Difference between revisions of "IPhone Hacking Presentation - History 1.0-1.1.4"

From The iPhone Wiki
Latest revision as of 13:38, 17 September 2021


George Hotz' Presentation on "Hacking the iPhone"

9:30 EST 17 July 2009 irc.osx86.hu #presentation

JailbreakMe

The Hackers in the Presentation (alphabetical order):

  • copumpkin
  • geohot
  • kroo
  • lilstevie
  • posixninja
  • westbaer

Geohot began the presentation with a potted history of iPhone hacking.

The history of "jailbreaking":

At the start:

  - slide for emergency (before lockdownd patches) <- this is activation
  - Apple generates an activation record when you connect your phone to iTunes for the first time
  - put in a T-Mobile SIM card, didn't work..
  

Activation record contains:

  ICCID (sim card)
  IMEI (baseband)
  DEVID (UDID, phone/s5l/app processor)
  

So, then tried...

   resending activation record to another phone
   lockdownd didn't check that record actually matched anything
   
   DVD Jon wrote a program to spoof the activation server, which sends his record, and since lockdownd didn't check that the record matched the iPhone's IDs, it worked -> people can now activate
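An added illustration of the missing check, not code from the presentation or from Apple: a toy activation record that names the three IDs from the section above and is signed with a constructed HMAC key (the real record format and signature scheme are not described on this page), accepted first under the accept-anything behaviour and then under a check that requires the record to name the phone presenting it.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the activation server's signing key; the real
# record format and signature scheme are not described in the presentation.
SERVER_KEY = b"constructed-activation-server-key"
ID_FIELDS = ("ICCID", "IMEI", "DEVID")


def sign_record(fields: dict) -> dict:
    """Server side: issue a record naming one phone's ICCID, IMEI and DEVID."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return {"fields": fields, "sig": tag}


def signature_valid(record: dict) -> bool:
    """Genuineness only: was this record issued by the server (constant-time compare)."""
    body = json.dumps(record["fields"], sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["sig"])


def activate_unchecked(record: dict, device: dict) -> bool:
    """The behaviour described above: a genuine record is accepted without
    asking whether it was issued for the phone presenting it."""
    return signature_valid(record)


def activate_checked(record: dict, device: dict) -> bool:
    """Hardened: the record must be genuine AND match this device's IDs, so a
    record captured from one phone cannot be replayed to another."""
    if not signature_valid(record):
        return False
    return all(record["fields"].get(k) == device[k] for k in ID_FIELDS)


# Constructed sample devices; the identifiers are not real.
PHONE_A = {"ICCID": "8901000000000000001", "IMEI": "000000000000001", "DEVID": "devid-a"}
PHONE_B = {"ICCID": "8901000000000000002", "IMEI": "000000000000002", "DEVID": "devid-b"}


def replay_outcome() -> dict:
    """Replay phone A's genuine record to phone B under both checks."""
    record_for_a = sign_record(PHONE_A)
    # Editing the IDs inside a genuine record breaks its signature.
    edited = {"fields": dict(record_for_a["fields"], DEVID=PHONE_B["DEVID"]),
              "sig": record_for_a["sig"]}
    return {
        "unchecked_accepts_replay": activate_unchecked(record_for_a, PHONE_B),
        "checked_accepts_replay": activate_checked(record_for_a, PHONE_B),
        "checked_accepts_owner": activate_checked(record_for_a, PHONE_A),
        "checked_accepts_edited": activate_checked(edited, PHONE_B),
    }
```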

iphone dev folks start reversing itunesmobiledevice.dll / MobileDevice.framework

 -> AMDeviceActivate (give it an activation record, and it would activate the phone for you)

Through the reversing of the MobileDevice.framework (AFC protocol) it was possible to gain control of the chrooted jailed files in /var/root/media

iTunes uses AFC to send files (music, contacts, etc.) to the iPhone, inside the /var/mobile/media jail. So the next thing after activation is jailbreak.

       ("jail" means a chroot jail, more info at: http://en.wikipedia.org/wiki/Chroot, http://docs.freebsd.org/44doc/papers/jail/jail.html )

System Partition mounted at /
User Partition /var/mobile/

First jailbreak was done by using the cp (copy) command in restore mode, which had access to the whole FS. They overwrote fstab and services.plist, and they added a service called afc2 which shared the whole FS.

We could also take a look at the disk image itself inside an ipsw:

   unfortunately, the rootfs dmg has encryption that doesn't use the traditional dmg password scheme
   so we wrote vfdecrypt

So... then we could touch the filesystem all we wanted, but without a toolchain we couldn't do anything useful. This is interesting because:

   Mach-O and ARM: never done before outside Apple; we needed to write it ourselves (aka watch in awe as nightwatch did it)

this led to the days of irc://irc.osx86.hu/iphone-uikit

 mentioned neato things:
     MobileTerminal, Hello World

George Hotz joined the small group of "iPhone Dev team folks" (#iphone.dev, I think); things started becoming secretive, and George Hotz decided to release http://chickenenchiladagrilledstuftburrito.info/u.htm , his "manifesto"

Unlocks:

First Unlock:

  Hardware
  1. Erase baseband firmware
  2. Using a hardware test point, pull an address line high, so it thinks it's all erased (fakeblank, more information @ http://www.theiphonewiki.com/wiki/index.php?title=Fakeblank )
  3. You can send serial payloads and run your own unsigned code, so patch it to be unlocked
  

IPSF style unlock:

 If code uploaded to the baseband had a SHA1 hash ending in 00 00 00 00, it would run (due to buggy coding, they only checked the last four bytes), and the Bleichenbacher RSA attack allowed fake unlock tokens to be generated server-side
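Added example, not code from the presentation or from any baseband: the tail-only check described above beside a full-digest comparison, with a constructed search that counts how many candidate blobs it takes before one satisfies a zero tail. It uses a 1-byte tail so the search finishes instantly; the page's 4-byte case is the same idea at roughly 2^32 tries, which is why a truncated compare is a matter of compute rather than of holding a key.

```python
import hashlib
import hmac

TAIL_LEN = 4  # the baseband check described above looked only at the last four bytes


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def tail_check(payload: bytes, tail_len: int = TAIL_LEN) -> bool:
    """The flawed check: run the code if its SHA-1 ends in tail_len zero bytes.
    Any payload whose digest happens to end that way passes."""
    return sha1(payload)[-tail_len:] == b"\x00" * tail_len


def full_digest_check(payload: bytes, expected_digest: bytes) -> bool:
    """Hardened: compare the entire digest against the value that was actually
    authorised, in constant time. (A real fix would also verify a signature over
    the digest; the page only describes the truncated compare.)"""
    return hmac.compare_digest(sha1(payload), expected_digest)


def search_cost(tail_len: int, max_tries: int = 1_000_000):
    """How many constructed candidate blobs until one passes tail_check with a
    tail_len-byte zero tail. Expected work grows as 256 ** tail_len: tail_len=1
    finishes instantly here, tail_len=4 is about 2**32 digests."""
    for i in range(max_tries):
        candidate = b"constructed unsigned blob %d" % i  # constructed, not real firmware
        if tail_check(candidate, tail_len):
            return candidate, i + 1
    return None, max_tries


def compare_checks() -> dict:
    """A constructed authorised blob versus a blob that merely matches a 1-byte tail."""
    authorised = b"constructed authorised baseband code"
    match, tries = search_cost(1)
    return {
        "tries_for_1_byte_tail": tries,
        "tail_check_passes_match": tail_check(match, 1),
        "full_check_passes_match": full_digest_check(match, sha1(authorised)),
        "full_check_passes_authorised": full_digest_check(authorised, sha1(authorised)),
    }
```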
 

Then there was iUnlock by the Dev-Team, which used -0x400 exploit to unlock.

then along comes 1.1.1: encryption. Restore holes used to jailbreak were patched, but this led to the simplest jailbreak: jailbreakme.com / the TIFF exploit.

   This was taken from the PSP hacking scene: an old version of libtiff had a buffer overflow (found by taviso, first exploited by cmw) on one of the metadata tags, iirc.

and 1.1.2 comes along, patching the tiff vuln, things start to get more complex:

   initially we started by just insisting that people downgrade to 1.1.1, then update again
   this became harder as more phones came preinstalled with 1.1.2, etc.
   at 1.1.3 (BB version 4.6), this became unbearable...
   george releases gunlock using the -0x20000 with back extend erase exploit
   and eventually ZiPhone is released (unsigned ramdisk exploit)

How this works:

   hit restore, iPhone goes into recovery mode (iBoot, bootloader for the s5l proc)
   commence geohot wall-o-text:
   your iPhone has two major processors, the s5l (which runs the apps, and is targeted by jailbreaks), and the baseband (which runs the phone stuff, and is targeted by unlocks)
   recovery mode sending a ramdisk and kernel can boot the device no matter what's on NAND
   after the ramdisk boots, it enters restore mode
   in restore mode, the system dmg (with the OS) is sent
   the NOR is upgraded to have the latest iBoot and LLB
   and the baseband is upgraded to have the latest baseband firmware
   so, imagine being able to write your own ramdisk
   everything up to user mode was always sig checked
   including the ramdisk
   

RESOURCES:

Links posted by "the hackers":

1) http://nanocr.eu/2007/07/03/iphone-without-att/
   Site: Jon "DVD Jon" Lech Johansen's blog
   Entry: "iPhone Independence Day"
   Documents Jon's discovery of how to activate a brand new iPhone unofficially.
   Originally posted on Tuesday 3 July 2007

2) http://chickenenchiladagrilledstuftburrito.info/u.htm
   Site: (mirror)
   Entry: George Hotz's "manifesto"
   Originally mirrored on Friday, 27 July 2007

3) http://theiphonewiki.com/wiki/index.php?title=Minus_0x20000_with_Back_Extend_Erase
   Site: The iPhone Wiki
   Entry: "Minus 0x20000 with Back Extend Erase"
   This is the exploit used to unlock all phones with a 4.6 bootloader.
   Originally posted on Saturday, 27 July 2008

/* Definitions of terms used: (links here possibly) */

Jailbreak: Apple makes it so your device can only use one folder on the phone; jailbreak gets out of that single-folder jail and lets you use the entire filesystem.

Active Documenters (alphabetical order):

  • Izzard
  • Kroo
  • Oranav
  • Veeloc
  • crash-x (only in the beginning)