Jailbreak

2011-04-10T15:43:00Z

Taraff1:

'''[https://www.plimus.com/jsp/redirect.jsp?contractId=2613674&referrer=taraff1 Click Here to Unlock and Jailbreak ANY iPhone Instantly and Automatically]'''

This is the process by which full execute and write access is obtained on all the partitions of the iPhone. It is done by patching /etc/fstab to mount the System partition as read-write. This is entirely different from an [[unlock]]. Jailbreaking is the first action that must be taken before things like unofficial [[activation]] (hacktivation), and unofficial unlocking can be applied.

The original jailbreak also included modifying the [[AFC|afc]] service (used by [[iTunes]] to access the filesystem) to give full filesystem access from root. This was later updated to create a new service ([[AFC|afc2]]) that allows access to the full filesystem.

Modern jailbreaks also include patching the kernel to get around code signing and other restrictions.

==Exploits which were used in order to jailbreak (in chronological order)==
=== 1.0.2 ===
* [[Restore Mode]] ([[iBoot (Bootloader)|iBoot]] had a command named cp, which had access to the whole filesystem)

=== 1.1.1 ===
* [[Symlinks]] (an upgrade jailbreak)
* [[LibTiff | libtiff exploit]] (Adapted from the PSP scene, used by [[JailbreakMe]])
=== 1.1.2 ===
* [[Mknod]] (an upgrade jailbreak)
=== 1.1.3 / 1.1.4 ===
* [[Soft Upgrade]] (an upgrade jailbreak)
* [[Ramdisk Hack]]

==Exploits which are used in order to jailbreak 2.0 and above==

===[[Userland]] (used for all devices)===
*[[MobileBackup Copy Exploit]] + [[Incomplete Codesign Exploit]] + [[BPF_STX Kernel Write Exploit]] (together for [[Spirit]])
*[[Malformed CFF Vulnerability]] + [[Incomplete Codesign Exploit]] + [[IOSurface Kernel Exploit]] (together for [[Star]])
*[[Packet Filter Kernel Exploit]] (together with [[limera1n]]'s bootrom exploit or the [[usb_control_msg(0xA1, 1) Exploit]], for [[untethered jailbreak]])
*[[HFS Legacy Volume Name Stack Buffer Overflow]] (together with [[limera1n]]'s bootrom exploit or the [[usb_control_msg(0xA1, 1) Exploit]], for [[untethered jailbreak]])

===[[M68ap|iPhone]] / [[N82ap|iPhone 3G]] / [[N45ap|iPod touch]]===
* [[Pwnage]] and [[Pwnage 2.0]] (together)

===[[N72ap|iPod touch 2G]]===
* [[ARM7 Go]] (used by [[tethered jailbreak]]s)
* [[0x24000 Segment Overflow]] (used on "MB" models for an [[untethered jailbreak]])
*[[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] for units with the [[iBoot-240.5.1|new bootrom]])
*[[usb_control_msg(0xA1, 1) Exploit]] (used for a [[tethered jailbreak]] on units with the [[iBoot-240.5.1|new bootrom]])

===[[N88ap|iPhone 3GS]]===
* [[0x24000 Segment Overflow]] (used on older devices for an [[untethered jailbreak]])
* [[iBoot Environment Variable Overflow]]
* [[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] for newer devices)
* [[limera1n]] ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)

===[[N18ap|iPod touch 3G]]===
*[[usb_control_msg(0x21, 2) Exploit]] ([[tethered jailbreak|tethered]] only)
* [[limera1n]] ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)

===[[N90ap|iPhone 4]]===
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)

===[[N81ap|iPod touch 4G]]===
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)

===[[k48ap|iPad]]===
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)

===[[k66ap|Apple TV 2G]]===
* [[limera1n]]'s bootrom exploit ([[tethered jailbreak|tethered]] on its own, [[untethered jailbreak|untethered]] with an additional exploit)

Unlock

2011-04-10T15:42:46Z

Taraff1:

'''[https://www.plimus.com/jsp/redirect.jsp?contractId=2613674&referrer=taraff1 Click Here to Unlock and Jailbreak ANY iPhone Instantly and Automatically]'''

This is the process by which the iPhone baseband is modified to accept the [[SIM]] card of any GSM carrier. This is entirely different than a [[jailbreak]] though a jailbreak is required for the current unlocks to take effect.

