_Versions|X-Gold 608]] article for the [[N82ap|iPhone 3G]]/[[N88ap|3GS]].&lt;br /&gt;
&lt;br /&gt;
The .eep file is the external EEPROM image; the .fls file is the firmware itself.&lt;br /&gt;
&lt;br /&gt;
The [[N90ap|iPhone 4]] has a single baseband firmware file. For example, the 4.0 baseband firmware is named ICE3_01.59.00_BOOT_02.06.Release.bbfw. Despite the extension, this is a .zip archive containing four baseband firmware files.&lt;br /&gt;
&lt;br /&gt;
==Other links==&lt;br /&gt;
[http://www.deloware.com/iphone/doku.php?id=bbupdater bbupdater]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Baseband_Device&amp;diff=6410</id>
		<title>Baseband Device</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Baseband_Device&amp;diff=6410"/>
		<updated>2010-05-18T17:53:52Z</updated>

		<summary type="html">&lt;p&gt;D235j: Undo revision 6409 by D235j (Talk)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is the device in the iPhone that manages all the functions which require an antenna. The baseband processor has its own RAM and keeps its firmware in its own NOR flash, separate from the main (application) processor's resources. To the main OS the baseband is a peripheral resource. Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.&lt;br /&gt;
&lt;br /&gt;
The [[iPhone]]'s baseband processor is the [[S-Gold 2]].&lt;br /&gt;
The [[iPhone 3G]] and the [[iPhone 3GS]] make use of the [[X-Gold 608]] chip for this purpose.&lt;br /&gt;
&lt;br /&gt;
You can check some [[Baseband Commands]] too (by pH and EvilPenguin).&lt;br /&gt;
&lt;br /&gt;
==Seczone==&lt;br /&gt;
This is the area in the baseband where the lock state is stored.&lt;br /&gt;
&lt;br /&gt;
===Layout===&lt;br /&gt;
 0x400--NCK token&lt;br /&gt;
 0xB00--IMEI&lt;br /&gt;
 0xB10--IMEI signature&lt;br /&gt;
 0xC00--Locks table&lt;br /&gt;
&lt;br /&gt;
===Encryption===&lt;br /&gt;
Many of the sections are encrypted with TEA, using a key derived from the CHIPID and NORID. See [[NCK Brute Force]] for more info.&lt;br /&gt;
&lt;br /&gt;
==Exploits==&lt;br /&gt;
* [[SIM hacks]]&lt;br /&gt;
===[[S-Gold 2]]===&lt;br /&gt;
* [[Fakeblank]]&lt;br /&gt;
* [[IPSF]]&lt;br /&gt;
* [[Minus 0x400]]&lt;br /&gt;
* [[Minus 0x20000 with Back Extend Erase]]&lt;br /&gt;
===[[X-Gold 608]]=== &lt;br /&gt;
* [[JerrySIM]]&lt;br /&gt;
* [[AT+stkprof]]&lt;br /&gt;
* [[AT+XLOG Vulnerability]]&lt;br /&gt;
* [[AT+XEMN Heap Overflow]]&lt;br /&gt;
&lt;br /&gt;
==Theoretical Attacks==&lt;br /&gt;
* [[NCK Brute Force]]&lt;br /&gt;
* [[Baseband JTAG]]&lt;br /&gt;
&lt;br /&gt;
==Boot Chain==&lt;br /&gt;
[[Baseband Bootrom|bootrom]]-&amp;gt;[[Baseband Bootloader|bootloader]]-&amp;gt;[[Baseband Firmware|firmware]]&lt;br /&gt;
&lt;br /&gt;
[[Category:Baseband]]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Baseband_Device&amp;diff=6409</id>
		<title>Baseband Device</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Baseband_Device&amp;diff=6409"/>
		<updated>2010-05-18T17:18:00Z</updated>

		<summary type="html">&lt;p&gt;D235j: JerrySIM is for 2G 4.6, not 3G&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is the device in the iPhone that manages all the functions which require an antenna. The baseband processor has its own RAM and keeps its firmware in its own NOR flash, separate from the main (application) processor's resources. To the main OS the baseband is a peripheral resource. Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.&lt;br /&gt;
&lt;br /&gt;
The [[iPhone]]'s baseband processor is the [[S-Gold 2]].&lt;br /&gt;
The [[iPhone 3G]] and the [[iPhone 3GS]] make use of the [[X-Gold 608]] chip for this purpose.&lt;br /&gt;
&lt;br /&gt;
You can check some [[Baseband Commands]] too (by pH and EvilPenguin).&lt;br /&gt;
&lt;br /&gt;
==Seczone==&lt;br /&gt;
This is the area in the baseband where the lock state is stored.&lt;br /&gt;
&lt;br /&gt;
===Layout===&lt;br /&gt;
 0x400--NCK token&lt;br /&gt;
 0xB00--IMEI&lt;br /&gt;
 0xB10--IMEI signature&lt;br /&gt;
 0xC00--Locks table&lt;br /&gt;
&lt;br /&gt;
===Encryption===&lt;br /&gt;
Many of the sections are encrypted with TEA, using a key derived from the CHIPID and NORID. See [[NCK Brute Force]] for more info.&lt;br /&gt;
&lt;br /&gt;
==Exploits==&lt;br /&gt;
* [[SIM hacks]]&lt;br /&gt;
===[[S-Gold 2]]===&lt;br /&gt;
* [[Fakeblank]]&lt;br /&gt;
* [[IPSF]]&lt;br /&gt;
* [[Minus 0x400]]&lt;br /&gt;
* [[JerrySIM]]&lt;br /&gt;
* [[Minus 0x20000 with Back Extend Erase]]&lt;br /&gt;
===[[X-Gold 608]]=== &lt;br /&gt;
* [[AT+stkprof]]&lt;br /&gt;
* [[AT+XLOG Vulnerability]]&lt;br /&gt;
* [[AT+XEMN Heap Overflow]]&lt;br /&gt;
&lt;br /&gt;
==Theoretical Attacks==&lt;br /&gt;
* [[NCK Brute Force]]&lt;br /&gt;
* [[Baseband JTAG]]&lt;br /&gt;
&lt;br /&gt;
==Boot Chain==&lt;br /&gt;
[[Baseband Bootrom|bootrom]]-&amp;gt;[[Baseband Bootloader|bootloader]]-&amp;gt;[[Baseband Firmware|firmware]]&lt;br /&gt;
&lt;br /&gt;
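TEA as named in the Encryption section, run over a constructed seczone image laid out at the offsets from the Layout section; this is an added example, not the baseband's code. The page does not give the key derivation, the cipher mode or the field sizes, so the example assumes a 128-bit key made of CHIPID and NORID as two big-endian 64-bit values, ECB on 8-byte blocks, and the field lengths in FIELDS; the hardware IDs and the IMEI are constructed.&lt;br /&gt;
&lt;br /&gt;
```python
"""Added example, not the baseband's code: TEA over a constructed seczone
image using the offsets from the Layout section.  Assumed (not on the page):
key = CHIPID || NORID as big-endian 64-bit values, ECB mode on 8-byte
blocks, and the field sizes in FIELDS."""
DELTA = 0x9E3779B9      # TEA key-schedule constant
M32 = 2 ** 32
ROUNDS = 32
SECZONE_SIZE = 0x1000   # assumed image size for the demo

# name: (offset from the Layout section, assumed length in bytes)
FIELDS = {
    "nck_token": (0x400, 0x10),
    "imei": (0xB00, 0x10),
    "imei_sig": (0xB10, 0x80),
    "locks": (0xC00, 0x40),
}


def tea_encrypt_block(v0, v1, k):
    """One 64-bit block, the reference 32-round TEA schedule.  Only the low
    32 bits of each intermediate matter, so reducing once per step is enough."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) % M32
        v0 = (v0 + (((v1 * 16) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) % M32
        v1 = (v1 + (((v0 * 16) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) % M32
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    s = (DELTA * ROUNDS) % M32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 * 16) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) % M32
        v0 = (v0 - (((v1 * 16) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) % M32
        s = (s - DELTA) % M32
    return v0, v1


def tea_ecb(data, key, encrypt):
    """Apply TEA block by block (ECB, an assumption).  key is 16 bytes."""
    if len(data) % 8 != 0 or len(key) != 16:
        raise ValueError("TEA needs 8-byte blocks and a 16-byte key")
    k = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    step = tea_encrypt_block if encrypt else tea_decrypt_block
    out = bytearray()
    for i in range(0, len(data), 8):
        v0 = int.from_bytes(data[i:i + 4], "big")
        v1 = int.from_bytes(data[i + 4:i + 8], "big")
        r0, r1 = step(v0, v1, k)
        out += r0.to_bytes(4, "big") + r1.to_bytes(4, "big")
    return bytes(out)


def seczone_key(chipid, norid):
    """Assumed derivation: the two hardware IDs simply concatenated."""
    return chipid.to_bytes(8, "big") + norid.to_bytes(8, "big")


def build_seczone(key, values):
    """Constructed image: each field from FIELDS written encrypted at its offset."""
    image = bytearray(SECZONE_SIZE)
    for name, (off, length) in FIELDS.items():
        plain = values.get(name, b"").ljust(length, b"\x00")[:length]
        image[off:off + length] = tea_ecb(plain, key, True)
    return bytes(image)


def read_field(image, key, name):
    off, length = FIELDS[name]
    return tea_ecb(image[off:off + length], key, False)


def demo():
    chipid, norid = 0x0123456789ABCDEF, 0xFEDCBA9876543210   # constructed IDs
    key = seczone_key(chipid, norid)
    imei = b"490154203237518"                                # constructed 15-digit IMEI
    image = build_seczone(key, {"imei": imei, "locks": b"\x01" * 8})
    other = seczone_key(chipid + 1, norid)                   # a different device's key
    return {
        "imei_back": read_field(image, key, "imei").rstrip(b"\x00"),
        "imei_in_clear": imei in image,
        "other_device_reads_imei": read_field(image, other, "imei").rstrip(b"\x00") == imei,
    }
```
&lt;br /&gt;
What the demo shows: the IMEI cannot be found in the raw image, it decrypts correctly only with the key of the device it came from, and a seczone dump taken from one phone reads as garbage under another phone's IDs. Replace seczone_key with the real derivation once it is known; nothing else depends on it.&lt;br /&gt;
&lt;br /&gt;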
[[Category:Baseband]]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Ramdisk_Hack&amp;diff=6288</id>
		<title>Ramdisk Hack</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Ramdisk_Hack&amp;diff=6288"/>
		<updated>2010-04-29T20:48:24Z</updated>

		<summary type="html">&lt;p&gt;D235j: oops&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This allows unsigned ramdisks to be booted. It was first publicized by [[ZiPhone]].&lt;br /&gt;
&lt;br /&gt;
==Credit==&lt;br /&gt;
[[Zibri]]&lt;br /&gt;
&lt;br /&gt;
==Exploit==&lt;br /&gt;
Passing pmd*= boot-args that describe a ramdisk located in RAM above 0x9C000000 lets any ramdisk be booted, signed or not: an uploaded ramdisk is still sitting in memory there even after its signature check has failed, so the boot-args simply point the kernel at it.&lt;br /&gt;
&lt;br /&gt;
==Implementation==&lt;br /&gt;
* [[PwnageTool]]&lt;br /&gt;
* [[ZiPhone]]&lt;br /&gt;
* iPlus&lt;br /&gt;
* iLibertyX / [[iLiberty+]]&lt;br /&gt;
* iFree &lt;br /&gt;
* iPhone Forensics Toolkit&lt;br /&gt;
* iNdependence&lt;br /&gt;
* Any Jailbreak program so far&lt;br /&gt;
* iTunes&lt;br /&gt;
* Android&lt;br /&gt;
* Zune&lt;br /&gt;
* Linux&lt;br /&gt;
* Windows Mobile&lt;br /&gt;
* webOS&lt;br /&gt;
* BlackBerry OS&lt;br /&gt;
&lt;br /&gt;
== History ==&lt;br /&gt;
&lt;br /&gt;
Credit goes to Zibri for the discovery of the ramdisk hack. First implemented in ZiPhone, it allowed jailbreaks to run on the fly, faster than previous jailbreak implementations.&lt;br /&gt;
&lt;br /&gt;
[[Category:Jailbreaks]]&lt;br /&gt;
[[Category:Exploits]]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=User:Zibri&amp;diff=6287</id>
		<title>User:Zibri</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=User:Zibri&amp;diff=6287"/>
		<updated>2010-04-29T20:45:47Z</updated>

		<summary type="html">&lt;p&gt;D235j: deleted nonsense&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The creator of [[ZiPhone]] and the first to publish [[Key_0x837]].&lt;br /&gt;
&lt;br /&gt;
==External links==&lt;br /&gt;
* [http://www.zibri.org/ Zibri's blog]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=A4&amp;diff=5756</id>
		<title>A4</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=A4&amp;diff=5756"/>
		<updated>2010-01-30T20:16:35Z</updated>

		<summary type="html">&lt;p&gt;D235j: typo correction [there is no SGX 45]&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;A4 is a SoC designed by Apple's in-house chip design department. It is used in the [[k48ap|iPad]].&lt;br /&gt;
&lt;br /&gt;
== Specifications ==&lt;br /&gt;
CPU: ARM Cortex-A8 (single core)&lt;br /&gt;
&lt;br /&gt;
GPU: PowerVR SGX 535&lt;br /&gt;
&lt;br /&gt;
Video and audio playback: PowerVR VXD&lt;br /&gt;
&lt;br /&gt;
== Links ==&lt;br /&gt;
[http://www.apple.com/ipad/specs/ http://www.apple.com/ipad/specs/]&lt;br /&gt;
&lt;br /&gt;
[http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&amp;diff=5297</id>
		<title>AT+XEMN Heap Overflow</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=AT%2BXEMN_Heap_Overflow&amp;diff=5297"/>
		<updated>2009-10-28T04:47:06Z</updated>

		<summary type="html">&lt;p&gt;D235j: added possible heap overflow via AT+XEMN&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;AT+XEMN is a baseband AT command that, when issued (for example from minicom), crashes baseband firmware 5.11.07. The crash was at first judged non-exploitable; see the timeline below.&lt;br /&gt;
&lt;br /&gt;
== Exception Dump == &lt;br /&gt;
 +XLOG: Exception Number: 1&lt;br /&gt;
 Trap Class:     0xDDDD  (SW GENERATED TRAP)&lt;br /&gt;
 Identification: 140 (0x008C)&lt;br /&gt;
 Date: 22.10.2009&lt;br /&gt;
 Time: 00:30&lt;br /&gt;
 File: atform/text/_malloc.c&lt;br /&gt;
 Line: 1036&lt;br /&gt;
 Logdata:&lt;br /&gt;
  2E 0C 76 ED 40 14 31 64 61 74 63 3A 31 00 64 63   ..v.@.1datc:1.dc&lt;br /&gt;
  20 44 F4 E9 20 20 20 20 20 20 20 20 20 20 20 20    D..            &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   &lt;br /&gt;
  20 20 20 20 20 20 20 20&lt;br /&gt;
&lt;br /&gt;
== July 2009 ==&lt;br /&gt;
*Oranav discovers this command.&lt;br /&gt;
*Shortly after it was discovered, the iPhone Dev Team stated that the command is non-exploitable.&lt;br /&gt;
*Nothing more was said about the command.&lt;br /&gt;
&lt;br /&gt;
== September 2009 ==&lt;br /&gt;
*iH8sn0w discovered this command but kept it a secret for about a month - http://twitter.com/iH8sn0w/status/4353547726 &lt;br /&gt;
&lt;br /&gt;
== October 2009 ==&lt;br /&gt;
*When the Dev-Team stated that iH8sn0w did not have an unlock, he posted the command on Twitter - http://twitter.com/iH8sn0w/status/4954333558.&lt;br /&gt;
*Shortly after, Oranav discovered this and posted his hash from July - http://pastebin.ca/1485104.&lt;br /&gt;
*MuscleNerd tells iHacker that the command was received a while ago and was non-exploitable - http://twitter.com/MuscleNerd/status/4978871033 | http://twitter.com/iHacker/status/4978821448&lt;br /&gt;
*GeoHot tries the command and at first also finds it non-exploitable - http://twitter.com/geohot/status/4979506974&lt;br /&gt;
*The hunt for another exploit continues for new 3G/3G[S] users and for 3G/3G[S] users who upgrade to official Apple firmware.&lt;br /&gt;
*Geohot does more investigation and discovers that this command may indeed be exploitable - http://twitter.com/geohot/status/5196861045&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Jailbreak&amp;diff=4339</id>
		<title>Jailbreak</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Jailbreak&amp;diff=4339"/>
		<updated>2009-07-18T18:57:48Z</updated>

		<summary type="html">&lt;p&gt;D235j: fixed link to libtiff exploit&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This is the process by which full execute and write access is obtained on all partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition read-write. This is entirely different from an [[unlock]]. Jailbreaking is the first step that must be taken before things like non-official [[activation]] and non-official unlocking can proceed.&lt;br /&gt;
&lt;br /&gt;
The original jailbreak also modified the [[AFC|afc]] service (the service [[iTunes]] uses to access the filesystem) so that it exposed the whole filesystem from the root directory. This was later changed to adding a second service (afc2) that provides access to the full filesystem.&lt;br /&gt;
&lt;br /&gt;
Modern jailbreaks also patch the OS kernel to get around code signing and other restrictions.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Exploits which were used in order to jailbreak (in chronological order)==&lt;br /&gt;
=== 1.0.2 ===&lt;br /&gt;
* [[Restore Mode]] (iBoot had a command named cp, which had access to the whole filesystem)&lt;br /&gt;
=== 1.1.1 ===&lt;br /&gt;
* [[Symlinks]] (an update jailbreak)&lt;br /&gt;
* [[LibTiff | libtiff exploit]] (Adapted from the PSP scene, used by [[Jailbreakme]])&lt;br /&gt;
=== 1.1.2 / 1.1.3 ===&lt;br /&gt;
* [[Mknod]] (an update jailbreak)&lt;br /&gt;
=== 1.1.4 ===&lt;br /&gt;
* [[Ramdisk Hack]]&lt;br /&gt;
&lt;br /&gt;
==Exploits which are used in order to jailbreak 2.0 and above==&lt;br /&gt;
===iPhone / iPhone 3G / iPod Touch===&lt;br /&gt;
* [[Pwnage]] and [[Pwnage 2.0]] (together)&lt;br /&gt;
===iPod Touch 2G===&lt;br /&gt;
* [[ARM7 Go]] (used by tethered jailbreaks)&lt;br /&gt;
* [[24kpwn]]&lt;br /&gt;
===iPhone 3GS===&lt;br /&gt;
All jailbreaks use the [[24kpwn]] exploit, but an iBoot exploit is needed as well because of the [[ECID]] check.&lt;br /&gt;
====3.0====&lt;br /&gt;
* [[iBoot Environment Variable Overflow]]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=IPSF&amp;diff=4200</id>
		<title>IPSF</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=IPSF&amp;diff=4200"/>
		<updated>2009-07-13T20:51:56Z</updated>

		<summary type="html">&lt;p&gt;D235j: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;IPSF, or iPhone SIM Free, was the first software [[unlock]] available for the iPhone. It relied on two exploits, which weren't understood until much later. Both were present only in [[Bootloader 3.9]].&lt;br /&gt;
&lt;br /&gt;
==RSA cube root==&lt;br /&gt;
The first exploit found was a flaw in how the bootloader parsed the decrypted RSA signature block: the padding length only had to be greater than 0xA, and only the first 0x28 bytes of the payload were used. Because the public exponent was 3, an attacker could build the desired plaintext block, take its integer cube root and use the result as the signature: cubing it reproduces the first 0x28 bytes exactly, and the garbage from rounding only lands in the trailing bytes the parser ignored. That was enough to generate a valid token for 3.9.&lt;br /&gt;
&lt;br /&gt;
This forgery technique, against verifiers that fail to check the whole padded block when the public exponent is small, was described by Daniel Bleichenbacher in 2006. [http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html Bleichenbacher's RSA signature forgery based on implementation error]&lt;br /&gt;
&lt;br /&gt;
==SHA1 zero==&lt;br /&gt;
If the last 4 bytes of the SHA-1 hash of the uploaded data were zero, the endpack would validate and the first 0x400 bytes would be written. This is a brilliant exploit since it cannot be found by reversing the IPSF software.&lt;br /&gt;
&lt;br /&gt;
A loop checks whether all five dwords (5 * 32 bits = 160 bits) of the SHA-1 hash are zero and passes the check if they are. The SHA-1 bytes are initialised to zero for boot in &amp;quot;debug&amp;quot; mode, so the code is designed to handle that case. However, the loop is written incorrectly:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
u32 sha1[5];&lt;br /&gt;
bool bad = false;&lt;br /&gt;
for(i = 0; i &amp;lt; 5; i++) {&lt;br /&gt;
    bad = (sha1[i] != 0);   /* overwritten on every iteration: only sha1[4] is left */&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
Instead of&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
u32 sha1[5];&lt;br /&gt;
bool bad = false;&lt;br /&gt;
for(i = 0; i &amp;lt; 5; i++) {&lt;br /&gt;
    if(sha1[i] != 0) {      /* any non-zero word means the hash is not blank */&lt;br /&gt;
        bad = true;&lt;br /&gt;
        break;&lt;br /&gt;
    }&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
So bad only reflects the last word: the check passes whenever sha1[4] == 0, whatever sha1[0] to sha1[3] contain, instead of passing only when all five words are zero.&lt;br /&gt;
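&lt;br /&gt;
The cube-root forgery from the RSA section, as an added example that is not IPSF's or the bootloader's code: a lax parser that accepts any padding longer than 0x0A and uses only the first 0x28 payload bytes, a strict parser beside it, and an attacker who forges a passing signature with nothing but e = 3. The block layout 00 01 FF..FF 00 token, the 1536-bit demo modulus, the token value and both pars

ers are assumptions, not the 3.9 bootloader's actual format.&lt;br /&gt;
&lt;br /&gt;
```python
"""Added example, not IPSF's or the bootloader's code: the e=3 cube-root
forgery against a parser that checks only the padding length and the first
0x28 payload bytes.  Assumed: block layout 00 01 FF..FF 00 token, a
1536-bit modulus, and the two parsers below."""
import random

E = 3
TOKEN_LEN = 0x28    # payload bytes the lax parser actually uses (from the page)
MIN_PAD = 0x0B      # padding only has to be longer than 0x0A (from the page)
K = 192             # modulus length in bytes (1536 bits), chosen for the demo


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with random bases; fine for a demo key."""
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        p = rng.getrandbits(bits) | 2 ** (bits - 1) | 1   # full size, odd
        if p % 3 == 2 and is_probable_prime(p, rng):      # keeps gcd(3, p-1) == 1
            return p


def gen_key(rng):
    """(n, d) with public exponent 3; the attacker never sees d."""
    p, q = gen_prime(K * 4, rng), gen_prime(K * 4, rng)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def encode_block(token):
    """Canonical K-byte block: 00 01, FF padding filling the rest, 00, token."""
    return b"\x00\x01" + b"\xff" * (K - 3 - len(token)) + b"\x00" + token


def parse_lax(block):
    """The 3.9-style parser: any padding longer than 0x0A is accepted and only
    the first TOKEN_LEN payload bytes are used; whatever follows is ignored."""
    if block[:2] != b"\x00\x01":
        return None
    i = 2
    while i != len(block) and block[i] == 0xFF:
        i += 1
    pad_len = i - 2
    if i == len(block) or block[i] != 0x00 or not pad_len > 0x0A:
        return None
    return block[i + 1:i + 1 + TOKEN_LEN]


def parse_strict(block):
    """Correct check: the whole block must be the canonical encoding of the token."""
    token = block[K - TOKEN_LEN:]
    return token if block == encode_block(token) else None


def sign(token, n, d):
    return pow(int.from_bytes(encode_block(token), "big"), d, n)


def recover_block(sig, n):
    """What the verifier sees: sig**3 mod n, as K bytes."""
    return pow(sig, E, n).to_bytes(K, "big")


def icbrt_ceil(x):
    """Smallest integer s with s**3 >= x (integer Newton from an overestimate)."""
    if x == 0:
        return 0
    s = 2 ** ((x.bit_length() + 2) // 3)
    while True:
        t = (2 * s + x // (s * s)) // 3
        if t >= s:
            break
        s = t
    return s if s ** 3 == x else s + 1


def forge(token):
    """Attacker side: needs only e = 3, not even n.  Left-align the bytes the
    lax parser looks at and round the cube root up; cubing the result gives
    the same leading bytes, because the zeroed low part of the block has far
    more bits than the rounding error (under 3*s**2 + 3*s + 1) can disturb."""
    prefix = b"\x00\x01" + b"\xff" * MIN_PAD + b"\x00" + token
    target = int.from_bytes(prefix + b"\x00" * (K - len(prefix)), "big")
    return icbrt_ceil(target)


def demo(seed=2009):
    rng = random.Random(seed)            # deterministic demo key, not for real use
    n, d = gen_key(rng)
    token = bytes(range(TOKEN_LEN))      # constructed stand-in for a 3.9 unlock token
    genuine, forged = sign(token, n, d), forge(token)
    return {
        "genuine_lax": parse_lax(recover_block(genuine, n)) == token,
        "genuine_strict": parse_strict(recover_block(genuine, n)) == token,
        "forged_lax": parse_lax(recover_block(forged, n)) == token,
        "forged_strict": parse_strict(recover_block(forged, n)) == token,
    }
```
&lt;br /&gt;
Nothing in forge() uses n or d: the forged value cubes to a number smaller than n, so the verifier's modular exponentiation is just a plain cube, and the rounding error of the cube root only touches the low bytes that parse_lax ignores. With a 1024-bit modulus the same 54-byte prefix would leave only 592 bits of room below it while the rounding error can reach about 3*s**2 (around 2**674 for s near 2**336), so plain rounding would corrupt the end of the token; Bleichenbacher's note shows how to shape the low bytes into a perfect cube instead, and the bootloader's real key size and layout are not given on this page. Requires Python 3.8 or newer for pow(E, -1, phi).&lt;br /&gt;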
&lt;br /&gt;
==Implementations==&lt;br /&gt;
*[http://iphonesimfree.com/ IPSF]&lt;br /&gt;
*[http://lpahome.com/geohot/ipsfserver.rar geohot's IPSF server]&lt;br /&gt;
&lt;br /&gt;
[[Category:Unlocking Methods]]&lt;br /&gt;
[[Category:Baseband Exploits]]&lt;/div&gt;</summary>
		<author><name>D235j</name></author>
		
	</entry>
</feed>