==Official Unlock==
[[Image:iTunesUnlock.png|thumb|Unlock in iTunes]]
At +0x400 in the [[seczone]], a token is stored encrypted with (NCK + NORID + HWID). Apple, knowing the [[NCK]], sends it using an [[activation token]] over iTunes. The phone receives an AT+CLCK="PN",0,"......NCK......" It decrypts the token with the generated [[Baseband_TEA_Keys|key]]. If that decryption, after deRSAing with Key 2, is a valid token for the phone, it is stored back to that flash with the token TEA, but not RSA decrypted. On startup, if the lockstate table says the phone is unlocked, it validates that RSA token.

==Hardware Unlock==
How to unlock your phone http://www.iphone-hacks.com/downloads/iphoneunlock.pdf

==Old AnySim Patch (1.0.X)==
This deprecated patch disabled signature checks. So the RSA signature would always validate, and the phone would always appear to be unlocked and every NCK would appear to be valid. This patch caused the locktables to be rewritten to the unlocked state which resulted in a cypto failure once the patch was removed during a BB upgrade, causing the 0049 IMEI issue. The virginizer was written in response to this problem and allowed users to write locked, virgin locktables. This removed the crypto failure and allowed the application of the ignore MCC/MNC patch.

==New AnySIM Patch (1.1+)==
This patch, also know as the ignore MCC/MNC patch, makes every MCC/MNC pair appear valid. This patch is overwritten on a reflash of the baseband, and doesn't touch the seczone or the locktables at all. It must be reapplied for every baseband upgrade to maintain the unlock.

In addition, AnySIM 1.1 fixed the "Spamming AT" problems from [[iUnlock]] and earlier AnySIM versions.

==IPSF==
See [[IPSF]] for main article. This exploit changed the lockstate table in the [[seczone]] to read unlocked and created a spoofed RSA token that was seen as valid by BL3.9 (BL4.6 was ''not'' vulnerable to IPSF). It overwrote your previous token, which means the phone could nor longer be officially unlocked, unless a restore of the token was performed from a previously made backup. Since the token isn't modified in a baseband flash, this unlock survived a baseband downgrade or upgrade. Apple attempted to combat this by requiring AT+CLCK command to be sent every startup. In a officially unlocked iPhones, lockdownd does this. In a late version IPSF phone, signal.app does this.

== Cloning Officially Unlocked Phones ==
This has been suggested by many people, however it has been well investigated and virtually ruled out for these reasons:
# Replacing the [[Baseband Bootloader|baseband bootloader]] or [[Baseband Firmware|firmware]] of a locked phone with that of an officially unlocked phone does ''not'' unlock the phone, as the unlock information resides in a different flash area, known as the [[seczone]] and is unique to each phone.
# Cloning the [[seczone]] would duplicate [[wikipedia:International Mobile Equipment Identity|IMEIs]] which would be illegal in most places and would likely result in a ban of these.
# Phones with cloned [[seczone]]s would not even be unlocked by the [[NCK]]s of the phone they were cloned from as the [[CHIPID]] and [[NORID]] is concatenated with the [[NCK]] to produce the decryption key used on the RSA [[seczone]] token. The only way to make this work is to change the [[NORID]] and [[CHIPID]] which is not possible.

== External Links ==
*[http://caniunlock.com/ English Website from chpwn with overview of unlock status]
*[http://caniunlock.de/ Deutsche Website von pattyland mit einer Übersicht des Unlockstatus's]

The iPhone Wiki - User contributions [en]

Jailbreak

Unlock